Personal data processing and protection principles of the company

company: Live Safe s.r.o., joint stock company, ID No: 091 54 884 registered office: Vodičkova 791/41, 110 00 Prague 1 - Nové Město the company is registered in the Commercial Register maintained by the Municipal Court in Prague Section C, Insert 331785 (hereinafter referred to as "Controller“)

Principles of personal data processing Personal data protection is a priority for our company. Below we provide detailed information about our company's personal data processing policy and why we process your personal data, what rights you have in relation to the processing of your personal data and other information regarding the processing of personal data. We follow strict rules when processing personal data in our company and make sure that only authorized persons have access to it. We do not pass on your personal data outside our company structure without your knowledge, except in cases where you have given your consent, or where we are required or authorised to do so by law or where it is in our legitimate interest to do so.

Article I.

Basic provisions

  1. The Controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as: "GDPR") is Live Safe s.r.o., joint stock company, ID No: 091 54 884, registered office: Vodičkova 791/41, 110 00 Prague 1 - Nové Město, the company is registered in the Commercial Register, maintained by the Municipal Court in Prague, Section C, Insert 331785 (hereinafter referred to as the "Controller" or "Operator") hereby informs about the purpose, scope, time and legal title of the processing of personal data of the data subjects, including access to them and the scope of the data subject's rights related to the processing of personal data on the part of the Controller. The Controller is the operator of servers on the Internet network - hereinafter referred to as the servers of Live Safe s.r.o..
  2. The servers of Live Safe s.r.o. are all information servers operated by the company on the Internet. All conditions of access and use of the information and/or services of the servers by all users are defined and governed by these binding documents, which also define all terms used.

Article II.

Basic concepts

  1. The Controller processes personal data in accordance with applicable legislation, i.e. Act No. 110/2019 Coll., on the processing of personal data (hereinafter referred to as the "Act") and the REGULATION (EU) 2016/67 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "Regulation"). For the purposes of the Policy below, the Controller refers to the following terms in the Regulation:
    • “personal data” - any information about an identified or identifiable natural person (data subject). An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
    • “special categories of personal data” - personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health or sex life or sexual orientation of a natural person;
    • “processing of personal data” - any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction;
    • “pseudonymisation” - the processing of personal data so that they can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organisational measures to ensure that it is not attributed to an identified or identifiable natural person;
    • “controller” - a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, that law may determine the controller concerned or the specific criteria for its determination;
    • “recipient” - the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether or not it is a third party;
    • “data subject consent” - any free, specific, informed and unambiguous expression of will by which the data subject gives his or her consent to the processing of his or her personal data by declaration or other manifest acknowledgement;
    • “processor” - a natural or legal person, public authority, agency or other body that processes personal data for the controller;
    • “record” - any structured collection of personal data accessible according to specific criteria, whether centralised, decentralised or disaggregated by function or geography;
    • “erasure of personal data” - physical destruction of the media, their physical erasure or permanent exclusion from further processing;
    • “restriction of processing of personal data” - marking of stored personal data in order to restrict its processing in the future;
    • “personal data breach” - a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to personal data transmitted, stored or otherwise processed;
    • “supervisory authority” - an independent body established by an EU Member State to monitor the application of personal data protection requirements; in the Czech Republic, this body is the Office for Personal Data Protection.
    • “Cookies” - Short text files that are stored by your web or mobile browser. Most cookies contain a unique identifier, called a cookie ID. This is a string of characters assigned by websites and servers to the browser that stored the cookie. This allows websites and servers to distinguish and identify individual browsers. Cookies are used to improve the functioning of the website, to evaluate its traffic and to better target marketing activities. If you browse our website, we assume that you agree to the use of these files.
    • “Third country” - Countries outside the European Economic Area, which mainly includes the member countries of the European Union and Iceland, Liechtenstein and Norway.
  2. On what principles is the General Regulation based? The main principles can be summarised as follows: lawfulness, fairness, transparency - the Controller must process personal data on the basis of at least one legal ground and in a transparent manner towards the data subject, purpose limitation - personal data must be collected for specified and legitimate purposes and must not be processed in a way incompatible with those purposes, data minimisation - personal data must be adequate and relevant in relation to the purpose for which they are processed, accuracy - personal data must be accurate, storage limitation - personal data should be stored in a form which permits identification of the data subject only for the time necessary for the purposes for which they are processed, * integrity and confidentiality - technical and organisational security of personal data.

Article III.

Purpose, scope and duration of the processing of personal data

A. Basic principles

The Controller is guided by the following principles when processing personal data:

  • The Controller always processes all personal data in a lawful, fair, just, transparent and accountable manner;
    • Processing is purpose-limited, which means that the Controller processes personal data only for specific, explicit and legitimate purposes, and personal data are not further processed in a way that is incompatible with those purposes;
    • In the context of data minimisation, the Controller processes adequate, relevant and limited personal data to the extent necessary in relation to the purpose for which it is processed;
    • The Controller processes accurate and up-to-date personal data. If the personal data is inaccurate, the Controller shall ensure its correction or, where appropriate, deletion, for which it may require the necessary cooperation;
    • The Controller shall store personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
    • The Controller shall process personal data in a manner that ensures appropriate security and protection of personal data.

