This privacy policy explains how are your personal data processed by the controller, Finax o.c.p, a.s, and hereby provides you, as a person to whom we process personal data (hereinafter referred to as “data subject” or “client”), information pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

1. Identification and contact details of the controller

The controller is Finax o.c.p, a.s., a company with its registered seat at Bajkalská 19B, 82101 Bratislava, Slovakia, Business ID: 51 306 727, registered in Business Register of the Municipal Court Bratislava III, Section:Sa, InsertNo.6713/B(further referred to only as “Finax” or “controller”).

Controller contact details:
Address for correspondence: Finax, o.c.p., a.s., Bajkalská 19B, 82101 Bratislava.
Email: client@finax.eu
Telefón: +421 2 2100 9985

2. Data Protection Officer 

The controller has entrusted with the supervision of the processing of personal data a Data Protection Officer, which you can contact in case of any questions related to the processing of your personal data by email to dpo@finax.eu or in writing on address: Tibor Šiška, Data Protection Officer, Finax, o.c.p., a.s., Bajkalská 19B, 82101 Bratislava.

3. Purpose of personal data processing

The controller processes personal data for the following purposes:

3.1 Provision of financial services to clients, signing, recording, and management of contracts including customer care (e.g., electronic communications service and client area), managerial analyses, and complaints handling in the title of the license as an investment firm as well as in connection with negotiated services related to investment services.

Legal basis: the processing of personal data is necessary under a special regulation, together with the fulfillment of the contract of which the data subject is a party or to take measures, before the conclusion of the contract, at the request of the data subject.

The source of the personal data of the data subject is the data subject. In connection with ancillary services, data were obtained with the conclusion of a contractual agreement for the provision of financial services, and additional data were obtained with the negotiation of ancillary services.

The personal data of the data subject are made available to the following recipients or categories of recipients: financial agents, the National Bank of Slovakia, bailiffs, law enforcement authorities, courts, an accounting services provider, external financial audit, information technology providers, financial institutions providing ancillary services (e.g. insurance company acting in respect of group insurance).

Provision of personal data from the data subject is in part a legal and in another part a contractual obligation.

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: first name, last name, personal identification number, date of birth, place of birth, phone number, email address, nationality, type, number and validity of an identification card or passport, permanent residence, address of correspondence, tax domicile, VAT ID, whether you are a resident of the USA, social security number, politically exposed person, sanctioned person, method and language of communication, bank account, signature, age, skills, experience with financial products, financial situation, risk profile, investment horizon, purpose of the investment, economic profile, AML risk category, investment strategy, ESG preferences, geolocation information, transaction information (including information on payments and contributions into a PEPP pension), facial image, audio recordings (for instance, call recordings with clients) and copies of issued documents, including ID cards (including the photograph from the ID card), sex, education, data related PEPP provision and payouts, PEPP beneficiaries, additional data related to ancillary services (for instance, in the case of insurance, data on insurance product, premiums, data on health status, beneficiaries / marriage / partnership, number of children), in the case of a natural person-entrepreneur, we also process the address of the place of business, the subject of the business, the name of the official register or other official record in which the business is registered and the relevant entry number in this register or record, business activity, data on the end users of benefits.

3.2 Purpose of processing: fulfillment of obligations in the field of prevention of legalization of proceeds from criminal activity and financing of terrorism, registration and management of reports about unusual trading operations, and identification of the client to exercise due diligence in relation to the client.

Legal basis: the processing of personal data is necessary under a special regulation.

The source of the personal data of the data subject is the data subject, public sources of information.

Personal data of the data subject are made available to the following recipients or categories of recipients: National criminal agency, Financial Intelligence Unit, external financial audit, National Bank of Slovakia, courier services, financial institutions providing ancillary services (e.g. insurance company acting in respect of group insurance).

Provision of personal data of the data subject is a legal obligation.

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: first name, last name, personal identification number, date of birth, place of birth, nationality, type, number and validity of an identification card or passport, permanent residence, address of correspondence, politically exposed person, sanctioned person, AML risk category, facial image and copies of issued documents, including ID card (including the photograph from the ID card), data from the relationship monitoring documentation.

