
GDPR and AML: what can go wrong?

How GDPR and Anti-Money Laundering (AML/KYC) regulations intersect: reconciling data minimization with AML obligations.

The intersection of GDPR and Anti-Money Laundering (AML) regulations creates unique compliance challenges for organizations. AML obligations require collecting and retaining extensive personal data, which must be reconciled with core GDPR principles such as data minimization, purpose limitation, and storage limitation.

Here is the complete recorded presentation for the talk “GDPR & AML: what can go wrong”:

The intersection is becoming even more complex with the EU Anti-Money Laundering Authority (AMLA) becoming operational in 2026: this new centralized supervisor will impose additional harmonized data collection and retention requirements that organizations must reconcile with their existing GDPR obligations. Organizations subject to both AML and GDPR requirements should ensure they have a clear legal basis for processing, typically a legal obligation under Article 6(1)(c) GDPR. The legitimate interest basis may also apply to certain fraud-prevention activities. For a step-by-step approach to meeting both sets of requirements, see our GDPR compliance checklist.

FAQ

Does GDPR apply to AML (Anti-Money Laundering) processing?

Yes, but with tension. AML obligations require retaining transaction and identity data for 5-10 years under the EU AML Directives. The GDPR storage limitation principle still applies, but the AML legal obligation (Art. 6(1)(c) GDPR) removes the need for consent and provides the lawful basis for this retention.

Can AML screening results be shared with other entities?

Only under strict conditions. Sharing between group entities for consolidated AML monitoring may be permissible under legitimate interests, but it requires a documented transfer mechanism. Sharing with third parties that are not themselves obligated entities requires a separate legal basis.

What data subject rights can be restricted for AML purposes?

Article 23 GDPR permits restricting data subject rights (access, erasure, notification of a breach) where necessary to prevent tipping off under AML law. A subject access request from a person who is the subject of a suspicious transaction investigation can be lawfully refused if disclosure would prejudice the investigation.

What retention period applies to AML records under GDPR?

The EU AML Directives require 5-year retention, and some member states extend this to 10 years. This legal obligation provides the basis for the retention under GDPR Art. 6(1)(c). At the end of the retention period, the data must be deleted in line with the storage limitation principle.

Automate your GDPR compliance

Save 340+ hours per year on compliance work. Legiscope provides AI-powered GDPR management trusted by compliance professionals.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Panthéon-Assas University (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-powered automated GDPR compliance platform.