Home » LegalTech

Tag: LegalTech

Join Us

                         Privacy Expert / InnovatorPrivacy Management Software privacy valley accelerator privacy tool privacymanagement data bescherming eu privacywet compliance

Do you want to be part of a fast-growing legal tech scale-up? At Privacy Valley we believe that compliance with the law should not be complicated. We focus on developing legal tooling that makes privacy compliance a walk in the park, so our customers can focus on what they do best, their business.

Our Accelerator is a state of the art software platform to manage privacy compliance. It gives real time insight in privacy status, tells our users how to resolve any issues and guides them intuitively towards compliance. We put our customers in control.

We are looking for business minded Privacy Counsels with a strong background in data protection, security and privacy. You will collaborate with a team of privacy, marketing and sales professionals in building and further developing the Accelerator platform. In addition, your role is outward facing. Continuously supporting and improving our service to customers and resellers in using the Accelerator Software and helping them with any remaining privacy issues and GDPR implementation.

What are we looking for?Privacy Management Software privacy valley accelerator privacy tool privacymanagement data bescherming eu privacywet compliance

“Privacy Expert and Innovator”: For our team of legal experts and innovators, we’re looking for people with a thorough understanding of privacy laws and technology. You want to be the best in your field of expertise. You feel comfortable building and innovating the Accelerator Platform and equally comfortable advising our clients who range from start-ups to international corporations. For our senior role we are looking for a minimum of 4 year-experience in the field of privacy in private practice or in-house. Experience in internet/digital companies, fintech or health-tech is an added bonus.

“Entrepreneurial and innovative bright minds”: Do you have your own ideas about what a legal-tech company should be? Maybe you’ve thought about launching your own company but you’re not quite there yet? Do you have a curious mind, and do you feel excited about the prospect of working in a fast-growing company where your expertise really can make the difference? We want to talk to you!

“Customer journey builders”: You understand that privacy laws make organizations uneasy. Not complying means they risk a big fine, reputational loss. It’s all very unpleasant. Our product is all about getting our customers back in control. What makes you happy is guiding our customers there.

Languages”: A good chunk of what we do is in English, so your English should be quite good. The same is true for security, you needn’t be a security expert, but you should understand security practices and you are comfortable speaking Security.

9-5 attitude”: Absolutely, sure, we want to get stuff done, be passionate about your work, but equally important, be passionate about yourself, your friends, family, cooking, sports, whatever makes you tick, and we know it’s not just work.

What we offer

  • A team of both seasoned and junior privacy lawyers, marketing and sales people to work with. We strive for a legal team of 5-6 lawyers, who like to bring out the best in themselves and each other.
  • The opportunity to grow with us and make your mark.
  • Attractive remuneration package.


Privacy Management Software privacy valley accelerator privacy tool privacymanagement data bescherming eu privacywet compliancePrivacy Valley is a fast-growing business so there is a lot of room for personal development. We’ve learned that the best ideas to make our product easier to use, prettier or more robust can come from anyone. Our clients, our founders, our interns, our marketing people…. So we encourage our people to contribute to our business in every which way they can. Interested? Please contact us: info@privacyvalley.com or give us a call +31848844538

PART 1 – XS2A and Consent

Is your organization reluctantly getting ready for PSD2? Or, are you jumping with excitement ready to dot the I’s on your Fintech/PSD2 business plans? Either way, if you’re in the financial services industry, it’s likely your organization is going to introduce, or face, new and innovative services that require the use and exchange of personal data. Services that are governed not only by PSD2 but also by GDPR, the EU privacy framework.


If you’re aware of the key motives of PSD2 and GDPR you can skip right to the next bit. For a bit of a refresher, here’s a 2 penny summary.

PSD2 is an EU directive that aims to promote safer and innovative digital payment services, reduce cost of financial transactions and strengthen consumer rights. The two sections of PSD2 that have attracted most debate are the obligation for banks to grant third parties access to transactional information otherwise known as XS2A (access2accounts) and strong authentication requirements for payments. These two parts of PSD2 introduce obligations for financial institutions that require the handling of personal data.reconciling PSD2 and GDPR in 5 easy steps

This is where the General Data Protection Regulation (GDPR) comes in. Its the new, and very strict, EU data protection framework that also applies to handling of personal data as required by PSD2. The key motives of the GDPR are to keep personal data safe and to reinforce the rights of data subjects by giving them control over their own data. All organizations that are active in the EU or are in the business of processing personal data of EU citizens, have to comply with the GDPR. Non- compliance can lead to fines of up to 4% of an organization’s annual worldwide turnover, or 20 Mio EUR, whichever is more.

