
Large Body of New Regulation to Affect Financial Services and Data Protection


Legislators at both the European and Czech levels have been active in adopting new regulations that influence several areas of the modern economy. Financial services, with consumer finance on one side and markets in financial instruments on the other, have been at the center of these efforts. Financial regulation is not, however, the only measure heavily affecting banks, investment firms, and FinTech companies by putting new compliance requirements in place. Another huge legal instrument – the General Data Protection Regulation adopted at the EU level in 2016 – imposes new requirements on all companies dealing with personal data.

Consumer Finance and the New Consumer Credit Act

On December 1, 2016, the new Consumer Credit Act took effect in the Czech Republic. This new law was designed to clear the consumer loans market – which had been flooded by dubious businesses providing subprime loans at sky-high interest rates – by imposing vigorous regulatory requirements on non-bank providers of consumer loans, which until then had been able to conduct business on the basis of a simple trade license.

Under the new Act, such non-bank providers need to obtain a special permit from the Czech National Bank (CNB), newly empowered with regulatory authority over the consumer loans market. These licenses can only be issued to companies with a registered share capital of at least CZK 20 million (approx. EUR 750,000). The procedure resembles the bank licensing process in its complexity. Each provider must submit several documents and internal policies to the CNB reflecting compliance with the Act’s requirements, including the professional capacity of employees and compliance with strict procedures regarding the assessment of creditworthiness, AML rules, policies for communication with customers and for enforcing claims, IT security, and so on. 

The “cleansing effect” of the new legislation is apparent from the fact that as of March 1, 2017, only 107 applications for the CNB permit had been filed, in part because many firms lacked the resources to comply with the capital requirements. Those providers filing applications before that date are permitted to continue their business until the CNB decides on their request. The CNB has up to 15 months to make its final decision on any application, and as of May 8, 2017, no permits had been granted.

A Major Overhaul in Personal Data Protection

The General Data Protection Regulation, intended to harmonize and modernize European data protection rules, will take effect and replace the existing laws of the EU member states on May 25, 2018. In the wake of the Regulation, various businesses began the process of reviewing their data processing activities and internal procedures to prepare for the new rules. 

Meanwhile, the European Data Protection Working Party, an independent EU advisory body on data protection and privacy, started issuing guidelines on the unclear elements of the Regulation. In one of the April guidelines, the Working Party addressed a frequent question of many companies, especially Internet firms and FinTechs: Will we need to appoint a Data Protection Officer?

Under the Regulation, a DPO (a designated person responsible for data protection compliance) is mandatory where the company’s core activities require regular and systematic monitoring of data subjects on a large scale or large-scale processing of sensitive data.

The Working Party’s opinion clarifies that “core activities” are those operations that are an inextricable part of the company’s activity and cites a hospital processing patients’ health records and a security company surveilling public space as examples. By contrast, a company’s processing of personal data of its own employees is merely an ancillary activity. “Regular and systematic monitoring” includes all forms of online tracking and profiling, including, among other things, processing for the purposes of data-driven marketing activities, credit scoring, or location tracking. Consequently, a DPO will be necessary in many technology startups and companies developing mobile apps or providing consumer loans online.

By Jan Kotous, Counsel, Head of Corporate/M&A, and Jan Gerych, Associate, Wolf Theiss

This Article was originally published in Issue 4.5 of the CEE Legal Matters Magazine.

Wolf Theiss at a Glance

With over 360 lawyers in 13 countries, over 80% of the firm’s work involves cross-border representation of international clients. We have concentrated our energies on a unique part of the world: the complex, fast-developing markets of the CEE/SEE region. Through our international network of offices, we work closely with our clients to develop innovative solutions that integrate legal, financial, and business know-how.

Wolf Theiss provides fully integrated corporate services in mergers and acquisitions, private equity, real estate, banking and finance, tax and insurance, employment law, competition law, energy law, privatisation, restructuring, public procurement and litigation. At Wolf Theiss, we measure our success by the success of our clients. We align our goals with yours to ensure that your needs are being met in even the most complex of cross-border matters. This means that we know how to listen to you and help you use the assets you already have while finding opportunities.
