Information on the protection of personal data (information memorandum on the processing of clients’ personal data, processing of personal data for marketing purposes and for protection of property and security, and for other purposes of processing).
Across Wealth Management, o.c.p., a.s., with registered office at Zochova 3, 811 03 Bratislava, the Slovak Republic, company ID (IČO): 35 763 388, registered in the Business Register of the Bratislava I District Court, Section: Sa, file No.: 2079/B (hereinafter only referred to as the “Controller” or the “Company”) processes your personal data for the purposes and on the legal bases as defined below in this information memorandum. This information memorandum also contains more detailed information about the processing of your personal data, as well as information about the rights you are entitled to as a data subject under Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts, as amended (hereinafter only referred to as the “PPD Act”) and under regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter only referred to as the “GDPR”).
Our Company is the Controller of your personal data, which means that our Company determines the purpose and means for the processing of your personal data.
1. OUR COMPANY’S CONTACT DETAILS
Business name: Across Wealth Management, o.c.p., a.s.
Address: Zochova 3, 811 03 Bratislava, Slovak Republic
Phone: +421 2 5824 0300
2. WHICH PERSONAL DATA WE PROCESS
2.1. Common personal data: Our Company as the Controller processes the following personal data you provide us mainly by completing an application for the opening of an account, by completing forms on the website of our Company at www.across.sk or by any other means, which in particular include:
2.1.1. identification data (such as name, surname, title, date of birth, birth certificate number, other information from an ID document, nationality, client number, product number);
2.1.2. contact details (such as address of permanent and/or temporary residence, email address, phone number);
2.1.3. socio-demographic data (such as your age, gender, family status, education, income information, current and former employment, information concerning a politically exposed person, risk profile);
2.1.4. economic data (such as information about ownership rights in movable or immovable property, debt information, information about investment activities);
2.1.5. transaction data (such as information about transactions on accounts, recipients and senders);
2.1.6. data necessary for the use electronic services (such as IP address, information about software, web browser and device used, cookies);
2.1.7. video and audio records (such as recordings made by surveillance camera systems);
2.1.8. other relevant data (such as information about distraint proceedings, bankruptcy proceedings, personal bankruptcies, data related to the performance of your contractual obligations and liabilities, data about you payment discipline);
2.2. Special categories of personal data: Our Company as the Controller does not process any special categories of personal data (sensitive data). Special categories of personal data are personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. If the processing of a special category of your personal data is also required, we will either request you to provide your explicit consent to such processing, or we will process such personal data on another relevant legal basis.
3. PURPOSES FOR THE PROCESSING OF PERSONAL DATA (WHY WE HAVE YOUR PERSONAL DATA) AND LEGAL BASES FOR THEIR PROCESSING (ON WHAT BASIS WE HAVE YOUR PERSONAL DATA)
3.1. Personal data for specific purpose: When providing our services, we always process your personal data for a specific purpose specified in advance; each specific purpose of processing only requires some of your personal data. On the other hand, if you do not provide relevant personal data necessary for the specific purpose, our Company will be unable to provide the relevant service to you, or it will only be able to provide it in a very limited scope, which may eventually not be desirable for you. We are also required to process some personal data based on separate regulations that apply to our Company due to the nature of the services our Company provides; they are, in particular, the following regulations:
3.1.1. Act No. 566/2001 Coll. on securities and investment services and on amendments to certain acts (the Securities Act), as amended;
3.1.2. Act No. 297/2008 Coll. on the protection against money laundering and terrorist financing and on amendments to certain acts, as amended;
3.1.3. Act No. 186/2009 Coll. on financial intermediation and financial advisory services and on amendments to certain acts, as amended;
3.1.4. Act No. 203/2011 Coll. on collective investments, as amended;
3.1.5. DIRECTIVE 2014/65/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 May 2014 on markets in financial instruments;
3.1.6.REGULATION (EU) No. 600/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 May 2014 on markets in financial instruments.
