PRIVACY NOTICE – AML SCREENING SERVICE

Effective from: May 15, 2025

1. WHAT DOES THIS AML PRIVACY NOTICE COVER?

1.1 This Privacy Notice (“AML Privacy Notice”) explains how SEON Technologies Kft. (“SEON”, “we”, “us”, or “our”) processes Personal Data (as defined in Section 5 of this Privacy Notice) in the context of building, maintaining, and operating its Anti-Money Laundering (“AML”) database and screening infrastructure. This includes the continuous collection and organization of data from publicly available sources, such as sanctions lists, Politically Exposed Persons (“PEP”) registries, watchlists, crime records, and similar public data repositories.

1.2 SEON acts as a data controller for the personal data it collects and processes in this context. The processing supports our customers’ anti-money laundering (AML), Know Your Customer (KYC), Know Your Business (KYB), Know Your Supplier (KYS), anti-bribery and corruption (ABC), counter-terrorist financing (CTF) compliance, the detection of financial crime and fraud, due diligence, risk management and other similar efforts  carried out in the public interest. These screenings are intended not only to help customers comply with legal and regulatory obligations but also to detect, prevent, and respond to financial crime, fraud, and serious misconduct, including other forms of unlawful or unethical activity (such as modern slavery, human trafficking, and environmental crime). The personal data SEON processes thus plays a key role in enabling responsible screening and decision-making that promotes financial system integrity and broader public trust.

1.3 This AML Privacy Notice applies solely to SEON’s AML screening services where SEON processes personal data as an independent data controller. It does not apply to processing activities where SEON acts as a data processor on behalf of its customers—such as in the case of Adverse Media screening, transaction monitoring, or AML checks performed on customer-submitted data that does not result in a match within SEON’s database. 

  • For Adverse Media checks, SEON does not maintain its own dataset but retrieves information in real time from a third-party SaaS provider based on customer-submitted queries, processing that data exclusively under customer instruction.
  • Similarly, when SEON receives personal data from a customer for an AML check or in the course of transaction monitoring, it acts as a processor unless the individual’s data matches an entry in SEON’s independently maintained AML database. In that case, SEON is a data controller only in respect of the matched information already present in its database, and such personal data is subject to this AML Privacy Notice. All other processing remains under the customer’s controllership.

For more information about how your personal data is processed in contexts where SEON acts as a processor (including unmatched AML queries, Adverse Media checks, or transaction monitoring), please consult the privacy notice of the SEON customer who initiated the relevant screening.Therefore, throughout this AML Privacy Notice, references to “AML screening services” refer exclusively to the name and entity screening activities conducted by SEON in its capacity as (an independent) data controller.

1.4 For SEON’s general privacy notice, applicable to information the SEON collects from and about data subjects in connection with its products, services, websites, platforms, software, applications, conferences,events, electronic newsletters or communications, please click here.

1.5 At SEON we are committed to protecting your Personal Data and respecting your right to privacy. Please read this notice carefully, as it explains how your Personal Data is processed, your rights, and how you can contact us with any questions or concerns.

2. WHO IS THE DATA CONTROLLER

2.1 In certain jurisdictions, such as the European Economic Area (EEA), the United Kingdom (UK), and certain states of the United States (US) such as Virginia, Utah, California, Connecticut, Colorado, Illinois and Texas, data protection and privacy laws distinguish between (i) “controllers” or “businesses”;  and (ii) “processors” or “service providers” or “contractors”.

2.2 Data controller/business/contractor (hereinafter together referred to as: “Controller”) is the party that sets out the purposes and means (why and how) of processing of Personal Data, exercise control of the Personal Data, and stipulate retention periods of the Personal Data according to their purposes.

2.3 SEON Technologies Kft., an entity incorporated and existing under the laws of Hungary (registered set: Rákóczi út 42, 1072 Budapest, Hungary, Company Reg. No. 01-09-292732), is the data controller when it collects and manages the publicly available AML source data and makes that data searchable to its customers.

2.4 SEON has appointed a Data Protection Officer (DPO). SEON commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the United States pursuant to the EU/US Data Privacy Framework. You may contact our DPO at [email protected].  SEON will investigate and attempt to resolve any complaints or disputes regarding processing of Personal Data within a reasonable timeframe.  See Section 3 “EU-US Data Privacy Framework (DPF)” and Section 12 “Remedies,” for more information.

