Via San Vittore 43, 20123 Milan (Italy) +39 02 7234 3715 transcrime@unicatt.it

Tool Data Privacy Statement – Article 14 GDPR

This statement does not refer to data collected while browsing the KLEPTOTRACE website, which is available here.

The KLEPTOTRACE project develops a tool designed to detect anomalies in firms’ ownership structures and flag high risks of collusion, corruption, and money laundering within the European Union. This tool aims to support public authorities with financial crime investigations while also incorporating a research component focused on developing AI models to detect illicit schemes based on the characteristics of assets. The expected outcome is a set of services operating within a configurable privacy and data protection framework, ensuring compliance with local legal requirements.

Contact details

Project Coordinator (Data Controller)

Prof. Ernesto Ugo Savona
E-mail: transcrime@unicatt.it
UCSC-Transcrime
Via S. Vittore 43/45, 20123 Milan (Italy)

Personal data received through these channels will be processed as far as necessary to effectively handle your requests. This data will not be shared with others and will be deleted when it is no longer required to handle your requests. The rights described in section 5 also apply to this personal data.

Joint controllers

The KLEPTOTRACE project connects 11 partners from various fields who jointly determine the purposes and means of processing within the project (joint-controllers). These partners can be split up into four groups with different tasks in the project. The specific tasks and goals are defined in an agreement between the European Union and the partners. You can find a short description of the tasks and the influence on the purposes and means of processing below.

Research organization

The research organization involved in project KLEPTOTRACE is Transcrime – Università Cattolica del Sacro Cuore, covering a broad spectrum of activities in the project. Transcrime researches technological possibilities to meet the requirements of Partners in its field of expertise and researches the legal and ethical implications of the developed tools. All fields (tech, legal, ethics) are taken into consideration when determining purposes and means of the processing.

Law Enforcement Agencies (LEAs)

LEAs provide Transcrime with important information and feedback on requirements for the development and validation of the software which shall be used in the performance of their activities. Personal data may be shared with LEAs during the project. The Partners involved in the project are:

ANABI: Agentia Nationala de Administrare a Bunurilor Indisponibilizate (RO)

CNP: Cuerpo Nacional De La Policia (ES)

FIU.LV: Financial Intelligence Unit – Latvia (LV)

MFSA: Malta Financial Service Authority (MT)

Anticorruption Authorities (ACAs)

ACAs provide Transcrime with important information and feedback on requirements for the development and validation of the software which shall be used in the performance of their activities. Personal data may be shared with LEAs during the project. The Partner involved in the project is:

ANAC: Autorità Nazionale Anti-corruzione (IT)

Investigative Journalists

IJs provide Transcrime with important information and feedback on requirements for the development and validation of the software which shall be used in the performance of their activities.

IRPI: Investigative Reporting Project Italy (IT)

CONTEXT.RO: Associatia Journalistor de Investigatii Context

Purposes of processing

The KLEPTOTRACE project develops a tool designed to detect anomalies in firms’ ownership structures and flag high risks of collusion, corruption, and money laundering within the European Union. This tool aims to support public authorities with financial crime investigations while also incorporating a research component focused on developing AI models to detect illicit schemes based on the characteristics of assets. The expected outcome is a set of services operating within a configurable privacy and data protection framework, ensuring compliance with local legal requirements. In particular, the tool:

  1. Produce a groundbreaking analysis of the risk factors of transnational high-level corruption and of the schemes used to circumvent EU sanctions;
  2. Carry out 5 targeted trainings for EU public authorities, private sector (e.g. banks) and civil society to strengthen anti-corruption investigation/intelligence capabilities;
  3. Develop a data-driven toolbox for tracing and interconnecting different assets (e.g. firms, real estate, vessels) related to high-level corruption and sanctioned entities;
  4. Carry out an assessment of current EU sanction regimes and make legal and policy recommendations to make them more effective and sustainable against transnational corruption;
  5. Boost the awareness of EU authorities and civil society with a dissemination campaign about the risks of ‘kleptocracy’ and of its interlinks with organised crime and illicit financial flows.

