PRINCIPLES OF PERSONAL DATA PROCESSING AND CLIENT PRIVACY

COMPANY Malcom Finance (4Trans Factoring s.r.o.)

(“DATA PROCESSING POLICY”)

 

The controller of personal data pursuant to Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: “GDPR”) is 4Trans Factoring s.r.o., ID No. 06760881, with registered office at Karmelitská 379/18, Prague 1, 118 00 (hereinafter: “Controller”).

The Controller is aware of its legal obligations in processing the Data of its Clients and of the responsibilities imposed on it in this context by Czech and EU legislation. This Policy provides a basic framework for how and under what conditions Client Data is handled, how the processing of Data is carried out, and whom to contact in fulfilling obligations under the OOU Act, the GDPR and this DATA PROCESSING POLICY.

The contact details of the Data Controller are:

Address: Karmelitská 379/18, Prague 1, 118 00

email: podpora@malcom.app

 

Supervisory authority:

The supervisory authority is the Office for Personal Data Protection

Registered office: Pplk. Sochora 27, 170 00, Prague 7

Contact e-mail: posta@uoou.cz

Phone number: 234 665 125

 

1. Definitions

Personal data (“Personal Data” or “Data”) = any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This means that personal information includes information such as email, address, phone number, username, profile pictures, personal preferences, user-generated content, and information relating to physical characteristics. It may also include unique numeric identifiers such as the IP address of the user’s computer or the MAC address of the device, and cookies.

Genetic Data = Personal data relating to inherited or acquired genetic characteristics of an individual that provide unique information about the individual’s physiology or health and that result, in particular, from the analysis of a biological sample of the individual concerned.

Biometric data = personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which permits or confirms unique identification, such as a facial representation, a dynamically recorded handwritten signature or dactyloscopic data.

Health data = Personal data relating to the physical or mental health of an individual, including data about the provision of health services, that are indicative of the individual’s health.

Anonymous data = data which, either in its original form or after processing, cannot be linked to an identified or identifiable data subject.

Pseudonymised data = data which has been processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organisational measures to ensure that it is not attributed to an identified or identifiable natural person.

Data subject = the natural person to whom the personal data relate. A natural person is also considered to be a person carrying on a business on the basis of a trade or other authorisation.

Controller = the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, that law may determine the controller concerned or the specific criteria for determining it.

Processor/Recipient = a natural or legal person, public authority, agency or other body which processes personal data for the Controller and which is listed in the List of External Processors.

Processing of personal data = any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

Personal Data Breach = a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent of the data subject = any free, specific, informed and unambiguous expression of will by which the data subject gives his or her consent to the processing of his or her personal data by declaration or other manifest affirmation.

Authority = Office for Personal Data Protection, located at Pplk. Sochora 29, Prague 7, Postal Code 170 00, www.uoou.cz

GDPR = REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

OOU Act = Act No. 101/2000 Coll., on the protection of personal data, as amended.

NSIS Act = Act No. 480/2004 Coll., on certain information society services, as amended.

Client = a natural or legal person who has been approached or has approached 4Trans Factoring s.r.o. for the purpose of sending an offer of services, request for services, conclusion of a contract or has already concluded such a contract.


2. LEGAL FRAMEWORK, PRINCIPLES OF PERSONAL DATA PROCESSING

The basic legal framework for the processing of personal data consists of the GDPR, the OOU Act, the NSIS Act and other related legislation.

The basic principle of the processing of Data is that it is processed in a fair, lawful and transparent manner in relation to the data subject (“lawfulness, fairness and transparency”). Data is collected for specific, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is possible (“purpose limitation”).

The data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed (“data minimisation”); accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay (“accuracy”).

The data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for a longer period if they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that appropriate technical and organisational measures are implemented and complied with in order to safeguard the rights and freedoms of the data subject (“storage limitation”).

The data must be processed in a manner that ensures appropriate security of the personal data, including protection by appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality”).

As a Data Controller, we take appropriate measures to provide the data subject with all information relating to the acquisition, processing, erasure and security of personal data in a concise, transparent, comprehensible and easily accessible manner, using clear and plain language. As a Data Controller, we must comply with these obligations, which we do, among other things, through this DATA PROCESSING POLICY.