2.5 For any inquiries about this AML Privacy Notice, please contact SEON at the following email address: [email protected]

3. EU-U.S. DATA PRIVACY FRAMEWORK (DPF) 

3.1 SEON and its US subsidiaries comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension set forth by the U.S. Department of Commerce. SEON has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) concerning the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this AML Privacy Notice and the EU-U.S. DPF Principles and the DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/.

3.2 SEON is responsible for processing Personal Data it receives under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Access complies with the EU-U.S. DPF Principles for all onward transfers of Personal Data from the EU, including the onward transfer liability provisions. The Federal Trade Commission has jurisdiction over SEON’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In certain situations, Access may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

3.3 SEON is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with regard to our compliance with the EU-U.S. Data Privacy Framework (DPF).

3.4 In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SEON commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EU and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact SEON at: [email protected]

3.5 In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SEON commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to an alternative dispute resolution with the panel established by the EU data protection authorities (DPAs) and Information Commissioner’s Office (ICO).

3.6 For complaints, regarding EU-U.S. DPF and the UK Extension to the EU-U.S. DPF compliance not resolved by any of the other DPF mechanisms; you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/s/article/C-Pre-Arbitration-Requirements-dpf

4. WHY DO WE PROCESS YOUR DATA AND ON WHAT LEGAL BASIS?

Purpose and Legal Basis.

4.1 With respect to your Personal Data, SEON’s primary purpose in the processing is to perform our AML screening services to our customers, helping them detect financial crime, comply with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations, and assess risk associated with individuals or entities during onboarding or ongoing monitoring. 

4.2 SEON processes Personal Data from publicly available sources—such as sanctions lists, Politically Exposed Persons (PEP) registries, watchlists, and crime databases—in its role as an independent data controller. The primary legal basis for this processing is SEON’s legitimate interest under Article 6(1)(f) of the GDPR. SEON has a legitimate commercial interest in building, maintaining, and operating a reliable, scalable, and high-quality AML screening infrastructure which supports the provision of AML compliance services to its customers—many of whom are financial institutions, fintech platforms, or other regulated entities. These customers also have their own legitimate interests in accessing structured and accurate risk-relevant data to meet their anti-money laundering (AML), Know Your Customer (KYC), Know Your Business (KYB), anti-bribery and corruption (ABC), counter-terrorist financing (CTF), financial crime and fraud prevention obligations efficiently. Furthermore, the processing may also be necessary for a task carried out in the public interest (for example, the public interest in preventing crime, financial crime, and fraud). Together, these interests align to support the detection and prevention of financial crime, while maintaining regulatory compliance and safeguarding trust in the financial system. 

In addition to providing AML screening services to its customers, SEON may also process personal data for the following purposes under its own legitimate iterest: 

  • To strengthen and enhance the accuracy, integrity, and security of its AML infrastructure and underlying databases, supporting the detection of fraud, financial crime, and related unlawful activity;
  • To develop, test, optimize, and improve SEON’s AML technology, including the use of automatic algorithms and machine learning, aimed at enhancing search precision, reducing false positives, and improving system performance. This may include using artificial intelligence (e.g., machine-learning techniques), identifying potentially fraudulent patterns that could indicate illicit activity, providing customers with calculated risk scores or alerts regarding elevated fraud risk, and maintaining appropriate audit logs;
  • To create anonymized or aggregated datasets from the AML database (excluding any data that would permit the identification of an individual), for the purposes of system performance analysis and product development;
  • To comply with legal obligations applicable to SEON, including the need to retain and verify records of processing activity, and to ensure lawful sourcing and use of publicly available personal data;
  • To fulfill our legal obligations regarding the processing and retention of Personal Data, including securing the appropriate legal basis for processing certain Personal Data related to specific end-users. It is crucial for us to obtain and keep records confirming that this legal basis has been established, as it enables us to demonstrate compliance with applicable data protection laws; 
  • To investigate, prevent, or take action against unlawful activity, suspected misuse of services, or behavior that may pose a threat to SEON’s platform, infrastructure, or the rights and safety of individuals or third parties;
  • To comply with applicable legal requirements, enforceable requests from authorities, court orders, or other legal processes;
  • To establish, exercise, or defend legal claims.

