Author: Piotr Pawłowski Published on: October 30, 2023

Navigating the Waters: Understanding GDPR in the Context of PSD2

In the fast-evolving digital landscape, the intersection of financial services and data protection has become a hot topic, particularly with the introduction of PSD2 (the Revised Payment Services Directive) and the GDPR (General Data Protection Regulation) in the European Union. Both regulations aim to provide a more secure and transparent digital experience for users, but together they present a complex challenge for businesses that must comply with both sets of requirements.

A Balancing Act: PSD2 and Data Sharing

PSD2 is a game-changer in the fintech industry, seeking to foster innovation and competition by opening up access to banking data for third-party providers (TPPs). Under PSD2, banks are required to give TPPs access to their customers' account information and payment initiation services, provided the customer has given explicit consent. The directive aims to enhance consumer choice, enable better and more tailored financial products, and ultimately create a more integrated European payment market.

GDPR: Setting the Gold Standard for Data Protection

Concurrently, GDPR has set a new standard for data protection and privacy, ensuring that individuals have more control over their personal data. It requires organizations to implement stringent data protection measures, obtain clear consent for data processing, and be transparent about how they use customer data.

The Intersection: Navigating Compliance

The crux of the matter lies in the intersection of PSD2 and GDPR. On one hand, PSD2 promotes the sharing of financial data to spur innovation; on the other, GDPR emphasizes the importance of protecting that very data. Businesses, especially fintech startups and traditional banks, now face the daunting task of ensuring that their services comply with both regulations.

Explicit Consent and Transparency

One of the key areas where GDPR and PSD2 intersect is the requirement for explicit consent. Under PSD2, TPPs must obtain explicit consent from users before accessing their financial data. Similarly, GDPR requires clear and affirmative consent for the processing of personal data. Businesses must ensure that the consent mechanisms they use meet GDPR standards, providing clear information and an easy way for users to opt in or out.

Data Minimization and Purpose Limitation

GDPR introduces the principles of data minimization and purpose limitation, meaning that only the data necessary for a specific purpose should be collected and processed. TPPs accessing financial data under PSD2 must adhere to these principles, ensuring that they access only the data required to provide their service and do not use it for any other purpose.

Security Measures

Both PSD2 and GDPR emphasize the importance of implementing robust security measures to protect user data. Under PSD2, TPPs are required to use strong customer authentication (SCA) to verify the identity of users. GDPR likewise requires organizations to implement appropriate technical and organizational measures to protect personal data.

Conclusion: Navigating the Complexity

Navigating the complexities of PSD2 and GDPR compliance is no easy feat. Businesses must strike the right balance between innovation and data protection, ensuring that they provide secure and transparent services to their users. By understanding the nuances of both regulations and implementing robust compliance measures, businesses can harness the benefits of open banking under PSD2 while upholding the high standards of data protection mandated by GDPR.
