Privacy protection

This information describes the basic principles under which Citfin – Finanční trhy, a. s., ID No. 25079069, with the registered office at Radlická 751/113e, 158 00 Praha 5 – Jinonice, entered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 4313, and Citfin, spořitelní družstvo, ID No.: 25783301, with the registered address at Radlická 751/113e, 158 00 Praha 5 – Jinonice, entered in the Commercial Register maintained by the Municipal Court in Prague under File No. DR 4607 (hereinafter “Citfin”), process personal data of natural persons who are Citfin clients or who are authorised representatives of Citfin clients (legal persons) (hereinafter the “client” or “entity”), and information on the rights of data subjects in relation to the processing of their personal data in Citfin.

This document will be regularly updated.

1. Introductory Information

1.1 For the purposes of personal data processing, Citfin – Finanční trhy, a. s. and Citfin, spořitelní družstvo are joint controllers, which together have determined the purposes and means of processing. The joint controllers have defined their shares in the liability for the fulfilment of obligations by a transparent agreement so that, in terms of the exercise of data subjects’ rights or the provision of obligatory notifications of personal data processing, the obligation shall be fulfilled by the controller for which the data subject is a client. If the data subject is a client of both controllers, the obligation shall be fulfilled by the controller contacted by the data subject. Both joint controllers have designated one common contact point for data subjects, as indicated below.

1.2 For the purposes of personal data processing, both joint controllers are entitled to share and process collected personal data. In the collection of personal data, data subjects cannot choose later which controller can process their personal data and which cannot.

1.3 Citfin processes data subjects’ personal data within all its activities in the provision of services of a securities trader, payment institution and savings association and in the provision of regular information to the data subject through web communications.

1.4 From 25 May 2018, Citfin processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”).

1.5 Citfin has appointed a data protection officer (“DPO”) who oversees Citfin’s data protection compliance. The DPO can be contacted at gdprpoverenec@citfin.cz.

2. What categories of personal data we process

2.1 We only process data that allows us to provide services to our clients, comply with our statutory obligations and protect our legitimate interests.

2.2 In particular, Citfin collects, processes and stores the following categories of clients’ personal data:

2.2.1 Identification data – particularly a client’s name, surname, date of birth, personal ID number, residence address, ID no. (passport, identity card), ID photo, citizenship, nationality, country of birth, representation of the client’s signature, and company reg. no. and registered address if the data subject is an entrepreneur,

2.2.2 Contact personal data – particularly the client’s phone number, e-mail address, delivery address, access data enabling electronic communication between Citfin and the client, such as log-in names, passwords, PIN and other security features used to secure client authentication,

2.2.3 Information about products and services provided to the client – the data subject’s data regarding the addressed agenda, account no., contract no., data on the use of products/services or preferred language, geolocation data, transaction data, recommendations and offers,

2.2.4 Data from mutual communication – data from the use of the Citfin website and applications, information about any interaction through any contact point (for how long, on what topic and through which communication channel), including the handling of complaints and service requests,

2.2.5 Other data – e.g. surveillance footage, records of phone calls.

2.3 Personal ID number
When entering into a contractual relationship, Citfin is obliged to obtain the personal ID number of the client who is a natural person, a natural person who is a member of the statutory body of a legal person or who is an authorised person/managing clerk, and to store the personal ID number for as long as necessary to allow Citfin to provide agreed upon services in accordance with legal regulations and fulfil its obligations under the contract.

3. The purpose of processing of clients’ personal data

3.1 A client’s personal data shall be collected only for certain, expressly specified and legitimate purposes and cannot be further processed in a manner that is inconsistent with these purposes. The client is transparently informed about the purpose of processing.

3.2 Processing of personal data without the client’s consent

3.2.1 In order to process the client documentation in connection with the negotiation, execution and settlement of trades. Without the personal data provided for this purpose, Citfin cannot:

• Verify the client’s identity in the negotiation of contracts or trades,
• Prepare contractual documentation or an amendment to it and discuss this information with an authorised person,
• Fulfil the banking supervision requirements for vigilance in business activities in the banking market,
• Provide information and statements of agreed upon transactions to authorised persons only.

Without this data, the contractual relationship cannot be concluded or continued.

3.2.2 In order to enable the use of products and services:
If you have selected our products and used our services, we process your data. In particular, this includes your identification data, information about products and services and data derived from your use of internet or mobile applications.

3.2.3 In order to fulfil Citfin’s statutory obligations arising from legal regulations, particularly to:

• Identify the client and fulfil other obligations under Act No. 253/2008 Sb., on selected measures against legitimisation of proceeds of crime, Act No. 370/2017 Sb., on the payment system, Act No. 256/2004 Sb., on business activities on the capital market, Act No. 87/1995 Sb., on savings and loan associations and credit unions;
• Comply with the requirements of Act No. 21/1992 Sb., on banks;
• Fulfil the contractual obligations under the contract concluded with the client;
• Store and archive data according to statutory requirements.

3.2.4 In order to protect Citfin’s rights and interests protected by the law:

• To this end, we primarily assess data concerning the clients’ use of our services to set the parameters of our products and services as accurately as possible,
• To solve any disputes, particularly for the purposes of litigations and other legal actions,
• To manage our relationship with clients when we discuss the establishment, setting, changes, provision of information on products and services, handle clients’ requests, wishes, complaints, including requests to exercise any of the rights related to personal data protection.
• We use data subjects’ addresses and personal data identification for the purposes of direct marketing of Citfin products and services. The processing for direct marketing purposes can be considered processing performed based on Citfin’s legitimate interests. The client always has the opportunity to express their disagreement with product and service offerings, which are provided based on Citfin’s legitimate interests.

