9 January 2018

New rules on processing of payment data from 2018

New and more lenient rules on processing of payment data came into force at the turn of the year. We will monitor how the business community will make use of these new possibilities, and how the changes may contribute to supporting the Fintech wave.

At the turn of the year, the rules on processing of payment data were eased. The new Payment Services Act will abolish the previous Danish exceptional prohibition, and the Act now allows for business operators to process payment data in connection with depersonalisation and provision of services directly aimed at the consumer. The processing requires explicit consent from the consumer, and it must appear clearly from the consent form which data are being processed and for which purpose.


Previously, the Danish Consumer Ombudsman applied a narrow interpretation of the provisions of the Payment Services Act applicable at that time concerning the processing of data connected with a payer’s use of a payment card or Online bank (payment data). Originally, it was the practice of the Consumer Ombudsman that the prohibition against processing of payment data in section 85 of the Payment Services Act only applied to companies covered by the Act.

In 2016, the Consumer Ombudsman changed its practice and since then, the prohibition against processing of payment data under the Payment Services Act has applied to all business operators and not only banks and providers of e-money or payment services. The financial overview which most people know from their Online banks was originally prohibited by the Consumer Ombudsman, but the Danish FSA made a special exemption for the banks in April 2014 if the payment data were only available to the consumer and only in the period during which the consumer was logged on to the Online bank.

It is expected that the Consumer Ombudsman will still apply a narrow interpretation of the possibilities for processing of payment data, but the basis will be different, as the Payment Services Act will break with the Danish exceptional prohibition.

Below, we will give you an overview of the processing of payment data under the new Act.


The new rule reads as follows:

Section 125. The Act on processing of personal data applies to business operators processing payment data, cf. however subsections 2-6.

Subsection 2. A business operator must obtain prior explicit consent from a consumer if the business operator processes payment data in connection with the provision of a service, which is directly aimed at the consumer, cf. subsection 3, no. 2.

Subsection 3. A business operator shall only process payment data in connection with the:

  • Implementation or correction of a payment transaction;
  • Provision of a service directly aimed at the consumer; or
  • Depersonalisation of payment data.

Subsection 4. Notwithstanding of subsection 3, the payment data may not be processed in order to offer individual prices or terms of the same product or service to different customers. As regards insurance contracts, it further applies that payment data may not be processed in connection with the performance of insurance contracts.

Subsection 5. Notwithstanding of subsection 4, a business operator may process aggregate payment data for the purpose of a credit rating.

Subsection 6. Notwithstanding of subsection 3, a business operator shall not transfer payment data to a third party, unless the transfer is authorised by other legislation or takes place in connection with the execution or correction of a payment transaction or the provision of a service requested by the consumer, and which is not contrary to subsections 2-5.


Payment data are person identifiable data connected with a payer’s use of a payment service, the type of the payment service used (credit card) and the object(s) purchased using the payment service. In general, it will be the data appearing from the payer’s online bank, but the data may also include what the payer purchased and the price. Payment data are considered personal data and are therefore covered by the general personal data regulation.

The concept of personal data must be interpreted in accordance with the Personal Data Act, and thereby also future EU regulation on data protection, and personal data therefore constitutes all kinds of data on an identified or identifiable physical person. In general, this means name, address, contact data, social reg. no., etc. and, under the Payment Services Act, this will include card and account number as well as the name of the holder of the card or account. Any processing of payment data must therefore be in accordance with good data processing practices and the principles on necessity, transparency, proportionality, restriction of purpose and a reasonable storage period.

Payment data, which are not collected via a payment service but for example via a loyalty programme, are not covered by the definition of payment data if the data are collected as a clearly separate function and thereby independently of a payment service. Loyalty programmes will meet these requirements when the processing of the data relating to the use of the payment service, and the product/service purchased, takes place in separate data flows. The loyalty function and the payment function may, however, be collected on the same payment card as long as there are two separate functions, data flows and systems. In this case, the data obtained for the loyalty programme will not constitute payment data, but will still constitute personal data, which must be processed in accordance with personal data law.

Depersonalised data do not constitute payment data or personal data and are therefore not covered by the Payment Services Act (or personal data law).


Under section 125 of the Payment Services Act, a business operator may only process payment data for the following purposes:

  • Implementation or correction of a payment transaction;
  • Provision of a service directly aimed at the consumer;
  • Depersonalisation of payment data;
  • Credit rating (in case of aggregate payment data).

The list is exhaustive, non-waivable for the consumer and applies to all business operators processing payment data, and not only providers of payment services. The data processed must be necessary and proportionally matched to the service provided, and the business operators should comply with the “privacy by design” and “privacy by default” principles incorporated in the EU regulation on data protection.

