GDPR Compliance for Fintech Projects: How to Ensure Data Protection and User Trust

Who Does the GDPR Apply To?

The GDPR applies to the processing of personal data in the context of the activities of an establishment in the EU, regardless of whether the processing takes place in the EU or not. That is, even if your company is not located on the territory of the EU but processes data of EU residents, your activities fall within the scope of the GDPR. The GDPR applies to all businesses, including banks, fintech startups, financial services, payment systems, and so on.

Below is a list of questions that will help you understand whether the GDPR applies to your activities:

  • Is your company located on the territory of the EU?
  • Does your company process data of EU residents?
  • Is the personal data of your users stored on the territory of the EU?
  • Does your company conduct its activities or provide services on the territory of the EU?

If you answered “yes” to at least one of these questions, you must comply with the requirements of the GDPR.


Processing Principles — the Foundation of Compliance

The most important thing to start with and always keep in mind when working with the GDPR is the principles of personal data processing. These are not merely the “spirit of the law,” but fairly practical and mandatory norms on the basis of which the regulator checks whether personal data processing complies with the provisions of the GDPR. The Regulation identifies the following principles:

  • lawfulness, fairness, and transparency
  • purpose limitation
  • data minimization
  • accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability

Regulators in their decisions analyze and point to violations of data processing principles. Here are several examples of regulator decisions regarding fintech companies:

SERVICIOS FINANCIEROS CARREFOUR, E.F.C. (AEPD — Spain) — €1,500,000 — The controller (financial company) suffered a cyberattack as a result of inadequate technical and organizational measures — violation of the principle of integrity and confidentiality.

ING Bank Śląski (UODO — Poland) — €4,323,250 — The controller (bank) scanned identity documents without a proper legal basis and without assessing necessity in each individual case — violation of the principles of lawfulness, data minimization, and purpose limitation.

Piraeus Bank S.A. (HDPA — Greece) — €50,000 — The controller (bank) processed personal data after the data subject had requested that processing cease — violation of the principles of lawfulness, fairness, transparency, and accuracy.

All principles are unconditionally important, and fintech projects should pay particular attention to the principles of minimization, accuracy, integrity, and confidentiality.

Legal Bases for Data Processing — What to Choose?

The GDPR provides for 6 possible legal bases on which personal data may be processed. For fintech businesses, the most common bases are consent and performance of a contract. Often, fintech businesses have a legal obligation to process data for the purposes of AML and KYC procedures — in such a case, the Regulation provides for such a basis as compliance with a legal obligation. In the case of processing personal data for the purpose of ensuring system security, the company has a legitimate interest — another legal basis.

When relying on performance of a contract as the basis, the processing of personal data is lawful only if it is necessary in the context of an existing contract or of the intention to enter into one.

There is also a special type of consent: explicit consent. It is required in certain situations where there is a serious risk to the protection of personal data, for example when processing special categories of data. In such cases the requirements of “ordinary” consent are not sufficient, and the data subject must explicitly state their consent, for example in writing.

Therefore, in each individual case of personal data processing, it is necessary to identify a sufficient legal basis.


Data Subject Rights as a Point of Contact with Clients

When processing data of EU residents, it is necessary to keep in mind and be prepared for appeals and requests from data subjects. Data subjects must be informed that they can exercise the rights provided for by the GDPR by contacting your company. Such information is usually stated in the privacy policy — see more in our article on Privacy Policy.

Data Protection Officer — Role in Compliance

Since fintech companies systematically and extensively process their users’ data, including sensitive data, the GDPR obliges them to appoint a Data Protection Officer (DPO). This is a person (an employee or an individual/legal entity on an outsourced basis) who has sufficient professional knowledge in the field of personal data protection. The Data Protection Officer is obliged to:

  • provide advice and guidance to the company that processes personal data regarding its obligations under the GDPR;
  • monitor compliance with GDPR requirements by the company’s employees and management;
  • cooperate with personal data protection regulators.

In practice, a DPO is engaged by fintech companies in cases involving the processing of personal data during AML/KYC procedures, the organization of data flow in the system, the use of third-party vendors, and so on.

Compliance, Personal Data, DPO… How to Manage It All?

In summary, compliance is a complex process that requires the highest level of attention, professionalism, and understanding of the specifics of the fintech business. Therefore, the Legal IT Group team will be happy to help you not only comply with legislative requirements, but also be user-friendly!
