Insight: IP and data protection for fintech companies in Germany

All questions

Intellectual property rights and data protection

in Intellectual property rights

As such, a business model cannot be protected by copyright law. Therefore, it is not uncommon for successful fintech business models to be copied and optimized. Computer programs that are characterized by a minimum of individuality and originality are, however, subject to copyright protection under Section 2 of the Act on Copyright and Neighboring Rights (UrhG).¹²²

Under German law, copyright cannot be registered or transferred, as copyright itself arises the moment the work, such as the software, is created by the actual author.¹²³ The ability to be an author is strictly linked to a natural person and therefore cannot be transferred. The lack of registration obviously leads to various practical problems which often result in lawsuits. A license may nevertheless be granted which gives the holder the opportunity to make use of the work in any case or in certain cases (UrhG § 31). Employees and their employers implicitly agree to a full license by drawing up the employment contract.¹²⁴ Therefore, the employer can make use of the piece of work. When it comes to computer programs, another rule applies (UrhG § 69b), which gives the employer even more rights. Unless otherwise agreed, the employee is not liable for compensation.¹²⁵

The emergence of new trends and business models brings new issues from the perspective of several branches of law, including copyright; for example, NFTs (i.e. cryptographic tokens), which are not fungible in terms of their technical characteristics and are in that sense unique.¹²⁶ Regardless of the supervisory approach, which as such is technology neutral, the relevance of digital processes related to NFTs for copyright law still needs further clarification.

ii Data protection

In general, data protection is governed by the General Data Protection Regulation (GDPR),¹²⁷ which substantially replaced the previous version of the Federal Act on Data Protection on 25 May 2018 without, however, changing the basic principles of German data protection law. The GDPR intends to prevent the collection and use of data relating to individuals unless it is duly necessary to do so (Article 1 of the GDPR). Data is considered to be linked to individuals if the responsible body has legal means that make it possible to identify the data subject.¹²⁸

Collection and processing of data relating to individuals is only permitted if it is expressly permitted by law or if the data subject consents (Article 6(1) GDPR). In addition, the user must be informed about the nature, scope and purpose of the data collection.

Digital profiling must follow the general principles mentioned above. The GDPR does not regulate digital profiling, as such, but focuses on some of the typical forms:

1. the automated individual decision-making, including profiling, must comply with Article 22 of the GDPR; and
2. a decision that produces legal effects for the data subject or has a correspondingly significant influence on the data subject must not be based exclusively on automated processing (Article 22 no. 1 GDPR).

However, Article 22(1) of the GDPR shall not apply if the decision:

1. is necessary to enter into or fulfill a contract between the data subject and the data controller;
2. is authorized by law to which the controller is subject and which also stipulates appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
3. is based on the data subject’s explicit consent (Article 22(2) GDPR).