Financial technology, often referred to as fintech, is constantly pushing the boundaries of innovation with cutting-edge data-driven solutions. Consequently, fintech companies often encounter unique challenges related to data privacy and protection, especially in jurisdictions with comprehensive privacy frameworks, like the EU.
Central to these challenges is the necessity for these companies to process large amounts of information, sometimes of a sensitive nature, including financial, biometric—and, in certain cases, even criminal record—information. Adhering to GDPR and other privacy regulations is vital in these situations, as it not only ensures compliance with legal requirements but also plays a role in establishing and maintaining the trust of customers.
The guide delves into aspects of GDPR compliance that are specific to the fintech sector, to address common compliance gaps and misunderstandings. Through this guide, we will clarify how to:
- Ensure basic lawfulness of data processing
- Respect data subject rights and limitations
- Ensure data sharing compliance in partnerships and integrations
- Prevent, mitigate, and respond to data breaches
- Handle requests for data from law enforcement
This guide is tailored for decision-makers, compliance officers, and professionals within the fintech industry who seek to better understand the complexities of privacy compliance in the EU. At Legal Nodes, we have years of experience helping fintech startups and enterprises to overcome the challenges of GDPR compliance, and we often help businesses who find themselves entangled in the complex data protection framework of the GDPR. Whether you are a part of a growing startup or an established financial institution, we hope you will find valuable insights and actionable strategies in this guidance to ensure your company always remains compliant with GDPR.
Ensuring basic lawfulness of data processing
A large part of ensuring that fintech companies are GDPR compliant lies in the navigation of lawful bases for data processing. There are many different lawful bases, including establishing legitimate interests to justify data use, or cases where fintechs might need certain data to deliver some services, and so can lawfully process this data under the lawful basis of performance of a contract. In other instances, processing of data might fall under the basis of a legal requirement or even in emergency scenarios. Whatever the lawful basis, fintechs must ensure that they obtain the right level of consent and behave in a manner that is transparent, compliant, and fosters trust with the individuals whose data is being processed.
The following sections explore these lawful bases in more detail.
Choosing the correct lawful basis
In the realm of fintech, GDPR compliance hinges on identifying the correct lawful bases for data processing. Typically, these include:
- consent and explicit consent
- legitimate interest
- performance of a contract
- processing necessary for compliance with legal obligations.
Each basis has its nuances and applicability, which will require careful consideration of your data processing activities.
Consent and explicit consent
Under GDPR, consent is categorized into standard consent (Art. 6.1(a)) and explicit consent (Art 9.2(a)). While standard consent suffices for most personal data processing, explicit consent is necessary when processing more sensitive data categories, particularly biometrics.
Despite the delineation, the practical difference between standard and explicit consent is minimal. This is primarily because the GDPR sets a high bar for standard consent - it must be an active and clear affirmative action that reflects a freely given, specific, informed, and unambiguous agreement by the user.
Activities usually based on consent: client identification and authentication with fingerprints, facial recognition, or other biometric methods; marketing of third-party offers; deploying non-essential cookies such as for analytics or advertising.
In practice, this means that passive, or “soft” forms of consent, such as pre-ticked boxes with the opportunity to opt-out, will not constitute valid consent under GDPR. Consequently, where a company would like to rely on “soft”, or opt out consent, it should instead consider an alternative lawful basis under the GDPR, such as legitimate interest.
It's also important to understand that when processing sensitive data, both “standard consent” and “explicit consent” lawful bases need to be collectively considered, ensuring compliance with the conditions set for each.
Legitimate interest
Legitimate interest ((Art. 6.1(f)) is another common lawful basis for data processing. It can be applied not only to a company's own interests but also to the interests of third parties, like business partners. However, this basis must be carefully balanced against the interests, rights, and freedoms of the individuals whose data is being processed.
For this, a special Legitimate Interest Assessment (LIA) must be conducted to ensure that the company’s or the third party’s interests do not override the fundamental rights and freedoms of the data subjects. An LIA involves a thorough analysis of the necessity of the processing activity and its impact.
While legitimate interest is a popular choice due to its adaptability, it also carries a risk of misuse. Businesses must avoid overlooking the step of documenting their legitimate interest through an LIA. Neglecting to conduct an LIA and ignoring regulatory guidelines can lead to compliance issues and clash with the interests of users.
