Privacy protection

This information describes the basic principles under which Citfin – Finanční trhy, a.s., IN 25079069, with registered office at Radlická 751/113e, 158 00 Prague 5 – Jinonice, registered in the Commercial Register at the Municipal Court of Prague, Section B, Insert 4313, and Citfin, spořitelní družstvo, IN: 25783301, with registered office at Radlická 751/113e, 158 00 Praha 5 – Jinonice, registered in the Commercial Register at the Municipal Court of Prague Under Act No. 4607 (hereinafter referred to as “Citfin”), process personal data of natural persons who are customers of Citfin or who are agents of customers (legal entities) of Citfin (also referred to as “Customer” or “Subject”); and information on the rights of data subjects regarding the processing of their personal data by Citfin.

This document will be regularly updated.

1. Introductory Information

Citfin – Finanční trhy, a.s. and Citfin, spořitelní družstvo, are jointly responsible for the processing of personal data by data administrators, who jointly set out the purposes and resources of the processing. Joint administrators have defined, on the basis of a transparent agreement, their shares in the responsibility for the performance of their duties so that, as regards the exercise of the rights of the data subject or, with regard to the provision of mandatory notifications of the processing of personal data, the responsibility for such activities falls on the data administrator with whom the data subject is a Customer; in the event that it is a Customer with both administrators, this shall be the administrator to whom the data subject turns with his or her request. Both joint administrators have one common point of contact for data subjects, as listed below.

For the processing of personal data, the two joint administrators can share and process the collected personal data. During the collection of personal data, and later, after the collection, the data subject cannot choose which administrator can process his or her personal data.

Citfin processes the personal data of the data subjects in all their activities in providing services of a securities broker, payment institution and savings association, and when providing regular information to subjects via web communication.

From 25 May 2018, Citfin processes the personal data of the subjects in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter “Regulation”).

Citfin has appointed a Personal Data Service Provider (“DPO”) to oversee compliance with personal data protection in Citfin. DPO can be reached via e-mail at gdprpoverenec@citfin.cz.

2. What categories of personal data we process

We only process such data that allow us to provide our Customers with our services in order to comply with our legal obligations and to protect our legitimate interests.

Citfin collects, processes and stores in particular the following categories of personal data of Customers:

• personal identification data – especially name, surname, date of birth, birth number, address, identity card number (passport, ID card), identity card photograph, nationality, country of birth, sample of Customer’s signature, and if he or she is a businessperson a trade licence ID and address of the registered office,
• biometrics – data which is processed for the purpose of unique identification of a natural person, e.g., identifiers derived from a record of the likeness of an identified person in order to authenticate the conformity of his or her likeness with data obtained from photographs in provided copies of documents,
• personal contact information – in particular telephone number, email address, delivery address, access data to enable communication between Citfin and the Customer electronically, such as login names, passwords, PINs and other security features that serve to secure Customer authentication,
• product and service data provided to the Customer – data of the subject related to account number, contract number, use of products/services or preferred language, geolocation data, transaction data, recommendations and offers,
• data from mutual communication – data from the use of Citfin websites and applications, and contact information through any contact point (how long, on which topic and which communication channel), including complaints and service requests,
• telephone call recording data – storage, access, use, transfer and retention of data on data carriers,
• other data – such as camera recordings.

When entering into a contractual relationship, Citfin has the obligation to learn the national identification number of the Customer – natural person who is a member of the legal person’s statutory body, and keep it for a specified period so that Citfin can provide the agreed services in compliance with the law and fulfil its obligations under the contract.

Recordings containing personal data may be disclosed to authorized Citfin employees, to state supervisory bodies, to persons to whom it is necessary to disclose personal data on the basis of and in accordance with the provisions of the relevant legislation, to entities to which Citfin is entitled to disclose personal data in order to protect the rights and obligations arising from the contract negotiations or from the actual contractual relationship, and to companies that perform activities for Citfin on the basis of outsourcing or other service contracts in which such companies will act as personal data processors.

3. The purpose of processing of clients’ personal data

Customers’ personal data must be collected only for specific, explicit and legitimate purposes and must not be further processed in a way that is incompatible with those purposes. The Customer is transparently informed about the purpose of processing.

