Bitkom welcomes the opportunity to comment on the European Data Protection Board’s (EDPB) draft Guidelines on the interplay of the Second Payment Services Directive and the GDPR (EDPB Guidelines). We believe that more cooperation and exchange between data protection authorities and practitioners is needed to translate the legal text of the GDPR into practice and reduce legal uncertainty, especially in the context of the interplay with the Second Payment Services Directive (PSD2) as well as with other legislation.
We welcome that the EDPB Guidelines clarify some important questions, especially in the interpretation of the PSD2 concept of "consent" or in the authorization to process third party data (so-called silent party data). Furthermore, the guidelines bring some clarity for the legal regime of the PSD2 and the application of the GDPR. They are therefore suitable for payment service providers, but in particular for payment initiation service providers (PISP) and account information service providers (AISP), to be able to offer and further develop their products and innovate.
However, we see the need for amendments to the Guidelines with regard to the proposed digital filters, which will severely restrict the business models created by the PSD2. The EDPB does not clarify how digital data filters are to be implemented and how a duty to implement such a filter can be aligned with the framework of the PSD2 and the RTS.
We detailed our concerns and proposals in our Position Paper which can be downloaded below. As Bitkom represents new service providers as well as traditional industry players, our paper outlines cross-industry arguments and solutions.