Requirements imposed by the General Data Protection Regulation (GDPR) for online investment platforms


What rules must you follow?

First of all, you must implement a privacy policy on the platform’s website, informing users about all the personal data you collect (process) from them, the legal basis for processing, and everything that happens to that data (data categories, purpose of processing, sharing with third parties, the purpose of sharing, etc.). For information on the content of the privacy policy, we refer to “Rules you must follow if you own a website.”

When is the processing of users’ personal data on the website/platform legally allowed?

Any activity involving the processing of personal data of an individual must have a legal basis as outlined in Article 6 of the GDPR. According to Article 6 of the GDPR, it is legal to process personal data when (we have selected the legal grounds that may apply in your case):

Legal Grounds for Processing Personal Data According to the GDPR

  1. User’s Consent (lit. a)

The data subject has given explicit consent for the processing of their data (for example, they have consented in writing or by ticking a checkbox).

  2. Performance or Conclusion of a Contract (lit. b)

The processing is necessary for the performance or conclusion of a contract to which the data subject is a party (for example, a contract for investment services between you and the user through the platform as outlined in your website’s Terms and Conditions, where certain personal data is required to conclude and execute the contract).

  3. Compliance with a Legal Obligation (lit. c)

The processing is necessary for compliance with a legal obligation – in your case, this may relate to fulfilling legal obligations imposed by Anti-Money Laundering (AML) and Counter-Terrorism Financing legislation applicable to all financial institutions, including companies providing investment services like yours through an online investment platform. Investment services include, for example, receiving and transmitting orders for one or more financial instruments, executing orders on behalf of clients, investment advisory services, etc.

  4. Public Interest (lit. e)

The processing is necessary for the performance of a task carried out in the public interest (for example, this legal basis can apply only to data collected for AML purposes and stored for a long period, as stipulated by the above-mentioned Directive and Article 22(4) of the Romanian Law transposing this Directive: “Processing of personal data under paragraph (1) is considered necessary for implementing public interest measures in accordance with the provisions of Regulation (EU) 2016/679 regarding the protection of natural persons”).

Note: In principle, the data you collect from users on the presentation website cannot be justified by the grounds listed in points b), c), or e) above, because users of the presentation website (who are only visiting the site) do not actually benefit from your platform’s services. For these users, there is no obligation to collect data for AML reasons or for entering into a contract. Until users actually benefit from the platform’s services (e.g., creating an account, executing transactions, etc.), the grounds mentioned in b), c), or e) do not apply, but potentially, the one in lit. a) could.

Explanations for the Legal Grounds Listed Above

Due to the specific nature of your activity (providing investment services), you are legally obligated to collect certain personal data from users for AML (Anti-Money Laundering) reasons, and under the relevant regulations, you must store this data for a period of 5 years.

AML legislation is harmonized across the EU, and each member state follows the same rules due to EU Directive 2015/849, which concerns the prevention of money laundering and the financing of terrorism, as amended and supplemented. In Romania, this Directive is transposed into Law no. 129/2019.

According to the regulations, this data is processed only for the purpose of preventing money laundering and terrorism financing, and it cannot be processed later in a way that is incompatible with this purpose. Processing of this personal data for other purposes, such as commercial purposes, is prohibited.

In general terms, according to AML regulations (Article 13(1) of Law 129/2019 transposing EU Directive 2015/849), you are required to apply standard customer due diligence measures in the following situations:

  • Before establishing a business relationship (legally defined as a professional relationship related to your services, considered to last for a certain period of time when the contact is established);
  • For occasional transactions worth at least the equivalent in RON of 15,000 euros, or involving a fund transfer of at least 1,000 euros, or when there are suspicions of money laundering or terrorism financing;
  • If there are doubts regarding the accuracy or sufficiency of the identification information already held about the client.

These measures must allow you to identify the user of your platform and verify their identity based on documents, data, or information obtained from reliable and independent sources. You must also assess the purpose and nature of the business relationship and, if necessary, obtain additional information about it. You must ensure continuous monitoring of the business relationship, including by reviewing transactions conducted throughout the relationship, to ensure that the transactions align with the information held about the client, the activity profile, and the risk profile, including, where applicable, the source of funds, and that the documents, data, or information held are updated and relevant.

