Relevance of the sanctions list check in terms of data protection

In many companies, so-called sanctions list checks or embargo list checks are carried out. The fact that this is a topic relevant to data protection law is often forgotten. However, since personal data is processed in the course of these audits, the scope of application of the GDPR is opened and the requirements must be complied with.

What are sanctions lists?

Sanctions lists or embargo lists are governmental lists that are issued in order to achieve a certain behavior. Certain business relationships with certain persons or organizations, or with regard to certain products, are sanctioned. Often there is no legal obligation to audit. Nevertheless, sanctions can be imposed if relevant business relationships are entered into.

The aim of the person/organization-related sanctions list check is to combat terrorism worldwide. The enactment of country/product-related sanctions lists usually has political or economic reasons. Therefore, different national laws order e.g.,

  • Freeze funds and economic resources of suspected terrorist individuals and entities,
  • not to make funds or other economic resources available to them, either directly or indirectly (prohibition of provision), and
  • not to sell and export certain goods to certain persons, entities and bodies (arms embargo).

Violations of these provisions may, for example, constitute criminal offenses under §§ 17 et seq. AWG constitute.

Conducting the check

In order not to become liable to prosecution or risk other sanctions, many companies check persons, organizations and companies before entering into a business relationship with them. For this purpose, software is often used that compares the persons, organizations and companies entered with a constantly updated version of the various lists.

Regular checks are also usually carried out in ongoing business relationships. Customers, suppliers, all business partners, but also all employees within the meaning of Section 26 (8) BDSG are affected by data processing.

Aspects relevant under data protection law

If software is used, it must be checked on a case-by-case basis whether commissioned processing pursuant to Art. 4 No. 8 GDPR exists. If necessary, an agreement must be concluded with the processor in accordance with Art. 28 GDPR. The processing activity must be documented in the directory pursuant to Art. 30 (1) GDPR. The general requirements from Art. 5 GDPR must be observed, e.g. the test results may not be stored indefinitely. The information must not be misused and a legal basis must exist for the data processing. In addition, the information requirements according to Art. 13, 14 GDPR must be complied with. The persons affected by the data processing must be informed to the extent required by law.


If you need support with the data protection-compliant design of the sanctions list audit in your company or other topics related to data protection, simply make an appointment with us here! We will be happy to advise you!