http://www.legislation.gov.uk/id/uksi/2017/692

PART 4Reliance and Record-keeping

Data Protection41.

(1)

Any personal data obtained by relevant persons for the purposes of these Regulations may only be processed for the purposes of preventing money laundering or terrorist financing.

F1(2)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3)

No other use may be made of personal data referred to in paragraph (1), unless—

(a)

use of the data is permitted by or under an enactment other than these Regulations F2or the F3UK GDPR; or

(b)

the relevant person has obtained the consent of the data subject to the proposed use of the data.

F4(4)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F4(5)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F5(6)

Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the F6UK GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—

(a)

for the purposes of preventing money laundering or terrorist financing, or

(b)

as permitted under paragraph (3).

(7)

In Article 6(1) of the F7UK GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.

(8)

In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the F8UK GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).

(9)

In this regulation—

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);

“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the F9UK GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).