Privacy Policy

Our privacy policy explains why and how we process data, what third parties are involved and what rights the subjects of our data processing have.

I. Introduction and terms

1. GENERAL

OpenSanctions operates a platform that brings together the most relevant sanctions lists, as well as databases on politically exposed persons and persons of public interest, into a single, easy-to-use dataset. The data and the code used to create it are provided for public download. The use for non-commercial purposes, especially for journalistic purposes, does not require any further contract and is also possible free of charge. On the other hand, commercial use by companies within the scope of their business operations (either internally or in a product) requires the conclusion of a license agreement for which a fee is charged. By operating OpenSanctions and the website with the URL https://www.opensanctions.org (hereinafter referred to as the "Website"), we process personal data. These are treated carefully by us and processed in accordance with the applicable laws - in particular the German Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG).

With these data protection provisions, we want to inform you about what personal data we collect from you, for what purposes and on what legal basis we use it and, if applicable, to whom we disclose it. In addition, we will explain to you what rights you have to protect and enforce your data privacy.

2. TERMS

Our privacy policy uses technical terms from the GDPR and the BDSG. To make it easier to follow, we explain these terms in plain language first:

2.1 Personal data

"Personal data" is any information relating to an identified or identifiable individual (Art. 4 No. 1 GDPR). Information about an identified person can be, for example, the name or the email address. However, personal data is also data for which the identity is not immediately apparent, but can be determined by combining one's own information or that of others and thus finding out who it is. A person can be identified, for example, by their address or bank details, date of birth or user name, IP addresses and/or location data. Relevant here is all information that in any way allows a conclusion to be drawn about a person.

2.2 Processing

Article 4 No. 2 GDPR understands a "processing" to be any operation in connection with personal data. This applies in particular to the collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or other form of making available, alignment or combination, restriction, erasure or destruction of personal data.

II. Person responsible and data protection officer

3. RESPONSIBLE

Responsible for data processing is:
Company: OpenSanctions / Friedrich Lindenberg ("we")
Address: Schonensche Str. 43, 13189 Berlin
E-Mail: info@opensanctions.org

4. DATA PROTECTION OFFICER

Our company is not obliged to appoint a company data protection officer. For questions and concerns regarding data protection on our website and in our you can contact us via the aforementioned contact details.

III. Processing Framework

5. PROCESSING FRAMEWORK: OPERATION OF OPENSANCTIONS (CONTRACT & WEBSITE).

In the course of operating OpenSanctions and the associated website, we process the personal data listed in detail below in Section IV. In doing so, we distinguish between website visitors or customers, on the one hand, who use the OpenSanctions offering (hereinafter referred to as "Users") and individuals, on the other hand, whose data is reflected in the OpenSanctions database (hereinafter referred to as "Individuals in the OpenSanctions Database").

We only process data of users that they actively provide on the website (e.g. when concluding a contract or by filling out forms) or that they automatically provide when using our offer. User data is processed exclusively by us and is not sold, lent or passed on to third parties.

We have not collected the data of persons in the OpenSanctions data set ourselves. They originate from official governmental, suprastate or international public sources. These sources are listed in detail here: https://www.opensanctions.org/datasets/. They are viewable and searchable by the public on our website, and can be downloaded and used in accordance with our Terms of Use.

If we use the help of external service providers for the processing of personal data, this is done within the framework of so-called commissioned processing, in which we as the client are authorized to issue instructions to our contractors. To operate our website, we use an external service provider for hosting. We host our website with the external provider Vercel, Inc. (address: 340 S Lemon Ave #4133 Walnut, CA 91789, USA, https://vercel.com/) at the data center location Global, edge runtime in Frankfurt a.M. Germany. If further external service providers are used for individual processing operations listed in section IV, they will be named there.

We do not transfer data to third countries and do not plan to do so. We will provide information about exceptions to this principle in the processing operations described below. Any data transfer to third countries will then take place on the basis of the so-called EU standard contractual clauses.

IV. Processing in detail

6. OPENSANCTIONS DATABASE

6.1 Description of processing

The core service of OpenSanctions is to bring together the most relevant sanctions lists, as well as databases on politically exposed persons and persons of public interest, into a single, easy-to-use dataset and publish them on the platform.

