Privacy

PSD-2 Privacy

Frequently asked questions:

What about my privacy?
Your payment data and the processing of your payment data are extensively regulated. Effective from 25 May 2018, the European General Data Protection Regulation applies to your bank as well as to payment initiation and account information service providers. Moreover, PSD2 contains additional requirements for the new service providers, including the requirement that they need to obtain your consent to access your bank accounts. If you don't give your consent, your account data will remain with your bank and will not be shared with the account information service provider. In the Netherlands, the Dutch Data Protection Authority and DNB are responsible for supervising your bank's and the new information service providers' compliance with European regulations (such as the General Data Protection Regulation and PSD2). However, this is never a 100% guarantee. If a bank or a new service provider fails to comply with requirements, the Dutch DPA or DNB may impose a fine.
How can PSD2 protect my privacy?

PSD2 imposes several requirements on payment initiation and account information service providers to protect your privacy. The General Data Protection Regulation also applies to these service providers.

Payment initiation service provider
The payment initiation service provider is only allowed to provide information about you to the beneficiary with your explicit consent. The payment initiation service provider is not allowed to store sensitive payment data (i.e. data that could be abused for fraud; the account holder's name and the account number do not qualify as sensitive payment data). Also, they may not ask for more information from you than strictly necessary for the provision of services. The payment initiation service provider is not allowed to access, use or store your data for other purposes than the specific service that you asked them to provide.

Account information service provider
The account information service provider is only allowed to provide services with your explicit consent. It is only allowed to access information about the account or accounts specified by you. The account information service provider is not allowed to store sensitive payment data (i.e. data that could be abused for fraud; the account holder's name and the account number do not qualify as sensitive payment data). It is not allowed to access, use or store your data for other purposes than the specific service that you asked them to provide.

General requirements
In addition to the privacy requirements in PSD2, the General Data Protection Regulation also applies. The General Data Protection Regulation describes what your bank and the payment initiation and account information service providers are allowed to do with your data.

What information does the payment service provider see if I give consent to access my account?

With your consent, the payment initiation service provider will ask the bank to execute the payment order on your behalf. The bank then passes on all relevant information about the execution of the transaction to the payment initiation service provider, e.g. whether there is sufficient money in the account, whether all data are correct and whether the transaction can actually be carried out.

With your consent, the account information service provider can access your bank account and view your transactions. The exact transaction history that the account information service provider can see depends on the technical communication method used between the bank and the service provider. If your bank has a dedicated interface for communicating with account information service providers, the bank decides what data these providers can see.

What can payment service providers do with my data?

The payment service provider is only allowed to store data related to the service for which you have given consent. The payment service provider is not allowed to use your data for other purposes, such as advice or marketing. In contrast, an account information service provider is allowed, with your consent, to provide an overview of your bank accounts with one or more banks. If it also wants to provide financial advice based on this information, it needs your separate consent for this. The account information service provider must hold a licence issued by the AFM in order to provide advisory services. The General Data Protection Regulation also applies. In general, unless arranged otherwise under a statutory or contractual obligation, payment service providers must ask for your consent each and every time they want to process your data.

What can I do if I no longer trust the service provided?

If you no longer trust the service provided, there are several things you can do. For example, you can make enquiries with the service provider, you can withdraw your consent for the service, you can ask the service provider to erase your data and you can notify the AFM or the Dutch Data Protection Authority. Please note that if you have made a payment through a payment initiation service provider, you cannot undo this.

Can I withdraw my consent for access to my account?

Yes, you can withdraw your consent for access to your account. This is not regulated under PSD2, but under the General Data Protection Regulation. Withdrawing your consent should be easy and the account information service provider must clearly inform you about your options.

What happens to my data if I withdraw my consent for access to my account?

If you withdraw your consent, the payment service provider will no longer be able to access your account. However, this does not mean they have erased all your data. Under the General Data Protection Regulation you may have the right to have your data erased, which means you can ask the payment service provider to erase your personal data from its systems.