PERSONAL DATA PROTECTION INFORMATION

SKPAY, a. s. (JSC)

25 May 2018

Personal data means shall mean any information relating to an identified or identifiable natural person, while such person is one who can be identified, directly or indirectly, in particular by reference to an identifier of general application or by reference to one or more characteristics or factors specific to his physical, physiological, psychic, mental, genetic, economic, cultural or social identity. Any natural person whose personal data are processed shall be deemed to be the Data Subject within the meaning of the Regulation and the PPDA.

Clients' personal data are processed in information systems operated by SKPAY, a. s. (JSC), with its registered office at Nám. SNP Square 35, 811 01 Bratislava, Reg. No. (IČO): 46 552 723, registered in the Commercial Register of the District Court Bratislava I, Section: Sa, Insertion no.: 5488B [hereinafter: "SKPAY"] or the joint operators of which are members of the Poštova banka, a. s. Group [hereinafter: the "Bank Group"]. The members of the Group are provided on the website www.postovabanka.sk/nase-spolocnosti and in this document [hereinafter: the "Group Members"].

The protection of clients' personal data is important for SKPAY, therefore when processing the data SKPAY shall comply with new rules for their protection as defined by Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [hereinafter: the "Regulation"] and Act No. 18/2018 Coll. on Protection of Personal Data and on Changing and Amending of certain acts [hereinafter: the "PPDA"]. This Information on Personal Data Processing corresponds to the legal status in the Slovak Republic as of the date of the start of application of the Regulation or entry into force of the PPDA, i.e. as of 25 May 2018, and it also includes the new rights of the Data Subjects under the new legislation.

The person in charge of supervising personal data protection in SKPAY is the Data Protection Officer. If you have questions about personal data processing or other questions about personal data, you can contact the Data Protection Officer via e-mail at the address zodpovedna.osoba@skpay.sk or in writing by letter sent to the address SKPAY, a. s., Zodpovedná osoba, Nám. SNP 35, 811 01 Bratislava. In the case of exercising rights in the area of personal data protection in electronic form, the client is obliged to send the submission in paper form within 3 business days to the address specified above. SKPAY is entitled to verify the client's identity in case of doubts.

LEGAL BASIS OF PERSONAL DATA PROCESSING
The Regulation and the PPDA allow the processing of personal data if:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes,
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
• Processing of personal data is necessary according to a special regulation or an international treaty binding on the Slovak Republic,
• Processing of personal data is necessary for the protection of life, health or property of the Data Subject or another natural person,
• Processing of personal data is necessary for fulfilment of an important task carried out in the public interest or in the exercise of official authority vested in the controller, or
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the Data Subject is a child; this legal basis shall not apply to the processing of personal data carried out by public authorities in the performance of their tasks.

The legal basis for the processing of personal data in SKPAY is primarily

• Legislation in force:
• Act No. 492/2009 on payment services and amending certain laws [hereinafter: the "PSA"],
• Act No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing and on Amendments and Supplements to Certain Acts as amended,
• Act No. 395/2002 Coll. on archives and registries and on amendments to certain acts, as amended,
• Act No. 351/2011 Coll. on electronic communication [hereinafter: the "ECA"]
• PPDA,
• Regulation.
• A product or service provision contract concluded between the client and SKPAY;
• Legitimate interest of SKPAY or a third party;
• Consent of the Data Subject if provided by him or her. The client may withdraw the consent to the processing of personal data at any time;
• Performance of obligations arising from an international or bilateral agreement by which the Slovak Republic is bound [FATCA].

As a Data Subject, under the PSA, you are obliged to provide SKPAY and allow personal data to be obtained by copying, scanning or other recording as well as other data required by SKPAY. SKPAY is obliged to reject the conclusion of a product or service provision contract while keeping the client's anonymity.

