Payment services
Consumers can use various payment services. The providers of these payment services (payment service providers) then need access to consumers' payment data. These are sensitive personal data. That is why it is important that payment data remain secure. The European PSD2 directive provides rules for this.
On this page
Examples of payment services
Examples of payment services are:
- payment services that make it possible to make payments via a smartphone;
- an automatic housekeeping book;
- payment services that link bank accounts from different banks;
- payment services that analyse payment data to provide advice on savings.
Access to payment data
If a consumer wants to use a payment service, the payment service providers (the company that offers the payment services) need access to the payment data of this consumer.
These are sensitive personal data, such as data about a person's income and purchasing behaviour. That is why payment service providers must first request explicit consent from consumers in order to be able to access their payment data.
Rules are set out in PSD2
The rules for payment service providers are set out in the European PSD2 directive. This abbreviation stands for the second Payment Service Directive. This directive regulates, among other things, that not only banks, but also other parties may have access to current accounts, provided consumers have given their consent for this.
PSD2 and the GDPR
Payment service providers must not only adhere to the rules of PSD2, but also to the privacy rules from the General Data Protection Regulation (GDPR).
The European Data Protection Board (EDPB) has drawn up guidelines on the interplay between PSD2 and the GDPR:
Quick answers
Can a payment service view my payment data?
Do you want to use a payment service? Then the payment service needs access to your payment data. This is only allowed if you have given explicit consent for this.
This means the payment service provider must clearly ask you for consent and inform you properly about what happens to your data. This way, you know exactly what you are consenting to.
What is not allowed, for example, is only asking you to accept the general terms and conditions. The payment service provider must ask you for consent separately.
Do you want to know more? Read: Consumers using a payment service.
Can I withdraw my consent for a payment service?
Yes, you can. The payment service provider (the company behind the payment service) must ensure that withdrawing consent is as easy as giving consent.
So if you can give your consent online, you should also be able to withdraw your consent online.
The payment service must also inform you how you can withdraw your consent before entering into the payment service agreement.
Do you want to know more? Read: Consumers using a payment service.
Can a payment service see my details if someone transfers money to me?
Yes, it can. If someone else has given consent to a payment service provider (the company behind the payment service), but you have not, the payment service provider can sometimes see your personal data, even if you have not consented to this. An example of this is if that other person transfers money to you via a payment service.
In that case, the payment service provider sees data that are necessary to carry out the payment service. For example:
- your name;
- your bank account number;
- the payment reference;
- the payment description.
Without your explicit consent, none of your other data can be visible.
Do you want to know more? Read: Consumers using a payment service.
Can I access my data at an organisation, or have them rectified or removed?
Yes, you can. If an organisation uses your personal data, you have a number of rights. This will ensure that you keep a grip on your personal data. These are the most important privacy rights:
- You have a right of access to your personal data.
- Does it turn out that data of you are incorrect? Or that certain data are missing? Then you can ask for rectification of your data (adjustment or addition).
- In some cases, you can also ask for removal of data.
Do you want to know what other rights you have? Check out Privacy rights under the GDPR.
What can I do if I have a question or complaint about the use of my personal data?
Always submit your questions or complaints to the organisation that uses your personal data first. Do you have a complaint and are you and the organisation unable to work it out together? Then you can lodge a complaint with the Dutch Data Protection Authority (DPA).