The observance and the ensuring of the rights relating to data processing of clients (Clients) and all other natural persons concerned (Clients and other persons concerned hereinafter jointly referred to as Data Subjects) is a priority for Erste Asset Management Ltd. (hereinafter: EAM or the Company).
During the management, recording, processing and forwarding of personal rights of Data Subjects, the Company proceeds in compliance with the following legal regulations:
· Act CXII of 2011 on Informational Self-determination and the Freedom of Information (hereinafter: "Privacy Act"),
· REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR),
· Act XVI of 2014 on Collective Investment Forms and their Managers and on the Amendment of Certain Financial Laws (ACIFM),
· Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers and the Rules of the Activities they may Perform (AIFCD),
· Commission Delegated Regulation (EU) No 231/2013 of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision (AIFM Regulation)
· Act V of 2013 on the Civil Code (Civil Code),
· Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (AML Act);
In order to comply with data security requirements, the Company ensures the protection and security of the personal data of Data Subjects with special regard to protection against unauthorized access, alteration, transfer, disclosure, deletion, destruction or accidental destruction or damage.
1. Keeping of contact person data
The Company keeps record of the persons representing its clients and contractual partners and the contractual and other contact persons of clients and partners in its corporate governance system.
Continuous contact with contractual partners and supporting of the administration relating to the performance of contracts as part of the ensuring of the day-to-day operation of the Company.
In the processing of contact person data, the Company meets the following requirements:
- precise recording of data during the recording of contact person data,
- if a contact person changes, the new contact person is recorded as replacement of the old contact person,
- if the data of the contact person is not provided by the contact person himself, he must be informed of this at the time of the first contact.
The Company shall not disclose personal data without identification of the person requesting of the data.
Legal basis for data processing
Based on item (f) of paragraph 1 of Article 6 of GDPR, the legal basis of data processing is the Company's legitimate interest to ensure seamless day-to-day operation and to be able to get in touch immediately with the contact persons of contractual partners in day-to-day work.
Scope of processed data
name, position, email address, phone number
Deadline for the deletion of data
- If the contact person changes during the term of the contract, the personal data of the old contact person is deleted immediately.
- In all other cases, data is deleted within 5 (five) years from the termination of the contract.
2. Recording of phone-calls
The Company records both incoming and outgoing calls.
Purpose of data processing
Enforcement of the rights of clients, business partners and the Company, providing evidence for the deciding of potential disputes, subsequent provability, subsequent evidence of oral agreements, deciding of disputes relating to the settlement of transactions and operation of the telephone complaint management system prescribed by law
Legal basis for data processing
- In the case of telephone complaint management, the fulfilment of the legal obligations prescribed for the Company by the relevant legal regulations other regulatory means and AIFCD,
- in other cases, the Company's legitimate interest based on item (f) of paragraph 1 of Article 6 of GDPR to help the clarification of disputes arising between Data Subjects and the Company.
Scope of processed data
calling number, called number, date and time of call, audio recording of the phone-call and the personal data provided by the Data Subject during the call
Deadline for the deletion of data
- In the case of telephone complaint management, the Company will keep the audio recording of the telephone communication between the Company and the Data Subject communicating the complaint for a period of 5 (five) years (in line with the provisions of relevant legal regulations, other regulatory means and AIFCD),
- In the case of recording non-complaint-related phone-calls, the recording is kept for a period of 5 (five) years.
Upon the Data Subject's request, the Company will make the audio recording available for listening and will provide the Data Subject free of charge with an attested transcript of the audio recording.
3. Data processing relating to client identification
The AML Act applies to the Company with regard to its portfolio management service activity. Accordingly, in the cases specified in the referenced legal regulation, the Company must perform customer due diligence. The detailed rules of customer due diligence are defined in point O) of the Company's Business Regulation in force from time to time.
Purpose of data processing
Identification of the clients concluding contracts with the Company for portfolio management
Legal basis for data processing
The legal basis for data processing is the fulfilment of the Company's legal obligation prescribed in the AML Act.
Name, name at birth, place of birth, date of birth, mother's name at birth, nationality, address, number of personal identification document
Deadline for the deletion of data
The Company is entitled to process personal data received during the fulfilment of its obligation prescribed in the AML Act for a period of 8 (eight) years from the data of termination of the business relationship or the data of execution of the transaction order.
4. Complaint-related data processing
The Company gives Clients the opportunity to communicate complaints regarding the Company's behaviour, activities or omissions orally (personally or by phone) or in writing (personally or by way of a document submitted by another person, by mail, fax or e-mail).
Purpose of data processing
Investigation of customer complaints
Legal basis for data processing
Fulfilment of the Company's legal obligation prescribed in the relevant legal regulations other legal regulatory means and AIFCD
Scope of processed data
Name, address, seat, mail address and phone number of the person submitting the complaint
Deadline for the deletion of data
The Company shall keep the complaint for a period of 5 (five) years from the date of its response to the complaint.
