Verification of Payee (VoP) works only by processing personal data: it compares a payee name against the holder of an IBAN. That's exactly the kind of processing GDPR governs, so it's worth understanding how a name check can be both useful and compliant.
Lawful basis
Two bases commonly support VoP. First, legal obligation: the Instant Payments Regulation requires payment service providers (PSPs) to offer the check. Second, legitimate interest: preventing misdirected payments and fraud is a recognised interest that benefits the payer too. Confirm the exact basis with your data protection officer (DPO), but VoP is not processing without justification.
Minimise and don't repurpose
Use only the data needed for the check — name and IBAN — and don't reuse verification data for unrelated purposes. Data minimisation and purpose limitation keep VoP proportionate.
Retention and residency
- Retention — keep verification records only as long as needed for audit, dispute handling and compliance.
- Data residency — for EU PSPs, processing and storing within the EU avoids transfer complications.
- Security — encrypt in transit and at rest, and log access for accountability.
Why provider choice matters
Because VoP touches personal data, who runs it matters. A provider operating within the EU, with clear data handling and EU residency, simplifies your GDPR position. RoxPay operates on European open-banking infrastructure with EU data residency, so the name check stays inside the EU and within a clear data-protection framework.