
AUSTRIA Law and Practice

Contributed by: Markus Fellner, Florian Kranebitter and Florian Henöckl, Fellner Wratzfeld & Partners

2.10 Implications of Additional, Non-financial Services Regulations

Privacy

From a data protection point of view, a fintech firm, just like any other company, must comply with the applicable provisions, in particular the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act. The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing by other than automated means of personal data which form part of a filing system or are intended to form part of a filing system. A data protection declaration is therefore required that governs the processing and use of customers’ data. In addition to the data protection declaration, arrangements must be in place for the exercise of data subjects’ rights, in particular the right to rectification, the right to erasure (“right to be forgotten”) and the right to restriction of processing.

Cybersecurity

Cybersecurity is a decisive aspect for fintech firms, both because of the nature of their activity and because of the usually large volume of data processed. Fintech firms can be assumed to carry a large number of obligations to ensure a sufficiently high level of protection for customers. The importance of this aspect is also reflected in the fact that a separate sub-sector has now emerged, specialising in cybersecurity solutions for fintech firms, and this sub-sector has grown steadily in parallel with the fintech market itself.

The European Parliament has reacted to this with DORA. DORA sets uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector, as well as of critical third parties that provide ICT (information and communication technology) services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework for digital operational resilience under which all firms must ensure that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.

Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.

Social Media Content

The presence of fintech firms on social media channels entails the need to observe the legal framework applicable in this area, where competition law, copyright and the data protection framework are particularly relevant.

Software Development

In software development, fintech firms, like other companies, must observe the legal framework conditions from the outset, as these are necessary for the successful development of, and later progress with, the application. The software may initially be developed by the company itself or under a contract with a third party. During development, third-party copyrights must be respected and must not be infringed, otherwise further development and the market launch may fail. Once the development has been completed and the