What is the difference between GDPR and PSD2?

GDPR (the General Data Protection Regulation) is the EU regulation that harmonises data privacy law across Europe; its model is gradually being adopted by privacy laws elsewhere in the world.

PSD2 (the Second Payment Services Directive) is an EU Directive that sets requirements for payment services and gives consumers more choice in how they manage their payments and bank accounts.


Both GDPR and PSD2 set standards with respect to:

1.    the safekeeping of personal data, and
2.    the provision of information to customers.

The GDPR applies broad rules across all industries, while PSD2's standards are specific to payment services: PSD2 provides a specific framework for payments data and how it can be accessed.


Data access vs data protection

This means that while PSD2 requires access to payment account-related data to be given (to authorised third parties, at the customer's request), the GDPR reaffirms the obligation to protect that same data.

From a payments perspective, every Payment Service Provider (PSP) is required to comply with both PSD2 and GDPR.

The two regimes can sometimes cause conflict and confusion, because there are instances where the applicable PSD2 provisions could be interpreted as regulating the same matter differently from the GDPR.

Possible conflicts between PSD2 and GDPR

One example is where a user withdraws, or never gives, consent under a GDPR privacy notice (typically the pop-up banner at the bottom of a website) but still wishes to use a Third Party Provider (TPP) service regulated under PSD2, for instance an Open Banking API behind a mobile app. The two notions of "consent" are not the same thing: the explicit consent PSD2 requires for accessing account data is a contractual requirement of the payment service, whereas GDPR consent is one of several lawful bases for processing personal data, so withdrawing one does not automatically settle the other.

Besides the data protection offered under the GDPR, users (account owners) are given increased control over their data under PSD2.

It is important to note that:

  • GDPR applies only to personal data;
  • PSD2 applies to the payment account-related data of payment service users (PSUs).

[Key differences graphic]


Are there any control mechanisms?

So how can this be controlled? PSD2 includes a built-in control mechanism: Third Party Providers (TPPs) must be licensed and/or registered with the regulating body before they can access account data.

Moreover, Account Information Service Providers (AISPs) offering products such as account aggregation services are also required to be registered entities.

The activities of TPPs are supervised by the relevant supervisory authority in each jurisdiction. 

This means that even though account servicing payment service providers (ASPSPs, typically the banks) have responsibilities for ensuring that the interfaces they offer (mostly Open Banking APIs) function properly, they are not responsible for ensuring that each TPP operates in compliance with GDPR. Each TPP is a data controller in its own right for the data it receives and is supervised as such.

A #FinTech or #NeoBank planning to step into the world of payments needs a clear understanding of, and strict compliance with, these regulations in order to avoid hefty fines and the risk of losing its licence.

Banks, as the holders of the data, carry the greater responsibility: protecting the data, opening access to it, and facing penalties in the event of a data breach.

Some interesting reads on the topic: "Balancing GDPR and PSD2" and "PSD2 and GDPR: friends or foes?"