Processing and Protection of Personal Data Policy
AML solutions s.r.o., ID No.: 106 91 766, with its registered office at Na Strži 1702/65, 140 00 Prague 4, registered in the Commercial Register maintained by the Municipal Court in Prague under file No. C 346730 (hereinafter referred to as the "Controller"), as the operator of the internet database/application "PEP check" available at https://www.pepcheck.cz, the primary purpose of which is to determine a possible match between a person entered by the user and a person who, according to available information, is considered to be a politically exposed person under Act No. 253/2008 Coll., on certain measures against money laundering and terrorist financing, as amended (hereinafter referred to as the "AML Act"), or other directly applicable legal regulations in the member states of the European Union (hereinafter referred to as the "Application"), processes the personal data of its clients and politically exposed persons (hereinafter referred to as the "Data Subjects") in accordance with applicable legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR").
In order to provide comprehensive information on the processing of personal data of data subjects, the Controller issues these processing and protection of personal data policies (hereinafter referred to as the "Policy"):
1. Personal Data Controller
- AML solutions s.r.o.,
ID No.: 106 91 766
with its registered office at Na Strži 1702/65, 140 00 Prague 4
registered in the Commercial Register maintained by the Municipal Court in Prague under file No. C 346730
Email: info@amlsolutions.cz
2. Scope of Processed Personal Data
- As a data controller, the Controller processes the following personal data regarding clients who are natural persons:
- Identification data: first name, last name, date of birth, residential address, ID No.;
- Contact details: phone number, email address;
- Client solvency data: data related to creditworthiness and trustworthiness;
- Bank account details: account number, card number, bank code, IBAN, SWIFT;
- Contract fulfillment data: payment details, delay information, overdue debt amounts;
- Device identification data: IP/MAC address;
- Information about your behavior on the website (via cookies).
The Controller also processes these data concerning natural persons who are in positions of statutory or supervisory bodies of clients, as well as concerning natural persons who own clients.
- Regarding natural persons who are politically exposed persons within the meaning of Section 4(5) of the AML Act and Methodological Instruction No. 7 of the Financial Analytical Office, intended for obligated persons under Section 2 of Act No. 253/2008 Coll., MEASURES AGAINST POLITICALLY EXPOSED PERSONS, the Controller processes the following personal data:
- First and last name, possibly academic titles;
- Date of birth;
- Data indicating the status of a politically exposed person under the AML Act;
- Photograph;
- Data on the application of international sanctions under Section 2 of Act No. 69/2006 Coll., on the implementation of international sanctions, as amended, against a politically exposed person.
All personal data related to politically exposed persons are obtained exclusively from publicly available sources, i.e., they are publicly accessible remotely, and these sources are listed in the output of the search for politically exposed persons. Public registers and lists, which are maintained under the law and published by law in a manner allowing remote access as open data pursuant to Section 5a of Act No. 106/1999 Coll., on free access to information, as amended, are primarily used for data collection. Data on the application of international sanctions are sourced from www.sanctionsmap.eu and the national sanctions register of the Czech Republic.
3. Purpose of Processing, Legal Basis, and Duration of Processing
- The Controller processes personal data provided by data subjects for the purpose of fulfilling business relationships related to the provision of the right to use the Application and related services, as well as for sending promotional messages and offering services based on the legitimate interest in the development of our business, products, and services.
