Clifford Chance

Banking & finance

Talking Tech

PSD2-innovation and GDPR-protection: a fintech balancing act

Part One: Consent

Data Privacy Fintech 18 October 2019

This article is the first in a planned series of four articles.

The revised Payment Services Directive (Directive (EU) 2015/2366) (PSD2), which introduced open banking, aims to encourage innovation and competition in the European payments market. By permitting payment services providers (such as incumbent financial institutions and fintechs) to access and analyse certain financial data from consumers and businesses, PSD2 is an attempt to stimulate the development and provision of new innovative payment services. In parallel, the introduction of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has had a significant impact on how personal data must be handled. Any access that payment services providers have to personal data, and the use they make thereof, must comply with the strict regulations of the GDPR. When working to comply with both pieces of legislation, payment services providers need to balance the innovative opportunities offered by PSD2 with the data protection challenges created by GDPR. Some of the key balancing issues relate to consent, data portability, automated decision-making, profiling and data minimisation. In a series of four articles we aim to shed some light on these key issues. This first article elaborates on ‘(explicit) consent’ under PSD2 and GDPR.

BOLT

For the purpose of these four articles, an imaginary fintech company called BOLT will be used as an example. BOLT is licensed in the Netherlands as a payment service provider (PSP) and is authorised to provide the new payment services introduced by PSD2: account information services and payment initiation services.