The AVG and the Wwft create administrative burdens for many organizations. What makes it all the more difficult is the apparent contradiction between the two laws. Whereas the Wwft (Money Laundering and Terrorist Financing Prevention Act) calls for data on various individuals to be recorded, the AVG (the Dutch name for the General Data Protection Regulation) stipulates that as little personal data as possible must be recorded. So which law takes precedence? What may or may not be recorded?
The goals of the AVG are to protect personal data within the EU and to ensure the free movement of personal data within the EU. To that end, the AVG requires "data controllers", among other things, to record only the data that is necessary, and only to the extent that they have a legitimate purpose and a legal basis for doing so. Personal data may be retained only for as long as necessary for the purpose for which it is processed. Sharing personal data with others is likewise allowed only if strictly necessary and if the required safeguards are in place (e.g. concluding a processing agreement with each processor). In addition, the data subject (the person to whom the personal data relates) must be informed about the processing of their personal data.
The Wwft, as its name says, aims to prevent money laundering and the financing of terrorism. To this end, it requires banks, financial institutions and numerous other parties, among other things, to conduct customer due diligence, to report unusual transactions to the Financial Intelligence Unit (FIU), and to record all kinds of information. Those parties must also assess the risks of money laundering and terrorist financing. Depending on the money laundering or terrorist financing risk posed by a business relationship or transaction, they must conduct simplified or enhanced customer due diligence. The documents and data used in this process must be recorded, both for the "beneficial owner" (the natural person who owns or controls the client legal entity, or the natural person on whose behalf a transaction or activity is carried out) and for the other natural persons involved. For natural persons other than beneficial owners, the name, date of birth, address and certain identity document details must be recorded. For beneficial owners, the identity (at least first and last name) and the information and documents reasonably gathered to verify that identity must be recorded. Various records must also be kept on unusual transactions.
The data and documents must be kept for five years from the time the business relationship ends or the transaction in question is completed. In principle, the data must be deleted after that period. Recorded documents and data must be retrievable: institutions must have systems in place that allow them to respond quickly and completely to FIU inquiries.
Specifically on data protection, the Wwft stipulates that data processed under the Wwft may only be processed for the purpose of "prevention of money laundering and financing of terrorism" (and not, for example, for commercial purposes). Before entering into a business relationship or transaction, an institution must inform the client about the obligations that apply under the Wwft to the processing of personal data.
A general principle of law is that specific legislation takes precedence over general legislation. The AVG contains a general regime for the processing of personal data. The AVG explicitly accommodates the (more specific) Wwft: one of the legal bases for processing personal data is the "necessity of the processing to comply with a legal obligation incumbent on the controller". In short, this means that, in principle, personal data may be processed if (and to the extent that) this is required by law. The obligations under the Wwft thus provide both a purpose ("complying with the Wwft") and a legal basis for processing personal data under the Wwft.
The Wwft generally dovetails well with the AVG. Both the Wwft and the AVG provide that, in principle, the data obtained may only be processed to the extent necessary. It follows from the Wwft that this necessity exists for five years. In practical terms, it is advisable to split a client file, or to set it up in such a way that the part to which the Wwft applies can be retained or deleted separately from the other information. The two laws are also in line with each other in terms of information duties: the information duty under the Wwft complements the information duties under the AVG. The alignment of the Wwft and the AVG does not alter the fact that all AVG obligations apply to the data processing operations carried out in the context of the Wwft (think of listing the "Wwft personal data processing operations" in the register of processing activities), unless explicitly stipulated otherwise.
Incidentally, one might wonder whether the Wwft could not be considered privacy-unfriendly in a more general sense. After all, personal data of the individuals involved is kept, possibly without them ever having done anything wrong. However, that question goes beyond the scope of this article.
The experience of red tape may be difficult to eliminate, but the combination of the Wwft and the AVG need not be unclear. Retaining personal data in order to comply with the Wwft is compatible with the AVG, provided that personal data is processed only to the extent, and for as long as, the Wwft requires. The Wwft provides the legal basis; it is up to businesses to implement it.
Do you have questions about the AVG, its interface with the Wwft, and how to deal with it in practice? Then follow the course "Wwft and AVG: the area of tension and compliance in practice".