The data of individuals in the OpenSanctions dataset are not collected by us. They come from official government, suprastate, or international agencies. These agencies and organizations have created and published the datasets. They contain data on legal entities as well as on natural persons. We only use the data within the framework of our portal. The sources included on OpenSanctions are listed in detail here: https://www.opensanctions.org/datasets/. The data from the various sources are combined by us in a database, consolidated and, for example, cleansed of duplicates. They are viewable and searchable by the public on our website, and can be downloaded and used according to our terms of use. We process the following information about individuals in the OpenSanctions record: first name, last name and, if applicable, title, address, passport number, nationality, data source, sanctioning authority, background text. OpenSanctions also assigns an ID number for each record and specifies the source(s) from which a record originated.

We host the OpenSanctions dataset in the Google Cloud (Company: Google Cloud EMEA Limited, address: Velasco, Clanwilliam Place, Dublin 2, Ireland, https://cloud.google.com/) in the Frankfurt data center location. When visiting our website, no data exchange takes place between the user's terminal device and the Google Cloud. Rather, our website accesses the database and generates static web pages from it. These are delivered to the users by the servers used by our hosting service provider Vercel.

6.2 Purpose

The processing is done in order to provide the public with a central user-friendly platform for international sanctions, politically exposed persons or persons of public interest. Additionally, our project is intended to create transparency in an area that is confusing and difficult for civil society to access due to a multitude of different sanctions lists and other data sources. Furthermore, OpenSanctions promotes compliance and control of sanctions and facilitates the fight against corruption. For journalists, the platform serves as a research tool. For companies, it serves as a tool for sanctions control/sanctions list checks and thus for compliance with legal requirements, such as foreign trade, export control or money laundering prevention.

6.3 Legal basis

Processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) GDPR). Our legitimate interest is the purpose named in 6.2. With regard to the journalistic purposes as a research aid, we also invoke the media privilege from Art. 85 GDPR in conjunction with §19 of the Berlin Data Protection Act (BlnDSG).

6.4 Storage period and deviating data subject rights

The data of individuals in the OpenSanctions data set will be published on OpenSanctions for as long as they are in the corresponding published source. If an individual has been removed from a sanctions list, for example, he or she will also be removed from the OpenSanctions database in the course of OpenSanctions' regular reconciliation with these third-party sources.

Notwithstanding Section 16 of this Privacy Policy, we specifically ask individuals in the OpenSanctions dataset to submit claims for correction or deletion directly to the official governmental, supra-governmental or international bodies that maintain the relevant lists. Further information and contact options regarding the respective listing bodies can be found here.

6.5 Recipients and transfer to third countries

With its publication on the Internet, the data is accessible worldwide and can be viewed, accessed and used by anyone without restriction (i.e. in particular by any third party worldwide). The data records can also be found using search engines. The data can be downloaded not only by users of OpenSanctions. We would like to point out that data available on the internet can be easily copied and redistributed by third parties.

7. CONTRACT

7.1 Description of processing

In the course of concluding and fulfilling the contract for the commercial use of OpenSanctions by companies in the course of their business operations, we process personal data of our contractual partners. This regularly involves the following data: Company, address, bank details, as well as for our contact persons: salutation, first and last name, e-mail address, telephone number (landline and/or mobile).

7.2 Purpose

The data processing is carried out for the proper fulfillment and processing of the user contract. In addition, we require the data for your identification as a contractual partner, for correspondence with you, for the billing of our services, for the settlement of any existing liability claims and the assertion of any claims against you.

7.3 Legal basis

The data processing is necessary for the conclusion and execution of the contract according to Art. 6 para. 1 p. 1 lit. b GDPR. Without the data mentioned in section 7.1, we are unable to process your application and fulfill obligations arising from the contract.

7.4 Storage period

We delete the data as soon as they are no longer required to achieve the purpose for which they were collected. The personal data collected and processed by us in the context of the conclusion of the contract and its execution will be stored until the expiry of the legal obligation to retain data and then deleted, unless we are obliged to store it for a longer period in accordance with Article 6 (1) sentence 1 lit. c GDPR due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO) or you have consented to storage beyond this in accordance with Article 6 (1) sentence 1 lit. a GDPR.

7.5 Recipients

As a matter of principle, we will not pass on your personal data to third parties. However, data may be transferred to our external tax office in the context of our accounting.

8. PROVISION OF THE WEBSITE AND SERVER LOGFILES

8.1 Description of processing

Each time you visit the website, we automatically collect information that your browser transmits to our server. This is the following data:

  • IP address
  • the subpages called up on the website
  • the date and time the website was accessed
  • the country and location from which a user visited the website.

These are also stored in the so-called log files of our system. The temporary storage of your IP address by the system is necessary in order to deliver our website to a user's terminal device. For this purpose, the user's IP address must remain stored for the duration of the session. The IP address is only recorded in the log files shortened by the last three digits.

