Data protection

Data privacy policy

With the following information, we would like to give you an overview of the processing of your personal data by ALL AML GmbH, i.e. the scope and purpose of the personal data collected, used and processed by us.

Personal data is data that relates to an identified (or identifiable) natural person. It is data that can be assigned to you personally, such as your name, your address or your e-mail address.

If you have any questions about our processing of your personal data, you can contact us at any time at one of the contact addresses listed below.

1. Responsible party

The responsible party for data processing pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is

ALL AML GmbH
Am Hamburger Bahnhof 1
10557 Berlin
E-Mail: info@allaml.eu

The representatives of the responsible party are: Dr Carsten Giersch and Jennifer Hanley-Giersch.

ALL AML GmbH has appointed an external data protection officer. Contact details for our data protection officer are as follows:

Two Towers Consulting GmbH & Co. KG
Hohenzollernring 51
50672 Köln
E-Mail: datenschutz.all-aml@two-towers.eu

If you wish to contact the data protection officer by e-mail and encrypt the communication, you are welcome to first send an e-mail to the aforementioned e-mail address requesting the public S/MIME key.

We process personal data that we receive from you. In addition, we process – in case it is necessary for the provision of our services – personal data that we legitimately obtain from publicly accessible sources (e.g. commercial register, sanctions lists, press) or that is legitimately transmitted to us by other third parties (e.g. a credit agency).

2. Processing of data when using our website

When you visit our website, we collect some personal data, which we would like to inform you about below. For technical reasons, we always collect the information that your browser transmits to our server.    

The collection of this general connection data is necessary in order to display our website to you correctly, to ensure the stability of the connection and to defend ourselves against cyber attacks. This general connection data is as follows:

  • IP address,
  • browser types, languages and versions used,
  • operating system used by the accessing system,
  • website from which an accessing system is directed to our website (so-called referrer),
  • internet service provider (ISP) of the accessing system,
  • amount of data transferred,
  • subpages that are accessed via an accessing system on our website,
  • date and time at which an internet page was accessed, including the time zone difference to Coordinated Universal Time (UTC).

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is derived from the purposes for data collection as listed above. This website is hosted on servers of our provider DomainFactory. Our web host stores this data for a period of seven days.

Cookies

Our website uses a cookie to store your possible consent to specific processing purposes. The processing of your personal data in connection with this cookie is absolutely necessary for the operation of our website and is carried out on the basis of Art. 6 para. 1 lit. f GDPR. Your consent to the setting of this cookie is therefore not necessary. The cookie is stored in your browser for one year unless you remove it beforehand.

Data security

This website uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact requests that you send to us as the operator. You can recognise an encrypted connection by the fact that there is a “https://” instead of a “http://” in the address line of the browser and by the lock symbol in your browser line.

We use this technology to protect your transmitted data.

3. Processing of data when contacting us

You can contact us in several ways, e.g. by telephone or e-mail. In this case, we will store the personal data collected (e.g. your name, your e-mail address, your telephone number) exclusively for the purpose of responding to your request or for contacting you and the associated technical administration. 

The legal basis for processing the data is our legitimate interest in responding to your request pursuant to Art. 6 (1) lit. f GDPR. If your contact is aimed at signing a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. 

If services are requested, we may also carry out a limited business partner check to ensure compliance with various national laws and EU regulations as well as to prevent damage and criminal offences. We also process personal data that we legitimately obtain from publicly accessible sources (e.g. commercial register, sanctions lists, press, internet) or that is legitimately transmitted to us by other third parties (e.g. a credit agency).

The legal basis for the processing of the data is, on the one hand, legal obligations pursuant to Art. 6 para. 1 lit. c GDPR, e.g. the EU sanctions in capital and payment transactions (overview here), and, on the other hand, our legitimate interest in the prevention of default risks and criminal offences against us pursuant to Art. 6 para. 1 lit. f GDPR.

If the purpose for storing your data no longer applies, it will be deleted, unless its – temporary – further processing is necessary to fulfil retention obligations under commercial and tax law. This may arise, for example, from the German Commercial Code (HGB) or the German Fiscal Code (AO). The periods for storage or documentation specified therein are generally two to ten years. Data may also be kept for the preservation of evidence within the framework of the statutory limitation periods; according to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

4. Application management

If you apply to us for an open position or send us an unsolicited application, we will process your personal data for the purpose of handling the application process.

