On the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which becomes applicable on 25 May 2018, we hold a number of obligations concerning the protection of your personal data. We place a maximum of emphasis on fulfilling these obligations. Therefore, we hereby provide you with the following key information concerning the processing of your personal data.
1. Which data do we process?
EXCHANGE s.r.o., company ID: 25777726, with registered office at Kaprova 14/13, 110 00 Prague 1 - Josefov ("eXchange" or "we"):
eXchange processes the following data of cash service (exchange) customers, as required by Act No. 253/2008 Coll., on Certain Measures Against Money Laundering and Terrorist Financing, as amended ("Act No. 253/2008 Coll."), when the transaction value clearly exceeds EUR 1 000:
- Data identifying customers that are natural persons:
- all first names and surnames;
- birth number or, if not assigned, date of birth;
- place of birth;
- permanent or other address;
- in addition, for natural persons engaging in business activities, business name, any distinguishing add-on or other designation, place of business and identification number;
- form and number of identity document, issuing State or authority and period of validity;
- whether or not the client is a politically exposed person;
- in addition, for contractual customers only, customer number.
- For natural persons that are members of the governing body of a customer that is a legal entity:
- data to establish and verify the identity of the natural person, which shall be the same data as those mentioned above for customers that are natural persons, including form and number of identity document, issuing State or authority and period of validity;
- business name or legal entity name including any distinguishing add-on or other designation, registered office, identification number of the entity or any similar number assigned abroad, as well as data identifying any other legal entity that is the governing body, a member of the governing body or the controlling entity of the legal entity.
- For trustees, administrators or persons holding a similar position in a customer that is a trust, or for customers belonging to other legal arrangements without a legal personality:
- data identifying the natural person (identical to the data identifying customers that are natural persons and members of the governing bodies of legal entities - see above);
- name of the trust or other legal arrangement that does not have a legal personality.
- For all three of the above categories of natural persons, identifying data other than those stated above may also be obtained, such as telephone number, email delivery address and employment or employee information, if the risk evaluation under Article 21a of Act No. 253/2008 Coll. so justifies.
- In addition, for all three of the above categories of natural persons:
For customers concluding a framework agreement on the provision of payment services, eXchange processes the data required by Act No. 253/2008 Coll., which are identical to those required for cash service (currency exchange) customers.
- whether the Czech Republic is applying international sanctions against the natural person or legal entity in question under the Act on the Implementation of International Sanctions;
- data identifying the agent if the customer is represented by power of attorney;
- data identifying the legal representative or guardian if the customer is represented by a legal representative or guardian, as well as data identifying the relevant court decision when represented by a guardian;
- for the duration of the business relationship or during other commercial transactions, data on background checks concerning the validity and completeness of data identifying the customer, information obtained during background checks on the customer, the reasons for applying a simplified customer background check or for exempting the customer from a background check, and records of any changes to these data;
- copies or extracts from submitted documents;
- information on the purpose and intended nature of the transaction or business relationship;
- if the client is a legal entity, trust or other legal arrangement without a legal personality, data on the ownership and management structure of the customer and its beneficial owner, and the adoption of measures to establish and verify the identity of the beneficial owner;
- data on the ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile;
- data on investigations into the source of funds or other assets relating to the transaction or business relationship;
- data on reasonable measures for establishing the origin of the assets of a politically exposed person that are used within the business relationship with that person;
- data to verify the identity of the beneficial owner and the procedure to establish that person's identity;
- sufficient data on beneficiaries of trusts or other legal arrangements without a legal personality that are designated by particular characteristics or class so as to establish the identity of the beneficiary at the time of the pay-out or at the time of the exercise by the beneficiary of its vested rights.
