At the turn of the year, the rules on processing of payment data were eased. The new Payment Services Act will abolish the previous Danish exceptional prohibition, and the Act now allows for business operators to process payment data in connection with depersonalisation and provision of services directly aimed at the consumer. The processing requires explicit consent from the consumer, and it must appear clearly from the consent form which data are being processed and for which purpose.
ABOLISHMENT OF DANISH PROHIBITION
Previously, the Danish Consumer Ombudsman applied a narrow interpretation of the provisions of the Payment Services Act applicable at that time concerning the processing of data connected with a payer’s use of a payment card or Online bank (payment data). Originally, it was the practice of the Consumer Ombudsman that the prohibition against processing of payment data in section 85 of the Payment Services Act only applied to companies covered by the Act.
In 2016, the Consumer Ombudsman changed its practice and since then, the prohibition against processing of payment data under the Payment Services Act has applied to all business operators and not only banks and providers of e-money or payment services. The financial overview which most people know from their Online banks was originally prohibited by the Consumer Ombudsman, but the Danish FSA made a special exemption for the banks in April 2014 if the payment data were only available to the consumer and only in the period during which the consumer was logged on to the Online bank.
It is expected that the Consumer Ombudsman will still apply a narrow interpretation of the possibilities for processing of payment data, but the basis will be different, as the Payment Services Act will break with the Danish exceptional prohibition.
Below, we will give you an overview of the processing of payment data under the new Act.
THE NEW RULE
The new rule reads as follows:
Section 125. The Act on processing of personal data applies to business operators processing payment data, cf. however subsections 2-6.
Subsection 2. A business operator must obtain prior explicit consent from a consumer if the business operator processes payment data in connection with the provision of a service, which is directly aimed at the consumer, cf. subsection 3, no. 2.
Subsection 3. A business operator shall only process payment data in connection with the:
- Implementation or correction of a payment transaction;
- Provision of a service directly aimed at the consumer; or
- Depersonalisation of payment data.
Subsection 4. Notwithstanding of subsection 3, the payment data may not be processed in order to offer individual prices or terms of the same product or service to different customers. As regards insurance contracts, it further applies that payment data may not be processed in connection with the performance of insurance contracts.
Subsection 5. Notwithstanding of subsection 4, a business operator may process aggregate payment data for the purpose of a credit rating.
Subsection 6. Notwithstanding of subsection 3, a business operator shall not transfer payment data to a third party, unless the transfer is authorised by other legislation or takes place in connection with the execution or correction of a payment transaction or the provision of a service requested by the consumer, and which is not contrary to subsections 2-5.
WHAT ARE PAYMENT DATA?
Payment data are person identifiable data connected with a payer’s use of a payment service, the type of the payment service used (credit card) and the object(s) purchased using the payment service. In general, it will be the data appearing from the payer’s online bank, but the data may also include what the payer purchased and the price. Payment data are considered personal data and are therefore covered by the general personal data regulation.
The concept of personal data must be interpreted in accordance with the Personal Data Act, and thereby also future EU regulation on data protection, and personal data therefore constitutes all kinds of data on an identified or identifiable physical person. In general, this means name, address, contact data, social reg. no., etc. and, under the Payment Services Act, this will include card and account number as well as the name of the holder of the card or account. Any processing of payment data must therefore be in accordance with good data processing practices and the principles on necessity, transparency, proportionality, restriction of purpose and a reasonable storage period.
Payment data, which are not collected via a payment service but for example via a loyalty programme, are not covered by the definition of payment data if the data are collected as a clearly separate function and thereby independently of a payment service. Loyalty programmes will meet these requirements when the processing of the data relating to the use of the payment service, and the product/service purchased, takes place in separate data flows. The loyalty function and the payment function may, however, be collected on the same payment card as long as there are two separate functions, data flows and systems. In this case, the data obtained for the loyalty programme will not constitute payment data, but will still constitute personal data, which must be processed in accordance with personal data law.
