All questions

Intellectual property and data protection

i Intellectual property

Anything that is not a technical solution, including schemes, rules and methods for performing mental acts, playing games or doing business, and software as such, is excluded from patent protection. This does, however, not preclude software-based inventions that are implemented in hardware from patent protection, provided that all applicable conditions are fulfilled.

Software and business models may also be protected by copyright if they meet the originality requirement. For acquiring copyright protection, no formalities need to be fulfilled. Only the expression of the software or business model will be protected, and not the underlying ideas or principles.

The object and source code, architecture, structure and organisation of the software are considered the 'expression of the software'. A graphic user interface does not enable the reproduction of the software, and is therefore not considered an expression of the software. Consequently, a graphic user interface cannot be protected under the Software Act, but only by common copyright law.

Unless otherwise specified in the employment contract, the employee that is the creator of an original work will own the copyright on that work. The same applies to contractors. With regard to software, however, there is a legal presumption that the employer is the copyright owner of the original software created by the employee.

No specific compensation regime is provided for by law, allowing parties to freely agree on a potential compensation for any intellectual property created.

ii Data protection

Fintech companies that are based in the EU, or that offer goods or services to natural persons (data subjects) in the EU or monitor their behaviour, will have to comply with the principles and obligations of the GDPR and the Belgian Act of 30 July 2018 when processing personal data. If the client data consists of information relating to an identified or identifiable data subject, the data will be qualified as personal data.

Profiling refers to the creation and use of profiles of data subjects based on common characteristics (e.g., preferences, financial status). Depending on the objective of the profiling, it will be treated differently. The use of profiles to create recommendations and personalise the client experience, for instance, will not be treated the same way as the use of such profiles to automatically reject credit applications or otherwise significantly impact the rights of the data subject.

In the first scenario, in other words, a mere scoring or evaluation, the general rules of the GDPR will apply, and the specific requirements to carry out a data protection impact assessment (DPIA) may apply in Belgium (as well as elsewhere), depending on the other circumstances of the processing (e.g., data enrichment via other sources, scale of processing). For the second scenario, a DPIA will in any event be required under the GDPR, and specific requirements apply in relation to the permitted legal grounds for such processing, the categories of personal data that may be taken into account and data subject rights.

In each scenario, a risk assessment will be needed to determine whether the supervisory authority must be consulted in relation to the project.