en

Fintech Market Overview

This article does not constitute legal advice.

Data protection in Spain

Fintech Software

Fintech businesses located in Spain or, under certain circumstances, businesses addressing the Spanish market from non-EU territories, are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). Since 25 May 2018, the main data protection rule in Spain has been the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) that directly applies in all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.1

Notwithstanding the above, at a national level and in addition to the GDPR, Spain has certain local data protection rules. In particular, a new general data protection law was passed in December 2018: Spanish Basic Law 3/2018 on data protection and digital rights guarantees (LOPDGDD). The LOPDGDD formally repealed the previous national data protection regulations, which were incompatible with the GDPR, and adapted local rules to make them compatible with the GDPR. The main goal of the LOPDGDD is to provide specific data protection regulation in different matters that are not expressly covered by the GDPR or that are covered by the GDPR but in relation to which the Member States are allowed to regulate further. Consequently, certain data processing (such as inclusion of debtors' data in creditworthiness shared files) have been regulated in detail in the LOPDGDD. Also, the LOPDGDD has approved a new set of rights of citizens in relation to new technologies, known as 'digital rights'. This set of new digital rights may affect the business of certain fintech entities, such as digital rights granted to employees regarding the use by employers of IT tools for monitoring purposes in the workplace or the use of geolocation systems.1

The Spanish government has also tried to reinforce these digital rights by approving a Charter of Digital Rights for Spain, in 2021, which, even though it does not have a legal or mandatory nature, creates the framework and sets the criteria for future regulations on this matter in Spain.1

Finally, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities in the EU, should also be taken into account. During 2021, the Spanish Data Protection Agency has significantly increased the size of fines imposed, as compared to previous years.1

As regards the possibilities of fintech businesses carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), these activities are subject to the GDPR and to certain guidelines of the Spanish Data Protection Agency. In general, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The Spanish Data Protection Agency's interpretation of the legitimate interest as lawful grounds for companies to carry out profiling activities has been quite restrictive in the past (e.g., it does not cover profiling carried out with second- or third-party data). Also, fintech companies must comply with additional information and transparency duties when they carry out profiling activities. In addition, if artificial intelligence (AI) technologies are used to carry out profiling activities, fintech businesses must take into account the guidelines on AI issued by the Spanish Data Protection Agency and the requirements for audits on the processing of personal data using AI. Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments, are imposed.2

Finally, and on a different note, some of these profiling activities may be carried out with anonymised or pseudonymised data. If this is the case, fintech businesses should take into account the fact that the Spanish Data Protection Agency has issued several guidelines and technical documents for anonymisation and pseudonymisation processes.3

Cross-border payments in Spain

Fintech in Spain

Fintech in other countries

Let's introduce you

Spanish Fintech Lawyers

Viacheslav Losev

Viacheslav Losev

Legal support for FinTech and Blockchain projects

Languages: EN RU

Notes
  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/spain
  2. http://www.aepd.es/sites/default/files/2021-01/requisitos-auditorias-tratamientos-incluyan-ia.pdf
  3. http://www.aepd.es/media/guias/guia-orientaciones-procedimientos-anonimizacion.pdf
Offer for startups

Fast start for $5K

You can launch your platform by paying $5000 initially and the rest after 6-12 months if your business grows