This Data Processing Agreement (“DPA”) supplements the General Terms and Conditions of OpenSanctions Datenbanken GmbH – hereinafter referred to as the "Data Processor" – when the General Data Protection Regulation (EU) applies to certain customers – hereinafter referred to as the "Data Controller" and hereinafter collectively referred to as the "Parties".
1. Subject Matter
1.1 The subject matter of this Data Processing Agreement is to establish the data protection framework for the contractual relationship between the Parties.
1.2 The description of each specific task, including details of the task's scope, nature, purpose of data processing, types of personal data, and categories of data subjects, can be found in the annex under section 1.
2. Location of Data Processing
The contractually agreed data processing shall take place exclusively in a Member State of the European Union or another country party to the Agreement on the European Economic Area, unless otherwise specified in the annex. Any transfer of processing to a third country shall require the prior written consent of the Data Controller and shall only be carried out if the special conditions for transfers to third countries pursuant to Articles 44 ff. GDPR are met.
3. Duration
3.1 The Data Processor processes data for the duration it provides its services to the Data Controller. When the Data Controller cancels its OpenSanctions subscription, the Data Processor will cease to process the data. Because the Data Processor does not retain query data submitted to the hosted matching API beyond the period required to generate a response (see Annex section 1.1), there is in the ordinary course no residual personal data of the Data Controller to return or delete upon termination, save for operational logs subject to standard retention.
3.2 The Data Controller may terminate its subscription without notice if the Data Processor seriously breaches data protection regulations or the provisions of this Agreement. In particular, non-compliance with the obligations agreed in this Agreement and derived from Article 28 GDPR constitutes a serious breach.
4. Instructions
4.1 The Data Processor shall process personal data only within the scope of the contracts concluded between the Parties and the instructions given by the Data Controller. This shall not apply if the Data Processor is required to process the data by EU law or the laws of the Member State to which the Data Processor is subject. In such cases, the Data Processor shall inform the Data Controller of these legal requirements before processing, unless such notification is prohibited by the relevant law due to an important public interest.
4.2 If instructions alter, cancel, or supplement the specifications made in the annex to this Agreement, they shall only be valid if a corresponding new agreement is made in writing.
4.3 Regardless of the form in which it is issued, both the Data Processor and the Data Controller shall document every instruction from the Data Controller in written form; email is sufficient for this purpose. These instructions shall be retained for the duration of the Agreement and for three years thereafter.
4.4 The Data Processor shall promptly notify the Data Controller if, in the Data Processor's opinion, an instruction from the Data Controller violates legal provisions. In such cases, the Data Processor shall have the right, upon timely prior notice to the Data Controller, to suspend the execution of the instruction until the Data Controller has amended or confirmed the instruction. If the Data Processor can demonstrate that processing according to the Data Controller's instructions may result in the Data Processor's liability under Article 82 GDPR, the Data Processor shall be entitled to suspend further processing until the liability between the Parties has been clarified.
5. Support Obligations of the Data Processor
5.1 Given the nature of the processing, the Data Processor shall implement appropriate technical and organizational measures to assist the Data Controller in responding to requests from data subjects under Articles 12 to 22 GDPR.
5.2 Taking into account the nature of the processing and the information available to it, the Data Processor shall support the Data Controller in fulfilling its obligations under Articles 32 to 36 GDPR. Specifically, this includes ensuring the security of processing, reporting data breaches to the supervisory authority, notifying data subjects of breaches, conducting data protection impact assessments, and consulting the relevant supervisory authority.
5.3 If a data subject or supervisory authority contacts the Data Processor directly regarding personal data processed under this Agreement, the Data Processor shall promptly inform the Data Controller and coordinate further steps with them.
6. Audit Rights of the Data Controller
6.1 Upon request, the Data Processor shall provide the Data Controller with all necessary information to demonstrate compliance with the obligations set out in this Agreement and Article 28 GDPR. In particular, the Data Processor shall provide the Data Controller with information about stored data and data processing programs.
