General information about personal data processing
Personal data processing
BSSE processes personal data in compliance with the applicable legislation to the necessary extent.
The purpose of this document is to provide information within the meaning of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR” hereinafter) and Act No. 18/2018 (Coll.) on the Protection of Personal Data and on Amendments to Related Laws as amended (the “Personal Data Protection Act” hereinafter) about your rights relating to the processing of your personal data.
This document should also provide information on what personal data and on what legal basis we process, how we handle it, from what sources we obtain it, for what purposes we use it, to whom we provide it, and where you can obtain information about your personal data that we process.
Bratislava Stock Exchange j.s.c., with its registered seat at Vysoká 17, Bratislava 811 06, Slovak Republic, IČO 00 604 054, registered in the Commercial Register in the section Sa, Insert No. 117/B of the Municipal Court Bratislava IIII (the “BSSE” hereinafter) is the Controller according to the GDPR and the Personal Data Protection Act to which you have provided your personal data or which has obtained your personal data for one or several purposes. BSSE collects your personal data, has it available and is responsible for its proper and lawful processing.
You can exercise your rights towards the Controller in the manner specified below. Should you have any questions with regard to the processing of your personal data, contact the Controller via electronic mail at: email@example.com, by telephone at: +421-2-4923 6102 or contact the data protection officer via electronic mail at: firstname.lastname@example.org or by telephone at: +421-2-4923 6301.
Scope of personal data processing
We only process personal data if necessary for the provision of our services or for the fulfilment of legal duties of BSSE or contractual obligations and commitments, while protecting our legitimate interests.
We primarily collect personal data on investors in financial instruments/clients.
Furthermore, we process data on, for example, the representatives – including the members of statutory bodies and employees – of the capital market entities (primarily BSSE members, issuers whose securities are admitted to trading on the regulated market and/or included on the MTF list, central depositories) and other contractual partners.
We process your personal data, the data on services that you use, the data provided to us within mutual communication and other data so as to comply with the principles of personal data processing pursuant to the GDPR and the Personal Data Protection Act.
We process personal data in the following scope:
· Client identification data (primarily name, surname, title, birth number, ID code, the registration number kept in the central depositories, nationality, the address of permanent residence, the number of capital account kept in the central depositories);
· Transaction data related primarily to transactions in securities and transfers of securities;
· The data related to client identification is stored and processed in structures necessary to fulfil the rights and obligations arising from:
o The Act No 566/2001 (Coll.) on Securities and Investment Services and on Amendments and Supplements to Related Laws (the “Securities Act”) as amended by later legislation, Act No 429/2002 (Coll.) on the Stock Exchange as amended by later legislation;
o The Act No 297/2008 (Coll.) on Prevention of Legalisation of Proceeds from Criminal Activity and Protection Against Financing of Terrorism and on Amendments and Supplements to Related Laws as amended by later legislation;
o Decree of the National Bank of Slovakia No 16/2007 on reporting by the Stock Exchange and the Central Securities Depository for the purposes of financial market supervision as amended later, issued on the basis of the Act No 747/2004 (Coll.) on Financial Market Supervision and on Amendments and Supplements to Related Laws as amended by later legislation;
o Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments and from Regulation (EU) No 600/2014 of the European Parliament and of the Council on markets in financial instruments and from relevant implementing and technical standards (RTS and ITS);
· Contact data of a representative of the contractual partner including contractual partners of BSSE members and issuers, and other descriptive data;
· Data from external sources, especially publicly available registers such as the Business Register (primarily name, surname, address);
· Data from communication with natural persons when receiving and dealing with requests, submissions and suggestions in the extent necessary for their handling;
· Contact data of natural persons/data subjects (especially e-mail address, telephone number) who have given consent to process their personal data.
Purpose and duration of personal data processing
We process your data in the scope necessary for a legitimate purpose – e.g. so that we can report the trade-related data to the supervisory authorities or meet the obligation under the Act No 297/2008 on Prevention of Legalisation of Proceeds from Criminal Activity and Protection Against Financing of Terrorism and on Amendments and Supplements to Related Laws as amended by later legislation. We process certain data because it is necessary in order to protect the rights and legitimate interests of BSSE as well as of third parties, or in order to fulfil the contractual rights and obligations. In other cases, we only process your personal data with your consent.