B. Purpose and legal basis of processing

Users' personal data is processed on the basis of the following reasons:

  • The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject (Article 6(1)(b) GDPR); In particular, this includes: negotiating the contract; identifying the client's needs and requirements and other necessary data (e.g. the client's financial situation, financial knowledge and experience); entering into and administering the contract; recording electronic communications for the purpose of entering into the contract and fulfilling contractual obligations under the contract; fulfilling contractual obligations and providing contractual performance; and assessing and managing risk using various methods, including profiling.
  • The processing is necessary for the performance of a legal obligation to which the Controller is subject (Article 6(1)(c) GDPR); in particular, the fulfilment of the requirements of any supervisory and other public authorities and the fulfilment of legal obligations arising from special legislation.
  • The processing is necessary for the purposes of the legitimate interests of the Controller or third party concerned, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child (Article 6(1)(f) GDPR); In particular, this concerns (i) the protection of the legal interests of the Controller; (ii) direct marketing activities; and (iii) the protection of property and persons. * The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) GDPR).

Article IV.

Categories of personal data processing

A.Performance of the contract For the purposes of the performance of the contract, the Controller processes in particular the following categories of data

  • Identification and contact details of the client (e.g. name, surname, telephone, address, nationality, date of birth, birth number, identity document details, e-mail);
  • Personal data related to the subject of the contract (e.g. bank account);
  • Data required for measures against the laundering of proceeds of crime (the required data include the financial situation of the client, the source of funds, the purpose of the investment).
  • Monitoring data (e.g., data obtained from meeting records, records of use of online services, records of communications with clients and browsing of the IPCO website, data on commercial communications sent, data from mobile applications);
  • Data on the negotiation and use of services, on the setting up of contracts.

B. Fulfilment of a legal obligation In providing its services, the Controller must process personal data to comply with legal obligations imposed by national law. The processing of personal data for the performance of legal obligations includes:

  • Keeping documents and records of meetings;
  • Providing assistance to any supervisory and controlling authorities, executors, notaries, insolvency administrators and other public authorities in accordance with the relevant legislation;
  • of measures against money laundering and terrorist financing to prevent abuse of the financial system;
  • Compliance with obligations arising from the application of international sanctions;
  • Keeping legal records of data;
  • Mutual information and information sharing for the prevention and detection of violations;
  • Collecting information on persons subject to tax obligations in another country and transmitting that information to the competent tax authorities.

C. Legitimate interests The Controller processes personal data on the legal basis of a legitimate interest of the company or a third party, in particular in the following situations:

  • Marketing activities Marketing activities are a legitimate interest of the Controller, provided that the data subject can reasonably expect such processing given the circumstances. The processing of personal data for direct marketing purposes is considered to be processing carried out for legitimate interest. Direct marketing includes offering the products of the company of which the data subject is a client, as well as offering the products of other companies within the group, where a legitimate interest can be presumed to exist. Conversely, the legal basis of legitimate interest does not apply to the transfer of personal data to third parties for the purpose of sending marketing communications with which the data subject has no relevant existing relationship, where the data subject's consent to this processing purpose is required. The data subject has the right to object to the processing of personal data for direct marketing purposes. If he/she objects, his/her personal data will no longer be processed for these purposes. This right is notified to the data subject by the Data Controller.
  • Protection of the rights and legally protected interests of the company The Controller processes personal data to protect its rights and legal claims. The processing of personal data occurs to the extent strictly necessary in the context of court proceedings or proceedings before out-of-court dispute resolution bodies, in the recovery of outstanding insurance premiums, recourse penalties and other claims.
  • Protection of property and persons The Controller may use security camera systems. The Controller uses CCTV security and processes personal data from CCTV footage to ensure the safety and security of buildings and premises used by the company, to protect property and persons in these buildings, to protect data, to ensure the interests of the company, the safety and interests of employees, clients and third parties, to prevent, detect and investigate criminal activity or violations of the company's internal rules and to provide evidence in legal proceedings. The Controller shall always consider the extent of CCTV surveillance so that it does not cover a larger area or a greater number of persons than is required for the above purposes. For the purpose of obtaining evidence, and provided that the data subject has been duly informed, a hidden camera may be used to record and investigate criminal activities or violations of the company's internal rules. The Controller may provide the recordings obtained by the CCTV system to law enforcement authorities on the basis of the law and within its limits.
  • Consent to the processing of personal data Consent is only one of the legal bases for processing personal data. Consent to the processing of personal data is required by the Controller only in situations where it is not possible to process personal data on the basis of another legal basis. The Controller requires consent to the processing of personal data in particular for: a. Processing of personal data for purposes other than so-called direct marketing (cases where marketing cannot rely on a legal basis of legitimate interest); b. Exclusively automated processing of personal data (individual decision-making), including profiling, unless another legal title applies; c. Use of online tracking tools (cookies, apps, gps).

