The European Union law is classified in primary and secondary legislation. The primary legislation represents the central legal source of all EU action and it essentially consists of the integration treaties concluded between the Member States of the European Union. The secondary legislation includes regulations, directives and decisions and derives from the principles and objectives set out in the treaties.
b) Primary legislation
The freedom of payment is regulated by Article 63 (2) Treaty on the Functioning of the European Union (TFEU). It is often seen as an attachment to the other single market freedoms. The freedom of payment is, however, a distinct freedom. It therefore covers, directly or indirectly, all payments connected with the exercise of different fundamental freedoms. The freedom of payment guarantees, for instance, that "the debtor who owes money for a delivery of goods or a service fulfils his contractual obligations voluntarily and without an unacceptable restriction and the creditor is free to receive such a payment" (Case C-412/97 ED  ECR I-3845, paragraph 17).
Moreover, Art. 63 (2) TFEU prohibits restrictions of payment transactions not only between the EU Member States but also between the Member States and third countries. The scope of this freedom therefore extends beyond the territory of the European Union.
b) Secondary legislation
The legal basis for establishing an EU-wide internal market for payment transactions has already been created with the Payment Service Directive 2007/64/ EC (PSD), which has been implemented in the Austrian legislation by the Payment Services Act (ZaDiG) since 1 November 2009.
The PSD has mainly regulated the framework conditions, such as transparency requirements, the implementation period as well as the rights and obligations of payment service users and payment service providers.
Similar to the PSD, the Payments Accounts Directive 2014/92/EU (PAD) includes provisions on transparency with regard to the comparability of charges, the provision of exchange services within a Member State as well as provisions to facilitating cross-border payment and opening of accounts for consumers. The PAD is in force since 17.09.2014 and it has been transposed into national law by the Consumer Payments Act (VZKG) as of 18.09.2016.
The PSD will be abrogated by the directive (EU) 2015/2366 (PSD 2) with effect from 13.01.2018. The PSD2 also refers, in accordance with a correspondence table in its Annex II, to numerous provisions of the PSD which repealed. The PSD2 is to be implemented in the Austrian law until 13.01.2018.
Due to several changes since the PSD came into force there was a need for a new regulation. The payment market has developed further in technical terms through additional payment services in the field of Internet payments. This change applies to payment initiation service providers (PISPs) and account information service providers (AISPs) which are now being regulated by the PSD2. Both the PISPs and AISPs are playing an important role in electronic commerce. They set up a software bridge between the merchant's website and the account servicing payment service providers (ASPSPs) online platform to trigger electronic payments via Internet or to retrieve account statements.
All data processing systems developed and implemented within the framework of PSD 2 must be subject to data protection. The PSD2 contains a central regulation on data protection, which allows data processing for the purpose of payment transactions exclusively by having the explicit consent of the payment service user (Art.94). In addition to that, there are in the PSD 2 also data protection provisions for the payment initiation service providers (Article 66 (2) (g)) as well as for the account information service providers (Article 67 (2) (f)).
Moreover, the General Data Protection Regulation 2016/679 (GDPR), which will come into force on 25.05.2018, was published within the EU Data Protection Reform on 04.05.2016. This means that data protection legislation is now being harmonized throughout the EU. The main purpose of the regulation is to protect natural persons in the processing of their personal data while ensuring the free movement of personal data (Article 1 (3)).
Furthermore, within the EU are currently established provisions which are relevant for the payment transactions in the field of money laundering, such as the Fourth EU Money Laundering Directive 2015/849/EU. This directive has been transposed into national law by the Financial-Money Laundering Act (FM-GwG) since 26.06.2017. The relevant provisions for the payment transactions are targeting not only the banks, but also among others e.g. attorneys as well as auditors, who have reporting obligations concerning potentially "suspicious transactions" performed by their clients.
The Money Transfer Regulation (EU) 2015/847 was adopted together with the Fourth Money Laundering Directive. It entered into force on 26.06.2015 and has been in force in Austria without any further implementation act since 26.06.2017. This regulation replaced the previous regulation (EC) 1781/2006, which was concentrated exclusively on the client data. According to the new legal act, the payment service providers are currently required to provide details on both the beneficiary of the transfer as well as information on the beneficiary.