As of 25 April 2018, the European General Data Protection Regulation (Algemene Verordening Gegevensbescherming – ‘GDPR’) (Regulation (EU) No. 2016/679) has replaced the Dutch Data Protection Act. The applicable data protection regime in the Netherlands now follows from the GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet AVG). All companies that process personal data within the meaning of the GDPR must comply with the requirements laid down in this European regulation. This regime has no specific implications for fintech companies; it applies to all companies that process personal data (practically every company today). Depending on the type of fintech company and the manner in which it uses personal data, additional requirements following from sector-specific legislation may apply, such as the explicit consent requirement under the second Payment Services Directive. If a fintech company makes use of big data and/or artificial intelligence, the specific requirements of the GDPR with regard to profiling apply. Examples of requirements that must be taken into account if the Dutch data protection regime applies include the following:
- Personal data may be processed only if such processing is done lawfully, fairly and in a transparent manner in relation to the data subjects;
- A record of processing activities must be maintained; and
- Depending on the risk presented to the rights and freedoms of natural persons, a data protection impact assessment must be carried out prior to the actual processing of the personal data.
The applicable cybersecurity regime in the Netherlands mainly follows from requirements included in sector-specific legislation focusing on a specific type of business or from other areas of law, such as the GDPR. For example, the GDPR requires the controller and processor of personal data to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing of the personal data. Other examples of statutory requirements relating to cybersecurity can be found in the Dutch Prudential Rules (Financial Supervision Act) Decree (Besluit prudentiële regels Wft), pursuant to which certain types of financial companies must have procedures and measures in place to ensure the integrity, continuous availability and security of automated data processing.
In 2018 the Dutch Act on the Security of Network and Information Systems, implementing the EU Cybersecurity Directive (No. 2016/1148), entered into force. The requirements laid down in the act apply to digital service providers (eg, online marketplaces, search engines, cloud computing service providers) that have at least 50 employees and/or generate a revenue of at least €10 million, and to providers of essential services (eg, energy, banking, financial markets infrastructure). Pursuant to the act, these companies have a duty of care and must take adequate technical and organisational measures to control identified security risks.
Which cybersecurity requirements apply to a fintech company therefore depends primarily on its exact business model and the regulatory regime that applies to it.