
TRANSPOSITION OF THE PSD2 IN AUSTRIA

4. Data protection

Data protection and privacy laws become more and more relevant in the area of payment services. This development is also connected to the entry into force of the GDPR.28 The relationship between the GDPR and the PSD2 is, however, not always free of tensions.

4.1. The transposition of Art 94 PSD2

The PSD2 addresses data protection in Art 94. The general rule set forth by this provision is that “payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user” (Art 94(2) PSD2). For reasons that are not entirely clear, the Austrian legislator chose to transpose this rule in two separate provisions – § 24 and § 90 ZaDiG 2018. While § 90 contains, following the structure of the PSD2, the general rule on the protection of personal data, § 24 refers – based on Art 21 PSD2 – to record keeping; the latter article does not explicitly mention the protection of personal data.29 Admittedly, § 24 ZaDiG 2018 and Art 21 PSD2 do concern the protection of personal data in a wider sense because the recording and the storage of personal data constitute acts of “processing” within the meaning of Art 4(2) GDPR. However, it remains obscure why the Austrian legislator deemed a transposition of Art 94 PSD2 (only) in § 90 ZaDiG 2018 insufficient. In fact, the foundations of the current legal situation had already been laid in § 18 and § 61 ZaDiG 2009, against the background of a similar European legal basis (Art 79 PSD I). Moreover, § 24 and § 90 ZaDiG 2018 use a different wording: While § 24 ZaDiG 2018 refers to “ausdrückliche Einwilligung”,30 § 90(4) ZaDiG 2018 speaks of “ausdrückliche Zustimmung”.31 Both versions can be translated into English as “explicit consent” but do constitute different terms in German; the latter term might, in certain situations, be understood to refer to a contractual relation under private law rather than to a consent given within the meaning of the laws on data protection.32 However, there is no indication that the Austrian legislator desired to implement a different meaning in the two related sections. The current wording of the ZaDiG 2018 might be the result of the rather complicated legislative history of the two provisions, as the rules on data protection were moved back and forth between § 24 and § 90 in different versions in the course of the transposition of the GDPR and the PSD2 and were also altered in comparison to the respective drafts.

28 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ 2016, L 119, 1-88.

29 “Member States shall require payment institutions to keep all appropriate records for the purpose of this Title for at least 5 years, without prejudice to Directive (EU) 2015/849 or other relevant Union law.”

30 “Zahlungsdienstleister dürfen die für das Erbringen ihrer Zahlungsdienste notwendigen personenbezogenen Daten nur mit der ausdrücklichen Einwilligung des Zahlungsdienstnutzers verarbeiten.”

31 “Zahlungsdienstleister dürfen die für das Erbringen ihrer Zahlungsdienste notwendigen personenbezogenen Daten nur mit der ausdrücklichen Zustimmung des Zahlungsdienstnutzers abrufen, verarbeiten und speichern.”

32 Cf. Duy/Stempkowski, PSD II und Datenschutz, Österreichisches Bankarchiv 2018, 791 (794-795).

It should be noted that it is not clear whether Art 94 PSD2 and §§ 24, 90 ZaDiG 2018 refer to an explicit consent within the meaning of the GDPR33 or an explicit contractual consent under the rules of the regime for payment services. The prevailing opinion in Austria – given the practical problems and the inherent inconsistencies with other sectors where an explicit consent under the GDPR is not required – seems to be that Art 94 and the corresponding provisions in the ZaDiG 2018 are not to be construed as a reference to the GDPR but rather as a reference to contractual principles for the provision of payment services.34 This approach seems to be reasonable; furthermore, the European Data Protection Board appears to be of the same opinion.35

33 There, the term “consent” of the data subject refers to “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art 4(11) GDPR). While under Art 6 GDPR, the data subject’s consent need not necessarily be “explicit”, Art 9(2)(a) GDPR requires – in respect of special categories of personal data – an “explicit” consent.

