AMLD and the GDPR

Many AMLD obligations raise questions about the storage of collected data. What may and what may not be stored, and what must be stored according to the various regulations? According to the GDPR, personal data must be deleted, but according to the AMLD you must create a file and keep data. Which legislation should be followed? And if data must be stored and recorded, what is the retention period? This blog answers these frequently asked questions.

According to the AMLD, certain institutions are obliged to carry out a customer due diligence and to record the client data. An example of this is making a copy of an ID card, but other client data must also be recorded. Because there is a legal obligation for the institution, this recording is not in conflict with the GDPR. In principle, personal data may be processed if (and insofar as) this is required by law. The obligations under the AMLD thus provide both a purpose ("compliance with the AMLD") and a legal basis for the processing of personal data in the context of the AMLD.

Retention period

Under the AMLD, this data must be kept for five years. The same applies to data related to unusual transactions. Article 34a of the AMLD contains further provisions on data protection.

  • Personal data, collected on the basis of this Act, will only be processed by an institution for the purpose of preventing money laundering and terrorist financing. The personal data may not be further processed for commercial purposes or other purposes that are not compatible with the purpose of the AMLD.
  • Before entering into a business relationship or conducting an incidental transaction, an institution provides information to a client about the obligations applicable under this Act with regard to the processing of personal data with a view to preventing money laundering and terrorist financing.
  • An institution will destroy the personal data it has obtained on the basis of this Act immediately after the expiry of the period referred to in Article 33, third paragraph, and 34, unless otherwise provided by law.

This means that the persons whose data are registered must be informed of this, as well as of the purpose of the processing. In addition, these persons must be informed of their right of inspection and right of correction, and must be given the opportunity to exercise those rights.

In exceptional cases, different rules apply under the AMLD and the GDPR, for example for data that the person subject to the AMLD has reported when reporting an 'unusual' transaction.

General Data Protection Regulation (GDPR)

The GDPR is about the lawful handling of personal data. The main provisions of the GDPR can be summarized as follows:

  • Conformity with the law

Personal data may only be processed in accordance with the law. For the data subject (that is the person whose personal data are processed) it must be clear and transparent how and why the personal data are processed.

  • Justified purpose

Personal data may only be collected for a legitimate purpose. That goal must be well-defined and explicitly described in advance. The purpose for which an organization will process the personal data must be compatible with the purpose for which the personal data were collected.

  • Notify

Does an organization or person process personal data? In that case, the person whose personal data are processed must in any case be aware of the identity of the organization or person that processes these personal data (the so-called controller). The purpose of the data processing must also be clear to the person whose personal data are processed.

  • As little as possible

When organizations process personal data, they must take "as little as possible" as their starting point. This means, among other things, that the data processed must be limited to what fits the purpose for which they are processed.

  • Correct and current data

The controller must ensure that the data is accurate and, if necessary, updated.

  • Security

Data processing must be appropriately secured. Extra strict rules apply to special categories of data, such as data about race, health and religion.