3.3 Processing of personal data with the client’s consent

3.3.1 Personal data processing for purposes other than specified above can only be performed with the client’s consent. Clients may grant consent at their sole discretion. In Citfin, this concerns the following processing:

  • Making and storing a copy of the client’s personal documents
    A copy of an identity card can only be made with the express consent of the card holder. Citfin makes copies of personal documents mainly to prevent criminal activities. When concluding contracts and identifying the client, the client will be asked to provide a personal document to obtain personal data contained therein (it is Citfin’s statutory obligation to obtain this data), but also a copy of the personal document will be made (in accordance with legal regulations). However, the consent to making a copy of the ID card or passport is voluntary, and the client is entitled to refuse without any consequences. The refusal to grant consent does not prevent the client from concluding a new contract in the future. When personal data is changed, the client may be asked again to grant consent to making a copy; however, the client is entitled to refuse this again.
  • Processing of client’s personal data for marketing purposes beyond the processing for marketing purposes performed based on Citfin’s legitimate interests, in particular, offerings, individual products and services at the client’s request, distribution of information and offers of products and services to which the client has consented.

4. Method of processing and storing personal data and their retention period with Citfin

4.1 Citfin stores data only for as long as necessary in accordance with legal regulations and archives them for 10 years following the end of the calendar year in which the contractual relationship with Citfin was terminated. Citfin has implemented strict internal rules of archiving to ensure that the clients’ data is not stored for longer than the authorised period.

4.2 Citfin stores data that is processed with the client’s consent for the period of validity of the consent. In order to avoid doubt, Citfin stores the consent and any change or withdrawal of the consent by virtue of its legitimate interests for the entire validity period of the consent and 10 years after the consent expired.

4.3 Citfin processes the client’s personal data manually or in an automated way and stores it securely in paper or electronic form. In connection with the purpose of processing, the client’s personal data is stored in Citfin’s client information system.

4.4 When processing personal data, Citfin does not apply automated decision-making that uses exclusively automated tools (applications, software, algorithms etc.), or profiling where data is processed in an automated way to assess certain personal aspects of the data subject (e.g. economic situation, behaviours, preferences or location tracking).

5. Recipients of the client’s personal data

5.1 The client’s personal data is, in principle, managed within Citfin. Citfin can provide the obtained client’s personal data, including special categories of personal data, to a third party only based on a legal title, particularly to fulfil a task arising from legal regulations. Clients are transparently informed about the recipients of their personal data.

5.2 Citfin can also provide the client’s personal data to other companies engaged in Citfin’s activities, e.g. to companies acting as personal data processors for Citfin. These companies include IT service providers, providers of archiving services, entities collecting debts, lawyers, marketing agencies. These third parties always access and process clients’ personal data based on a data processing agreement and under the terms stipulated by the applicable legal regulations.

5.3 With the client’s consent, the personal data can be provided to other entities as well.

5.4 Remote processing and data storage are not applied. All personal data are processed in the Czech Republic; your personal data is not transferred to any third country or international organisation.

6. Sources of personal data

6.1 In particular, Citfin obtains clients’ personal data:

  • From the clients themselves, either directly when concluding contracts on the provision of products and services, or indirectly when using the provided products and services
  • When providing information about our products and services to clients, e.g. through the Citfin website or mobile applications
  • From publicly available sources (public registers or lists)
  • From parties potentially interested in Citfin services
  • From Citfin activities

7. Clients’ rights as data subjects

7.1 When collecting, processing and storing personal data, Citfin fully observes the protection of clients’ rights as they arise from the applicable legal regulations. In connection with personal data processing, clients as data subjects have the following rights, which they can exercise at their discretion:

  • The right of access to personal data – clients can request information on the processing of their personal data free of charge. If the client’s requests are evidently unfounded or excessively repeated, Citfin is entitled to require the client to pay a reasonable fee for the provision of information on the processing of client’s personal data, which does not exceed the necessary costs of providing the information. The request can also be rejected for the same reasons.
  • The right to data portability (i.e. clients can receive personal data related to them and provided by them in a structured, conventional and machine-readable format and transfer this data to another controller).
  • Clients as data subjects, who ascertain or believe that Citfin as the controller, or another entity processing personal data for Citfin, processes their personal data contrary to the protection of their privacy or contrary to applicable legal regulations, are entitled to ask for an explanation or request Citfin or the processor to:
    – Rectify and/or complete inaccurate personal data related to the clients without undue delay,
    – Erase the clients’ personal data (especially when the personal data are no longer needed for the purposes for which they have been collected or otherwise processed, or if the consent to the processing has been withdrawn, or an objection has been raised against the processing, and there are no prevailing legitimate reasons for further processing),
    – Restrict the processing of the clients’ personal data (especially when the accuracy of the personal data is denied, or the processing is unlawful and the data subject refuses the erasure of personal data and requests a restriction of their use instead, or the personal data are no longer needed for the processing but the data subject requires them to determine, exercise or defend his/her legal claims).
  • If data is processed based on consent, the client as the data subject is entitled to completely or partially withdraw the consent at any time with future effects. Without the relevant consent, Citfin will not continue in the processing. The consent can be withdrawn at the e-mail address or delivery address indicated below. The withdrawal of the consent shall not affect the lawfulness of the processing based on the consent granted before the withdrawal.
  • The client, as the data subject, also has the right to lodge a complaint against the personal data processing with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00, Praha 7.

7.2 In connection with the exercise of their rights and in case of any questions or information concerning the handling of personal data, clients are entitled to contact Citfin at the Citfin Call Centre phone line + 420 234 092 333, or by e-mail at info@citfin.cz, or to contact the DPO at gdprpoverenec@citfin.cz.

In Prague, on 25 May 2018