All questions

Intellectual property and data protection

i Intellectual property

Fintech business models and related software may be protected by the rules applicable to the ownership of inventions and works, which should be analysed separately.

Fintech business models may be classed as inventions that are typically the result of research. That result may essentially be protected by patents, utility models or, if such protection is not available or the parties do not wish to request it, inventions can also enjoy a certain degree of protection as know-how or as trade secrets:

  1. Spanish patents provide protection for inventions for 20 years as of the filing date;
  2. utility models protect inventions of lower inventive rank than patents, and are granted for 10 years;
  3. once the referred protection periods have expired, the invention will enter the public domain and may be freely used by any person; and
  4. know-how has value as long as it is protected as a trade secret and, thus, it is kept confidential (as opposed to patents and utility models), which means that it is not generally known by individuals belonging to the environment where this information would be known and it is not easily accessible by them; it has a potential or effective commercial value by being secret; and it has been subject to reasonable measures to keep it secret. These measures could include contracts (confidentiality agreements) and the adoption of practical measures (security measures, such as password protection and limitations on access to certain personnel), demonstrating that the invention or work remains valuable.

On a separate note, software is to be deemed an invention but is protected by copyright from the very moment it is created. Registration is not necessary to protect software. The exploitation rights for the work will run for the life of the author and survive 70 years after the author's actual or declared death should the author be a natural person. If the software's author is a legal person, the rights will run for 70 years as from 1 January of the year following that in which the software was lawfully published or, failing publication, from its creation.

Regarding the ownership of intellectual property rights, the ownership of inventions and works should again be analysed separately. There are default rules under Spanish law to attribute ownership of inventions.

In the absence of other applicable rules, the natural person who creates the invention (i.e., the inventor) is the owner.

When the inventor is an employee (private or public):

  1. if the invention is a result of his or her work for an employer, pursuant to the terms of his or her employment agreement or to the instructions received from his or her employer, the employer owns the rights to the invention; and
  2. if the invention is a result of his or her independent work but he or she benefited from knowledge obtained from his or her employer or used its facilities, the employer may be deemed to own the invention or have rights to use it, in exchange for fair compensation.

The rule in connection with works is that the original owner of the rights to the work is the author or co-authors (or, in very specific and limited cases, an individual or a legal private or public entity that leads and coordinates personal contributions and publishes the result under its own name – usually in the case of software). The general rule is that the author is the owner of all moral and exploitation rights to the work.

However, some specific legal presumptions as well as some important exceptions exist:

  1. regarding copyrightable work created by an employee under his or her employment agreement, Spanish law presumes that, unless otherwise agreed, all exploitation rights over the work necessary for conducting the employer's ordinary course of business are exclusively assigned to the company when the work is delivered. This assumption is extended, if the work involves software, to all exploitation rights, without limitation based on the employer's course of business; and
  2. in the event of joint co-authors, either:
    • all co-authors have equal exploitation rights, unless otherwise agreed; or
    • the exploitation rights to the work correspond to the (legal or natural) person that assumes responsibility for the creation of the work and publishes it under the person's own name.
ii Data protection

Fintech businesses located in Spain or, under certain circumstances, businesses addressing the Spanish market from non-EU territories, are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). Since 25 May 2018, the main data protection rule in Spain has been the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) that directly applies in all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.

Notwithstanding the above, at a national level and in addition to the GDPR, Spain has certain local data protection rules. In particular, a new general data protection law was passed in December 2018: Spanish Basic Law 3/2018 on data protection and digital rights guarantees (LOPDGDD). The LOPDGDD formally repealed the previous national data protection regulations, which were incompatible with the GDPR, and adapted local rules to make them compatible with the GDPR. The main goal of the LOPDGDD is to provide specific data protection regulation in different matters that are not expressly covered by the GDPR or that are covered by the GDPR but in relation to which the Member States are allowed to regulate further. Consequently, certain data processing (such as inclusion of debtors' data in creditworthiness shared files) have been regulated in detail in the LOPDGDD. Also, the LOPDGDD has approved a new set of rights of citizens in relation to new technologies, known as 'digital rights'. This set of new digital rights may affect the business of certain fintech entities, such as digital rights granted to employees regarding the use by employers of IT tools for monitoring purposes in the workplace or the use of geolocation systems.

The Spanish government has also tried to reinforce these digital rights by approving a Charter of Digital Rights for Spain, in 2021, which, even though it does not have a legal or mandatory nature, creates the framework and sets the criteria for future regulations on this matter in Spain.

Finally, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities in the EU, should also be taken into account. During 2021, the Spanish Data Protection Agency has significantly increased the size of fines imposed, as compared to previous years.

As regards the possibilities of fintech businesses carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), these activities are subject to the GDPR and to certain guidelines of the Spanish Data Protection Agency. In general, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The Spanish Data Protection Agency's interpretation of the legitimate interest as lawful grounds for companies to carry out profiling activities has been quite restrictive in the past (e.g., it does not cover profiling carried out with second- or third-party data). Also, fintech companies must comply with additional information and transparency duties when they carry out profiling activities. In addition, if artificial intelligence (AI) technologies are used to carry out profiling activities, fintech businesses must take into account the guidelines on AI issued by the Spanish Data Protection Agency and the requirements for audits on the processing of personal data using AI.9 Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments, are imposed.

Finally, and on a different note, some of these profiling activities may be carried out with anonymised or pseudonymised data. If this is the case, fintech businesses should take into account the fact that the Spanish Data Protection Agency has issued several guidelines and technical documents for anonymisation and pseudonymisation processes.10