The purpose of processing includes the following categories:
· Compliance with obligations laid out by binding legislation – the processing of personal data for this purpose is necessary as it is required by separate legislation (e.g. fulfilment of the reporting obligation to the supervisory authorities and public authorities, compliance with the enforcement obligations, compliance with the client identification and inspection obligation and other obligations in the area of prevention of money laundering, inspection and prevention/detection of market abuse, archiving purposes);
· This primarily concerns the following legislation:
The Act No 566/2001 (Coll.) on Securities and Investment Services and on Amendments and Supplements to Related Laws (the “Securities Act”) as amended by later legislation, Act No 429/2002 (Coll.) on the Stock Exchange as amended by later legislation and Act No 297/2008 on Prevention of Legalisation of Proceeds from Criminal Activity and Protection Against Financing of Terrorism and on Amendments and Supplements to Related Laws as amended by later legislation, Act No 442/2012 (Coll.) on International Assistance and Co-operation in Tax Administration as amended by later legislation, Act No 431/2002 (Coll.) on Accounting as amended by later legislation, Regulation (EU) No 596/2014 on market abuse and Directive 2014/57/EU of the European Parliament and of the Council on criminal sanctions for market abuse, Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments, Regulation (EU) No 600/2014 on markets in financial instruments (MIFID 2 and MiFIR) and relevant implementing and technical standards (RTS and ITS), Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield, Act No 222/2004 (Coll.) on Value-Added Tax as amended by later legislation. BSSE processes personal data for this purpose for a period specified by the relevant legislation.
· Performance of a contract – it is necessary to process personal data for proper fulfilment of the rights and obligations arising to the Controller from a contractual relationship. The Controller processes personal data for this purpose for the period of duration of a contract.
· Legitimate interest pursued by the Controller – the processing of personal data in these areas is a legitimate interest of BSSE (e.g. protection of the Controller’s premises, resolution of disputes, administration and recovery of receivables, performance of analyses and assessment of possible risks, software testing) in the extent equal to the purpose of performance of a contract. The Controller processes personal data for this purpose for the period of duration of the contract and until expiration of limitation periods (resulting from a lawsuit caused by a possible breach of the contract), as well as for the period necessary for the archiving purposes pursuant to §78 Section 8 of the Act on Protection of Personal Data.
· Consent given by the data subject to the processing of his/her personal data:
For other purposes (e.g. for marketing activities, etc.)
Provision of personal data with your consent is voluntary in this case.
We require provision of other data, because it is necessary to process it for the performance of a contract, for the fulfilment of our legal obligations or for the protection of our legitimate interests. If you do not provide such data to us, we are unable to provide to you the relevant service or other performance for which your personal data is required.
Source of personal data
Depending on circumstances, we process data that we have obtained from capital market entities, contractual parties, data we have obtained from you upon conclusion of a contract and its performance, data from publicly accessible sources, registers, lists and records (e.g. the Business Register) and data from third parties if required under a separate regulation. In order to meet the requirements of relevant legislation or a contract, the transfer of data may occur. We primarily process the data provided to us by our business partners.
The manner of processing of personal data
BSSE processes personal data by automated means and by non-automated means.
Provision of personal data to third parties
In principle, we process personal data within our company. We provide data to third parties only with your consent or if required by separate legislation (e.g. for settlement of transactions by the central depository, supervision by the National Bank of Slovakia). Your personal data may be processed by our co-operating suppliers if it is necessary to achieve any of the above-mentioned purposes, especially if the external entity has the necessary professionalism and expertise in the given area.
BSSE provides personal data of investors in financial instruments/clients to the supervisory authorities and other entities to whom it is required to do so based on separate legislation – those mainly include state administration, courts, law enforcement agencies, distrainers, notaries, financial administration etc. We are required to provide your data to various state institutions, but always under conditions specified by legal regulations.
