What rights and limits do we have in terms of treating sensitive customer information?
Treatment of personal information is necessary for those required to report to be able to fulfill their duties according to the Money Laundering Act.
The Money Laundering Act presents certain separate, extended and detailed rules regarding treatment of personal information. For instance, the act provides the legal foundation to treat this kind of information. It also provides the foundation for storing information about customers and transactions up to five yeras after the transaction occurred. Furthermore, the act states that it is necessary to have "systems that enable swift and complete responses to requests from Økokrim and other governmental departments.."
Note that the Money Laundering Act does not entail any general exception from GDPR. It will still be strict demands in terms of minimising data and strong relevance of stored information.
Also bear in mind that stored information should both be relevant, up to date and correct.