Gdpr | CRM - UMD Network

Protection of personal data

Administrator identification data

The company UMD Network, as, with registered office at Krátkého 250/4, ID number: 04 874 820, registered in the Commercial Register maintained by the Municipal Court in Prague under file no. stamp B 21420

Contact information of the representative Ing. Juraj Lanc, 0908865401, juraj.lanc@universal.sk

Purpose of personal data processing

The administrator processes the personal data of the persons concerned for the purpose of:

• Performing financial intermediation within the meaning of the Act on Financial Intermediation, including client identification, verification of this identification;

• Fulfillment of a contractual relationship in which the person in question acts as one of the contractual parties, or where the person concerned is a person acting on behalf of a party to the contract or in order to take pre-contractual measures at the request of the person concerned;

• performance of marketing activities by the administrator, including the organization of marketing campaigns and competitions, registration of competitors and publication of winners;

• fulfillment of obligations stipulated by special regulations (e.g. Act on Financial Intermediation, Act on Protection against Legalization, Act No. 395/2002 Coll. on Archives and Registrations, etc.);

• performing financial intermediation within the meaning of the Act on Financial Intermediation, including client identification, verification of this identification; - Article 6 paragraph 1 letter c) Regulation (§ 31 paragraph 1 letter a) of the Financial Intermediation Act);

• performance of a contractual relationship in which the person in question acts as one of the contractual parties, or where the person in question is a person acting on behalf of the contracting party or that, based on the request of the person in question, measures are taken before the conclusion of the contract; - Article 6 para. 1 letter b) Regulation;

• the performance of marketing activities by the administrator, including the organization of marketing campaigns and competitions, registration of competitors and publication of winners - Article 6 paragraph 1 letter a) Regulations; • fulfillment of obligations stipulated by special regulations (e.g. Act on Financial Intermediation, Act on Protection from Legalization, Act No. 395/2002 Coll. on Archives and Registrations, etc.) - Article 6 para. 1 letter c) Regulations;

