This article does not constitute legal advice.

Data protection in Portugal


Fintech businesses collect, control and process vast amounts of personal data (including KYC data) and, as a result, are subject to the data privacy rules of the General Data Protection Regulation (GDPR). The GDPR applies not only to fintech companies established in the EU but also to companies established outside the EU if they have customers in the EU and the processing of those customers' personal data takes place in the context of offering services to those data subjects, irrespective of whether a payment is required from the data subject. The European Data Protection Board (EDPB) has clarified, in its Guidelines 3/2018 on the territorial scope of the GDPR, adopted on 16 November 2018, that the intention to target customers in the EU is key to assessing whether entities established outside the territory of the EU are subject to the GDPR.[1]

In some instances, the processing of personal data may require the customer's consent. Pre-ticked opt-in or opt-out boxes are no longer allowed, as consent must be expressed through a statement or a clear affirmative action. The GDPR places onerous accountability obligations on data controllers to evidence compliance, which constitutes a major paradigm shift in the data protection regime. This includes conducting data protection impact assessments for higher-risk processing operations (such as those involving personal data that could be used to commit financial fraud) and implementing data protection by design and by default.[1]

These general data protection rules are complemented by banking secrecy and AML rules, which fintech companies will have to observe when providing services to their clients.[1]

Bank secrecy rules determine that the disclosure of clients' personal data protected by banking secrecy (including cross-border transfers) is permitted only with the client's prior authorisation or if the disclosure is necessary to achieve one of the following:

  • compliance with a legal obligation that expressly limits those secrecy duties;
  • compliance with judicial authorities' requests in the context of criminal proceedings;
  • compliance with a disclosure obligation towards the BoP, the CMVM or the tax authorities, when these entities are acting pursuant to their respective attributions.[1]

In the past, the Portuguese Data Protection Authority (CNPD) had ruled in a specific case that all personal data processed by a bank is subject to banking secrecy.[1]

As regards the processing of clients' data for the purposes of AML reporting, the disclosure of the specific relevant personal data is based on the fulfilment of a legal obligation, so there is no need to obtain the data subject's consent. Because the concept of 'client authorisation' under the PSEMLF and the financial institutions' legal framework differs from the concept of 'consent' under the GDPR, many banks and other financial institutions opt to collect clients' authorisation to disclose information covered by banking secrecy in their general client terms and conditions.[1]

Another important aspect of data processing in the fintech business is the definition of client profiles and business segmentation, as well as automated decision-making based on profiling. Decisions that produce legal effects concerning the data subject, or that similarly significantly affect him or her, are not permitted where they are based solely on the automated processing of data intended to evaluate certain personal aspects relating to him or her.[1]

The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. Under the GDPR, this type of decision-making may only be carried out where the decision is necessary for entering into or performing a contract, is authorised by EU or Member State law applicable to the controller, or is based on the individual's explicit consent. Where one of these grounds applies, additional safeguards must be introduced, and specific information about the automated individual decision-making (the logic involved, its significance and its envisaged consequences) must be disclosed to the affected data subjects. In a January 2020 response to a letter from Member of the European Parliament Sophie in 't Veld on unfair algorithms, addressing whether the GDPR was sufficient to protect data subjects from unfair automated decision-making, the EDPB stressed that 'controllers are obliged to consider all the potential risks that the use or creation of the specific algorithm can potentially pose to the rights and freedoms of natural persons and, if necessary, take measures to address these risks'.[1]

Additional restrictions also apply to the processing of special categories of personal data (such as health-related data or biometric data). These can ultimately affect how fintech companies implement strong customer authentication under the PSD II Regulatory Technical Standards, since those standards suggest the use of payment service users' biometric data in that context. The CNPD has consistently ruled that financial data are sensitive data, in the sense that they reveal aspects of an individual's private life and should therefore be protected under the Portuguese Constitution. As the EDPB also considers financial data to be data of a highly personal nature, this may influence the stringency of the technical and organisational measures that data controllers and processors choose to implement to protect the data, as well as the need to carry out a data protection impact assessment (DPIA) before commencing processing activities on the data. The processing of financial data may therefore require a DPIA under the CNPD's Regulation 1/2018, which lists the processing activities subject to a mandatory DPIA and refers to the processing of data of a highly personal nature in four of its nine cases.[1]

Without prejudice to the above, the Portuguese legislation implementing the GDPR entered into force on 8 August 2019. Law No. 58/2019 introduces some additional adjustments and restrictions to the rules set out in the GDPR, notably regarding the processing of deceased persons' personal data, the applicable data storage periods and minors' consent to data processing. Most notably, and without prejudice to the GDPR's purpose limitation principle, Law No. 58/2019 allows controllers or processors to keep personal data until the expiry of any statutory limitation periods during which they may need the data to demonstrate compliance with legal or contractual obligations.[1]


  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/portugal