 

3. HOW AND WHAT CLIENT DATA WE COLLECT AND HOW WE USE IT

4Trans Factoring s.r.o. may collect or obtain Data through our website, forms, applications, electronic or telephone contact, face-to-face meetings or otherwise. Sometimes it is provided to 4Trans Factoring s.r.o. directly by the Client, such as when you create a user account on our site or when you contact us by phone, email or in person. Sometimes we collect it ourselves as Controller, such as through the use of cookies to determine how you use our site or applications. Sometimes we collect it from others, such as from cooperating entities.

Automated decision-making, including profiling, may be used by the Controller when sending or displaying personalised communications or content. Profiling is any form of automated processing of Data consisting of using it to assess certain personal aspects relating to an individual, in particular to analyse or estimate aspects relating to their personal preferences, interests, economic situation, behaviour, location, health, reliability or movement. This means that the Data may be collected by the Controller in different situations. This Data may be centralised and analysed by the Controller in order to assess and estimate the Client’s personal preferences and interests. Based on such analysis, the Controller then sends or displays communications and/or content tailored to the interests and needs of the Client. Subject to certain conditions, the Client has the right to object to the use of the Data for profiling purposes.

 

The Data is collected by the Controller:

– for the legal reason set out in Article 6(1)(b) of the GDPR, i.e. because the processing is necessary for the performance of a contract to which the Client, as the data subject, is a party, or for the implementation of measures taken prior to the conclusion of the contract at the request of the Client. The Data is provided on a mandatory basis, and the purpose of processing this Data is the conclusion and performance of the contractual relationship and related actions (communication with the Client regarding the services offered, etc.). The source of the Data is the Client or a person authorised by the Client. If the Data is not provided by the Client, the contract cannot be concluded with him/her, nor can negotiations be held for the purpose of concluding a contract, nor can the service requested by the Client be provided (e.g. sending specific information on the service, arranging an appointment, concluding a contract with the Controller) (hereinafter referred to as “Performance of the Contract”).

 

– for the legal reason set out in Article 6(1)(f) of the GDPR, i.e. because the processing is necessary for the purposes of the legitimate interests of the Controller in order for the Controller to send the Client marketing commercial communications (“OS”): newsletter, targeted advertising, personalised recommendations, etc. The Data is provided voluntarily on the basis of the Client’s consent. The source of the Data is the Client or a person authorised by the Client. If the Client does not provide the Data, the Client cannot receive commercial communications (newsletter) and cannot use the Controller’s websites and applications properly (hereinafter referred to as “OS and cookie consent”).

 

– for the legal reason set out in Article 6(1)(c) of the GDPR, i.e. because the processing is necessary for the fulfilment of the legal obligation of the Controller to comply with legal requirements under specific legislation (e.g. Act No. 253/2008 Coll. on certain measures against the legalisation of the proceeds of crime and terrorist financing, etc.). The source of the Data is the Client or a person authorised by the Client. If the Client does not provide the Data, no contract can be concluded with the Client or negotiated for the purpose of concluding a contract, nor can the service requested by the Client be provided (e.g. sending specific information, arranging a meeting, concluding a contract with the Controller, etc.) (hereinafter referred to as the “Legal Obligation”).

 

– for the legal reason set out in Article 6(1)(f) of the GDPR, i.e. because the processing is necessary for the purposes of the legitimate interests of the Controller: to enable the Controller to ensure the security of its platforms and services against abuse, to better understand the Client and ensure the proper functioning of its websites and applications, to ensure the fulfilment of the Controller’s contractual obligations, etc. The Data is provided on a mandatory basis, and the purpose of the processing of this Data is to ensure the security of the Controller’s websites/applications and their protection against misuse, to better understand the Client’s needs and requirements, to improve services and brand awareness, to ensure the proper functioning of the OS and advertising and their improvement and protection through cookies, and to ensure the fulfilment of the contractual obligations of the Controller towards third parties. The source of the Data is the Client or a person authorised by the Client. If the Client fails to provide the Data, this may affect our ability to provide our services to the Client (“Legitimate Interests”).

 

4. WHO HAS ACCESS TO THE DATA – CATEGORIES OF DATA RECIPIENTS

Client data may be shared by the Controller to meet its legal obligations, to improve its services, or when it receives the Client’s consent to such sharing.