• the use of services associated with administration and services associated with the display of the client's personal and financial information, or other information voluntarily provided by the client on the inŠanon portal, which the administrator provides electronically via the inŠanon web portal, as well as via a mobile application that is accessible to the client at the internet address "insanon.cz" or "insanon.universal.cz". Article 6 paragraph 1 letter a) Regulations. 2 Categories of personal data concerned Title, name, surname, date of birth, social security number, address of permanent or other residence, contact telephone number, fax number and e-mail address, nationality, type and number of identity document, address of the place of business, as regards the natural person who runs a business, the subject of the business and the designation of the official register or other official records, data relating to obligations between the contracting party and the controller, data on the fulfillment of the contractual party's obligations to the controller, data on the employer, employment relationship, other employment relationship, service relationship, employment in the state sector, education achieved. Recipients, the category of recipients to whom personal data will be accessible, the administrator does not provide personal data of the persons in question to third parties, except in cases where the obligation to provide personal data is imposed on the administrator by a generally binding legal regulation or if the provision of personal data is agreed between the administrator and the person in question. The administrator provides and makes available personal data in particular to: - the Czech National Bank, - law enforcement authorities, - the National Criminal Agency of the Presidium of the Police Force, - the Office for the Protection of Personal Data of the Czech Republic, - subjects, with which the administrator has concluded cooperation agreements in connection with the performance of financial intermediation within the meaning of the Financial Intermediation Act (in particular banks, insurance companies, reinsurance companies, savings banks, leasing companies, investment companies, securities dealers, supplementary pension companies, pension management companies, etc.) , - to entities with which the administrator has concluded cooperation agreements in connection with consulting activities, legal services, the performance of supplier activities in relation to the information system, etc. The administrator does not disclose the provided personal data, except in special cases, e.g. in the case of marketing campaigns and competitions. In the case of marketing campaigns and competitions, personal data (name and surname), based on the prior consent of the persons concerned, published in an appropriate manner in the mass media and on the website. Third countries to which the administrator intends to provide personal data The administrator does not intend to provide personal data to third countries or international organizations. Retention period of personal data Personal data is stored for a certain period until the purpose for which the personal data was provided is fulfilled and subsequently archived in accordance with the relevant legal regulations: • documents related to financial intermediation within the meaning of the Act on Financial Intermediation for a period of at least 10 years from the beginning of the validity of the contract for the provision of financial services; • performance of marketing activities - for the period for which the person concerned has given consent, or for a shorter period of time until consent is revoked. If consent is not given for a specific time, personal data are processed until the purpose for which the person concerned has given consent ends; 3 • use of inŠanon services - for the period for which the person concerned has given consent, or for a shorter period of time until consent is revoked. If consent is not given for a specific period of time, personal data is processed until the purpose for which consent was given by the person in question ends; • debt collection/lawsuits - for 10 years. Rights of the person in question The person in question has the right to: • request access to his personal data from the administrator according to Article 15 of the Regulation: The person in question has the right to obtain confirmation from the administrator as to whether the personal data to which he relates is being processed; • the right to correct personal data according to Article 16 of the Regulation: The person concerned has the right to have the administrator correct incorrect personal data concerning him without undue delay. With regard to the purposes of the processing, the person concerned has the right to supplement incomplete personal data, including by providing an additional declaration; • the right to erasure of personal data according to Article 17 of the Regulation: The person concerned has the right to obtain from the controller the erasure of personal data concerning him without undue delay, and the administrator is obliged to delete personal data without undue delay, provided that: a) personal the data are no longer needed for the purposes for which they were obtained or otherwise processed b) the person concerned revokes the consent on the basis of which the processing is carried out and if there is no other legal basis for the processing c) the person concerned has objections to the processing according to Article 21 par. 1 of the Regulation and there are no valid reasons for the processing or the person concerned has objections to the processing according to Article 21 par. 2 Regulation, d) personal data were processed illegally e) is a reason for deletion of the obligation of the law, special regulation or international agreement to which the Czech Republic is bound, f) personal data was obtained in connection with the offer of information society services to a person under the age of 16. The person concerned will not have the right to delete personal data provided that their processing is necessary: a) to exercise the right to freedom of expression and to information, b) to fulfill an obligation according to the law, a special regulation or an international treaty to which the Czech Republic is bound, or when fulfilling a task carried out in the public interest or in the exercise of public authority entrusted to the administrator, c) for reasons of public interest in the field of public health, d) for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes if probable, that the right to erasure will make it impossible or seriously difficult to achieve the goal of such processing, or e) to prove, exercise or defend legal claims. The administrator shall delete the personal data of the persons concerned upon request, without undue delay after evaluating that the request of the person concerned is justified. • the right to limit the processing of personal data according to Article 18 of the Regulation: The person concerned has the right to the processing of personal data if: a) the correctness of the personal data is disputed, during the period allowing the administrator to verify the correctness of the personal data, 4 b) the processing is illegal and the concerned the person objects to the erasure of personal data and instead requests the restriction of their use, c) the administrator no longer needs the personal data for the purposes of processing, but the person in question needs them to prove, exercise or defend legal claims, d) the person in question has objections to the processing of personal data based on the administrator's legitimate claim, until it is verified whether the legitimate reasons on the part of the administrator outweigh the legitimate reasons of the person concerned. If the processing has been limited, such personal data, with the exception of storage, are processed only with the consent of the person concerned or to prove, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. The administrator informs the person in question who has reached the restriction of processing before the restriction of processing is lifted. • the right to object to the processing of personal data according to Article 21 of the Regulation: The person concerned has the right to object at any time for a reason related to his specific situation against the processing of personal data concerning him, which is carried out on the basis of: - the legal basis for the performance of tasks carried out in the public interest or in the exercise of public authority, or from the legal title of the administrator's legitimate interest, - processing of personal data for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing, - processing for the purposes of scientific or historical research or for statistical purposes, with the exception of cases where the processing is necessary for the fulfillment of tasks due to public interest. • the right to refuse profiling according to Article 22 of the Regulation: The person concerned has the right to refuse to have their personal data be the subject of automated decision-making, including profiling. • the right to the portability of personal data according to Article 20 of the Regulation: The person concerned has the right to the portability of personal data, which means obtaining the personal data that he has provided to the administrator, while having the right to transfer this data to another administrator in a commonly used machine-readable format, provided that the personal data were obtained based on the consent of the person concerned or on the basis of a contract