All questions

Intellectual property and data protection

It is essential for fintech businesses to generate the most possible value from the innovative and technological tools and systems they use. Therefore, protecting these tools and systems with intellectual property rights when possible is extremely important.

Software patentability is generally excluded because software cannot be considered an invention per se (Article 45 of the Italian Industrial Property Code). Although software is sometimes patent eligible, patents are excluded in most cases in the fintech field. However, Italian law envisages software safeguards through copyright protection (Article 64 bis of the Italian Copyright Law), which is granted if the software meets the creative requirements set out in the copyright law.

Fintech businesses are increasingly using open source software or standard software as a base on which to develop customised solutions for their businesses. In these cases, attention must be paid to the presence of copyleft clauses that often impose to disclose the source code of the developments made. According to the applicable terms, obligations to disclose may vary.

Furthermore, business knowledge can be protected as a business secret. This protection ensures that no-one can use secret information developed for business purposes. The fact that the information is secret ensures protection is granted.

Specific rules must be set out in agreements between parties to ensure that the owner of the IP rights over any invention or software created under a contractual relationship is clear.

The following rules apply to employment relationships:

  1. inventions by the employee in performing his or her work duties: the employer is the owner of IP rights over the employee's inventions;
  2. inventions by the employee in performing his or her work duties, even if invention is not a specific work duty: the employer is the owner of IP rights over the employee's inventions, but the employee has the right to be fairly remunerated for the invention; and
  3. inventions by the employee outside his or her work duties, but connected with the employer's field of business: the employee is the owner of IP rights over the inventions, but the employer has a pre-emptive right over the inventions.

In the fintech field, it is necessary to ensure that personal data is lawfully processed in compliance with European Regulation 2016/679 (General Data Protection Legislation – GDPR, which came into force on 25 May 2018) and Italian legislation (specifically Legislative Decree No. 196/2003, the Privacy Code, recently amended by Legislative Decree No. 101/2018). Indeed, sensitive information relating to the financial assessment of natural persons are frequently processed, and a large amount of correct information is gathered to ensure the legal obligations imposed on financial intermediaries are met. The legal obligations deriving from MiFID II and from AML legislation are a prime example. Both require that information be gathered to profile clients and conduct risk analysis to provide the most profitable investment portfolio for both financial intermediaries and clients. Although profiling is mandatory by law, the GDPR must be complied with, particularly information and transparency duties that require disclosure of the rules governing the profiling system if requested by the data subject or client. This is a very sensitive area because complying with the data subject's right could contrast with the legal entity's right to protect business information and keep it secret.

Big data plays a strategic role in the fintech field and, to ensure business growth, fintech businesses need to have access to advanced technology and well-structured databases. Credit and commercial information systems also play a strategic role in this sector by providing information and thus meeting fintech operators' business needs. The activities performed by these systems are regulated by law and, within the privacy legislation, by specific codes of conduct. It must be underlined that large differences exist between the two information systems. As outlined in Section II.i, credit information systems can be public (i.e., the Central Credit Register managed by the BoI) or private, and only financial intermediaries (and other entities under the BoI's control) may supplement the databases and ask for information to be extracted from the databases. Conversely, commercial information systems provide information collected from public sources and are available to the public. Commercial information systems are thus clearly fundamental for payment institutions and, especially since PSD II's entry into force, their importance in the fintech field continues to increase.