Source: OJ L 150, 9.6.2023, pp. 1–39

Current language: EN

Article 25 Data protection


Summary What does Article 25 of the Transfer of funds regulation (TFR) say?

This article establishes the data protection framework that sits alongside the regulation's core obligations.

It anchors the entire regulation to the EU's existing data protection rules — primarily GDPR (Regulation (EU) 2016/679) — and makes clear that personal data collected under this regulation can only be used for AML/CFT purposes, with commercial use of that data explicitly prohibited.

The article also places transparency obligations on payment service providers and crypto-asset service providers toward their clients, and addresses the specific challenge of cross-border data transfers in the context of crypto-asset transactions, tasking both the European Data Protection Board and EBA with issuing relevant guidelines.

Important points:

  • Process personal data collected under this regulation solely for the prevention of money laundering and terrorist financing — using it for commercial purposes is prohibited.
  • Provide new clients with the required data protection information before establishing a business relationship or carrying out an occasional transaction, in a concise, transparent, intelligible and easily accessible form.
  • The European Data Protection Board is required to issue guidelines on data protection requirements for transfers of personal data to third countries in the context of crypto-asset transfers, and EBA is required to issue guidelines on procedures for handling transfers where those requirements cannot be met.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The processing of personal data under this Regulation is subject to Regulation (EU) 2016/679. Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725.

    1. Personal data shall be processed by payment service providers and crypto-asset service providers on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.

    1. Payment service providers and crypto-asset service providers shall provide new clients with the information required pursuant to Article 13 of Regulation (EU) 2016/679 before establishing a business relationship or carrying out an occasional transaction. That information shall be provided in a concise, transparent, intelligible and easily accessible form in accordance with Article 12 of Regulation (EU) 2016/679 and shall, in particular, include a general notice concerning the legal obligations of payment service providers and crypto-asset service providers under this Regulation when processing personal data for the purposes of the prevention of money laundering and terrorist financing.

    1. Payment service providers and crypto-asset service providers shall ensure at all times that the transmission of any personal data on the parties involved in a transfer of funds or a transfer of crypto-assets is conducted in accordance with Regulation (EU) 2016/679.

    2. The European Data Protection Board shall, after consulting EBA, issue guidelines on the practical implementation of data protection requirements for transfers of personal data to third countries in the context of transfers of crypto-assets. EBA shall issue guidelines on suitable procedures for determining whether to execute, reject, return or suspend a transfer of crypto-assets in situations where compliance with data protection requirements for the transfer of personal data to third countries cannot be ensured.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod