Fintech businesses based in Spain, and at times those providing services to the Spanish market from outside the EU, are subject to data protection rules if they collect or process personal data as either a controller or a processor. Since 25 May 2018, the GDPR (Regulation (EU) 2016/679) has applied across the European Union, and this brings some benefits. The resulting harmonisation of data protection law allows Spanish fintechs to extend their operations both within and outside the EU, while making it easier for GDPR-compliant fintechs based outside the EU to start operations in Spain.1
However, Spain also has national data protection rules that apply in addition to the GDPR. Spanish Basic Law 3/2018 on data protection and the guarantee of digital rights (LOPDGDD) was passed in December 2018 and enacted a new general data protection law. By repealing the previous national data protection rules that were incompatible with the GDPR, the LOPDGDD adapted Spanish law to the GDPR. The main goal of the LOPDGDD is to provide specific regulation on matters that are not expressly covered by the GDPR, or that are covered by the GDPR but on which Member States are allowed to legislate further. As a result, certain processing operations (such as the inclusion of debtors' data in shared creditworthiness files) are regulated in detail in the LOPDGDD. Moreover, the LOPDGDD introduced a set of digital rights for citizens in relation to new technologies. These new digital rights may affect the business of certain fintech entities, for example the rights granted to employees regarding employers' use of IT tools for monitoring in the workplace or the use of geolocation systems.1
The Spanish government has also tried to strengthen these digital rights by approving a Charter of Digital Rights for Spain in 2021, which, although it does not have a legal or mandatory nature, creates the framework and sets the criteria for future regulations on this matter in Spain.1
Finally, one of the most active data protection authorities in the EU, the Spanish Data Protection Agency, should also be considered. As compared to previous years, the Spanish Data Protection Agency has significantly increased the size of fines imposed during 2021.1
Profiling by fintech companies (i.e. processing of personal data that involves profiling and, at times, automated decisions affecting individuals) is governed by the GDPR and by certain guidelines from the Spanish Data Protection Agency. These activities must generally rest on a legal basis, such as a legal obligation (e.g., credit scoring or fraud prevention), unambiguous consent from the individuals concerned, or a legitimate interest. In the past, the Spanish Data Protection Agency has interpreted legitimate interest quite restrictively as a legal basis for profiling (e.g., profiling based on data obtained from second or third parties). In addition, fintech companies must meet additional information and transparency requirements when they conduct profiling. Fintech businesses that use artificial intelligence (AI) for profiling must also take into account the guidelines on AI issued by the Spanish Data Protection Agency and the requirements for audits of personal data processing that uses AI. Further safeguards, such as reinforced rights to object and data protection impact assessments, are also imposed.2
Lastly, and on a different note, some of these profiling activities may be carried out with anonymised or pseudonymised data. In that case, fintech companies should be aware of the Spanish Data Protection Agency's guidelines and technical documents on anonymisation and pseudonymisation.3