The key and most far-reaching changes in recent years have undoubtedly been the introduction of the General Data Protection Regulation (GDPR), as well as the introduction, strengthening and expansion of rules and regulations relating to the prevention and suppression of money laundering and terrorist financing (commonly referred to as Anti-Money Laundering laws and regulations, or "AML").
The General Data Protection Regulation (GDPR) is designed to protect the data privacy of EU citizens. Every company that legally processes the data of EU citizens, regardless of where that company is located, must comply with GDPR policies. The fines for non-compliance are significant: they can reach up to €20 million or up to 4% of the company's annual sales (whichever is greater).
So Where Does the Clash Occur?
One of the main pillars of GDPR is the right of EU citizens to have their data erased from the data processor's systems forever. By way of example, if an EU citizen, whose data you have legally collected as they were doing business with you, instructs you that they no longer wish for you to be retaining their data, you need to be in a position to erase all such data from your systems (including any backups, mailing lists, marketing lists, etc).
On the other side of the equation, AML regulations state that when you investigate suspicious activity, you must save and keep such data and transactions for five years or again be faced with fines due to non-compliance.
The question which a lot of clients raise is exactly this: which of the two sets of regulations do I follow so that I am in compliance with both and don't get fined?
Articles 6 and 17 of GDPR
Fortunately, although it might not be immediately clear, GDPR has provided for such eventualities and has included language that protects both data controllers and data processors.
Article 6 provides the legal basis for data controllers to collect the data of EU citizens, which is to comply with AML regulations. Secondly, it provides the legal basis for data processors to process the data to support "legitimate interests", namely, to detect suspicious activity so you can be compliant with the AML regulations.
Thereafter, Article 17 clarified things even further by indicating that legal requirements take precedence over the right to erasure. As such, if a regulation requires you to retain the data, as AML regulations do, the right to erasure does not take effect until the legal retention period set by the AML regulation has ended.
Although no Court Decision has been issued as of yet on this matter, relevant guidance can be obtained from recent decisions issued by the Office of the Commissioner of Data Protection:
- In a decision published in June 2019, the Commissioner found that the controller was regulated by AML national legislation, which requires the retention of data for at least five years to ensure that regulators, companies, and customers have access to key business records regarding financial transactions. As such, it was deemed that there was no violation as the processing was lawful under the provision Art 17(1)(b) GDPR providing that "the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
- In a decision published in October 2019, the Commissioner found that, pursuant to the applicable national social insurance and tax law, the controller was required to keep records of all expenses including salaries. In order to comply with this obligation, the controller was obliged to keep the complainant's passport information, employment contract and salary information. Moreover, according to the national law on statute of limitations, the controller was allowed to keep the complainant's dismissal records for a period of six years after the dismissal as the complainant could appeal the decision of the controller to the relevant court. As such, there was no breach in refusing to delete the data of the person from the data controller's system.
Originally Published by , November 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.