Depersonalised data do not constitute payment data or personal data and are therefore not covered by the Payment Services Act (or personal data law).
HOW MAY A BUSINESS OPERATOR PROCESS PAYMENT DATA?
Under section 125 of the Payment Services Act, a business operator may only process payment data for the following purposes:
- Implementation or correction of a payment transaction;
- Provision of a service directly aimed at the consumer;
- Depersonalisation of payment data;
- Credit rating (in case of aggregate payment data).
The list is exhaustive, non-waivable for the consumer and applies to all business operators processing payment data, and not only providers of payment services. The data processed must be necessary and proportionally matched to the service provided, and the business operators should comply with the “privacy by design” and “privacy by default” principles incorporated in the EU regulation on data protection.
The requirement for consent does not apply in connection with processing of payment data when the processing takes place in connection with the implementation or correction of a payment transaction or in connection with depersonalisation of payment data. Consequently, the requirement for consent only applies in connection with provision of services aimed directly at the consumer. This implies services which the consumer requests and has actively requested to receive/use, for instance concerning:
- Overview of the consumption
- Budget planning
- Categorisation and comparison of consumption
- Notification concerning consumption, consumption patterns and unusual transactions
- Payment reminders
- Marketing
- Advice
- Discount and loyalty programmes
- Automatic reporting to public authorities of charity donations.
This provision makes it possible also to use payment data with the consumer’s consent for individual marketing aimed at the consumer. But it is not possible to fix individual prices or terms to the consumer based on the payment data - so-called individual price discrimination.
The business operator may not use, access or store data for other purposes than provision of the service explicitly requested and consented to by the consumer. The business operator may also not disclose payment data to a third party, unless disclosure is part of the provision of the service requested by the consumer, when stipulated by law or when necessary to execute or correct the transaction.
EXPLICIT CONSENT
It is a mandatory requirement that the business operator must obtain explicit consent from the consumer if the business operator processes payment data in connection with the provision of a service directly aimed at the consumer.
The consent must be obtained with the consumer's full knowledge of the facts, and before the processing of the data initiates. However, there is nothing that prevents that the consent forms part of a framework agreement or standard terms, as long as this clearly appears from the agreement and is clear to the consumer.
The consent form must contain clarifying information in respect of the payment data processed and its purpose. It is therefore not sufficient that the business operator obtains consent to the processing of all available payment data in connection with the provision of an unspecified service. It must be clear to the consumer that the payment data is used for e.g. an overview of the consumption to help the consumer get an overview of his/her private economy.
The requirement for consent does not apply in case of depersonalisation of payment data or the implementation and correction of payment transactions.
PROHIBITION AGAINST PRICE DISCRIMINATION
The prohibition against offering individual prices or terms to the consumer based on payment data includes fixing of interest on a loan and insurance premiums. This is a general prohibition against discriminatory pricing of different prices of the same product based on payment data.
The prohibition tries to takes into consideration that the business operator may not identify the consumer’s willingness to pay and set prices on this basis. The intention is to ensure that the consumer’s possibility of using an offer, a loan, a special price or insurance will not depend on how the consumer chooses to compose his consumption.
Therefore, section 125 (4) concerning individual prices does not prevent e.g. that retailers rely on data obtained from loyalty card systems with separate data flows. This means that loyalty programmes at e.g. supermarkets, where the payment data and purchase data are processed as separated data, are exempted from the rules (however, please note the provisions of the EU regulation on data protection concerning profiling, including especially article 22).
Loyalty programmes with general and predetermined discount structures may continue and be supplemented with a number of individual marketing measures, as long as the consumer consents to the processing of his payment data.
NEW POSSIBILITIES
The new rules on the processing of payment data provides a number of possibilities for established as well as new businesses. It will be especially interesting to follow the development of proactive use of payment data for the purposes of advice and individual marketing.
The Payment Services Act came into force on 1 January 2018, and Horten will closely monitor the development in the area.