3.3 Purpose of processing: verification of client identification through the facial biometrics system

Legal basis: the controller processes biometric data on a legal basis of a special regulation.

The source of the personal data of the data subject is the data subject.

The personal data of the data subject are made available to the following recipients or categories of recipients: intermediaries, the National Bank of Slovakia, the Financial Intelligence Unit, other public authorities controlling the activities of an investment firm, financial institutions providing ancillary services (e.g. insurance company acting in respect of group insurance).

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: biometric facial characteristics.

3.4 Purpose of processing: processing of personal data of clients in regard to accounting and external audits.

Legal basis: the processing of personal data is necessary under a special regulation.

The personal data of the data subject are made available to the following recipients or categories of recipients: accounting company, external financial audit, Financial Administration of the Slovak Republic, National Bank of Slovakia, controlling bodies.

Provision of personal data of the data subject is a legal obligation.

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: first name, last name, permanent residence, address of correspondence, name of the company (employer), employee identification number, transaction information (payments and deposits), and current card balance.

3.5 Purpose of processing: providing information about financial accounts to assess correct tax liability according to Article 19 of Act No. 359/2015 Coll. on automatic exchange of financial account information in the field of taxation.

Legal basis: the processing of personal data is necessary under a special regulation.

The personal data of the data subject are made available to the following recipients or categories of recipients: external financial audit, Tax office, the National Bank of Slovakia.

Provision of personal data of the data subject is a legal obligation. The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: first name, last name, date of birth, place of birth, permanent residence, address of correspondence, tax domicile, VAT ID, whether you are a resident of the USA, social security number, bank account number, current bank account balance, gross income.

3.6 Purpose of processing: provision of products and services and the use and sharing of information as a part of marketing

Legal basis: consent of data subject and the legitimate interest of the controller.

The legitimate interest pursued by the controller in the processing of the personal data (i) for the purpose of direct marketing is the offer of products and services similar to those already used by the client, (ii) for the purpose of advertising campaigns, e.g. through social networks, marketing surveys, displaying targeted advertising is to inform about its products and services /marketing/.

The controller processes personal data for the purpose of (direct) marketing also with the consent of the data subject, e.g., in case the data subject has subscribed to the marketing communication (i.e. newsletter). The consent may be withdrawn at any time by the data subject.

The personal data of the data subject are made available to the following recipients or categories of recipients: financial agents, information technology providers, marketing agencies encompassing analytical and statistical indicators of the web, social network operators.

Provision of personal data by the data subject – the client is a legitimate request of the controller. The provision of personal data by the data subject - the person who has subscribed to the marketing communication is his / her consent.

The controller processes the following categories of the data subject’s personal data: email, telephone number, name, surname, age, sex, place of residence.

3.7 Purpose of processing: conclusion, registration, and administration of contracts including customer care (e.g. electronic communication service and client area), manager’s analysis, and solving complaints from the standpoint of financial intermediation of financial services.

Legal basis: the processing of personal data is necessary under a special regulation.

The personal data of the data subject are made available to the following recipients or categories of recipients: financial institutions providing financial services, the National Bank of Slovakia, the Court of executors, law enforcement authorities, courts, an accounting company, external financial audit, information technology providers.

Provision of the data subject’s personal data is in part a legal and in another part a contractual obligation.

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: title, first name, last name, given name, personal identification number, date of birth, place of birth and country, phone number, email, nationality, type, number and validity of an identification card/ passport, permanent residence, postal address, tax domicile, VAT ID, whether you are a resident of the USA, social security number, politically exposed person, sanctioned person, type and language of communication, bank account, signature, age, skills, experience, financial situation, risk inclination, investment horizon, purpose of the investment, economic profile, AML risk category, investment strategy, geolocation information and transaction information, health condition of the client for the purpose of insurance, information about types of company and personal pension funds and authorized persons, based on these agreements, picture of face, biometric data (characteristics of voice, face or signature), audio recordings (for instance, call recordings) and copies of issued documents, including ID card (including the photograph from the ID card).

