Is the European Commission’s proposed AML legislative package in line with the GDPR?

On July 22nd, 2021, the European Commission released a package of legislative proposals, which aims to increase the effectiveness of anti-money laundering and countering the financing of terrorism (AML/CFT). The rules consist of:

  • a Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing;
  • a Proposal for a Directive of the European Parliament and of the Council on the mechanisms for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and repealing Directive (EU) 2015/849;
  • a Proposal for a Regulation of the European Parliament and of the Council establishing the European Authority for Countering Money Laundering and Financing of Terrorism, amending Regulations (EU) No 1093/2010, (EU) 1094/2010 and (EU) 1095/2010; and
  • a Proposal for a Regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets.

On 22 September 2021, the EDPS published his Opinion on the European Commission’s proposed Anti-Money Laundering legislative package (AML).

One of the main rights of GDPR is the minimization of personal data. On the other side of the equation, AML regulations state that when a financial institution investigates suspicious activity, it must save and keep personal data and transactions or face fines for non-compliance. The processing of personal data, meanwhile, is often crucial in financial institutions’ AML activities.

The EDPS welcomes the AML package for its risk-based approach, harmonization of the framework, enhanced supervision and its aim to fight money laundering and the financing of terrorism effectively. However, to ensure compliance with the GDPR requirements, the EDPS considers that further clarifications and changes are needed.

1. Identification of personal data categories

One of the main aspects the EDPS highlights is the need for the AML legislative package to identify the categories of personal data that shall be processed to fulfill AML/CFT obligations.

2. Special categories of personal data

The EDPS recommends that the particular types of special categories of personal data and the specific purposes of processing should be specified. In particular, the processing of personal data related to sexual orientation and ethnic origin should not be allowed.

3. CDD vs KYC

The EDPS recommends establishing a clear differentiation between the Client due diligence (CDD) and Know Your Customer (KYC) processes. The KYC process requires information used for offering financial services and products according to the clients’ profile, while CDD needs identification information, “watch lists”. This means that the cases in which obliged entities should have recourse to collect such data should be specified. Additionally, there should be clear differences between the amount and type of data gathered and the number of sources to be consulted for the CDD process of a regular customer compared to the CDD performed on a politically exposed person (PEP).

4. Politically exposed persons

Considering that the level of risk differs for each particular category of politically exposed persons, their family members and persons known to be close associates, the EDPS proposes that AML shall issue specific guidelines on the criteria for the persons falling under each of the mentioned categories.

5. Administrative sanctions and measures

The next EDPS recommendation focuses on individuals who are at risk of having their identity and personal data published in cases of administrative sanctions and measures. The EDPS proposes including the risks to the protection of the personal data of the persons mentioned among the criteria for consideration by the competent authority. The best course of action would be to establish clear criteria for non-publication, and to allow the use of alternative measures, such as publication of personal data, only when these reasons cease to exist.


The EDPS remarks on the AML/CFT legislative package are an indicator for financial institutions to review their internal personal data processing in AML/CFT activities by answering the following questions:

  • whether the company has sufficiently separated the purposes for personal data processing, specified categories of personal data and the legal basis for processing; also, whether the company processes personal data for an undefined purpose;
  • whether the company processes special categories of personal data and has assessed the specifics of processing such data;
  • whether the processing of personal data in KYC and CDD processes is differentiated;
  • whether the company ensures proper management of access to personal data.

If your company needs any assistance with this matter, do not hesitate to contact the experts of ECOVIS ProventusLaw for more information or advice.