As regards non-cash services, for all foreign currency transfer requests made to another bank, eXchange also processes data identifying the counterparty/recipient to arrange the transfer of funds. Based on the request received from our bank, eXchange processes the account number of the counterparty and the first name, surname and address of the counterparty account holder. eXchange then passes these data to our bank to carry out the transfer.
eXchange processes the e-mail address of persons that have expressed an interest in having currency exchange tables sent by email. As regards our currency exchange table download service, eXchange processes the applicant's name (company name or business name), the applicant's ID, the applicant's phone number and e-mail address, details of the applicant's contact person (including e-mail address and telephone number), the name of the project for which the data is being downloaded, the website of the server that uses the exchange rates and the IP address of the server that downloads the tables.
For persons who have used the contact form, eXchange processes the sender's name and surname, e-mail address and optionally a telephone contact or VIP client number to speed up feedback or customer identification.
We do not process any other of your personal data.
2. On what basis, for what purpose and for how long do we process your personal information?
eXchange processes the personal data of both cash and non-cash service customers (the latter includes the sending and downloading of currency exchange tables) based on our obligations arising from applicable legislation and the fact that data processing is necessary for us to fulfil our contracts.
eXchange processes customers' personal data for the sole purpose of fulfilling our legal or contractual obligations.
The data retention periods applicable to eXchange are set out in Act No. 253/2008 Coll., which regulates the periods during which data may be retained by obliged entities. eXchange does not retain data beyond these periods.
eXchange retains the accounting and tax documents used to charge the services we provide for the sole purpose of fulfilling the obligations established in the relevant accounting and tax legislation, only for the period set out in those regulations.
In exceptional cases of attempted fraudulent behaviour or similar disputes, we are obliged to process all data relevant to such dispute for the duration of the dispute until its termination based on a final ruling, solely for the purpose of protecting our rights in such disputes.
3. To whom do we transfer or make your personal data accessible?
We only make your personal data accessible to the competent public authorities that are authorised to request them as part of their supervision activities under generally binding legislation.
eXchange employs the services of processors to provide certain support services (internal auditing, bookkeeping, information system development, etc.). This work is always carried out exclusively for our company based on our own guidelines. In selecting each processor, eXchange takes care as to their credibility and quality of service, as well as the security of personal data processed.
eXchange transfers customers' personal data to foreign countries for cross-checking against lists of politically exposed or sanctioned persons, thus fulfilling the obligation to identify customers in accordance with Act No. 253/2008 Coll. In doing so, eXchange transfers customers' personal data to a foreign company that provides a service for the verification of politically exposed or sanctioned persons. This company has its registered office in Australia, which is the place where the personal data is actually processed. eXchange transfers this data under a signed processing agreement, which includes standard contractual clauses in accordance with the decisions of the European Commission.
We do not transmit your personal data to any other countries.
4. Your statutory rights
In accordance with the legislation in force as regards personal data protection, you have the following rights:
- the right to access your personal data that we process;
- the right to correct your personal data if they is in any way incorrect or inaccurate;
- if you find or believe that we are processing your personal data in a way that is in conflict with the protection of your private and personal life or in violation of the law, including if your personal data are inaccurate with regard to the purpose for which they are being processed, you have the right to request an explanation from us and to demand that we remedy this situation (for example, by blocking, correcting, supplementing or deleting your personal data);
- the right to request the erasure of your personal data or restriction of processing;
- the right to object to data processing to assess whether the statutory obligations to which we are subject have been breached;
- if we are processing your personal data with your consent, you have the right to withdraw this consent;
- you also have the right to the portability of the data you have provided to us, which we process out of necessity for contract performance purposes. If you would like to transmit these data to another controller, we will allow you to obtain your personal data in a structured, commonly used and machine-readable format or, if technically feasible, we will transmit them directly to the new controller;
- In addition to the above, you also have the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection (in Czech: Úřad pro ochranu osobních údajů), which has its registered office at Pplk. Sochora 27, 170 00 Prague 7, internet adress www.uoou.cz/en.
If you have any queries or questions as regards the processing of your personal data, please contact us at any time:
in writing at the address:
110 00 Prague 1 - Josefov,
by telephone on:
800 22 55 99 (toll-free number for local calls only),
+420 222 700 890 (for international calls), or
you can also contact our representative for supervision above personal data processing:
The last update to this document was on May 25, 2018