5. Other data processing
As the Company's main activity is investment management (collective portfolio management and portfolio management), the Company may be requested to provide information, communicate or handover data and to make available documents by courts, the prosecutor, investigating authorities, authorities dealing with offences, administrative authorities, the National Authority for Data Protection and the Freedom of Information, the National Bank of Hungary and by other authorities based on authorization granted by law.
The Company will only disclose personal data to authorities if and to the extent that is absolutely necessary in order to achieve the purpose of the request.
Data processors
The Fund Manager uses Microsoft's "Office 365" service during the above data management, during which the data subject's personal data is transferred to Erste Digital (Erste Digital GmbH; contact information: Am Belvedere 1, 1100 Vienna, Austria, website) belonging to the Erste Group, as well as Microsoft (Microsoft Ireland Operations Ltd.; contact information), as data processors acting on behalf of the Fund Manager, are also processed based on the legitimate interests of the Fund Manager. Consequently, for the general use of Office 365, data subjects do not have to give their consent according to Article 6 (1) point a) of the GDPR.
The use of Office 365 supports the work processes of the Fund Manager and other members of the Erste Group, the monitoring of modern digital administration and the benefits arising from unified data management (such as increasing the level of service and the typical user experience and reducing data security risks arising from the service).
Erste Digital and Microsoft contribute to the provision of Office 365. Personal data is managed only within the European Union or in a country that ensures the level of protection of the data processor's personal data required by the GDPR.
Name: Erste Asset Management Ltd. (Erste Alapkezelő Zrt.)
Seat: 1138 Budapest, Népfürdő utca 24-26. szám 9. emelet
Company registration number: 01-10-044157
Registering authority: Court of Registration of the Metropolitan Court
Tax number: 11895336-2-41
Phone number: 06-30/625-7410
Email address: erstealapkezelo@erstealapkezelo.hu
The Company's employee providing information on data protection matters:
Name: dr. Győző Stift
Phone number: 06-30/625-7410
Email address: gyozo.stift@erstealapkezelo.hu
1. Right to information
The Company takes appropriate measures to make sure that all communications mentioned in Articles 13 and 14 of GDPR regarding the processing of personal data and all information mentioned in Articles 15-22 and 34 of GDPR are provided to Data Subjects in a brief, transparent, comprehensible and easy-to-access manner, formulated clearly and understandably.
The right to information may be exercised in writing through the contacts specified in Chapter II of this Information.
Oral information may also be provided upon the Data Subject's request provided that the Data Subject was identified in another manner.
The Company must provide information upon the Data Subject's request in writing within the shortest possible time from the receipt of the request but within 25 days at the latest in understandable form.
2. Right of access
The Data Subject has the right to receive feedback from the Company on whether his or her personal data is being processed and if such data is being processed, the Data Subject has the right to have access to the personal data and to the information listed below.
a) the purposes of processing;
b) categories of the personal data of the Data Subject;
c) recipients or categories of recipients to whom the personal data was or will be communicated, in particular, third country recipients or international organizations;
d) if relevant, the planned period of keeping of the personal data or, if this cannot be specified, the aspects of determining the period of keeping;
e) the Data Subject's right to request from the data controller the rectification, deleting or restriction of processing of the personal data relating to him or her and to object to the processing of such data;
f) the right to submit complaints to any supervisory authority;
g) if the data was not collected from the Data Subject, all information available regarding the source of the data;
h) the existence of automated decision-making, including profiling and, at least in those cases, information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject.
The Company will make a copy of the processed personal data available to the Data Subject. The Company may charge a reasonable fee based on the relating administrative expense for further copies requested by the Data Subject. Upon the Data Subject's request, the Company will provide the information in electronic form.
3. Right to rectification
The Data Subject has the right to the rectification of his or her inaccurate personal data by the Company upon the Data Subject's request without unjustified delay. Taking the purpose of processing into account, the Data Subject also has the right to request supplementation of incomplete personal data (among others, by submitting a supplementary declaration).
4. Right to erasure
The Data Subject has the right to the erasure of his or her personal data by the Company upon the Data Subject's request without unjustified delay and the Company is obliged to erase the personal data relating to the Data Subject without unjustified delay if any of the following conditions apply:
a) the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
b) the Data Subject withdraws his or her consent forming the basis of processing and the processing of the data has no other legal basis;
c) the Data Subject objects to the processing of the data and there is no overriding legitimate cause for the processing of the data or the Data Subject objects to processing;
d) the personal data was processed illegitimately;
e) the personal data has to be erased in order to fulfil a legal obligation prescribed by EU or member state law applicable to Company;
f) the personal data was collected in relation to the offering of information society services.
