Collection of personal data
PwC Legal is legally obliged to obtain and process personal data about clients, their ultimate beneficial owners and the client representatives under the Anti-Money Laundering / Terrorist Financing Act (the AML/CTF Act) of 18 September 2017.
The collection of personal data for these purposes is necessary to carry out a task in the public interest within the meaning of applicable privacy and data protection legislation.
Use of personal data
Personal data obtained in the context of AML/CTF is processed by a compliance team using a compliance tool that serves as a record-keeping system designed for the purposes of the prevention, detection or investigation of potential money laundering and terrorist financing. In line with our legal obligations, our processing activities shall allow applying:
- Appropriate Client Due Diligence (CDD) measures for new and existing clients, their ultimate beneficial owners and the client representatives
- A Risk Based Approach (RBA) as the cornerstone of a data driven PwC Legal AML/CTF framework
PwC Legal will not process personal data obtained in a way that is incompatible with the AML/CTF purposes without consent from individuals to do so.
Personal data will be retained by the compliance tool in line with the data retention period foreseen by the Act. Once the legally obliged retention period elapses the data will be erased from our systems.
The Act foresees in transitory measures to facilitate the increase of the retention period from 5 years to 10 years:
- For client relationships ended from 2012 to 2017, data will be kept for 7 years.
- For client relationships ended during 2018, data will be kept for 8 years.
- For client relationships ended during 2019, data will be kept for 9 years.
- For client relationships ended as from 2020, data will be kept for 10 years.
Rights of individuals
As explicitly foreseen in article 65 of the Act, individuals whose personal data are processed in accordance with this Act do not have the right to access and correct his or her data, nor the right to be forgotten, nor the right to portability of these data, nor the right to object, nor to the right not to be profiled, nor to the notification of security failures.
In accordance with the Act, the rights of the individual can be exercised indirectly through the Belgian Data Protection Authority.