8.2 Purpose

The processing is carried out to enable the website to be called up and to ensure its stability and security. In addition, the processing serves the statistical evaluation and improvement of our online offer.

8.3 Legal basis

The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 8.2.

8.4 Storage period

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. Deletion of the log files takes place after 90 days.

9. COOKIES AND OTHER TRACKING TECHNOLOGIES

9.1 Description of processing

Our website uses cookies. Cookies are small text files that are stored on the user's terminal device when visiting a website. Cookies contain information that enables the recognition of a terminal device and possibly certain functions of a website. We distinguish between our own cookies and external, so-called third-party cookies. So-called "session cookies" and "persistent cookies" are used on our site. "Session cookies" are automatically deleted when you end your Internet session and close the browser. Persistent cookies remain stored on your terminal device for a longer period of time. In addition to cookies, we also use other tracking technologies, such as pixels or so-called fingerprinting. If cookies are technically necessary for the operation of our site, your consent is not required for this. All other cookies and tracking technologies that are not technically necessary are only set after you have actively consented to the use of cookies/tracking technologies via our Consent Tool.

We use a tool we developed ourselves to obtain and document consent. The Consent Tool itself stores your selection in a cookie on your terminal device. This means that you do not need to make a decision about cookies again on a subsequent visit to our website. You can find out which cookies are used on our website for which purpose, how long they are stored on your end device and which consents you may have already declared in the settings of your browser.

9.2 Purpose

We use cookies to make our website more user-friendly and to offer the functions described in section 9.1.

9.3 Legal basis

With regard to technically required cookies and the use of the Consent Tool, the processing is necessary to protect the overriding legitimate interests of the responsible party (Art. 6 para. 1 lit. f GDPR in conjunction with § 25 para. 2 TTDSG). Our legitimate interest lies in the purpose named in section 9.2. For processing with regard to all other cookies/tracking technologies, i.e. those that are not technically necessary, the legal basis is consent (Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG). Such consent is voluntary.

9.4 Storage period, revocation of consent

Cookies are automatically deleted at the end of a session or at the end of the specified storage period. Since cookies are stored on your terminal device, you as the user have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transfer of cookies. Cookies that have already been stored can be deleted. This can also be done automatically. If cookies are deactivated, deleted or restricted for our website, it may be that individual functions of our website cannot be used or can only be used to a limited extent. You can revoke any consent you may have given for the use of cookies at any time in the settings of your browser with effect for the future.

9.5 Recipients

When third-party cookies are used, data may be transmitted to the corresponding providers of these third-party services. Here, a transfer to third countries outside the European Union or the European Economic Area may also occur. We provide information about the recipients of data and the transfer to third countries in the settings of the Consent Tool or in the corresponding passage for the third-party service in this Privacy Policy.

10. CONTACT BY E-MAIL

10.1 Description of the processing

You can also contact us via the e-mail addresses provided on the website. In this case, the personal data transmitted with the e-mail will be processed by us.

10.2 Purpose

The data transmitted with and in your e-mail will be used exclusively for the purpose of processing and responding to your request.

10.3 Legal basis

The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose named in section 10.2. If the e-mail contact is aimed at the conclusion or fulfillment of a contract, the data processing is carried out for the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR).

10.4 Storage period

We delete the data as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case when the respective communication with you has ended. The communication is terminated when it can be inferred from the circumstances that your concern has been conclusively clarified. If legal retention periods prevent deletion, the data will be deleted immediately after the expiry of the legal retention period.

11. CUSTOMER AND CONTACT MANAGEMENT

11.1 Description of processing

To manage customer inquiries, sales and contract management, we use the CRM suite HubSpot (provided by HubSpot, Inc., 25 First Street, Cambridge, MA 02141 USA, Privacy Policy). The data is managed on European servers provided by HubSpot.

11.2 Purpose

The data you submit will be used solely for the purpose of processing and responding to your request. Statistical information on sales processes and relevant inquiries is also collected for analysis purposes.

11.3 Legal basis

The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 (1) f GDPR). Our legitimate interest lies in the purpose named in section 10.2. If the contact is aimed at the conclusion or fulfillment of a contract, the data processing is carried out for the fulfillment of the contract (Art. 6 para. 1 lit. b GDPR).

11.4 Storage period

We delete the data as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case when the respective communication with you has ended. The communication is terminated when it can be inferred from the circumstances that your concern has been conclusively clarified. If legal retention periods prevent deletion, the data will be deleted immediately after the expiry of the legal retention period.

