The General Data Protection Regulation (GDPR) has applied since May 25, 2018, and is designed to protect the personal data of individuals in the EU (EU citizens and residents). GDPR limits the ways in which companies may collect, process, use, and store the personal data of those individuals. Any company, irrespective of where it is established, that processes such data in connection with offering goods or services to, or monitoring the behaviour of, people in the EU must comply with GDPR. Fines for non-compliance can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
What is the issue?
At first glance, GDPR might seem to conflict with AML regulations, most notably in Article 17 of GDPR, which sets out the right to erasure (the "right to be forgotten"). It appears that EU citizens and residents should be able to request the erasure of all their personal data, including AML-related data. However, under the AML Directives (AMLD) and local AML laws, the company must retain customer due diligence records and transaction data for at least five years after the end of the business relationship.
What is the solution?
Article 6(1)(c) of GDPR makes processing lawful where it is necessary for compliance with a legal obligation to which the controller is subject, which is exactly the case for AML record-keeping. Article 6(1)(f) additionally covers processing necessary for the controller's "legitimate interests" (here, delivering AML compliance). Together these give data controllers, and the data processors acting on their behalf, the legal ground to collect and process the data required by AML regulations.
Article 17(3)(b) resolves the apparent conflict directly: the right to erasure does not apply to the extent that processing is necessary to comply with a legal obligation under EU or Member State law. In other words, the statutory retention requirement takes precedence over the right to be forgotten.
Therefore, a customer may request the erasure of all their data except for the data collected for AML-related purposes. The customer will be able to exercise the right to erasure over AML-related data only once the mandatory retention period has expired, i.e. five years after the termination of the business relationship, or longer where national law extends the AML retention period.
Here at ZeroTolerance, we can assist you with aligning your Data Protection Policies and your AML Policies and Procedures with GDPR and CCPA requirements. Should you need our assistance or require more information, please contact us at firstname.lastname@example.org