Processing of persona data without consent is possible in the following cases

• Processing is based on the legitimate interests or according to special legal regulations;
• Subject of the processing is constituted solely by the title, name, surname and address of the Data subject without a possibility of adding his other personal data and they are used solely for the needs concerning the mail correspondence with the Data subject and the keeping of records of such data;
• Processed personal data have already been disclosed.

LEGITIMATE INTERESTS
A legitimate interest is a justifiable and relevant interest beyond the scope of the established legal bases under which personal data are processed. A legitimate interest is not where the interests or rights of the Data Subject override those interests. The legitimate interest may not be contrary to the legislation concerning personal data protection or other generally binding legal regulations. If a controller's interest is considered justified, the Data Subject's personal data may be processed, provided that its rights and interests override the fundamental rights, freedoms and legitimate interests of the Data Subjects. SKPAY always checks whether the interest is genuinely legitimate and then assesses whether the legitimate interest overrides the rights and freedoms of the Data Subject. The Data Subject shall be entitled to object with the Data Protection Officer to such processing of personal data and apply for the deletion of personal data. After such an objection, the controller must carry out an individual assessment whether its legitimate interest actually overrides the fundamental rights and freedoms of the Data Subject who made the objection.

Legitimate interests of SKPAY include mainly:

1. Protecting SKPAY’s assets,
2. Protecting the safety of SKPAY‘s employees and clients,
3. Prudent business of SKPAY,
4. Preventing and detecting financial crime,
5. Exchanging the personal data contained in an application within the Bank Group for internal administrative purposes [this includes joint client service],

JOINT CONTROLLERS
Joint controllers of information systems are the controlling undertaking [Poštová banka, a. s.] and the Group Members within the Bank Group. The Group includes the following companies:

• Poštová banka, a. s., Reg. No. (IČO): 31 340 890, with its registered office at Dvořákovo nábrežie 4, 811 02 Bratislava [controlling undertaking],
• Poštová poisťovňa, a. s., Reg. No. (IČO): 31 405 410, with its registered office at Dvořákovo nábrežie 4, 811 02 Bratislava,
• PRVÁ PENZIJNÁ SPRÁVCOVSKÁ SPOLOČNOSŤ POŠTOVEJ BANKY, správ. spol., a. s., Reg. No. (IČO): 31 621 317, with its registered office at Dvořákovo nábrežie 4,811 02 Bratislava,
#/
• Dôchodková správcovská spoločnosť Poštovej banky, d.s.s., a. s., Reg. No. (IČO): 35 904 305, with its registered office at Dvořákovo nábrežie 4, 811 02 Bratislava,
• PB Finančné služby, a. s., Reg. No. (IČO): 35 817 453, with its registered office at Hattalova 12, 831 03 Bratislava,
• 365.fintech, a. s., Reg. No. (IČO): 51 301 547, with its registered office at Dvořákovo nábrežie 4, 811 02 Bratislava - town section Staré Mesto (Old Town), and
• SKPAY a. s., Reg. No. (IČO): 46 552 723, with its registered office at Nám. SNP Square 35, 811 01 Bratislava.

Together with other members of the Bank Group, information systems have been developed in which the personal data of clients are processed for marketing purposes [IS Marketing of the Group] and profiling [IS Profiling]. A typical example is monitoring the behaviour of website visitors in order to track their preferences so that the Group Member can contact them with a tailor-made offer in the future. If the client gives the Bank Group such marketing and profiling consent, the client may be informed of the Group's product and service offers, competitions, events and campaigns, either through direct marketing or marketing research and satisfaction surveys.

