On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”).  The PSD2 intends to open the financial services market to a wider range of innovative online services.  To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers.  Among other things, it provides that in most cases service providers’ access to this personal data is subject to consent.

The Supervisory Authority points out that the required consent is an additional protection imposed by the PSD2.  It is not a legal basis for the processing of personal data under the General Data Protection Regulation (“GDPR”).  In fact, under the GDPR the processing should not be based on consent, but rather on an alternative legal basis – namely, the execution of an agreement.  Interestingly, while the regulator acknowledges that PSD2 consent is not a GDPR consent, it applies the same standard to both.  As a result, according to the authority, the consent must be obtained separately from the main agreement (for example, in the form of a pop-up consent request), and customers must be able to retract their consent at any time, an action that would likely result in the end of the agreement, since a provider would be unable to process any new data thereafter.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.