3.2. Purposes of processing and applicable legal basis: We process your personal data for the following purposes and on the following legal bases:
|Purpose of processing:||Legal basis for processing:|
|Provision of services to clients of the Company – involves the processing of personal data of former, existing and prospective clients for the purposes of providing financial services that constitute the core business of our Company||Processing of personal data for the purposes of the performance of a contract and as part of steps taken prior to entering into a contract|
|Marketing purposes – mainly the distribution of a newsletter, customer satisfaction evaluation, sending offerings for products and services offered by our Company, as well as for products and services provided by companies and partners of the Across Private Investments group||Consent to the processing of personal data|
|Accounting purposes – the processing of personal data of business partners and subcontractors of the Company who are natural persons, including their contact details, for the purposes of contractual and business relationships||Processing of personal data for the purposes of the performance of a contract and as part of steps taken prior to entering into a contract|
|Exercise of legal claims – the processing of personal data for the purposes of exercising our Company’s legal claims in court, out-of-court, arbitration, administrative, distraint, bankruptcy and restructuring proceedings||Processing of personal data based on a legitimate interest|
|Identification and contact data – basic contact details of representatives of legal persons and other natural persons we obtain from publicly accessible sources designated for this purpose, directly from such persons, or from other persons||Processing of personal data based on a legitimate interest|
|Protection of property and security – the processing of personal data of clients, as well as other data subjects by means of surveillance camera systems for the purposes of protection of the property of our Company, the security of our Company, as well as the security of data subjects in the interior and exterior premises of our Company||Legitimate interest|
|Black list – the processing of personal data of legal persons and other natural persons with whom the Company will not enter into a contractual relationship||Legitimate interest|
3.3. Processing of personal data based on a legitimate interest: Our Company as the Controller is permitted under GDPR to process personal data even without obtaining consent to the processing of such personal data or without being required to process the personal data based on another legal basis, such as, for example, the performance of a contract or performance of obligations under a separate regulation. Under Article 6(1)(f) of GDPR, our Company is also entitled to process personal data on the basis of a legitimate interest.
3.4. Specific purposes of processing on the basis of a legitimate interest: You have the right to object against such processing of personal data on the basis of a legitimate interest under Article 6(1)(f) of GDPR; the details about such right are included in paragraph 1.6 below. If you exercise this right against the specific processing, our Company shall no longer process the personal data unless it demonstrates its compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless our Company demonstrates the grounds for the establishment, exercise or defence of legal claims If you object to the processing of your personal data on the basis of the legitimate interest specifically for direct marketing purposes, our Company will no longer process your personal data for such purposes.
3.4.1. Legitimate interest for marketing purposes: The legitimate interest of our Company in processing your personal data (mainly title, name, surname, address of residence and email) for marketing purposes (distribution of a newsletter, customer satisfaction evaluation, sending offerings for products and services offered by our Company, as well as for products and services provided by companies and partners of the Across Private Investments group) consists in that the promotion of the services and products of our Company to our current and former clients contributes to the development and growth of our Company; at the same time, the communication with our former and current clients provides feedback that enables our Company to identify how to improve our services and products and how to remove any issues and deficiencies. Our Company is deeply committed to provide the best and highest quality services to its clients; therefore, it is in our legitimate interest to use the basic contact data of our former and current clients for sending information about our services and products and, at the same time, to receive regular feedback from them through such communication. It is nearly vital for the proper functioning and development of our Company because each and every company operating on the market nowadays seeks to keep regular contacts with its clients.
3.4.2. Legitimate interest in surveillance camera monitoring: Our Company has a legitimate interest in using a surveillance camera system to monitor the interior and exterior premises where it carries out its business and provides its services. This is an important interest of our Company to safeguard its property, operation and public order and, at the same time, to ensure the security of our clients and other natural persons. Surveillance camera recordings also serve for the purpose of detecting criminal offences, identifying and searching for their perpetrators mainly for the purposes of the protection against money laundering and terrorist financing, revealing unlawful financial operations for the purposes of court proceedings and criminal prosecution.
3.4.3. Legitimate interest to keep a black list: Our Company is responsible under the applicable legal regulations to duly provide financial services and is fully liable for such provision of services. Equally, our Company serves a specific portfolio of clients and, therefore, we place the greatest emphasis on the quality of our services and the good reputation of our Company in our market segment. On that account, our Company keeps, including for preventive reasons, a specific internal list of persons in respect of whom a specific treatment and/or modification of the conditions of the provision services by our Company may be necessary. This involves safeguarding the economic interests, as well as good reputation and standing of our Company on the market in the financial segment in which our Company operates.
4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
4.1.List of recipients of the personal data: your personal data may be provided to the following recipients:
4.1.1. auditors and tax advisors where they carry out audit or advisory services for the Company;
4.1.2. banks and their branches where a client requests, in connection with the services and products provided by our Company, to also receive services provided by banks (mainly loans, credits, leasing);
4.1.3.contractors or agents of our Company who are not its employees and who ensure the operation of our Company and the provision of services by our Company and/or who, as brokers, seek and solicit clients for our Company and provide comprehensive consultancy and full service care to our clients (contracted financial agents and independent financial agents);
4.1.4. central securities depository Centrálny depozitár cenných papierov, e.g., when registration is required;
4.1.5. other security dealers, where required by the client or by the nature of the services and products provided by our Company for the client;
4.1.6. securities exchange Burza cenných papierov v Bratislave, a.s., with registered office at Vysoká 17, 811 06 Bratislava, company ID (IČO): 00 604 054;
4.1.7. providers of IT services that provide some IT services and infrastructure for our Company, including its website.
