Luxembourg
Answer ... Fintech companies must comply with the following legislation when they process personal data:
- EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); and
- the Law of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR.
The processing of payment service users’ personal data by payment service providers is subject to the GDPR requirements. Among other requirements, this processing must be based on at least one of the legal grounds provided by the GDPR (i.e. payment service users’ consent, performance of a contract, compliance with a legal obligation to which the payment service provider is subject…).
The first piece of EU-wide legislation on cybersecurity, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), has recently been implemented in Luxembourg by the Law of 28 May 2019 implementing the NIS Directive.
Today, boards of directors are expected to be increasingly aware of cybersecurity issues and actively involved in such matters.
Luxembourg
No answer submitted for this question.