Privacy policy

• Pursuant to the license of the Czech National Bank, the Controller is authorized to offer and provide the following principal investment services: (i) receiving and transmitting orders concerning financial instruments within the meaning of Section 4(2)(a) of the Capital Market Undertakings Act (hereinafter „CMUA“), (ii) management of the client's assets, which include a financial instrument, on a discretionary basis within the framework of a contractual arrangement within the meaning of Section 4(2)(d) of the CMUA, or (iii) investment advisory services relating to financial instruments within the meaning of Section 4(2)(e) of the CMUA, in relation to collective investment securities and financial instruments pursuant to Section 3(1)(d) of the CMUA (all these investments services hereinafter „Activity“).
• the Controller processes the personal data, that are provided by the Data Subjects, to the extent necessary for the purposes and for the timeframe necessary for fulfilling the purposes.
• The Controller processes the Data Subjects‘ personal data for the purpose
1. of his Activity, i.e. closing or changing the contract and fulfilling the contract, including the potential calling and requests of the Data Subject;
2. of fulfilling the legal duties of the Controller, p. ex. the regulations regulating the Activity of the Controller, and especially legal obligations concerning the consumer protection, data archivation, accounting and tax administration;
3. of legitimate interests of the Collector, such as processing the personal data for the purposes of litigation, administrative or similar proceedings or debt recovery, but only if the interests and rights of the Data Subject do not prevail over the legitimate interests of the Controller. For the legitimate interests, the Controller also processes the data for internal administrative purposes (internal evidence, reporting, etc.), for quality assurance and risk management; and
4. set by the Data Subject in agreement with the Cookies Policy. The Data Subject can agree with all the cookie files or only with a selected group of cookie files. This agreement is voluntary and the Data Subject may withdraw the consent at any time. The agreement is required for the processing of the data of specific categories (health conditions) and personal data to be used for marketing purposes.
• After fulfilling the original purposes (for example, fulfilling the contract) the Controller may process the personal data for different purposes (for example to fulfil the legal requirements concerning the archivation of the documents).
• For the interests above, the Controller processes especially the data below:
1. Identity and contact data: academic title, name, surname, date of birth, place of birth, birth number, ID data (including a photocopy of ID taken with the beginning of the contract or during the performance of the contract in accordance with regulations), sex, and contact address;
2. Further data about the Data Subject or concerning the Data Subject, par. example marital status or registration referral code;
3. Electronic contact data: cell phone number, e-mail address;
4. Other electronic data: IP address, device location;
5. Further personal data necessary for the contract performance: bank account number, amount of payments and their history;
6. Data about the Data Subject required by legal regulations (par. ex. In accordance with Act No. 253/2008 Coll., on certain measures against the legitimization of the proceeds of crime and financing of terrorism (hereinafter „AML Act“)), including the photography taken by the Data Subject, Controller or the third party contractually bound to the Controller for the purpose of verifying the conformity of the photography with the image in the identity document in the sense of the AML Act,and data taken from publicly accessible and inaccessible registers;
7. other personal data provided by Data Subject in the contract or other documents, within the telephone or e-mail communication, and
8. records of phone calls and data from these calls.
• The Controller obtains personal data directly from the Data Subjects (especially in the case of contract negotiations and other communication with the Data Subject), from third parties (especially from state administration bodies in the performance of legal obligations or on the basis of special legal regulations), from publicly available sources (especially public registers) or from their own activities (especially by evaluating and analyzing personal data obtained from other sources mentioned above). The Administrator also obtains personal data to a limited extent automatically by using cookies on the Administrator's website.
• The personal data of the Data Subject will be processed fairly, lawfully and transparently. Only personal data that are adequate, relevant and limited to what is necessary with regard to the purpose will be processed.
• The Data Subject's personal data will be processed in a manner ensuring proper security, including the protection by means of appropriate technical or organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage.
• The Controller processes only the data collected in accordance with GDPR and it is his duty to update the data. For this purpose, the Data Subjects must declare any changes in their data and provide proof of the change to the Collector without delay.
• Personal data of the Subjects will be processed for the period of validity of the contract or its administration by the Administrator and subsequently, as long as the legitimate interest lasts (especially during the limitation period for performance of the contract (max. 10 years) from its termination or from the date of termination of administration and in case of court arbitration, execution or other similar proceedings for the duration of these proceedings and subsequently for the period of time for filing extraordinary remedies and during proceedings on filed extraordinary remedies), as well as for the Data subject's consent to processing if consent has been granted. the existence of a legal obligation that applies to the Administrator (financial administration, supervisory body, archiving regulations) or for the purposes of the legitimate interests of the Administrator (litigation). The Controller processes personal data exclusively for defined purposes in accordance with the existing legal title for processing. If the contract with the Data Subject is not concluded, the Administrator processes the personal data obtained in connection with the conclusion of the contract for a period of five years. Records of calls to the customer line are recorded by the Administrator for a period of five years.
• The Data Subject has the right to withdraw consent to the processing of his/her personal data or explicit consent to the processing of a special category of personal data at any time, without prejudice to the lawfulness of the processing based on the consent given prior to its withdrawal. More detailed information on the withdrawal of consent to the use of cookies can be found in the Cookie Policy.
• For the purposes of the Controller´s Activity, the Data Subject´s personal data may be provided to entities operating investment services and other financial institutions in a contractual relationship with the Controller, the Controller´s tied agents, authorized employees and persons providing IT, development, legal, accounting and consulting services to the Controller in order to ensure proper performance of the obligations laid down in generally binding legal regulations and contractual obligations. Furthermore, personal data may also be disclosed under the law to prosecution authorities, courts, the CNB, tax administrators, tax authorities, executors or insolvency administrators, the CIB and other public authorities.
• If the Data Subject provides the data of other persons, which are processed by the Controller during the performance of the contract, the responsibility of fulfilling the personal data protection obligations towards these persons (especially informing them about the processing of personal data) lies on this Data Subject.
• The Controller is not planning to transfer the Data Subject’s personal data to a third country (i.e. outside the European Union or European Economic Area) or to an international organization. However, if the Data Subject has accepted or selected cookies provided by Google, Facebook, Twitter or YouTube, he/she has expressly consented to the transfer of personal data to third countries (especially the USA). If this is the case, the Controller draws attention to the fact that after the transfer of personal data to third countries, the Controller does not have sufficient legal and factual tools to ensure the security of users' personal data.
• The Controller has not appointed a data protection officer but has designated a person responsible for this area who supervises the proper processing of the Data Subject's personal data.
• The Data Subject has the right to request from the Controller access to his/her personal data, and to obtain a copy of personal data processed by the Controller, their rectification or erasure or restriction of processing, and to object to the processing, the right to the portability of such data to another controller, as well as the right to lodge a complaint with the Office for Personal Data Protection (Pplk. Sochora 27, 170 00 Prague 7, website: www.uoou.cz) if he/she believes that the Controller is processing personal data in violation of the GDPR. Also, he/she may exercise his/her rights in the competent court.
• The contact details of the Controller for the processing of personal data: