All questions

Intellectual property and data protection

i Intellectual property

Fintech businesses models and related software may be protected by the rules applicable to the ownership of inventions and works, which should be analysed separately.

Fintech business models may be classed as inventions that are typically the result of research. That result may essentially be protected by patents, utility models or, if such protection is not available or the parties do not wish to request it, inventions can also enjoy a certain degree of protection as know-how or as trade secrets:

  1. Spanish patents provide protection for inventions for 20 years as of the filing date;
  2. utility models protect inventions of lower inventive rank than patents, and are granted for a period of 10 years;
  3. once the referred protection periods have expired, the invention will enter the public domain and may be freely used by any person; and
  4. know-how and trade secrets have value as long as they are kept confidential, as opposed to patents, and therefore it is a matter of contract (confidentiality agreements) and of fact (other protective measures adopted) that the invention remains valuable.

On a separate note, software would not be deemed an invention but would be protected by copyright from the very moment of its creation. Registration is not necessary for the protection of software. The exploitation rights for the work will run for the life of the author and survive 70 years after the author's actual or declared death.

Regarding the ownership of IP rights, the ownership of inventions and works should again be analysed separately. These are default rules under Spanish law to attribute ownership of inventions:

Absent other applicable rules, the natural person who creates the invention (i.e., the inventor) is the owner.

If the inventor is an employee (private or public):

  1. if the invention is a result of his or her work for a company, pursuant to the terms of his or her employment agreement or to the instructions received from the company, then the owner of the rights to the invention will be the company; and
  2. if the invention is a result of his or her independent work but relevant knowledge obtained from a company or the company's facilities was used, then the company can claim ownership rights to the invention or a right to use the invention, subject to the payment of fair compensation.

The rule in connection with works is that the original owner of the rights to the work is the author or co-authors (or, in very specific and limited cases, an individual or a legal private or public entity who leads and coordinates personal contributions and publishes the result under its own name – usually in the case of software). The general rule is that the author is the owner of all moral and exploitation rights to the work. However, some specific legal presumptions as well as some important exceptions exist:

  1. Regarding copyrightable work created by an employee under his or her employment agreement, Spanish law presumes that, unless otherwise agreed, all exploitation rights of the work have been assigned, on an exclusive basis, to the company for the purposes of its ordinary course of business. This assumption applies in particular, but is not limited to, the creation of software.
  2. In the event of joint co-authors, either:
    • all co-authors have equal exploitation rights, unless otherwise agreed; or
    • the exploitation rights to the work correspond to the (legal or natural) person that assumes responsibility for the creation of the work and publishes it under the person's own name.
ii Data protection

Fintech businesses located in Spain or, under certain circumstances, businesses addressing the Spanish market from non-EU territories are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). From 25 May 2018, the main data protection rule applicable in Spain is the General Data Protection Regulation (Regulation (UE) 2016/679) (GDPR) that is directly applicable to all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.

Notwithstanding the above, at a national level and in addition to GDPR, certain local data protection rules exist in Spain. In particular, a new general data protection law was passed in December 2018: Spanish Basic Law 3/2018 on Data Protection and Digital Rights Guarantees (LOPD). The LOPD formally repealed the previous national data protection regulations, which were incompatible with the GDPR, and adapted local rules in order for them to be compatible with GDPR. The main goal of the LOPD is providing specific data protection regulation in different matters that are not expressly covered by the GDPR or that are covered by the GDPR but in relation to which the Member States are given some competence to enact a more detailed regulation. Consequently, certain data processing (such as inclusion of debtors' data in creditworthiness shared files) have been regulated in detail in the LOPD. Also, the LOPD has approved a new set of rights of citizens in relation to new technologies, known as 'digital rights'. This set of new digital rights may impact the business of certain fintech businesses, such as digital rights granted to employees regarding the use by employers of IT tools for monitoring purposes in the workplace or the use of geolocation systems.

Finally, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities within the EU, must also be taken into account.

As regards the possibilities of fintech companies carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), such activities are subject to the GDPR rules and to certain guidelines of the Spanish Data Protection Agency. In general terms, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The interpretation of the Spanish Data Protection Agency of the legitimate interest as a lawful ground for companies to carry out profiling activities has been quite restrictive in the past (e.g., it does not cover profiling carried out with second- or third-party data). Also, additional information and transparency duties must be complied with by fintech companies when carrying out profiling activities. Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments are imposed. Finally, some of these profiling activities may be carried out with anonymised or pseudo-anonymised data. If this were the case, fintech business must take into account that the Spanish Data Protection Agency has issued specific guidelines for carrying out anonymisation processes.