Personal data processing and protection: comments and recommendations by the NBB
1. Introduction and processing purposes
The implementation of the Anti-Money Laundering Law requires the processing of personal data. This includes processing operations which are required to enable financial institutions to comply with their legal AML/CFT obligations, and processing operations performed pursuant to the European Regulation on transfers of funds and to national and international financial sanctions measures.
These processing operations are aimed in particular at implementing monitoring procedures adapted to the ML/FT risks throughout the business relationship, at assisting in monitoring, detecting and examining customer transactions involving sums likely to be derived from a criminal activity falling under the concept of money laundering or to participate in the financing of terrorism, or at detecting funds and economic resources subject to a freezing or sanction measure.
The data processed relate in particular to the identification and verification of the identity of the customer and, where applicable, his agents and beneficial owners, the operation of the account, financial transactions or products subscribed to. They also include the information referred to in Article 34, § 1 of the Anti-Money Laundering Law, which is necessary for implementing the customer acceptance policy, for fulfilling the ongoing due diligence obligations with regard to business relationships and transactions, and for complying with the specific enhanced due diligence obligations.
The specific conditions to be satisfied when processing these data are set out in Article 64 of the Anti-Money Laundering Law. In particular, it should be noted that these data may only be processed for the specific purposes for which they are collected and may under no circumstances be used for commercial purposes.
2. Derogation from common law
The rights of the persons whose personal data are held and processed for AML/CFT purposes are specified in Article 65 of the Anti-Money Laundering Law. This provision derogates from the general rules of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (usually referred to as the “General Data Protection Regulation” or “GDPR”), on the ground that the participation of financial institutions in AML/CFT is a public interest task and that the processing of these data is based on, and necessary for the fulfilment of, the legal obligations imposed on these financial institutions.
As regards the application of the general rules on personal data protection, please refer to the website of the Data Protection Authority and, in particular, to its recommendations in this area.
As regards the application of these rules in the specific context of AML/CFT, please refer to the comments on the processing of personal data by obliged entities set out on page 97 et seq. of the Explanatory Memorandum of the Amending Law of 20 July 2020 (see the page “Main reference documents”).
3. Internal policies and procedures
Financial institutions should ensure that their customer acceptance policies and their internal procedures are compatible with the applicable provisions of the GDPR, while also taking into account the special provisions laid down in this regard in Articles 64 and 65 of the Anti-Money Laundering Law.