All questions

Intellectual property and data protection

i Intellectual property

A business model as such cannot be protected by copyright law. Therefore, it is not uncommon for successful fintech business models to be copied and optimised. Computer programs, however, that are characterised by a minimum of individuality and originality are subject to copyright protection according to Section 2 of the Act on Copyright and Neighbouring Rights (UrhG).

Under German law copyright can be neither registered nor transferred, since the copyright itself emerges the moment the piece of work, such as the software, is created by its actual originator. The capacity of being the originator is strictly connected to a natural person and may therefore not be transferred. Obviously the lack of registration leads to various practical problems that often result in lawsuits. Nonetheless, a licence may be granted enabling the holder to make use of the piece of work in every or in particular matters (Section 31 of the UrhG). Employees and their employers implicitly agree on a full licence by drafting the employment contract. Therefore, the employer is allowed to make use of the piece of work. Concerning computer programs, another rule applies (Section 69b of the UrhG), granting the employer even more rights. Unless agreed otherwise, the employee is owed no compensation.

ii Data protection

Generally speaking, data protection is governed by the Law on Telemedia (TMG) and the General Data Protection Regulation (GDPR), which replaced to a material extent the previous version of the Federal Act on Data Protection as of 25 May 2018 without, however, changing the fundamental principles of German data protection law. The GDPR and the TMG intend to prevent the collection and use of data related to individuals unless it is duly necessary to do so (Section 12(1) of the TMG, Article 1 of the GDPR). Data are considered to be related to individuals if the responsible body has the legal means that enable it to identify the data subject.

Collection and processing of data related to individuals is only permitted if it is explicitly allowed by law or if the data subject consents (Section 12(1) TMG; Article 6(1) GDPR). Sections 14 and 15 of the TMG contain such allowances, if data are necessary to design a contract concerning the use of telemedia, to grant the user access to services or to charge those services properly. Furthermore, the user can declare his or her consent electronically (Section 12(2) of the TMG). Additionally, the user must be informed about nature, extent and purpose of data collection.

Digital profiling has to comply with the general principles stated above. The GDPR does not regulate digital profiling as such but focuses on some of its typical forms: firstly, the automated individual decision-making, including profiling, must comply with Article 22 of the GDPR; secondly, a decision that produces legal effects on the data subject or has a similarly significant influence on the data subject must not be based solely on automated processing (Article 22(1) GDPR). However, Article 22(1) GDPR shall not apply, if the decision: (1) is necessary for entering into, or performance of, a contract between the data subject and the data controller; (2) is authorised by law to which the controller is subject and that also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is based on the data subject's explicit consent (Article 22(2) GDPR).