Limitations to the provision of information and updates to this statement

Pursuant to Article 14 GDPR, where personal data have not been obtained from the data subject, the controller is generally obliged to provide the data subject with information such as the identity and the contact details of the controller and the data protection officer (DPO), and various details on the processing. The KLEPTOTRACE consortium provides this information within this statement.

Nonetheless, pursuant to Article 14 (5) (b) GDPR the extent to which information has to be provided can be limited where the provision proves impossible or would involve a disproportionate effort, in particular for processing for scientific purposes. As KLEPTOTRACE does not obtain data from the data subject and carries out scientific research, it falls under the scope of this article. Consequently, the project consortium is not obliged to directly provide data subjects with information on the processing of the data of its own accord. However, KLEPTOTRACE takes appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including the publication of information on the processing within this statement. Regarding this publication of information, it is inherent to research in the field of law enforcement that some information is subject to confidentiality. The exposure of detailed information in this data privacy statement is hence partially limited to avoid impairment of the project’s pursued purposes.

Data subjects’ rights and limitations

KLEPTOTRACE processes personal data, relevant and limited to what is necessary for the purpose of the project, from the sources stated below. Some sources contain data that make the identification of individuals potentially possible. The project consortium is not in a position to detect those matches or bits of information without additional data. Data subjects generally have the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability. These rights may be restricted under the conditions described below. However, any requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.

Pursuant to Article 11 (1) GDPR the project consortium is not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR. However, pursuant to Article 11 (2) GDPR where data subjects provide additional information in order to exercise their rights under Articles 15–22 GDPR, the KLEPTOTRACE consortium will handle the request in compliance with technical and legal requirements. In this regard, the identity of the data subject, as well as the relation to the data referred to in the request, has to be sufficiently verified.

The exercise of some of the data subjects’ rights (4.1 – 4.4 of the Agreement) may be further restricted pursuant to Article 89 (2) in conjunction with the respective national legislation. The following rights are generally available to the data subjects.

Right to access (Article 15 GDPR)

The data subject has the right to obtain confirmation as to whether or not processing of personal data concerning them takes place in the KLEPTOTRACE project. If this is the case the data subject can request access to his/her data. Granting the right to access only occurs where the identification of the data subject is possible.

Right to rectification (Article 16 GDPR)

The data subject has the right to obtain the rectification of inaccurate personal data concerning them. The exercise of this right is only possible where the data subject can be identified, and the inaccuracy of data is verified.

Restriction of processing (Article 18 GDPR)

The data subject has the right to obtain the restriction of processing, where:

  1. the accuracy of the personal data is contested;
  2. the processing is unlawful, the data subject opposes the erasure of personal data and requests the restriction of processing instead;
  3. the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  4. the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

The exercise of this right may require provision of further information to allow identification of the data subject as described in section 4 of the Agreement.

Right to object (Article 21 GDPR)

The legal basis for the processing of personal data in the KLEPTOTRACE project is Article 6 (1) (f). The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning them unless the KLEPTOTRACE consortium demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

The exercise of this right may require provision of further information to allow identification of the data subject as described in section 4 of the Agreement.

Right to erasure (’Right to be forgotten’) (Article 17 GDPR)

The data subject has the right to obtain erasure of personal data concerning them, if

  1. the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds (see 4.4 of the Agreement);
  2. the personal data have been unlawfully processed;
  3. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Pursuant to Article 17 (3) (d) GDPR the right to erasure may be restricted to the extent that the processing is necessary for scientific purposes and would render impossible or seriously impair the achievement of objectives of the processing. The KLEPTOTRACE consortium will assess the possibilities to erase personal data under the conditions stated in section 4 of the Agreement.

Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

The data subject has the right to lodge a complaint with a data protection supervisory authority in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

A list of national supervisory authorities can be found on the European Commission website (here).

Legal basis of the processing

The processing of personal data by the KLEPTOTRACE project is based on Article 6 (1) (f).

