What will you learn about personal data?
A. General information relating to personal data protection
1. What is the GDPR?
2. How is personal data protection enshrined in Czech legislation?
3. Why is personal data protection so important?
4. Principles and basic terms contained in the legislation on personal data protection.
B. Processing your personal data at Erste Asset Management GmbH
5. Who are the controller and processor of your personal data?
6. How do we process your personal data?
7. What sources do we obtain your personal data from?
8. What is the purpose of processing your personal data?
9. To whom may we provide your personal data?
10. How long can we keep your personal data?
11. What security rules apply to protecting your personal data?
12. How do we deal with cookies, social networks and monitoring our websites?
C. Your rights
13. What rights do you have with regard to personal data protection?
14. How can you exercise your rights?
A. General information concerning personal data protection in the Czech Republic.
A general regulation on personal data protection, referred to by the English abbreviation of “GDPR” – General Data Protection Regulation, came into effect in the European Union on 25 May 2018. The GDPR specifies how personal data may be processed and how it must be protected. The text below summarised the main points relating to this issue.
1. What is the GDPR?
The GDPR is a European Union regulation. It is directly applicable in each member state and therefore also in the Czech Republic. Any individual whose data are processed may refer directly to the GDPR. You can find the text of the regulation here: https://eur-lex.europa.eu/legal-content/CS/TXT/PDF/?uri=CELEX:32016R0679&from=CS
2. How is personal data protection enshrined in the Czech legislation?
The European Union has not only issued the GDPR, but an entire “personal data protection package”. This also includes a new directive on personal data protection in criminal cases. How does the directive differ from the regulation? Unlike the regulation, the directive has first to be transposed into domestic law. Apart from that, the directive leaves room for member states to make minor changes to various aspects, unlike the GDPR itself.
With respect to areas where the regulation allow member states to do so, the Czech Republic will implement the regulation through a new Act on personal data processing, which is currently being prepared. Personal data protection is currently regulated in this country by Act No. 101/2000 Coll., the Personal Data Protection Act. In the event of any discrepancy between the regulation and the Act, the text of the GDPR will prevail.
3. Why is personal data protection so important?
Personal data protection is a fundamental right. In the same way as your right to freedom or security, the right to personal data protection is enshrined in the Charter of Fundamental Rights of the European Union.
In the public, private and economic areas, there must be a balance between the interests of those who process personal data and the so-called “data subjects” – in other words between you and your bank or management company. These rules are contained in the GDPR and also in the Personal Data Protection Act.
4. Principles and basic terms contained in the legislation on personal data protection
In order to be able to discuss personal data protection, it is important to clarify some basic terms. We have also provided the relevant references to the GDPR articles to enable you to search for a definition should you wish. Please bear in mind that this is only a summary, with extremely reduced content.
What are personal data?
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or identification number.
Article 4 (1) GDPR.
What is covered by personal data processing?
The term “processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), alignment or combination, restriction, erasure or destruction.
Article 4 (2) GDPR.
What does “controller” mean?
The term “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Article 4 (7) GDPR.
What does “processor” mean?
The term “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Article 4 (8) GDPR.
B. Processing your personal data at Erste Asset Management GmbH
We only process the personal data of our investment fund shareholders to the extent necessary to meet our obligations are manager and administrator of investment funds managed by Erste Asset Management GmbH. This mainly involves keeping records of purchases and redemptions of investment fund units, maintaining a list of unit holders, which is replaced by a separate register of records of booked units and settling complaints and claims from investors. Česká Spořitelna, a.s. works on a contractual basis as the principal personal data processor.
5. Who are the controller and processor of your personal data
Information on the personal data controller responsible for processing your personal data:
Erste Asset Management GmbH
having its registered office at Am Belvedere 1, 1100 Vienna, Republic of Austria
Co ID: FN 102018b
Operating through its branch office
Erste Asset Management GmbH, Czech Republic branch
having its registered office at Prague 4, Budějovická 1518/13a, postcode 140 00
Co ID: 04107128
entered in the Commercial Register held at the Municipal Court in Prague, Section A, Insert 77100
6. How do we process your personal data
Our company will only process your personal data to the extent necessary to meet the following purposes. We primarily process contact and identification details and data obtained in relation to your investment in our investment funds. We also process the personal data of other people where their personal data are important for us in relation to the performance of a contractual or other legal relationship. The categories of personal data we process are:
- Identifying information – name, surname, title, birth number or date of birth, permanent address, ID number (identity card, passport or other similar document), signature – for a natural person engaged in business also a tax ID and company ID. These are all the personal data we use to confirm your unique and fixed identity.
- Contact information – primarily your contact address, telephone number, e-mail address and other similar information. These are the personal data we use to contact you.
