treats your Personal Data responsibly and therefore in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") and Act No.18/2018 Coll. on the protection of Personal Data and on amending and supplementing certain acts (hereinafter referred to as "the Act"), makes available to you as a Data Subject (a natural person whose Personal Data is processed) on its website, in addition to its identification and contact details and the contact details of the responsible person, other necessary information, which can be found in the tabs on the left.

In accordance with Article 24 of the GDPR and Section 31 of the Act, the Data Controller has taken appropriate technical, organisational, personal and security measures and safeguards, which take into account in particular: o the principles of the processing of Personal Data, which are lawfulness, fairness and transparency, the limitation and compatibility of the purposes for which Personal Data are processed, the minimisation of Personal Data, their pseudonymisation and encryption, as well as integrity, confidentiality and availability;

• the principles of necessity and proportionality (including the scope and amount of the Personal Data processed, the retention period and access to the Data Subject's Personal Data) of the processing of Personal Data with regard to the purpose of the processing operation;
• the nature, scope, context and purpose of the processing operation;
• the resilience and recovery of Personal Data processing systems;
• instructions to authorised persons of the Data Controller;
• taking measures to promptly determine whether a Personal Data breach has occurred and promptly informing the supervisory authority and the responsible person;
• taking measures to ensure the rectification or erasure of inaccurate data or the exercise of other rights of the Data Subject;
• risks of varying likelihood and severity to the rights and freedoms of natural persons (in particular accidental or unlawful destruction of Personal Data, loss or alteration of Personal Data, misuse of Personal Data - unauthorised access or unauthorised disclosure, assessment of the risks taking into account the origin, nature, likelihood and severity of the risk in relation to the processing and to identify best practices to mitigate the risk).

Information on the purpose of processing and the retention period of Personal Data

One of the principles of the processing of Personal Data is the purpose limitation principle. Under this principle, Personal Data may only be collected for a specifically identified, explicitly stated and legitimate purpose and may not be further processed in a way that is incompatible with that purpose.

The processing of Personal Data should be closely linked to the purpose of the processing of Personal Data, in particular as regards the list or scope of the Personal Data processed, which should be necessary for the processing of the Personal Data in question to achieve the purpose. It is not appropriate to artificially or additionally expand the list or scope of Personal Data with regard to the purpose. If the purpose and the list or scope of the Personal Data is determined by law, it must be respected; if the Data Controller determines the list or scope of the Personal Data to be processed, he or she must take care not to extend it unnecessarily beyond the scope of the purpose.

The Personal Data Protection Act provides for the obligation of the Data Controller to provide the Data Subject with information on the purpose of the processing of Personal Data for which the Personal Data are intended, even if the Personal Data are not collected directly from the Data Subject. It is necessary that this information is provided to the Data Subject at the latest when his or her Personal Data are collected, or in sufficient time, in a clear and comprehensible manner and in such a way that the Data Subject can actually acquaint himself or herself with and understand the information.

We therefore process your Personal Data for the purpose of providing private financial services. The period of retention of Personal Data or information on the criteria for determining it: The Personal Data will be kept for the duration of the purpose and subsequently for archiving purposes for the period specified in the Data Controller's archiving plan and shall be archived for the period required and specified in the relevant legislation and according to the general limitation periods.

Rights of the Data Subject

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Amendments to Certain Acts (hereinafter referred to as the "Act") guarantee you the following rights as a Data Subject:

1. the right of the Data Subject to access to Personal Data, the content of which is:
   • the right to obtain confirmation from the Data Controller as to whether Personal Data relating to the Data Subject is being processed;
   • in the event that the Personal Data of the Data Subject is processed, the right to access the Personal Data processed and the right to obtain such information:
   • information about the purposes of the processing;
   • information on the categories of Personal Data concerned;
   • information on the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
   • where possible, information on the expected retention period of the Personal Data or, if this is not possible, information on the criteria for determining it;
   • information on the existence of the right to request from the Data Controller the rectification of Personal Data relating to the Data Subject or their erasure or restriction of processing and on the existence of the right to object to such processing;
   • information on the right to lodge a complaint with the supervisory authority;
   • if the Personal Data were not obtained from the Data Subject, any available information as to their source;
   • information on the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4). Regulation and, in such cases, at least meaningful information about the process used as well as the significance and the envisaged consequences of such processing of Personal Data for the Data Subject;
     • the right to be informed of the adequate guarantees under Article 46 of the Regulation relating to the transfer of Personal Data where Personal Data are transferred to a third country or an international organisation;
     • the right to be provided with a copy of the Personal Data being processed, provided, however, that the right to be provided with a copy of the Personal Data being processed shall not adversely affect the rights and freedoms of others;

   The Data Subject's right of access to Personal Data inherently means that the Data Subject has the right to obtain confirmation from us as to whether Personal Data relating to him or her is being processed and, if so, the right to access that Personal Data. At the request of the Data Subject, we will provide a copy of the Personal Data being processed. We may charge a reasonable fee for any additional copies requested by the Data Subject, commensurate with the administrative costs. Where the Data Subject has made a request by electronic means, the information shall be provided in a commonly used electronic format, unless the Data Subject has requested otherwise. The information must be provided immediately and at the latest within 1 month. We have the right to extend the processing time for an additional 2 months if the request is complex or frequent. However, it must notify the Data Subject within 1 month of the reason for the extension of the processing period. In the event of an unreasonable or excessive request, we have the right to charge a fee commensurate with the cost or refuse the request. We must explain the reason for the refusal and the right of the Data Subject to lodge a complaint with the supervisory authority.

