IP - 07121-1/2020/1869
|IP - 07121-1/2020/1869|
|Relevant Law:||Article 6(1)(c) GDPR|
|National Case Number/Name:||07121-1/2020/1869|
|European Case Law Identifier:||n/a|
|Original Source:||Informacijski pooblaščenec (in SL)|
The Slovenian DPA (IP) held that a bank had the right to request from an individual more detailed information about their assets, if the individual had been flagged as a "politically exposed person" under the national anti-money laundering legislation. The bank's position was held to be in accordance with Article 6(1)(c) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
On October 9th, a complainant submitted a request to the Slovenian DPA (IP) to ask them whether the complainant was obliged to provide a bank with more accurate information about their assets. The bank had flagged the complainant as a politically exposed person, on the basis of Article 61 of the Act on Prevention of Money Laundering and Terrorist Financing (Slovenian Legislation, ZPPDFT-1). The complainant believed the bank's request was excessive and that there was no basis for processing the data related to his assets. Therefore, the complainant filed a complaint with the DPA.
Dispute[edit | edit source]
Whether a bank was within its right to request from a data subject who had been flagged as a "politically exposed person" additional information about the nature of their assets.
Holding[edit | edit source]
The Anti-Money Laundering and Terrorist Financing Act requires the collection of certain data from politically exposed persons. Article 61, ZPPDFT-1 defines as a politically exposed person any natural person who acts or has acted in a prominent public position in a Member State or a third country in the last year, including his immediate family members (among whom according to the fourth paragraph of the same the spouse or common-law partner, parents and children and their spouses or common-law partners) and close associates.
Having regard to this, the Act provides an appropriate legal basis for obtaining statutory personal data from individuals identified by banks as politically exposed persons and their immediate family members in accordance with Article 6(1)(c) GDPR. Article 6(1)(c) stipulates that processing is lawful when it is necessary for compliance with a legal obligation to which the controller is subject to. The DPA held that obtaining legally required information on the assets and origin of assets from an individual identified as a politically exposed person falls within the bank's scope of obligation, based on the Anti-Money Laundering Act. However, the DPA did note that even though the bank had the right to obtain the information in this instance, it would still have to provide the data subject with information on processing, in accordance with Article 13 of the GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
On 9 October 2020, the Information Commissioner (hereinafter: IP) received your request for an opinion stating that the bank with which you wished to provide financial services identified you as a politically exposed person on the basis of Article 61 of the Act on prevention of money laundering and terrorist financing (ZPPDFT-1), on which you have no comments, but you are surprised by the bank's request to provide accurate information about your assets (real estate, movable property, funds in cash accounts), and your partner and mother, whereby the bank justified the request for the provision of this information by referring to Article 61/6 of ZPPDFT-1. You believe that the bank's request is excessive and that there is no basis for processing data on your assets. You ask the IP for an opinion on whether the commercial bank's request On the basis of the information you have provided us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (hereinafter: the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter: ZVOP-1) and 2 According to Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter: ZInfP), we provide our non-binding opinion regarding your questions. The Anti-Money Laundering and Terrorist Financing Act requires the collection of certain data from politically exposed persons. In this part, this Act provides an appropriate legal basis for obtaining statutory personal data from individuals identified by banks as politically exposed persons and their immediate family members in accordance with Article 6, paragraph 1 (c) of the General Data Protection Regulation. . The condition for this is that the bank has established appropriate procedures and risk management systems (within which it performs a risk assessment, on the basis of which it obtains data from the individual). However, IP is not competent to assess the adequacy of these procedures and other aspects of the content of bank conditions, which the latter base on the requirements of ZPPDFT-1. This is being judged by other bodies. Justification: The Prevention of Money Laundering and Terrorist Financing Act (Official Gazette of the Republic of Slovenia, No. 68/16, hereinafter: ZPPDFT-1) determines measures, competent bodies and procedures for the detection and prevention of money laundering and terrorist financing and regulates inspection control over the implementation of its provisions . In the first paragraph of Article 61, the said law obliges banks (and other taxpayers) to establish an appropriate risk management system, which also includes a procedure for determining whether a party or its legal representative or proxy is a politically exposed person. The procedure based on the risk assessment referred to in Article 13 of ZPPDFT-1 shall be determined by the liable parties in their internal act, taking into account the guidelines of the competent supervisory body referred to in Article 139 of this Act. In the second paragraph of Article 61, ZPPDFT-1 defines as a politically exposed person any natural person who acts or has acted in a prominent public position in a Member State or a third country in the last year, including his immediate family members (among whom according to the fourth paragraph of the same the spouse or common-law partner, parents and children and their spouses or common-law partners) and close associates. submitted to the liable party by the client; if this information cannot be obtained in the manner described or if it is in accordance with the risk assessment of the business relationship, transaction, product, service or distribution channel, the taxpayer obtains it directly from the written statement of the customer. The Information Commissioner is not responsible for supervising and advising banks in setting up internal systems and procedures related to politically exposed persons, so we suggest that you seek an opinion on the adequacy of risk assessment procedures and systems and, consequently, the content of the bank's conditions. services for politically exposed persons, you should first contact the Office for the Prevention of Money Laundering and the Bank of Slovenia, which are responsible for guiding banks in the preparation of such internal systems, procedures and acts The lawful processing of personal data in accordance with point (c) of the first paragraph of Article 6 of the General Regulation is, inter alia, the processing necessary to fulfill the legal obligation applicable to the controller. Therefore, obtaining legally required information on the assets and origin of assets and assets that are the subject of a business relationship or transaction is permissible for an individual identified as a politically exposed person and his or her immediate family members, provided that the information is they are defined by the provision of the sixth paragraph of Article 61 of ZPPDFT-1. Namely, the mentioned provision of the law creates an appropriate legal basis for obtaining the stated personal data on the mentioned persons, assuming that the bank has established appropriate procedures and a risk management system - within which it then performs a risk assessment, on the basis of which it obtains data from the individual - which the IP is not competent to judge. In any case, when the controller (bank) obtains personal data from an individual on a legal basis, he is obliged to present to him certain information on processing and reasons for processing (including purposes and legal basis) in accordance with Article 13 of the General Regulation. . With satisfaction, Prepared by: Mojca Leitinger Okršlar, State Supervisor for Personal Data Protection Information Commissioner: Mojca Prelesnik, B.Sc. Information Commissioner