Information on Personal Data Processing

Users of "Everifin“ payment services

pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

(hereinafter as the “GDPR”)

Due processing of Your personal data and protection of Your privacy is important for us and therefore in the processing of Your personal data we proceed in accordance with the applicable legislation and protect it with maximum level of care.

At this place, you will find detailed information in particular on how we process personal data, why we process them, what rights You have in relation to the processing of Your personal data, as well as further information that may be of interest to You and that concern personal data processing.

In this instruction you will find in particular information on the following topics:

1. Who is the controller of Your personal data

2. Detailed information on individual legal bases for processing

3. Detailed information on individual purposes of processing

4. Instruction on Your rights related to the processing of Your personal data

1. Who is the controller of Your personal data?

Controller of personal data shall always be the company with respect to which the data were provided, and which determine the purpose and means of personal data processing.

Controller of Your personal data is the provider of “Everifin” payment services, which means company Usability Engineering Center s. r. o., with registered office in Mikovíniho 8, 917 01 Trnava, company registered in the Business Register of the District Court Trnava, Section: Sro, insertion No. 30858/T, identification number (IČO): 46 963 774 (hereinafter as the “Controller“).

In processing Your personal data, due to the nature of services provided by the Controller, transmission of data to third parties may occur, however, solely to the countries of the European Union and to the countries of the European Economic Area.

Contact information of the Controller:

Postal address: Usability Engineering Center s. r. o.

Mikovíniho 8, 917 01 Trnava

E-mail contact: [email protected]

Mobile: +421 918 935 649

2. Which legal basis enables us to process Your personal data?

The Controller processes Your personal data based upon one of the following legal bases:

Basic obligations of the Controller to process Your personal data arise in this case to the Controller from several generally binding legal regulations governing in particular taxes and other financial payments, as well as in other special legal regulations, in particular in Act on Protection Against Legalising of Means from Criminal Activities and on Protection Against Financing of Terrorism, Act on Reporting of Anti-Social Activities, Act on Payment Services, Act on Supervision Over Financial Market or Act on the NBS; providing of personal data, in this case, represents a statutory requirement for performing of rights and obligations of the Controller under the law

Performance of the contract by the Controller Processing of Your personal data by the Controller is in this respect necessary to conclude the contract with the Controller and subsequently for the Controller to be able to provide services to You that the Controller agreed to provide, i. e. in particular for providing of information on Your payment accounts, submitting of payment orders based upon Your order with respect to payment account administered by Another Provider of Payment Services and, if necessary, even for complaint handling procedure and for the purpose of further communication with You; providing of personal data in this respect represents a contractual requirement that is necessary for concluding of the contract between the Controller and data subject

Consent of data subject Processing of Your personal data may be based upon Your consent, in particular in relation to individual transactions, where consent is granted by authorization of individual transaction; You may withdraw the consent at any time in writing at the address: Mikovíniho 8, 917 07 Trnava or in electronic form at e-mail address [email protected]; potential subsequent withdrawal of consent shall have no effect on the lawfulness of personal data processing prior to the withdrawal of the consent; providing of personal data in such case does not represent statutory or contractual requirement, it is completely voluntary, however, in certain cases it is necessary for due providing of services by the Provider

The legitimate interest of the Controller Processing of Your personal data may be based upon the legitimate interest of the Controller, where the Controller shall examine whether such processing represents a disproportionate intervention into Your rights; the legitimate interest of the Controller represents in particular defense of legal claims of the Controller and sending of offers for services of the Provider to existing clients; you may request further information from the Controller at any time through the above-specified contact information of the Provider; providing of personal data, in this case, does not represent statutory or contractual requirement, it is completely voluntary, however, in certain cases it is necessary for due providing of services by the Controller

3. For what purposes do we process Your personal data?

The Controller processes Your personal data always for the particular purpose which is defined in advance:

Providing of services of the Provider

The Provider processes personal data in particular for the purpose of due providing of payment services under mutual contractual relationship concluded with the data subject, in particular providing of consolidated information on an individual or several payment services of the data subject, submitting of payment orders based upon instruction from the data subject with respect to payment account which is administered by Another Provider of Payment Services or for documenting activities of the Controller for the purpose of performing supervision over the conduct of the Provider, including the processing of statistical and other information for these purposes.

