Article 32 of Law 10/2010, of 28 April 2010, on the prevention of money laundering and the financing of terrorism, refers to the Law on the Protection of Personal Data (LOPD) in the following points:
- The processing of personal data and files, whether automated or not, created to carry out the provisions of this Law shall be subject to the provisions of the LOPD and its implementing regulations, and should comply with the high-level security measures of the LOPD.
- The processing of personal data will be exempt from the obligations to inform and to obtain consent required under the LOPD; nor is consent required for the transfer of such data to the competent authority in the fight against money laundering or terrorist financing.
- The rules contained in the LOPD relating to the exercise of rights of access, rectification, cancellation and opposition will not be applicable to the processing of personal data and files. In the event that an applicant attempts to exercise these rights, the obligors will be limited to the provisions of Article 32 of the Law.
In addition to the above, where the data concerns persons with public responsibility, the following must be taken into account:
- Obligated parties will be able to create files that contain identification details of persons with public responsibility, even when they do not have a business relationship with them.
- To this effect, obligated parties will be able to gather available information concerning persons with public responsibility without obtaining their consent, even if such information is not available from publicly accessible sources.
- The data contained in the files will only be used to comply with the reinforced due diligence measures provided by the Law.
- Those that create these files cannot use the data for any other purpose.
- Obligated parties will not be required to inform the affected party concerning the inclusion of their data in the files.
- In all cases, the obligated parties must subject the files to the high-level security measures of the LOPD.
Chapter II of the Law on Money Laundering deals with the due diligence measures (normal, simplified and strengthened) that obligated parties must adopt, including both formal and real identification requirements for the person who directly or indirectly owns capital that could be laundered.
These identification and investigation measures should be contained in a manual or written protocol, in order to train employees, and will vary according to the risk and the type of client, business relationship, product or transaction.
However, with respect to the security level of the file, it must be taken into account that Art. 81.8 of the RLOPD refers to the possibility of segregating data within the same file under different security measures: "…when files or data processing based on their specific purpose or use, or by the nature of the data that they contain, exist in an information system and require the application of different security levels from the main system, they will be segregated. In each case, the appropriate security level measure will be applied as long as they can be distinguished from the affected data and users with access to the files and this is stated in the security document."
In conclusion, it is not enough to know the rules on the protection of personal data in Spain; one must also know and apply the specific characteristics established by each of the sectoral rules.
This article should not be considered legal advice.