Where SEON relies on its legitimate interest as a legal basis, SEON performs a Legitimate Interest Assessment (LIA) to ensure that its interests in building and maintaining an AML screening infrastructure do not override the fundamental rights and freedoms of individuals. This includes implementing safeguards to ensure data is processed in a manner that is necessary, proportionate, and compliant with data protection principles.

4.3 In certain cases, SEON’s processing of personal data may also involve Personal Data – particularly relating to crime lists, sanctions, or entries on regulatory databases – that may be classified personal data under Article 10 of the GDPR (e.g., data relating to criminal convictions or offences). In such cases, SEON processes this data only to the extent that it is authorized by Union or Member State law and in line with applicable legal requirements. This includes processing that is necessary for substantial public interest purposes pursuant to Article 6(1)(e) of the GDPR such as the prevention of financial crime, fraud, and other unlawful activity. SEON ensures that appropriate safeguards are in place to protect individuals’ rights and freedoms, including data minimization, access controls, and transparency measures.

4.4 Furthermore, in some circumstances, SEON may also process Personal Data on the basis of legal obligation, pursuant to Article 6(1)(c) GDPR, where such processing is required under applicable EU or Member State laws. This may include obligations arising from anti-money laundering (AML), counter-terrorist financing (CTF), or financial crime prevention laws, which mandate the collection and maintenance of certain records or the performance of due diligence tasks. Where this applies, SEON ensures that the processing is strictly limited to what is legally required and is carried out in full compliance with the relevant legal and regulatory frameworks.

4.5 SEON does not rely on consent as the legal basis for its AML database processing activities, nor does it engage in automated decision-making that produces legal or similarly significant effects for individuals under Article 22 GDPR (see more about automated decision-making at Section 10 of this AML Privacy Notice).

4.6 SEON does not “sell”, “lease”, “share”, or “trade” your Personal Data for cross-contextual behavioral advertising purposes, as defined under applicable data protection laws.

Data Processing Activities.

4.7 SEON performs various forms of automated data processing, which include, but are not limited to, activities such as collecting, recording, organizing, aggregating, structuring, storing, modifying, enriching, retrieving, consulting, using, transmitting, sharing, disseminating or otherwise making data accessible, aligning or combining, restricting, erasing, or destroying or retaining it.

Principles for processing your Personal Data at SEON.

4.8 SEON follows the principles of Personal Data protection outlined in the GDPR, the United Kingdom General Data Protection Regulation (hereinafter: UK GDPR), and other applicable data protection laws. In line with these principles, SEON ensures that your Personal Data is: 

  • Processed fairly, lawfully, and transparently;
  • Collected and processed solely for specified, explicit, and legitimate purposes, and not used in ways that are incompatible with those purposes;
  • Adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
  • Kept accurate and regularly updated;
  • Stored in an identifiable form for no longer than necessary for the processing purposes;
  • Processed in a way that ensures appropriate security;
  • Not transferred outside your chosen data residency (see Section 7.1) without sufficient protection.

Notification on the Personal Data processing.

4.9 Please note that you may have not been notified directly by SEON about the inclusion of your personal data in our AML database because the information we process is collected exclusively from publicly accessible sources, such as official sanctions lists, PEP registers, regulatory publications and other similar sources (see Section 6.1). These sources typically do not contain reliable contact information, such as email or postal addresses, and SEON does not collect or retain such details. For this reason, it is not feasible for us to contact individuals directly. However, if your data has been screened by one of SEON’s customers using our AML services, that customer—acting as the data controller in that context—is responsible for informing you, in accordance with applicable data protection laws (e.g., under Articles 13 or 14 of the GDPR). You should therefore consult the privacy notice of the organization that requested the screening for further information about how your data was used.

5. PERSONAL DATA PROCESSED

5.1 During the AML screening services, SEON may process certain Personal Data about you that it collects from publicly accessible sources (such as official sanctions lists, PEP registers or crime and watchlist). The type of Personal Data processed depends on the specific AML screening activity performed and may vary based on regulatory jurisdiction and source material.