Processing of personal data without the consent of the Customer

• in order to process Customer documentation in relation to the negotiation, realization and settlement of business. Without the personal data provided for the purpose, Citfin cannot:
• verify the Customer’s identity when negotiating a contract or negotiating a deal,
• prepare the contract documentation or change it and discuss it with the authorized person,
• comply with the requirements of banking supervision of prudence in the conduct of business in the banking market,
• provide information and listings of negotiated transactions only to authorized persons.

Without the provision of this information, a contractual relationship cannot be concluded or continued.

• acquisition and storage of copies of Customer’s personal documents – Citfin is entitled or obliged to identify the Customer or an authorized person. The Customer acknowledges and agrees that Citfin will make a photocopy of the documents submitted (e.g., extract from the Commercial Register, ID card) as part of the identification of the Customer and authorised persons. The photocopying of documents and their preservation is permitted or required by Act No. 253/2008 Coll., on Certain Measures against Money Laundering and Terrorism Financing.
• to enable the use of products and services: If you choose our products and use our services, we process your data on our side. These are, above all, your identification data, product and service information, and data from your use of internet or mobile applications.
• in order to meet Citfin’s statutory obligations under the law, in particular in order to:
• implement Customer identification and other obligations pursuant to  Act No. 253/2008 Coll., on Certain Measures against the Money Laundering and Terrorism Financing, Act No. 370/2017 Coll., on Payments, Act No. 256/2004 Coll., on Business on the Capital Market, Act No. 87/1995 Coll., on Savings and Credit Cooperatives, Directive 2016/680 of the European Parliament and of the Council, Directive 2016/679 of the European Parliament and of the Council;
• comply with the requirements of Act No. 21/1992 Coll., on Banks;
• fulfil the contractual obligations arising from a contract concluded with the Customer;
• preserve and archive data according to legal requirements.
• to protect the rights and legitimate interests of Citfin:
• for this purpose, we in particular evaluate data about the use of our services by our Customers in order to set as accurately as possible the specifications of our products and services,
• addressing all disputed agendas, particularly for the purposes of conducting court cases and other disputes,
• in order to manage our relationship with Customers when dealing with Customers starting, setting up, changing, providing product and service information, solving requests, wishes and complaints of Customers, including requirements and the exercise of privacy rights.
• We use the address and identification personal information of the entities for the direct marketing of Citfin products and services. Processing for direct marketing purposes may be considered as processing due to Citfin’s legitimate interest. The Customer is always given the opportunity to disagree with further offering of products and services that is done by Citfin’s legitimate interest.

Processing of personal data with the consent of the Customer

The processing of personal data that does not fall under the above-mentioned purposes can only be done with the consent of the Customer. Providing such consent is entirely at the discretion of the Customer. In Citfin this is the following:

• the processing and storage of biometrics  – for the purpose of unique identification of a natural person. This is identifiers derived from a record of the Customer’s likeness in order to authenticate the conformity of the Customer’s likeness with the data obtained from photographs in provided copies of documents,
• processing of Customer data for marketing purposes beyond the processing for marketing purposes due to Citfin’s legitimate interest, in particular the offer of certain individual products and services at the request of the Customer or the dissemination of information and offers of products and services with which the Customer has given his/her consent.

4. Method of processing and storing personal data and their retention period with Citfin

Citfin retains data only for the necessary time in compliance with legal regulations and archives them 10 years after the end of the calendar year in which the contractual relationship with Citfin has ended. Citfin has set strict internal archiving rules to ensure that Customer data is not held longer than authorized.

Data that is processed with the consent of the Customer is kept by Citfin for as long as the consent is validly granted. For the avoidance of doubt, the consent and change or revocation of the consent of Citfin is retained by virtue of its legitimate interests for the entire duration of its consent and 10 years after its expiration.

Citfin handles the Customer’s personal data manually or in an automated way and securely stores it in paper or electronic form. In connection with the purpose of the processing, the personal data of the Customer are kept in the Citfin Customer information system.

Citfin does not apply automated decision-making to the processing of personal data using automated means (applications, software, algorithms, etc.) or profiling, during which automated data processing occurs in order to evaluate certain personal aspects of the subject (e.g., economic situation, behaviour, preference, or surveillance of position).