Activities usually based on legitimate interest: fraud detection and prevention, direct marketing of the company's own offers, and credit scoring.
Performance of contract
Performance of contract and the essentiality of data for service provision can also serve as a solid lawful basis. It's important, however, that the personal data being collected is truly necessary to deliver the service to the user.
If the data is merely advantageous but not required for service provision or contractual fulfillment, then this legal basis is not appropriate. Consequently, for purposes like enhancing a service, a different lawful basis would be more fitting, typically the legitimate interest or user consent.
Activities usually based on contractual necessity: processing transactions, user account management, customer support services.
Processing is necessary for compliance with a legal obligation
Meeting statutory obligations often leads the fintech industry to use legal compliance as a lawful basis for data processing. This is particularly relevant for meeting standard regulatory obligations like AML and KYC.
It's also important to ensure that no more information than what is required by the legal obligation is collected and stored. For instance, while there may be a need to keep records of a user's financial transactions, any additional data, like biometric identification information that isn't essential for legal compliance, should be promptly erased.
Activities usually based on compliance with a legal obligation: AML and KYC procedures, reporting of fraud, tax reporting, and compliance.
Other lawful bases
While the GDPR presents two other lawful bases, they are unlikely to be useful for fintech companies. These lawful bases are:
- processing that is necessary in order to protect the vital interests of the data subject or another natural person
- processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
The first lawful basis was created for genuinely critical situations and is rarely used outside the domain of emergency services.
The second lawful basis was created specifically with public institutions in mind. While fintech companies may sometimes confuse it with the lawful basis of compliance with a legal obligation, it would be more appropriate to rely on the latter unless the organization is a public institution.
Accountability under the GDPR
Accountability is one of the most important principles of the GDPR for fintech because it demonstrates responsible and lawful data processing, which can be crucial for users and the regulators. On a basic level, adhering to the accountability principle in GDPR entails documenting your data processing activities and conducting regular audits.
The most important aspects of this process are:
- Records of Processing Activities (RoPA). A RoPA is a detailed document that lists an organization's data processing activities and the most important details, such as the lawful basis that the organization chose to rely on, the retention period, and other relevant details.
- Legitimate Interest Assessments (LIAs). Documenting your legitimate interest is crucial to ensure compliance and provide a clear record in case of a request from a regulator, and these assessments provide a place for that.
- Data Protection Impact Assessments (DPIAs). DPIAs are an essential GDPR tool for identifying and mitigating risks associated with specific data processing activities. By conducting a DPIA, you will be able to identify, document, and prepare to mitigate potential harm to your users. For instance, activities like automated credit scoring or systematic processing of sensitive data like biometrics would require DPIAs.
Furthermore, to ensure ongoing compliance with GDPR, fintech companies must also establish mechanisms for maintaining accountability over time. This would involve continuous monitoring and conducting regular reviews of the existing documentation and assessments.
📚 Learn more: what is DPF self-certification for businesses?
Transparency
In the fintech industry, transparency towards data subjects is not just a regulatory requirement, but an essential cornerstone for building trust, as it's the most “visible” regulatory requirement. Under the GDPR, companies are obligated to communicate clearly with data subjects about the usage of their personal data. Although the full list of information required to be provided is extensive, at a basic level, the GDPR mandates:
- concise and easy-to-understand details about the purpose of data collection
- the types of personal data processed
- the rights available to data subjects
- disclosure of any third-party data sharing, as well as the sources of the data, if it comes from third parties
Furthermore, in scenarios involving automated decision-making, such as automated credit scoring or fraud detection algorithms, fintech companies must exercise particular care. It's imperative to transparently explain the logic behind these automated decisions and to clarify the measures implemented to safeguard the interests and rights of the data subjects.
📚 Read more: what’s the difference between a DPO and an AI Ethics Officer?
Respecting data subject rights and limitations
Another important realm of GDPR compliance is data subject rights. These rights include:
- access
- rectification
- erasure (also known as the right to be forgotten)
- restriction of processing
- data portability
- objection
- the right not to be subject to automated decision-making
In the fintech sector, the rights to deletion and objection are particularly significant, often being the most exercised by users, along with the right not to be subject to automated decision-making. Companies must be prepared to handle Data Subject Requests (DSRs), and establish procedures both in customer support and internal operations to comply with them in time. Responses to DSRs should typically be provided within one month, with a possibility of extending this by a further two months if the request is complex.