PURPOSE OF PERSONAL DATA PROCESSING
The purpose of personal data processing is, in particular, the identification, verification and control of the identification of clients and their representatives, the conclusion and execution of transactions between SKPAY and clients, the protection and enforcement of rights towards clients, the documentation of SKPAY activities, the provision of activities subject to supervision of financial institutions and their activities. Other purposes of personal data processing include:

• Performance of obligations arising from Act No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing,
• Marketing and related profiling [marketing contacting and campaigns within Bank Group],
• Risk assessment and compliance with prudential principles,
• Ensuring the activities of SKPAY with respect to the performance of obligations arising from the concluded contractual relations in accordance with the provisions of the PSA and other special laws regulating the activities of individual members, especially in the recovery of claims, etc.,
• Other purposes specified in the contractual documentation between the Client and SKPAY or the Group Member or in the documents governing the pre-contractual relationship,
• Protection of the rights and legally protected interests of SKPAY or a third party in the protection of property, financial or other interests and to ensure security.

SCOPE OF PROCESSED PERSONAL DATA
In its activities, SKPAY processes the personal data of Data Subjects and the information covered by the obligation of secrecy according to the PSA in the same way as the bank secret concerning the clients. The scope, or list of personal data processed is determined by legal regulations or is specified in the contract or application for the conclusion of a contract between SKPAY and the Data Subject or is specified in the consent to personal data processing. We process personal data only to the extent necessary. We collect personal data by copying, scanning, or otherwise recording from client and other person's identity documents and making copies thereof, or otherwise in accordance with the PSA.

In particular, when providing products and services, we process the following categories of personal data:

Identity data and contact details: In particular, the title, first name, surname, permanent address, temporary address, correspondence address, birth number, date of birth, place of birth, nationality, type and number of identity document, validity of identity document, contact telephone number, fax number and e-mail address, photograph of the Data Subject, scans and copies of identity documents, record of limitation of legal competence, type and number of identity document, issuing authority, date of issue, validity of the document, other data from identity documents In the case of a natural person - entrepreneur, we also process the address of the place of business, the official register or another official record in which the person is registered and the registration number in that register or record, the contact telephone number and e-mail address;

Transaction data: In particular, details of transactions, products and services provided, details of incoming and outgoing payments, details of the payee, data obtained during the establishment and use of the products and services of individual members of the Bank Group;

Cookies: For website optimization in terms of system performance, usability and provision of useful information about our products and services, we process information from log files on your computer [hereinafter: "cookies"), including, e.g., the user behaviour, activity within the active page elements, connection and computer data, in particular, the IP address, browser type and settings, operating system, and other parameters related to the computer operating system. We use this information for effective website management to learn more about our users’ behaviour on the website, to analyse trends and collect demographic data about our users as a whole, for the purpose of fraud prevention, e.g. investigating security incidents. The issue of cookies is dealt with in the next section of this document.

PERSONAL DATA RECIPIENTS
The personal data of the client and the Data Subjects shall be made available or provided only to third parties or recipients, if it is allowed by:

• The Regulation,
• The PPDA,
• Another generally binding legal regulation, a directly enforceable legal act of the European Union or an international treaty by which the Slovak Republic is bound,
• If disclosure or provision is contractually agreed between SKPAY and the client,
• The client has given consent for such acting,
• If the disclosure or provision is necessary for the performance of a contract concluded with the client.

In accordance with applicable legal regulations, the personal data of our clients may be provided on the basis of a written request from a public authority, even without the client's prior consent. Such authorities include, in particular, courts, public notaries, law enforcement authorities, tax authorities, customs authorities, tax administration, financial control administration, court distrainers, the Slovak Chamber of Court Distrainers, the Criminal or Financial Police Service, the Ministry of Finance, administrators, the National Security Authority, the Slovak Information Service, the Military Intelligence, the Police Force, the Office for Personal Data Protection of the Slovak Republic [hereinafter: the "Office"], the Supreme Audit Office, the Judicial Treasury and other state bodies, state administration bodies, natural and legal persons that are authorized by the relevant law.
Client's personal data may only be made available to members of the Bank Group if there is a legal basis for such acting. In its activity, SKPAY also uses the services of contractual partners. In some cases, this activity involves the processing of personal data. In particular, in includes the development, management, support and maintenance of systems and applications used to provide services and products to our clients. SKPAY takes care to consistently select contractual partners; assesses their reliability according to the PPDA and the Regulation. For the contractual relationship, SKPAY has the rules of personal data protection in place. Entities processing personal data for and on behalf of SKPAY have a contract for the processing of personal data concluded according to the PPDA. Our processors are provided in the Individual Business Terms and Conditions or on the website www.skpay.sk.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND METHODS OF SECURITY
No personal data of clients are transferred to third countries that do not guarantee adequate protection of personal data. If we transfer personal data to third countries that do not guarantee an adequate level of protection, we undertake to comply with the Regulation, the PPDA, the PSA as well as other generally binding legal regulations.

