Anti-Money Laundering Law of 18 September 2017 - Articles 60 to 65
Obliged entities shall keep, using any type of record-keeping system, for the purposes of the prevention, detection or investigation of potential money laundering and terrorist financing by CTIF-CFI or other competent authorities, the following documents and information:
1° identification data referred to Sections 2 and 3 of Title 3, Chapter 1, where appropriate updated in accordance with Article 35, and a copy of the records or the result of checking an information source, referred to in Article 27, for a period of ten years after the end of the business relationship with their customer or after the date of an occasional transaction;
2° without prejudice to any other applicable document retention legislation, the records and registration data of transactions required to identify and precisely reconstitute the transactions conducted, for a period of ten years after carrying out the transaction;
3° the written report prepared in accordance with 45 and 46, in accordance with the methods described in 2°.
By way of derogation of the first subparagraph, the retention period of ten years shall be reduced to seven years in 2017 and respectively eight and nine years in 2018 and 2019.
By way of derogation of Article 60, 1°, the obliged entities may substitute the retention of a copy of the records by the retention of references of these records, provided that the references, due to their nature and their retention methods, enable obliged entities to produce these documents immediately, upon request of CTIF-CFI or other competent authorities during the retention period laid down in the same Article, and without that these documents could have been changed altered in the meantime.
The obliged entities who intend to use the derogation referred to in the first subparagraph shall specify beforehand in their internal control procedures, the categories of records of which they retain references instead of a copy, as well as the methods of retrieving these documents through which they can be produced upon request, in accordance with the first subparagraph.
§ 1. Without prejudice to any other applicable legislation, obliged entities are obliged to delete personal data at the end of the retention period referred to in Article 60.
§ 2. With respect to the retention of documents and information, referred to in Article 60, first subparagraph, regarding the business relationships ended or transactions concluded up to 5 years prior to the date of entry into force of this Law, the retention period of these documents and information shall be seven years.
Obliged entities have systems enabling them fully respond, within the period of time laid down in Article 48 via secure and confidential channels, in order to ensure complete confidentiality, to requests for information from CTIF-CFI in accordance with Article 81, from the judicial authorities or supervisory authorities referred to in Article 85, within the scope of their respective powers, to determine whether the entities involved maintain or, in the ten years prior to this request, have maintained a business relationship with a specific person, as well as, where appropriate, to questions on the nature of this relationship.
§ 1. The processing of personal data in pursuant to this Law is subject to the provisions of the Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data and to the provisions of the European regulations that are directly applicable. This personal data processing is necessary to carry out a task in the public interest within the meaning of Article 5 of the same Law.
§ 2. Obliged entities only process personal data in accordance with this Law for ML/TF prevention purposes and do not subsequently process this data in a way that is incompatible with these purposes.
The processing of personal data collected in accordance with this Law for any other purposes than those laid down in this Law, i.e. for commercial purposes, is prohibited.
§ 3. Obliged entities provide their customers with the required information in accordance with Article 9 of the aforementioned Law of 8 December 1992 prior to establishing a business relationship or to carrying out an occasional transaction.
This information particularly includes a general notification of the obligations of obliged entities pursuant to the aforementioned Law when processing personal data for money laundering and terrorist financing prevention purposes.
The person whose personal data are processed in accordance with this Law does not have the right to access and correct his or her data, nor the right to be forgotten, nor the right to portability of these data, nor the right to object, nor to the right not to be profiled, nor to the notification of security failures.
The right of the individual involved to access personal data relating to him is exercised indirectly, pursuant to Article 13 of the aforementioned Law of 8 December 1992, through the Commission for the Protection of Privacy established by Article 23 of the same Law.
The Commission for the Protection of Privacy only informs the applicant that the necessary verifications have been carried out and of the result of these verifications in terms of the legality of the processing in question. These data may be provided to the applicant when the Commission for the Protection of Privacy, by agreement with CTIF-CFI and after consulting the person responsible for the processing, finds on the one hand that the notification is not likely to reveal the existence of a disclosure referred to in Article 47 and 54, the action taken, or the use of CTIF-CFI’s right to request additional information in accordance with Article 81, nor likely to compromise the goal of combating ML/TF, and on the other hand finds that this data relates to the applicant and is held by obliged entities, CTIF-CFI or supervisory authorities in accordance with this Law.