Legal tips for startups and scaleups

Takeaways from Stibbe's legal workshop 'Scale Up Academy Blue Tulip Awards'

On Tuesday February 4, Stibbe hosted a legal workshop as part of the Scale Up Academy of the Blue Tulip Awards, in cooperation with Temper and Dyme (Accenture Innovation Awards 2018 finalists). The purpose of the event was to make startups and scaleups more aware of the legal challenges that may arise when active in a digital world. Companies are rushing to get ahead - but aren’t we forgetting something? Let us first truly understand what it means to live in a digital world. 

In this legal workshop, Stibbe highlighted the impact of laws and regulations on digital developments at various levels. They passed on helpful insights to help your company grow, while remaining compliant with laws and regulations, and in a digital environment that is changing at ever-increasing speed.

During the legal workshop, Stibbe identified a couple of need-to-know legal points of attention for startups and scaleups, as listed below.

Legal points of attention

1) FinTechs & Financial Regulation

If you are active in the FinTech sphere (for instance as a payment services provider, electronic money institution, or as an offeror of security tokens) you must ensure that you have the right licenses and authorizations in place before entering the market. Prior to actively engaging in innovative or incumbent financial services, there are a few things you should do: 

  • Define your business model and verify whether any license requirements apply to your activities. Ask for (legal) help if you are not certain, or check directly with the regulators; Dutch regulators such as the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) have published guidance documents to help new market entrants to find their way. Only if you are comfortable that your proposition does not require a license, and is otherwise legally permissible, should you begin offering your product.
  • Take into account that the consideration period and processing time of a license application can be lengthy (up to 7-9 months, including preparations). Be clear to investors that you can only start to actively offer your product once the license has been obtained.
  • Once you receive your license, the real work starts. Make sure you remain compliant with the license requirements and ongoing obligations as you proceed with your activities. Make sure there is a decent level of legal knowledge (either in-house or external) readily available and monitor relevant legal developments.

2) Algorithmic discrimination

No business wants to be accused of discriminating its customers, or its customers’ customers – and no business wants to learn that a system they sold, bought or used has been revealed to be biased. While it is difficult to give general guidelines to ensure your systems are always fair, let alone to give them in a single paragraph, (this is a developing field, in which many eminent machine learning scientists are working very hard) there are several helpful things you can do in this regard. 

  • Define the purposeof your model and define what you consider a fair model – write this down. What problem is your model meant to solve, and when will you be satisfied that it is ‘sufficiently fair? What does fairness mean to you? Outcome parity? Equal accuracy? Blind merit-based evaluation (but then: what is merit and are you sure that your definition of 'merit' is fair?)? Check with a lawyer whether your definition of a fair model is legally permissible.
  • Monitor how your system is doing: does it work, and does it perform according to your definition of fairness?
  • If your system leads to different outcomes for members of a protected class, evaluate why this is happening. Does this fit your own idea of fairness? Can you reasonably justify this? If not, adjust the system.

3) GDPR compliance

Like any company, startups and scaleups need to make sure they comply with data protection laws, including the General Data Protection Regulation (GDPR). This can be challenging for new companies, to say the least. Some tips from us to get you started:

  • Start thinking about GDPR compliance as early as possible, preferably in the earliest starting phases of your company’s life. It is easier to design your company, products and services in a compliant way – before you really start collecting personal data – than to adapt later.
  • Inform yourself about the main roles outlined in the GDPR (for example the definitions and identities of a ‘controller’ and a ‘processor’ of data), and be aware of the corresponding GDPR responsibilities. Think about the role your company plays in collecting and further processing personal data of customers, users, employees, business contacts, etc. Be aware that your company may fulfill different roles indifferent data processing activities.
  • Be aware of the data-processing activities that your company carries out, and the measures you have taken to protect personal data. If asked, you need to be able to explain what is happening and which measures you have taken. You are accountable for ensuring up-to-date GDPR compliance.


The 13th edition of the Blue Tulip Awards for new innovative concepts and solutions in the Dutch market will take place on April 17, 2020. Have you signed up for the Blue Tulip Awards? Are you interested in receiving legal guidance from Stibbe StartsUP? For further information, please go to our website or directly apply at

Disclaimer: This publication has been prepared by Stibbe for general information purposes only. The information herein does not constitute legal advice. Users of this publication should seek legal advice before applying it to specific situations.


Share this article on social media: 


View all frequently asked questions about the Innovation Awards Program


For questions regarding the Innovation Awards please contact us