
Author: Websites voor mkb'ers

PART 1 – XS2A and Consent

Is your organization reluctantly getting ready for PSD2? Or, are you jumping with excitement ready to dot the I’s on your Fintech/PSD2 business plans? Either way, if you’re in the financial services industry, it’s likely your organization is going to introduce, or face, new and innovative services that require the use and exchange of personal data. Services that are governed not only by PSD2 but also by GDPR, the EU privacy framework.


If you’re aware of the key motives of PSD2 and GDPR you can skip right to the next bit. For a bit of a refresher, here’s a two-penny summary.

PSD2 is an EU directive that aims to promote safer and more innovative digital payment services, reduce the cost of financial transactions and strengthen consumer rights. The two sections of PSD2 that have attracted most debate are the obligation for banks to grant third parties access to transactional information, otherwise known as XS2A (access to accounts), and the strong authentication requirements for payments. These two parts of PSD2 introduce obligations for financial institutions that require the handling of personal data.

This is where the General Data Protection Regulation (GDPR) comes in. It’s the new, and very strict, EU data protection framework that also applies to the handling of personal data required by PSD2. The key motives of the GDPR are to keep personal data safe and to reinforce the rights of data subjects by giving them control over their own data. All organizations that are active in the EU or are in the business of processing personal data of EU citizens have to comply with the GDPR. Non-compliance can lead to fines of up to 4% of an organization’s annual worldwide turnover, or 20 million EUR, whichever is more.

GDPR and PSD2 both aim for better consumer protection. But at the same time as PSD2 requires open access to transactional data, GDPR introduces increasingly strict obligations to keep these data safe and ensure that consumer rights are met. In short, if you’re getting ready for PSD2, make sure that whenever you’re dealing with personal data, you also comply with the GDPR.

XS2A & Consent

Banks and payment service providers hold transactional data. Data that are carefully shielded as business assets, and are kept safe in accordance with regulatory requirements such as privacy laws. Following XS2A, third party service providers will gain access to these sensitive personal data. PSD2 however also provides that Payment Service Providers (PSPs) may gain access, process and store personal data only with the “explicit consent” of the customer. To understand what “Explicit Consent” means, and how PSPs can obtain valid consent from their users, we have to turn to the GDPR. The GDPR lists the following requirements for valid consent:

step 1 - active consent

The GDPR requires “a statement or a clear affirmative action” that signals the customer’s agreement to a certain data processing. Meaning, the customer has to actively do something to let you know they agree to what you are about to do with their data. Good examples are ticking a box stating they agree with the processing, or choosing technical settings for a service (e.g. cookie settings). “Opt-out” mechanisms, pre-ticked opt-ins, or implicit consent inferred from silence are not allowed.

step 2 - freely given

Consent must be freely given. If the customer has no genuine or free choice, or is unable to refuse or withdraw consent without detriment, consent is not considered “free”. For example, if, as a condition for using a payment service, the PSP requires a customer to agree that their personal data may be used for purposes completely unrelated to the delivery of that service, such “bundled” consent is considered to be given under undue pressure, meaning not free. Also, any consent given in the context of an interaction where there is a clear imbalance of power (e.g. employer/employee, doctor/patient, public authority/citizen) is not free.

step 3 - granular

The PSP must provide granular options for obtaining consent separately for different processing operations and different purposes. This means that if a PSP wishes to use personal data for purposes other than those necessary for the execution of the payment service, it should get separate consent for each of those purposes.

step 4 - specific & informed

Prior to the processing of personal data, you should provide the customer with sufficient information to enable them to understand what they are consenting to. This means that the purposes, the scope and the consequences of the data processing, as well as the identity of the data processor and the rights of the customer (see part III of this series), should be specifically described and communicated to the customer. The communication should be done in an easily accessible form (don’t hide it in general terms and conditions) and in plain and clear language that can be understood by your target audience. Consent cannot be given for vague or open-ended processing activities, for example “we will share your data with carefully selected partners for marketing purposes”.

step 5 - compatibility with the original purpose

Once you’ve communicated your purposes of personal data processing and received consent, you may not use these data for other purposes that are not compatible with the original purpose. To understand if your original purpose and your new purposes are “compatible” you may ask yourself: based on my communication, would the customer expect me to use their data in this way?  If not, you will need separate consent (see: granular consent).

step 6 - demonstrate consent

The GDPR does not prescribe any specific way in which consent must be obtained, or administered, but it does put the burden of proof on the PSP. The PSP must be able to demonstrate consent. This means that the PSP will have to keep records of their own communications, as well as the obtained consent. As there is a clear potential for disagreement on whether or not valid consent for payment was obtained, you may have to think about double opt-in (e.g. via e-mail confirmation of the consent) or other technical mechanisms that provide such proof.

step 7 - children

Personal data of children are especially protected. They may be less aware of the risks and consequences of the processing of their personal data. Ensure that you amend your language in communications to children so they can understand what they consent to. Depending on national legislation on the age limit for “children” (13-15 years), you need to get the consent of the parents as well.

step 8 - consent withdrawal

Customers have the right to withdraw consent at any time. PSPs must inform customers how they can withdraw consent. Unless there is some other legal basis for the data processing, organizations must discontinue the data processing going forward.
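The eight requirements above, as an added example in Python that is not part of the original article: a small consent ledger for a hypothetical PSP (the purpose names, notice versions and customer ids are constructed) that refuses to record consent failing steps 1, 2 and 4, allows processing only for the exact purpose consented to, and keeps withdrawn records as evidence.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Purposes the hypothetical PSP has described in its privacy notice; anything
# else is vague or open-ended and cannot validly be consented to (step 4).
DECLARED_PURPOSES = {"payment_initiation", "account_aggregation", "marketing_own_products"}
SERVICE_PURPOSE = "payment_initiation"  # the purpose needed to deliver the service itself

@dataclass
class ConsentRecord:
    customer_id: str
    purpose: str                 # one record per purpose (step 3, granular)
    notice_version: str          # privacy notice shown beforehand (step 4, informed)
    affirmative_action: str      # what the customer did, e.g. "ticked_box" (step 1)
    pre_ticked: bool = False     # pre-ticked opt-ins are not active consent (step 1)
    required_for_service: bool = False  # service refused unless given (step 2)
    granted_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    withdrawn_at: Optional[datetime] = None  # set on withdrawal (step 8)

def consent_defects(rec: ConsentRecord) -> List[str]:
    """Return the consent requirements this record fails; an empty list means valid."""
    defects = []
    if not rec.affirmative_action or rec.pre_ticked:
        defects.append("step 1: no clear affirmative action")
    if rec.required_for_service and rec.purpose != SERVICE_PURPOSE:
        defects.append("step 2: bundled with a purpose unrelated to the service")
    if rec.purpose not in DECLARED_PURPOSES or not rec.notice_version:
        defects.append("step 4: purpose not specifically described to the customer")
    return defects

class ConsentLedger:
    """Append-only consent records: the PSP's proof of consent (step 6)."""
    def __init__(self):
        self.records: List[ConsentRecord] = []
    def grant(self, rec: ConsentRecord) -> List[str]:
        defects = consent_defects(rec)
        if not defects:              # invalid consent is never stored as consent
            self.records.append(rec)
        return defects
    def withdraw(self, customer_id: str, purpose: str) -> None:
        for r in self.records:
            if r.customer_id == customer_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)  # kept as evidence, not deleted
    def may_process(self, customer_id: str, purpose: str) -> bool:
        # Exact purpose match only: a new purpose needs its own consent (step 5).
        return any(r.customer_id == customer_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self.records)
```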

For a full self-assessment of your organization’s compliance with all requirements under the GDPR and practical tips on how to remedy any privacy non-compliance, please check out our Accelerator software tooling. For more information or a complimentary Accelerator demo, please contact us at: info@privacyvalley.com.


This contribution has been made in conjunction with competition attorney Emilie van Hasselt of Van Hasselt Law, who can be reached at emilie@vanhasseltlaw.eu.


Quickly find out where your organization stands

  • Organization scan in max. 2 months
  • Access to the EU Privacy Legislation Checklist
  • Support from a privacy expert
  • Management report with status, risks & actions
  • 1 user


Manage your privacy management yourself

  • Your own Accelerator SaaS environment with interactive Dashboard, Calendar & Task overview
  • Access to all privacy Checklists
  • Registration of an unlimited number of systems & business processes
  • Generate your own privacy documents & contracts
  • Audit register for privacy compliance
  • 1-3 users


For organizations in professional services (law firms, accountancy, legal support, ICT).

Use the Accelerator Commercial to support your clients with their privacy.

  • all Accelerator functionalities
  • 1-10 admin users
  • collaborate with clients by sharing Checklists
  • access to the Privacy Valley Checklists on a simple ‘Pay per Use’ basis

The proof of the pudding

What you need to know about Privacy Shield

Privacy Shield is replacing Safe Harbor, or more accurately, it’s filling the gap Safe Harbor left behind. What does this mean for your company?

Erh, Safe Harbor?

If you are familiar with the painful downfall of Safe Harbor, you can skip this first part. For those who need a bit of a refresher, here’s a two-penny summary.

Safe Harbor was a framework agreement between the EU and the US that was supposed to ensure the protection of EU personal data in the US, and facilitate data transfer from the EU to the US. US companies could Safe Harbor-certify and subsequently data could be legally transferred from the EU to the US.

It’s safe to say that the Safe Harbor framework was largely based on trust. Trust in US companies self-certifying under Safe Harbor and the US government enforcing it. So when the news came out that the NSA was snooping through data of EU citizens, requesting access and secret back doors into the systems of Safe Harbor certified companies, some parties to the Safe Harbor romance were not amused.

“Now that was not what was agreed,” said Max Schrems, an Austrian student with a Facebook account. He challenged Facebook in court for sending his data to the US, and won. Facebook was Safe Harbor certified, but the European Court of Justice agreed with Schrems that the US (and consequently Facebook) was not providing adequate protection for Schrems’ personal data. Goodbye Safe Harbor.

With Safe Harbor out the window, transatlantic data transfers relying on Safe Harbor became illegal, instantly. Data Protection Authorities all over Europe were rubbing their hands and sharpening their teeth. In Q4 2015 they gave the EU and US Commissioners an ultimatum of less than 4 months to fix the situation. In the meantime, many companies were quick to adopt other measures to legalize their transatlantic data transfers, such as Binding Corporate Rules and Standard Contractual Clauses (BCR and SCC).


Hello, … Privacy Shield? … hellooo!?

On February 2nd 2016, the new framework for transatlantic data transfers, “Privacy Shield”, was presented, just 2 days after the deadline set by the working party of the combined EU Data Protection Authorities (the WP29).

Brilliant! You might think, so where can we find this agreement and get on with it? Ah, not so quick, the agreement does not really exist, yet. What was presented as “The new agreement” is really just a list of key elements of an agreement, which will have to be (re)formulated in more detail over the next couple of months.

Key Elements

Here are the key elements presented as the Privacy Shield:

  • more stringent rules for US companies handling EU personal data. The US Government will now actively monitor compliance with the Privacy Shield provisions;
  • clear limitations for the US authorities to access EU personal data, enforced by safeguards and oversight mechanisms. This means that EU citizens will be afforded a way to challenge the use of their data by US authorities. A novelty is that the US and EU will evaluate this new mechanism annually; and
  • easy redress for EU citizens who believe their data have been misused, via a specially appointed US ombudsman.

All cleared up?

The one million dollar question that is on everybody’s mind is whether this Privacy Shield will put an end to the uncertainty. The answer is, we don’t know. The WP29 have announced that for now, they will not undertake enforcement actions against companies that have switched to alternative methods of data transfer such as BCRs and SCCs. Once they’ve had the time to review the new Privacy Shield documentation, they will give an overall assessment and statement of validity on all data transfer methods, the Privacy Shield, BCRs and SCCs included. In other words, what we’ve heard until now are just words from the European Commission. The proof of the pudding is in the eating.

What to do

Adopt acceptable data transfer mechanisms. If your company transfers data from the EU to the US, and you haven’t already adopted one of the mechanisms that the WP29 seem to accept for now (BCRs or SCCs), we advise you to adopt such measures. This won’t give absolute certainty that what you’re doing will be considered legal in the future. But until further notice, this should keep the DPA foxes out of your data henhouse.

Keep an eye on future developments. It will take a while before the final draft of the Privacy Shield agreement is agreed. The Commissioners on both sides are optimistic about a timeline of a couple of months. However, with the US elections underway, and uncertainty as to how the next administration will receive this agreement, some commentators have warned that it’s way too early to start celebrating yet. Once the final agreement is in place, the position of the DPAs as to what is accepted and what is not may change, and you may have to change your game with it.

Helena Verhagen, Privacy Valley