In 2018, new regulations came into force covering two crucial areas: personal data protection and counteracting money laundering and terrorism financing, both of which form part of an organization's compliance system. For businesses, compliance means structuring the organization by creating an appropriate organizational structure and implementing measures that minimize the risk of any irregularities occurring within the company*.
The approach taken by EU bodies in drafting regulations in these areas is consistent with the above definition. Neither the GDPR, which applies directly in member states, nor the Anti-Money Laundering and Terrorist Financing Act (AML Act), which implements EU directives, provides ready-made solutions for every company that could be arranged into a checklist and simply ticked off. This seems appropriate, as each type of business has different characteristics, and it is difficult to identify specific solutions that would suit both microenterprises and large joint-stock companies.
Instead, a risk-based approach has been adopted. Each entity required to comply with the regulations must identify the areas where there is a greater or lesser risk of money laundering, terrorist financing, or a personal data breach. The risk assessment should be proportionate to the scale and type of business. Mitigation measures, procedures, and other safeguards should then be implemented to minimize the identified risks and threats. On the one hand, this is cumbersome and creates a risk of implementing the regulations improperly, particularly for small businesses attempting to meet the requirements on their own. On the other hand, it makes it possible to create flexible and effective systems and procedures that respond to frequent changes in threats and in the methods of protecting against them, and to prioritize tasks and areas and allocate resources so that the greatest threats are addressed first.
Turning to the intersection of AML and GDPR, we outline several key issues and obligations of obligated institutions relating to personal data protection, based on some of the data processing principles listed in the GDPR. This article does not attempt a comprehensive discussion of all the principles and other issues (e.g., data subject rights) that arise when obligations under the AML Act are implemented in the context of personal data protection.
Many of the obligations of obligated institutions under the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing involve the processing of personal data. These include:
- identifying and verifying the identity of customers, authorized persons, and beneficial owners (Article 34, paragraphs 1 and 2 of the AML Act); for the proper application of security measures, obligated institutions may even copy the identity cards of customers and of persons authorized to act on their behalf (Article 34, paragraph 4 of the AML Act);
- processing all information that obligated institutions receive from whistleblowers (Article 53 of the AML Act);
- determining whether a customer or beneficial owner holds a politically exposed position (PEP).
If an obligated institution is required to maintain a Register of Personal Data Processing Activities (RCPD; Article 30 of the GDPR), it should identify the area of processing activities related to counteracting money laundering and terrorist financing and list the processes carried out within it. These may include, among others, the obligations indicated above.
Basis for data processing
One of the most important principles of data processing under the GDPR is the principle of lawfulness (compliance with the law). A controller may process personal data only on one of the grounds enumerated in Article 6 of the GDPR.
In the case of obligated institutions' activities under the AML Act, that ground is compliance with a legal obligation to which the controller is subject, i.e., the basis indicated in Article 6(1)(c) of the GDPR.
In practice, the controller implements this principle by recording the appropriate legal basis for the processing in the RCPD, which obligated institutions must (as a rule) maintain.
Moreover, the indicated basis for processing should be included in the information clause that obligated institutions provide to the customer, among others, before establishing a business relationship (Article 34, paragraph 5 of the AML Act).
Security
Another principle stemming from the GDPR is ensuring the confidentiality and integrity of personal data, which is nothing other than ensuring their security. Article 32 of the GDPR gives effect to the principle set out in Article 5(1)(f) and echoes the risk-based approach discussed above: security measures must be proportionate to the size, subject matter, and nature of the business, and appropriate to the risk. In the area of AML, the risk of data inaccuracy or leakage is high, so obligated institutions should exercise due diligence in securing their data. Examples of such measures include physical restrictions on access to data, restrictions on who may process data (authorization only to the extent necessary), and regular employee training.
Adequacy and purpose limitation
The next two principles are discussed together, as they are interrelated. Purpose limitation and adequacy of data processing are quite difficult to pin down in the AML context. On the one hand, obligated institutions are required to exercise the utmost diligence and take all necessary measures to meet statutory requirements. On the other hand, they should do so only to the extent necessary.
Practically speaking, almost any action by an obligated institution will be adequate and necessary to achieve its objective if it could contribute to a more effective risk analysis or better implementation of security measures. To demonstrate this adequacy, it is recommended to describe any questionable criterion in the risk analysis document.
Actions that do not comply with these principles are almost exclusively limited to the instrumental use of the AML Act to "extract" data and information from customers or authorized persons.
Storage time limitation
The GDPR provides that personal data may be stored only for the period necessary to achieve the purposes for which the data are processed (Article 5(1)(e)). Fortunately, the AML Act specifies for obligated institutions the exact period for which they must store the documents they collect: 5 years, counting from the first day of the year following the year in which the business relationship with the customer was terminated or in which occasional transactions were carried out (Article 49 of the AML Act). The retention period should be specified in the information clause and in the RCPD.
Interestingly, the retention rule for the General Inspector of Financial Information (GIFI) is slightly different. GIFI may store information for as long as it deems necessary, and need only review the need for further processing of the collected information every five years (Article 100 of the AML Act).
When implementing a personal data protection system within a company and fulfilling the obligations arising from anti-money laundering and counter-terrorism financing regulations, it is essential to adopt a risk-based approach. Each entity must properly identify threats and implement appropriate measures, bearing in mind the interplay between these two sets of regulations (GDPR and AML). In the event of an inspection, obligated institutions and entities processing personal data will be required to demonstrate due diligence in their actions.
This alert is for informational purposes only and does not constitute legal advice.
* B. Makowicz, Compliance in the enterprise, Warsaw 2011, pp. 16-17.