6.2 The Data Controller or third parties appointed by them are entitled to verify compliance with the obligations arising from this Agreement and Article 28 GDPR. Such audits shall be conducted no more than once per calendar year (except where a specific incident gives reasonable cause for a further audit), on at least 30 days' prior written notice, at the Data Controller's expense, subject to a customary non-disclosure agreement, and limited to the minimum scope necessary to verify compliance. The Data Processor shall facilitate such audits and cooperate accordingly.
6.3 Where the Data Processor holds a current information-security certification recognised by the Data Controller (in particular ISO/IEC 27001), the provision of the relevant certificate and a corresponding scope statement shall be accepted by the Data Controller as evidence of compliance with the obligations under Article 28(1) and (4) GDPR, in lieu of an on-site audit, except where the Data Controller has specific and reasonable grounds requiring further audit.
7. Data Protection Point of Contact
The data protection point of contact for the Data Processor is listed in the annex to this Agreement. Where a Data Protection Officer is required under Article 37 GDPR or has been voluntarily appointed, that officer is identified in the annex.
8. Confidentiality
8.1 The Data Processor confirms that it is familiar with the data protection regulations relevant to the data processing under the GDPR. When processing the Data Controller's personal data, the Data Processor shall maintain data confidentiality. This obligation shall continue to exist after termination of this contractual relationship.
8.2 The Data Processor shall ensure that employees involved in the work are familiarized with the relevant data protection regulations. The Data Processor shall oblige these employees in writing to maintain confidentiality during and after their employment, unless they are subject to an appropriate statutory duty of confidentiality. The Data Processor shall monitor compliance with data protection regulations within its company.
8.3 The Data Processor shall only provide information to third parties or data subjects with the prior written consent, or consent in electronic format, of the Data Controller. This restriction does not prevent the Data Processor from fulfilling its obligations under section 5.3, namely to acknowledge direct contact from a data subject or supervisory authority and to coordinate further steps with the Data Controller.
9. Technical and Organizational Measures
9.1 The Data Processor shall implement appropriate technical and organizational measures to ensure that processing is in accordance with the requirements of the GDPR and that the rights of data subjects are protected. The Data Processor shall organize its internal processes to meet the specific data protection requirements and achieve an appropriate level of protection. In particular, the Data Processor shall ensure the appropriate security of processing, including confidentiality (including encryption), availability, integrity, and resilience of the systems and services used for data processing, taking into account the state of the art in technology.
9.2 Technical and organizational measures may be adapted to technical developments during the term of the contractual relationship. The adapted measures must at least meet the security level of the measures agreed upon in the annex. Significant changes shall be agreed upon in writing or electronic format.
10. Information Obligations of the Data Processor and Breach of Personal Data Protection
10.1 The Data Processor shall inform the Data Controller of any breaches or suspected breaches of this Agreement or regulations related to the protection of personal data without undue delay, and in any event no later than 48 hours after becoming aware of such a breach or suspected breach.
10.2 The Data Processor shall assist the Data Controller in investigating, limiting the damage, and rectifying breaches.
10.3 If the personal data processed under this Agreement is endangered at the Data Processor's premises through seizure or confiscation, insolvency or composition proceedings, or other events or actions by third parties, the Data Processor shall immediately inform the Data Controller. The Data Processor shall also promptly inform all relevant parties that control over the data is with the Data Controller.
10.4 If supervisory authorities conduct audits, the Data Processor undertakes to inform the Data Controller of the results as far as they concern the processing of personal data under this Agreement. The Data Processor shall rectify any deficiencies identified in the audit report without delay and inform the Data Controller accordingly.
10.5 This section 10 applies mutatis mutandis to incidents in processes performed by subcontractors.
11. Subcontractors
11.1 The engagement of subcontractors by the Data Processor shall only take place with the written or electronic consent of the Data Controller.
11.2 The Data Processor shall contractually ensure that the provisions agreed in this Agreement also apply to subcontractors. The contract between the Data Processor and the subcontractor must be in writing or electronic format.
11.3 Engagement of subcontractors in third countries shall only occur if the special conditions of Articles 44 ff. GDPR are met.
11.4 The Data Controller hereby gives its consent to the engagement of subcontractors listed in the annex.
11.5 The Data Processor shall ensure that the Data Controller has the same rights of instruction and control over subcontractors as it has over the Data Processor under this Agreement. If a subcontractor fails to fulfill its data protection obligations, the Data Processor shall be liable to the Data Controller for the performance of those obligations.
