Under Articles 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter as „Regulation“) and under the Law on the personal data protection and on amendments to certain laws No. 18/2018 (hereinafter as „Law“)
(hereinafter as „GDPR“)
1. The controller:
- Merchant Payment Acquiring Services, s.r.o., registered office: Mlynské Nivy 56, 821 05 Bratislava – Ružinov, Registration No.: 46 857 559, registered in the Business Register of the District Court Bratislava I, Section Sro, Insert No.: 85316/B
2. The data protection officer:
- Not designated
3. The purposes of the processing:
A. Marketing communication, product and service offerings, etc.
B. The performance of a contract to which the data subject is party
- operations relating to the identification of a contracting party,
- operations relating to the conclusion, recording, management of contracts and performance of contractual obligations,
- complaint handling, satisfaction survey, product and service offerings
- the processing of personal data for the purposes of accounting and the fulfillment of tax and other statutory obligations
- statistical data processing
- the processing of personal data in relation to the fulfillment of obligations under specific laws
C. The protection of the legitimate interests of the controller in relation to the performance of contractual obligations
- management of the agenda of extrajudicial debt recovery, active litigation and passive litigation
4. The legal basis for the processing:
- for the purpose 3.A. – on the basis of the consent of the data subject,
- for the purpose 3.B. – the Article 6 (1) (b) – necessary for the performance of a contract, the Commercial Code of the Slovak Republic, the Civil Code of the Slovak Republic,
- for the purpose 3.C. – the Article 6 (1) (f) – the legitimate interests pursued by the controller
5. The recipients/categories of recipients to whom personal data may be provided
- persons cooperating with the controller to provide services within the scope of his business,
- providers of financial services,
- providers of payment services,
- providers of telecommunication services,
- providers of technical, support and IT services,
- public authorities, courts,
- other persons who may process personal data under a specific agreement with the controller.
6. Transfer of personal data:
- the personal data will not be transferred to a non-EU (EEC) third country.
7. The period for which the personal data will be stored:
- for the purpose 3.A. during the period for which consent was granted, maximum period of 10 years,
- for the purposes 3.B. and 3.C. during the period necessary to perform the obligations under the contract and during the period needed to protect the legitimate interests of the controller, maximum period of 10 years.
8. Information about the type of personal data and about the categories of personal data processed:
The controller processes the personal data necessary for the fulfillment of his obligations and the protection of legitimate interests, mostly within the range of title, name and surname, date of birth, personal number, registration number and other identification data, data about registration in relevant register, residence, registered office, communication data (telephone number, e-mail address, postal address), localization data, online identifiers, payment data including the data needed to process payments via the internet etc.
9. Rights of the data subject:
The data subject shall have:
a) the right of access to the processed personal data and the right to obtain confirmation of processed personal data – the right to obtain confirmation as to whether or not personal data are being processed, information about the purposes, about the categories of personal data, about the recipients/categories of recipients to whom the personal data have been/will be disclosed, where possible, the envisaged period for which the personal data will be stored, the criteria used to determine that period, the right to rectification, the right to erasure of the personal data, the right to restriction of processing, the right to object, the right to lodge a complaint with a supervisory authority, information about the existence of automated decision-making, including profiling. The controller shall provide a copy of the personal data undergoing processing; any further copy for a reasonable fee. The information shall be provided in an electronic form, unless otherwise requested by the data subject.
b) The right to rectification of incorrect and/or out-of-date personal data and the right to complete the incomplete personal data,
c) The right to erasure of personal data under the Article 17 of the Regulation - the data subject shall have the right to obtain the erasure of personal data and the controller shall accept it, if the personal data are no longer necessary in relation to the purpose(s) for which they were collected, if the data subject withdraws consent and where there is no other legal ground for the processing, if the data subject objects to the processing and there are no overriding legitimate grounds for the processing, if the personal data have been unlawfully processed, for compliance with a legal obligation under the Union and/or Slovak Republic law, if the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the Regulation. Where the controller has made the personal data public, the controller shall take reasonable steps to inform other controllers that the data subject has requested the erasure of his/her personal data. The provisions on erasure shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information,
- for compliance with a legal obligation under the Union or Slovak Republic law,
- for reasons of public interest in the area of public health,
- for archiving purposes in the public interest, scientific, historical research purposes, statistical purposes,
- for the establishment, exercise or defence of legal claims.
d) The right to restriction of processing under the Article 18 of the Regulation – the data subject shall have the right to restriction of processing, if the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data, if the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, if the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, if the data subject has objected to processing pursuant to Article 21 (1) pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a member state. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
e) The right to receive the personal data concerning him or her which he or she has provided to a controller under the Article 20 of the Regulation – the personal data provided to the controller can be transmitted to another controller in a structured, commonly used and machine-readable format, if the processing is based on consent or on performance of a contract, the processing is carried out by automated means even directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.
f) The right to object to processing of personal data under the Article 21 of the Regulation – the data subject shall have the right to object at any time to processing of personal data for the purposes of the legitimate interests pursued by the controller and also to object to profiling based on those provisions. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data for such purpose. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
g) The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, the decision is authorised by Union or Slovak Republic law, the decision is based on the data subject’s explicit consent,
h) The right to withdraw consent – where the processing is based on the consent of the data subject, the data subject shall have the right to withdraw this consent at any time
i) The right to lodge a complaint with the Office for Personal Data Protection.
10. Information about the nature of the consent of the data subject:
Providing a consent may be a voluntary contractual requirement, the data subject provides his/her personal data on the basis of his/her free choice, taking into account the content of personal data and the related purpose, the provision of personal data may be necessary for the conclusion of a contract. By using the website of the controller, by filling in personal data into the forms at the website of the controller or by any other way of providing personal data in a recordable form, the data subject provides consent to the use of personal data by the controller.
11. Profiling and pseudonymisation:
To fulfill his obligations and to protect legitimate interests, the controller may carry out the automated processing of personal data and process the personal data in such a way that the personal data cannot be attributed to the particular data subject without the use of separately stored additional information, all this also for purpose of producing statistics, reports, statements, recommendations and procedures.
12. The source of personal data:
Personal data are obtained exclusively in accordance with relevant legislation, in particular by providing personal data by the data subject, by obtaining personal data by persons cooperating with the controller under a specific contract, by obtaining personal data from publicly available sources and registers or from registers with access for specific categories of persons.