Data protection in the digital financial era: A guide for the Fintech ecosystem
This initiative arises from the growth and expansion of the Fintech ecosystem, as identified by the Superintendency of Industry and Commerce. Consequently, there is a need to guide the actors operating within this ecosystem regarding their obligations concerning personal data.
Below are the main guidelines issued by the Superintendency of Industry and Commerce, which must be followed by all stakeholders in the Fintech sector.
Guidelines on the processing of personal data for the Fintech ecosystem
Mandatory prior authorization by the data subject
1. The processing of personal data must be limited strictly to data that is relevant, appropriate, and necessary to fulfill the purposes for which it was collected. These purposes must be constitutionally legitimate.
2. In the Fintech context, the processing of personal data must be authorized in advance by the data subject. Likewise, the data subject must be informed about the data being collected and the specific purpose for its use. Therefore, in applications available for download, the data subject must be free to decide whether to grant access to their personal information, such as location or camera access, with the purpose of each access clearly stated to enable an informed decision.
Form of authorization
3. Authorization for the processing of personal data may be given by the data subject in writing, through a data message, orally, or through unequivocal conduct that reasonably indicates consent was granted. However, for the processing of sensitive data, authorization through unequivocal conduct is not valid. Furthermore, Fintech ecosystem actors must maintain evidence of the authorization granted by the data subject.
Distinct purposes
4. Authorization for processing personal data for purposes beyond the provision of the service must be granted separately. In these cases, it is recommended that the authorization use simple language and brief, clear expressions that are easily understood by the data subjects. Examples of distinct purposes include:
- Profiling and better understanding of preferences and needs.
- Sharing data with related entities for commercial and/or advertising purposes.
- Contacting for commercial and/or advertising purposes.
Collection of sensitive personal data
5. Conditioning the performance of financial activities or access to financial services and products through technological means on the provision of sensitive personal data—especially biometric data—is strictly prohibited.
6. The collection and processing of sensitive personal data, particularly biometric data, requires enhanced diligence from the data controller. Therefore, the controller must inform the data subject:
- That, because these are sensitive data, they are not required to authorize their processing; and
- Which of the data to be processed are considered sensitive, and the specific purpose of the processing for each type of sensitive personal data.
Automated processing
7. No data subject may be subjected to automated decision-making without prior notice, and they must be able to challenge such decisions through available channels, especially when the decisions have adverse effects, such as denial of credit or financial services.
Access to personal data and exercise of data subject rights
8. Simple and accessible mechanisms must be in place for data subjects to exercise their rights, along with procedures that maintain detailed records of access by authorized third parties, including the identity of the requester, origin, recipient, purpose, and dates.
9. Data controllers and processors must implement legal design strategies—such as layered notices—to facilitate the understanding of how personal data is used. They must also provide visible and intuitive mechanisms that allow data subjects to manage their privacy and decisions regarding third-party access. Processing must be transparent, clearly informing data subjects about the third parties involved and their roles. Investing in these strategies can be considered part of fulfilling the accountability principle.
International transfers or transmissions of data
10. When international transfers or transmissions of personal data are carried out through technological means in the provision of financial services, the data controller within national territory must:
- Verify that the receiving controller or processor is located in a country that provides an adequate level of personal data protection, in accordance with the guidelines of the Superintendency of Industry and Commerce (SIC).
- If the transfer or transmission is to a country that does not offer an adequate level of protection, the controller must confirm that the operation falls under the exceptions set forth in Article 26 of Law 1581 of 2012.
- If the transfer does not meet either condition, a declaration of conformity must be requested from the Delegation for the Protection of Personal Data.
How can we help you?
At Forvis Mazars, we have a team of professionals specialized in compliance with Law 1581 of 2012, Decree 1377 of 2013, Law 1266 of 2008, and other current regulations on personal data protection. If you need support implementing or complying with the guidelines contained in this bulletin, don’t hesitate to contact us. We are here to help you ensure the protection of your customers' personal data and comply with all applicable regulations.