The requirement for consent does not apply in connection with processing of payment data when the processing takes place in connection with the implementation or correction of a payment transaction or in connection with depersonalisation of payment data. Consequently, the requirement for consent only applies in connection with provision of services aimed directly at the consumer. This implies services which the consumer requests and has actively requested to receive/use, for instance concerning:

  • Overview of the consumption
  • Budget planning
  • Categorisation and comparison of consumption
  • Notification concerning consumption, consumption patterns and unusual transactions
  • Payment reminders
  • Marketing
  • Advice
  • Discount and loyalty programmes
  • Automatic reporting to public authorities of charity donations.

This provision makes it possible also to use payment data with the consumer’s consent for individual marketing aimed at the consumer. But it is not possible to fix individual prices or terms to the consumer based on the payment data - so-called individual price discrimination.

The business operator may not use, access or store data for other purposes than provision of the service explicitly requested and consented to by the consumer. The business operator may also not disclose payment data to a third party, unless disclosure is part of the provision of the service requested by the consumer, when stipulated by law or when necessary to execute or correct the transaction.


It is a mandatory requirement that the business operator must obtain explicit consent from the consumer if the business operator processes payment data in connection with the provision of a service directly aimed at the consumer.

The consent must be obtained with the consumer's full knowledge of the facts, and before the processing of the data initiates. However, there is nothing that prevents that the consent forms part of a framework agreement or standard terms, as long as this clearly appears from the agreement and is clear to the consumer.

The consent form must contain clarifying information in respect of the payment data processed and its purpose. It is therefore not sufficient that the business operator obtains consent to the processing of all available payment data in connection with the provision of an unspecified service. It must be clear to the consumer that the payment data is used for e.g. an overview of the consumption to help the consumer get an overview of his/her private economy.

The requirement for consent does not apply in case of depersonalisation of payment data or the implementation and correction of payment transactions.


The prohibition against offering individual prices or terms to the consumer based on payment data includes fixing of interest on a loan and insurance premiums. This is a general prohibition against discriminatory pricing of different prices of the same product based on payment data.

The prohibition tries to takes into consideration that the business operator may not identify the consumer’s willingness to pay and set prices on this basis. The intention is to ensure that the consumer’s possibility of using an offer, a loan, a special price or insurance will not depend on how the consumer chooses to compose his consumption.

Therefore, section 125 (4) concerning individual prices does not prevent e.g. that retailers rely on data obtained from loyalty card systems with separate data flows. This means that loyalty programmes at e.g. supermarkets, where the payment data and purchase data are processed as separated data, are exempted from the rules (however, please note the provisions of the EU regulation on data protection concerning profiling, including especially article 22).

Loyalty programmes with general and predetermined discount structures may continue and be supplemented with a number of individual marketing measures, as long as the consumer consents to the processing of his payment data.


The new rules on the processing of payment data provides a number of possibilities for established as well as new businesses. It will be especially interesting to follow the development of proactive use of payment data for the purposes of advice and individual marketing.

The Payment Services Act came into force on 1 January 2018, and Horten will closely monitor the development in the area.

related news

New rankings from Chambers

13 March 2018

Chambers, the leading international guide to the best law firms, ranks Horten as one of the best in the country yet again.

Chambers nominates Horten as Greenland expert

21 February 2018

The recognised international ranking agency Chambers has ranked Horten as one of the country’s leading law firms specialised in the conditions prevailing in Greenland.

Unique cooperation between Horten and Symbion

5 February 2018

Horten has entered into unique cooperation with Symbion and Accelerace where we will make a team of lawyers available for start-up businesses at the shared office facilities Horten CoLab.

Four new partners at Horten

16 January 2018

With effect from 1 January 2018, Horten appointed Christian Tullberg, Kristoffer Westberg, Christina Steen and Niels Jørgen Oggesen as partners.

New Managing Partner at Horten

2 January 2018

Finn Schwarz, Attorney and Partner, has been appointed Managing Partner of Horten Law Firm as of 1 January 2018.

Tender Offer to shareholders of Copenhagen Airports

11 December 2017

Copenhagen Airports announced on December 8 that a vehicle owned by Ontario Teachers Pension Plan and ATP has made a mandatory tender offer to the shareholders of Copenhagen Airports.

Loans to property companies are not considered leverage in property funds

23 November 2017

Recently, the Company Appeals Board decided to reject the FSA's narrow case law concerning exemptions when calculating leverage in alternative investment funds.

