Effective AML compliance is not possible without respecting data protection. The fight against money laundering and terrorist financing is recognised as an important public interest (Recital 42 of the 4th AML Directive). Insofar as the processing of sensitive data is necessary for the fulfilment of due diligence obligations under money laundering law, the exception in Art. 9(2)(g) GDPR therefore applies, so that sensitive data may also be processed.

Anyone who processes personal data in the context of money laundering compliance is responsible for complying with all the principles listed in Art. 5(1) GDPR and must also be able to demonstrate compliance with them (so-called accountability).

The AMLA contains a number of explicit permissions and special regulations.

In particular, the following must be observed and implemented:

  • Inclusion of AML processes in the register of processing activities (VVT)
  • Checking and documenting the correct legal basis
  • Adaptation of the data protection information
  • Data protection impact assessment (DSFA) in relation to processing PEP status, origin of assets, tax data, criminal convictions and adverse media checks
  • Information, deletion and rectification processes in compliance with the tipping-off prohibition
  • Agreements with processors (outsourcing due diligence, CDD, KYC checks etc.)
  • Internal regulations in the case of centralisation within the group (no group privilege)
  • Examination of third country transfers
  • Deletion concept in compliance with AMLA documentation requirements (data minimisation and storage limitation)
  • Adaptation of the technical and organisational measures (TOMs)

Dr. Niklas Auffermann