Can the presentation by the consumer of its identification data to the merchant (e.g. CustomerID and IBAN through a QR code read by the Point of Interaction (POI)) be interpreted as the consumer providing explicit consent via the merchant to the usage of this data by a Payment Initiation Service Provider (PISP) that has a contractual relationship with the merchant (but not with the consumer) for the processing of data that will enable the initiation of a single (instant) credit transfer with the consumer’s Account Servicing Payment Service Provider (ASPSP), subject to sufficient information about this PISP made available beforehand to the consumer (in accordance with Articles 44 and 45 of PSD2)? Or is the explicit consent of the consumer to the PISP required by way of contract, as mentioned in section 3.2.1 of the EDPB Guidelines 06/2020 on the interplay of Directive 2015/2366/EU (PSD2) and the GDPR?
Article 94(2), PSD2, states that payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment user.
Typically for (instant) credit transfers at the POI based on consumer-presented data (e.g. a QR-code with CustomerID and IBAN read by the merchant POI), a PISP could be involved on the merchant side who use the PSD2 Application Programming Interface (API) to connect to the consumer’s ASPSP, but the same PISP might not have a relationship with the consumer (e.g. in case of a single transaction) to initiate the transaction with the consumer’s ASPSP.
How can the consumer give its consent to this PISP via the merchant with respect Article 94(2), PSD2, in particular for in-store transactions? Could the fact that the consumer presents their identification data to the merchant POI (e.g. a QR-code with CustomerID and IBAN read by the merchant POI) be interpreted as an explicit consent to the PISP through the merchant?
As provided for by Article 94(2) of Directive (EU) 2015/2366 (PSD2), where the Payments Initiation Service Provider (PISP) is involved on the merchant side, at the point-of-interaction, the presentation of the payer´s information (e.g. Customer-ID and IBAN through a QR-code read by the merchant) can be considered to satisfy the requirements of explicit consent for processing of personal data. In order to satisfy the information requirements of Articles 44 and 45 PSD2 the payer has to be informed, or have access to clear and comprehensive information by this PISP prior to the initiation.
The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.