Source: OJ L 150, 9.6.2023, pp. 1–39Current language: EN
- Anti-money laundering
Basic legislative acts
- Transfer of funds regulation (TFR)
Article 25 Data protection
Summary What does Article 25 of the Transfer of funds regulation (TFR) say?
This article establishes the data protection framework that sits alongside the regulation's core obligations.
It anchors the entire regulation to the EU's existing data protection rules — primarily GDPR (Regulation (EU) 2016/679) — and makes clear that personal data collected under this regulation can only be used for AML/CFT purposes, with commercial use of that data explicitly prohibited.
The article also places transparency obligations on payment service providers and crypto-asset service providers toward their clients, and addresses the specific challenge of cross-border data transfers in the context of crypto-asset transactions, tasking both the European Data Protection Board and EBA with issuing relevant guidelines.
Important points:
- Process personal data collected under this regulation solely for the prevention of money laundering and terrorist financing — using it for commercial purposes is prohibited.
- Provide new clients with the required data protection information before establishing a business relationship or carrying out an occasional transaction, in a concise, transparent, intelligible and easily accessible form.
- The European Data Protection Board is required to issue guidelines on data protection requirements for transfers of personal data to third countries in the context of crypto-asset transfers, and EBA is required to issue guidelines on procedures for handling transfers where those requirements cannot be met.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The processing of personal data under this Regulation is subject to Regulation (EU) 2016/679. Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725.
Personal data shall be processed by payment service providers and crypto-asset service providers on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.
Payment service providers and crypto-asset service providers shall provide new clients with the information required pursuant to Article 13 of Regulation (EU) 2016/679 before establishing a business relationship or carrying out an occasional transaction. That information shall be provided in a concise, transparent, intelligible and easily accessible form in accordance with Article 12 of Regulation (EU) 2016/679 and shall, in particular, include a general notice concerning the legal obligations of payment service providers and crypto-asset service providers under this Regulation when processing personal data for the purposes of the prevention of money laundering and terrorist financing.
Payment service providers and crypto-asset service providers shall ensure at all times that the transmission of any personal data on the parties involved in a transfer of funds or a transfer of crypto-assets is conducted in accordance with Regulation (EU) 2016/679.
The European Data Protection Board shall, after consulting EBA, issue guidelines on the practical implementation of data protection requirements for transfers of personal data to third countries in the context of transfers of crypto-assets. EBA shall issue guidelines on suitable procedures for determining whether to execute, reject, return or suspend a transfer of crypto-assets in situations where compliance with data protection requirements for the transfer of personal data to third countries cannot be ensured.
Relevant recitals
Recital 19 Personal data processing requirements and intra-group data transfers
The processing of personal data under this Regulation should take place in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council(17). Further processing of personal data for commercial purposes should be strictly prohibited. The fight against money laundering and terrorist financing is recognised as an important public interest ground by all Member States. In applying this Regulation, the transfer of personal data to a third country is required to be carried out in accordance with Chapter V of Regulation (EU) 2016/679. It is important that payment service providers and crypto-asset service providers operating in multiple jurisdictions with branches or subsidiaries located outside the Union should not be prevented from transferring data about suspicious transactions within the same organisation, provided that they apply adequate safeguards. In addition, the crypto-asset service providers of the originator and of the beneficiary, the payment service providers of the payer and of the payee and the intermediary payment service providers and intermediary crypto-asset service providers should have in place appropriate technical and organisational measures to protect personal data against accidental loss, alteration, or unauthorised disclosure or access.
Recital 34 Data protection assessment for crypto-asset transfers to non-Union providers
Crypto-assets exist in a borderless virtual reality and can be transferred to any crypto-asset service provider, whether or not that provider is registered in a jurisdiction. Many non-Union jurisdictions have in place rules relating to data protection and its enforcement that differ from those in the Union. When transferring crypto-assets on behalf of a client to a crypto-asset service provider that is not registered in the Union, the crypto-asset service provider of the originator should assess the ability of the crypto-asset service provider of the beneficiary to receive and retain the information required under this Regulation in compliance with Regulation (EU) 2016/679, using, where appropriate, the options available in Chapter V of Regulation (EU) 2016/679. The European Data Protection Board should, after consulting EBA, issue guidelines on the practical implementation of data protection requirements for transfers of personal data to third countries in the context of transfers of crypto-assets. Situations might occur where personal data cannot be sent because the requirements of Regulation (EU) 2016/679 cannot be fulfilled. EBA should issue guidelines on suitable procedures for determining whether the transfer of crypto-assets should be executed, rejected or suspended in such cases.
Recital 63 Fundamental rights and data protection compliance
This Regulation is subject to Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 of the European Parliament and of the Council(23). It respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the right to respect for private and family life (Article 7), the right to the protection of personal data (Article 8), the right to an effective remedy and to a fair trial (Article 47) and the principle of ne bis in idem.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
intermediary crypto-asset service provider
Definition
crypto-asset services
Definition
funds
Definition
originator
Definition
electronic money
Definition
crypto-asset account
Definition
crypto-asset
Definition
payment service provider
Definition
payment account
Definition
transfer of funds
- a credit transfer as defined in Article 4, point (24), of Directive (EU) 2015/2366;
- a direct debit as defined in Article 4, point (23), of Directive (EU) 2015/2366;
- a money remittance as defined in Article 4, point (22), of Directive (EU) 2015/2366, whether national or cross-border;
- a transfer carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics;
Definition
intermediary payment service provider
Definition
crypto-asset
Definition
DLT
Definition
terrorist financing
Definition
distributed ledger technology
Definition
beneficiary
Definition
crypto-asset service provider
Definition
transfer of crypto-assets
Definition
distributed ledger address
Definition
payee
Definition
third country
Definition
business relationship
Definition
payer
Definition
money laundering
Footnote 23
Footnote 17