We regularly talk to you about the importance of consent in the day-to-day running of our business, and we have already covered it extensively: from privacy by design to the construction of our new funnel and its place at the heart of the strong-authentication principle, it is the keystone of our service to shoppers. Here we go a step further by comparing the well-known GDPR explicit consent with the PSD2 explicit consent that applies to us.
The promotion of open banking in 2018 by PSD2 (the Payment Services Directive) opened up the possibility for account aggregators to access shoppers' payment data, with their consent.
With the shopper's permission, it is now possible for merchants (retailers, shopping centres, brands) to offer a multitude of benefits to shoppers (account aggregation, rewards, cashback, e-ticket, buy now pay later, etc.) and to access unparalleled shopper knowledge (shopping cart, itinerary, profile, scoring) thanks to the APIs developed by these payment providers.
PSD2 puts consent at the heart of payment data. Since the notion of "explicit consent" appears in both PSD2 and the General Data Protection Regulation (GDPR), it is very tempting to compare them. However, the term "explicit consent" has a very different meaning in the GDPR than it does in PSD2. Our Head of Legal, Nurgül Sivasli, explains.
Payment data is highly confidential and, by nature, personal data. Processing it therefore requires a legal basis in order to comply with the GDPR.
GDPR and payment data: what are the main stakes?
There are 6 possible legal bases in the GDPR, and this list is exhaustive:
1. Consent
2. Contract
3. Legal obligation
4. Public interest mission
5. Legitimate interest
6. Safeguarding vital interests
In the GDPR, consent is therefore one of the 6 legal bases set out in Article 6, and it can justify the processing of account information, but it is mandatory only in very specific cases: for instance, when sensitive data is collected (Art. 9), to allow automated individual decision-making (Art. 22), or when personal data is transferred outside the European Union (Art. 49).
This explicit consent under the GDPR is stronger than ordinary consent and requires a positive and unambiguous act, most often illustrated by a checkbox accompanied by a statement of consent such as: "I authorize X to process my personal data for Y purpose".
In PSD2, explicit consent is a contractual consent. It is the legal basis for the processing of personal data necessary for the execution of payment services, and it amounts purely to the performance of the contract (Art. 94 PSD2).
During the performance of this contract, no further consent from the data subject is required. To stop having his or her personal data processed, the data subject will have to terminate the contract (general terms of sale or terms of use), or wait for the 90-day period after which consent must be renewed (soon to be 180 days).
Thus, if a data-processing operation is not expressly provided for in the contract, the service provider will not be able to carry it out. Everything must take place within the strict framework of the contract, which also leaves no room for further use of the data for purposes not provided for in the contract.