Answer ... Fintech companies must abide by the Organic Law on Protection of Personal Data and Digital Rights, which means they are obliged to respect fundamental rights regarding personal data protection.

Certain particularities regarding credit information systems must be taken into account. First, fintech companies are obliged to inform the client in the event of a denial of service due to information obtained from credit bureaux. Second, they are also obliged to inform the client when payment defaults are registered with credit bureaux.

Answer ... The most relevant regulations with regard to cybersecurity include:

• the Law on Information Society Services and Electronic Commerce;
• the Law on Electronic Signatures (50/2003);
• the Organic Law on Protection of Personal Data and Digital Rights;
• the Law on General Telecommunications (9/2014);
• the Law on Retention of Data Related to Electronic Communications and Public Communication Networks;
• Royal Decree 381/2015, which establishes measures against illegal or irregular traffic which has fraudulent purposes in electronic communications;
• the Criminal Code;
• the National Cybersecurity Strategy 2019; and
• the Regulation on the Evaluation and Certification of Technology Security.

As a general principle, fintech companies must adopt special technical measures to manage, reduce and prevent incidences that may affect the security of the network and information systems that they use and provide.