RETENTION PERIODS AND DETERMINATION METHODS
The period for the processing and storage of personal data relating to the client is stipulated in the applicable legal regulations, the SKPAY’s registry administration rules or in the consent of the client to personal data processing. We keep personal data during the term of the contract so that we can provide you with our services. The general retention period of the personal data relating to the client is set at 10 years after the termination of the legal relationship between the controller and the Data Subject for the purpose of performing all legal obligations. Personal data for which the right to process and store them has terminated [this is also the withdrawal of the consent to the processing of personal data], shall be deleted.

RIGHTS OF THE DATA SUBJECT
The rights of the Data Subjects stipulated in Art. 12 et seq. of the Regulation and in Art. 12 et seq. of the Regulation and in Article 19 et seq. of the PPDA include rights to information or notification of:

1. The identification data and contact details of the controller and the controller's representative, if authorized,
2. Contact details of the Data Protection Officer,
3. Purpose of the personal data processing for which the personal data are intended,
4. Legal basis for the processing of personal data,
5. Legitimate interests of the controller or of a third party where the processing of personal data is necessary for the purpose of the legitimate interests of the controller or third party,
6. Recipient's or recipient's category identification,
7. That the controller intends to transfer personal data to a third country or international organization, the identification of the third country or international organization, the existence or absence of a European Commission decision on adequacy, or a reference to appropriate safeguards or suitable safeguards and means for obtaining a copy thereof or information on where they made available,
8. Storage period of personal data; if this is not possible, then information on the criteria for its determination,
9. The right to demand from the controller access to personal data relating to the Data Subject, the right to object to the processing of personal data and the right to portability of personal data,
10. The right to withdraw his or her consent at any time,
11. The right to contact the Office and to file a motion to initiate proceedings for infringement of his or her rights under the PPDA and the Regulation,
12. Whether the provision of personal data is a legal requirement or a contractual requirement or a requirement necessary to conclude a contract and whether the Data subject is obliged to provide personal data as well as the possible consequences of not providing personal data,
13. The existence of automated individual decision-making, including profiling; in such cases, the controller shall provide the Data Subject with information on the procedure used, as well as the significance and implied consequences of such personal data processing for the Data Subject.
14. Other purposes of the processing and other relevant information referred to above if the controller intends to further process the personal data for a purpose other than that for which they were obtained,
15. The right to obtain confirmation from the controller that personal data concerning him or her are being processed. If the controller processes such personal data, the data subject shall have the right to access such personal data,
16. The right to require the controller to correct personal data relating to the Data Subject, to delete them or to limit their processing, or the right to object to the processing of personal data,
17. The source of personal data where personal data have not been obtained from the Data Subject,
18. Appropriate safeguards related to the transmission of personal data to third countries or an international organization.
19. Correction of personal data, deletion of personal data or limitation of the processing of personal data,
20. The right to obtain personal data relating to him or her which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and has the right to transmit such personal data to another controller, where technically feasible,
21. The right to object to the processing of his or her personal data on grounds relating to his or her particular situation, including profiling. The controller may not further process personal data unless it demonstrates the necessary legitimate interests in the processing of personal data that override the rights or interests of the Data Subject or the reasons for exercising legal claims,
22. The right to object to the processing of personal data relating him or her for the purpose of direct marketing, including profiling, insofar as it relates to direct marketing. If the Data Subject objects to the processing of personal data for the purpose of direct marketing, the controller may not process personal data for the purpose of direct marketing,
23. The right to that a decision does not apply to him or her which is based only on automated processing of personal data including profiling and which has legal effects related to or similarly significantly affecting him or her,
24. Controller's obligations to notify the Data subject without undue delay of the personal data breach if such personal data breach may lead to a high risk to the rights of a natural person.