and their processing takes place in the form of automated means. • the right to file a proposal to initiate proceedings on the protection of personal data at the Office for the Protection of Personal Data. Sochora 27 170 00 Prague 7 pursuant to § 100 of Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Supplements to Certain Acts (hereinafter referred to as the "Act on the Protection of Personal Data"), if he believes that his rights have been violated in the area of personal data protection, • in the case of granting consent to the processing of personal data, the person concerned has the right to revoke his consent at any time in writing to the headquarters of the UMD company or electronically to centrala@umd. cz 5 Principles of personal data processing When processing personal data, the administrator observes the following principles of personal data processing: a) principle of legality Personal data are processed in a legal manner in a fair and transparent manner. b) principle of purpose limitation Personal data are obtained only for a specifically determined, explicitly stated and legitimate purpose. Furthermore, it does not process personal data obtained in this way for another purpose that is not compatible with the original purpose. c) the principle of data minimization Only those personal data are processed that, in terms of scope and content, correspond to the purpose of their processing and are unavoidable to achieve it. d) principle of correctness Only correct and up-to-date personal data are processed. If personal data is found to be incorrect, the controller will take all available measures to correct or delete it. e) the principle of minimization of storage Personal data are processed only for the time that is unavoidable to achieve the specified purpose. Once the purpose has been achieved, the personal data is disposed of, except in cases where the controller is obliged to store such data in accordance with legal regulations. f) the principle of integrity and confidentiality The Administrator ensures the protection of personal data that it processes. For this purpose, it has taken adequate technical, personnel and organizational measures. g) principle of responsibility The Administrator is responsible for the processing of personal data in accordance with the Regulation, the Personal Data Protection Act and other relevant legal regulations. The administrator is obliged to prove this compliance. Provision of personal data by the person concerned The Administrator may process personal data only on the basis of a directly enforceable legally binding act of the European Union, an international treaty, by which the Czech Republic is bound, the provisions of the Personal Data Act or a special law, or based on the consent of the person concerned. The person in question is obliged to provide the administrator with all required personal data and information, which are established by generally binding legal regulations. Among the legal regulations that establish the obligation of the person concerned to provide personal data and that govern the processing of personal data include in particular - Act 38/2004 Coll. on Insurance Intermediaries, - Act on Protection against Legalization - Regulation, - Act on Protection of Personal Data, - Act No. 395/2002 Coll. on archives and registries Provisions of other legal regulations governing the obligation of the person concerned to provide the administrator with personal data are not affected by this. The administrator processes personal data without the consent of the person concerned, even if: • the processing is necessary to fulfill the contract, to which the person in question is a party to the contract or to take measures on the basis of the person in question before concluding the contract. 6 • processing is necessary to protect the vital interests of the person concerned or another natural person, • processing is necessary to fulfill a task carried out in the public interest or in the exercise of public authority entrusted to the administrator, • processing is necessary for the purposes of legitimate interests pursued by the administrator or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular if the data subject is a child. If the aforementioned legal basis for the processing of personal data does not apply to the processing of personal data, the administrator is authorized to process personal data only with the consent of the person concerned. The consent of the person concerned is voluntary, the administrator may not force or condition the consent of the person concerned by the threat of rejection of the contractual relationship, service or product. Refusal to provide personal data, as stipulated by law, may result in the controller refusing to enter into a contractual relationship. Existence of automated decision-making, including profiling Personal data of the person concerned are processed in electronic and written form. The administrator does not process the personal data of the person concerned on the basis of automated individual decision-making, including profiling. The right of the person in question to submit a request 1. The person in question is authorized to submit a request in written or electronic form. 2. The written application must be delivered to the address of the UMD headquarters. 3. The application submitted electronically must be delivered to the email address: centrala@umd.cz. 4. UMD is required to provide information in written or electronic form, usually in the form in which the request was submitted. If the person in question requests it, UMD can also provide information orally, in case the person in question proves his identity in another way. 5. UMD provides assistance to the data subject in exercising his rights of access to personal data, the right to rectification, erasure and restriction of the processing of personal data, the right to portability, the right to object so that he is not subject to a decision that is based exclusively on automated processing of personal data (hereinafter referred to as "rights of the person concerned") 6. The UMD company is obliged to provide the person in question with information about the measures that were taken on the basis of his request in exercising the rights of the person in question, without unnecessary delay, no later than one month from the delivery of the application. The UMD company can extend the stated period by another two months in justified cases, taking into account the complexity and number of applications. The UMD company is obliged to inform the person concerned of each such extension within one month of the delivery of the request together with the justification for the extension of the deadline. If the person in question submitted the Application in electronic form, UMD will provide the information in electronic form, unless the person in question has requested the provision of information in another way. 7. If the UMD company does not take measures based on the request of the person in question, without delay and at the latest within one month from the delivery of the request, it is obliged to inform the person in question of the reasons for non-acceptance and of the possibility of filing a proposal to initiate proceedings on the protection of personal data at the Office for the Protection of Personal Data of the Czech Republic. 7 8. Information, which the UMD Company is obliged to provide to the person in question in the event that personal data is obtained from the person in question and in the event that it is not obtained from the person in question and notifications and measures taken in connection with the rights of the persons in question and notifications of violations of personal data protection are provided to the person in question free of charge . If the request of the person concerned is manifestly unfounded or unreasonable, especially if it is repeated in nature, UMD may: a) request a reasonable fee for the administrative costs of providing the information or a reasonable fee for the administrative costs of the notification or a reasonable fee for the administrative costs of taking the requested action or b ) refuse to deal with the request 9. The UMD company proves the obvious groundlessness of the request or the unreasonableness of the request. 10. UMD may request the provision of additional information needed to confirm the identity of the person in question if it has legitimate doubts about the identity of the natural person who submitted the request in connection with the exercise of their rights to access personal data, the right to correction, erasure and restriction of personal data processing, the rights to the portability of personal data and the right to object to the processing of personal data; the provisions of Article 11 of the Regulation are not affected by this. a) to a person who is represented on the basis of a power of attorney, verification of his data in the scope of data according to point 2. letter d) 2.4. of this article on the basis of documents, data or information obtained from the submitted power of attorney with verified signature, official register or other official records or other reliable and independent source of verification of the identification of a natural person, which is authorized to act on the basis of a power of attorney to the extent of the data according to point 2. letter a) in her identity document in her physical presence, b) to a minor who does not have an identity document, verification of the type and number of the identity document and the form of the legal representative of the minor present with the form in his identity document