• Legal basis:

Statutory obligations of the Controller

Performance of contract by the Controller

Consent of data subject

The legitimate interest of the Controller

• Extent of personal data:

Regular personal data that are acquired by the Controller from the data subject: name, surname, e-mail address, telephone contact, date of birth, personal number, address of permanent residence, address of temporary residence, payment account name, payment account number, identity document (e. g. identity card, travel passport), information whether the user of service or ultimate beneficial owner is politically exposed person and origin of his finances (in case of legal entities similar information on identification of their ultimate beneficial owners are collected, in case of politically exposed person even another document proving his / her identity), IP address

• Period of personal data storing:

The Controller is entitled to process personal data of data subjects for a period of 5 years after termination of the contractual relationship between the Controller and data subject unless the legislation requires longer storing or unless there exists another legal basis for their storing.

• Third parties:

In addition to the Controller, the following persons have access to personal data: employees of the Controller, legal counsel, external provider of postal services and National Bank of Slovakia, or other competent authorities in performing of supervision over activities of the Controller, courts, and other authorities competent to resolve disputes or to enforce decisions.

Protection against legalizing of proceeds from criminal activities

The Controller, due to the nature of its activities, processes personal data also for the purpose of performing obligations arising from special legislation, in particular from Act on the Protection Against Legalising of Proceeds from Criminal Activity, in particular in relation to investigation and control of identification of clients and their reviewing and uncovering of unusual business operations.

• Legal basis:

Statutory obligations of the Controller

• Extent of personal data:

Regular personal data that are acquired by the Controller from the data subject: name, surname, e-mail address, telephone contact, date of birth, personal number, address of permanent residence, address of temporary residence, payment account name, payment account number, identity document (e. g. identity card, travel passport), information whether the user of service or ultimate beneficial owner is the politically exposed person and origin of his finances (in case of legal entities similar information on identification of their ultimate beneficial owners are collected). In case of a politically exposed person, even another document proves his/her identity.

• Period of personal data storing:

The Controller is entitled to process personal data of data subjects for a period of 5 years after termination of the contractual relationship between the Controller and data subject unless the legislation or written request of the financial intelligence unit requires longer storing or unless there exists another legal basis for their storing, however, maximum up to 10 years.

• Third parties:

In addition to the Controller, the following persons have access to the personal data: Financial intelligence unit or other competent authorities to perform supervision, external supplier of identity documents validation.

Direct marketing and statistics

The Controller processes personal data for the purpose of conducting surveys on using of payment services of the Controller as well as for informing of clients on new offers.

• Legal basis:

Consent of data subject

The legitimate interest of the Controller

• Extent of personal data:

Regular personal data that are acquired by the Controller from the data subject: name, surname, e-mail address.

• Period of personal data storing:

The Controller processes personal data of data subjects for marketing and information purposes only for the necessary period, however, only until unsubscribing from receiving information materials of the Controller or until the withdrawal of consent unless the legislation requires a longer period of their storing or unless there exists another legal basis for storing.

• Third parties:

In addition to the Controller, the following persons have access to personal data: employees of the Controller.

4. What rights do you have in relation to processing Your personal data?

Unless it contradicts generally binding legal regulations, data subjects have the right to request from the Controller

- the right of access to his / her personal data,

- right to rectification of personal data,

- right to the erasure of personal data,

- right to restriction of processing of personal data,

- right to object to the processing of personal data,

- right to his / her personal data portability,

- right to lodge a complaint to the supervisory authority.

The above-specified rights of data subjects are specified in detail in Articles 15 until 21 of the GDPR.

In what manner can You enforce Your rights to personal data?

You may claim your rights by sending a written request by mail to address Mikovíniho 8, 917 01 Trnava or in the electronic form to the e-mail address: [email protected].

The Controller will respond to your request concerning personal data processing without undue delay, however, always until one month after its receiving. In special cases, the Controller may extend this period by two months, but You will always be informed about the reasons for prolonging the period within one month after receiving the request.

The Controller responds to your request free-of-charge but in case Your requests turn out to be unreasonable, demonstrably ungrounded, or frequently repeated, the Controller may charge You a reasonable administrative fee for responding to such requests.

Personal data updating:

The Controller intends to process only up-to-date and accurate personal data. Please inform the Controller of any changes in Your personal data that you have provided to the Controller by mail to address Mikovíniho 8, 917 01 Trnava or in the electronic form to the e-mail address.