Source: OJ L, 2024/1620, 19.6.2024

Current language: EN

Article 98 Data protection

Summary What does Article 98 of the Anti-money laundering authority regulation (AMLAR) say?

This article addresses how the Authority handles personal data protection in the context of its AML/CFT work.

It establishes the legal basis for the Authority's processing of personal data, frames its cooperation obligations with data protection bodies when issuing guidance, and carves out a limited power to restrict data subject rights where necessary for its supervisory tasks.

The article sits at the intersection of this regulation and the EU's data protection framework, explicitly cross-referencing Regulation (EU) 2018/1725 and Regulation (EU) 2016/679 to anchor the Authority's data processing activities within the broader legal order.

Important points:

  • The Authority's processing of personal data for ML/TF prevention purposes is legally grounded as a public interest task under both Regulation (EU) 2018/1725 and Regulation (EU) 2016/679.
  • When drafting guidelines and recommendations with a significant impact on personal data protection, the Authority is required to closely cooperate with the European Data Protection Board and, after Commission authorisation, consult the European Data Protection Supervisor.
  • The Authority is permitted to adopt internal rules restricting data subject rights, but only where such restrictions are necessary for the performance of its AML/CFT supervisory tasks.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The processing of personal data on the basis of this Regulation for the purposes of ML/TF prevention as referred to in Article 70 of Directive (EU) 2024/1640 and Article 76 of Regulation (EU) 2024/1624 shall be considered necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority under Article 5 of Regulation (EU) 2018/1725 and Article 6 of Regulation (EU) 2016/679.

    2. When drafting guidelines and recommendations in accordance with Article 54, having a significant impact on the protection of personal data, the Authority shall closely cooperate with the European Data Protection Board established by Regulation (EU) 2016/679 to avoid duplication, inconsistencies and legal uncertainty in the sphere of data protection. After being authorised by the Commission, the Authority shall also consult the European Data Protection Supervisor established by Regulation (EU) 2018/1725. The Authority may also invite national data protection authorities as observers in the process of drafting such guidelines and recommendations.

    1. In accordance with Article 25 of Regulation (EU) 2018/1725, the Authority shall be permitted to adopt internal rules which restrict the application of the rights of data subjects where such restrictions are necessary to the performance of the tasks referred in Article 70 of Directive (EU) 2024/1640 and Article 76 of Regulation (EU) 2024/1624.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod