Personal Data Processing and Protection Policy
The company AML solutions s.r.o., ID No.: 106 91 766, with its registered office at Na Strži 1702/65, 140 00 Prague 4, registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 346730 (hereinafter referred to as the “Controller”), as the operator of the online database/application “PEP check” available at https://www.pepcheck.cz, the purpose of which is to determine a possible match between a person entered by the user and a person who is, according to available information, considered to be a politically exposed person pursuant to Act No. 253/2008 Coll., on certain measures against money laundering and terrorist financing, as amended (hereinafter referred to as the “AML Act”), and a so-called sanctioned person pursuant to Act No. 69/2006 Coll., on the implementation of international sanctions, as amended (hereinafter referred to as the “Application”), processes personal data of its clients, politically exposed persons, and sanctioned persons (hereinafter referred to as “Data Subjects”) in accordance with applicable legal regulations, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), hereinafter referred to as the “GDPR Regulation”.
For the purpose of providing complete information regarding the processing of personal data of Data Subjects, the Controller issues this Personal Data Processing and Protection Policy (hereinafter referred to as the “Policy”):
1. Controller of personal data
AML solutions s.r.o.,
ID No.: 106 91 766
with its registered office at Na Strži 1702/65, 140 00 Prague 4
registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 346730
E-mail: info@amlsolutions.cz
2. Scope of processed personal data
As a data controller, the Controller processes the following personal data about clients who are natural persons as Data Subjects:
- Identification data: first name, last name, date of birth, address of residence, ID No.;
- Contact details: phone number, e-mail address;
- Data concerning the client’s solvency: data regarding creditworthiness and trustworthiness;
- Banking information: account number, payment card number, bank code, IBAN, SWIFT;
- Data on contract performance: information on payments, any delay, the amount of debt past due;
- Identification data of your device: IP/MAC address;
- Information about your behavior on the website (using so-called cookies).
The Controller also processes the data listed in this Article about natural persons who act as statutory or supervisory bodies of clients, as well as natural persons who own clients.
Regarding natural persons who are politically exposed persons within the meaning of Section 4 (5) of the AML Act and the FAU (Financial Analytical Office) Methodical Guideline No. 7, intended for obliged persons under Section 2 of Act No. 253/2008 Coll., MEASURES AGAINST POLITICALLY EXPOSED PERSONS, the Controller processes the following personal data:
- First name and last name, including academic titles (if any);
- Date of birth;
- Data from which the status of a politically exposed person within the meaning of the AML Act arises;
- Photograph;
- Data on the possible application of international sanctions under Section 2 of Act No. 69/2006 Coll., on the implementation of international sanctions, as amended, against a politically exposed person.
All personal data concerning politically exposed persons are obtained exclusively from publicly available sources, i.e., they are publicly traceable via remote access, and these sources are listed in the output of the politically exposed person search. Primarily, public registers and lists maintained on the basis of law and published as open data under Section 5a of Act No. 106/1999 Coll., on Free Access to Information, as amended, are used to obtain this data.
Information on the application of international sanctions is drawn from:
- the currently valid consolidated list of persons, groups, and entities subject to European Union sanctions under the EU Sanctions Map (www.sanctionsmap.eu),
- the currently valid Government Regulation No. 210/2008 Coll., implementing special measures to combat terrorism,
- the currently valid national sanctions list pursuant to Act No. 1/2023 Coll., on restrictive measures against certain serious acts applied in international relations,
- currently valid selected decisions of the United Nations Security Council in accordance with Section 8d (2) of Act No. 69/2006 Coll., on the implementation of international sanctions, and a general measure of the Financial Analytical Office issued pursuant to Section 8d of this Act.
3. Purpose of processing, legal basis, and processing period
- The Controller processes personal data provided by Data Subjects in order to carry out the business relationship related to granting permission to use the Application and related services, and also for sending marketing communications and offering our services on the basis of our legitimate interest in developing our business, products, and services.
- The personal data of Data Subjects may be processed on the following grounds:
- Compliance with the Controller’s legal obligations laid down by legal regulations, in particular the Accounting Act, tax regulations, and the Act on certain measures against money laundering and terrorist financing, and other related regulations, for the period arising from a specific legal regulation;
- Performance of contractual obligations arising from the existence of a relationship between the Controller and the Data Subject in the provision of services to the Data Subject (in particular, data necessary for the provision of legal services), for as long as necessary to provide the service in question;
- Legitimate interest of the Controller or a third party, which includes the protection of the rights and legal claims of the Controller. On this basis, personal data of the Data Subject are processed for the purposes of protecting the rights and legal claims of the Controller, to the necessary extent for 10 years from the date the client’s legal relationship with the Controller ends. Personal data of politically exposed persons are processed without the Data Subject’s consent on the basis of Recital 47, Article 6(1)(e) and (f), Article 17(3)(a) of the GDPR Regulation and Article 43 of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, and it is done in the public interest and in the interest of protecting the legitimate interest of the Controller and obliged persons under the AML Act in obtaining information about politically exposed persons for the purpose of preventing the laundering of proceeds of crime, terrorist financing, and fulfilling obligations under the AML Act and other legal regulations governing this area. Data regarding the application of international sanctions are processed on the basis of Section 10 of Act No. 69/2006 Coll. in conjunction with Recital 47, Article 6(1)(e) and (f), Article 17(3)(a) of the GDPR Regulation.
