(1) A payment system or payment service provider may process personal data where this is necessary to safeguard the prevention, investigation and detection of payment fraud.
(2) The provision of information to individuals about the processing of personal data and the processing of such personal data and any other processing of personal data for the purposes of these Regulations shall be in accordance with -
(a) prior to the date of application of the General Data Protection Regulation, the Data Protection Acts 1988 and 2003, and
(b) after that date -
(i) the General Data Protection Regulation, and
(ii) the law of the State giving further effect to the General Data Protection Regulation.
(3) A payment service provider shall only access, process and retain personal data necessary for the provision of its payment services, with the explicit consent of the payment service user concerned.