5. Recipients of the client’s personal data

Customers’ personal data is strictly managed within Citfin. Citfin may transfer the  acquired personal data of the Customer, including special categories of data, to a third party only on the basis of a legal title, in particular to fulfil the task resulting from legislation. The Customer is transparently informed about individual recipients of his or her personal data.

Citfin’s personal data may be further provided by Citfin to other companies that are committed to helping with its activities, such as companies that act as a personal data processor for Citfin. These companies include IT service providers, archiving service providers, debt recovery companies, lawyers, and marketing agencies. The access of these entities and the processing of personal data by Customers by a third party will always be done on the basis of a contract for the processing of personal data and under the conditions established by the relevant legal regulations.

With the consent of the Customer, his or her personal data may also be forwarded to other entities.

Personal data is processed in the Czech Republic; we do not share your personal data with any third country or international organization.

If the Customer uses online identification of a person within the Customer’s onboarding web interface, the selected personal data will be processed with the Customer’s consent by the Company:

• Bankovní identita a.s., ID No.: 09513817, with registered office at Smrčkova 2485/4, 180 00 Prague 8 – Libeň;
• Onfido Limited, ID No.: 07479524, with registered office at 14-18 Finsbury Square, 3rd Floor, London, England, EC2A 1 AH

and submitted to Citfin.

6. Sources of personal data

Citfin acquires personal data of Customers in particular:

• from Customers themselves, directly when concluding contracts for the provision of products and services, or indirectly by using the provided products and services;
• in the disclosure of information to Customers about products and services, such as through the Citfin website or through mobile applications;
• from publicly available resources (public registers or lists);
• from potential Customers of Citfin;
• from Citfin’s own activities.

7. Clients’ rights as data subjects

Citfin collects, processes, and stores personal data in full respect of the data protection rights of the data subjects as they result from the applicable provisions and legislation. In personal data processing the Customers, as data subjects, can make use of the rights specified below, and which they may use at their own discretion:

• Right of access to personal data – The Customer may request information about the processing of his or her personal data for free. Citfin is entitled to require, in cases where Customers’ applications are manifestly unreasonable or inappropriate, in particular because they are repeated, a reasonable reimbursement of information about the Customer’s processed personal data not exceeding the costs necessary to provide the information. For the same reasons, it is also possible to refuse such requests.
• The right of transfer (i.e. the Customer may obtain personal data concerning him/her and which he/she provided in a structured, commonly used and machine-readable format, and the right to pass these data to another administrator).
• The Customer, as a personal data subject, who discovers or considers that Citfin as an administrator or other person processing personal data for Citfin processes his or her personal data contrary to the protection of his/her private and personal life, or in contradiction with given law, may request clarification or require Citfin or the processor to:
• without undue delay, correct and/or add information to inaccurate personal data of the Customer concerned,
• erase his or her personal data (especially if such personal data are no longer needed for the purpose for which they were collected or otherwise processed or consent with processing or opposing the processing was revoked, and there are no overriding legitimate reasons for further processing),
• limit personal data processing (especially when the accuracy of personal data was denied or processing is unlawful and the subject rejects the deletion of personal data and asks instead for restrictions on their use or personal data are no longer needed for processing but the subject requires them to identify, exercise or defend their claims).
• In the case of processing data under consent, the Customer, as the data subject, has the right to grant the consent, at any time, in whole or in part, with effects in the future. Without proper consent, Citfin will not continue to process the data. Your consent can be revoked by emailing or sending a letter to the mailing address below. Revocation of consent is without prejudice to the lawfulness of processing based on consent given prior to its recall.
• Furthermore, the data subject also has the right to file a complaint against the processing of personal data with the Personal Data Protection Authority, Pplk. Sochora 27, 170 00, Prague 7, https://www.uoou.cz/

In relation to exercising their rights and in case of any questions or gaining  information regarding the handling of personal data, Customers may contact Citfin through the Call Centre Citfin + 420 234 092 333, or via email info@citfin.cz, or contact the DPO at gdprpoverenec@citfin.cz.

In Prague on 1 June 2023

Secure communication with Citfin clients