5.2 Personal Data processed by SEON may include, but is not limited to:

  • Screened data from sanctions lists, crime lists, watchlists, and similar sources: This includes information from third-party publicly available databases and official lists used for sanctions enforcement, crime prevention, and other regulatory objectives. The data processed may include (but is not limited to): full name, date of birth, age, height/weight, place of birth, gender, nationality, citizenship, country of residence, aliases, reasons for inclusion on the list, references to legal or administrative decisions, and the timeframe during which you appear on the list—depending on what is made available by the original source.

Some of this information may relate to criminal convictions or offences and thus fall under Article 10 of the GDPR. SEON may processes such data solely under the legal basis defined in Section 4.3 of this AML Privacy Notice. 

  • Screened data from PEP lists: Publicly available information on individuals who currently hold or have previously held prominent public functions—such as heads of state, ministers, judges, senior military officials, or executives of state-owned enterprises—as well as their close family members and known associates. This may include (but is not limited to) full name, date of birth, place of birth, nationality, family circumstances information (e.g. your marital status and dependents), education details, your job title and your education history), address, photographs (if available), the nature and duration of the public role, and associated relationships that may indicate a politically exposed status.
  • Corporate registry information: Publicly available data obtained from national or regional corporate registries or trusted third-party sources, relating to individuals’ roles and interests in corporate entities. This may include details such as directorships, shareholder status, ownership percentages, affiliated entities, and control or influence in a business structure, as made available by the source registry or dataset.

(hereinafter collectively referred to as: “Personal Data”)

5.3 The amount of Personal Data processed will vary depending on the publicly available
information for the individual and the reason the individual is included in our AML screening database.
As a result, not all of the categories listed above may be included for an individual.

Children.

5.4 SEON’s AML screening services are not intended for use by or targeted toward children. SEON processes data that originates from public records or other public sources. If SEON becomes aware that it holds Personal Data relating to a child under the age threshold defined by applicable law or the relevant customer, appropriate measures will be taken to ensure the deletion of such data.

6. WHERE DO WE OBTAIN THE DATA FROM?

6.1 SEON collects personal data from a wide range of publicly accessible sources to build and maintain its AML database. These sources include (but is not limited to):

  • Sanctions Lists: Official sanctions databases published by international and national authorities, such as the United Nations Security Council, the European Union (EU), the U.S. Office of Foreign Assets Control (OFAC), the UK Sanctions List, and equivalent national regulatory bodies.
  • PEP and RCA Registers: Public records identifying Politically Exposed Persons (PEPs), their relatives and close associates (RCAs), including government directories, official gazettes, and other public disclosures.
  • Law Enforcement and Regulatory Publications: Crime lists and enforcement records issued by police agencies, financial intelligence units (FIUs), anti-corruption bodies, and other relevant authorities concerning individuals or entities involved in financial crime, corruption, tax evasion, and similar offences.
  • Corporate and Official Registries: Publicly accessible company registers and business directories that reveal individuals’ ownership roles, directorships, and affiliations with corporate entities.
  • Public Media Sources and Websites: Open web sources, including reputable news outlets, press releases, official announcements, and other public websites, which report on financial crime, regulatory breaches, or other relevant risk indicators. Only sources meeting SEON’s reliability and integrity criteria are included.
  • Trusted Third-Parties: In some cases, SEON may also incorporate information from specialized data providers or aggregators that compile and republish verified content from multiple public domain sources.

6.2 This means that SEON only includes your Personal Data in its AML screening database only where publicly available sources indicate that there is information relevant to the purposes described in this AML Privacy Notice. Specifically, a record will be included in SEON’s AML database if the public data suggests that individuals or entities may be associated with matters that SEON’s customers ought to be aware of when conducting AML, sanctions, or other risk-based compliance screening.

6.3 SEON does not access or collect this data directly from individuals, and it does not rely on customer-submitted information to build its independent AML database.