12. PAYMENT PROCESSING

To process payments for commercial services (e.g., data subscriptions, API fees, or one-time payments), we use the payment processor Stripe.com. Upon completion of such a payment transaction, you will be redirected to Stripe's website, which is subject to a further Privacy Policy.

Accounting information and details of the customer base are also managed on the portal LexOffice.de, operated by Haufe Service Center GmbH (Munzinger Straße 9, 79111 Freiburg, Germany, privacy policy).

13. SOCIAL NETWORKS

13.1 Description of processing

Our website does not use any so-called social media plugins. The Twitter and LinkedIn logos displayed on our website are merely linked to the corresponding profiles of our company on the social networks. A data transfer to the social networks does not take place with the integration of the logos. If you click on one of the logos, you will only be redirected to the external website of the respective social network. However, our profiles within the social networks do constitute data processing. If you are logged in to the respective social network when you visit such a profile, this information will be assigned to your user account there. If you interact with our profile, e.g. comment, "share", "like" or "retweet" a post, this information will also be stored in your user account. As a rule, your interactions with our profile can also be viewed by us.

On the social network LinkedIn, we have the possibility to obtain statistical data about the use of our LinkedIn profile via the so-called "Insights" function. The social networks with which you communicate store your data using pseudonyms as usage profiles and use them for advertising purposes and market research. For example, you may be shown advertisements within the social network and on other third-party websites that match your presumed interests. For this purpose, cookies are usually used, which the social network stores on your terminal device. You have the right to object to the creation of these user profiles, for the exercise of which you must contact the social networks directly.

13.2 Purpose

We maintain profiles on the aforementioned social networks for the purpose of public relations and corporate communication with customers and interested parties. We use the "Insights" function of LinkedIn to evaluate the reach of our posts on the social network and to make them more appealing to our visitors in the future.

13.3 Legal basis

The legal basis for data processing in the context of our profiles on social networks is the protection of our overriding legitimate interests (Art. 6 (1) lit. f GDPR). Our legitimate interest lies in the purpose named in section 12.3. If you are asked for consent by the respective operator of a social network, the legal basis is Art. 6 (1) lit. a GDPR. With regard to our presences on Twitter and LinkedIn, the data processing is otherwise carried out on the basis of joint responsibility pursuant to Art. 26 GDPR.

13.4 Recipients and transfer to third countries.

The respective social networks are operated by the companies listed below. For further information on data protection with regard to our profile on the social networks, please refer to the linked data protection provisions.

  • Twitter: Twitter Inc, 1355 Market St, Suite 900, San Francisco, California 94103, USA; privacy policy.
  • LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; privacy policy. The privacy agreement with LinkedIn can be found at www.linkedin.com/legal/l/dpa. The shared responsibility agreement can be viewed at legal.linkedin.com/pages-joint-controller-addendum.

The social networks also process your personal data in the USA.

14. GOOGLE ANALYTICS

14.1 Description of processing

Our website uses "Google Analytics", a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). Google Analytics uses cookies (see item 7.), which allow an analysis of your use of our offer. We use Google Analytics in the offered version "Universal Analytics", which allows this analysis across devices by assigning the data to a pseudonymous user ID. The information generated by the cookies is usually transferred to a Google server in the USA and stored there. However, we use Google Analytics exclusively with IP anonymization. This means that your IP address is shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The statistics generated by Google Analytics record in particular how many users visit our website, from which country or location the access takes place, which sub-pages are called up and via which links or search terms visitors reach our website. The user conditions of Google Analytics can be found at www.google.com/analytics/terms/de.html. An overview of data protection at Google Analytics is available at www.google.com/intl/de/analytics/learn/privacy.html. Google's privacy policy can be viewed at www.google.de/intl/de/policies/privacy.

14.2 Purpose

The processing takes place in order to be able to evaluate the use of our website. The information thus obtained is used to improve our online presence and to design it in line with requirements.

14.3 Legal basis

The processing is based on consent pursuant to Art. 6 (1) lit. a GDPR. This is obtained by us via the Consent Tool (see Section 9.1). Such consent is voluntary.

14.4 Storage period and right of objection, revocation of consent

We have explained the storage period, as well as your control and setting options for cookies in section 9.4. You can revoke the consent you have given with regard to Google Analytics at any time in the settings of the consent tool with effect for the future. Alternatively, you can object to data processing by Google Analytics at any time by downloading and installing the browser add-on offered by Google at tools.google.com/dlpage/gaoptout?hl=en. The analysis data processed and stored with Google Analytics will be automatically deleted by us after 14 months.