- Personal data of data subjects may be processed based on:
- Fulfillment of the Controller's legal obligations set by legal regulations, especially accounting, tax regulations, the Act on Certain Measures Against the Legalization of Proceeds from Criminal Activity, and other related regulations, for the period stipulated by specific legal regulations;
- Fulfillment of the Controller's contractual obligations arising from the relationship between the Controller and the data subject when providing services to the data subject (especially data necessary for providing legal services), for the period necessary to provide the service;
- The legitimate interest of the Controller or a third party, which includes the protection of the Controller's rights and legal claims. Based on this, personal data of the data subject are processed for the purpose of protecting the Controller's rights and legal claims, to the necessary extent, for 10 years from the termination of the client's legal relationship with the Controller. Personal data of politically exposed persons are processed without the consent of the data subject based on Recital 47, Article 6(1)(e) and (f), Article 17(3)(a) of the GDPR Regulation, and Article 43 of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015, on the prevention of the use of the financial system for money laundering or terrorist financing, amending Regulation (EU) No. 648/2012 and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, in the public interest and in the interest of protecting the legitimate interest of the Controller and obligated persons under the AML Act to obtain information on politically exposed persons to prevent money laundering, terrorist financing, and comply with the obligations under the AML Act and other legal regulations governing this area. Data related to the application of international sanctions are processed under Section 10 of Act No. 69/2006 Coll. in conjunction with Recital 47, Article 6(1)(e) and (f), Article 17(3)(a) of the GDPR.
- The consent of the data subject, for the period specified in the consent of the data subject. With the consent of the data subject, the Controller processes personal data to the extent and for the purposes specified in the specific consent granted. The data subject voluntarily and freely gives consent. Refusal to consent does not disadvantage the data subject and cannot be used against them. If the consent is withdrawn or personal data no longer need to be processed, they will be promptly deleted.
4. Transfer of Personal Data
- The Controller does not share the data subject's personal data with another entity unless permitted by law or these policies. Personal data may be transferred to third parties based on legal obligations or public authority requests that have the legal power to request the transfer of relevant personal data.
- The Controller uses other entities (suppliers) to fulfill its legal obligations, primarily on the basis of contractual agreements with the Controller; these suppliers are bound to process the personal data of the data subject and provide guarantees of personal data protection.
- Personal data of data subjects are transferred to:
- Legal, tax, and accounting advisors;
- IT specialists and companies providing maintenance of the Controller's information technologies, particularly the Application;
- Persons responsible for collecting the Controller's receivables.
5. Data Subject Rights
- In connection with the processing of personal data, the data subject has the following rights:
- Right to Information
The data subject has the right to be informed about the processing of personal data concerning them. This information includes the contact details of the Controller, the purpose and legal basis for processing, information about its legitimate interests, recipients of the personal data, the retention period of the personal data, all rights of the data subject, the reason for providing personal data, information on the transfer of personal data to third countries outside the European Union, and where applicable, whether automated decision-making, including profiling, is involved.
- Right of Access to Personal Data
The data subject has the right to request the Controller to inform them whether any personal data concerning them is being processed, and if so, what specific data. Naturally, they can request specific details or a complete overview of all personal data.
The Controller will provide the first copy of the requested information completely free of charge.
- Right to Rectification or Completion
If the Controller processes inaccurate, incorrect, or incomplete personal data about the data subject, the data subject has the right to request the Controller to correct or complete the data.
To ensure that the rectification or completion is appropriate, the Controller must verify whether the personal data being processed is accurate or complete.
- Right to Erasure
The data subject may exercise this right with the Controller if:
- the personal data is no longer needed for the purposes for which it was collected or otherwise processed;
- they withdraw their consent, upon which the personal data was processed, and there is no other legal basis for processing;
- they object to the processing and there are no overriding legitimate reasons for processing;
- the personal data was processed unlawfully;
- the personal data must be erased to comply with a legal obligation;
- the personal data was collected in connection with the offer of information society services under Article 8(1) of the GDPR.
Once the Controller verifies that all the conditions for erasing the personal data are met, they will delete the data subject's personal data.
- Right to Restriction of Processing
This right allows the data subject to request the Controller to restrict the processing of their personal data if:
- they contest the accuracy of their personal data for the period necessary for the Controller to verify the accuracy of the personal data;
- the processing is unlawful, and the data subject opposes the erasure of personal data and requests a restriction on their use instead;
- the Controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims;
- the data subject has objected to the processing, pending verification of whether the Controller's legitimate grounds override those of the data subject.
If the Controller restricts processing based on the above, the personal data of the data subject, except for storage, may only be processed with their consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State. In such cases, the Controller will notify the data subject in advance that the restriction on processing will be lifted.