7. LOCATION, DURATION OF THE PROCESSING; DATA RETENTION

7.1 SEON stores the data processed within its infrastructure on secure cloud servers provided by Amazon Web Services (AWS). By default, the data is hosted in the European Union (EU), specifically in AWS’s Ireland data center (EU-West-1). However, customers may opt to have their data processed in the United States (US-East-1) based on their regional or regulatory preferences. All data is stored in accordance with strict security protocols, including encryption in transit and at rest, and access is limited to authorized personnel only. SEON’s hosting arrangements comply with relevant data protection and financial sector requirements, including the European Banking Authority (EBA) guidelines.

7.2 Apart from the storage, your Personal Data may be stored and processed in your region or another country where SEON, its affiliates and their service providers maintain servers and facilities, including but not limited to Hungary, Unites States, United Kingdom and Indonesia. We take steps, including through contracts, intended to ensure that the information continues to be protected wherever it is located in a manner consistent with the standards of protection required under applicable law.

7.3 SEON maintains its AML screening database by continuously sourcing and updating information from publicly available and reputable sources, such as international sanctions lists and official registers. To ensure the accuracy and transparency of screening results, SEON includes information indicating the most recent date on which a given data entry was observed in the source. This allows users of the AML service to understand whether an entry is currently listed or potentially outdated. This approach supports both ongoing compliance and retrospective review obligations, helping SEON’s customers meet their legal and regulatory responsibilities while aligning with data minimisation and proportionality principles under applicable data protection laws.

7.4 SEON retains personal data in its AML database for as long as it remains necessary to fulfil the purposes for which it was collected. Specifically, this includes supporting SEON’s legitimate interest in maintaining a reliable and accurate screening infrastructure to assist customers in meeting anti-money laundering and financial crime prevention obligations. The data is subject to regular updates and relevance reviews, and is retained only while it continues to serve these compliance-driven and risk-based objectives. When determining how long to retain personal data, SEON takes into account the volume, type, and sensitivity of the data, the potential impact on individuals in case of unauthorised use or disclosure, the purposes for which the data is processed, and whether those purposes could be met through less data-intensive means.

8. HOW DO WE SHARE YOUR PERSONAL DATA

Recipients.

8.1 SEON may share or make available personal data processed within its AML infrastructure with the following categories of recipients, strictly in accordance with data protection principles and appropriate contractual safeguards:

  • SEON’s Business Customers and Partners: Regulated businesses and institutions (e.g., financial services providers, fintech platforms, igaming platforms and online marketplaces) who use SEON’s AML screening services to assess potential risk or conduct due diligence as well as SEON’s resellers and integration and similar partners who facilitate access to SEON’s AML screening services. This sharing occurs in response to a customer-initiated query, where the customer has provided specific search parameters (e.g., name, date of birth), and SEON returns relevant AML data from its database. Importantly, the results returned to one customer are not accessible by any other customer for unrelated screenings. These customers and parters act as (independent) data controllers when submitting queries and receiving screening results through SEON’s platform.
  • Sub-Processors and Infrastructure Providers: SEON may also engage trusted third-party service providers to support its infrastructure and system operations. These may include infrastructure and cloud service providers (e.g., Amazon Web Services), analytics tools, and customer support platforms. Such providers act as processors on behalf of SEON and are contractually bound to process Personal Data only under SEON’s instructions and in compliance with applicable data protection laws. All sub-processors are subject to strict contractual obligations, including data protection clauses consistent with Article 28 of the GDPR.
  • SEON Group Personnel and Affiliates: Internally, access to personal data within SEON is restricted to authorized personnel who require it for legitimate purposes, such as system maintenance, product development, compliance audits, and customer support. SEON ensures that all such staff are subject to confidentiality obligations and appropriate training on data protection. Where necessary, SEON may share your Personal Data between entities within the SEON group for the purposes outlined in this AML Privacy Notice.

8.2 Additionally, SEON may share your Personal Data in the following limited circumstances:

  • With legal and professional advisors (e.g., law firms, consultants);
  • With auditors performing regulatory or contractual assessments;
  • With competent supervisory authorities, regulators, enforcement bodies, or courts when required by law or in response to valid legal processes;
  • In the context of a corporate transaction (e.g., merger, acquisition, or restructuring), where your Personal Data may form part of the transferred assets, subject to appropriate safeguards.

International Data Transfers.


