410U.K.The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.
411U.K.In regulation 3(1) (interpretation), at the appropriate places insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;
““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.
412U.K.In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a)the Data Protection Act 2018 or any other enactment, or
(b)the GDPR.”
413U.K.In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—
(a)the Data Protection Act 2018 or any other enactment, or
(b)the GDPR.”
414U.K.For regulation 40(9)(c) (record keeping) substitute—
“(c)“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
(d)“personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”
415(1)Regulation 41 (data protection) is amended as follows.U.K.
(2)Omit paragraph (2).
(3)In paragraph (3)(a), after “Regulations” insert “ or the GDPR ”.
(4)Omit paragraphs (4) and (5).
(5)After those paragraphs insert—
“(6)Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—
(a)for the purposes of preventing money laundering or terrorist financing, or
(b)as permitted under paragraph (3).
(7)In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.
(8)In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).
(9)In this regulation—
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);
“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”
416(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.U.K.
(2)In paragraph (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)For paragraph (11) substitute—
“(11)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
417(1)Regulation 85 (publication: the Commissioners) is amended as follows.U.K.
(2)In paragraph (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.
(3)For paragraph (10) substitute—
“(10)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”
418U.K.For regulation 106(a) (general restrictions) substitute—
“(a)a disclosure in contravention of the data protection legislation; or”.
419U.K.After paragraph 27 of Schedule 3 (relevant offences) insert—
“27AAn offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”