Key Benefits:
The National Computer and Liberties Commission,
Entered by Groupama of an application for authorisation for an automated processing of personal data for the purpose of combating the Money laundering and the financing of terrorism;
Given the Council of Europe Convention No 108 for the protection of persons with regard to the automatic processing of personal data;
In view of Directive 95 /46/EC of the European Parliament and the Council of 24 October 1995 on the protection of persons
2005 /60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the system Financial for money laundering and terrorist financing;
In view of Commission Directive 2006 /70/EC of 1 August 2006 implementing measures for the implementation of Directive 2005 /60/EC of the European Parliament and of the Council in respect of Concerns the definition of " Politically exposed persons " And the technical conditions for the application of simplified customer due diligence obligations as well as the exemption on the basis of financial activity on a casual or very limited scale;
Seen monetary and financial code (CMF), including articles L. 561-1 to L. 562-11, L. 574-1, L. 574-2, R. 562-1, R. 562-2, R. 563-1 to R. 563-3 and R. 564-1;
Seen law n ° 78-17 of January 6, 1978 relating to computers, files and freedoms, as modified by Law n ° 2004-801 of 6 August 2004, in particular the 4 ° of the I and the II of Article 25;
Seen theOrder No. 2009-104 of 30 January 2009 on the prevention of the use of the financial system for the purpose of money laundering Capital and terrorist financing, ratified by Law No. 2009-526 of 12 May 2009 ;
Seen decree n ° 2005-1309 of 20 October 2005 for the application of Law n ° 78-17 of 6 January 1978 Relating to computers, files and freedoms, as amended by decree n ° 2007-451 of 25 March 2007 ;
Seen Decree n ° 2009-1087 of 2 September 2009 Vigilance and reporting obligations to prevent the use of the financial system for money laundering and terrorist financing;
Seen decree n ° 2012-1125 of October 3, 2012 Relating to the vigilance and reporting requirements for the prevention of the use of the financial system for the purpose of money laundering and the financing of terrorism modifying articles R. 561-12, R. 561-16 and R. 561-20 of the monetary and financial code ;
Due to the order of 2 September 2009 taken in application Of article R. 561-12 of the monetary and financial code and defining information elements related to the customer's knowledge and The business relationship for the purpose of assessing the risk of money laundering and terrorist financing;
In view of deliberation n ° 2005-297 of 1 December 2005 With single authorization of certain Processing of personal data implemented in financial institutions in the fight against money laundering and terrorist financing, as amended by the Defreeing n ° 2007-060 of April 25, 2007 and deliberation n ° 2011-180 of June 16, 2011 ;
Given the Application for authorisation filed by Groupama on behalf of the Groupama Group companies, relating to a Automated processing of personal data aimed at combating money laundering and the financing of terrorism;
On the proposal of Mr Jean-Paul AMOUDRY, Commissioner, and after hearing the observations By Mr. Jean-Alexandre SILVY, Commissioner of the Government,
Form the following comments:
On the controller:
Groupama Company.
On the Purpose:
Groupama submitted to the Commission a request for authorisation relating to the automated processing of personal data implemented by the various entities of the Groupama Group in order to comply with the legal obligations in respect of The fight against money laundering and the financing of terrorism and the freezing of assets.
Automated processing operations used by banks in the banking sector in the fight against money laundering and Terrorist financing, in particular, to detect transactions Financial, carried out by their customers, that are likely to be classified as money laundering or terrorist financing offences by the competent authorities and, as such, must, where appropriate after collecting information To send a statement to the national financial intelligence unit TRACFIN.
The identification of such transactions, to a large extent on the basis of criteria Integrated into the automated processing operations of the establishments concerned Lead them to wish, for reasons of prudence, to sever any contractual relationship with some of the clients who are the object of it. Such treatment may thus, by virtue of their scope, lead to the exclusion of persons from the benefit of a contract in the absence of any legal provision providing for the implementation of such an exclusion
Nature and purpose, leading to the exclusion of persons from the benefit of a right or contract in the absence of any legal or regulatory provisions providing for such exclusion. Accordingly, it falls within the scope of 4 ° of the I of Article 25 of the Act of 6 January 1978 amended in 2004 and, as such, must be authorized by the CNIL.
By its amending deliberation No. 2005-297 of 1 December 2005, the Committee has Authorized " Certain processing of personal data which are implemented in financial bodies in the fight against money laundering and the financing of terrorism ", provided that the purposes of such processing, Categories of data used and their recipients do not exceed the framework laid down by the single authorisation AU-003, that these treatments also meet the conditions laid down in this text and that the CNIL has received a commitment of conformity to AU-003.
Any automated processing project whose purposes or Categories of data or recipients exceed the scope of this single authorisation or which do not comply with the requirements laid down therein, must, on the other hand, be subject to a specific authorisation application presenting and explaining the Differences between the treatment envisaged and the single authorisation.
The analysis of the characteristics of the automated processing operations covered by this application for authorisation leads to the conclusion that the processing request is in conformity with the AU 003, with the exception of differences in data which, as such, are Submitted for review by the CNIL.
On processed data:
The following data are added to the list already provided for in UA 003:
-the end date of the business relationship or the closing of the account;
-the person's role;
-the date of death;
-the sex;
-the ID number.
The Commission considers, given the purpose Continued, that the collection of this data is relevant, adequate and not excessive within the meaning of section 6 of the Act of January 6, 1978, as amended.
For the Chair:
The Vice-Chairperson Delegate,
E. Givry