14.5 Recipients and transmission to third countries

According to the German data protection supervisory authorities (Data Protection Conference), Google Analytics is jointly responsible for data processing on our behalf. Against this background, we have also concluded the "Google Measurement Controller-Controller Data Protection Terms" with Google. Google also processes your personal data in the USA.

15. CONTENT DELIVERY NETWORK (CDN)

15.1 Description of processing

Our website uses so-called content delivery networks (CDN). CDNs have the effect of shortening the loading time of common JavaScript and CSS libraries, as well as image icons, because the files are transferred from fast, near-site or underutilized servers of external service providers. Another advantage compared to local storage of JavaScript and CSS libraries, as well as image icons on our server is that the files are regularly checked for security and kept up-to-date by the external service providers. We have included JavaScript and CSS libraries from the external service provider to implement some programming functions on our website. When you visit our website, a connection is established to the servers of the aforementioned external services and the JavaScript and CSS library, as well as image icons, are loaded into our website in the process. This transmits to the external service providers which website you have visited. Your IP address may also be transmitted. To prevent the execution of JavaScript altogether, you can install a JavaScript blocker in your browser.

15.2 Purpose

The processing takes place in order to shorten the loading time of our website and to be able to integrate JavaScript and CSS libraries, as well as image icons quickly and securely.

15.3 Legal basis

The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6 (1) (f) GDPR). Our legitimate interest lies in the purpose named in section 14.2.

15.4 Recipients and transfer to third countries

By integrating the JavaScript and CSS libraries, as well as image icons, your data will be transmitted to one of the following CDNs: Vercel CDN, operated by Vercel, Inc., 340 S Lemon Ave #4133 Walnut, CA 91789, USA.

V. Security measures

16. Security measures

To protect your personal data from unauthorized access, we have provided our website with an SSL or TLS certificate. SSL stands for "Secure Sockets Layer" and TLS for "Transport Layer Security" and encrypts the communication of data between a website and the user's terminal device. You can recognize active SSL or TLS encryption by a small lock logo displayed on the far left of the browser's address bar.

VI. Your rights

17. Data subject rights

With regard to the data processing by our company described above, you are entitled to the following data subject rights:

17.1 Information (Art. 15 GDPR).

You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR under the conditions set out in Art. 15 GDPR.

17.2 Correction (Art. 16 GDPR).

You have the right to request from us without undue delay the rectification of any inaccurate personal data concerning you and, where applicable, the completion of any incomplete personal data.

17.3 Deletion (Art. 17 GDPR).

You have the right to request that we delete personal data concerning you without undue delay, provided that one of the reasons listed in detail in Art. 17 GDPR applies, e.g. if your data is no longer required for the purposes we pursue.

17.4 Restriction of data processing (Art. 18 GDPR).

You have the right to request us to restrict processing if one of the conditions listed in Art. 18 GDPR applies, e.g. if you dispute the accuracy of your personal data. In that case, data processing will be restricted for the period of time that allows us to verify the accuracy of your data.

17.5 Data portability (Art. 20 GDPR).

You have the right, under the conditions set out in Art. 20 GDPR, to request that we hand over the data concerning you in a structured, common and machine-readable format.

17.6 Withdrawal of consent (Art. 7 (3) GDPR).

You have the right to revoke your consent at any time in the case of processing based on consent. The revocation applies from the time it is asserted. In other words, it has effect for the future. The processing therefore does not become unlawful retroactively as a result of the revocation of consent.

17.7 Complaint (Art. 77 GDPR).

If you believe that the processing of personal data concerning you violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may exercise this right at a supervisory authority in the EU member state of your place of residence, place of work or place of the alleged infringement.

17.8 Prohibition of automated decisions/profiling (Art. 22 GDPR).

Decisions which have legal effects concerning you or which significantly affect you must not be based solely on automated processing of personal data - including profiling. We inform you that we do not use automated decision-making, including profiling, with regard to your personal data.

17.9 Right to object (Art. 21 GDPR).

If we process personal data of yours on the basis of Art. 6(1)(f) GDPR (to protect overriding legitimate interests), you have the right to object to this under the conditions set out in Art. 21 GDPR. However, this only applies insofar as there are reasons arising from your particular situation. After an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms. We also do not have to stop processing if it serves the assertion, exercise or defense of legal claims. In any case - also regardless of a specific situation - you have the right to object at any time to the processing of your personal data for direct marketing.

Revised: November 2022
