2. Definition of the basis of lawfulness for retention and of the retention period

a.   Article 6.1(c) GDPR: retention necessary for compliance with a legal obligation


Article 6.1(c) GDPR provides for the lawfulness of processing if such processing "is necessary for compliance with a legal obligation to which the controller is subject". Retention periods should, in principle, not exceed the statutory limitation periods.

i. Ten-year retention period (Commercial Code)

16.

Article 16 of the Commercial Code requires traders to keep the documents or information referred to in Articles 11, 12, 14 and 15 ‘for 10 years from the end of the financial year to which they relate’, but only for accounting purposes. Therefore, all personal data of a customer processed in the context of accounting (accounting records and books), letters received and copies of letters sent may be kept by the controller for a period of 10 years from the end of the financial year to which they relate (which generally coincides with the end of the calendar year). Personal data stored on the basis of this provision must therefore be erased at regular intervals, unless they are also processed for another purpose (e.g. compliance with another legal obligation providing for a longer retention period). Personal data collected in the context of the accounting year 2024 will therefore have to be erased or anonymised by the controller on 1 January 2035, even if the account of the data subject has still not been closed.

Example 3: A bank customer’s account order may be kept for 10 years after the account has been closed. On the other hand, the copy of his identity card which was collected as part of the bank’s obligations under the 2004 Act, and which is not processed by the bank as part of its accounting, will have to be deleted five years after the closure of the customer’s account (unless the bank is able to demonstrate that an extended retention period of five additional years is necessary for the effective implementation of internal measures to prevent or detect acts of money laundering or terrorist financing in accordance with Article 3.6 of the aforementioned Act).

17.

Furthermore, Article 27 (entitled ‘Archiving’) of the 2009 Law requires payment institutions and electronic money institutions to ‘keep, in accordance with the time limits laid down in the Commercial Code, all appropriate records to enable the CSSF to check that they comply with their obligations under this Law’.


18.

Moreover, under the Law of 5 April 1993 on the financial sector, as amended, credit institutions must provide for the recording and retention, in accordance with the time limits laid down in the Commercial Code, of ‘any service provided, any activity carried out and any transaction carried out by them’ (Article 37-1(6)). Data collected and stored on the basis of the abovementioned national provisions may therefore in principle be kept for a maximum of 10 years from the end of the financial year to which they relate and must then be erased or anonymised by the controller (unless another, longer retention period applies to such data).

ii. Data retention period for the purpose of combating money laundering and terrorist financing (Law 2004)

19.

In accordance with Article 3.6 of the 2004 Law, Article 1.5 of the Grand-Ducal Regulation of 1 February 2010 specifying certain provisions of the amended Law of 12 November 2004 on the fight against money laundering and terrorist financing and Article 25 of the CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing, as amended (hereinafter "the CSSF Regulation"), professionals are required to keep for five years after the end of the business relationship with the customer or after the date of the transaction concluded on an occasional basis the following documents, data and information:

  • a copy of the documents, data and information that are necessary to comply with the customer due diligence obligations set out in Articles 3 to 3-3 of the 2004 Law, the books of accounts, commercial correspondence and the results of any analysis carried out;
  • supporting documents and transaction records that are necessary to identify or reconstruct individual transactions in order to provide, where necessary, evidence in the context of a criminal investigation.

20.

The CNPD notes that the personal data retained include, for example, those contained in official customer identification documents such as passports, identity cards, driving licences or other similar documents, or copies of those documents; analyses carried out to establish the context and purpose of abnormally large or complex transactions; beneficial ownership data (e.g. extracted from the beneficial ownership register), etc.

21.

The CNPD also notes that the retention of certain data on the basis of the aforementioned provisions may, in rarer cases, also concern special categories of personal data within the meaning of Article 9 of the GDPR or personal data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR.[1]


22.

Indeed, political opinions and religious beliefs can be revealed through financial transactions, for example through donations made to political parties or organisations, churches or parishes. Membership of a trade union can be revealed by the debiting of an annual membership fee from a person’s bank account. Personal data concerning health can be obtained by analysing medical bills paid by a data subject to a health professional (e.g. a psychiatrist). Finally, information about certain purchases may reveal information about a person’s sex life or sexual orientation.[2]

23.

Furthermore, the due diligence obligations under the 2004 Law could lead controllers to collect and store data relating to judicial proceedings against a natural person, such as those relating to his indictment or trial, and, where applicable, the resulting conviction, which constitute data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 10 of the GDPR, irrespective of whether or not, in the course of those judicial proceedings, the commission of the offence for which the person was being prosecuted was actually established.[3]


24.

Given that the context in which this type of data is processed could give rise to significant risks to the fundamental rights and freedoms of data subjects,[4] the processing of data covered by Articles 9 and 10 of the GDPR requires the controller to put in place a number of additional safeguards, such as specifically informing data subjects that these categories of data may be processed for the purposes of compliance with the 2004 Law, or a mechanism enabling the controller to ensure that the data come from reliable sources and are accurate and up to date.[5]

25.

Entities subject to the 2004 Law may retain their customers’ personal data for an additional period of five years ‘where such retention is necessary for the effective implementation of internal measures to prevent or detect money laundering or terrorist financing’ (Article 3.6(6)) or where an additional retention period is required by the supervisory authorities (Article 3.6(5)). In the light of that provision, the CNPD points out that a period of 10 years should not be the ‘default’ retention period for all customers of a payment service provider. It is up to the controller, in accordance with the principle of accountability, to document why an additional period of five years is necessary.

26.

It is also important to note that the 2004 Law provides that ‘[w]ithout prejudice to the longer retention periods prescribed by other laws, professionals are required to erase personal data at the end of the retention periods referred to in paragraph 1.’ (Article 3.6, paragraph 4). The obligation to erase the data of the data subjects after 5 or 10 years (after the end of the business relationship with the customer or after the date of the transaction concluded on an occasional basis) is therefore also laid down in the 2004 Law itself. Controllers should therefore not retain data beyond these time limits for anti-money laundering and terrorist financing purposes.

Note: where a legal obligation requires the controller to erase the data, it may not rely on its legitimate interest to retain the data collected for compliance with that legal obligation beyond the statutory retention period.

27.

The CNPD also takes note of Article 11.2 of the CSSF Regulation, as amended, according to which: ‘The customer acceptance policy must also provide for the procedures to be followed in the event of a suspicion or reasonable grounds for suspicion of money laundering, an associated predicate offence or terrorist financing in the event of failure to contact a potential customer. The reasons for a refusal on the part of the customer or the trader to enter into a business relationship or to carry out a transaction must be documented and kept in accordance with the procedures laid down in Article 25 of this Regulation, even if the refusal on the part of the trader does not result from the finding of an indication of money laundering or terrorist financing.’ Consequently, the data of a data subject who is refused the opening of an account, or who withdraws from such an opening, may be retained in accordance with the rules laid down in the 2004 Law.

28.

In the light of the foregoing, the CNPD draws a distinction between three possible starting points for calculating the retention periods prescribed by Article 3.6 of the 2004 Law:

(i) the end of the business relationship with the customer (which corresponds, for example, to the closure of the bank account or online account of a data subject);

(ii) the date of an occasional transaction;

(iii) the date on which the customer or the trader refused to enter into a business relationship.

29.

The CNPD notes that an account may be blocked by the controller for reasons relating to the application of the 2004 Law (for example, pursuant to Article 3.4 of the 2004 Law, pending identity verification) and that, if the customer does not react, the account remains blocked indefinitely, so that no event occurs to start a retention period. As this situation may in some cases lead to the retention of the data subject’s data for an unlimited period, in breach of Article 5.1(e) of the GDPR,[6] the CNPD recommends that the controllers concerned set up a mechanism to follow up with the data subject and to close the account no later than one year after it has been blocked (the personal data are in any event retained after closure for anti-money laundering and counter-terrorist financing purposes).

iii. Special retention periods for the purpose of combating money laundering and terrorist financing (Reg. EU 2023/1113)

30.

Article 26.1 of Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 recalls that information on the payer and the payee, or on the originator and the payee of crypto-assets (such as, inter alia, name, payment account number, address, official identity document number, customer identification number, date and place of birth), shall not be retained beyond what is strictly necessary. The payment service provider must therefore retain such data for a period of five years, after which it must delete them (as specified in Article 26.2), unless national law provides otherwise by specifying the circumstances in which payment service providers may or must extend the retention period for such data. Since the personal data processed by payment service providers on the basis of this Regulation are processed only for the purposes of preventing money laundering and terrorist financing (Article 25.2), the CNPD understands that the starting point of the aforementioned retention period is the same as that for the processing operations provided for by the 2004 Law, namely the end of the business relationship with the customer or the date of the transaction concluded on an occasional basis.

Example 4: An online bank processes the number of its client’s official identity document in accordance with Article 26.1 of Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 and the provisions of the 2004 Law. This data must be deleted 5 years after the closure of the account of the person concerned.

iv. Recording of telephone conversations and electronic communications

31.

Recording of telephone conversations and electronic communications is, in principle, possible only in accordance with the amended Law of 30 May 2005 on the protection of privacy in the electronic communications sector (‘the 2005 Law’) and the GDPR.


32.

Thus, pursuant to section 4.3(d) of the 2005 Act, communications may be recorded:

  • based on the prior, free, specific, informed and unambiguous consent of the customer; or
  • when carried out in the context of lawful business uses, to provide evidence of a commercial transaction or other commercial communication.


33.

The exception for ‘commercial communications’ may cover, for example, recordings of telephone conversations made by call centres, help desks, after-sales services, etc.


34.

In both cases, customers and employees must be informed in advance and in a transparent manner, in particular of the purpose(s) of the recording and of the retention period. This information must comply with the requirements of the GDPR.[7]

35.

In order to comply with these requirements, the CNPD considers it necessary that, during each telephone call that is recorded, the parties to the call are specifically made aware of the recording, whether or not an automated message is played at the beginning of the call.

36.

As regards credit institutions more specifically, Article 37-1(6a) of the Law of 5 April 1993 on the financial sector, as amended, lays down the obligation to keep records of telephone conversations or electronic communications ‘in connection, at least, with transactions concluded in the context of proprietary trading and the provision of services relating to client orders concerning the receipt, transmission and execution of client orders’ for ‘five years and, where the CSSF so requests, for a period of up to seven years.’ Recordings of telephone conversations and electronic communications must therefore in principle be deleted five years after they were made, unless longer retention is justified by another purpose compatible with the original purpose and one of the grounds for lawfulness laid down in Article 6 of the GDPR applies.

v. Collection of identity cards in the exercise of data subjects’ rights

37.

In accordance with Article 12.6 of the GDPR, where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21 (for example, a request for access or erasure), it may request that additional information necessary to confirm the identity of the data subject be provided.


38.

In general, the identity card should not be considered an appropriate means of authentication to confirm the identity of the data subject unless a proportionality assessment demonstrates otherwise. Such an assessment must take account of the type of data processed, the nature of the request and the context of the request, while avoiding excessive data collection and ensuring an adequate level of security of processing.[8]

39.

Nevertheless, a payment service provider may ask a data subject wishing to exercise their rights under the GDPR to provide a copy of their identity card or other official document proving their identity (where such collection is justified and proportionate under the GDPR).

In such a situation, the controller must then implement safeguards to prevent unauthorised or unlawful processing of the identity card. This may include refraining from making a copy after verifying the identity card, or deleting the copy of an identity document immediately after the identity of the person concerned has been successfully authenticated. Moreover, the EDPB recalled that “the subsequent retention of a copy of an identity document may constitute a breach of the principles of purpose limitation and storage limitation (Article 5(1)(b) and (e) GDPR) and, in addition, of national law relating to the processing of the national identification number (Article 87 GDPR). The EDPB recommends, as a good practice, that the controller, after verifying the identity card, makes a note, stating for example “the identity card has been verified” in order to avoid unnecessary copying or storage of copies of identity cards.”[9]

40.

The CNPD also points out that the processing of an identity card for authentication purposes in the context of the exercise of data subjects’ rights is without prejudice to the obligation to retain a copy of the identity card under the 2004 Law: the erasure of the identity card collected to confirm the identity of a person exercising, for example, a right of access under Article 15 of the GDPR does not entail the erasure of his or her identity card retained, in a separate database, for purposes related to the fight against money laundering and terrorist financing (‘AML/CFT’).[10]

b.   Article 6.1(f) GDPR: retention necessary for the purposes of the controller's legitimate interests

i. Reminder of the conditions for the use of legitimate interest

41.

Article 6.1(f) GDPR provides for the lawfulness of processing if such processing “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child, prevail”.


42.

The CNPD would like to recall the three cumulative conditions for a controller to be able to rely on Article 6.1(f) GDPR:[11]

i) the pursuit of a legitimate interest by the controller or by a third party;

ii) the necessity of the processing of personal data for the fulfilment of the legitimate interest pursued (the legitimate interest pursued cannot reasonably be achieved as effectively by other means less detrimental to the fundamental rights and freedoms of the data subjects);

iii) the interests or fundamental rights and freedoms of the data subject do not override the legitimate interest of the controller or a third party (the data subject’s interests may prevail, for example, where personal data are processed in circumstances where data subjects do not reasonably expect such processing).

43.

The conditions for relying on legitimate interest must be interpreted restrictively.[12] Legitimate interest must not be used as a default basis for lawfulness. The CNPD recommends that the rights and interests involved be balanced for each processing operation, and that this analysis be detailed and documented before the processing operation in question takes place.

44.

This involves assessing the degree of intrusion of the envisaged processing into the individual sphere, by measuring its impact on the privacy of individuals (processing of sensitive data, processing of vulnerable persons, profiling, etc.) and on their other fundamental rights (freedom of expression, freedom of information, freedom of conscience, etc.) as well as the other concrete impacts of the processing on their situation (monitoring or surveillance of their activities, banking exclusion, etc.). Those impacts must be measured in order to determine, on a case-by-case basis, the extent of the intrusion caused by the processing into the lives of individuals.[13]


45.

Recourse to this legal basis entails certain additional obligations for the controller in managing the rights of data subjects:

  • Specific obligation to provide information on the legitimate interests pursued (Article 13.1(d) GDPR where the personal data are collected from the data subject and Article 14.2(b) GDPR where the personal data have not been collected from the data subject);
  • Right of objection of the data subject (Article 21(1) of the GDPR): right of the data subject to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her based on legitimate interest, including profiling based on those provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims;
  • Right to restriction of processing (Article 18 GDPR): right of the data subject to obtain the restriction of processing where the data subject has objected to the processing pursuant to Article 21.1 GDPR, during the verification of whether the legitimate grounds pursued by the controller outweigh those of the data subject.


46.

For further details on the criteria that controllers must fulfil in order to process personal data on the basis of legitimate interest, the CNPD invites the actors concerned to read the draft EDPB guidelines on legitimate interest.[14]

47.

In the following sections, the CNPD will analyse purposes that could be pursued on the basis of the legitimate interest of a payment service provider.

ii. Retention of data necessary for the establishment, exercise or defence of legal claims

48.

Recital 65 of the GDPR specifies that the further storage of personal data should be lawful where it is necessary for the establishment, exercise or defence of legal claims. In that context, limitation periods may therefore provide important guidance for determining retention periods.[15]

49.

Article 189 of the Commercial Code provides that ‘obligations arising in the course of trade between traders or between traders and non-traders shall be time-barred after 10 years if they are not subject to shorter limitation periods’. It is therefore possible for a payment service provider to retain any personal data that it may need in the context of a dispute with the customer. Only personal data relating to the performance of contracts and the services provided by the controller may be retained for this purpose.

Example 5: Only the data necessary for the performance of the contract between a bank and its customer (for example, a statement of account) may be retained after the closure of the account of the person concerned in order to constitute evidence in the event of litigation, within the limitation period of Article 189 of the Commercial Code (10 years). On the other hand, data collected as part of the bank’s due diligence obligations under the 2004 Law, such as data collected from ‘watchlists’, must be deleted after 5 years (in the absence of an extended retention period of 5 years), in accordance with Article 3.6(4) of the 2004 Law (‘Without prejudice to the longer retention periods prescribed by other laws, professionals are required to erase personal data at the end of the retention periods referred to in subparagraph 1’) and Article 3.6bis(2) (‘Processing of personal data on the basis of this Law for any other purpose is prohibited’).

iii. Retention of customer data for fraud prevention purposes

50.

Fraud prevention is identified in Recital 47 GDPR as one of the possible legitimate interests protected by Article 6.1(f) GDPR.


51.

With regard more specifically to payment service providers, it is worth recalling the provisions of Article 105 of the 2009 Law: ‘Payment systems and payment service providers shall be entitled to process personal data where necessary to ensure the prevention, investigation and detection of payment fraud. [...]’.[16]

52.

In the context of its Guidelines on the interaction between the Second Payment Services Directive and the GDPR,[17] the EDPB recalled that the processing of personal data strictly necessary for fraud prevention purposes may constitute a legitimate interest of the payment service provider concerned, provided that the interests or fundamental rights and freedoms of the data subject do not override those interests. Processing activities for fraud prevention purposes should then be based on a thorough case-by-case assessment by the controller, in line with the principle of accountability.

53.

Furthermore, the EDPB indicated in its guidelines on legitimate interest that the processing of personal data in the context of the legitimate interest of fraud prevention is not without conditions and limitations, in particular because this type of processing can have a significant impact on data subjects. For example, recital 47 of the GDPR specifies that the processing of personal data must be "strictly necessary for fraud prevention purposes", which must be read in conjunction with the principle of data minimisation enshrined in Article 5.1(c) of the GDPR. The EDPB also states that the principle of storage limitation, laid down in Article 5.1(e) of the GDPR, must likewise be taken into account when defining the data retention policies applicable to data processed for fraud detection or prevention purposes.[18]

54.

In practice, the processing carried out for control and anti-fraud purposes results in profiling using algorithms that use all available data to calculate a fraud or error risk rate for each customer (e.g. based on a history of fraud already committed). While fully recognizing the importance of the fight against payment fraud, the CNPD nevertheless wishes to reiterate the great caution with which these algorithms must be designed and used, given the risks they present and the biases they may be subject to. 


55.

In an online context, this type of processing may involve the collection of transaction data but also data related to the context of a payment transaction such as behavioural data (behavioral analysis such as keystroke dynamics, data related to purchasing and consumption habits), navigation data and data relating to connection to information systems (geolocation data, data relating to equipment: IP address, screen or browser setting, etc.).


56.

The prevention, investigation and detection of payment fraud may involve different types of processing, such as the detection of anomalies or inconsistencies, the management and analysis of the resulting alerts, and the compilation of lists of persons duly identified by the controller as perpetrators of acts it has qualified as fraud or attempted fraud. These processing operations can be described as ‘profiling’ within the meaning of the GDPR.[19] While there may be benefits to retaining data for profiling, since the algorithm will have more data to learn from, controllers must respect the principle of data minimisation when collecting personal data and ensure that they retain such personal data only for as long as is necessary and proportionate to the purposes for which the data are processed.[20]

57.

In the light of the foregoing, the CNPD considers that the retention period for data in the context of the prevention and detection of fraud should be limited to the time strictly necessary for the accomplishment of that purpose. For example, the retention of data of a data subject for whom no fraud has been detected during the duration of the contract after the closure of his or her account does not seem necessary or proportionate. In this case, the CNPD considers that the controller should erase (or anonymize) the data processed to fight fraud after the end of the contractual relationship with the customer.
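As an added illustration of how the retention rules set out in paragraphs 16, 25 to 29, 49 and 57 can be turned into an erasure schedule, the following Python module is example code written for this page; it is not code from the CNPD or from any payment service provider. For each data item it computes the erasure date under every purpose for which the item is lawfully processed and keeps the item only until the longest applicable period has expired, which is the rule paragraph 16 states for data that also serve another purpose. The purpose labels, the Record fields, the sample items and the assumption that the Article 189 limitation period is counted from the closure of the account are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Purpose(Enum):
    """Retention bases discussed in the guidance (labels are this example's own)."""
    ACCOUNTING = "accounting"          # Art. 16 Commercial Code: 10 years from end of financial year
    AML_CFT = "aml_cft"                # Art. 3.6 of the 2004 Law: 5 years, +5 only if documented
    LEGAL_CLAIMS = "legal_claims"      # Art. 189 Commercial Code: 10-year limitation period
    FRAUD_PREVENTION = "fraud"         # legitimate interest: not beyond the end of the contract


@dataclass(frozen=True)
class Record:
    """One data item together with the purposes for which it is lawfully processed."""
    item: str
    purposes: frozenset
    financial_year: Optional[int] = None        # accounting year the item relates to
    relationship_end: Optional[date] = None     # account closure / end of business relationship
    occasional_transaction: Optional[date] = None
    aml_extension_reason: Optional[str] = None  # documented justification for the extra 5 years


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def require_relationship_end(rec: Record) -> date:
    if rec.relationship_end is None:
        raise ValueError(f"{rec.item}: the business relationship has not ended yet")
    return rec.relationship_end


def aml_start(rec: Record) -> date:
    """Starting point under Art. 3.6: end of the relationship or date of the occasional transaction."""
    start = rec.relationship_end or rec.occasional_transaction
    if start is None:
        raise ValueError(f"{rec.item}: no event has started the AML/CFT retention period")
    return start


def erasure_date(rec: Record, purpose: Purpose) -> date:
    """Date on which the item must be erased or anonymised under a single purpose."""
    if purpose is Purpose.ACCOUNTING:
        if rec.financial_year is None:
            raise ValueError(f"{rec.item}: accounting data needs a financial year")
        # 10 years from the end of the financial year: FY 2024 -> erase on 1 January 2035
        return date(rec.financial_year + 11, 1, 1)
    if purpose is Purpose.AML_CFT:
        years = 10 if rec.aml_extension_reason else 5   # 10 years is never the default
        return add_years(aml_start(rec), years)
    if purpose is Purpose.LEGAL_CLAIMS:
        # Assumption of this example: the 10-year limitation period runs from the closure
        return add_years(require_relationship_end(rec), 10)
    if purpose is Purpose.FRAUD_PREVENTION:
        # No fraud detected during the contract: erase at the end of the relationship
        return require_relationship_end(rec)
    raise ValueError(f"unknown purpose {purpose}")


def erasure_deadline(rec: Record):
    """An item is erased only once the longest of its applicable periods has expired."""
    if not rec.purposes:
        raise ValueError(f"{rec.item}: no lawful purpose, erase immediately")
    dates = {p: erasure_date(rec, p) for p in rec.purposes}
    purpose, deadline = max(dates.items(), key=lambda kv: (kv[1], kv[0].value))
    return deadline, purpose


def blocked_account_closure_deadline(blocked_on: date) -> date:
    """Para. 29: close a blocked account that the customer never reacts to within one year."""
    return add_years(blocked_on, 1)


# Constructed sample items for a customer whose account was closed on 30 June 2025
CLOSED = date(2025, 6, 30)
SAMPLE_ITEMS = [
    Record("account statements FY 2024", frozenset({Purpose.ACCOUNTING, Purpose.LEGAL_CLAIMS}),
           financial_year=2024, relationship_end=CLOSED),
    Record("identity card copy (AML/CFT)", frozenset({Purpose.AML_CFT}), relationship_end=CLOSED),
    Record("watchlist screening result", frozenset({Purpose.AML_CFT}), relationship_end=CLOSED,
           aml_extension_reason="internal AML review still open, documented on 2025-07-01"),
    Record("fraud risk score", frozenset({Purpose.FRAUD_PREVENTION}), relationship_end=CLOSED),
]


def schedule(items=SAMPLE_ITEMS):
    """Map each item to (deadline, purpose that justifies keeping it longest)."""
    return {rec.item: erasure_deadline(rec) for rec in items}


if __name__ == "__main__":
    for item, (deadline, purpose) in schedule().items():
        print(f"{item:35} erase on {deadline} (longest period: {purpose.value})")
    print("blocked 2025-03-01 -> close by", blocked_account_closure_deadline(date(2025, 3, 1)))
```

The per-purpose split is the point of the design: an identity card copy held only for AML/CFT is scheduled for erasure five years after closure regardless of the ten-year accounting period that applies to the statements of the same customer, and the five-year extension is only granted when a documented reason is attached to the record. Running the module prints the schedule for the constructed sample items.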


----------------------------------------------------------------------------------------------------------------------------------------------

[1] Council of Europe, Advisory Committee to the Convention for the Protection of Individuals with regard to the Processing of Personal Data, Convention 108, Guidelines on the protection of personal data in the processing of personal data in the field of anti-money laundering and countering the financing of terrorism (p.20)

[2] EDPB, Guidelines 6/2020 on the interaction between the Second Payment Services Directive and the GDPR, Version 2.0, adopted on 15 December 2020 (§52); European Data Protection Supervisor, Opinion 39/2023 on the Proposal for a Regulation on payment services in the internal market and the Proposal for a Directive on payment services and electronic money services in the internal market, adopted on 22 August 2023 (§24).

[3] Judgment of 24 September 2019, GC and Others (Delisting of sensitive data), C-136/17, EU:C:2019:773, paragraph 72.

[4] See recital (51) of the GDPR.

[5] The CNPD invites controllers to read Article 76 of Regulation 2024/1624 of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, which lays down the conditions for the processing of data referred to in Articles 9 and 10 of the GDPR (although this provision is not yet applicable, it could already serve as a ‘standard’ for the professionals concerned).

[6] And the requirements of section 3.4 of the 2004 Act. 

[7] See Articles 12, 13 and 14 GDPR. For more information, see the CNPD’s website, ‘the right to information’, available at https://cnpd.public.lu/en/individuals/your-rights/right-a-information.html

[8] EDPB, Guidelines 01/2022 on the rights of data subjects – Right of access, Version 2.1, adopted on 28 March 2023 (§70-77)

[9] EDPB, Guidelines 01/2022 on the rights of data subjects – Right of access, Version 2.1, adopted on 28 March 2023 (§79 and the case-law cited)

[10] See point 2.a.iii

[11] Judgment of 4 July 2023, C-252/21, Meta v. Bundeskartellamt (ECLI:EU:C:2023:537), paragraph 106

[12] Judgment of 4 July 2023, Meta Platforms and Others (General conditions of use of a social network), C-252/21, ECLI:EU:C:2023:537, paragraphs 92 and 93 and the case-law cited

[13] Judgment of 4 July 2023, C-252/21, Meta v. Bundeskartellamt (ECLI:EU:C:2023:537), paragraphs 116 and 118.

[14] EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR, Version 1.0, Adopted on 8 October 2024 (this version of the guidelines is subject to public consultation).

[15] Opinion of the National Data Protection Commission on Draft Law No 7945 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, Deliberation No 49AV25/2022 of 21 October 2022 (p.22)

[16] It is likely that the basis of lawfulness for this type of processing will in the future be the legal obligation (Article 6.1(c) GDPR): cf. Article 83 of the Proposal for a Regulation on payment services in the internal market and amending Regulation (EU) No 1093/2010. It is interesting to note that Article 83 of the Proposal provides: ‘Payment service providers shall not store the data referred to in this paragraph for longer than necessary for the purposes set out in paragraph 1 or after the termination of the relationship with the customer.’

[17] Guidelines 6/2020 on the interaction between the Second Payment Services Directive and the GDPR, version 2.0, adopted on 15 December 2020

[18] EDPB Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR, Version 1.0, Adopted on 8 October 2024, paragraph 104 (this version of the guidelines is subject to public consultation).

[19] Profiling is defined as "any form of automated processing of personal data aimed at assessing the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, or location and movements, where it produces legal effects concerning the data subject or significantly affects him or her in a similar way" (recital 71 GDPR).

[20] See Article 29 Data Protection Working Party, Guidelines on automated individual decision-making and profiling for the purposes of Regulation (EU) 2016/679 (WP251rev.01p.13).