34 See, e.g., Duy/Stempkowski, Österreichisches Bankarchiv 2018, 791 (795).

35 European Data Protection Board, Letter EDPB-84-2018, https://edpb.europa.eu/sites/edpb/files/files/file1/psd2_letter_en.pdf (accessed 30 January 2020).

4.2. Case law on the relationship of payment services and the protection of personal data

Recent case law analyzed the relationship of PSPs and payment service users from the perspective of both the PSD2 and the GDPR.

The facts of the first case36 were the following: Due to a dispute, a person requested – free of charge – account statements in respect of the last five years from her PSP;37 online access was provided, but only with regard to the past year. The PSP was, in principle, willing to issue the statements but demanded a payment of 120 EUR (= 30 EUR per year for each of the four years, 2013-2016). As far as can be seen, this was in conformity with the laws on payment services as well as the corresponding framework contract; however, the claim was not based on these rules but rather on the right of access to personal data (which is now regulated in Art 15 GDPR). Since the PSP did not comply with the request, a complaint was filed with the Austrian Data Protection Authority (DSB).38 The DSB found the complaint to be substantiated; later, the decision was upheld by the Federal Administrative Court (Bundesverwaltungsgericht – BVwG).

36 See BVwG 24.5.2019, W258 2205602-1; the court already applied the GDPR and the ZaDiG 2018.

37 To be specific, the request referred to transaction data concerning the building administration.

In essence, the question was whether the rules of the ZaDiG 2018 would prevail over the rules of the GDPR. The court held that the rules of the PSD2 were, compared to Art 15 GDPR, of a different nature; while Art 15 GDPR refers to a right of access, based purely on the data subject’s initiative, the rules for payment services were interpreted as information obligations, obliging the PSP to take actions to inform the payment service user.39 Moreover, the court did not consider the request to be “manifestly unfounded or excessive” within the meaning of Art 12(5) GDPR which states that the information under Art 15 GDPR shall be provided free of charge; the court explicitly ruled that it did not matter that the information request under the GDPR was only made to circumvent the fees that would have been due according to the rules of the ZaDiG 2018 and the framework contract.40 Accordingly, the BVwG held that the rules of the PSD2 and the ZaDiG 2018 were not leges speciales in relation to the GDPR and the complainant could indeed rely on the framework of data protection to enforce her rights; both types of rights essentially exist in parallel. It is not surprising that there are diverging views on this question in Austria.41 Indeed, one could ask whether the court’s reliance on the cited decision of the ECJ requires further analysis. This is because the ECJ delivered its opinion on the relation between different provisions of the same directive, whereas the GDPR and the PSD2 constitute two separate acts of legislation that are not necessarily fully coherent from a systematic point of view.

38 DSB 21. 6. 2018, DSB-D122.844/0006-DSB/2018.

39 BVwG 24.5.2019, W258 2205602-1 at 3.4.3.1.-3.4.3.7. referencing ECJ 7. 5. 2009, C-553/07 at 69; the BVwG explicitly considered it to be irrelevant that the obligations under § 53(2) ZaDiG 2018 (and Art 57(2) PSD2) are triggered upon the payer’s request.

40 BVwG 24.5.2019, W258 2205602-1 at 3.4.4.1.-3.4.4.5.

41 See, e.g., Knoll, Kontodaten nach der DSGVO, Datenschutz konkret 2019, 32 (33) (considering the ZaDiG 2018 as a lex specialis); see also Koch, ÖBA 2019, 106 (114-115).

A different case before the BVwG42 that also involved the data protection laws concerned a claim for information in written form regarding, among other things, the account movements of the complainant’s account in the course of the preceding seven years.

The court acknowledged that payment documents can contain personal data not only of the concerned person, but also of third parties (cf. Art 15(4) GDPR); and that the right of access to data aims at enabling the data subject to examine whether the processing of the data was lawful. However, the court upheld the claim insofar as the claimant’s personal data were concerned.43

5. Regulation of cash withdrawal services by means of ATM