How does GDPR interact with AML record-keeping?
The GDPR (Regulation (EU) 2016/679) recognises AML obligations as a lawful basis for processing personal data (Art. 6(1)(c) — legal obligation). Retention beyond the AML statutory period is generally unlawful absent another legal basis. Subject access requests are limited where disclosure would prejudice an SMR / SAR or financial-crime investigation. Many EU member states have specific AML carve-outs from data-subject rights. The same logic applies under the UK GDPR and the Australian Privacy Act 1988 (which has its own AML carve-out in APP 6.2(b)).