Article 6 (1) (f) GDPR allows processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The common legitimate interest of all partners in KLEPTOTRACE goes along with the project goals and is to effectively participate in the project and development and research of novel data driven techniques to support LEAs, ACAs, CAs in investigations and monitoring activities. KLEPTOTRACE is jointly controlled by the partners (see Article 26 GDPR ‘Joint controllers’) and the individual interests beyond the overall goal may differ.

The Research Partner in KLEPTOTRACE (i.e. Transcrime – Università Cattolica) has a legitimate interest to study, analyze and understand novel technologies for financial crime investigation. Moreover, the processing of data is a key element for applied research projects that constitute Transcrime’s core business. Therefore, its legitimate interest within the KLEPTOTRACE project also extends to be able to run and strengthen these business models in particular by developing their technical capabilities through research.

Business interests are protected by Article 15 and Article 16 of the Charter of Fundamental Rights of the European Union. Scientific research is protected under Article 13 of the Charter of Fundamental Rights of the European Union. Although some of the interests of the partners differ, they all pursue the goal to make underground investigations more effective through development and research of novel data driven techniques, thereby helping to make societies more secure and following legitimate interests.

The KLEPTOTRACE consortium conducted a data protection impact assessment and it is aware of the risks to fundamental rights and freedoms of the data subjects affected by the processing. These risks may result in interests contrary to the interests of the KLEPTOTRACE consortium. Those interests go along with the protection of personal data and the right to privacy protected under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The KLEPTOTRACE project carefully weighed these different interests. Taking into account the public availability and pseudonymity of the data, the specific interest in development of privacy aware tools, as well as the implementation of high safeguards to protect the rights and freedoms of the data subjects in the project, these contrary interests do not outweigh the legitimate interests of the project partners described above.

In some countries data processing for the KLEPTOTRACE project may be based on specific research clauses in national law. Where this is the case, the processing is based on Article 6 (1) (e) GDPR in conjunction with these specific research clauses. Where such clauses do not exist, the processing is based on Article 6 (1) (f) GDPR as described above.

Categories of personal data

KLEPTOTRACE processes the following categories of personal data:

  1. Business Information coming from Orbis Bureau van Dijk and Dun & Bradstreet via API
    1. Generic description: Information on companies operating worldwide. It contains information on companies, such as company name, legal form, date of incorporation, economic sector, legal addresses and other local units, legal events, financial statements, ownership, and administrative information. It contains information on individuals covering the position of shareholders, beneficial owners, or managerial positions of businesses registered globally.
    2. Personal data involvement: Personal data related to the profile of the individuals who have covered or are currently covering positions in the companies (such as administrative or shareholder positions) is included. It regards information on the name of individuals, date of birth, place of birth, national identifier (when available), and information on the position covered in the company (such as starting or ending date, and type of position).
    3. Special category of data involved: From the information on the individuals, it is not possible to retrieve information on racial or ethnic origin, or political opinions, or religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
    4. Involvement of data related to criminal convictions and offences: From the information on the individuals, it is possible to understand whether an individual is mentioned in a compliance dataset, which collects information on individuals with criminal convictions, sanctions, and other offences from open data sources and press releases. However, this dataset does not provide detailed information about those offenses. In those cases in which the data source indicates an allegation against an individual, it enables users to perform more targeted inquiries into other compliance databases. This approach facilitates a deeper understanding of the allegation’s origin and specifics, thereby enhancing risk assessment procedures. Essentially, it streamlines the process of consulting additional compliance sources by preemptively signaling an alert that warrants further evaluation.
    5. Category of data subjects whose processed personal data may be traced: The personal data pertains to information on current beneficial owners, current shareholders, current and previous managers of companies registered worldwide.

