Data Protection Policy
Thank you for your interest in our web site and our company. Despite the fact that we check external links carefully, we assume no liability for the contents or safety of the sites accessed by means of these external links.
We protect your personal data to the highest possible degree during collection, processing, and your visits to our web site. Your data are protected as required by law. The following contains an explanation of the type of data that we collect when you visit our web site as well as of how we use this data.
General information about data protection policy
Starting on 25 May 2018, the General Data Protection Regulation or GDPR applies throughout the European Union. The GDPR stipulates how personal data may be processed and how they must be protected. You will find a summary of the basic information below.
What is the GDPR?
The GDPR is a regulation of the European Union. It applies directly in every member state, including in Croatia. Every person whose data are processed can directly claim protection under the GDPR. Detailed information can be found here.
What does the GDPR govern?
The GDPR contains regulations about the processing of your personal data. The GDPR protects all information about you including your name, telephone number, investment, and hobbies. The principles in this regulation stipulate how your personal data may be stored and processed. Detailed information can be found here.
Why is the protection of my data so important?
Data protection is a fundamental right. Just as your right to freedom or security, your right to data protection is enshrined in the Charter of Fundamental Rights of the European Union. This EU Charter of Fundamental Rights applies to the relationship between you and government institutions.
The law also recognises that there must be a balance between the interests of entities processing personal data and the so-called data subjects in private and business affairs – for example between you and your investment company.
Personal data say a lot about us and can reveal our hobbies, preferences, and wishes. And this is of course worth protecting. But we have to know your preferences in order to be able to offer you individualised service. One core element of data protection is that we find a way together in which we can and may process your data in your interests and under your supervision. Detailed information can be found here.
Where can I learn more about the GDPR?
The text of the GDPR can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&
The EU Charter of Fundamental Rights: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:12012P/TXT
You can find more information about your rights on the following web sites:
Croatian Data Protection Authority; http://azop.hr/data-protection-agency
European Commission https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Principles and basic concepts of data protection law
It is important to clarify some basic terms so that we can talk about data protection. We have also included the Article designations of the GDPR so that you can look these definitions up if you wish to do so. Please note that the information provided here is only a summary. The full text of the GDPR and the respective articles can be found here: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1526239688361&uri=CELEX:32016R0679
What are personal data?
Personal data include all information that relate to an identifiable natural person (“data subject”). A natural person is considered to be identifiable when his or her identity can be determined directly or indirectly, for example by reference to a name or code number.
More information can be found in Article 4 (1) GDPR.
What does the processing of data include?
The term “processing” means any operation performed on personal data with or without the help of automated systems. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
More information can be found in Article 4 (2) GDPR.
What does “controller” mean?
The term “controller” refers to the natural or legal person, public authority, agency, or other body that decides on the purposes and means of processing personal data alone or jointly with others. One example of this is us as a management company.
More information can be found in Article 4 (7) GDPR.
What does “processor” mean?
The term “processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
More information can be found in Article 4 (8) GDPR.
The processing of your data in our company
Who is responsible for processing personal data?
The following company is responsible for processing your data:
Erste Asset Management Ltd
Ivana Lučića 2a
Responsible authority for data protection issues:
Croatian personal data protection agency
Martićeva ulica 14
Tel. 00385 (0)1 4609-000
Fax. 00385 (0)1 4609-099
What personal data are processed?
We process the following personal data:
- Master and identification data such as first and last name, e-mail address, and if necessary telephone number, date of birth, hobbies, etc. when you provide this information to us
- The results of processing to fulfil contracts and declarations of consent
- Data to meet legal and regulatory requirements
Please note: This is simply a general list. We do not have all of the data specified above in every case. You have the right to receive a detailed, individual list from us upon request at any time. Please contact email@example.com to this end.
Where do you obtain the personal data that you process?
Most of your personal data that we process was provided by you: for example when you signed up for our newsletter or submitted an enquiry.
Data can also come from the following sources:
- Public sources such as the trade register, property register, bankruptcy database, or register of associations
- From other institutions in the Erste group
We may also receive data from government agencies or from individuals acting under government mandate, such as from the Financial Market Authority, guardianship or criminal courts, public prosecutors, or court-appointed notaries. You have the right to receive a detailed, individual list from us.
