The decision of the Data Protection Commissioner of Hessen (Germany), published on the EDPB site, shows that record keeping for AML/CFT purposes is allowed under the GDPR. The financial services provider, IQ Option Europe Ltd (‘the Company’), has a legal basis for processing the complainant's personal data and has to remove or erase the personal data after the retention period has expired. However, the Company had to correct its compliance with the GDPR: it did not inform the complainant of the legal grounds obliging the Company to maintain the personal data. Following the complaint, the Company has taken additional measures:
- Review of procedures to ensure that the data minimisation principle is adequately applied.
- Additional training sessions for staff and instructions on how to reply to future requests from clients of the Company.
The decision shows that financial services providers have to pay attention to data protection principles.