
GDPR for Fintech Startups

Updated 20 May 2026

Fintech companies process some of the most sensitive personal data categories: financial history, transaction patterns, creditworthiness assessments, income data, and in some cases biometric data for identity verification. GDPR compliance in fintech is not optional — it is a prerequisite for operating in the EU and for obtaining the banking and payment licences that most fintechs need.

This article covers the key GDPR obligations that are specific or particularly challenging for fintech companies.


What Makes Fintech GDPR Compliance Different

Regulatory overlap. Fintech companies typically operate under multiple regulatory frameworks simultaneously: GDPR, PSD2/PSD3, AML/KYC requirements, PCI DSS, and in some cases MiFID II. These regimes have different data retention requirements, different disclosure obligations, and different legal bases. GDPR compliance in fintech means navigating all of them together.

Automated decision-making. Credit scoring, fraud detection, and transaction monitoring are typically automated (increasingly AI/ML-based) systems that make or inform decisions about individuals. GDPR Article 22 applies — individuals have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects, and you must be able to provide human review.

High-value targeting. Financial data breaches have immediate material consequences for individuals — identity theft, financial fraud, credit impact. Supervisory authorities treat fintech data breaches as high-priority enforcement.


Lawful Bases in Fintech

Fintechs cannot rely on a single lawful basis for all processing. The appropriate basis depends on the specific processing activity:

Processing activity                                 Lawful basis
--------------------------------------------------  -------------------------------------------------------------
Processing to fulfil a payment or account contract  Contract performance (Art. 6(1)(b))
Credit decision-making                              Legitimate interest or contract (with Article 22 obligations)
AML/KYC compliance                                  Legal obligation (Art. 6(1)(c))
Marketing to existing customers                     Legitimate interest (with opt-out)
Marketing to prospects                              Consent (Art. 6(1)(a))
Fraud detection                                     Legitimate interest (Art. 6(1)(f)), subject to balancing test
Analytics and product improvement                   Legitimate interest (if properly balanced)
Biometric verification (special category)           Explicit consent (Art. 9(2)(a)) or legal obligation

Consent is often inappropriately used as the basis for processing that should rely on contract performance or legal obligation. Using consent where contract is the appropriate basis creates problems: the customer can withdraw consent, but you still need to process the data to perform the contract.


Automated Decision-Making in Fintech (Article 22)

Credit scoring, loan decisions, fraud flags, and risk assessments are common automated decision-making activities in fintech. GDPR Article 22 applies when:

  • A decision is based solely on automated processing (no human review of individual cases)
  • The decision has legal or similarly significant effects on the individual

For credit decisions: accepting or rejecting a loan, setting a credit limit, and flagging an account are all "significant effects."

What Article 22 requires:

  • Inform individuals that automated decision-making is taking place
  • Provide meaningful information about the logic involved
  • Offer the right to request human review
  • Allow the individual to express their point of view and contest the decision

Many fintechs meet this through a combination of: disclosing automated processing in the privacy notice, a human review request flow in the app, and a complaints process. The disclosure must be specific — not just "we may use automated processing" but "your credit application was assessed automatically based on [factors]."


Financial Data Retention: The Tension with Data Minimisation

Fintech companies face a specific tension between GDPR data minimisation and anti-money laundering requirements:

  • AML/KYC law: Requires retention of customer identification documents and transaction records for a minimum of 5 years after the relationship ends (typically 5–10 years depending on jurisdiction)
  • GDPR: Requires data not to be kept longer than necessary

The resolution: financial records may be retained for the legally required period under the legal obligation basis. But this retention must be limited to what AML/KYC law actually requires. Retention of marketing data, behavioural analytics, and surplus customer data beyond what regulation requires is not justified by AML retention rules.

Implement a data lifecycle map that distinguishes:

  • Data retained for AML compliance (5–10 years, legal obligation basis)
  • Data retained for account management (duration of relationship plus reasonable period)
  • Data retained for fraud prevention (risk-based, document the justification)
  • Marketing and analytics data (limited, documented retention with clear justification)



Third-Party Open Banking Data

PSD2/PSD3 open banking creates additional GDPR considerations:

  • When an account information service provider (AISP) accesses transaction data, they process it under a separate controller relationship
  • Strong customer authentication (SCA) and consent under PSD2 are distinct from GDPR consent — both may be required
  • Data obtained via open banking cannot be reused for purposes beyond those consented to at the point of access

Fintech companies building on open banking data must have a clear policy on purpose limitation — the transaction data accessed for a specific purpose cannot be retained and reused for product improvement or secondary analysis without a fresh consent or legitimate interest assessment.


Identity Verification and Biometric Data

KYC identity verification often involves selfie matching, document scanning, and liveness detection — which may involve biometric data (facial geometry). This is special category data under GDPR Article 9.

Requirements:

  • Explicit consent for the biometric processing, separate from the main onboarding consent
  • DPIA before deploying biometric identity verification at scale
  • Data minimisation — do not retain full biometric templates if the match has been confirmed and the template is no longer needed
  • Third-party KYC providers must be contracted as processors under Article 28 DPAs

ComplyOne generates your GDPR documentation — RoPA, DPA, privacy notices, and gap assessment — in one workflow.