For what purposes and on what legal basis are my personal data processed?
We are a management company pursuant to the Croatian Investment Fund Act (NN 44/16) and pursuant to the Alternative Investment Fund Manager Act (NN 21/18). We process your personal data in connection with this activity. In detail, this means:
Processing for contract fulfilment
We are permitted to render certain services for you depending on the type of contracts that we have concluded with you. This can be an agreement relating to a special purpose fund, or can be a management agreement, for example. We must process your data to this end. Our offerings are just as diverse as the wide range of contracts that we enter into. The scope of data processing is specified in the terms of the respective contract.
Processing to fulfil legal obligations
Certain legal regulations and purposes also require that we process your personal data, such as:
- Act on Open-Ended Investment Funds with Public Offering (Official Gazette 44/16)
- Alternative Investment Funds Act (Official Gazette 21/18)
- Capital Market Act (Official Gazette 88/08, 146/08, 74/09, 54/13, 159/13, 18/15, 110/15, 123/16 and 131/17)
- Antimony laundering and terrorist financing law (Official Gazette 108/17)
- Ascertaining your identity, transaction monitoring, reporting suspicious activity: Financial Market Money Laundering Act and the EU Wire Transfer Regulation 847/2015
- Provision of information to public, courts, and criminal financial authorities pertaining to criminal proceedings based on intentional financial crimes: Austrian Banking Act, criminal procedural code, criminal financial code
Processing based on legitimate interests
We or third-party agents have a legitimate interest in processing data in the following cases:
- Measures for the prevention of fraud, fraud transaction monitoring
- Data processing for exercising legal claims
- Recording telephone calls, for example for complaints and for documenting declarations that are relevant for transactions
Processing personal data for the purposes of direct marketing can also be a legitimate interest.
Processing based on declaration of consent
If there is no contract, legal obligation, or legitimate interest, data processing can also be legal when you have given us your consent or authorisation to do so. The scope and contents of this data processing are always defined by the specific consent that you have granted. You can revoke this consent at any time.
The revocation has no impact on the legality of data processing up to the point in time that the consent is revoked. In other words, revocation has no retroactive effect.
Am I obligated to provide my personal data? What happens when I do not wish to do so?
We require certain personal data from you for our business relationship. If we do not know your name and e-mail address, we cannot send you any newsletters or information about our new products, or invitations to interesting events. If you do not wish to provide your personal data to us, we may be unable to offer you certain products and services. If we are only permitted to process your data based on your consent, you are not obligated to give this consent or provide your data.
Are any decisions made based on automated processing, such as profiling?
We employ no automated decision-making processes pursuant to Article 22 GDPR at the beginning of or during our business relationship.
To whom are my personal data passed on?
Your personal data can be passed on to:
- Companies, units, and persons (employees and contract agents) within the group headed by Erste Asset Management Ltd when these entities need these data to fulfil contractual, legal, or supervisory obligations and to realise their legitimate interests
- Public agencies and institutions when we are legally obligated to do so, for example the Croatian Financial Market Authority (HANFA), tax authorities, etc.
- Third parties contracted by us, such as IT and back office service providers, when they require these data for their activities. Third parties are contractually required to treat your data confidentially and to only process them for the provision of the relevant services
- Third parties when this is required for contract fulfilment or based on legal regulations, for example the recipient of a wire transfer and their payment transaction service provider.
Your data may also be passed on to third parties when you have consented to this forwarding.
How long are my personal data stored?
Your personal data are stored for as long as required to fulfil the relevant purposes in any case. The law also stipulates for how long we must keep the data. These retention obligations may also apply when you are no longer our customer or an interested party.
What security measures are applied in data processing?
We place high value on data protection and data security. We have taken all technical and organisational measures needed to secure our data processing. This especially pertains to the protection of your personal data. We protect these data against unauthorised and unlawful processing, unintentional loss, unintentional destruction, and unintentional damage. These measures include the use of modern security software and encryption methods, physical access control, and precautions to prevent and defend against external and internal attacks.
What about cookies and web analytics?
Web analytics: We forward personal data to the service provider Adobe Analytics for the purposes of anonymised statistical analyses of the user flow on our web sites. You can prohibit the forwarding of your data. Click here to prevent your data from being recorded.
