The interplay between the second payment services directive, the national Romanian law on the payment services and GDPR

The second Payment Services Directive [Payment Services Directive (Directive 2015/2366/EU of the European Parliament and of the Council of the 23rd of December 2015, hereinafter ‘PSD2’] provided new rules for the market for payment services, including rules that allow new payment service providers to obtain access to payment accounts of data subjects for the purposes of providing the said services. The PSD2 rules regarding the payment services providers were transposed in the Romanian national law in 2019 by means of Law no. 209/2019 on the payment services (hereinafter ‘Law no. 209/2019’), and National Bank of Romania Regulation no. 4/2019 regarding payment institutions and specialized suppliers in account information services (hereinafter ‘Regulation no. 4/2019’). Regarding data protection, in accordance with Article 94 para. (1) of the PSD2 and art. 217 of Law no. 209/2019, any processing of personal data, including the provision of information about the processing shall be carried out in accordance with the GDPR and with Regulation (EU) No. 2018/1725. However, in addition to that, both PSD2 and Law no. 209/2019 provide for certain specific rules regarding consent, security, sensitive payment data, and silent party data, among others. Therefore, the paper will analyse the interplay and overlap in the regulatory regimes regarding the legal basis for processing data, the conditions for explicit consent, the processing of silent party data, the processing of special categories of data and sensitive payment data, and the way the payment service providers shall ensure data minimization, security, and transparency.