Data protection in FinTech companies – time to prepair for the new regulation

FinTech industry, resulting from the strengthening of linkages between the financial services and information technology sector, is a real technological whirlwind, providing financial markets with an enormous leap in progress.

And while innovative solutions enable faster, cheaper and more convenient provision of financial services for customers, after the European Union’s General Data Protection Regulation (hereinafter – Regulation) enters into force in May, 2018, FinTech companies should get ready to implement the provisions of the Regulation, as these companies, providing payment and other financial services, collect, control and process a wide range of personal data.

First of all, it is important to note that the Regulation applies not only to the FinTech companies established in EU but also to the companies established outside EU, if they have European customers.

Furthermore, it is important that a person’s consent to the processing of personal data is received properly. To obtain such consent, FinTech company will have to submit a request to process the data separately from other issues (i.e., separately from the terms and conditions), in a simple form and in clear and understandable language. Pre- ticked opt-in or opt-out boxes will no longer be allowed, for each category of data un-ticked opt-in method will have to be used. The burden of proof that the consent to the processing of personal data was properly received will be on data controller, namely FinTech company.

Thirdly, data protection officer in FinTech company. Regulation does not require that the data protection officer must be appointed in every company, but it seems that the data protection officer will have to work for the majority of FinTech companies, as most of them will be collecting, controlling, using and processing sensitive personal data (i.e., biometric data for identification of individuals), data management will be linked to the main activity of these companies, these companies according to a certain order will continuously or periodically assess the risk of credit rating, terrorist financing, money laundering purposes.

Regulation allows to choose whether the data protection officer will be an employee, or will act by a service agreement as natural or legal person from the outside.

Fourth, performance of the data protection impact assessment. Where a type of data processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural person, FinTech companies shall, prior to the data processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Such an assessment should be documented with the conclusion which, if necessary, to be submitted to the supervisory authority. Local personal data supervisory authorities shall make publicly available list of the activities, which will be subject to this requirement.

An assessment most likely shall be required if automatic processing of data is intended to provide information, make predictions or take measures/decisions based on a person’s: behavior, economic situation, health, location, personal preferences, race/ethnic origin .

An assessment shall also be required before commencing to perform monitoring (e.g., video surveillance) in publicly accessible areas on a large scale, or when processing large scale filing systems containing biometric data.

Finally, Cross-Border Data Transfers. In today’s world, it is increasingly important to be able to move data freely to wherever those data are needed. The transfer of personal data to recipients outside the EEA is allowed if the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection; or the data exporter puts in place appropriate safeguards; or a derogation or exemption applies.

The Regulation continues to allow for transfers of personal data based on standard data protection clauses adopted by the European Commission and gives official recognition to the possibility of transfers based on an organisation’s approved Binding Corporate Rules. Most important that the transfers must be on the basis of binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights. Significantly, the Regulation specifically states that such transfers may be made without requiring specific authorisation from a data protection authority.