Is your personal data processed by FIU-Netherlands and do you have the right to access this?
Do you want to know whether FIU-the Netherlands has personal data about you and whether you can access it?
The answers to these questions can be found in articles of the General Data Protection Regulation, in the associated directives, and in the Police Data Act (Dutch acronym: Wpg) and Decree. But the bottom line is that you are not allowed to access this data with us. How is that?
All unusual transactions reported to us remain in our database for five years, as required by the Money Laundering and Terrorist Financing (Prevention) Act (Dutch acronym: Wwft). To give an impression of the size of this database, in 2022 we received over 1.8 million unusual transactions (UTRs). It is determined by law that the UTR-information we have, i.e. the unusual transactions and the associated personal data, fall under the classification State Secret – Secret, see Article 5 of the Government Information Security Decree – Special Information. Only authorized FIU employees have access to this information. Therefore, if a person asks us for access to his or her personal data, we are not allowed to provide it. After all, the information is state secret.
Unusual transactions are analyzed by FIU-the Netherlands to establish whether there are sufficient grounds to designate them suspicious. These transactions declared suspicious (STRs) may then be shared with the relevant intelligence, security and investigation services, such as the police and the fiscal intelligence and investigation service (Dutch acronym: FIOD). This is allowed since STRs are legally subject to the Wpg.
-
Based on the Money Laundering and Terrorist Financing (Prevention) Act (Wwft), reporting entities are under an obligation to report any unusual transaction, whether completed or intended. If you fail to do so, you are in breach of the Wwft. If, whether intentionally or unintentionally, you do not meet the obligation to report, you commit an economic crime that has certain consequences. Further information on failure to report an unusual transaction can be found on the page Obligation to report.
-
The GDPR requires that any processing of personal data must occur on a valid basis, such as a legal basis. The Wwft is a valid legal basis of this kind. As an entity with an obligation to report, you process the personal data of customers, representatives, and ultimate beneficiaries, among others. This means that, within the framework of the Wwft, you are required to process personal data for the purpose of carrying out checks on your customers.
’Know Your Customer’ checks as required by the Wwft must be carried out in accordance with the provisions of Chapter 2 of the Wwft. Among other things, this means that the identity of the customer (e.g., a buyer) and, if applicable, of the ultimate beneficiary, must be established and recorded. On the basis of the Wwft, this data must be retained for five years after the transaction or the termination of the business relationship. The same holds for data relating to unusual transactions.
-
Indicators of unusual transactions are listed in the 2018 Implementation Decree for the Money Laundering and Terrorist Financing (Prevention) Act (Wwft) (Uitvoeringsbesluit Wwft 2018 [in Dutch]). These indicators differ per reporting entity. The page on reporting groups gives an overview of the various indicators per reporting group. If in your view a transaction meets one or more of the indicators that apply to your reporting group, you must report that transaction to FIU-the Netherlands.
If you have questions about how to interpret a given indicator, you can ask your Wwft supervisory authority. This page shows which supervisory authority is responsible for your reporting group. This division of roles is addressed in more detail in the FAQ “What is the role of the Wwft supervisory authorities in relation to FIU Netherlands?’’.