Conflicting regimes – when GDPR meets the Anti-Money Laundering Act in fintech operations

2 mins read • Legal Writer • GDPR • 10 June 2025

Fintech companies that handle large volumes of personal data in their operations, for example in know-your-customer (KYC) processes and transaction monitoring, can benefit from support from a data protection and compliance lawyer. This is because a legal tension arises between two mandatory regimes: GDPR, which requires that personal data is not retained longer than necessary, and the Anti-Money Laundering Act, which in some cases requires customer data to be retained for at least five years and sometimes even longer after the business relationship has ended.

These opposing requirements are particularly acute for fintech companies that automate their data processing and rely on external providers for data storage. As a rule, anti-money laundering legislation takes precedence where there is a statutory duty to retain data, as a lex specialis in relation to GDPR. This also means that the data must be retained even if the data subject objects and requests erasure.

How supervisory authorities handle conflicting requirements

The Data Protection Agency and the Financial Supervisory Authority have different mandates but engage with many of the same actors. During supervision, it is crucial that companies clearly document their lawful basis for processing personal data and maintain internal procedures to manage these conflicting requirements. Even though it may sound straightforward to say that the Anti-Money Laundering Act’s retention obligations prevail over GDPR’s erasure requirements, interpretative difficulties continually arise. It is therefore important to have documentation in place demonstrating the rationale adopted when a particular process was implemented.

Practical recommendations for fintech companies

  • Specify retention periods for each purpose in the privacy notice.
  • Document and justify any derogations from the GDPR storage limitation principle.
  • Ensure internal procedures reflect both GDPR and the Anti-Money Laundering Act.
  • Distinguish between archiving and active processing or use of personal data.

At Morling Consulting, our data protection and compliance lawyers help fintech companies navigate the boundary between GDPR and the requirements applicable to financially regulated businesses across Europe.