This document is an excerpt from the EUR-Lex website
Document 52023XX01019
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on payment services in the internal market and the Proposal for a Directive on payment services and electronic money services in the Internal Market (The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
OJ C, C/2023/1019, 16.11.2023, ELI: http://data.europa.eu/eli/C/2023/1019/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
Official Journal, EN Series C, C/2023/1019, 16.11.2023
Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on payment services in the internal market and the Proposal for a Directive on payment services and electronic money services in the Internal Market
(C/2023/1019)
(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)
On 28 June 2023, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 (the ‘PSR Proposal’) and a Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC, and repealing Directives 2015/2366/EU and 2009/110/EC (the ‘PSD3 Proposal’), together ‘the Proposals’.
Payment services often involve processing of personal data which can reveal sensitive information about an individual data subject. The EDPS therefore welcomes the efforts made to ensure consistency with the General Data Protection Regulation (1) (‘GDPR’). He also stresses the need to clearly differentiate the ‘permissions’ under the Proposal from the legal basis for processing of personal data under the GDPR.
One of the aims of the Proposal is to enable providers of payment systems and of payment services to process special categories of personal data in the public interest of the well-functioning of the internal market for payment services. As the processing of such data is liable to constitute a serious interference with the rights to respect for private life and to the protection of personal data, it is important that legislation be precise enough to show the objective connection between each category of data in a specific payment context and the public interest objective to be achieved.
The EDPS welcomes that the Proposal would require account servicing payment service providers (‘ASPSPs’) to provide the user with a dashboard to monitor and manage the permission she or he has granted. To further reduce the risk of unlawful sharing of personal data by ASPSPs, the EDPS recommends:
— ensuring that the dashboard makes reference to the specific designated payment service(s) for which she or he granted her/his permission;
— ensuring that access requests remain limited to what is necessary to provide the requested service;
— ensuring clarity regarding the legal basis of access requests;
— allowing ASPSPs to verify the permission granted by the payment service user or to introduce appropriate alternative safeguards in the PSR Proposal.
Finally, the EDPS recommends ensuring close cooperation between competent authorities under the Proposal and data protection supervisory authorities to ensure consistency between the application and enforcement of the Proposal and EU data protection law. The EDPS therefore recommends expressly referring to supervisory authorities responsible for monitoring and enforcing data protection law in Article 93(3) of the PSR Proposal.
1. Introduction
1. On 28 June 2023, the European Commission issued a Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 (the ‘Payment Services Regulation Proposal’ or ‘PSR Proposal’) (2) and a Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC, and repealing Directives 2015/2366/EU and 2009/110/EC (the ‘Payment Services Directive 3 Proposal’ or ‘PSD3 Proposal’) (3), hereinafter referred to together as ‘the Proposals’.
2. Three Annexes accompany both the PSR Proposal and the PSD3 Proposal (six Annexes in total), outlining the types of payment services (Annex I), as well as the type of electronic money services (Annex II) falling under the scope of the draft Proposals. Finally, Annex III provides a correlation table on the provisions of Directives 2015/2366/EU and 2009/110/EC with the provisions in the Proposals.
3. The EDPS notes that the types of services covered by the Proposals seem to be essentially the same as the ones covered by Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (‘PSD2’) (4).
4. The specific objectives of the PSR Proposal (5) are to:
5. The Proposals are presented in conjunction with the Proposal for Regulation on Financial Information Data Access (‘the FIDA Proposal’) (6), covering among others access to financial data other than payment account data, which falls under the scope of the Proposals that form the subject matter of the present Opinion (7).
6. In essence, the PSR Proposal would:
7. The PSD3 Proposal is largely based on Title II of the current PSD2, regarding ‘Payment Service Providers’, which only applies to payment institutions. It updates and clarifies the provisions relating to payment institutions and integrates electronic money institutions as a sub-category of payment institutions. It also includes provisions concerning cash withdrawal services provided by retailers or independent ATM deployers (16).
8. The present Opinion of the EDPS is issued in response to a consultation by the European Commission of 29 June 2023, pursuant to Article 42(1) of EUDPR. The EDPS welcomes the reference to this consultation in Recital 147 of the PSR Proposal and Recital 77 of the PSD3 Proposal. In this regard, the EDPS also positively notes that he was already previously informally consulted on the Proposals pursuant to Recital (60) of the EUDPR.
12. Conclusions
52. In light of the above, the EDPS makes the following recommendations:
Brussels, 22 August 2023.
Wojciech Rafał WIEWIÓROWSKI
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(2) COM(2023) 367 final.
(3) COM(2023) 366 final.
(4) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).
(5) COM(2023) 367 final, page 5-6.
(6) COM(2023) 360 final.
(7) COM(2023) 367 final, page 4.
(8) Articles 4-26 of the PSR Proposal.
(9) Articles 35-38 of the PSR Proposal.
(10) Article 43 of the PSR Proposal.
(11) Article 80 of the PSR Proposal.
(12) Articles 82-84 of the PSR Proposal.
(13) Articles 85-86 of the PSR Proposal.
(14) Chapter 8 of the PSR Proposal.
(15) Chapter 9 of the PSR Proposal.
(16) COM(2023) 367 final, page 7.
ISSN 1977-091X (electronic edition)