- Consent of the Data Subject, for the period defined in the consent of the Data Subject. With the Data Subject’s consent, the Controller processes personal data to the extent and for the purpose arising from the specific consent granted. The Data Subject gives consent voluntarily and of his or her free will. Not providing consent does not in any way prejudice the Data Subject, nor may the Controller disadvantage him or her because of it. If the Data Subject withdraws consent or it is no longer necessary to continue processing his or her personal data, such data is immediately erased.
4. Transfer of personal data
- The Controller does not share the Data Subject’s personal data with another entity unless permitted to do so by law or the Policy. Personal data may be transferred to third parties on the basis of a legal obligation or at the request of a public authority that has the statutory power to require the transfer of the personal data in question.
- The Controller uses other entities – suppliers – to fulfill its legal obligations, who are primarily bound by contractual arrangements with the Controller to process the Data Subject’s personal data and who provide adequate guarantees of personal data protection, mainly on the basis of contractual arrangements with the Controller.
- Personal data of Data Subjects are, within the meaning of the above, transferred to:
- Persons providing legal, tax, and accounting advice;
- IT experts and companies providing the management and maintenance of the Controller’s information technologies, particularly the Application;
- Persons providing the recovery of the Controller’s claims.
- Processed personal data of politically exposed persons is disclosed to third parties solely for the purpose of preventing the laundering of proceeds of crime and terrorist financing within the meaning of the AML Act, and may not be further processed in a manner incompatible with these purposes. In order to reduce the risk of misuse of this data for other purposes, access to the data is subject to a fee. The Controller discloses the personal data of a specific politically exposed person only on the basis of an individualized request (entering the first name, last name, or possibly the date of birth of a specific politically exposed person); access to the complete database of politically exposed persons is not allowed.
- The Controller respects the principles of the Data Subject’s personal data protection and carefully ensures and verifies that those to whom it transfers the Data Subject’s personal data are bound to comply with all rules of personal data protection, in particular not to disclose it to other persons, not to misuse it and/or otherwise handle it unlawfully.
5. Rights of the Data Subject
- In connection with the processing of personal data, the Data Subject has the following rights:
- Right to information
The Data Subject has the right to be informed about the processing of personal data concerning him or her. This information includes the Controller’s contact details, the purpose and legal basis of the processing, information about its legitimate interests, about the recipients of personal data, the period of retention of personal data, all rights of the Data Subject, the reason for providing personal data, as well as information on any transfer of personal data to third countries outside the European Union and, if applicable, information on whether automated decision-making, including profiling, is carried out.
- Right of access to personal data
The Data Subject also has the right to request the Controller to inform him or her whether any personal data is being processed, and if so, which data. Of course, the Data Subject may request specific data or a complete overview of all personal data.
The Controller provides the first copy of the requested information completely free of charge.
- Right to rectification or completion
If the Controller processes inaccurate, incorrect, or incomplete personal data about the Data Subject, the Data Subject has the right to request the Controller to correct or complete them.
In order for the Controller to be able to carry out such correction or completion, it must verify whether the personal data currently being processed are accurate or complete.
- Right to erasure
The Data Subject may exercise this right with the Controller if:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws his or her consent on the basis of which the personal data were processed and there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for processing;
- the personal data have been processed unlawfully;
- the personal data must be erased to comply with a legal obligation;
- the personal data have been collected in connection with the offer of information society services pursuant to Article 8(1) of the GDPR Regulation.
As soon as the Controller verifies that all conditions for complying with the request for erasure of personal data are met, the Data Subject’s personal data will be erased.
- Right to restrict processing
This right allows the Data Subject to ask the Controller to restrict the processing of his or her personal data in the following cases:
- the Data Subject contests the accuracy of his or her personal data, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise, or defense of legal claims;
- if the Data Subject has objected to the processing, pending verification of whether the Controller’s legitimate grounds override those of the Data Subject.
