Privacy statement.

This Privacy Statement is provided pursuant to S. 5(2)(as of Act No. 110/2019 Coll., which makes provision with respect to personal data protection, as amended, and with effect from 25/5/2018 pursuant to Article 6(1)(c) of Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1. ABOUT EXACTLY

Exactly (hereinafter also referred to as the "Data Controller") means OrangeTrust s.r.o., registered office in Spálená 97/29, Praha - Nové Město, PSČ 110 00, Czech Republic, company registration number: 05422248.

Terms such as "we", "us", "our", "ours", etc., that may be used in the Privacy Statement also have the same meaning. OrangeTrust s.r.o. is a small electronic money institution that issues Electronic Money within the meaning of S. 4 of Czech Act No. 370/2017 Coll., which makes provision with respect to the payment system, and operates the Exactly Payment System.

This Privacy Statement (hereinafter referred to as the "Privacy Policy") governs the way we process personal data and ensure its protection in the Exactly Payment System. We are bound by Czech Act No. 110/2019 Coll., which makes provision with respect to personal data protection, as amended (hereinafter referred to as the "Personal Data Protection Act"), and with effect from 25/5/2018 by Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR").

Pursuant to S. 2(1)(b)(5) of Act No. 253/2008 Coll., which makes provision with respect to selected measures against the legalization of proceeds of crime and financing of terrorism (hereinafter referred to as the "AML Act"), OrangeTrust s.r.o. is a legally obliged entity.

Pursuant to S. 7 and S. 8 of the AML Act OrangeTrust s.r.o. as an obliged entity has a legal duty to perform the identification of its clients to the extent of personal data stated hereinafter in order to prevent the misuse of the financial system for the legalization of proceeds of crime and financing of terrorism and also perform due diligence of clients in cases stipulated by the law pursuant to S. 9 of the AML Act.

2. TYPES OF PROCESSED DATA

Within the meaning of Act No. 110/2019 Coll., which makes provision with respect to personal data protection, as amended (hereinafter referred to as the "Personal Data Protection Act"), and with effect from 25/5/2018 within the meaning of the GDPR we are entitled to process your personal data (hereinafter referred to as the "Personal Data") to the following extent:

  • Name, surname, title, birth code or date of birth, place of birth, sex;
  • Permanent residence or other residence and citizenship, phone number, e-mail address;
  • Copies of identification documents proving identity;
  • For natural persons doing business: registered business name, place of business and the person’s identification number
  • Bank account number
  • Data about implemented and cancelled payment transactions;
  • Data about credit, debit or other payment card including PAN, expiry date
  • Information obtained from Exactly questionnaires or similar forms
  • IP address
  • Data about visits to our website, in particular operational data

For the purpose of fulfilling statutory duties of a Data Controller pursuant to S. 9 of the AML Act.

  • The period of the processing of personal data is 10 years from doing business or from terminating the business relationship between you and the Data Controller (whichever is the later). You agree to the fact that as a data subject you cannot withdraw this consent.
  • The Data Controller is entitled to provide the data to competent state authorities upon request and you agree to it
  • In the case of a breach of personal data security is likely to result in a high risk to the rights of the data subject, the Data Controller shall notify all data subjects of this breach without delay.
3. DATA SUBJECT RIGHTS

3.1. Data subject may request information about the processing of its personal data, pursuant to S. 12 of the Personal Data Protection Act the Data Controller is obliged to provide this information without delay. The Data Controller’s duty to provide information to the data subject governed by S. 12 of the Personal Data Protection Act.

3.2.

Pursuant to S. 21 of the Personal Data Protection Act, each data subject who has a fair reason to believe that the Data Controller or the processor processes its personal data that is contrary to the protection of private and personal life of data subjects or contrary to law, in particular if personal data is inaccurate, having regard to the purposes for which they are processed, has a right to:

1. ask the Data Controller or the processor for clarification;

2. ask that the Data Controller or the processor to indemnify, by:

  • blocking
  • rectification
  • completion or erasure of personal data

3.3. If consequential damages have occurred as a result of the processing of the data subject’s personal data, the claim shall be enforced pursuant to special legislation.

3.4. If a breach of statutory duties occurred when personal data was processed by the Data Controller or by the processor, they shall be jointly and severally liable for the breach.

3.5. The contact details of the Data Controller’s representative in charge of personal data protection are as follows: a) Ms. Elizaveta, e-mail: elizaveta.k@exactly.com, +420773062208

4. FINAL PROVISIONS

4.1. By continuing to use the functionalities of the Exactly Payment System you express your free, specific, informed and unequivocal will that you agree to the processing of your personal data pursuant to the Privacy Policy and that you have been duly acquainted with, and informed about, the processing of your personal data.

4.2. We are entitled to unilaterally amend the Privacy Policy pursuant to valid legislation and you agree to this entitlement.

4.3. If we amend the Privacy Policy, we are obliged to notify you of this change in advance by e-mail containing a link to the new Privacy Policy from where you may print it or download it in electronic form.

4.4. The Privacy Policy is issued in electronic form and is available on OrangeTrust s.r.o. website.

4.5. The Privacy Policy comes into effect as of March 25th of May, 2018.

v. 1.0