| GDPR requirements | Reference to Article in GDPR | Penalty |
|---|---|---|
| Data subject's consent | | |
| The data subject's consent is required if a fintech company uses optional cookies (e.g. Google Analytics to track website traffic). The data subject's consent should be given voluntarily and clearly, and the data subject has the right to object to data processing. | Articles 13, 14 and 25 | Up to €20 million or up to 4% of total worldwide turnover |
| Risk assessment | | |
| The fintech company must conduct a risk assessment, and when processing high-risk data it must also conduct an impact assessment. For example, an impact assessment must be conducted for any data processing based on profiling and automatic decision-making. These assessments must be updated as necessary. | Article 35 | Up to €10 million or up to 2% of total worldwide turnover |
| The fintech company must ensure that the data subject has the right to object to such profiling and automatic decision-making. | Article 22(1) | Up to €20 million or up to 4% of total worldwide turnover |
| Secure data processing | | |
| The fintech company must adopt appropriate security measures and technical solutions. For example, the company must meet the technical standards issued by the European Banking Authority (https://eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2) or other standards (e.g. ISO 27701:2019). | Article 32 | Up to €10 million or up to 2% of total worldwide turnover |
| The fintech company must strictly adhere to the GDPR data processing principles (e.g. storing personal data no longer than necessary or for a statutory period). The fintech company must not use, access or store data for any purpose other than to provide, for example, an account information service clearly requested by a user of payment services. | Article 5 | Up to €20 million or up to 4% of total worldwide turnover |
| The fintech company must draw up an IT document providing guidelines on the security, risk analysis and physical and logical protection of information resources, the usage of information systems, and the steps to take in response to a security incident. | Articles 24(2) and 32 | Up to €10 million or up to 2% of total worldwide turnover |
| When drawing up technical standards on authentication and communication, the fintech company must systematically evaluate and consider the privacy aspect in order to identify the risks associated with each available technical solution and the safeguards that could be implemented to minimise threats to data protection. | Article 32 | Up to €10 million or up to 2% of total worldwide turnover |
| Third countries and IS servers deployed there | | |
| The fintech company must inform data subjects that their data can be processed outside the EU/EEA (e.g. data subjects going on business trips, booking a hotel or a flight, or applying for a visa must be informed). | Articles 13, 14 and 44 | Up to €20 million or up to 4% of total worldwide turnover |
| The fintech company must implement extra security requirements if data is transmitted to, or IS servers are deployed, outside the EU/EEA. | Article 44 | Up to €20 million or up to 4% of total worldwide turnover |
| Processing special category data (NB: special category data under GDPR is not to be confused with sensitive payment data under PSD2) | | |
| A fintech company that processes special category data must seek the data subject's consent to such processing. | Article 9 | Up to €20 million or up to 4% of total worldwide turnover |
| The fintech company may process information on the data subject's criminal record only if legislation provides for such processing. | Article 10 | Up to €20 million or up to 4% of total worldwide turnover |
| Training | | |
| The fintech company must regularly inform and train its staff involved in processing activities. | Article 39(1)(b) | Up to €10 million or up to 2% of total worldwide turnover |
| Reporting an incident | | |
| The incident must be reported within 72 hours of being detected. | Article 33 | Up to €10 million or up to 2% of total worldwide turnover |