4.2. Public authorities and other third parties: your personal data may also be provided to any competent law enforcement authority, prosecutor’s office, court, regulator, supervision and control authority, government agency, distrainer, bankruptcy trustee, municipality, town, city, higher territorial unit, ministry, the National Security Authority, the Supreme Audit Office, the Office for Personal Data Protection of the Slovak Republic, the Financial Directorate of the Slovak Republic or other recipient if our Company believes that such provision is:
4.2.1. in compliance with a generally binding regulation, the PPD Act or GDPR; or
4.2.2. necessary for exercise, establishment or defence of a legal right/claim of our Company; or
4.2.3. necessary for the protection of important interests of our Company or important interests of any other person.
4.3. Provision of personal data upon data subject’s instruction: We may also provide your personal data to other recipients if you give consent or instruction to our Company for such provision of your personal data.
5. PERIOD FOR WHICH THE PERSONAL DATA ARE STORED
5.1. We will store your personal data not longer than for the period for which it is necessary for the purposes for which our Company processes your personal data, unless a generally binding regulation permits and/or requires that we store such personal data for a longer period.
5.2. Your individual personal data are stored for the following periods:
|Purpose:||Period for which the personal data are stored:|
|Provision of services to the clients of the Company||For the duration of the term of the contract plus additional ten years after the year when the contract was terminated/completed (pursuant to Act No. 431/2002 Coll. on accounting, as amended, Act No. 566/2001 Coll. on securities and investment services, and Act No. 186/2009 Coll. on financial intermediation and financial advisory services). If judicial proceedings are initiated against you as a debtor, our Company will process your personal data for the necessary period for which such judicial proceedings will continue.|
|Marketing purposes||For the period of validity of the consent (three years) or until the withdrawal of consent.|
Where the personal data is processed for a legitimate interest, for the period necessary for the performance of the purpose of processing, but not longer than for five years.
|Accounting purposes||For the duration of the term of the contract plus additional ten years after the year when the contract was terminated/completed (pursuant to Act No. 431/2002 Coll. on accounting, as amended). If judicial proceedings are initiated against you as a debtor, our Company will process your personal data for the necessary period for which such judicial proceedings will continue.|
|Exercise of legal claims||For the period necessary for the exercise of our Company’s rights and claims, at least for the duration of the limitation of time pursuant to the Civil Code or the Commercial Code, but longer than for ten years. If judicial or administrative proceedings are initiated against you as a debtor, our Company will process your personal data for the necessary period for which such judicial or administrative proceedings will continue.|
|Identification and contact data||For the period necessary in order to establish contact with specified persons, but not more than for five years from obtaining them.|
|Protection of property and security||For 33 days.|
|Black list||For the period of five years from obtaining them.|
6. TRANSFER OF THE PERSONAL DATA TO THIRD COUNTRIES
6.1. Our Company does not transfer, and does not intend to transfer, your personal data to third countries that do not provide an adequate level of personal data protection save for cases where such transfer is expressly required by a generally binding regulation or decision of a public authority.
7. YOUR RIGHTS AS A DATA SUBJECT RELATED TO THE PROCESSING OF YOUR PERSONAL DATA
7.1. Individual rights of data subjects: As does our Company have its rights and obligations in connection with the protection of personal data, you also have the rights in connection with the protection of your personal data (personal data that concern you). They are the following rights:
7.1.1. Right of access: You have the right to obtain from our Company confirmation as to whether our Company processes your personal data, which personal data it processes, for which purposes it processes your personal data, for how long it stores them, from which sources our Company obtains them, where it provides them, who processes such personal data except for our Company, whether and how automated decision-making, including profiling, is used in the processing or your personal data, and what other rights you have in connection with the processing of your personal data. All aforementioned information is included in this information memorandum, but if you think you do not know whether and which of your personal data our Company processes and how it processes them, you have the right of access to such personal data. Under the right of access, you may request our Company to provide you a copy of the personal data undergoing processing; the first such copy will be provided by our Company free of charge, any further copies will be charged.
7.1.2. Right to rectification: If you find that our Company processes your personal data that are inaccurate, incorrect or incomplete, you have the right to request our Company to correct and/or update such personal data.