Understanding limitations on data subject rights
The good news is that while these rights are fundamental, they are not absolute and come with a set of limitations. For instance, the right to object might be limited if it conflicts with the legitimate interests of the business, such as in fraud detection and prevention. Here, a user’s objection may not necessarily stop the processing of their personal data if the business can clearly justify the limitation of the right by demonstrating the risks of such a move for fraud detection in its LIA.
Similarly, legal obligations, particularly within the AML and KYC regulations in the EU, mandate the collection and retention of certain personal data. For example, under the EU’s pivotal KYC framework of the Directive (EU) 2015/849, fintech companies would be required to retain customer data for a minimum of five years after the end of the business relationship, thus limiting the exercise of the right to deletion.
Communicating limitations to data subjects
When implementing the limitations, it’s important to effectively communicate them to the data subjects. This transparency ensures that users are not caught off guard when, for instance, their request for data deletion is not fully complied with due to overriding legal obligations. Clear communication about these limitations not only aligns with GDPR’s principle of transparency but also fosters trust between the fintech company and its users.
Compliance in partnerships and integrations
In the fintech sector, partnerships and integrations are a regular occurrence that necessitates robust data transfer safeguards and technical and organizational measures (TOMs) to ensure the GDPR level of protection for any data transfers.
Engaging another processor
When engaging providers to process data on behalf of your fintech company and for your specific purposes, it's vital to recognize the importance of specific instructions for this provider. As per Articles 28 and 29 of the GDPR, your company will be responsible for ensuring that these providers adhere to GDPR to the same extent as your own operations.
In practice, this will have far-reaching implications considering the vast involvement of different categories of service providers used in fintech. External services like credit bureaus, AML and sanction screening software, customer support centers, task management systems, and many others will all require a thorough due diligence to verify their compliance capabilities. Particular attention should be given to those who handle sensitive data, such as biometric verification providers.
Here, requesting to fill out privacy questionnaires, obtaining security reports and lists of outsourced providers, and documenting your arrangement in a Data Processing Agreement (DPA) would be the basic steps to be taken to ensure compliance and safeguard your business from liability claims.
Partnering with a controller
In scenarios where your fintech company collaborates as a separate or joint controller of data, it’s crucial to establish clear, documented arrangements detailing responsibilities for GDPR compliance. Depending on whether you jointly determine the methods and scope of data processing, responsibilities may include:
- establishing processes for handling Data Subject Requests (DSRs)
- informing data subjects about processing activities
- delineating liability and response procedures in the event of a data breach or other GDPR violations
International data transfer
Considering the global nature of fintech partnerships and operations, international data transfers are also a likely occurrence. Consequently, ensuring that data transferred outside the EU is adequately protected will be essential. For this purpose, GDPR provides several key mechanisms, specifically:
- the European Commission's approved Standard Contractual Clauses (SCCs)
- adequacy decisions, including the recent EU-US Data Privacy Framework
- Binding Corporate Rules (BCRs)
These mechanisms are fundamental for lawful international data transfers and aligning with GDPR’s stringent requirements in jurisdictions with different levels of data protection. Ignoring them is not an option unless a company is willing to neglect the regulatory and reputational risks associated with such a move, such as potential data breaches.
👉 NEW! Get help with EU-US DPF self-certification for your business
Preparation, prevention, response, and notification of Data Breaches
A data breach under GDPR encompasses any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”. As the definition reveals, this concept extends beyond explicit confidentiality breaches. Therefore, a scenario where access to a customer database is lost, though the data itself isn't exposed, will also be considered as a data breach.
Mechanisms for data breach management
Implementing effective systems to detect, report, and manage data breaches is unquestionably critical, especially in the fintech sector where a data breach can pose significant monetary risks to both the business and data subjects.
Data breach management involves establishing clear procedures for immediate action upon detecting any data security incident, ensuring timely and efficient measures to mitigate potential damages. The most common measures to prevent data breaches can include:
- creating and routinely updating an incident response plan, clearly defining roles and responsibilities for the employees
- conducting regular employee training and awareness programs to prevent breaches and ensure prompt and appropriate responses to incidents
Data breach notification obligations
Being prepared for these incidents is also important as identifying a breach may trigger mandatory notification obligations to supervisory authorities as well as the company's customers. For fintech companies, these obligations are especially critical as they might also involve reporting to financial regulatory bodies, depending on the nature of the data and breach, which can trigger more fines, undesired publicity, and investigations from law enforcement.