Only trusted external processors/recipients may process Data on behalf of the Controller. The Controller provides these external processors/recipients with only the information they need to provide the service and requires that they do not use the Data for any other purpose. The Controller makes every effort to ensure that all third parties with whom it works keep the Data properly secured. Services that require the processing of Data are provided to the Controller by, for example: external IT service providers such as platform providers with hosting services, administration and support of our databases and of our software and applications that may contain Data (these services could sometimes involve accessing the Data in order to perform the required tasks); social media monitoring providers; identity management, ratings and reviews, customer relationship management, web analytics and search engine providers; user-generated content processing tools; and advertising, marketing, digital and social media agencies that deliver advertising, marketing services and campaigns, analyse their effectiveness and manage Client relationships.

The Controller is obliged to disclose Data to third parties where it has such an obligation in order to comply with a legal obligation or to protect the rights, property, interests or safety of the Controller, its Clients, employees or external brokers. The Controller may also disclose the Data if it has the Client’s consent to do so or if permitted by law. The Controller neither offers nor sells the Data. The Data collected will not be shared with any third party, except as mentioned above.

 

5. WHERE WE STORE THE DATA

The Data collected by the Controller about the Client is stored and processed only in the EU or in countries that have committed to EU standards for the processing and security of personal data (USA). Outside the EU, personal data is only processed or stored with processors/recipients that are certified under the EU – U.S. Privacy Shield; these are Google LLC and Meta Platforms Ireland Limited.

 

6. HOW LONG WE KEEP THE DATA

The Client’s Data is retained for as long as necessary to fulfil the purpose for which the Controller received it, to meet the Client’s needs or to comply with its legal obligations.

The criteria set out below shall apply to determine the retention period of the Data:

 

– if the Client is interested in the service offered by the Controller and/or has concluded a contract with the Controller, Data in electronic form is retained for 10 years from its acquisition or from the termination of the contractual relationship with the Client, unless the legislation provides for a longer period (Performance of the Contract),

 

– if the Client is interested in receiving OS (commercial communications), the Data is stored for 10 years from the date of acquisition (OS and cookie consent),

 

– if the Client contacts us with an enquiry or a request for feedback, the Data is retained for the time necessary to process the enquiry and for a further 10 years from the last interaction (Performance of the Contract),

 

– if the Client creates an account, the Controller retains the Data until the Client requests deletion or for 10 years from the last activity on the Client’s account (Legitimate Interests),

 

– if the Client has consented to receive direct marketing communications, the Data is retained until the Client unsubscribes or asks the Controller to delete it, or for 10 years from the last interaction (OS and cookie consent); for consents given to the processing of personal data for marketing purposes, the retention period is 3 years from the date of consent,

 

– if cookies are placed on the Client’s device, the Data is kept for the time necessary to achieve its purpose, depending on the type of cookie (OS and cookie consent),

 

– if the Controller copies the Client’s ID card (OP) or passport and thereby fulfils legal requirements under specific legislation (e.g. Act No. 253/2008 Coll. on certain measures against the legalisation of the proceeds of crime and terrorist financing, etc.), the Data is retained for 10 years from the date of acquisition or from the termination of the contractual relationship with the Client or the completion of the transaction, unless the legislation provides for a longer period (Legal Obligation with consent),

 

– if the Controller complies with the legal requirements under specific legislation (e.g. Act No. 253/2008 Coll. on certain measures against the legalisation of the proceeds of crime and terrorist financing, etc.), the Data is stored for 10 years from its acquisition, or from the termination of the contractual relationship with the Client or the execution of the transaction, unless the legislation provides for a longer period (Legal Obligation).

 

Some Data may be retained by the Data Controller in order to comply with its legal obligations and also to properly protect its legitimate interests or for statistical or record-keeping purposes.

 

If the purpose of retaining the Data has been fulfilled and the retention period has expired, the Data will be deleted or anonymised from the Controller’s systems and records so that the Client can no longer be identified.


7. HOW THE DATA IS SECURED

The Data Controller makes every effort to properly protect the Data from the moment it is obtained until it is deleted, pseudonymised or anonymised. The Controller keeps and processes the Data securely to industry standards and has taken all reasonable security measures, through conscientious internal processes and security policies, to prevent misuse of the Data or unauthorised access to it. The Controller has contractually ensured that each authorised and trusted processor (see Article 4 of this document) treats the Data in the same manner.

