4

Suppose you have a startup that raises money from a number of angel investors, many of whom are investing as natural persons.

What is the lawful GDPR basis for processing the investors' personal data, including their name, address, and photo IDs?

My guess would be either Contract or Legal Obligation (to comply with AML regulations).

A subscription agreement cannot be drafted without the investor's personal details. However, it can be drafted without a photo ID, but the photo ID is necessary to check the identity of the investor against an AML database.

Note: this question is about a UK company and so about the UK Data Protection Act, but since that is basically a copy-and-paste of GDPR, this question applies to EU companies as well.

2 Answers

3

'Know Your Customer' (KYC) is a synonym for 'customer due diligence' checks.

The Money Laundering Regulations refer to 'customer due diligence' and not to KYC, so searching the regs for Know Your Customer or KYC will have no results. But you can search the Financial Conduct Authority's handbook for "Know Your Customer" or "KYC" and eventually arrive at useful information.

The Regulations create legal obligations to apply 'customer due diligence measures' that necessarily involve the processing of some personal data.

As Dale M said, one of the six lawful bases for processing personal data is 'legal obligation' (Article 6(c) GDPR): "processing is necessary for compliance with a legal obligation to which the controller is subject".

Lag
0

Legal obligation

One of the bases for collecting data under GDPR is a legal obligation. Assuming KYC is a legal requirement, this is satisfied.

Dale M