On 29 December 2021, the summary of Opinion 12/2021 of the European Data Protection Supervisor (EDPS) on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals was published in the Official Journal of the European Union.
In a nutshell, the EDPS welcomes the objectives pursued by the AML/CFT legislative package while emphasizing that the package needs further specifications and clarifications for ensuring compliance with the principles of necessity and proportionality and enhancing legal certainty for obliged entities on their duties.
In particular, the EDPS highlights that the AML/CFT legislative package should specifically identify the personal data categories to be processed by the obliged entities for fulfilling the AML/CFT obligations, and it should better describe the conditions and limits for the processing of special personal data categories.
To what concerns the beneficial ownership registers, the EDPS considers that access to such registers should be limited to competent authorities who are in charge of enforcing the law and to obliged entities when taking customer due diligence measures, thus recommending the legislator to assess the necessity and proportionality of the general access to such registers and, on the basis of this assessment, if considered appropriate, to lay down a specific legal framework in this regard, distinct from the one related to access by competent authorities.
Moreover, in order to encourage the adoption of codes of conduct and certifications to be adhered to by providers of databases and watch lists used for AML/CTF purposes, the EDPS invites the legislator to include in the legislative package a reference to codes of conduct under Article 40 of the GDPR and to certifications under Article 42 of the GDPR, to be developed taking into account the specific needs in this sector.