What are my rights?
The GDPR grants you the following rights pertaining to your personal data. You have the right to:
- Access, pursuant to Article 15 GDPR
- Rectification, pursuant to Article 16 GDPR
- Erasure, pursuant to Article 17 GDPR
- Restriction of processing, pursuant to Article 18 GDPR
- Data portability, pursuant to Article 20 GDPR
- Objection, pursuant to Article 21 GDPR
- No decision-making based solely on automated processing, including profiling, pursuant to Article 22 GDPR
What does the right to access mean?
You have the right to demand a confirmation of whether we process your personal data. If this is the case, you also have the right to information about this personal data and to the following information:
• Purposes of processing
• Categories of personal data that are processed
• Recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, especially recipients in non-EU countries and at international organisations
• If possible the planned duration that the personal data will be stored for or, if this is not possible, the criteria that are applied to determine this duration;
• The existence of the right to have your personal data rectified or erased; restriction of or objection to this processing
• Right to file complaints with a supervisory authority
• All available information about the source of the personal data when the data are not collected from the data subject
• Whether automated decision-making including profiling are used pursuant to Article 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, as well as the significance and consequences of such processing for the data subject.
An explanation of how exactly to exercise your rights can be found here.
What does the right to rectification mean?
It is important to us that your data are correct and complete at all times. If you suspect that they are incorrect or incomplete, you can request that we rectify or complete the data. You can exercise this right via e-mail firstname.lastname@example.org or via post to Company address.
What does the “right to erasure” and the “right to be forgotten” mean?
We attach considerable importance to only processing your data in accordance with the rules of the GDPR. Should you have reason to believe that this is not the case, you can request that your personal data be erased. Reasons for this can be:
• The personal data are no longer required for the purposes for which they were collected or processed in some other manner.
For example: Your personal data must be erased when they were solely collected send newsletters (sole purpose) and you have not consented to the processing of these data for other purposes. In this case, there is no need to process the data when you have unsubscribed from the newsletter and after the retention obligation no longer applies. The legal retention obligations are described.
• You revoke your consent on which the processing was based pursuant to Article 6 (1) a) GDPR or Article 9 (2) a) GDPR, and there is no other legal basis for processing.
For example: You have consented to the processing of your personal from a third-party provider (sole purpose). As soon as you revoke this consent, your personal data must be erased. Exceptions: There are other purposes or justifications for processing and you are also in a customer relationship with the third-party provider, for example.
• You file an objection against processing pursuant to Article 21 (1) GDPR, and there are no overriding legitimate grounds for processing.
For example: You can file an objection when an entity is processing your personal data without your consent just because this entity claims to have a legitimate interest in doing so (and there is no other justification). When you contest this and there was no legitimate interest, your personal data must be erased. Your objection was successful.
• Your personal data were processed unlawfully.
Unlawfully processed personal data must be erased.
• The erasure of your personal data is mandated by EU law or the law of the member state.
This refers to laws or other regulations that demand the erasure of personal data.
• The personal data were collected in connection with the offer of information society services pursuant to Article 8 (1) GDPR.
This is a special protection afforded to minors who use online services.
This was a brief summary of the right to erasure. This should not be confused with the “right to be forgotten”.
The “right to be forgotten” pertains to personal data that have been made public. This means that when a person who originally published the data is required to erase the data (because one of the reasons for deletion above applies), this person must also then inform all persons who received the data in question as a result of their publication that the data in question must be erased. This rule is rather complicated. These provisions of the GDPR pertain to Internet search engines in particular.
What does the right to restrict processing mean?
We attach considerable importance to always processing your data in accordance with the rules of the GDPR. Should you have reason to believe that this is not the case, you can request that the processing of your personal data be restricted. However, this is only possible for the following legitimate reasons:
• You contest the correctness of your personal data. You can demand that the processing of your personal data be restricted for the duration of the period required by the data controller to verify the correctness of your personal data.
Opinions can differ. But further processing can be restricted for the time during which a matter is being clarified so that the contested personal data do not have to be erased or changed immediately. It could turn out that the data were correct after all.
• The processing of personal data is unlawful. But instead of having your personal data erased, you “only” wish to have their use restricted.
