Information accompanying transfers of funds
Opinion of the European Data Protection Supervisor on a proposal for a Regulation of the European Parliament and of the Council on information on the payer
accompanying transfers of funds.
On 5 February 2013, the Commission adopted two proposals: this proposal for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds and the parallel proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing. The proposals were sent to the EDPS for consultation on 12 February 2013.
The EDPS underlines that the legitimate aim of achieving transparency of payments sources, funds deposits and transfers for purpose of countering terrorism and money laundering has to be pursued while ensuring compliance with data protection requirements.
The following issues should be addressed in both proposals:
· an explicit reference to applicable EU data protection law should be inserted in a substantive and dedicated provision, mentioning in particular Directive 95/46/EC and the national laws implementing Directive 95/46/EC, and Regulation (EC) No 45/2001;
· a definition of ‘competent authorities’ and ‘financial intelligence units (FIUs)’ should be added in the proposed Directive;
· it should be clarified that the legal ground for the processing would be the necessity to comply with a legal obligation by the obliged entities, competent authorities and FIUs;
· it should be recalled that the sole purpose of the processing must be the prevention of money laundering and terrorist financing, and that data must not be further processed for incompatible purposes;
· the specific prohibition to process data for commercial purposes should be laid down in a substantive provision;
· a dedicated recital should be added to clarify that the fight against tax evasion is only inserted as predicate offences;
· substantive provisions on the transfers of personal data should be introduced which provide for an appropriate legal basis for the intra-group/PSP to PSP transfers that would respect the text and interpretation of Directive 95/46/EC; the proportionality of requiring the mass transfer of personal and sensitive information to foreign countries for the purpose of fighting AML/TF should be re-assessed
· an evaluation of alternative and less intrusive options to the general publication obligation should be undertaken and, in any case, specification in the proposed Directive the purpose of such a publication as well as the personal data that should be published;
· a substantive provision should be added that sets forth a maximum data retention period that must be respected by Member States.
In respect of the proposed Regulation, the EDPS further recommends to:
· refrain from using the national identity number as a reference without specific restrictions and/or safeguards, but to use the transaction number instead;
· recall the importance of respecting the principle of data accuracy in the context of AML procedures;
· add a provision stating that ‘the information should only be accessible to designated persons or classes of persons’;
· add a provision regarding the respect of confidentiality and data protection obligations by employees dealing with personal information on the payer and the payee;
· clarify that no other external authorities or parties that have no interest in combating money laundering or terrorist financing should access the data stored;
· specify to which authority the breaches of the Regulation will be reported and by requiring that appropriate technical and organisational measures are implemented to protect data against accidental or unlawful destruction, accidental loss, alteration, or unlawful disclosure.