
Fintechs must stay compliant in aftermath of Covid-19 (2) (3/28/20)

This article picks up where we left off last week.

 

| Area | GDPR requirement | Reference to Article in GDPR | Penalty |
|---|---|---|---|
| Data subject's consent | The data subject's consent is required if a fintech company uses optional cookies (e.g. Google Analytics to track website traffic). The data subject's consent should be given voluntarily and clearly, and the data subject has the right to object to data processing. | Articles 13, 14 and 25 | Up to €20 million or up to 4% of total worldwide turnover |
| Risk assessment | The fintech company must conduct a risk assessment, and when processing high-risk data it must also conduct an impact assessment. For example, an impact assessment must be conducted for any data processing based on profiling and automatic decision-making. These assessments must be updated as necessary. | Article 35 | Up to €10 million or up to 2% of total worldwide turnover |
| Risk assessment | The fintech company must ensure that the data subject has the right to object to such profiling and automatic decision-making. | Article 22(1) | Up to €20 million or up to 4% of total worldwide turnover |
| Secure data processing | The fintech company must adopt appropriate security measures and technical solutions. For example, the company must meet the technical standards issued by the European Banking Authority (https://eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2) or other standards (e.g. ISO 27701:2019). | Article 32 | Up to €10 million or up to 2% of total worldwide turnover |
| Secure data processing | The fintech company must strictly adhere to the GDPR data processing principles (e.g. storing personal data no longer than necessary or for a statutory period). The fintech company must not use, access or store data for any purpose other than to provide, for example, an account information service clearly requested by a user of payment services. | Article 5 | Up to €20 million or up to 4% of total worldwide turnover |
| Secure data processing | The fintech company must draw up an IT document providing guidelines on the security, risk analysis and physical and logical protection of information resources, usage of information systems, and steps in response to a security incident. | Articles 24(2) and 32 | Up to €10 million or up to 2% of total worldwide turnover |
| Secure data processing | When drawing up technical standards on authentication and communication, the fintech company must systematically evaluate and consider the privacy aspect in order to identify the risks associated with each available technical solution and the safeguards that could be implemented to minimise threats to data protection. | Article 32 | Up to €10 million or up to 2% of total worldwide turnover |
| Third countries and IS servers deployed there | The fintech company must inform data subjects that their data can be processed outside the EU/EEA (e.g. the obligation to inform data subjects going on business trips, booking a hotel or a flight, or applying for a visa). | Articles 13, 14 and 44 | Up to €20 million or up to 4% of total worldwide turnover |
| Third countries and IS servers deployed there | The fintech company must implement extra security requirements if data is transmitted to, or IS servers are deployed, outside the EU/EEA. | Article 44 | Up to €20 million or up to 4% of total worldwide turnover |
| Processing special category data | NB: Special category data under GDPR is not to be confused with sensitive payment data under PSD2. A fintech company that processes special category data must seek the data subject's consent to such processing. | Article 9 | Up to €20 million or up to 4% of total worldwide turnover |
| Processing special category data | The fintech company may process information on the data subject's criminal record only if legislation provides for such processing. | Article 10 | Up to €20 million or up to 4% of total worldwide turnover |
| Training | The fintech company must regularly inform and train its staff involved in processing activities. | Article 39(1)(b) | Up to €10 million or up to 2% of total worldwide turnover |
| Reporting an incident | The fintech company must report an incident within 72 hours of its being detected. | Article 33 | Up to €10 million or up to 2% of total worldwide turnover |


(to be completed)
