GDPR in the AML practice
AML work is personal-data processing at industrial intensity: identity documents, beneficial owners, screening results, suspicion reports. The GDPR does not yield to the AMLR — the two apply together, and the friction points are precisely where offices get it wrong.
The requirements, article by article
The legal basis is the obligation
AML processing rests on legal obligation (GDPR Article 6(1)(c)), not consent. Clients cannot opt out of due diligence, so consent would be neither freely given nor withdrawable in any meaningful sense; asking for it misstates the relationship and leaves the processing without a valid basis the moment it is refused.
In Sceau — Records of processing name the AML legal bases per data category.
Access rights meet tipping-off
Data subjects can request their data under Article 15, but STR-related information is shielded: confirming or denying that a report exists would itself breach the tipping-off prohibition. The AML rules restrict the right of access for exactly this category, as GDPR Article 23 permits, and the restriction must be applied to that category only, not used to refuse the request wholesale.
In Sceau — DSR handling flags STR-adjacent data and tracks the one-month clock with the lawful carve-out documented.
Retention has two masters
AML law requires keeping due-diligence records and transaction evidence for five years from the end of the business relationship or the occasional transaction (Member State law can extend this); GDPR storage limitation (Article 5(1)(e)) forbids keeping them any longer than that purpose requires. Both are satisfied by a documented schedule that sets each record's retention period from its legal basis and deletes, or justifies holding, the record when that period runs out.
In Sceau — Retention schedules per record class drive review-due dates.
Breaches on a 72-hour clock
Personal-data breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware (Article 33), unless the breach is unlikely to result in a risk to individuals. That exception rarely applies to AML files: identity documents, beneficial-ownership data and screening results are high-sensitivity by nature, and where the risk is high the affected individuals must be informed as well (Article 34).
In Sceau — Breach records compute the notify-by deadline from detection.
This page is a plain-language orientation, not legal advice. Article numbering follows the instrument as published in the Official Journal; where implementing technical standards are still in draft, we say so. The legal text always prevails.
See it running against your own files
A 30-minute demo walks your real obligations through the platform — classification, screening, evidence, filing.