Sceau

Regulations · Regulation explained

GDPR in the AML practice

AML work is personal-data processing at industrial intensity: identity documents, beneficial owners, screening results, suspicion reports. The GDPR does not yield to the AMLR — the two apply together, and the friction points are precisely where offices get it wrong.

InstrumentRegulation (EU) 2016/679; AMLR arts. 76–79 (processing for AML purposes)
Applies fromIn force since 25 May 2018
Who is coveredEvery office processing personal data — which is every obliged entity, for every client file

The requirements, article by article

Art. 6(1)(c)

The legal basis is the obligation

AML processing rests on legal obligation — not consent. Clients cannot opt out of due diligence, and asking them to consent misstates the relationship.

In Sceau — Records of processing name the AML legal bases per data category.

Arts. 12–15

Access rights meet tipping-off

Data subjects can request their data — but STR-related information is shielded: confirming a report would violate the disclosure prohibition.

In Sceau — DSR handling flags STR-adjacent data and tracks the one-month clock with the lawful carve-out documented.

Art. 5(1)(e)

Retention has two masters

AML law requires keeping records for five years; GDPR forbids keeping them longer than necessary. Both are satisfied by scheduled, documented deletion.

In Sceau — Retention schedules per record class drive review-due dates.

Arts. 33–34

Breaches on a 72-hour clock

Personal-data breaches must be notified to the authority within 72 hours where risk exists — AML files are high-sensitivity by nature.

In Sceau — Breach records compute the notify-by deadline from detection.

§
A honest note

This page is a plain-language orientation, not legal advice. Article numbering follows the instrument as published in the Official Journal; where implementing technical standards are still in draft, we say so. The legal text always prevails.

See it running against your own files

A 30-minute demo walks your real obligations through the platform — classification, screening, evidence, filing.

Book a demo