All questions

Intellectual property and data protection

i Data protection

Fintech companies need to adequately protect their (client) data. In the Netherlands, rules in this regard are laid down in various laws and regulations. This includes the General Data Protection Regulation (GDPR)25 and the Dutch GDPR Implementation Act26, the Protection of Business Secrets Act (PBSA)27 and the Law to Protect Networks and Information Systems (LPNIS),28 as further described below. Depending on the type of fintech company and the types of data it processes, additional requirements may follow from sector specific legislation, including PSD2 (e.g., consent requirements) and MiFID II (e.g., data retention requirements).

The GDPR and GDPR Implementation Act aim to protect the privacy of individuals and lay down rules relating to the processing of their personal data. Personal data is broadly defined under the GDPR and includes any information relating to an identified or identifiable natural person (also named 'data subject').29 Examples of personal data relevant for the fintech sector are, inter alia, names, contact details, bank account numbers, identification documents, (electronic) signatures and credit information relating to individuals, including information relating to private clients, directors, ultimate beneficial owners (UBOs) and representatives of a company. The GDPR contains specific (more strict) rules for the processing of 'special categories' of personal data, including biometric data.30 Fintech companies falling under the scope of the GDPR need to process personal data lawfully and fairly and need to comply with obligations regarding transparency, security, data breach notifications and confidentiality. The GDPR furthermore prescribes that personal data needs to be collected and processed for specified, explicit and legitimate purposes. This means, for instance, that customer due diligence activities must be based on a statutory data processing ground and must be proportionate to its aim. Profiling31 as such is not regulated under the GDPR or Dutch GDPR Implementation Act, but the GDPR does grant data subjects the right not to be subject to any automated individual decision-making without any human involvement. When implementing new fintech business models or software solutions that involve the processing of personal data, companies need to comply with the principles of privacy by design and privacy by default.

The PBSA provides companies with a tool to protect their confidential know-how and other business information. This can include any type of information, including client data and algorithms used in fintech business models. The information must be secret, must have a commercial value and must be adequately protected to qualify as a business secret (and thereby falling under the scope of this Act).

The LPNIS applies to digital service providers, including fintech companies, that provide essential services (such as banking services or the provision of a financial markets infrastructure) and that have at least 50 or more employees or generate a revenue of at least €10 million. The LPNIS requires such providers to implement measures that decrease the likelihood of cybersecurity incidents taking place. These measures should also ensure minimum negative consequences if a cybersecurity incident would occur. The LPNIS also requires companies to report serious incidents to the Computer Emergency Response Team (CERT) of the Dutch Ministry of Justice and Safety.

ii Intellectual property rights

Several types of intellectual property rights may play a role when it comes to protecting fintech business models and related software. One important kind of intellectual property right is copyright protection. In certain cases, patent protection may be available as well. When a business model is not eligible for copyright or patent protection, the PBSA may under circumstances provide certain protection of such a business model.

When it comes to copyright protection, the Dutch Copyright Act (DCA)32 requires that a work has an 'original character' and 'bears the personal mark of the author'. This is, in essence, the same criterion as the criterion developed by the European Court of Justice in the Infopaq judgment (16 July 2009): a work must be one's 'own intellectual creation'. A basic principle under the DCA is that mere 'ideas' do not qualify for copyright protection as such. Ideas need to be worked out in detail to become copyright protected. If a certain work has sufficient originality, it is automatically protected by the DCA. There are no registration formalities in the Netherlands for copyright protection.

With respect to software, the DCA explicitly provides that software and preparatory materials for software are eligible for copyright protection. The copyright protection of software programs applies to the expression (in any form) of a computer program (inter alia, source and object code). Equal to the aforementioned basic principle, ideas and principles that underlie elements of a computer program, or ideas that underlie interfaces, are not copyright protected. This means that financial company A and financial company B can have, in essence, the same software solution in place, while both solutions have been programmed in a different manner (have a different source code), by different persons (but with the same underlying ideas).

While it is relatively easy to qualify for copyright protection, qualifying for patent protection is a different – and more complex – story. Software as such (the program 'stand-alone' or 'as such') cannot be protected by a patent in the Netherlands (nor in the European Union). If the software has a certain 'technical effect' – when it is for instance implemented in hardware and directs or determines a certain movement of such hardware – it may be eligible for patent protection included in the technical solution as a whole. The threshold for obtaining patent protection is, however, still rather high and process of obtaining patent protection is time consuming. During the application process, it will be assessed whether the technical solution is 'new' and contains a sufficient inventive step as compared to existing solutions.

The copyrights to certain software programs are automatically attributed to the employer if an employee develops the software in the course of his or her employment. The same more or less applies to patentable inventions made by an employee in the course of his or her employment. It is possible for the employee and employer to make other contractual arrangements, thereby deviating from the starting point that the intellectual property rights created by the employee during his or her employment vest in the employer.

Financial companies that hire independent contractors for developing fintech business models or software should arrange for the transfer of the copyrights and other intellectual property rights that come into existence during or after the development by written contract. Otherwise, the independent contractor will be, for instance, the owner of the copyrights.

Where certain business methods or certain know-how that is kept confidential is not eligible for copyright or patent protection, then such information could be eligible for trade secret protection under the PBSA, provided that the requirements set out in Section VII.i are met.