Source: OJ L, 2024/1640, 19.6.2024
Article 70 Processing of certain categories of personal data
Summary
What does Article 70 of the Sixth anti-money laundering (AML 6) directive say?
This article addresses the conditions under which competent authorities — including FIUs, supervisory authorities, and law enforcement bodies — may process sensitive personal data, specifically special categories of data (such as health or biometric data under GDPR) and data relating to criminal convictions and offences.
It sits alongside the broader data protection framework of the regulation and carves out a permissible basis for this processing, provided a set of specific internal safeguards is met.
The article extends these same requirements to Union institutions, bodies, offices, and agencies when they process equivalent categories of data for the purposes of this Directive.
Important points:
- Competent authorities are permitted to process special categories of personal data and criminal conviction data only to the extent necessary for the purposes of this Directive, and only with specific safeguards in place.
- Processing must be carried out on a case-by-case basis, exclusively by staff who have been specifically designated and authorised, and those staff must maintain high professional standards of confidentiality, integrity, and skill, including in handling big data sets.
- Technical and organisational measures ensuring data security to high technological standards are required, and these same safeguards apply equally to Union institutions, bodies, offices, and agencies.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
1. To the extent that it is necessary for the purposes of this Directive, competent authorities may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679 and personal data relating to criminal convictions and offences referred to in Article 10 of that Regulation subject to appropriate safeguards for the rights and freedoms of the data subject, in addition to the following safeguards:
(a) processing of such data shall be performed only on a case-by-case basis by the staff of each competent authority that have been specifically designated and authorised to perform those tasks;
(b) staff of the competent authorities shall maintain high professional standards of confidentiality and data protection, they shall be of high integrity and are appropriately skilled, including in relation to the ethical handling of big data sets;
(c) technical and organisational measures shall be in place to ensure the security of the data to high technological standards.
2. The safeguards referred to in paragraph 1 of this Article shall also apply to the processing for the purposes of this Directive of special categories of data referred to in Article 10(1) of Regulation (EU) 2018/1725 and personal data relating to criminal convictions and offences referred to in Article 11 of that Regulation by Union institutions, bodies, offices or agencies.
Springlex: This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
competent authority
- a Financial Intelligence Unit (FIU);
- a supervisory authority;
- a public authority that has the function of investigating or prosecuting money laundering, its predicate offences or terrorist financing, or that has the function of tracing, seizing or freezing and confiscating criminal assets;
- a public authority with designated responsibilities for combating money laundering or terrorist financing;