Source: OJ L, 2024/1624, 19.6.2024

Current language: EN

Article 76 Processing of personal data

    1. To the extent that it is strictly necessary for the purposes of preventing money launderingmeans the conduct set out in Article 3, paragraphs 1 and 5, of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances; and terrorist financingmeans the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances;, obliged entities may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679 and personal data relating to criminal convictions and offences referred to in Article 10 of that Regulation subject to the safeguards provided for in paragraphs 2 and 3 of this Article.

    1. Obliged entities shall be able to process personal data covered by Article 9 of Regulation (EU) 2016/679 provided that:

      1. they inform their customers or prospective customers that such categories of data may be processed for the purpose of complying with the requirements of this Regulation;

      2. the data originate from reliable sources, are accurate and up-to-date;

      3. they do not take decisions that would lead to biased and discriminatory outcomes on the basis of those data;

      4. they adopt measures of a high level of security in accordance with Article 32 of Regulation (EU) 2016/679, in particular in terms of confidentiality.

    1. Obliged entities shall be able to process personal data covered by Article 10 of Regulation (EU) 2016/679 provided that they comply with the conditions laid down in paragraph 2 of this Article and that:

      1. such personal data relate to money launderingmeans the conduct set out in Article 3, paragraphs 1 and 5, of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances;, its predicate offences or terrorist financingmeans the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances;;

      2. the obliged entities have procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defence and the presumption of innocence.

    1. Personal data shall be processed by obliged entities on the basis of this Regulation only for the purposes of the prevention of money launderingmeans the conduct set out in Article 3, paragraphs 1 and 5, of Directive (EU) 2018/1673 including aiding and abetting, inciting and attempting to commit that conduct, whether the activities which generated the property to be laundered were carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances; and terrorist financingmeans the conduct set out in Article 11 of Directive (EU) 2017/541 including aiding and abetting, inciting and attempting to commit that conduct, whether carried out on the territory of a Member State or on that of a third country; knowledge, intent or purpose required as an element of that conduct may be inferred from objective factual circumstances; and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.

    1. Obliged entities may adopt decisions resulting from automated processes, including profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679, or from processes involving AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/xxx of the European Parliament and of the Council(45)Regulation (EU) 2024/xxx of the European Parliament and of the Council of xxx laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Not yet published in the Official Journal)., provided that:

      1. the data processed by such systems is limited to data obtained pursuant to Chapter III of this Regulation;

      2. any decision to enter or refuse to enter into or maintain a business relationshipmeans a business, professional or commercial relationship connected with the professional activities of an obliged entity, which is set up between an obliged entity and a customer, including in the absence of a written contract and which is expected to have, at the time when the contact is established, or which subsequently acquires, an element of repetition or duration; with a customer or to carry out or refuse to carry out an occasional transaction for a customer, or to increase or decrease the extent of the customer due diligence measures applied pursuant to Article 20 of this Regulation, is subject to meaningful human intervention to ensure the accuracy and appropriateness of such a decision; and

      3. the customer may obtain an explanation of the decision reached by the obliged entity, and may challenge that decision, except in relation to a report as referred to in Article 69 of this Regulation.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod