Article 76 AMLR – Processing of personal data
1. To the extent that it is strictly necessary for the purposes of preventing money laundering and terrorist financing, obliged entities may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679 and personal data relating to criminal convictions and offences referred to in Article 10 of that Regulation subject to the safeguards provided for in paragraphs 2 and 3 of this Article.
2. Obliged entities shall be able to process personal data covered by Article 9 of Regulation (EU) 2016/679 provided that:
| (a) | they inform their customers or prospective customers that such categories of data may be processed for the purpose of complying with the requirements of this Regulation; |
| (b) | the data originate from reliable sources, are accurate and up-to-date; |
| (c) | they do not take decisions that would lead to biased and discriminatory outcomes on the basis of those data; |
| (d) | they adopt measures of a high level of security in accordance with Article 32 of Regulation (EU) 2016/679, in particular in terms of confidentiality. |
3. Obliged entities shall be able to process personal data covered by Article 10 of Regulation (EU) 2016/679 provided that they comply with the conditions laid down in paragraph 2 of this Article and that:
| (a) | such personal data relate to money laundering, its predicate offences or terrorist financing; |
| (b) | the obliged entities have procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defence and the presumption of innocence. |
4. Personal data shall be processed by obliged entities on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.
5. Obliged entities may adopt decisions resulting from automated processes, including profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679, or from processes involving AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/xxx of the European Parliament and of the Council (45), provided that:
| (a) | the data processed by such systems is limited to data obtained pursuant to Chapter III of this Regulation; |
| (b) | any decision to enter or refuse to enter into or maintain a business relationship with a customer or to carry out or refuse to carry out an occasional transaction for a customer, or to increase or decrease the extent of the customer due diligence measures applied pursuant to Article 20 of this Regulation, is subject to meaningful human intervention to ensure the accuracy and appropriateness of such a decision; and |
| (c) | the customer may obtain an explanation of the decision reached by the obliged entity, and may challenge that decision, except in relation to a report as referred to in Article 69 of this Regulation. |