IFLR1000 recognises 12 Horten partners

18 October 2017

The international directory IFLR1000 recently published its Financial and Corporate Rankings for 2018 - and Horten has improved its ranking in several areas.

Compliance: E-leaning in competition law

20 September 2017

Horten now offers e-learning in competition law tailored to each company.

ATP makes investment in Copenhagen Airports - tender offer expected

15 September 2017

Copenhagen Airports (Nasdaq Copenhagen listed; ticker: KBHL:DC), the operator of the largest airport in the Nordic Region, announced on September 13 that ATP together with Ontario Teachers' Pension Plan had agreed to purchase a stake in Copenhagen Airports bringing joint control over 57.7 per cent of all shares and votes.

The Maritime and Commercial High Court states: Hästens' trademark infringed

18 August 2017

The Maritime and Commercial High Court has ruled that Hästens Sängar AB’s blue check pattern is a (well-known) trademark in Denmark. The manufacturer Nordicform AS, Magasin and a number of other distributors have thereby infringed Hästens’ trademark rights and violated the Danish Marketing Practices Act by selling bedclothes with the blue check pattern, and they must pay compensation.

Google - an overview of the summer’s EU case against the internet giant

27 July 2017

In June 2017, the European Commission ruled in the first of three pending cases against Google and ordered Google to pay a record-high fine of EUR 2.42 billion for abuse of its dominant position. According to the European Commission, Google favoured Google Shopping in its search engine.

The International Comparative Legal Guide to Alternative Investment Funds 2017

28 June 2017

The International Comparative Legal Guide to Alternative Investment Funds is published each year. Partner Claus Bennetsen has contributed to this year's edition.

Change in the regulation of investment advisors

12 June 2017

With a new act, the regulation of investment advisors will be transferred from the Financial Business Act to the Act on financial advisors and mortgage credit intermediaries. As the change introduces restrictions as to which financial instruments investment advisors must advise on, investment advisors may now also receive and transmit orders from investors.

New Payment Services Act adopted

2 June 2017

On 2 June 2017, the Danish parliament adopted the long-awaited new Payment Services Act, which will come into force on 1 January 2018.

Final sale of LM Wind Power to General Electric

1 May 2017

The actual takeover of LM Wind Power took place on 20 April 2017 following the competition authorities' approval in the EU, USA, China and Brazil.

Horten advances in new Chambers and Legal 500 rankings

19 April 2017

In 2017, the leading international ranking agencies, Legal 500 and Chambers, are once again ranking Horten among the best law firms in Denmark.

Horten is part of Copenhagen Fintech Lab's Law Connect

20 March 2017

Horten participates in Copenhagen Fintech Lab’s Law Connect programme where we, together with a number of other law firms, are to assist the Lab's residents with relevant legal sparring.

Comparative markets - supermarkets and hypermarkets

9 March 2017

The CJEU recently issued its ruling in case C-562/15 on comparative advertising comparing prizes between shops of different sizes and formats.

Global Leaders in Law appoints Horten as exclusive partner for Denmark

10 January 2017

Global Leaders in Law, the leading global general counsel forum based in London, and Horten has announced partnership. Appointed as a global bronze partner, Horten will sponsor the activities of Global Leaders in Law in 2017.

New billion loan supports the development of Carlsberg Byen's largest phase so far

5 January 2017

Horten has advised Carlsberg Byen in connection with the conclusion of a DKK 4.2 billion financing agreement with the pension company PFA.

New partners

4 January 2017

With effect from 1 January 2017, Horten appointed Lars Lüneborg and Julie Arnth Jørgensen as partners.

Legalisation of loans to shareholders and members of management adopted

1 December 2016

Until now, Denmark has been one of the few EU countries that has not allowed companies to issue loans to shareholders and members of management, except for loans to Danish and some international parents. Obviously, this is a competitive disadvantage. On 1 January 2017, such loans will be legal.

Greenland adopts personal data act

22 November 2016

From 1 December 2016, the Personal Data Act became effective in Greenland at the request of the Greenland Home Rule. The Act replaces the data protection legislation from 1978, which has applied in Greenland until now.

Mezzanine Capital Partners grants EUR 15 million to MBL Gruppen

31 October 2016

Mezzanine Capital Partners has concluded an agreement with MBL concerning a grant to the company and its shareholders of EUR 15 million to ensure MBL's future geographical growth and development of its product range. Horten has assisted MBL Gruppen.

Horten acts as GE’s Danish lawyer in GE’s acquisition of LM Wind Power

28 October 2016

Horten has acted as GE’s Danish lawyer in GE’s intent to purchase LM Wind Power, a Denmark-based manufacturer and supplier of rotor blades to the wind industry.