11.6 The Data Processor will publish updates to the list of approved subcontractors at trust.opensanctions.org/subprocessors. The Data Controller may, within 30 days of any such publication, object on reasonable grounds to the engagement of a newly added subcontractor. The Parties shall negotiate in good faith to resolve any such objection. If no resolution is reached, the Data Controller shall be entitled to terminate the affected portions of the main contract on reasonable notice.
12. Deletion and Return of Personal Data
12.1 After the completion of the processing activities specified in the main contract(s), the Data Processor is obligated to either return or delete all personal data received during the data processing, as chosen by the Data Controller. This includes, in particular, the results of data processing, provided documents, and data carriers, as well as copies of personal data. The obligation to delete or return does not apply if, under EU law or the laws of the Member States, the Data Processor is legally obligated to continue storing the data. If further storage is required, the Data Processor shall limit processing and use the data only for the purposes for which storage is required. The obligations for data security shall remain in effect for the duration of storage. The Data Processor shall delete the data without undue delay once the obligation to store it ceases.
12.2 Deletion shall be performed in such a way that the data cannot be reconstructed.
12.3 The processes shall be logged, including the date and the person conducting them. The logs and evidence of completion in written form shall be made available to the Data Controller within 48 hours of the completion of the processes.
13. Liability
13.1 Liability arising under this Agreement is governed by Section 14 of OpenSanctions' General Terms and Conditions for the API Service (the "GTC"), subject to the additional carve-outs set out in section 13.2 below. References in Section 14 of the GTC to a "Party" shall, for the purposes of this Agreement, mean the Data Processor or the Data Controller respectively.
13.2 In addition to the matters listed in Section 14.5 of the GTC, the exclusions and limitations of liability under Section 14 of the GTC shall not apply to (a) liability arising under Article 82 GDPR, including under Article 82(5) GDPR as between the Parties, or (b) breach of confidentiality obligations under section 8 of this Agreement.
14. Final Provisions
14.1 The right to assert a right of retention in accordance with Section 273 of the German Civil Code (BGB) is excluded with regard to data processed for the Data Controller.
14.2 The annex or, in the case of multiple main contracts, the annexes to this Agreement form an integral part of it.
14.3 Changes or ancillary agreements require written or electronic format. This also applies to changes to this form requirement.
14.4 If a provision of this Agreement is found to be invalid, this shall not affect the validity of the remaining provisions of the Agreement.
14.5 This Agreement is subject to the laws of the Federal Republic of Germany. The place of jurisdiction is the registered office of the Data Processor.
ANNEX TO THE DATA PROCESSING AGREEMENT
1.1 Subject Matter and Nature of the Processing
The Processor offers a hosted API service that its customers can use to query the OpenSanctions dataset. This Agreement governs the processing of personal data submitted to that hosted matching API by the Data Controller. The processing of personal data of the Data Controller's own representatives (for example, in the course of account management, billing, or support communications) is carried out by OpenSanctions in its own capacity as a controller and is governed by our Privacy Policy, not by this Agreement. OpenSanctions does not store the query data beyond the period of the processing required to generate a response.
1.2 Type of Data and Categories of Data Subjects
The data submitted to the hosted API by the Data Controller may include personal data of the following categories: names, dates of birth, identification numbers (such as passport, tax, or registration numbers), addresses, nationalities, and relevant associations to public watchlists and the categories of risk implied by those lists.
The categories of data subjects are natural persons referenced in the Data Controller's screening, due-diligence, or compliance operations — typically the counterparties, beneficial owners, or other associated persons evaluated by the Data Controller in the course of its own business.
2. Data Protection Officer
The Data Processor is not obliged to appoint a data protection officer.
Point of contact for questions is Chief Business Officer Frederik Richter, E-Mail frederik@opensanctions.org.
3. Subcontractors
The approved subcontractors at the time of concluding this Agreement are documented here.
4. Technical and Organizational Measures according to GDPR Art 32
The technical and organizational measures at the time of concluding this Agreement are documented here.
Last updated: 12 May 2026