- Information relating to your investment – records of purchases and redemptions of investment fund units, information on investment or personal accounts, information on any enforcement, inheritance or insolvency proceedings, or on relationships with the account holder (authorised agent, legal representative, creditor, etc.), country of residence for tax purposes.
The categories listed above are general examples. Should you wish to receive a detailed and individualised copy of your processed data, you can contact us in the manner set out in Article 14.
7. Source of the personal data
If you have invested in our investment funds, we primarily obtain your personal data from Česká Spořitelna, a.s., with which you have concluded an agreement for investment services.
We also obtain your personal data directly from you, if you ask us for information or send us a complaint. Another source might be contractual documentation, two-way communication during the performance of contractual obligations, publicly accessible registers of legal and natural persons, state bodies or state officials – the Czech National Bank, the Police of the CR, notaries or executors.
8. What is the purpose of processing your personal data
Performance of statutory and contractual obligations
We are a management company pursuant to Act No. 240/2013 Coll., on management companies and investment funds. As a consequence of the conclusion of a contract between you and Česká spořitelna, a.s. and your decision to invest in our investment funds, we primarily process your personal data in order to comply with our statutory obligations. The legal basis for processing your personal data (identification and contact) is compliance with the following laws in particular:
- Act No. 240/2013 Coll., on management companies and investment funds,
- Act No. 164/2013 Coll., on international cooperation in tax administration (this Act imposes an obligation to exchange information with other financial institutions on persons who are subject to tax obligations in another country)
- Act No. 253/2008 Coll., on selected measures against the legitimisation of proceeds of crime (this Act imposes an obligation to identify and monitor clients)
- Decree No. 58/2006 Coll., on the manner of keeping separate records of investment instruments and records based on separate records of investment instruments
The performance of the aforementioned statutory obligations is primarily for the following purposes:
- the proper and prudent provision of investment services and the performance of obligations imposed on our company in connection with the provision of investment services;
- the handing over of information on foreign accounts in accordance with applicable international treaties and other legal regulations (FATCA, GATCA);
- customer checks pursuant to the Act on selected measures against the legitimisation of proceeds of crime and financing of terrorism;
- performance of reporting obligations for public authorities
- prevention of fraudulent behaviour;
- performance of obligations relating to the exercise of enforcement, inheritance, executory or insolvency proceedings;
- performance of archiving obligations.
Processing your personal data on the basis of a legitimate interest of Erste Asset Management GmbH
In certain cases we will process your personal information in order to protect the rights and legitimate interests of Erste Asset Management GmbH. This type of processing may be carried out without your consent. However, the range of reasons that entitle us to carry out this type of processing is limited. We will always carefully assess whether this legitimate interest actually exists. A legitimate interest might be, for example:
- measures to prevent crimes;
- the exercise of legal claims and resolution of any disputed agendas;
- recording telephone calls to document how well your requests are dealt with;
- measures to protect our company’s assets, our customers and third parties;
- managing relationships with our clients and communications relating to your investment, or dealing with your requests.
9. Recipients and processors of personal data
We process and store personal data within the framework of Erste Asset Management GmbH and Česká spořitelna, a.s. We carefully select the persons who work with us on the basis of guarantees that will ensure the technical and organisational protection of your personal data. Only processers who are employed on a contract to process personal data may process personal data for Erste Asset Management GmbH. In accordance with legal requirements, Erste Asset Management GmbH, Czech Republic branch may provide your personal data to the following recipients:
- a company that provides personal data processing for us;
- State authorities, within their statutory powers;
- the regulator for the purposes of supervising the activities of Erste Asset Management GmbH, Czech Republic branch.
Transmission of personal data to third countries
Compliance with legal obligations with regard to maintaining a list of unit holders and records of purchases and redemptions of units requires us, in some cases, to transfer your personal data for processing outside the Czech Republic. This is mainly to satisfy obligations relating to Act No. 164/2013 Coll. on international cooperation in tax administration.
10. The length of time your personal data is stored
We process personal data for the duration of a contractual relationship or other legal title that allows us to process your personal data. This means that we have established strict internal rules according to which the legality of our retention of personal data is verified, as well as the fact that we do not retain the data for longer than we are entitled to. After expiry of the legal reason, we will delete the relevant personal data. If necessary, we may process selected personal data even when the purpose for which it was provided to Erste Asset Management GmbH has expired (e.g. with respect to the enforcement of claims in court).
We only keep your personal data for as long as is absolutely necessary and archive it in accordance with statutory time limits imposed by law (generally for a period of 10 years).
Storage, archiving and the other operations referred to above are carried out for Erste Asset Management GmbH by Česká Spořitelna, a.s. as processor, on the basis of a contract.
