1. Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I. That right shall not apply where the payment account is not accessible online.
2. The account information service provider shall:
(a) provide services only where based on the payment service user’s explicit consent;
(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that when they are transmitted by the account information service provider, this is done through safe and efficient channels;
(c) for each communication session, identify itself towards the account servicing payment service provider(s) of the payment service user and securely communicate with the account servicing payment service provider(s) and the payment service user, in accordance with point (d) of Article 98(1);
(d) access only the information from designated payment accounts and associated payment transactions;
(e) not request sensitive payment data linked to the payment accounts;
(f) not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.
3. In relation to payment accounts, the account servicing payment service provider shall:
(a) communicate securely with the account information service providers in accordance with point (d) of Article 98(1); and
(b) treat data requests transmitted through the services of an account information service provider without any discrimination for other than objective reasons.
4. The provision of account information services shall not be dependent on the existence of a contractual relationship between the account information service providers and the account servicing payment service providers for that purpose.