3.8. Purpose of processing: processing of personal data of person seeking employment

Legal basis: contractual and pre-contractual relationship

The personal data of the data subject are made available to the following recipients or categories of recipients: information technology providers.

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: first name, last name, date of birth, place and country of birth, nationality, telephone number, email, education, work history, and other CV details.

3.9 Purpose of processing: marketing communication regarding the campaign referral from a friend

• Legal basis: legitimate interest of the controller.

The personal data of the data subject are made available to the following recipients or categories of recipients: information technology providers.

Personal data is not obtained directly from the data subject but from another person who thinks that the data subject would be interested in the services of the controller. The controller shall always inform the data subject of the source from which the personal data were obtained.

The controller does not perform automated individual decision-making or profiling for the purpose of processing personal data.

The controller processes the following categories of the data subject’s personal data: email.

3.10 Purpose of processing: fulfillment of the obligations of an investment firm in relation to the categorization of clients, obtaining information concerning the client's and / or potential client's knowledge and experience in the field of investments under the Securities Act

• Legal basis: the processing of personal data is necessary under a special regulation.

The personal data of the data subject are made available to the following recipients or categories of recipients: financial institutions providing a financial service, the National Bank of Slovakia, law enforcement authorities, courts, external financial audit, information technology providers.

Provision of personal data of the data subject is a legal obligation. The controller does perform automated individual decision-making or profiling for the purpose of processing personal data.

Personal data processed for this purpose are collected through the investment form on the Finax website. The answers are evaluated by the technical device, which assigns to the data subject one of the eleven categories, according to the pre-set algorithm, based on their investment relationship. The technical device shall also propose to the data subject an investment plan that the data subject may accept or modify (within the limits set by Finax). At any time, the data subject may return to the investment questionnaire and change his or her answers.

The controller processes the following categories of the data subject’s personal data: knowledge and experience of the client or potential client in the investment field, the financial situation of the client or potential client, including the investment objectives (e.g., sustainability preferences) and the client's ability to bear a loss.

3.11 Purpose of processing: improvement and development of services, compiling statistical reports, troubleshooting, development, and improvement of other products and services, fraud prevention and detection purposes, IT security 

Legal basis: legitimate interest of the controller, processing of personal data is necessary under a specific regulation.

The personal data of the data subject are provided to the following recipients or categories of recipients: information technology providers, the National Bank of Slovakia.

The source from which the personal data of the data subject originate is the data subject.

The controller does not carry out automated individual decision-making within the framework of the above-mentioned purpose of processing personal data. The controller may carry out profiling to analyze or predict the economic situation and behavior of the data subject, aiming to develop and test new functionalities, compile statistical reports, solve problems, develop and improve other products and services of the Company. This profiling does not lead to automated decision-making with legal effects concerning or similarly significantly affecting the data subject.

The controller processes the following categories of personal data of the data subject: audio recordings (recordings of phone calls with clients), data collected in connection with the application use (e.g., activities in the application, use of various functions, demographic data), however, where possible, the controller will process anonymized data

4. Processing of biometric data – biometric facial characteristics

When concluding a business relationship with a client, the controller is obliged to perform a verification of client identification under Act No. 297/2008 Coll. on protection against money laundering and terrorism financing.

The controller enables verification of the identification in several ways: with or without facial biometrics.

If the client decides to use the facial biometrics system, he / she will be asked to scan his / her identity document, take a so-called selfie photo, and take a liveliness test, consisting of the client watching a randomly moving dot on the monitor of his device (mobile, laptop). The system then assesses whether the person on the identity document is identical to the person who took the selfie photo and performed the liveliness test. If the client decides to use the facial biometrics system to verify his / her identification, the client is notified that the operator will process his / her data for the period stipulated by law. The legal basis for the processing of biometric data is a special law.

The verification of identification can also be performed in another way (without the processing of biometric facial characteristics). In this case, the data subject will only enter personal information from his / her identity document in an online form and, following the conclusion of a contract with the controller, the client will be asked to take steps needed for the identity verification, in particular sending the scan of the identity document, bank statement from another bank and subsequently making a transfer from the account in question to the controller’s account.

