Intellectual property and data protection

Upon their creation, such business models and related software are automatically protected by copyright.

The company may develop a trademark under which it wishes to sell this product and register such trademark with the European Union Intellectual Property Office.

Once the software is developed, the fintech may also use i-DEPOT operated by the Benelux Office for Intellectual Property (BOIP), as it is a reliable means of proving the existence of an idea at a specific date, before other intellectual property rights, such as trademarks, are acquired.

The fintech will deposit the source code of the program with the BOIP, which keeps the i-DEPOT for a period of five to 10 years. However, the i-DEPOT does not give rise to an intellectual property right.

Patent protection is not available under the Luxembourg law on patents of 20 July 1992, as amended – software is excluded from patent protection.

Regarding intellectual property rights, unless the provisions of the employment contract are more favourable to the employee, the employer is normally the owner of the developed software or business model. In addition, in principle, no compensation is due.

i Data protection rules

When processing personal data, fintech companies must comply with:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); and
  2. the Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementing the GDPR.

Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services with the explicit consent of the payment service user.

ii Secrecy rules

2009 Law

The members of the administrative, management and supervisory bodies, directors, employees and the other persons working for payment institutions and electronic money institutions must maintain secrecy of the information entrusted to them in the context of their professional activity. The disclosure of any such information is punishable by the sanctions laid down in Article 458 of the Luxembourg Criminal Code.

There are, however, some exceptions to the professional secrecy requirement, among others, where disclosure of information is required by the law or towards entities in charge of the provision of outsourced services.

1993 Law

Natural and legal persons, subject to prudential supervision of the CSSF pursuant to the 1993 Law or established in Luxembourg and subject to the supervision of the ECB or a foreign supervisory authority for the exercise of an activity referred to in the 1993 Law, as well as members of the management body, the directors, the employees and the other persons who work for these natural and legal persons shall maintain secrecy of the information entrusted to them in the context of their professional activity or their mandate. Disclosure of such information shall be punishable by the penalties laid down in Article 458 of the Criminal Code.

There are, however, some exceptions to the professional secrecy requirement, among others, where disclosure of information is required by the law or towards Luxembourg-based persons subject to the supervision of the CSSF, the ECB, or the CAA, and who are subject to a secrecy obligation that is criminally sanctioned, when the information disclosed to these persons is provided within a service contract.

There are special rules regarding profiling, which are detailed in the GDPR. They mainly concern the following rights of the data subject:

  1. the right to be informed of the existence of profiling and the consequences of such profiling;
  2. the right to object to the processing of his or her personal data for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing; and
  3. the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her that is based solely on automated processing and that produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.