Source: OJ L, 2024/1624, 19.6.2024

Article 76 Processing of personal data

Summary: What does Article 76 of the Anti-money laundering regulation (AMLR) say?

This article sits at the intersection of AML obligations and data protection, setting out the conditions under which obliged entities are permitted to process sensitive personal data — specifically special categories of data under GDPR (such as health or biometric data) and data relating to criminal convictions and offences — in the context of their AML/CFT duties.

It establishes a clear purpose limitation, prohibiting the use of such data for commercial purposes, and notably addresses the use of automated decision-making and AI systems, requiring human oversight and a right for customers to obtain an explanation and challenge decisions made about them.

Important points:

  • Process sensitive personal data and criminal conviction data only for AML/CFT purposes, not for commercial use, and only where strict safeguards are in place including customer notification, data accuracy, non-discrimination, and high-level security measures.
  • When processing data on criminal matters, maintain procedures that distinguish between allegations, investigations, proceedings, and convictions, in keeping with the presumption of innocence.
  • Automated or AI-driven decisions affecting a customer relationship must be limited to data collected under Chapter III, be subject to meaningful human intervention, and allow the customer to obtain an explanation and challenge the outcome.

Springlex's summary of the article is a reading aid, not a substitute for the legal text, which follows.

    1. To the extent that it is strictly necessary for the purposes of preventing money laundering and terrorist financing, obliged entities may process special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679 and personal data relating to criminal convictions and offences referred to in Article 10 of that Regulation subject to the safeguards provided for in paragraphs 2 and 3 of this Article.

    2. Obliged entities shall be able to process personal data covered by Article 9 of Regulation (EU) 2016/679 provided that:

      (a) they inform their customers or prospective customers that such categories of data may be processed for the purpose of complying with the requirements of this Regulation;

      (b) the data originate from reliable sources, are accurate and up-to-date;

      (c) they do not take decisions that would lead to biased and discriminatory outcomes on the basis of those data;

      (d) they adopt measures of a high level of security in accordance with Article 32 of Regulation (EU) 2016/679, in particular in terms of confidentiality.

    3. Obliged entities shall be able to process personal data covered by Article 10 of Regulation (EU) 2016/679 provided that they comply with the conditions laid down in paragraph 2 of this Article and that:

      (a) such personal data relate to money laundering, its predicate offences or terrorist financing;

      (b) the obliged entities have procedures in place that allow the distinction, in the processing of such data, between allegations, investigations, proceedings and convictions, taking into account the fundamental right to a fair trial, the right of defence and the presumption of innocence.

    4. Personal data shall be processed by obliged entities on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.

    5. Obliged entities may adopt decisions resulting from automated processes, including profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679, or from processes involving AI systems as defined in Article 3, point (1), of Regulation (EU) 2024/xxx of the European Parliament and of the Council(45), provided that:

      (a) the data processed by such systems is limited to data obtained pursuant to Chapter III of this Regulation;

      (b) any decision to enter or refuse to enter into or maintain a business relationship with a customer or to carry out or refuse to carry out an occasional transaction for a customer, or to increase or decrease the extent of the customer due diligence measures applied pursuant to Article 20 of this Regulation, is subject to meaningful human intervention to ensure the accuracy and appropriateness of such a decision; and

      (c) the customer may obtain an explanation of the decision reached by the obliged entity, and may challenge that decision, except in relation to a report as referred to in Article 69 of this Regulation.

Crafted with ❤️ by Springflod