# Article 25 — Data protection

**Source:** [Regulation (EU) 2023/1113 — EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1113)

1. The processing of personal data under this Regulation is subject to Regulation (EU) 2016/679. Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725.
2. Personal data shall be processed by payment service providers and crypto-asset service providers on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited.
3. Payment service providers and crypto-asset service providers shall provide new clients with the information required pursuant to Article 13 of Regulation (EU) 2016/679 before establishing a business relationship or carrying out an occasional transaction. That information shall be provided in a concise, transparent, intelligible and easily accessible form in accordance with Article 12 of Regulation (EU) 2016/679 and shall, in particular, include a general notice concerning the legal obligations of payment service providers and crypto-asset service providers under this Regulation when processing personal data for the purposes of the prevention of money laundering and terrorist financing.
4. Payment service providers and crypto-asset service providers shall ensure at all times that the transmission of any personal data on the parties involved in a transfer of funds or a transfer of crypto-assets is conducted in accordance with Regulation (EU) 2016/679.

The European Data Protection Board shall, after consulting EBA, issue guidelines on the practical implementation of data protection requirements for transfers of personal data to third countries in the context of transfers of crypto-assets. EBA shall issue guidelines on suitable procedures for determining whether to execute, reject, return or suspend a transfer of crypto-assets in situations where compliance with data protection requirements for the transfer of personal data to third countries cannot be ensured.

## What this means in practice

Article 25 is the bridge between ToFR and [**GDPR**](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679). Four specific commitments:

1. **Purpose limitation.** Personal data collected under ToFR must be used **only** for AML/CFT: not for marketing, not for analytics, not for any commercial purpose. Para 2 states this expressly.
2. **Transparency notice at onboarding** (para 3) — the GDPR Art. 13 notice must specifically flag the ToFR processing purpose. Generic privacy notices that lump everything together will fall short.
3. **Third-country transfer governance** (para 4) — Travel Rule data flowing to non-EU recipients falls under GDPR Chapter V (adequacy decisions, SCCs, derogations). The EDPB (after consulting EBA) was tasked with issuing implementation guidelines; EBA was separately tasked with issuing guidelines on when to reject, return or suspend a crypto-asset transfer if compliant transmission cannot be ensured.
4. **Security in transit** (para 4 first subparagraph) — the transmission channel must satisfy GDPR's security requirements (Art. 32).

For CASPs, this means any Travel Rule transmission arrangement must provide appropriate security, integrity controls, and a GDPR-compliant basis for any onward processing.