If an employment relationship is established, we will store your data for the purpose of processing the employment relationship in compliance with the statutory provisions. Otherwise, we will delete the application documents no later than six months after the notification of the rejection decision, provided that this deletion does not conflict with any other legitimate interests (e.g. fulfilment of the burden of proof in the context of proceedings under the General Equal Treatment Act). In addition, we store application data for a maximum period of two years, insofar as we have been given appropriate consent to do so.

The legal basis for processing your data is Art. 88 GDPR in conjunction with Section 26 (1) BDSG.

5. Processing of data during business relationships

As part of our business relationship, you must provide all personal data that is required for the establishment, execution and termination of a business relationship and for the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally not be able to conclude, execute and terminate a contract with you.

We process the following personal data when executing business relationships:

  • Processing of personal data in the context of the administration of the business relationships. This concerns data of natural persons, e.g. partners of a partner company or (e.g. employed) contact persons of the client. The client shall inform its employees about the transfer of personal data accordingly.
  • Processing of personal data as part of the Know your customer process (KYC): This involves processing personal data (name, address and other contact details, date and place of birth and nationality) and legitimisation data (e.g. ID card data) collected by the client from its clients, as well as data permissibly collected from public sources (e.g. commercial register, transparency register, press). The client shall inform its business partners about the disclosure of personal data accordingly.
  • Processing of personal data as part of the internal and external suspicious activity reporting processes: This involves processing personal data collected by the client from its clients (name, address and other contact details, date and place of birth and nationality), legitimisation data (e.g. ID card data) and transaction data and forwarding this data to official bodies within the scope of obligations under money laundering legislation. The client shall inform its business partners about the forwarding of personal data accordingly.
  • Processing of personal data in the context of other processes, e.g. training and information: This concerns data of natural persons, e.g. partners of a partner company or (e.g. employed) contact persons of the client. The client shall inform its employees about the transfer of personal data accordingly.

If the processing of personal data is necessary for the processing of contractual relationships, such as the fulfilment of an existing contract with you, the processing is based on Art. 6 para. 1 lit. b GDPR. The processing of personal data in the context of outsourcing the function of the Money Laundering Officer pursuant to Section 7 GWG is also based on Art. 6 para. 1 lit. c GDPR.

6. Newsletter

On our website, we offer you the opportunity to subscribe to a newsletter that will keep you up to date with the latest developments in our field. To subscribe to our newsletter, you must give your consent and provide us with an e-mail address. Your personal data collected when subscribing to the newsletter is exclusively used to send you our newsletter.

The processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR by subscribing to the newsletter. You can revoke this consent at any time. For this purpose, there is a note in every e-mail of our newsletter that allows you to revoke your consent and thus unsubscribe in one step.

It is of course also possible to unsubscribe from the newsletter via other contact channels. The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from our system after you unsubscribe or cancel the newsletter. Data stored by us for other purposes remains unaffected by this.

If you have provided us with your e-mail address when purchasing services, we reserve the right to send you offers for similar services to those already purchased from our portfolio by e-mail. In this respect, data processing is carried out solely on the basis of our legitimate interest in personalised direct advertising in accordance with Art. 6 para. 1 lit. f GDPR. You are entitled to object to the use of your email address for the aforementioned advertising purpose at any time. Upon receipt of your objection, we will immediately stop using your email address for advertising purposes.

7. Transfer of data to third parties

We may share personal data with third parties.

Internally, those who need your data to fulfil our contractual and legal obligations will have access to it. We use the subcontractors and founding members of ALL AML GmbH, Berlin Risk Advisors GmbH, Am Hamburger Bahnhof 1, 10557 Berlin and Two Towers Consulting GmbH & Co. KG, Hohenzollernring 51, 50672 Cologne to execute orders, for which purpose they receive and process personal data from us. Other service providers may also receive data for the fulfilment of our contractual and legal obligations as long as they maintain confidentiality in particular. These are companies in the categories of IT services, logistics, telecommunications, consulting, sales and marketing.

These service providers generally process personal data within the EU. If the processing takes place outside the EU, we ensure an appropriate level of data protection to comply with the requirements of European law. This is done primarily on the basis of the EU standard data protection clauses formulated by the European Commission.

