Data Protection Declaration

123sanctions.eu

With this data protection declaration, we inform you about the type, scope, and purpose of the processing of personal data within the framework of our online offering 123sanctions.eu. Personal data is any data that can be used to identify you personally.

1. Responsible Party

The controller pursuant to Article 4 No. 7 of Regulation (EU) No. 2016/679 (General Data Protection Regulation, GDPR) is:

Dr. Daniel H. Gerl
Langenbergsweg 40
53179 Bonn
Germany
Email: admin@123sanctions.eu

2. General Information on Data Processing

2.1 Categories of personal data processed

In the context of operating this website, the application, and the services offered, we process the following categories of personal data, depending on usage:

2.2 Our dual role in data protection law

123sanctions.eu assumes different roles in data protection law depending on the processing context:

(a) Controller (Art. 4 No. 7 GDPR):
We are the controller for the processing of our users' personal data (e.g., registration and account data, usage data, contact data) and for the processing of data on sanctioned persons in the context of providing the screening database (see section 9).

(b) Processor (Art. 4 No. 8, Art. 28 GDPR):
If users transmit personal data of third parties to our application within the scope of sanctions list screening, we process this data exclusively on behalf of and according to the instructions of the respective user. In such cases, the user remains the controller within the meaning of data protection law.

2.3 Recipients of personal data

Personal data will only be passed on to third parties if this is necessary for the fulfillment of the contract, if there is a legal obligation to do so, or if we use processors in accordance with Article 28 GDPR.

2.4 Storage period

Personal data will only be stored for as long as is necessary for the respective processing purposes or for as long as there are statutory retention periods. The data will then be deleted or anonymized. For the specific deletion periods in the area of sanctions list data, see section 9.5.

3. Infrastructure and Hosting

The operation of 123sanctions.eu is divided into two technically and organizationally separate areas:

3.1 Website (123sanctions.eu – static website)

The publicly accessible website is used exclusively to provide information about our services. Hosting is provided by Hostinger International Ltd. on servers located within the European Union. The website does not process any personal data beyond the technically necessary access data described in section 4. A contract for order processing in accordance with Article 28 GDPR has been concluded with Hostinger.

3.2 Application (sanctions list screening platform)

The web application, databases, and all customer data (registration data, screening queries, uploaded files, results) are operated and stored exclusively on servers belonging to Hetzner Online GmbH in Nuremberg, Germany. Hetzner is certified according to ISO/IEC 27001:2022. Customer data is stored exclusively on this infrastructure within Germany. All user-related data is encrypted at rest using AES-256-GCM with a root-protected Data Encryption Key (DEK). A contract for order processing in accordance with Article 28 GDPR has been concluded with Hetzner.

Compute-intensive tasks (sanctions list imports, entity resolution, index construction) run on a separate server, also located in Germany. This server connects to the databases we maintain on servers operated by Hetzner Online GmbH via an encrypted tunnel. The compute server has no access to customer data — technical isolation is enforced through database column-level access controls and container-level separation. The compute server processes only publicly available sanctions list data.

4. Visiting Our Website

4.1 Server log files

When you visit our website, the hosting server automatically collects the following technically necessary information: date and time of access, browser type and browser version, operating system, IP address, referrer URL, file accessed, and status code.

This data is not merged with other data sources or evaluated for marketing purposes. The legal basis is Article 6(1)(f) GDPR.

4.2 Cookies

This website only uses cookies that are absolutely necessary to provide the service you have expressly requested. Consent is not required for this in accordance with Section 25 (2) No. 2 TDDDG. Insofar as personal data is processed in this context, the legal basis is Article 6 (1) (f) GDPR.

5. Use of the Application

5.1 Registration and user account

Registration is required to use the screening application. The data you provide will be processed. The legal basis is Article 6(1)(b) GDPR.