- Right to Data Portability
Under this right, the data subject may obtain their personal data from the Controller, which they have provided to the Controller, in a structured, commonly used, and machine-readable format, and simultaneously transfer this data to another controller.
The data subject is also entitled to request the Controller to transfer their personal data in a structured, commonly used, and machine-readable format directly to another controller, if technically feasible.
The right to data portability applies only if the data is processed:
- automatically; and simultaneously
- based on the data subject's consent or to fulfill contractual obligations.
It follows from the above that not all data held by the Controller about the data subject can be transferred to another controller under this procedure.
- Right to Withdraw Consent for the Processing of Personal Data
If the Controller processes the data subject's personal data based on granted consent, the data subject is entitled to withdraw this consent at any time. The withdrawal of consent for the processing of personal data does not need to be justified. However, the withdrawal of consent does not affect the lawfulness of the processing that occurred while the consent was in effect.
If there is no other legal reason for processing, the Controller will immediately erase the data subject's personal data upon the withdrawal of consent.
- Right to Object
The data subject is entitled to object to the processing of their personal data for the purposes of the Controller's legitimate interest.
If the Controller does not demonstrate compelling legitimate grounds for the processing that override the interests or rights and freedoms of the data subject or for the establishment, exercise, or defense of legal claims, the Controller is obliged to stop processing the data subject's personal data.
- Right to Lodge a Complaint with a Supervisory Authority
If the data subject believes that the processing of their personal data violates data protection laws, they can lodge a complaint with the supervisory authority.
In the Czech Republic, the relevant supervisory authority is the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, website: https://www.uoou.cz.
- All the above rights are also available to the data subject after the end of the legal relationship with the Controller.
- The data subject may exercise all the above rights as follows:
- By email at info@amlsolutions.cz;
- In writing at the Controller's registered office, Na Strži 1702/65, 140 00 Prague 4;
- In person at the Controller's registered office, Na Strži 1702/65, 140 00 Prague 4.
- To ensure proper protection of personal data and the rights of the data subject, and to prevent misuse by other persons, the Controller must verify the identity of the data subject.
- If it is not possible to identify the data subject from the information provided in the request to exercise their rights, the Controller is entitled to ask the data subject to provide additional information that will allow them to verify the identity of the data subject. If it is still not possible to identify the data subject after providing additional information, the Controller cannot comply with the data subject's request.
- The Controller processes all requests received without undue delay, at the latest within one month of their receipt. If it is not possible to process the data subject's request within this period (mainly due to the complexity of the request), the Controller is entitled to extend the processing period by up to two months. The Controller will inform the data subject of this, along with the reasons for the extension, within one month of receiving the request.
- If the Controller determines that the request does not meet the above requirements for a positive response, they are entitled to reject the request and will inform the data subject of the reasons for the rejection. In such a case, the data subject is entitled to file a complaint with the supervisory authority (see above in Article 5.1(i) of the Policy) and/or seek judicial protection before general courts.
- If the Controller complies with the request, they will take appropriate measures based on the decision and inform the data subject accordingly.
6. Data Security
The Controller ensures that appropriate technical and organizational measures are in place to safeguard personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. This includes encryption, pseudonymization, access control, regular audits, and security training for staff.
The Controller also ensures that when personal data are transferred to third parties, appropriate contractual guarantees are in place to ensure data security and confidentiality. The Controller follows the principles of data minimization and purpose limitation, ensuring that only the data necessary for the specific purpose of processing are collected and used.
7. Changes to the Policy
This Policy may be updated periodically to reflect changes in personal data processing practices or in legal requirements. Data subjects will be informed of any significant changes in an appropriate manner (e.g., via email or notice on the website). The current version of this Policy is always available on the Controller's website at https://www.pepcheck.cz.
8. Contact Information
For any questions or requests regarding the processing of personal data, please contact the Controller at:
- Email: info@amlsolutions.cz
- Mailing Address: AML solutions s.r.o., Na Strži 1702/65, 140 00 Prague 4
This Policy is effective as of [Date].