The GDPR is almost here, and I am frequently consulted about the role and impact of the Regulation on anti-corruption due diligence, as the latter process is very likely to retrieve personal information.
In particular, very recently, I was asked if consent was required.
To make a long story short: no, it is not necessary.
Article 6 of the Regulation, besides consent, sets out other legal bases for processing:
- Legal obligation. We know that, in light of anti-corruption duties, performing due diligence on agents, consultants or other third parties falls into this category.
- To protect vital interests. Economic interests are amongst these, and we know that fines for violation of (foreign) bribery laws are quite significant (without even mentioning the possible reputational damage).
Therefore, it is imperative to perform appropriate due diligence that keeps your organization safe, while acquiring only the information actually needed.