Handling Law Enforcement Requests (LERs)
LERs, or Law Enforcement Requests, are demands from law enforcement authorities for access to personal data during investigations. These requests might relate to inquiries into offenses committed by the fintech company itself or investigations concerning users whose data the company processes.
Instead of falling under the GDPR, LERs fall under the scope of Directive (EU) 2016/680, also known as the Law Enforcement Directive. This directive stipulates specific procedures for handling personal data in law enforcement activities, and mandates specific rules to achieve a balance between aiding investigations and protecting individual data rights.
Basic considerations for responding to LERs
Responding effectively to LERs involves several basic considerations:
- Verification. Ensure the request is legitimate by verifying the identity and authority of the requesting agency.
- Compliance check. Assess the request against the GDPR and the Law Enforcement Directive to confirm its legality and the necessity of sharing the requested data.
- Documentation. Keep detailed records of all LERs and actions taken in response, both for compliance and for potential future audits.
- Transparency for data subjects. Inform data subjects about the data sharing unless prohibited by law.
In addition to the considerations above, it's important to understand that your company can, by its own decision, share the personal data with the relevant law enforcement authorities too. This can be relevant, for example, when you have detected fraud of one of your employees, and consider reporting it to the police.
Where you have detected a crime yourself and want to report it, this would not be encompassed by the same rules as when receiving a LER. Instead it will be governed by the GDPR. Generally, provisions of the GDPR do not force you to disclose personal data, but they do allow you to disclose personal data on a voluntary basis, provided that you consider the necessity and proportionality of such a move.
GDPR compliance checklist for fintech companies
Based on the information in this article, our team has prepared a comprehensive checklist you can use to kickstart the GDPR compliance process in your company. It's not an easy process, but definitely an important one to undertake. If you need help with implementing any of these steps, our privacy specialists at Legal Nodes can help.
Stay up to date with AI privacy compliance requirements
If you are planning on using AI in any part of your business activities or to process data, then you may need to consider how the EU's AI Act could impact you. Use our free EU AI Assessment Tool to explore the possible obligations that may fall upon your business under this new law.
Around the world, an increasing number of regulators are putting out AI frameworks, prompting businesses to seek AI risk assessments as part of their journey towards compliance.
Additionally, you should think carefully about how different uses of AI technology to handle data could put you under various compliance obligations. If you are planning to use ChatGPT in your business or use AI in your HR or recruitment processes, you may need to follow specific frameworks . If you are building an AI product, learn how to incorporate privacy protection into AI product design. For handling more sensitive data types, like children's data, explore how to process children's data in your AI app compliantly.
Get a virtual DPO to enhance your business's compliance with GDPR
As a fintech startup or established business, GDPR compliance requirements place a lot of responsibility on your business to take proactive action. It’s important that you stay informed of regulatory updates and act quickly to remain compliant.
We understand that remaining vigilant and adopting an attitude of active enthusiasm for data protection regulation requirements is not everyone’s primary focus. Many companies turn to experts like Data Protection Officers (DPOs) in their GDPR compliance efforts. DPOs can help ensure ongoing compliance with the GDPR, by overseeing data protection strategies and acting as a point of contact with supervisory authorities, as well as helping to respond to DSRs and LERs. For some fintechs, DPOs are a smart move, for others, they may well be a legal requirement.
At Legal Nodes, we work closely with DPOs who boast what can be described as an external expertise. By leveraging external DPO expertise, fintech businesses can bolster their GDPR compliance and take advantage of a perfectly positioned expert who can assist with internal GDPR matters and also act as a bridge to external privacy regulators and enforcement bodies. Learn more about our DPOs and subscriptions here.
Ensure your fintech is proactively compliant with Legal Nodes
We’ve worked with businesses around the globe, like SpatialChat, encouraging them to take proactive steps to be compliant with applicable GDPR laws, and giving businesses insights on how to reduce risks that may lead to GDPR non-compliance. The team at Legal Nodes and the DPO experts in our global network hold expertise in the fintech sector that can provide your fintech business with the protection it needs to comply and thrive. Get started by getting in touch with the team today.