The Dutch Data Protection Agency has published a new Q&A on the explicit consent (uitdrukkelijke toestemming) requirements for payment service providers (PSPs) for accessing personal data under PSD2.
PSPs are required to request explicit consent for accessing personal data. Different rules apply if the services provided are limited to account information services. A PSP may only request explicit consent regarding access to personal data which is necessary for providing its services.
On 18 October 2018, the Dutch Data Protection Agency (Autoriteit Persoonsgegevens) issued a Q&A on the explicit consent (uitdrukkelijke toestemming) requirements for payment service providers (PSPs) under PSD2.
The Q&A provides, among others, the following clarifications:
- Consent should be requested separately from any other parts of an agreement between parties.
- Explicit consent is only deemed to have been given when consent has been freely given. Pressuring a consumer into giving consent is not allowed; the consumer must be able to decline without suffering a disadvantage.
- Consent must be given unambiguously and actively. It must be unmistakably clear that consent is given, following for example from a (digital) written or spoken statement. Implied consent may not be assumed. Using pre-ticked boxes is not allowed.
- Consumers must be informed, in an accessible manner and in understandable language, of: the purpose (and means) of the personal data processing and the identity of the organisation deciding on it; which personal data is collected and used; and the right to withdraw consent, which must be as simple as giving consent.
- Consent has to be given for specific processing and a specific purpose.
A payment service provider must be able to demonstrate, upon request by the supervisory authority, that it has requested and been given unambiguous consent.