 

Owing to the technical nature of data transmission over the Internet, the Controller cannot guarantee the security of Client Data while it is in transit to the Controller’s website. The security of any information transmitted in this manner is therefore beyond the technical control of the Controller.

 

8. CLIENT’S RIGHTS AND OPTIONS

Client Rights:

Right to be informed

  • The Client has the right to be provided by the Controller with clear and easily understandable information about how the Controller uses the Data and what the Client’s rights are in relation to the Data. The Controller does this by means of this DATA PROCESSING POLICY.

 

Right of access to the Data

  • The Client has the right to access the Data held about them by the Controller (subject to certain exceptions). The contact details of the Controller for this purpose are set out above.

 

  • The Controller is entitled to charge an adequate fee to cover the administrative costs associated with providing the requested information.

 

  • The Controller shall be entitled not to respond to manifestly unfounded, unnecessary or repetitive requests.

 

Right to rectification

  • The Client has the right to have his/her Data corrected if it is incorrect or out of date, or completed if it is incomplete. The Client may correct the Data through his/her account or by contacting the Controller. The contact details of the Controller for this purpose are set out above.

 

Right to erasure/right to be forgotten

  • In some cases, the Client has the right to have their Data deleted. This right can be exercised as long as it does not conflict with legal reasons or legitimate interests of the Controller. The contact details of the Controller for this purpose are set out above.

 

Right to refuse direct marketing (OS), including profiling

  • The Client has the right to unsubscribe from direct marketing communications at any time by clicking on the relevant link in the OS (opt-out). To cancel profiling, the Client may contact the Controller. The contact details of the Controller for this purpose are set out above.

 

Right to withdraw consent to the processing of Data

  • The Client may withdraw his/her consent to the processing of Data at any time (this applies only to Data that is processed on the basis of such consent). The lawfulness of the processing of the Data prior to the withdrawal of consent is not affected. To withdraw consent, the Client may contact the Controller. The contact details of the Controller for this purpose are set out above.

 

Right to refuse processing on the basis of legitimate interests

  • The Client may object at any time to processing of the Data that is based on legitimate interests. To object to such processing, the Client may contact the Controller. The contact details of the Controller for this purpose are set out above.

 

Right to lodge a complaint with a supervisory authority

  • If the Client believes that the Controller’s practice in relation to the handling of the Data is in breach of the GDPR, the Client has the right to contact the Data Protection Authority and lodge a complaint about such alleged breach of the Controller’s practice. Before filing any complaint with the Data Protection Authority, please do not hesitate to contact us using the contact details set out above.

 

Right to data portability

  • The Client has the right to move, copy or transfer the Data from the Controller’s database to another database. This right applies only to Data that the Client has provided for the purpose of performance of a contract or on the basis of consent and whose processing is carried out by automated means. The processing of Data for the purpose of performance of a contract or on the basis of consent is described above. The Client may contact the Controller for information on portability. The contact details of the Controller for this purpose are set out above.

 

Right to restriction of processing

  • The Client has the right to request a restriction of the processing of their Data by the Controller. This right means that the Controller may keep the Data but will not further process or use it. This right may apply if a) the Client disputes the accuracy of the Data, for the time necessary for the Controller to verify its accuracy; or b) the processing is unlawful and the Client refuses to have the Data deleted and instead requests a restriction on its use; or c) the Controller no longer needs the Data for the purposes of the processing but the Client requires it for the establishment, exercise or defence of legal claims; or d) the Client objects to the processing on the basis of the Controller’s legitimate interests, until it is verified whether the Controller’s legitimate interests outweigh those of the Client. To exercise the right to restrict processing, the Client may contact the Controller. The contact details of the Controller for this purpose are set out above.

 

Right to deactivate cookies

  • The Client has the right to deactivate cookies. Internet browsers are usually set to allow cookies, but the Client can change this in the browser settings. Disabling cookies may prevent the website from functioning properly. For more information about cookies, please visit www.aboutcookies.org.

This Data Processing Policy is effective as of 1 September 2022 and is drafted in accordance with the GDPR.