
What does GDPR mean for payments?

The European Payments Council (EPC) has published an infographic setting out the main ways in which the General Data Protection Regulation (GDPR) will affect payments and payment service providers (PSPs). It notes that, when it comes to data privacy, payments are likely to be one of the most sensitive areas for consumers. Among the points it makes is that a PSP may process personal data on the basis of the customer's consent, but also on the following lawful grounds:

  • to ensure the performance of a contract;
  • to comply with a legal obligation;
  • to safeguard a data subject's vital interests;
  • for the purposes of its legitimate interests (except where those interests are overridden by the interests or fundamental rights of the individual).

The infographic also highlights an important distinction between GDPR and the revised Payment Services Directive (PSD2): the notion of 'sensitive payment data' under PSD2 should not be confused with the special categories of personal data under GDPR. PSD2's term is about fraud risk and centres on personalised security credentials that could be used to carry out fraud, whereas GDPR's special categories cover data such as health or biometric data. The two regimes also differ on the legal basis for processing. Under PSD2, PSPs may access, process and retain personal data only where it is necessary for the provision of the specific payment service and with the explicit consent of the payment service user. Under the GDPR, however, consent is just one of several possible grounds for processing personal data.
