Tensions between the PSD II and the GDPR are expected to mount as financial entities seek to comply with overlapping provisions in the two pieces of legislation. In the case at hand, the Court examined the interaction between provisions aiming at similar results, i.e. the right of access to personal information.
Merits
An individual in Austria, having a legal dispute with his landlord, needed evidence of his rent payments made over the previous five years. Since relevant data on his bank’s online system were available only for the last 12 months, he requested from his bank the information corresponding to the preceding four years. Based on the Austrian law provision implementing Article 40(2)1 of the EU Payment Services Directive (2015/2366/EC) (PSD II), the bank replied that the information could be provided for a charge of approx. 30 EUR per year. In response, the individual submitted a request under the data protection legislation, asking for his personal data processed by the bank and more precisely the payments made to various property management companies over the previous five years. The bank failed to reply to said request and the individual filed a complaint with the Austrian Data Protection Authority, which ruled in his favour, holding that the bank had violated the applicant’s right to information and had to provide the requested information within two weeks pursuant to Article 15 of the GDPR (Right of access by the data subject)2.
Decision of the Federal Administrative Court of Austria
On the bank’s appeal, the Federal Administrative Court of Austria upheld the Data Protection Authority’s decision, ruling that3:
• The consumer obligation information under the PSD II and the right to information of data subjects under the GPDR are conceptually different and must not restrict each other. Accordingly, the lex specialis argument raised by the bank, i.e. that Article 15 of the GDPR should not be construed in a way that contradicts the PSD II, was dismissed.
• The above rights exist side by side4, hence, the fulfilment of the obligation information under the PSD II does not result in the loss of the bank’s customer’s right to access information under Article 15 of the GPDR. In other words, data subjects may exercise their right to access information, irrespective of whether the payment service provider has complied with his obligation information under the PSD II.
Comments
Before assessing the above ruling as a victory for the applicant and the banks’ customers in general, it should be noted that the information requested by the latter pertained only to specific payment transactions and not full account statements. In addition, based on Article 15(3) of the GDPR, “[…] where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form […], meaning that the banks may provide the requested information in a mere electronic spreadsheet or printout. And of course, the right of access by the data subject is a qualified one, since its exercise shall not adversely affect the rights and freedoms of others (Article 15(4) GDPR), i.e. some details may be blacked out.
All in all, the most significant point of the dispute remains the relationship between the relevant provisions of the PSD II and GDPR and how Courts, and particularly the European Court of Justice, will treat the “lex specialis” argument raised by the bank5.
1 Article 40, Charges for information, (2): The payment service provider and the payment service user may agree on charges for additional or more frequent information, or transmission by means of communication other than those specified in the framework contract, provided at the payment service user’s request.
2 DSB, 21 June 2018, D122.844/0006-DSB/2018
3 BVwG, 24 May 2019, W258 2205602-1.
4 [3.4.3.7. Da die etwaige Erfüllung von Informationspflichten – hier nach ZaDiG 2018 – nicht zum Verlust des Auskunftsrechts der betroffenen Personen nach Art 15 DSGVO führen kann, bestehen die Rechte nebeneinander. Die mitbeteiligte Partei konnte das Recht auf Auskunft nach Art 15 DSGVO somit unabhängig davon ausüben, ob die BF ihren Pflichten nach ZaDiG 2018 nachgekommen ist oder nicht].
© Logaras Law (2023). All contents on this website, including logos, trademarks, texts, newsletters and articles (hereinafter the “Contents”), are protected under intellectual property law. Except where otherwise stated, use, downloading, reproduction and distribution in whatever form and by whatever medium (including Internet) for whole or part of the Contents available on this website and newsletter is not authorized.