Home > Publications > Belgian DPA issues its advice on combatting cyberfraud through money mules
Print pageprint Stay Informedprint


Belgian DPA issues its advice on combatting cyberfraud through money mules

Author(s) of this Publication

On 24 August 2021, the Belgian Data Protection Authority (DPA) published its advice n° 136/2021 regarding a draft resolution against cyberfraud particularly through ‘money mules’. The advice follows from a request made by the President of the Belgian Chamber of Representatives as the draft resolution’s subject matter involves processing personal data.

‘Money mules’, are intermediaries that lend their bank details to transfer stolen money between various payment accounts in return for a commission. In practice, the unveiling of the criminal networks running these operations turns out to be a challenging task as financial institutions are currently lacking the appropriate resources to investigate the fraudsters’ identities, which remain hidden through the ‘money mules’ scheme.

With this in mind, the resolution aims at developing a legal framework that allows financial institutions to share (personal) data of suspicious accounts and transactions when there is a presumption of money laundering.

The DPA voiced the following concerns from a personal data protection viewpoint:

  1. 1.    Commercial atmosphere

The DPA questions whether commercially competing institutions should have the competence to launch money laundering investigations on their clients and share the obtained (personal) data, given that such competence usually belongs to mandated governmental institutions (also see consid. 31 GDPR). The risk indeed arises that the obtained data are subsequently used for commercial purposes, which should be prevented at all costs. Hence, if financial institutions are to receive an investigative role, privacy-enhancing technologies should be used optimally to ensure a minimal set of data processing, e.g. through limited blacklists excluding data only occurring once.

  1. 2.    Necessary and proportionate

Another question that arises is whether the envisaged legislative measure is necessary to achieve a legitimate purpose. This necessity test implicates conducting a prior analysis of the facts justifying the measure and the efficiency level in light of the anticipated purpose. At the same time, it should be verified whether an alternative measure is available that offers the same outcome but is less intrusive from a data protection perspective. In principle, such a measure should take precedence.

  1. 3.    Predictable legal basis

Each processing of personal data must be founded on a legal basis provided by the GDPR, e.g., complying with a legal obligation – which should be framed by clear and accurate Belgian legislation. In addition, the application of the legislation itself must be predictable for the data subjects as it should contain all required information, such as the identification of the data controller, the processing purpose, the retention period, the personal data recipients, etc.

  1. 4.    Sensitive personal data

Processing personal data that are either sensitive or relate to criminal convictions and offences is principally prohibited by the GDPR. In its advice, the DPA highlights that the exceptions allowing the processing of the aforementioned personal data must be fully complied with. For example, processing personal data concerning a criminal offence may only be carried out under the control of the official authority or when the processing is authorised by EU or Belgian legislation with appropriate safeguards for the data subjects’ rights and freedoms.

  1. 5.    Social security number

Lastly, the DPA reminds us that several prescriptions and precautions must be considered when processing social security numbers (see Act of 8 August 1983 on the scheme of a National Register for natural persons). The financial institutions must be granted proper processing powers by the Belgian Minister of the Interior amongst others, unless the processing is explicitly foreseen in the legislative text directly.

To conclude, we note that the DPA has taken a rather cautious stance on the draft resolution to combat ‘money mules’ by setting up a network to share (personal) data between financial institutions. However, although the DPA does express several data protection concerns in its advice, it has not formulated an overall negative decision, probably taking into account a balance of interests.


Should you have any questions regarding this matter, please do not hesitate to contact Sarah van den Brande (s.vandenbrande@liedekerke.com) or Matthias Bruynseraede (m.bruynseraede@liedekerke.com).