BSSE processes personal data via its own employees as the Controller, or via its own suppliers while ensuring technical, organisational and personnel measures that will lead to a high level of protection and security of personal data. If we authorise someone else to perform a certain activity that is part of our services, the supplier may gain access to the relevant personal data. The supplier is entitled to handle data solely for the purposes and to the extent for which it has been contractually appointed by BSSE. In this case your consent is not required for the purposes or performance, because such processing is allowed directly by law. In the event of use of cloud storage, we always ensure a high level of data security.
BSSE’s suppliers are primarily providers of IT services including cloud storage services, entities recovering our claims, advocates, print and postal service providers and auditor.
Rights of the data subject
We process your personal data in a transparent and correct manner, and in compliance with the Personal Data Protection Act and the GDPR. You have the right to access your data, to demand explanation, as well as other rights if you think something is incorrect with the processing. You can also file a complaint with the Office for Personal Data Protection. You can exercise your rights towards BSSE by means of electronic mail at: email@example.com, by telephone at: +421-2-4923 6102 or with the data protection officer via electronic mail at: firstname.lastname@example.org, or by telephone at: +421-2-4923 6302.
Right of access to personal data and right to be informed – You have the right of access to your personal data, in particular to obtain information how your personal data are being processed. This, however, cannot affect the rights of third parties. For recurring requests, we may require a reasonable reimbursement not exceeding the cost necessary to provide information.
Right to rectification of personal data – In the event that your data is incorrect/inaccurate, we will of course correct it. Taking into account the purpose of the processing, you have the right to have incomplete personal data completed.
Right to erasure – You have the right to obtain from the Controller the erasure of your personal data, if the personal data have been unlawfully processed.
Right to object – In the event of a breach of the Controller’s obligations regarding the collection or processing of personal data, you have the right to demand explanation of such actions from the Controller, to demand that the Controller refrain from such actions or demand that the Controller remove the state thus created. Furthermore, you have the right to address your suggestions to the Office for Personal Data Protection.
Other rights – Under the conditions specified in the Personal Data Protection Act and the GDPR, you have the right to limit the processing and the right to data portability (if it is technically feasible).
You can decline the provision of personal data that we ask from you. However, if the provision of such data is legally required, we will be unable to provide the related service to you.
In cases where we require your consent to process your data, you are entitled to withdraw this consent at any time. The withdrawal of consent does not affect the processing of your data for the period for which you have validly given your consent, and neither does it affect the processing of your data for other legal reasons, if applied (e.g. compliance with binding regulation or for the purposes of our legitimate interests).
If you have given your consent for marketing or you have been receiving commercial offers from us for another eligible reason, you can withdraw your consent at any time or unsubscribe from receiving offers in the following ways:
· In person at BSSE’s seat at Vysoká 17, 811 06 Bratislava, Slovak Republic
· In writing by post to the address: Burza cenných papierov v Bratislave, a.s., Vysoká 17, P.O. Box 151, 814 99 Bratislava 1, Slovak Republic or
· By e-mail to: email@example.com.
If you wish to restrict or withdraw your consent to the processing of data for marketing purposes, send us the withdrawal of your consent to: firstname.lastname@example.org. Please note that if you restrict marketing, we may still continue to contact you for maintenance purposes, i.e. we can still use your contact to send service messages and for purposes other than marketing.
Monitoring by CCTV
BSSE operates a camera system (CCTV) with the recording function. BSSE is entitled – for the purposes of legitimate interest such as: protection of BSSE’s and its employees’ property, assuring the safety of employees and other persons, criminality detection and control of access – to monitor its premises and adjoining premises that BSSE exclusively uses by means of CCTV. BSSE retains the recordings for a period of 14 days.
Personal data will be provided to recipients: a private security service, an entity providing technical support for the system. Personal data may be provided to public authorities under separate legislation. Personal data is not provided to third countries.
No automated decision-making or profiling occurs during the processing of personal data.