Consent vs Legal Obligation
Why AML KYC should never be based on consent, and how to choose the right GDPR legal basis.
Published 4 June 2026
Consent is unsuitable for AML
Consent must be freely given and revocable. Neither is compatible with a legal obligation imposed by Law 10/2010.
Correct legal bases
- KYC and transaction monitoring: legal obligation (Art. 6(1)(c)).
- Suspicious activity reporting: legal obligation.
- Marketing: consent or legitimate interest.
- Contractual performance: necessary for a contract.