  2. Local Administrator
    1. Generic description: Information on local administrators operating in some of the countries covered by the project. These individuals are identified based on their roles in the administrative structure of their respective regions, municipalities, or provinces. The inclusion criteria for local administrators involve their active involvement in political or administrative capacities at various levels of local governance. It contains information such as individual name and surname, national identifier, gender, date of birth, place of birth, country of birth, political position, level of administration (region, municipality, province), date of election, political party.
    2. Personal data involvement: Personal data related to the profile of the individuals who have covered or are currently covering local administration positions in one of the covered countries is included. It regards information on the name of individuals, date of birth, place of birth, national identifier (when available), and information on the position covered in the local administration (such as the political party, the date of election, and the role in the administration).
    3. Special category of data involved: From the information on the individuals, it is possible to retrieve information on political opinions, but not about racial or ethnic origin, or religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
    4. Involvement of data related to criminal convictions and offences: From the information on the individuals, it is not possible to understand whether the individuals are related to criminal convictions and offences.
    5. Category of data subjects whose processed personal data may be traced: The personal data pertains to information on the current and historical position of local administrators in part of the countries covered by the project.

  3. Cadastral Data from GeniusLoci
    1. Generic description: Information on real estate in Italy. It contains information on the real estate, the owner, and the owning right. It contains data such as Sheet, Parcel, Subcategory, Annuity, description and location of a building or land. It also contains information on the owners of the land (biographical data, tax code, rights and real charges).
    2. Personal data involvement: Personal data related to the profile of the owners of the land or building is processed. It regards information on the name of individuals, date of birth, place of birth, national identifier (when available), and information on their owning right.
    3. Special category of data involved: From the information on the individuals, it is not possible to retrieve information on political opinions, racial or ethnic origin, or religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
    4. Involvement of data related to criminal convictions and offences: From the information on the individuals, it is not possible to understand whether the individuals are related to criminal convictions and offences.
    5. Category of data subjects whose processed personal data may be traced: The personal data pertains to information on the current owner of land and buildings in Italy.

  4. Compliance List from Lexis Nexis World Compliance and SGR
    1. Generic description: Information on sanctions (entities and individuals included in a global screening list), enforcements (entities and individuals with final sentences and court filings around the world, gathered from open data and press releases), high-level politically exposed individuals and state-owned entities. It contains the name of individuals or entities, place of birth (or location), date of birth, and reasons for filing.
    2. Personal data involvement: Personal data related to the profile of the individuals in the compliance list is included. It regards information on the name of individuals, date of birth, place of birth, and the reason for filing.
    3. Special category of data involved: From the information on the individuals, it is possible to retrieve information on political opinions (in case of politically exposed entities), but not information on racial or ethnic origin, or religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
    4. Involvement of data related to criminal convictions and offences: By examining compliance datasets that draw on open data sources and press releases, it’s possible to identify whether individuals are noted for criminal convictions, sanctions, and other offenses. Such information is crucial for associating the assets accessible to these individuals with their possible illicit sources of income, thereby aiding in the recovery of assets derived from unlawful gains.
    5. Category of data subjects whose processed personal data may be traced: The personal data pertains to information on current beneficial owners, current shareholders, current and previous managers of companies registered worldwide.

  5. Investigative Leaks from ICIJ
    1. Generic description: Information on people or entities using offshore companies and trusts which have been exposed in leaks. It contains information on the name of individuals or entities, nationalities, jurisdictions used, leaks in which they have been exposed.
    2. Personal data involvement: Personal data related to the profile of the individuals in the compliance list is included. It regards information on the name of individuals and their nationalities.
    3. Special category of data involved: From the information on the individuals, it is not possible to retrieve information on political opinions, racial or ethnic origin, or religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
    4. Involvement of data related to criminal convictions and offences: The information available on individuals does not clarify whether they are listed in compliance datasets, which compile records of criminal convictions, sanctions, and other offenses. However, it does reveal if individuals have utilized services provided by companies and intermediaries based in offshore jurisdictions. Such intelligence activities can prove valuable by enabling investigators to gain a comprehensive overview of the assets accessible to these individuals. It should be noted, though, that this data source does not furnish details regarding the nature of the offenses.
    5. Category of data subjects whose processed personal data may be traced: The personal data pertains to information on individuals using offshore companies and trusts which have been exposed in leaks.