The Data Subject may exercise his or her rights as follows:

• In writing and it must follow from the content of the application that the Data Subject exercises his or her right. The application submitted by e-mail or fax must also be delivered in writing within three days of its dispatch at the latest,
• With the processor in a manner as provided above, whereas the processor is obliged to submit the application or to hand it over to the controller without undue delay.

Any Data Subject’s application shall be handled by SKPAY in a period of 30 days of the receipt of a written application. In some specific cases, taking into account the complexity and number of applications, a longer period may be needed to examine the application. Such applications shall be handled by SKPAY in a period of 60 days of the receipt of a written application, whereas the Data Subject shall be informed in writing of the longer period and its reasons, within 30 days of delivery of the application. The Data Subject also has the right to contact the Office directly with his submission [https://dataprotection.gov.sk/uoou/ ].

PROCESSING OF PERSONAL DATA THROUGH "COOKIES"
On the basis of Article 55 par. 5 of the ECA, SKPAY use cookie files on the websites operated by them. Cookies allow us to customize the functioning of the website to user preferences. Thanks to cookies it is possible to analyse the most frequently visited websites and user behaviour. Cookies allow the monitoring of the effectiveness of advertisements and adjust the focus to a specific group of Clients/Users. Thanks to cookies, SKPAY is able to improve the websites so that their use is even easier and more convenient. Cookies are small text files sent and stored on your device [computer or another Internet access device] that you use to view the websites. Cookies do not harm your device when you view the website. Cookies are used to optimally create and continually improve SKPAY’s services, tailor them to your interests and needs, and improve their structure and content. Internet browsers are as a rule pre-set to automatically accept cookies. SKPAY does not use automatic data acceptance due to the fact that personal data may also be processed here. The SKPAY‘s websites will ask you explicitly during your visit whether you agree to the use of cookies and give you the opportunity to withdraw your consent at any time. On the basis of the ECA, SKPAY is entitled to collect data on connection and computer data about the user of its website, in particular the IP address, the type and settings of the browser, operating system and other parameters related to the user's computer operating system.

SECURITY MEASURES
For the purpose of protecting the personal data of our clients, SKPAY implements several security measures. These measures are equally applicable to information collection, storage, processing and disposal processes and aim to protect clients' personal data from damage, destruction, loss, alteration, unauthorized access and disclosure, provision or publication, as well as from any other inadmissible way processing. Personal data security is ensured by the technical, organizational and personnel measures that correspond to the way personal data are processed. Personal data are processed using manual as well as automated data processing means, within SKPAY‘s information systems, and information systems used within the Bank Group. Personal data are secured and protected according to the applicable security standards and personal data protection regulations. The processing of personal data is subject to strict security rules in order to maximize the protection of personal data during their processing and transmission. The right to process personal data results for the employees of SKPAY as authorised persons from the employment relationship as well as from generally binding legal regulations. An authorised person shall mean each natural person who comes into contact with personal data within his / her employment relationship, on the basis of authorization, election or appointment and who processes personal data in the scope and in a manner specified in generally binding legal regulations and internal regulations of SKPAY. By adopting security measures, SKPAY prevents unauthorised persons from having unauthorized access to the personal data being processed, handling the personal data using equipment designed for personal data processing or the protection of such data, and handling the personal data carriers, and ensures access to personal data for authorised persons to the extent necessary to perform their duties or tasks.