1. Identification of the Data Controller
The Data Controller for the personal data collected through this website and during the provision of our consulting services is CAML UAB, registration number 305936344, J. Jasinskio g. 14B-26, LT-01112 Vilnius, Lithuania. As a registered entity in Lithuania, during the performance of critical AML functions, we are subject to the supervision of the State Data Protection Inspectorate and the Financial Crime Investigation Service (FNTT).

​

2. Scope of Data Processing and Service Specifics
In accordance with our service offerings, when applicable, we process personal data to provide the following:

1. Strategic AML/CTF Consulting: Processing client records to design internal compliance frameworks.

2. KYC/AML People Outsourcing: Processing identification documents and background checks for the employees or clients of our customers.

3. Compliance Audits and Risk Assessments: Analyzing financial behavior and transaction patterns to identify money laundering risks.

4. Training and Personnel Vetting: Processing professional data of compliance officers to ensure technical qualification.

​

3. Categories of Personal Data Processed
The Company handles several layers of information, particularly when conducting Enhanced Due Diligence (EDD) or screening Politically Exposed Persons (PEPs):

• Identification Data: Full name, date of birth, nationality, passport/ID number, and photographs.

• Contact Information: Email address, phone number, and physical address.

• Financial Data: Source of wealth (SoW), source of funds (SoF), bank account details, and transaction history.

• Corporate/UBO Data: Shareholder registers and Ultimate Beneficial Owner (UBO) details.

• Screening Data: PEP status and inclusion in international sanctions lists (EU, UN, OFAC).

 

4. Legal Bases for Processing (GDPR Article 6)
Performance of a Contract: To execute our consulting services agreement and manage the business relationship.

Compliance with a Legal Obligation: Our primary basis for AML/KYC activities is mandated by the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania.

Legitimate Interests: To process website analytics and engage in professional communication with potential clients.

Explicit Consent: When processing "Special Categories of Data" (e.g., biometric data for remote identification) not strictly mandated by law.

​

5. Data Retention: The AML-GDPR Balance
We adhere to the following retention schedule, balancing GDPR minimization with mandatory AML retention periods:

KYC / CDD Documentation: 5-8 years after the termination of the business relationship, as per Lithuanian AML Law.

Website Inquiries: 24 months from the last contact.

Consulting Project Data: Duration of contract plus 10 years, following the statute of limitations for civil liability in Lithuania.

​

6. Data Subject Rights and Limitations
You have the right to access, rectify, and port your data. However, in an AML context, the "Right to Erasure" and "Right to Object" are limited:

• Mandatory Retention: We cannot delete data required by law for financial crime prevention until the mandatory period expires.

• "Tipping Off" Rules: We may be legally prohibited from disclosing if a Suspicious Activity Report (SAR) involving your data has been filed.

​

7. International Transfers and Security
Sub-Processing: All transfers to sub-processors (e.g., ID verification providers) are secured via Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs).

Security Measures: We employ bank-grade protocols, including end-to-end encryption for document transfers and multi-factor authentication for all staff.

​

8. Updates and Contact
This policy is periodically reviewed to reflect changes in EU AML Regulations (AMLR). For inquiries, contact our compliance officer at office@caml.lt.

​

Last Updated: March 26, 2026