Processing of Personal Data by Obliged Entities
In the digital age, the processing of personal data has become a crucial aspect of various business operations. Particularly for "obliged entities" under anti-money laundering (AML) laws, it is essential to understand the nuances and legal requirements associated with personal data processing.
The processing of personal data by obliged entities is governed by stringent laws to ensure the balance between crime prevention and data protection. The 4th AMLD emphasizes compliance with the General Data Protection Regulation (GDPR) and the Data Protection Regulation for EU institutions. Similarly, the German GwG, particularly § 11a, outlines clear guidelines for how obliged entities should handle personal data.
Key Provisions and their impact:
- Purpose Limitation: Personal data can only be processed for the specific purpose of preventing money laundering and terrorist financing. Any processing beyond these confines, such as for commercial purposes, is strictly prohibited.
- Client Information Requirements: Obliged entities are required to inform new clients about their data processing activities, ensuring transparency.
- Restrictions on Data Access: There are legislative measures in place that may restrict data subjects’ access to their personal data, which is necessary to ensure the effectiveness of AML investigations.
Obliged entities must adopt robust data processing systems and protocols to comply with these regulations. This involves not only ensuring the lawful collection and use of personal data but also implementing adequate security measures to protect such data. Entities must also stay informed about any changes in AML and data protection laws to remain compliant.
The processing of personal data by obliged entities is a critical element in the fight against money laundering and terrorist financing. By adhering to the outlined legal frameworks, such as the German GwG and the EU Directive, these entities play a pivotal role in maintaining financial integrity and protecting individual data rights. Understanding and complying with these regulations is not just a legal obligation but also a contribution to a more secure financial system.
Article 41 of the 4th AMLD (Directive (EU) 2015/849) addresses the processing of personal data in the context of preventing money laundering and terrorist financing.
It states that the processing of personal data under this Directive must comply with the European Union Regulations (EU) 2016/679 and (EU) 2018/1725. These regulations are key legislative frameworks for data protection within the EU, commonly known as the General Data Protection Regulation (GDPR) and the Data Protection Regulation for EU institutions, respectively.
Obliged entities can process personal data only for the purposes of preventing money laundering and terrorist financing. Any further processing of personal data in a manner that is incompatible with these purposes, especially for commercial purposes, is prohibited.
This part requires obliged entities to provide new clients with specific information, as required by Article 10 of Directive 95/46/EC, before establishing a business relationship or executing an occasional transaction. This information includes a general notice about the legal obligations of obliged entities to process personal data for preventing money laundering and terrorist financing, as referred to in Article 1 of this Directive.
It deals with the application of the prohibition of disclosure.
Member States are required to adopt legislative measures that may restrict a data subject’s right of access to personal data.
Such restrictions should be necessary and proportionate measures in a democratic society, taking into account the legitimate interests of the person concerned. The restrictions aim to:
- Allow obliged entities or competent national authorities to properly fulfill their tasks for the Directive’s purposes.
- Prevent interference with official or legal inquiries, analyses, investigations, or procedures related to this Directive, ensuring that the prevention, investigation, and detection of money laundering and terrorist financing are not jeopardized.
Section 11a of the German GwG deals with the processing of personal data by obliged entities.
It outlines the conditions under which personal data can be processed for the purposes of preventing money laundering and terrorist financing.
Obliged entities may process personal data only as necessary for preventing money laundering and terrorist financing, as per the provisions of this Act.
It states that if an obliged entity transmits personal data for these purposes to the competent supervisory authorities, to entities and individuals used by the supervisory authorities, or to the central office for financial transaction investigations, the obligations to inform the data subject under Article 13(3) of Regulation (EU) 2016/679 and the data subject's right of access under Article 15 of the same Regulation do not apply.
This subsection extends to third parties used by an obliged entity to fulfill the general due diligence obligations.
- Directive (EU) 2015/849 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L0849
- Directive (EU) 2018/843 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843
- German Anti-Money Laundering Act (Geldwäschegesetz – GwG) https://www.bafin.de/SharedDocs/Downloads/EN/Aufsichtsrecht/dl_gwg_en.html
- BaFin-Interpretation and Application Guidance on the German Money Laundering Act (October 2021) https://www.bafin.de/SharedDocs/Downloads/EN/Auslegungsentscheidung/dl_ae_auas_gw2021_en.html