All databases/sources are owned by third parties and/or publicly available and the specific processing procedures performed on them are subject to prior evaluation by the project’s data protection officer.

Processing details

Step 1 – User search: The user searches for a company, an individual, a vessel or an address (or a set of those) by using unique identifiers (e.g., VAT/Tax codes), names or other search parameters. These may be combined with additional information to improve the search (e.g., postcode, country ISO code). The user selects the data sources in which they want to perform their search. They obtain a list of matches and decide which of them to retrieve information on.

Step 2 – Data gathering and creation of database: The necessary information is identified based on the user’s search criteria, gathered, and stored in a database. The data retrieved are gathered from different sources (as listed in previous question).

Step 3 – Data reconciliation: The user has the capability to reconcile data that pertains to specific entities and individuals, since they may have different identifiers and appear as different nodes in different data sources. This is done manually by the user, at most facilitated by suggestions from the toolbox.

Step 4 – Data processing and risk scoring: The toolbox processes the relevant data in the database to calculate risk scores at asset level. Risk indicators are assigned to a selected asset or to a group of assets. Risk indicators are calculated by the prototype based on algorithms developed by Transcrime. The risk scores will be based on both deterministic and probabilistic criteria (details in the methodological note in the KLEPTOTRACE toolbox and available on request), and will assess:
      • Static Risk, composed of:
        1. Anomalies in ownership characteristics,
        2. Anomalies in financial characteristics,
        3. Links with: PEPs; Sector Risk; Territory Risk.
      • Relational Risk:
        1. Group of assets with ownership links;
        2. Group of assets geographically concentrated;
        3. Risks coming from the other nodes connected to the target assets.

Step 5 – Output: Based on calculations made in Step 4, the prototype provides a series of outputs to the user. Outputs include:

    1. The lists of assets with associated risk indicators (e.g., complexity of ownership structure);
    2. Aggregated statistics of risk indicators referred to the list of assets uploaded by the user;
    3. Groups of assets linked through anomalous ties (e.g., ownership links, geographic links);
    4. A graph showing anomalous links between assets (e.g., ownership links, geographic links);
    5. A map showing the geographic concentration of assets in specific locations.

Step 6 – Data storage and data destruction: Relevant data, if not previously erased by the user, may be stored until the end of the project (April 2025). After expiry of this period, the corresponding data will be deleted or fully anonymised. In any case, searches performed by each user will not be visible to the other users or to the developers.

Recipients or categories of recipients of the personal data

Personal data may be shared only among Joint-Data Controllers involved in the KLEPTOTRACE Project.

Storage and retention

Personal data are not intended to be stored longer than necessary for the research purposes pursued by the KLEPTOTRACE project. At the end of the project in April 2025, it will be reassessed for each partner individually whether further storage is necessary and lawfully possible. In this regard, the differences between LEAs, ACAs, CAs and research organizations have to be taken into account. In order to assess the necessity of further storage, data review takes place periodically over the course of the project. Unnecessary data will be anonymized or deleted.

KLEPTOTRACE Indicators: Proprietary and transparent methodology

The algorithms included in KLEPTOTRACE for calculating the risk indicators are UCSC-Transcrime proprietary, transparent, and known information. The methodology, data sources, and criteria for updates are included in the document “Risk Indicators methodological note”, uploaded in the toolbox’s interface and accessible by the End Users. This ensures that decision-making based on KLEPTOTRACE algorithms is a “white box”, meaning that the inner workings, logic, and criteria of the algorithm are transparent and understandable. This transparency is important for ensuring:

  1. Accountability: Transparent algorithms make it easier to assign responsibility for decisions.
  2. Fairness and Bias Mitigation: A white box algorithm allows stakeholders to scrutinize and identify potential biases in the decision-making process.
  3. User Trust: End Users are more likely to trust and accept decisions made by algorithms when they understand how those decisions are reached.
  4. Robustness and Reliability: Understanding the internal workings of an algorithm allows researchers and developers to identify potential weaknesses or vulnerabilities.