According to Article 22(1)(1) of Regulation 19/2019 on measures to prevent and combat money laundering and terrorism financing through financial sectors supervised by the Financial Supervisory Authority, the following personal data may be required for individuals:

  • Name
  • Surname
  • Alias (if applicable)
  • Date and place of birth
  • Personal identification number, and the number and series of the identification document
  • Permanent address/residence (full address – street, number, block, staircase, floor, apartment, city, county/district, country)
  • Citizenship
  • Nationality
  • Country of origin
  • Occupation and, if applicable, employer’s name or nature of self-employment
  • Telephone number
  • Email address (if available)
  • Public office held (if applicable)
  • Purpose and nature of the business relationship with you, source of funds to be used in the business relationship, etc.

For AML purposes, these types of data must be kept and stored electronically for a period of 5 years from the termination of the business relationship with the client (this period may be extended for up to 5 years if required by competent authorities). After the period expires, you are required to delete this data.

Each of the personal data types collected from users must be justified by at least one of the conditions mentioned above.


Do You Need to Appoint a Data Protection Officer (DPO)?

It is mandatory to appoint a DPO if Article 37(1)(b) of the GDPR applies to your case.

According to the legal provisions mentioned above, it is mandatory for a data controller to appoint a DPO when two conditions are met:
a) The main activities of the controller or the processor require the regular and systematic monitoring of data subjects;
b) On a large scale.

a) Regarding the first condition, according to Recital 97 of the GDPR and Article 2.1.2 of the Guidelines on the Data Protection Officer, the main activities of a controller refer to “its core activities, not to the processing of personal data as an ancillary activity.” “Main activities” can be considered as the key operations necessary to fulfill the objectives of the controller or the processor. In other words, activities where data processing is an essential part of the controller’s activity.

In the case of investment platforms, this condition is met, as the purpose of the activity (providing investment services) cannot be achieved without processing the personal data of users.

Regarding the concept of regular and systematic monitoring of data subjects, this is not explicitly defined by the GDPR. However, the concept of “monitoring the behavior of data subjects” is mentioned in Recital 24 and clearly includes all forms of tracking and profiling on the internet, including for behavioral advertising purposes.

According to the interpretation by the Article 29 Working Party (WP29), the term “regular” can have one or more of the following meanings: permanent or at certain intervals, for a specific period, recurrently or repeatedly, at fixed times, consistently, or periodically.

According to WP29’s interpretation, the term “systematic” can have one or more of the following meanings: it is carried out according to a system, predetermined, organized or methodical, taking place within a general data collection plan.

b) Regarding the second condition, “on a large scale,” it is essential that the processing involves a significant number of individuals, across a large geographical area.

Does the DPO need to have any certifications?

A DPO must have a certification to be appointed to this role, but the exact level of expertise required is not strictly defined by the GDPR.

In Romania, the DPO role is classified under occupation code 242231 according to Decision No. 74/19.03.2018 by the National Qualifications Authority. According to this decision, the educational level required for a DPO is higher education with a bachelor’s degree, with special conditions such as a minimum of 1 year of work experience and a specialized training course with certification.

How can you appoint a DPO?

Article 37(6) of the GDPR provides that the DPO:
a) can be a staff member of the controller or of the processor, or
b) can perform their duties based on a service contract.

If you want to choose a member of your staff, there are 2 possibilities:

a. The DPO performs their tasks based on an employment contract, in one of two cases:

  • The DPO is appointed from among the existing employees, or
  • The DPO is a new employee.

If the DPO is appointed from among existing employees, the individual employment contract needs to be modified if they are assigned new responsibilities in addition to their current ones, or if they are employed full-time in the DPO role.

If you choose to recruit a DPO who will be part of your staff, it is necessary to sign an individual employment contract, either for a fixed-term or indefinite period, depending on your requirements.

b. Alternatively, the DPO role can be fulfilled based on a service contract signed with an individual or another company.

You are required to maintain a record of processing activities under your responsibility, which must be made available to the supervisory authorities upon request, if your company has more than 250 employees or if the processing is not occasional (in your case, the processing is not occasional, but periodic due to the nature of the activity).

According to GDPR, Article 30(1):
Each controller, and where applicable, the controller’s representative, shall maintain a record of processing activities under their responsibility. This record shall include the following information:

  • (a) the name and contact details of the controller, and where applicable, the controller’s representative, the data protection officer (DPO), and any other relevant parties;
  • (b) the purposes of the processing;
  • (c) a description of the categories of data subjects and the categories of personal data;
  • (d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • (e) where applicable, transfers of personal data to a third country or an international organization, including identifying the third country or international organization, and where transfers are made under Article 49(1), second subparagraph, documentation proving the existence of adequate safeguards;
  • (f) where possible, the envisaged time limits for the erasure of different categories of data;
  • (g) where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

The records referred to in paragraphs (1) and (2) must be kept in writing, including in electronic format.

Lawyer Bianca Rohozneanu