5. Right to be forgotten
Where the controller has made the personal data public and is obliged to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
6. Right to the restriction of processing
The Data Subject has the right to the restriction of the processing of data by the Company upon his or her request if any of the following conditions is fulfilled:
a) the Data Subject challenges the accuracy of the personal data in which case the restriction will apply to the period that is necessary for the Company to verify the correctness of the personal data;
b) processing of the data is illegitimate and the Data Subject objects to the deleting of the data and instead requests a restriction of their use;
c) the Company no longer needs the personal data for processing but the Data Subject requests the keeping of the data for the submission, enforcement or protection of legal claims;
d) the Data Subject objected to the processing of the data in which case the restriction will apply to the period until the priority of the Company's legitimate interests to the Data Subject's legitimate interests is determined.
7. Right to data portability
The Data Subject has the right to receive the personal data relating to him or her that he or she provided to the Company in a structured, widely used and computer readable form and has the right to forward such data to another data controller.
8. Right to object
The Data Subject has the right to object to the processing of his or her personal data at any time for reasons relating to his or her situation if the personal data is processed for the Company's legitimate interest.
9. Resort to court
In the case of infringement of the Data Subject's rights relating to data processing, the Data Subject may resort to court in the cases defined in the Privacy Act.
10. Indemnification and compensation
If the Data Subject suffers any damage in relation to data processing, he or she may claim indemnification according to the provisions of the Privacy Act.
If the Company infringes rights relating to the personality of the Data Subject by the illegitimate processing of his or her data or non-compliance with data security requirements, the Data Subject may claim compensation from the Company.
11. Procedural rules
The Company must, without unjustified delay but within one month from the receipt of the relevant request, inform the Data Subject of the measures taken in accordance with point 2-8 of this Chapter III. If necessary, with regard to the complexity of the request and the number of requests, this deadline may be extended by two further months. The Company must notify the Data Subject of the extension of the deadline within one month of the receipt of the request, naming the causes of the delay. If the request was submitted by the Data Subject electronically, the notice shall, if possible, also be given electronically unless requested otherwise by the Data Subject.
If the data controller does not take measures based on the Data Subject's request, it must notify the Data Subject without delay but within one months of the receipt of the request at the latest of the causes for not taking any measures and of the fact that the Data Subject may submit a complaint with any supervisory authority and may exercise his or her right to legal remedy in court.
The Company will provide the requested information and notices and take the requested measures free of charge. If the Data Subject's request is manifestly unfounded or excessive, in particular because of its repetitive character, the Company may, with regard to the administrative costs involved in the provision of the requested information or notice or the taking of the requested measure:
a) charge a reasonable fee or
b) refuse to act on the request.
The burden of proof of the request being manifestly unfounded or excessive lies with the Company.
***
Data Subjects may submit complaints concerning the data processing of the Company to National Authority for Data Protection and Freedom of Information (NAIH):
Name: National Authority for Data Protection and Freedom of Information
Seat: 1055 Budapest, Falk Miksa utca 9-11.
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu
***
For any matters not regulated herein, the provisions of the Privacy Act and GDPR shall apply.
Erste Asset Management Ltd.
Cookies are used in various places on our website. Cookies are small text files that recognize users when they return to the website. However, no personal information such as name or address is stored. You cannot therefore be identified by the information in question.
We use cookies to tailor our offers to your needs and analyze how these offers are used. You can change the settings of your browser so that your consent must be obtained before using a cookie. Only the cookie category "Essential", which is necessary for the functioning of the website, cannot be deactivated. These cookies do not store any personal data.
We distinguish the following two processing purposes:
1. Essential for the use of our online services
What is it about? This data processing is essential to enable you to use our online services, such as the website. This involves, for example, your preferred language setting. Or information required for billing partner services.
Can you prevent this data processing? No. Without this data processing you cannot use our online services.
2. Website Analytics (statistics)
What is it about? We have a legitimate interest in statistically evaluating the use of our online services (in accordance with § 7 of the Data Protection Act). For this purpose, we collect pseudonymous data about your interaction with our online services (such as our website) and evaluate this data in aggregated form.
Can you prevent this data processing? Yes. You can prevent the statistical evaluation by adjusting your privacy settings.
Webpage visitors can manage their cookie settings any time in settings of the browser. Please note, that you may ban using cookies via settings of your browser, or previous cookies can be deleted any time. However, this may lead to difficulties in using the website, or some of the functions will not be available.
We use various service providers to carry out the data processing described above. Here you will find brief descriptions of these services and the respective processing purposes:
CommandersAct (essential)
We use the CommandersAct Consent Management Platform to obtain, manage and document cookie consent. This platform is operated by "Fjord Technologies" in France. https://www.commandersact.com/de/loesungen/customer-data-platform/
Adobe Analytics (statistics)
Adobe Analytics uses cookies to differentiate requests from different browsers and to store helpful information that an application can use later. They may also be used to associate browsing information to customer records.
In particular, Analytics uses cookies to anonymously define new visitors, help analyze clickstream data, and track historical activity on the website, such as response to particular campaigns or the length of the sales cycle.