7.1.3. Right to erasure (‘right to be forgotten’): You have the right to request our Company to erase your personal data without undue delay in the following cases:
126.96.36.199. your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by our Company; or
188.8.131.52. you have withdrawn consent to the processing of your personal data where such consent was required for the processing of such personal data and, at the same time, our Company has no other grounds or legal basis for their processing (such as the exercise of our Company’s rights and claims); or
184.108.40.206. you exercise your right to object to the processing of your personal data (more details concerning this right are included in paragraph 1.6 below) which our Company processes on the basis of a legitimate interest and our Company finds out that it has no other legitimate interests which would entitle our Company to further process such personal data;
220.127.116.11. if our Company has processed your personal data unlawfully; or
18.104.22.168. in order to comply with a legal obligation specified in a generally binding regulation applicable to our Company; or
22.214.171.124. if the personal data have been collected in relation to the offer of information society service addressed directly to a child.
We wish to note that our Company is not obliged to erase your personal data (personal data concerning you) in any of the aforementioned cases, if their processing is necessary:
126.96.36.199. for exercising the right to freedom of expression and information; or
188.8.131.52. for compliance of our Company with a legal obligation under a generally binding regulation; or
184.108.40.206. for archiving purposes, scientific or historical research purposes or statistical purposes; or
220.127.116.11. for the establishment, exercise or defence of legal claims of our Company.
7.1.4. Right to restriction of processing: In certain circumstances, in addition to the right to erasure, you also have the right to restriction of processing of your personal data by which you may, in particular cases, request that your personal data are marked and not subject to any processing operations for a certain period of time. Our Company is obliged to restrict the processing of your personal data if:
18.104.22.168. you contest the accuracy of the personal data, for a period enabling our Company to verify the accuracy of the personal data; or
22.214.171.124. the processing of your personal data is unlawful and you oppose the erasure of such personal data and request the restriction of their use instead; or
126.96.36.199. our Company no longer needs your personal data for the purposes of the processing but you need them for the establishment, exercise or defence of your legal claims; or
188.8.131.52. you exercise your right to object to the processing of your personal data (more details concerning this right are included in paragraph 1.6 below) pending the verification whether the legitimate interests of our Company override your legitimate interests.
Where the processing of your personal data has been restricted under this right to restriction of processing, such personal data shall, with the exception of storage, only be processed by our Company with your consent or for the establishment, exercise or defence of legal claims of our Company or for the protection of the rights of another natural or legal person or for reasons of important public interest of a state that is a member state of the European Union or a state party to the Agreement on the European Economic Area.
7.1.5. Right to data portability: You have the right to receive the personal data you have provided to our Company if our Company processes them based on the consent to the processing of personal data or based on a contractual performance, provided this must solely be the personal data which our Company processes by automated means (electronically). We will provide your personal data to you in a structured, commonly used and machine-readable format and you have the right to directly transmit those data to another controller, where technically feasible.
7.1.6. Right to object: You have the right to object to the processing of your personal data which is carried out based on the public interest and/or legitimate interest, including profiling based on legitimate interest. Our Company will no longer process your personal data unless it demonstrates its compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless our Company demonstrates the grounds for the establishment, exercise or defence of its legal claims.
If our Company processes your personal data for direct marketing purposes, you have the right to object at any time to the processing of such personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, our Company will no longer process your personal data for such purposes.
7.1.7. Exercise of rights: You may exercise your aforementioned rights using our Company’s contact details specified in paragraph 1 above.
7.1.8. Right to complain to the Office: In addition to exercising your aforementioned rights, you may also submit a complaint to the Office for Personal Data Protection concerning the processing of your personal data by our Company. The address of the Office for Personal Data Protection is Hraničná 12, 820 07 Bratislava, Slovak Republic; other information can be found at its web site at: https://dataprotection.gov.sk/
7.1.9. Notification of personal data breach: In the case of your personal data breach that is likely to pose a high risk to your rights and freedoms, our Company is obliged to notify you of such personal data breach without undue delay.
8. RIGHT TO WITHDRAW CONSENT FOR THE PROCESSING OF PERSONAL DATA AT ANY TIME
8.1. If you have given consent to our Company for the processing of some of your personal data (the legal basis for the processing of some personal data by our Company is consent or explicit consent), you may withdraw such consent at any time, using our Company’s contact details specified in paragraph 1 above. The withdrawal has not effect on the lawfulness of the processing carried out based on the consent prior to its withdrawal.
9. CHANGES IN THIS INFORMATION MEMORANDUM
9.1. This information memorandum on the protection of personal data may be updated from time to time to reflect changes in legislative, technical or business circumstances. When updating this information memorandum on the protection of personal data, we will take appropriate measures to inform you about them, depending on the significance of the changes we are implementing.