All questions

Intellectual property and data protection

i Intellectual property

In France, business models cannot be protected by intellectual property rights (copyright or patent), which means that fintech companies cannot protect their business models.

France has implemented the European Directive of 14 May 1991 on the legal protection of computer programs. Therefore, software can be protected by copyright, not by a patent. Software is automatically protected by copyright, provided that it meets the originality requirements. If the patentability of software is excluded as a matter of principle, such protection may be granted where the software constitutes 'a step in an industrial process and/or in the operation of a system'.

Software created by one or more employees in the performance of their duties or following the instructions given by their employer belongs to the employer to which all the rights of authors are vested (unless the employment contract provides otherwise).

ii Data protection

The EU General Data Protection Regulation 2016/679 (GDPR) applies in particular to the processing of personal data if the fintech company is based in France or outside the EU and offer goods or services, or monitor the behaviour of data subjects in France.

As part of this new regulation, the fintech companies subject to the GDPR (either as 'data controllers' or as 'data processors') have to comply with a large number of obligations, which relate for example, but are not limited, to:

  1. the principles applying to the processing of personal data, for example, lawfulness, fairness, transparency, purpose limitation, data minimisation and 'privacy by design', accuracy, storage limitation, security, confidentiality, etc.;
  2. the ability of the controller to demonstrate compliance with such principles (accountability);
  3. the obligation to identify a legal basis before the processing (special requirements apply to certain specific categories of data such as sensitive data); and
  4. data subjects' rights (e.g., transparency, the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object to a processing).

The application of the GDPR has compelled many fintech companies to launch comprehensive GDPR compliance programmes, including data mapping efforts, gap analysis and implementation programmes (e.g., by way of amendment of current internal processes, contracts, software's technical characteristics).

GDPR also provides for rules relating to profiling activities. Profiling involves three elements:

  1. it has to be an automated form of processing;
  2. it has to be carried out on personal data; and
  3. the objective of profiling must be to evaluate aspects about an individual.

Under GDPR, fully automated individual decision-making, including profiling, that has a legal or similarly significant effect is prohibited unless limited exceptions apply. Automated processing is deemed to significantly affect an individual in the following scenarios: online advertising solely based on automatic processing means where the individual being targeted is vulnerable (e.g., children, minority group) or differential pricing where higher prices effectively bar individuals from certain goods or services.

Fintech companies must ensure, as part of their GDPR compliance programmes, that suitable measures are in place to safeguard the rights and interests of individuals.