GDPR and PSD2 both aim for better consumer protection. But at the same time as PSD2 requires open access to transactional data, GDPR introduces increasingly strict obligations to keep these data safe and ensure that consumer rights are met. In short, if you’re getting ready for PSD2, make sure that whenever you’re dealing with personal data, you also comply with the GDPR.

XS2A & Consent

Banks and payment service providers hold transactional data. Data that are carefully shielded as business assets, and are kept safe in accordance with regulatory requirements such as privacy laws. Following XS2A, third party service providers will gain access to these sensitive personal data. PSD2 however also provides that Payment Service Providers (PSPs) may gain access, process and store personal data only with the “explicit consent” of the customer. To understand what “Explicit Consent” means, and how PSPs can obtain valid consent from their users, we have to turn to the GDPR. The GDPR lists the following requirements for valid consent:

1 - active consent

The GDPR requires “a statement or a clear affirmative action” that signals the customer’s agreement to a certain data processing. Meaning, the customer has to actively do something to let you know they agree to what you are about to do with their data. Good examples are ticking a box stating they agree with the processing, or choosing technical standards for a service (e.g. cookie settings). “Opt-out” mechanisms, pre-ticked opt-ins, or implicit consent deducted from silence, are not allowed.

step 2 - freely given

Consent must be freely given. If the customer has no genuine or free choice or is unable to refuse or withdraw consent without detriment, consent is not considered “free”. For example, as a condition to use a payment service, the PSP requires a customer to agree that their personal data may be used for purposes completely unrelated to the delivery of that service. Any such “bundled” consent is considered to be given under undue pressure, meaning, not free. Also, any consent given in the context of an interaction where there is a clear imbalance of power (e.g. employer/employee, doctor/patient, public authority/citizen) is not free.

3 - granular

The PSP must provide granular options for obtaining consent separately for different processing operations and different purposes. This means that if a PSP wishes to use personal data for purposes other than those necessary for the execution of the payment service, it should get separate consent for each of those purposes.

step 4 - specific & informed

Prior to the processing of personal data, you should provide the customer with sufficient information that enables them to understand what they are consenting to. This means that the purposes, the scope and the consequences of the data processing as well as the identity of the data processor and the rights of the customer (see part III of these series) should be specifically described and communicated to the customer. The communication should be done in an easily accessible form –don’t hide it in general terms and conditions-, and in plain and clear language that can be understood by your target audience. Consent cannot be given for vague, or open ended processing activities. For example “we will share your data with carefully selected partners for marketing purposes”.

step 5 - compatibility original purpose

Once you’ve communicated your purposes of personal data processing and received consent, you may not use these data for other purposes that are not compatible with the original purpose. To understand if your original purpose and your new purposes are “compatible” you may ask yourself: based on my communication, would the customer expect me to use their data in this way?  If not, you will need separate consent (see: granular consent).

step 6 - demonstrate consent

The GDPR does not prescribe any specific way in which consent must be obtained, or administered, but it does put the burden of proof on the PSP. The PSP must be able to demonstrate consent. This means that the PSP will have to keep records of their own communications, as well as the obtained consent. As there is a clear potential  for disagreement on whether or not valid consent for payment was obtained, you may have to think about double opt-in (e.g. via e-mail confirmation of the consent) or other technical mechanisms that provide such proof.

step 7 - children

Personal data of children are especially protected. They may be less aware of the risks and consequences of the processing of their personal data. Ensure that you amend your language in communications to children so they can understand what they consent to. Depending on national legislation on the age limit for “children” (13-15 years), you need to get the consent of the parents as well.

step 8 - consent withdrawal

Customer’s have the right to withdraw consent at any time. PSPs must inform customer’s on how they can withdraw consent.  Unless there is some other legal basis for the data processing, organizations must discontinue the data processing going forward.

For a full self-assessment of your organizations compliance with all requirements under the GDPR and practical tips on how to remedy any privacy non-compliance, please check out our Accelerator software tooling. Accelerator privacy softwareFor more information or a complimentary Accelerator demo, please contact us at: info@privacyvalley.com.


This contribution has been made in conjunction with competition attorney Emilie van Hasselt of Van Hasselt Law who can be reached at  emilie@vanhasseltlaw.eu.