Law Society of Scotland

AML and data protection

The Money Laundering Regulations require law firms to carry out anti-money laundering checks on clients, both individuals and corporate clients, which inevitably involves the processing of personal data and sometimes special category data.

Law firms have a legal obligation to carry out identification and verification checks on clients. Therefore the lawful basis for processing any personal data for this purpose is Article 6(1)(c). As stated earlier, consent is difficult to obtain and maintain. In the context of personal data that is processed for the purposes of AML checks, law firms are obliged by the regulations to retain this information for a period of time. If the firm relied on consent and the individual withdrew it during that time, the law firm would have to delete the data if requested, as it would have no lawful basis under data protection law to retain this information. A data controller cannot change its lawful basis for processing, and so the solution is not to rely on consent.

Increasingly, law firms are using technology to carry out checks remotely. The technology supplier will be a data processor, and it is important to remember that the law firm remains responsible for the processing carried out through the technology, as it remains the data controller.

Biometric data

Some suppliers allow the use of facial recognition technology, which relies on the collection of biometric data. This is special category data and so must be thought about more carefully. This technology should only be used if necessary, and the decision about necessity is for the law firm.

If the law firm is using biometric data for AML purposes, there is a lawful basis set out in Schedule 1, Part 2 of the Data Protection Act 2018, which sets out the list of substantial public interests in the UK for processing provided by Article 9(1)(g). Paragraph 12 allows processing that is necessary for the purposes of complying with a regulatory requirement.

The controller must also consider the retention of AML records and in particular the retention of biometric data. The Law Society of Scotland’s supervisory position is that law firms should be able to document that they have undertaken the verification check, a summary of the information on which the check was based, the result and what decisions were made following the result. Therefore it may not be necessary for the biometric data to be retained by the technology company. As it is a processor, the law firm can instruct it to delete personal data held on its behalf.

Case study

Our law firm has started using a technology company to assist it with AML checks. This allows facial recognition technology to be used, and our law firm has decided that this is only necessary where the fee earner has not met the individual either face to face or through a video call. This decision was taken following the completion of a Data Protection Impact Assessment, and the firm took this approach to comply with the requirement for the processing to be necessary and the data minimisation principle.

The firm has also asked the technology company to delete the biometric data one month after it has been collected.

The law firm has also updated its privacy notice for clients to explain its use of technology, including the possibility that it will process biometric data.

Law Society of Scotland | © 2025