5. Purpose and legal basis for personal data processing

The legal basis regarding the processing of personal data is in particular the standard fulfillment of legal obligations, the conclusion and fulfillment of the contract, the legitimate interest (in the case of direct marketing in relation to existing clients), and the data subject's consent (in the case of direct marketing in relation to those, who have signed up for the marketing communications).

The controller operates in a highly regulated field of the financial market, resulting in several obligations imposed by specific regulations. Therefore, your personal data are being processed even if a specific law imposes this obligation on us, particularly but not exclusively

Act No. 566/2011 Coll. Act on Securities and Investment Services and on Amendment to Certain Acts (Securities Act)

Regulation (EU) 2019/1238 of the European Parliament and of the Council on a pan-European Personal Pension Product (PEPP)

Act No. 129/2022 Coll. on a pan-European Personal Pension Product and on Amendment to Certain Acts

• Act No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing
• Act No. 186/2009 Coll. on financial intermediation and financial counselling
• Directive 2014/65/EU of the European Parliament and the Council of the European Union on markets in financial instruments
• Regulation (EU) No. 600/2014 of the European Parliament and the Council of the European Union on markets in financial instruments
• Act No. 431/2002 Coll. on Accounting
• Act No. 395/2002 Coll. on Archives and Registries
• Commission delegated regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organizational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive
• Act No. 595/2003 Coll. on income tax
• Act No. 359/2015 Coll. on automatic exchange of financial account information in the field of taxation
• Regulatory rulings and methodological guidelines of the National Bank of Slovakia

6. Transfer of personal data to third countries

Personal data shall be the subject of a cross-border transfer to the Member State of the European Union or to the third countries that do ensure an adequate level of personal data protection as well as to the third countries that do not ensure an adequate level of personal data protection on the understanding that the controller had taken measures directed at personal data protection.

7. Personal data retention period

The controller is authorized to process the personal data of the concerned person and retain them for a period defined by Act No. 566/2001 Coll. Act on securities and investment securities, which applies for the duration of the contract and after the termination of it for the necessary amount of time, capped at the maximum of 10 years unless the government regulations state otherwise.

The processing of personal data in the case of consent is only possible for the period for which the consent was granted or as the case may be until the consent withdrawal.

In the case of personal data processing for the purpose of direct marketing based on the legitimate interest of the controller, the personal data will be processed until the data subject has objected to the processing in question.

Personal data retention is also defined by other laws described in section 5, based on which we are obliged to retain our records accordingly:

- to Act No. 297/2008 art. 19, sec. 2, for the period of 5 years after termination of the contract and in regard to art. 19, sec. 3, for longer than 5 years if the financial intelligence unit requests it, capped at a maximum of 10 years,

- to Act No. 595/2003 time periods defined in sec./ art. 39and sec./ art. 40 of the act depending on the taxation period,

- to Act No. 359/2015 art. 19 sec. 3 – 10 years from the end of the calendar year in which information was reported according to the relevant legislation and FATCA,

- to Act No. 431/2002 in respect to art. 35 sec. 3 – 10 years after the year to which is the documentation related,

- to Act No. 186/2009 – Financial agent for the period of at least 10 years starting from the beginning of the validity of the contract offering financial services

- to Act No. 395/2002 – 10 years after the year to which is the documentation related to, with NBS having a right to extend this period,

- Regulation 2017/565/EÚ – art. 73 at least for the time period of validity of the contract with the client, with respect to art. 76 sec. 8 – 5 years, at the request of relevant authorities 7 years,

- Regulation 600/2014/EÚ – in respect to art. 25 sec. 1 – information about all instructions and transactions for 5 years.

8. Rights of the data subject

In connection with the processing of your personal data, you have the following rights stated below. If you exercise any of the rights below, we will notify you of your request being processed within 30 days of its receipt. In justified cases, we may extend this period to 60 days, which we will inform you about.

