Processing of personal data when performing client controls
Pursuant to the Anti-Money Laundering Act, we may have to carry out client controls of our clients and thereby process personal data such as names, personal identification and/or national insurance numbers, and addresses of the board, management and contact persons at the client, in addition to beneficial owners. We may also process special categories of personal data, such as criminal issues and political affiliation, about contact persons at the client and beneficial owners, in addition to their family members and colleagues.
BDO is the controller for the processing of this personal data. The legal basis for the processing is:
- GDPR Article 6 (1)(c) (legal obligation) and the Anti-Money Laundering Act
- GDPR Article 9 (2)(g) (substantial public interest) and the Anti-Money Laundering Act
BDO is obliged to retain documents used in connection with client control for at least five years after the client relationship has ended or a transaction has been carried out, ref. the Anti-Money Laundering Act section 30. The personal data shall be deleted within one year after the retention requirement ceases.
Pursuant to the Anti-Money Laundering Act, we are also obliged to report suspicions of money laundering and terror financing, and other criminal issues, to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim). The reports shall contain all our knowledge about the issue that has led to the reporting, including personal data about persons involved. Such reports are exempt from access for those involved.