In addition, to the extent permitted by law, we may transfer your personal data and the personal data received from you or permissibly collected in the course of our business relationship (e.g. of your employees and your clients) to courts and public authorities (e.g. tax authorities or law enforcement authorities) in Germany and abroad to fulfil legal obligations or in the context of legal disputes.

Furthermore, we may share your personal data with the law firm Two Towers Legal – lawyer Christian Klos, Hohenzollernring 51, 50672 Cologne. This serves, for example, the joint execution of mandates or the examination of possible conflicts of interest. The legal basis for this transfer is Art. 6 para. 1 sentence 1 lit. f GDPR.

At this point, we also refer to the data protection declarations of Berlin Risk Advisors and those of Two Towers Consulting and Two Towers Legal.

The transferred data may only be used by the third party for the stated purposes.

8. Video conferences with Google Meet

We use the video conferencing solution Google Meet to coordinate with our customers. When using Google Meet, audiovisual content and metadata (participant identifiers and communication logs) are processed. The audiovisual content is not recorded. After the meeting, the metadata is deleted by us. The processing of personal data is necessary in order to be able to communicate with you and is therefore based on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

By using Google Meet, we use the services of Google Ireland Ltd, Gordon House, Barrow St, Dublin 4, Ireland, with whom we have signed a data processing agreement. By using Google, a transfer to a country outside the EEA for which there is no adequacy decision by the EU Commission pursuant to Art. 45 GDPR cannot be completely ruled out. The order processing agreement with Google therefore contains the EU standard data protection clauses. If you do not agree to the use of Google Meet as a conference solution, communication can also take place via other channels (e.g. by telephone) or via a communication solution provided by you.

9. Activities in social networks

We have social media pages through which we communicate and inform about our services. We are not the original provider of these pages, but only use them within the scope of the possibilities offered to us by the respective providers.

As a precaution, we therefore point out that your data may be processed outside the European Union or the European Economic Area. The use of these social media platforms may therefore bear data protection risks for you. Safeguarding your rights – e.g. to information, deletion, objection, etc. – could be more difficult. In addition, processing in the social networks often takes place directly for advertising purposes or for analysis of usage behavior by the providers. Such activities are beyond our sphere of influence. If usage profiles are created by the provider, this often involves the use of cookies or the assignment of usage behavior to your own member profile hosted on the social network.

The described processing operations of personal data are carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider, in order to be able to communicate with you in a timely manner, or to inform you about our services. If you do have to give your consent to data processing as a user with such respective providers, the legal basis is Art. 6 para. 1 lit. a GDPR in conjunction with Art. 7 GDPR.

Since we do not have access to the providers’ databases, we would like to point out that it is best to assert your rights (e.g. to information, correction, deletion, etc.) directly with the respective provider. For further information on the processing of your data in social networks, and on the possibility of exercising your right of objection or revocation (so-called opt-out), we have listed the respective providers of the social networks used by us:

LinkedIn

(Co-) Controller for data processing in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy Policy:
https://www.linkedin.com/legal/privacy-policy

10. Your rights as a data subject

The GDPR defines a number of rights that you are entitled to in your dealings with us. Specifically, you have the right:

  • to object to the processing of personal data at any time on a case-by-case basis,
  • to obtain information about the personal data stored about you at any time and free of charge,
  • to demand that incorrect personal data concerning you be corrected,
  • to demand that we delete any personal data concerning you without undue delay, provided that one of the reasons provided for by law applies, and insofar as the processing or storage is not necessary,
  • to demand that we restrict the processing of your personal data, provided that there are no legal requirements to the contrary,
  • to receive the personal data concerning you, which has been provided to us by you, in a structured, common and machine-readable format to transmit those data to another controller, or that we transmit them directly to another controller, where technically feasible,
  • to revoke consent for the future processing of personal data at any time and
  • to complain about our processing of personal data to a supervisory authority which is responsible for data protection – in our case to Berliner Beauftragten für Datenschutz und Informationsfreiheit.

11. Topicality and change of the data protection declaration

This data protection declaration is currently valid and is dated: 08. May 2024.

Due to the further development of our internet pages and our offerings, or due to changed legal or official requirements, it may become necessary to change this data protection declaration. You can access and print out the current data protection notice at any time by clicking on this link.