5.2 Screening processes and uploaded data

As part of the screening processes, the application processes the data transmitted by users exclusively for the purpose of comparing it with sanctions lists. This processing takes place on the Hetzner servers at the Nuremberg site. All screening data is encrypted at rest using AES-256-GCM. With regard to this data, 123sanctions.eu acts as a processor (see section 2.2 lit. b).

6. Transfers to Third Countries

6.1 Principle: Customer data remains in Germany

All customer data — including registration data, screening queries, uploaded files, and screening results — is processed and stored exclusively in Germany on servers belonging to Hetzner Online GmbH in Nuremberg. Customer data is not transferred to third countries at any point.

This is ensured through a three-layer technical isolation architecture:

6.2 AI processing of public sanctions list data

For certain functions — entity resolution, decision summaries, newsletter generation, and the chat assistant — publicly available government sanctions list data (names, aliases, dates of birth, nationalities, identification numbers) is transmitted to Anthropic, PBC (San Francisco, USA). No customer names, screening queries, or screening results are ever sent to Anthropic. The data transmitted consists exclusively of information published by government authorities on official sanctions lists.

(a) Legal basis

The processing is based on Article 6(1)(f) GDPR (legitimate interest). The data transmitted is published by government authorities for the express purpose of public dissemination and compliance enforcement. The legitimate interest lies in improving the quality and accuracy of the sanctions database through AI-assisted processing.

(b) Transfer mechanism

The transfer is based on the adequacy decision of the European Commission for the EU-US Data Privacy Framework (DPF) and, additionally, on the Standard Contractual Clauses (SCCs) approved by the European Commission in accordance with Art. 46(2)(c) GDPR, which are part of the Data Processing Addendum (DPA) concluded with Anthropic.

(c) Supplementary protective measures

We have conducted a Transfer Impact Assessment (TIA) in accordance with the recommendations of the EDPB (Recommendations 01/2020) and implemented the following supplementary technical and organizational measures:

(d) Contractual guarantees

Anthropic has contractually committed itself under the DPA not to use the data for its own purposes (in particular, not for training AI models) and to comply with the requirements of the GDPR. Anthropic has SOC 2 Type II attestation and ISO/IEC 42001:2023 certification.

(e) Note on legal developments

We continuously monitor legal developments in the area of transatlantic data transfers and adapt our transfer mechanisms and protective measures as necessary, particularly with regard to the continued validity of the EU-US Data Privacy Framework.

7. Contact

When you contact us by email or letter, the data you provide will be processed solely for the purpose of handling your request. The legal basis for this is Article 6(1)(b) of the GDPR.

8. Online Presence in Social Media

We may maintain an online presence on social networks. These can only be accessed via external links. The data processing that takes place there is subject to the data protection regulations of the respective providers.

9. Processing of Data of Sanctioned Persons

9.1 Subject matter and origin of the data

As part of sanctions list screening, 123sanctions.eu processes personal data of persons, organizations, and institutions that are included in sanctions lists. This data comes from publicly available sources, in particular the so-called sanctions lists, which are available in various electronic formats via official data portals.

9.2 Purpose of processing

The processing of this data serves to fulfill the legal obligation to continuously check contractual and business partners against sanctions lists. This obligation to check applies to all economic operators. Against the backdrop of the rapidly growing scope of sanctions lists, the use of technical software solutions is regularly necessary. The structured collection and searchability of data on sanctioned persons is in the legitimate interest of our users in order to be able to fulfill these legal obligations with reasonable effort.

Note: 123sanctions.eu provides a free usage plan that gives small businesses and individuals access to automated sanctions checks against numerous sources, including hit notifications and time-controlled recurring checks. Economic sanctions are only effective if they are actually complied with. Access to powerful screening tools should therefore not be a privilege reserved for large companies with corresponding compliance budgets. 123sanctions.eu thus contributes to the effective enforcement of sanctions objectives and supports representatives of civil society, public authorities, and sanctions legislators.

For information on the AI-assisted processing of publicly available sanctions list data (entity resolution, decision summaries), see section 6.2.