8.3 SEON is a global organisation and provides global services. Therefore, SEON may transfer your Personal Data to SEON group entities located outside the European Economic Area (EEA), including to the United Kingdom, where such transfers are subject to the European Commission’s adequacy decision.

8.4 SEON may also transfer your Personal Data to third-party service providers located in jurisdictions outside the EEA, Switzerland, or the UK. These transfers may include destinations such as the United States or other third countries.

8.5 To ensure your Personal Data remains protected, SEON implements appropriate safeguards for international data transfers, including:

  • The use of Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner’s Office;
  • Reliance on adequacy decisions where applicable; and
  • Conducting transfer impact assessments to evaluate potential data protection risks and adopt necessary supplementary measures.

9. HOW DO WE ENSURE DATA ACCURACY AND SECURITY?

9.1 SEON takes appropriate steps to ensure that the data used in its AML screening services is accurate and secure. The data in SEON’s AML database is regularly updated from official, publicly available sources, and filtering mechanisms—such as date of birth verification—are applied to improve matching accuracy and reduce false positives. 

9.2 However, as a data aggregator, we do not exercise editorial control over the personal information that appears in the source material we collect. The content and accuracy of the original records remain the responsibility of the source or issuing authority (e.g., sanctioning body, government agency, or official registry). SEON processes and mirrors the data as it appears in those official sources, without altering or modifying its substance.

9.3 To protect the Personal Data it processes, SEON maintains a robust security framework. This includes internationally recognized certifications (such as ISO/IEC 27001), regular audits (such as SOC 2 Tpye II), and a range of technical and organizational safeguards designed to prevent unauthorized access, ensure data integrity, and support overall data protection compliance.

9.4 For further information on SEON’s security framework, please our Privacy & Security Whitepaper available at: https://seon.io/legal-and-security/seon-privacy-and-security-whitepaper/

10. DO WE ENGAGE IN AUTOMATED DECISION-MAKING?

10.1 SEON does not engage in automated decision-making within the meaning of Article 22(1) of the GDPR that would produce legal effects or similarly significantly affect you.

10.2 As part of SEON’s AML service, personal data is first collected and stored from publicly available sources—such as sanctions lists, PEP registries, and crime databases—for the purpose of building and maintaining SEON’s AML screening infrastructure. At this initial stage, SEON does not conduct any active processing beyond storage, nor does it draw conclusions or take any actions related to individuals.

10.3 Subsequently, if a customer initiates an AML screening query by submitting personal data (e.g., a name and date of birth), SEON compares this against its database to determine whether a potential match exists. If a match is found, SEON provides structured search results to the customer containing the relevant public data entry.

10.4 SEON does not determine whether a match is conclusive or make any determinations regarding the identity, risk level, or eligibility of an individual, hence, SEON does not make any decisions or recommendations for our customers about you based on the information processed by SEON. All decision-making responsibilities rest solely with the customer, who must assess the relevance and implications of any matches identified. SEON expressly prohibits customers from making solely automated decisions based on SEON’s results that produce legal effects or similarly significantly affect individuals. SEON’s customers are – contractually – responsible for taking appropriate steps to verify the identity of the individuals they screen and to determine how to interpret and act on the results. SEON provides a structured and searchable database, but final verification and decision-making remain the responsibility of the customer performing the AML check.

11. WHAT ARE YOUR RIGHTS?

What are your rights?

11.1 Depending on where you reside (thus, what data protection laws are applicable to you) you may have the following rights regarding the processing of your Personal Data carried out by us:

Right to access.

11.2 You may have the right to request access to your Personal Data and obtain information regarding (among others): the purpose of processing; what categories of Personal Data are processed; to whom your Personal Data is transferred or disclosed; for what period is your Personal Data processed (data retention period); your rights in connection with data processing carried out regarding your Personal Data; your right to lodge a complaint with a supervisory authority regarding the processing; in case your Personal Data is being collected from other sources than from you, any available information as to the source; the existence of automated decision-making and related information, including the logic involved, as well as the significance and the envisaged consequences of such processing for you; whether your Personal Data is transferred outside the EEA and regarding the conditions of these transfers. 

Right to rectification.

