On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”). The PSD2 intends to open the financial services market to a larger scale of innovative online services. To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers. Among other things, it provides that in most cases service providers’ access to this personal data is subject to consent.
The Supervisory Authority points out that the required consent is an additional protection imposed by the PSD2. It is not a legal basis for the processing of personal data under the General Data Protection Regulation (“GDPR”). In fact, under the GDPR the processing should not be based on consent, but rather on an alternative legal basis – namely, the execution of an agreement. Interestingly, while the regulator acknowledges that PSD2 consent is not a GDPR consent, it applies the same standard to both. As a result, according to the authority, the consent must be obtained separately from the main agreement (for example, in the form of a pop-up consent request), and customers must be able to retract their consent at any time, an action that would likely result in the end the agreement, since a provider would be unable to process any new data thereafter.