Article V.

Conditions for consent to processing

  1. Granting of consent If you have consented to the processing of your personal data, this means that we have received your consent to process your personal data for the purpose and to the extent specified in the consent.
  2. Withdrawal of consent You have the right to withdraw your consent at any time by: a. By e-mail sent to [email protected]; b. By letter delivered to Vodičkova 791/41, 110 00 Prague 1 - Nové Město; c. Via a link contained in each marketing offer sent electronically. Withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal.
  3. Period of validity of the consent The period of validity of the consent is usually specified in the consent. Unless otherwise stated in the consent, the consent is generally valid for the duration of the longest contractual relationship between us and for 1 year after its termination.
  4. Processing of personal data by third parties We are assisted in the provision of our services by processors whose operations comply with European data protection standards. The processing of personal data by third parties is governed by their own terms of service. You acknowledge that we may transfer your personal data to them for the purposes set out below and you agree that we may also transfer personal data to them and you agree that the processors may delegate processing to other sub-processors.

Article VI.

Transmission of personal data

  1. Transfer to other Controllers We may transfer personal data to recipients in their capacity as a data controller during processing within the scope of the purpose, in particular: a. Companies within the Controller Group; b. Public authorities and the courts (especially in the performance of our legal duties); c. Auditors or other independent persons ensuring compliance with legal obligations (e.g. lawyers, bailiffs); d. Information technology providers or operators
  2. Handover to processors When processing personal data within the scope of the purpose, we may transfer personal data to recipients in our capacity as our data processor who process personal data for us according to our instructions, in particular: a. Sales representatives and intermediaries; b. Providers of sanctions lists maintained in connection with measures to prevent the laundering of the proceeds of crime; c. Information technology providers or operators, providers of services necessary for the performance of our activities (administrative activities, accounting, archiving, debt management and recovery, etc.).
  3. Transfer of personal data abroad We process your personal data mainly within the European Union (hereinafter referred to as the EU). Their transfer outside the EU is possible under the conditions set out below: a. Binding corporate rules Your personal data may be shared with companies of the Controller's group outside the EU on the basis of so-called binding corporate rules. Such transmission or processing occurs b. List of countries with adequate protection If necessary, we will allow others to process your personal data abroad. We ensure that personal data is transferred to countries with adequate protection. Safe third countries ensuring an adequate level of protection of personal data are those countries that have a valid European Commission decision on the adequacy of protection of personal data. The Commission publishes the list of decisions in the Official Journal of the European Union and on its website. A list of valid Commission decisions on the adequacy of data protection can also be found here. c. Suitable guarantees If the country does not fall into a category of countries with adequate protection, we may transfer your personal data to that country if the transfer is based on appropriate safeguards (e.g. standard data protection clauses, an approved code of conduct, an approved certification mechanism).

Article VII.

Access to personal data

  1. Only the Controller and persons who are in an employment relationship with the Controller or processors under a contractual relationship with the Controller have access to personal data, and only for the stated purpose of processing. Access to and handling of personal data processed by the Controller is subject to the Controller's internal security regulations.
  2. The Controller may disclose the personal data of the data subject to third parties only if required or permitted by law, otherwise only with the consent of the data subject.
  3. The processors of personal data are suppliers and service providers related to the operation of the Controller's organisation.

Article VIII.

Your rights

  1. Under the terms of the GDPR, you have a. the right of access to your personal data under Article 15 of the GDPR, b. the right to rectification of personal data pursuant to Article 16 of the GDPR or restriction of processing pursuant to Article 18 of the GDPR. c. the right to erasure of personal data pursuant to Article 17 GDPR. d. the right to object to processing under Article 21 GDPR; and e. the right to data portability under Article 20 GDPR. f. the right to withdraw consent to processing in writing or electronically to the address or email of the Controller specified in Article III of these Terms.
  2. You also have the right to file a complaint with the Office for Personal Data Protection if you believe that your right to personal data protection has been violated.

Article IX.

Personal data security conditions

  1. The Controller declares that it has taken all appropriate technical and organisational measures to safeguard personal data.
  2. The Controller has taken technical measures to secure data storage and storage of personal data in paper form.
  3. The Controller declares that only persons authorised by it have access to the personal data.

Article X.

Final provisions

  1. All private legal relations arising from or in connection with the processing of personal data are governed by the law of the Czech Republic, regardless of where the data was accessed. The Czech courts are competent to resolve any disputes arising in connection with the protection of privacy between the user and us, and will apply Czech law.
  2. By checking the consent box, you confirm on the DEXFIN trading platform that you are aware of the privacy policy and that you accept it in its entirety.
  3. The Controller is entitled to change these conditions. It will publish the new version of the Data Protection Policy on its website and will also send you a new version of the Data Protection Policy to the email address you have provided to the Controller. These terms and conditions shall take effect on 1.7.2021