If the Controller restricts processing based on the above, the Controller may process the Data Subject’s personal data, with the exception of storage, only with his or her consent, or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State. In such a case, the Controller will inform the Data Subject in advance that the restriction will be lifted.
- Right to data portability
By exercising this right, the Data Subject can obtain from the Controller his or her personal data that he or she provided to the Controller, in a structured, commonly used, and machine-readable format, and at the same time transfer this data to another controller.
At the same time, the Data Subject is entitled to ask the Controller to transfer his or her personal data directly to another controller, in a structured, commonly used, and machine-readable format, if technically feasible.
The Data Subject has the right to data portability only if the data is processed:
- automatically; and simultaneously
- on the basis of the Data Subject’s consent or on the basis of fulfilling contractual obligations.
It follows from the above that not all data that the Controller has about the Data Subject can be transferred to another controller using the above procedure.
- Right to withdraw consent to the processing of personal data
If the Controller processes the Data Subject’s personal data based on the consent given, the Data Subject has the right to withdraw this consent at any time. Withdrawal of consent to the processing of personal data does not need to be justified in any way. However, withdrawal of consent does not affect the lawfulness of the processing of personal data that took place after consent was given and before its withdrawal.
Unless there is another legal basis for processing, the Controller will immediately erase the Data Subject’s personal data after withdrawal of consent.
- Right to object
The Data Subject has the right to object to the processing of his or her personal data for the purposes of the Controller’s legitimate interest.
Unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims, it must stop processing the Data Subject’s personal data.
- Right to lodge a complaint with a supervisory authority
If the Data Subject believes that the processing of his or her personal data is or has been in violation of the legal regulations governing personal data protection, he or she may lodge a complaint with the supervisory authority.
In the Czech Republic, the competent supervisory authority is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, website: https://www.uoou.cz.
- All of the above rights of the Data Subject apply even after the legal relationship with the Controller has ended.
- The Data Subject may exercise all of the above rights in the following ways:
- By e-mail to the e-mail address info@amlsolutions.cz;
- In writing at the Controller’s registered office at Na Strži 1702/65, 140 00 Prague 4.
- To ensure adequate protection of personal data and the rights of the Data Subject and to prevent abuse by other persons, the Controller must verify the Data Subject’s identity.
- If the Data Subject cannot be identified from the information provided in the request to exercise his or her rights, the Controller is entitled to request additional information that would allow the Controller to sufficiently verify the Data Subject’s identity. If the Data Subject still cannot be identified even after providing additional information, the Controller cannot comply with the Data Subject’s request.
- The Controller processes all requests received without undue delay, no later than one month from their receipt. If it is not possible to process the Data Subject’s request within this period (in particular due to the complexity of the request), the Controller is entitled to extend the period for processing the request by up to two months. The Controller will inform the Data Subject of this fact, along with the reason for extending the period, within one month of receiving the request.
- If the Controller concludes that the request does not meet the above requirements for a positive response, it is entitled to refuse the request, informing the Data Subject of the reasons for refusal. In such a case, the Data Subject is entitled to lodge a complaint with the supervisory authority (see above in Art. 5, paragraph 5.1, letter (i) of the Policy) and/or to request judicial protection from the general courts.
- If the Controller complies with the request, it will take appropriate measures based on this decision and inform the Data Subject thereof.
6. Protection of personal data
- The Controller’s priority is to protect the Data Subject’s personal data against unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfer, other unauthorized processing, as well as other misuse of the Data Subject’s personal data.
- If it is found that personal data security has been breached or there is a suspicion that such security has been breached, the Controller will assess whether a breach of security has actually occurred, evaluate its severity, and according to the severity (no risk, low risk, high risk), inform the Data Subject and the supervisory authority, which is the Office for Personal Data Protection, as necessary.
- For this purpose, the Controller has adopted appropriate technical and organizational measures, including internal staff training on handling personal data. The Controller regularly tests, checks, and verifies all personal data security measures for their currency, adequacy, and appropriateness.
- The Controller also carries out random checks and audits of its suppliers, to whom it has disclosed the Data Subject’s personal data, in order to verify their compliance with personal data protection.
- At the same time, all employees of the Controller, as well as all its suppliers and their employees, are contractually and/or legally bound by confidentiality regarding all information and personal data that have been made available to them.
7. Useful contacts
AML solutions s.r.o.,
ID No.: 106 91 766
with its registered office at Na Strži 1702/65, 140 00 Prague 4
registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 346730
E-mail: info@amlsolutions.cz
Office for Personal Data Protection
Registered office: Pplk. Sochora 27, 170 00 Prague 7
E-mail: posta@uoou.cz
Telephone: +420 234 665 111
Website: https://www.uoou.cz