The Agency for the Protection of Personal Data (AZLP), which actively monitors the application of the Law on the Protection of Personal Data, has analyzed the frequency of submitted requests and petitions relating to the period of storage of personal data of data subjects who are customers (natural persons) with whom the financial institutions determined by the Law on Prevention of Money Laundering and Financing of Terrorism establish a business relationship or carry out occasional transactions, and reports the following:
Article 9 of the Law on the Protection of Personal Data (LAPD), which establishes the principles related to the processing of personal data, determines, among other things, that personal data is stored in a form that allows the identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Article 10 of the LAPD determines, among other things, that the processing of personal data is lawful if the processing is necessary to fulfill a legal obligation of the controller.
Article 51 of the Law on Prevention of Money Laundering and Financing of Terrorism stipulates, among other things, that entities (financial institutions) are obliged to provide copies of documents, i.e. electronic records of data secured by the use of means of electronic identification issued within the framework of a registered scheme for electronic identification in accordance with the law, with which they determine and verify, i.e. identify and authenticate, the identity of the client, the authorizer and the true owner, for the procedures carried out for the analysis of the client or the true owner and for the transactions carried out or attempted, as well as the client file and business correspondence, and to keep them for ten years in electronic or paper form after the transaction, counted from the last transaction.
Based on this legal framework, AZLP reports that the processing of personal data by storing it in the manner stated above for the period of ten years constitutes lawful processing of personal data, carried out for the purpose of fulfilling the obligations of financial institutions, as controllers of personal data, provided in the Law on Prevention of Money Laundering and Financing of Terrorism.