11.3 You may have the right to request to rectify your inaccurate Personal Data and to request to complete your incomplete Personal Data by means of providing with a supplementary statement.

Right to erasure.

11.4 If you request to do so, any of your Personal Data will be erased in the event of the following:

  • your Personal Data is no longer necessary for the purpose concerned;
  • you object to the processing and there are no overriding legitimate grounds for the processing;
  • your Personal Data has been processed unlawfully;
  • your Personal Data has to be erased according to relevant laws.

11.5 Please note that we  are entitled to not erase your Personal Data if it is necessary – inter alia – for exercising the right of freedom of expression and information, for compliance with legal obligations, and for the establishment, exercise or defense of legal claims.

Right to restriction of processing.

11.6 You may have the right to obtain a restriction of processing where one of the following applies:

  • you have contested the accuracy of your Personal Data, in which case you will obtain restriction for a period of time enabling us to verify the accuracy of your Personal Data;
  • the processing is unlawful, and you oppose the erasure of your Personal Data and request the restriction of the use of your Personal Data instead;
  • your Personal Data is no longer needed for the purposes of the processing, but your Personal Data are required by you for the establishment, exercise or defense of legal claims; or
  • you objected to the processing and the verification is pending whether the our legitimate grounds override yours.

11.7 Where processing has been restricted, Personal Data shall, with the exception of storage, only be processed for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of an EU member state.

11.8 Please be assured that we will carefully review any rectification requests you submit. However, such requests may not always result in changes to the information we hold about you in our AML database. This is because SEON aggregates data from publicly available sources, and if the information remains accurate and relevant based on the original source, or if there are other lawful grounds permitting us to retain it unchanged, we may not alter or remove it. We encourage you to contact the original source directly if you believe the public data is incorrect. Once updated by the source, SEON’s records will reflect the change during our next scheduled update.

Right to object to processing.

11.9 You may have the right to object to the processing of your Personal Data on grounds relating to your particular situation, where the legal basis of the processing activity is our legitimate interest. Your Personal Data will no longer be processed unless we can demonstrate compelling legitimate grounds, which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. 

Right to data portability.

11.10 If certain conditions apply, you may have the right to receive your Personal Data in a structured, commonly used and machine-readable format and have the right to transmit that data from us to another controller without hindrance, where technically feasible.

Right not to be subject to automated-decision making.

11.11 You  may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. However, please note that the automated processing activities by SEON do not qualify as automated decision-making (as defined in the applicable data protections laws) that would have legal consequences or similarly significant impacts on you. For more information about this please refer to Section 10 of this AML Privacy Notice.

How can you exercise your rights?

11.12 If you wish to exercise any of your foregoing rights, you should submit your requests to us by sending a request to our Data Protection Officer (DPO) at [email protected]. In this case, SEON will act in accordance with the requirements set out in the applicable law applicable to the data controller in relation to data subject requests.

11.13 We will provide information on the actions taken on your request without undue delay and in any event within one month of the receipt of your request (or sooner if required by applicable law). This period may be extended with a reasoned notification to you by two months where necessary, taking into account the complexity and number of requests. 

11.14 Please note that we may ask you to verify your identity before taking further action on your request.

11.15 We will take the necessary actions free of charge except when your request is manifestly unfounded or excessive. In case we have reasonable doubts as to the identity of the natural person making the request, we may request additional information necessary to confirm your identity. We will inform all recipients of all rectification, erasure, or restriction of processing to whom Personal Data was disclosed except if it is impossible or requires disproportionate effort.

11.16 In case we do not take any action regarding your request, we will inform you within one month of the receipt of your request (or sooner if required by applicable law) as to the reasons and the possibility of lodging a complaint with a data protection supervisory authority and seeking a judicial remedy.

Limitations Related to Public Source Data

11.7 Please note that SEON operates as a data aggregator and does not exercise editorial control over the content of the publicly available or official records it collects—such as sanctions lists, crime registries, or PEP databases. This means that:

  • SEON cannot alter, update, or remove the content of these original data sources;
  • Requests for rectification or erasure that relate to the substance of public records cannot be actioned directly by SEON;
  • If your request relates to incorrect, outdated, or disputed information in one of these public sources, we will direct you to the relevant original source (e.g., the issuing authority or competent organization) so that you may pursue correction or removal there.