Right of access by the data subject

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the recipients or categories of recipient to whom the personal data have been disclosed, in particular recipients in third countries; the envisaged period for which the personal data will be stored. The data subject also has the right to obtain a copy of the personal data that are being processed.

Right to rectification

If you believe Finax is processing incorrect, inaccurate, or outdated personal data about you, you have the right to obtain the rectification of personal data. It is important for us to process accurate personal data about you, so be sure to use this right whenever any of your personal data, which is important to your relationship with us, changes. Based on your corrected or up-to-date information, we will rectify the personal data we process about you.

Right to erasure (‘right to be forgotten’)

You shall have the right to obtain from the controller the erasure of personal data concerning him or her where one of the following grounds applies and there are no statutory exclusions:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based, and where there is no other legal basis for the processing;
• the data subject objects to the processing of personal data, processed on the basis of legitimate interest, due to his / her specific situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;
  • the personal data have been unlawfully processed.

• However, please be aware that, with respect to legal obligations that Finax as an investment firm has, in particular in the areas of regulating securities trading, combating money laundering, terrorist financing, and fraud prevention, Finax is obliged to store personal data of their clients as well as potential clients even after the end of the business relationship and therefore this personal data can be deleted only after the expiry of the set deadlines. For more information on the specific retention periods, see Chapter 7. Personal Data Retention Period.

  Right to restriction of processing

  You shall have the right to obtain from the controller restriction of processing where one of the following applies:

  if you contest the accuracy of the personal data being processed, for a period enabling the controller to verify the accuracy of the personal data;

  the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

  we no longer need the personal data for the processing, but they are required by you for the establishment, exercise, or defence of legal claims;

  you object to the processing of personal data pending the verification of whether the legitimate grounds of the controller override those of the data subject.

  In these cases, Finax will not delete your personal data but will mark it and restrict its processing for certain purposes.

  Right to data portability

  You shall have the right to receive the personal data concerning you, which you have provided to a controller and the processing is carried out by automated means in a structured, commonly used, and machine-readable format. You have the right to transmit those data to another controller. If it is technically feasible, we will directly transmit your personal data to another controller.

   

  Right to object and automated individual decision-making

  You shall have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on our interest, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to the processing of personal data concerning you.

  You also have the right to object if your personal data is processed automatically, which may result in a decision that has legal effects for you or otherwise affects you significantly.

  In the event of an objection to the processing of your personal data that are being processed on a legal basis of Finax's legitimate interest, Finax will assess the situation based on the information provided by you and inform you whether Finax's legitimate interest prevails in a particular situation and the processing will continue or your rights as a data subject prevail and the processing will be stopped.

  Right to withdraw consent

  If your personal data are being processed based on the consent, you are entitled to withdraw this consent at any time. However, withdrawal of consent has no impact on the legality of processing resulting from consent before its withdrawal.

  Right to lodge a complaint with a main supervisory authority

  if you consider that the processing of personal data relating to you infringes this Regulation, you have the right to lodge a complaint with a main supervisory authority - the Office for Personal Data Protection of the Slovak Republic,

  Office for Personal Data Protection of the Slovak Republic
  Hraničná 12
  820 07 Bratislava 27
  Slovak Republic

  https://dataprotection.gov.sk

  How to exercise your rights

  The data subject may exercise his / her rights to Finax by e-mail sent to dpo@finax.eu or in writing to: Tibor Šiška, Data Protection Officer, Finax, o.c.p., a.s., Bajkalská 19B, 82101 Bratislava

  Please state your name, surname, e-mail address, or permanent address in your request. If you do not provide us with this information, your request will not be accepted. We require this additional information to verify your identity and not to disclose your personal information to an unauthorized person.

  In the case of exercising the right of access to personal data or the right of portability of personal data, the signature of the data subject on the written request must be officially authenticated. If Finax has a legitimate suspicion concerning the identity of the data subject, it has the right to ask the data subject to provide additional information needed for verification of the identity, e.g. such as a written request with an officially verified signature of the data subject.

9. Cookies

Finax website uses cookies. More information about cookies can be found here.