Dynamic IP addresses may constitute personal data

19 October 2016

The European Court of Justice recently ruled in C-582/14 that a dynamic IP address may constitute personal data.

IFLR1000 ranks eight Horten partners as Leading Lawyers and two as Rising Stars

18 October 2016

The international directory IFLR1000 recently published its Financial and Corporate Rankings for 2017. These rankings were good news for Horten, as we have increased the number of partners ranked as Leading Lawyers within their legal areas of expertise.

Legalisation of loans to shareholders and members of management

7 October 2016

Danish businesses will finally be able to grant loans to shareholders and members of the management in connection with the adoption of a new bill.

Horten assists VPK Packaging Group with acquisition of Peterson Packaging

3 October 2016

On 3 October 2016, the Belgian packaging manufacturer VPK Packaging Group acquired the Norwegian Peterson Packaging A/S from Pemco A/S and Unitel A/S.

NETS awards shares to approx. 2,500 employees

30 September 2016

In connection with the recent IPO, NETS, the leading supplier of payment solutions, awarded a total of 400,000 shares to approx. 2,500 employees.

Axcel, PFA and PKA acquires control in Danish Ship Finance

28 September 2016

Danish Ship Finance, the leading Copenhagen based dedicated ship finance institution, today announced that its large owners Danske Bank A/S, Danmarks Nationalbank, A.P. Møller-Maersk A/S and Nordea Bank AB (publ) had entered into an agreement to sell their entire shareholdings equal to 72 per cent of the shares in Danish Ship Finance to a Danish consortium consisting of Axcel, PFA and PKA.

IPO of Nets

27 September 2016

Nets, the Copenhagen based digital payment provider, settled the sale and purchase of offer shares in its successful IPO on Nasdaq Copenhagen.

When is a floating company charge accepted?

20 September 2016

In the Cimber case, the Supreme Court must decide when a chargee accepts a floating company charge.

Internet media under pressure because of new EU ruling

15 September 2016

The latest ruling on hyper links and copyright confirms previous case law and adds a new rule of presumption, which may threaten the existence of some Internet media.

Circle K wins over OK in legal action concerning a new logo - Horten assisted Circle K

25 August 2016

Horten has assisted Circle K in a legal action against OK. OK claimed that Circle K's new logo infringed the company's trademark rights to OK and was therefore contrary to the Trademark Act.

New rankings from IFLR1000: Horten is still the leading law firm within energy and infrastructure

22 June 2016

Every year, the international directory IFLR1000 publishes a guide of the world's best law firms within energy and infrastructure. In the recently published guide, Horten is, like last year, rated as one of the country's best advisers within this area.

A/B Duegården was allowed to go bankrupt

11 May 2016

The Supreme Court has ruled in the widely publicized case A/B Duegården in liquidation vs. Nykredit Bank A/B and Nykredit Realkredit A/B.

New ratings from the international reference book Legal 500

4 May 2016

There are several good news for Horten in the new rankings, among these to new Tier 1-ratings in Media & entertainment and Telecoms.

Bill on registration of actual shareholders adopted

19 April 2016

On 1 March 2016, a bill on registration of actual shareholders was adopted by the Danish Parliament. The act will, among others, amend the Companies Act.

New association: The Danish association for marketing law

13 April 2016

11 of Denmark's leading experts within marketing law have established the Danish Association for Marketing Law. The association's first arrangement will take place on 3 May and focus on hidden advertising.

International women lawyers discuss the future of the legal profession

6 April 2016

Horten participates when 150 lawyers from all over the world meet in Berlin on 7-8 April under the headline "Law in a changing world – how women can contribute to innovation of the legal profession".

Horten Corporate Day 2016 - Danish companies at the forefront

18 March 2016

At Horten's Corporate Day 2016 on 16 March, Danish and foreign executives and experts gave their views on the trends and opportunities of the Danish business sector. Horten will repeat the success next year with Horten Corporate Day 2017.

Public-private investments in Greenland

9 March 2016

On 26 February 2016, Horten and Nuna Law Firm hosted a conference with focus on public-private investments in Greenland.

New online dispute portal and requirements for web shops

19 January 2016

In the future, all Danish and EU web shops must link to the pan-European online dispute portal ODR (Online Dispute Resolution). ODR will be available from 15 February 2016.

New practice on diminished value in online purchasing

13 January 2016

A failure to state the cancellation terms entitles the consumer to a full refund if the purchase is cancelled within 14 days.