GDPR
The EU General Data Protection Regulation - the global benchmark for personal-data protection, materially shaping how AML, KYC and surveillance systems handle data.
What it does
GDPR (Regulation (EU) 2016/679) protects natural persons with regard to the processing of their personal data and the free movement of such data within the EU. In compliance terms, it sets the constitutional perimeter inside which AML, KYC, sanctions screening, market-abuse surveillance and on-chain forensics all operate.
Key concepts for compliance teams
- Lawful basis - AML processing typically rests on legal obligation (Article 6(1)(c)) and, for sensitive categories, the substantial-public-interest derogation.
- Data minimisation - collect only what the AML rules require.
- Retention - AML records typically must be kept 5 years post-relationship; longer retention requires specific justification.
- Rights - access, rectification, erasure (limited where AML retention applies), portability.
- International transfers - standard contractual clauses (SCCs), adequacy decisions, transfer impact assessments (TIAs).
Where AML and GDPR collide
The classic flashpoints: tipping-off rules (an AML duty) vs. subject access requests (a GDPR right); SAR/STOR retention vs. the right to erasure; sanctions screening vs. proportionality; sharing data within a banking group vs. purpose limitation. EDPB Guidelines 04/2020 on personal data and AML offer the canonical reading.
Penalties
Up to €20m or 4% of global annual turnover, whichever is higher. Recent multi-hundred-million-euro fines (Meta, Amazon) have set a clear "upper-range" precedent for systemic non-compliance.