9.3 Legal basis

The processing of data relating to sanctioned persons by 123sanctions.eu is based on Article 6(1)(f) GDPR. The legitimate interest arises from the need to enable our users to comply with sanctions regulations, including the relevant EU regulations, the Foreign Trade Act (AWG) and the Sanctions Enforcement Act (SanktDG).

9.4 Applicability of the GDPR and data subjects

Although legal entities themselves are not considered data subjects within the meaning of the GDPR, the data of the natural persons behind them—such as managing directors, legal representatives, or beneficial owners—fall within the scope of application insofar as they are processed in the screening process. According to this, "personal data" includes all information relating to an identified or identifiable natural person.

As the controller within the meaning of Art. 4 No. 7 GDPR, we ensure proper, in particular transparent and purpose-specific data processing in accordance with Art. 5 (1) GDPR. This applies regardless of whether the sanctions list screening is carried out manually or using automated procedures.

9.5 Storage period and de-listing

The storage of data on sanctioned persons is also necessary because de-listing processes require historical traceability. Whether a sanctions violation constitutes a criminal or administrative offense is determined by the version of the sanctions regulations applicable at the time of the offense, as the lex mitior rule pursuant to Section 30 AWG expressly does not apply. The data will be deleted as soon as it is no longer required for the purpose of sanctions list screening.

9.6 Rights of sanctioned persons concerned

Sanctioned persons may assert their rights under Art. 15 et seq. GDPR. If you wish to notify us of any changes or updates or request information about your data protection rights, please contact us at the address given in section 1. Please note that the exercise of individual rights—in particular the right to erasure—may be restricted if processing is still necessary to fulfill legal obligations or to safeguard legitimate interests (Art. 17 (3) GDPR).

10. Processing of Data of Politically Exposed Persons (PEP)

10.1 Subject matter and origin of the data

Politically exposed persons (PEPs) are natural persons who hold or have held a high-level public office at international, European, or national level within the last year, as well as their immediate family members and known associates (Sections 1 (12), (13), (14) GwG). 123sanctions.eu processes personal data of PEPs obtained from publicly available sources, in particular from official PEP databases, public office directories, and government publications.

10.2 Purpose of processing

The processing serves to fulfill the due diligence obligations under money laundering law. Obligated parties within the meaning of the GwG must determine, within the framework of customer identification, whether a contractual partner or its beneficial owner is a politically exposed person (Sections 10 (1) No. 4, 15 (3) GwG). If the result is positive, enhanced due diligence obligations must be applied. Given the scope of the groups of persons to be checked, in practice this check can usually only be carried out efficiently using automated technical solutions, similar to the sanctions list check. The structured collection and searchability of PEP data is in the legitimate interest of our users in order to be able to fulfill these legal obligations efficiently.

10.3 Legal basis

The processing of PEP data by 123sanctions.eu is based on Article 6(1)(f) GDPR. The legitimate interest arises from the need to enable our users to comply with their due diligence obligations under the GwG and Directive (EU) No. 2015/849 (Money Laundering Directive).

For users of our platform who are themselves obligated parties within the meaning of Section 2 GwG, the processing may also be based on Article 6(1)(c) GDPR (legal obligation), as the GwG expressly requires PEP checks.

10.4 Data subjects

Unlike the sanctions list check, PEP processing only affects natural persons who are recorded on the basis of their public office. Classification as a PEP does not constitute a negative assessment of the data subject, but serves exclusively for risk classification within the framework of due diligence obligations under money laundering law.

10.5 Storage period

PEP data is stored for as long as the data subject is classified as a PEP. Reference is made to Section 1 (12) GwG. The data is deleted as soon as it is no longer required for the purpose of the PEP check.

10.6 Rights of data subjects

PEPs can assert their rights under Art. 15 ff. GDPR. The restrictions mentioned in section 9.6 apply accordingly.

11. Your Rights

As a data subject, you have the following rights in particular:

The competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Germany.

As of: March 2026