11.18 While SEON may – if applicable – ensure that updates from the original source are reflected in its systems once available, the exercise of certain rights under applicable data protection laws (e.g., rectification, erasure, or objection) may be subject to these source-based constraints.

11.19 Furthermore, please note that if your request relates to the processing of personal data solely by a SEON customer, we will refer your request to the relevant customer, as in such case, the customer acts as the data controller of your Personal Data.

Your Rights- California Residents

11.20 If you are a resident of California, under the California Consumer Privacy Act (“CCPA”), we are required to provide additional information to you about how we use and disclose your information, and you may have additional rights with regard to how we use your information.

11.21  Consistent with the “WHY AND HOW ARE WE PROCESSING YOUR PERSONAL DATA“ section above, we collect certain categories and specific pieces of information about individuals that are considered “Personal Information” in California. As detailed above, we may collect this Personal Information from you and other third parties. We collect, share and disclose Personal Information for the business and commercial purposes described in the “WHY AND HOW ARE WE PROCESSING YOUR PERSONAL DATA” and „HOW DO WE SHARE YOUR PERSONAL DATA?” sections above.

11.22 We do not sell Personal Information, as this term is defined under California law.

11.23 Subject to certain exceptions, as a California consumer, you have the right to: (i) access your Personal Information; (ii) obtain deletion of your Personal Information; (iii) receive information about the Personal Information about you that we have “sold” (as such term is defined under California law) to third parties within the past 12 months; and (iv) opt-out of the “sale” of your Personal Information, including as detailed above in the “Cookies and Tracking Technologies” section. To the extent permitted by applicable law, we may be required to retain some of your Personal Information, and certain Personal Information is strictly necessary in order for us to fulfill the purposes described in this Privacy Policy.

11.24  Should you wish to request the exercise of your other rights as detailed above with regard to your Personal Information, we will not discriminate against you by offering you different pricing, products or services, or by providing you with a different level or quality of products or services, based solely upon this request. Please see the “Contact us” section below if you have questions or wish to exercise such rights.

11.25 If you are a California consumer and you wish to exercise your rights as outlined in this section, you may need to provide information such as name and e-mail so that we can verify your identity. We will use the information you provide when exercising your rights for no other purpose other than to verify your identity. You also have the option of designating an authorized agent to exercise your rights on your behalf. For authorized agents submitting requests on behalf of California residents, please contact us as described below, with any evidence you have that you have been authorized by a California consumer to submit a request on their behalf.

11.26 We do not rent, sell, or share your Personal Information with nonaffiliated companies for their direct marketing purposes, unless we have your permission. You also may have the right to request that we provide you with (1) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (2) the identity of those third parties.

11.27  You can exercise any of these rights by contacting us through the methods described in the Privacy Notice section below.

12.   REMEDIES

12.1  In case you do not agree with our response or action, or if you consider that your rights have been infringed, you may lodge a complaint with the data protection supervisory authority in the UK or the EU Member State of your habitual residence, place of work or place of the alleged infringement, in particular, with the following data protection supervisory authorities:

12.2  Hungarian National Authority for Data Protection and Freedom of Information (address: HU-1055 Budapest, Falk Miksa utca 9-11, mailing address: 1363 Budapest, Pf.: 9.; tel.: +36-1-391-1400; e-mail: [email protected]);website: naih.hu);

12.3  Information Commissioners Office (address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, online contact form: https://ico.org.uk/global/contact-us/).

12.4 Please see EU authorities at https://ec.europa.eu/justice/article-29/structure/data-protectionauthorities/index_en.htm.

12.5  In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SEON commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

12.6 You may, subject to its terms, invoke binding arbitration in accordance with Annex I of the DPF Principles: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

12.7 This provides that you may invoke binding arbitration by delivering notice to SEON and following the procedures and subject to conditions set forth in Annex I of the Principles.

13. UPDATES TO THIS AML PRIVACY NOTICE

Please note that we review this AML Privacy Notice from time to time and we reserve the right amend it as necessary. When we amend this AML Privacy Notice, we will announce and publish it on our Website. We encourage you to review this AML Privacy Notice regularly.