The GDPR gives you the right to choose. If you do not wish to have unlawfully processed data erased immediately, you can demand that they remain stored, but that they may no longer be used.
• Data controllers no longer need your personal data for processing. However, they need the data to assert, exercise, or defend legal claims.
When your personal data should in fact be erased but are needed so that you can exercise or defend your own rights, they can still be processed for these purposes.
• You have filed an objection against processing pursuant to Article 21 (1) GDPR. Restricted processing can be demanded until it is determined whether the legitimate interests of the controller override your interests.
Further processing can be restricted for the time during which a matter is being clarified so that the contested personal data do not have to be erased immediately. It could turn out that the processing was justified after all.
An explanation of how to exercise your right to restrict processing can be found here.
What does the right to data portability mean?
Your personal data belong to you. Because of this, you have the right to receive this data in a structured, common, and machine-readable format. This pertains to data that you have provided to us and that are processed by means of automated systems based on your consent or for contract fulfilment. You can also demand that we forward these personal data directly to another controller.
In what form will I be given the data?
We provide the data as a PDF, XLS or XML file.
Was does the right to object mean?
Your data may only be processed when there is a legitimate interest in doing so.
If such a legitimate interest is claimed, you must be informed of this. If you feel that there is no legitimate interest, you can raise an objection. This is especially the case when your personal data are used for direct marketing. If the controller is unable to prove any legitimate reasons for further processing, the controller will not be permitted to continue processing your data after you object. Except for processing for the purposes of direct marketing. Your objection has absolute effect here.
What does your right to not be subject to decision-making based solely on automated processing, including profiling, mean?
We do not employ automated decision-making pursuant to Article 22 GDPR for entering into or fulfilling business relationships. More information can be found here. For this reason, the right to object to this does not apply.
How and where can I exercise my rights?
What information am I required to provide?
We must verify your identity for every enquiry so that your financial data do not fall into the wrong hands and so that another person cannot erase your data against your will. Please understand that we will demand additional information about your identity in cases of doubt. This serves your own protection so that only authorised persons can access your data.
How can I submit a request?
Regardless of which right you wish to exercise, you can submit your request to us in any of three ways:
- By regular mail (please sign and include a copy of a photo ID) to
Erste Asset Management Ltd
Ivana Lučića 2a
- In person at the nearest Erste bank branch, or
- By e-mail via email@example.com (include a copy or a photo of personal ID)
Please explain your case as concretely as possible so that we can process it without delay. Please pay particular attention to the information about your right to data portability.
How long will it take for my request to be processed?
We will provide you with the information about relevant measures immediately, in any case within one month after receipt of your request.
This period can be extended by a further 7 days when the complexity and number of requests requires this additional time. We will inform you of a possible deadline extension and the reasons for this within 7 days after the receipt of your request in any case.
How will my request be processed?
We will send you the information in written form to your home address.
What are the key considerations relating to my right to data portability?
We only forward data directly to third parties when you
- expressly instruct us to do so,
- release us from our obligation to banking secrecy, and
- when the third party in question is a financial services provider, attorney, notary, tax consultant, accountant, or government agency.
Does it cost anything when I exercise my rights?
No, the requests are processed free of charge. Exception: When requests are submitted for reasons that are clearly unjustified or to an excessive extent, we are entitled to demand a reasonable fee. This covers the administrative costs for the notification, refusal, or implementation of the requested measure.
Can I file a complaint?
Our employees will be pleased to assist you with all complaints, questions, and suggestions relating to data protection. We are certain that we can work together to find a solution to nearly every problem.
If you do not receive an answer to a request in good time, feel that your data protection rights have been violated, or feel that we have not processed your request in accordance with the law, you can file a complaint with the responsible supervisory authority:
Croatian Data Protection Authority
Martićeva ulica 14
Tel. 00385 (0)1 4609-000
Fax. 00385 (0)1 4609-099
Every person who has suffered tangible or intangible damages due to a violation of the GDPR is also entitled to compensation from the controller or processor pursuant to Article 82 GDPR. The general provisions of civil code apply in such cases. Please note that the Data Protection Authority is not responsible for damage claims, but the local court that is responsible for matters of civil law in your district. You can also file motions and lawsuits with the regional court whose competence covers the district where the defendant resides or has its offices.
Valid from May 2018