You can see the rules and regulations in other jurisdictions.
Fintech companies that are based in the EU, or that offer goods or services to natural persons (data subjects) in the EU or monitor their behavior, must comply with the GDPR and the Belgian Act of 30 July 2018 when processing personal data. Client data consisting of information that identifies, or makes identifiable, a specific data subject is classified as personal data. [1]
Depending on the objective of the profiling, data subjects will be treated differently based on their profiles (e.g., preferences, financial status). For example, a profile used to create recommendations and personalise the client's experience will not be treated in the same way as one that is used to automatically reject credit applications or that otherwise significantly impacts the rights of a data subject. [1]
In the first situation, the general rules of the GDPR must be satisfied, and in some cases further measures may need to be taken, depending on factors such as data enrichment from external sources or the size of the processing. In the second situation, a DPIA is obligatory and specific requirements apply with regard to the permissible legal grounds for processing, the categories of personal data to consider and the rights of data subjects. [1]
Each scenario will require a risk assessment to determine whether the supervisory authority should be consulted. [1]
Guidelines 06/2020 of the European Data Protection Board, published on 15 December 2020, clarify the interplay between PSD II and the GDPR. [1]
Cross-border payments in Belgium