11. What security measures are applied to the processing of personal data
The protection of your personal data is our priority. We implement all necessary technical and organisational measures to safeguard your personal data during processing. We protect personal data against unauthorised and unlawful use or unintended loss. These measures include the use of state-of-the-art security software, access control and measures to prevent against both internal and external electronic attacks. All persons who come into contact with data during its processing are bound by a duty of confidentiality.
12. How do we deal with cookies, social networks and monitoring our website?
Social media and automatic image downloading
Our company uses presentations based on various social media platforms. If you use this service, after connecting to this service, your browser will give your service provider your IP address or other information such as cookies when you connect to the service. Our company is not responsible for transmitting this information.
Website analytics tools
In order to obtain a better evaluation of our website traffic, we sent anonymous statistics to an external service provider. These data do not contain any direct or indirect person-specific data or IP addresses.
13. Your rights in relation to personal data protection
We process your personal data in a transparent and correct manner, in accordance with statutory requirements. However, you also have the right to contact us at any time to obtain information about the manner of processing your personal data or in order to exercise the rights listed below, which relate to personal data.
- Right of access to personal data, pursuant to Article 15 GDPR
- Right to rectification of personal data, pursuant to Article 16 GDPR
- Right to erasure of personal data (the right to be forgotten) pursuant to Article 17 GDPR
- Right to restriction of processing of personal data, pursuant to Article 18 GDPR
- Right to portability of personal data, pursuant to Article 20 GDPR
- Right to object to the processing of personal data, pursuant to Article 21 GDPR
- Right not to be subject to a decision based solely on automated processing, pursuant to Article 22 GDPR
Right of access to personal data - you have the right to request a copy of your personal data processed by Erste Asset Management GmbH and information on its scope, the recipients to whom it has been disclosed, how they have been acquired and for how long they will be stored.
Right to rectification of personal data - it is important for us that your personal data be correct and complete. If you believe that the personal information we hold about you is inaccurate or incomplete, you have the right to ask us to update or supplement it.
Right to erasure of personal data (the right to be forgotten) - we place great importance on ensuring that your personal data are only processed in accordance with legal regulations. If you have reason to believe that this is not the case, you have the right to request that your personal data be deleted. Potential grounds for deletion are that your personal data are not necessary for the purpose for which they were processed, that you have withdrawn consent to their processing, that the data have been processed unlawfully or have to be erased in order to comply with legal obligations.
Right to restriction of processing of personal data - you have the right to request that the processing be restricted if you believe that your personal data are inaccurate or that the processing of personal data is illegal, but you do not wish to erase them, or you have objected to their processing, but it is unclear whether our legitimate interest prevails over your legitimate interests. Should you request it, we may process your personal data even when it is no longer necessary for the purpose for which it was provided to you (for example, in connection with the enforcement of a claim in court, for which you need the personal data we have processed).
Right to portability of personal data - in the case of automated processing of personal data based on a contract or consent you have given us, you are entitled to the so-called portability of such data which will be provided to you in a structured, commonly used and machine readable format (such as an Excel file). You may also have the right to request that your personal data be passed directly to another personal data controller.
Right to object to the processing of personal data - you may at any time object to the processing of personal data we process for legitimate interest. Should you raise an objection, we may only continue to process your personal data if we demonstrate serious legitimate reasons for its processing. In the case of processing your personal data for direct marketing purposes, you may object at any time to such processing, which will terminate the processing for these purposes.
Right not to be subject to a decision based solely on automated processing - our company does not perform any automated decision making or profiling in the processing of your personal data pursuant to Article 22 GDPR
14. How can you exercise your rights
You can contact us directly with any inquiries regarding the processing of your personal data or requests to exercise your rights through a form that you can download at the end of this policy, or you can contact any branch of Česká spořitelna, a.s.
How long does it take to settle the request?
We will respond to any requests concerning the exercise of your rights without undue delay, within 30 days of receipt of the request. However, should the request be extremely complex or should we receive a large number of other requests, the deadline may be extended by a further two months. We will always keep you informed of any such extension, including the reasons that led to it. We will communicate with you in your preferred manner (email, letter).
Should there be any doubt, we may request additional information to verify your identity in order to respond to your personal data processing request. This is desirable to prevent any unauthorised persons from accessing your personal information.
Are any fees charged for responding to my request?
No, your requirements, as far as they concern the processing of your personal data, are settled free of charge. However, if the request is clearly unreasonable or disproportionate, in particular because it is repeated, we may require a reasonable fee to cover administrative costs.
Right to file a complaint with the Supervisory Authority
If you believe that your personal data has been infringed or that we have not complied with your claim in accordance with the law, you have the right to file a complaint with the Supervisory Authority (the Office for Personal Data Protection).
Office for Personal Data Protection:
Pplk. Sochora 27
170 00 Prague 7
telephone: +420 234 665 111
Should you wish to file a request to obtain your personal data or exercise your rights relating to personal data protection, click below.