The nuts and bolts of data protection for the new payment services.
The Account Information and Payment Initiation services make the payment services market more versatile, and they certainly raise some interesting data-protection questions. Account Information Services provide consolidated information on payment accounts, e.g. via multibanking apps, whereas Payment Initiation Services, such as the Swedish provider Klarna, trigger online payment transactions.
A Three-Person Affair
Until now, only the account-holding payment service providers could provide information on account data, and payments would be triggered by the customers themselves. With the onset of Account Information and Payment Initiation services, these relationships can now be three-way. This means that personal data is processed by yet another party, which can have unpleasant consequences for the data subjects.
The Austrian Payment Services Act 2018 (ZaDiG) addresses this market development through tailored data-protection restrictions: the new payment services may not pass data on to third parties or store it for longer than is necessary for their service. They may access sensitive payment data, such as personalised security features (PIN, TANs, signatory number), only if this is necessary for their service. Such data, which is an attractive target for fraud, may only be processed by the new payment services to a very limited extent: Payment Initiation Service providers may not store it, and Account Information Service providers are not allowed to request it at all.
Do you have questions? The BTP expert team will be happy to advise you on the legal requirements relating to data protection and payment services.