2. the right of the Data Subject to rectification of Personal Data, which includes:
   • the right to have incorrect Personal Data concerning the Data Subject corrected by the Data Controller without undue delay;
   • the right to supplement incomplete Personal Data of the Data Subject, including by providing a supplementary declaration of the Data Subject;

   The right of the Data Subject to rectification of Personal Data means that you can ask us to rectify or complete your Personal Data at any time if it is inaccurate or incomplete. The Data Subject shall have the right to have incomplete Personal Data completed, including by providing a supplementary declaration.

3. the right of the Data Subject to erasure of Personal Data (the so-called "right to be forgotten"), which includes:
   • the right to obtain from the Data Controller the erasure of Personal Data relating to the Data Subject without undue delay if one of the following grounds is met:
     • the Personal Data are no longer necessary for the purposes for which they were collected or otherwise processed;
     • The Data Subject shall withdraw the consent on the basis of which the processing is carried out, provided that there is no other legal basis for the processing of the Personal Data;
     • The Data Subject objects to the processing of Personal Data pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing of Personal Data or the Data Subject objects to the processing of Personal Data pursuant to Article 21(2) of the Regulation;
     • Personal Data have been unlawfully processed
     • the Personal Data must be erased in order to comply with a legal obligation under European Union law or the law of a Member State to which the Data Controller is subject;
     • the Personal Data were collected in connection with the offer of information society services pursuant to Article 8(1) of the Regulation;
   • the right to have the Data Controller who has disclosed the Personal Data of the Data Subject take reasonable measures, including technical measures, having regard to the technology available and the cost of implementing the measures, to inform other Data Controllers who process Personal Data that the Data Subject has requested them to erase all references to, copies of, or replicas of that Personal Data

   however, the right to erasure of Personal Data containing the rights under Article 17(1) and (2) of the Regulation [i.e., with the content of the rights under (i) and (ii) of this subparagraph (c)(J) of this document] will not arise if the processing of the Personal Data is necessary:

   1. to exercise the right to freedom of expression and information;
   2. for compliance with a legal obligation requiring processing under European Union law or the law of a Member State to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
   3. for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) of the Regulation as well as Article 9(3) of the Regulation;
   4. for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, where the right referred to in Article 17(1) of the Regulation is likely to make it impossible or seriously impede the achievement of the purposes of such processing of Personal Data; or
   5. to prove, exercise or defend legal claims;

   Thus, the Data Subject's right to erasure of Personal Data means that we must erase your Personal Data if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, or (iv) we are under a legal obligation to do so.

4. the right of the Data Subject to restrict the processing of Personal Data, which includes:
   • the right to have the Data Controller restrict the processing of Personal Data in respect of one of the following cases:
     • The Data Subject contests the accuracy of the Personal Data during a period allowing the Data Controller to verify the accuracy of the Personal Data;
     • the processing of the Personal Data is unlawful and the Data Subject objects to the erasure of the Personal Data and requests instead the restriction of its use;
     • the Data Controller no longer needs the Personal Data for the purposes of the processing, but the Data Subject needs them to establish, exercise or defend legal claims;
     • The Data Subject objected to processing pursuant to Article 21(1) of the Regulation, pending verification whether the legitimate grounds on the part of the Data Controller outweigh the legitimate grounds of the Data Subject;
   • the right, where the processing of Personal Data has been restricted pursuant to subparagraph (i) of this point (d) of point J hereof, to have such restricted Personal Data processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State, with the exception of retention;
   • the right to be informed in advance of the lifting of the restriction on the processing of Personal Data;

   The Data Subject's right to restrict the processing of Personal Data means that until we have resolved any disputed issues regarding the processing of your Personal Data, we must restrict the processing of your Personal Data so that we can only store and not further process the Data Subject's Personal Data.

5. the right of the Data Subject to comply with the notification obligation towards the recipients, which includes:
   • the right to have the Data Controller notify any recipient to whom Personal Data have been disclosed of any rectification or erasure of Personal Data or restriction of processing carried out pursuant to Articles 16, 17(1) and 18 of the Regulation, unless this proves impossible or involves disproportionate effort;
   • o the right for the Data Controller to inform the Data Subject about these recipients, if the Data Subject so requests;

   The right of the Data Subject to comply with the obligation to notify the recipients means the obligation of the Data Controller to notify each recipient to whom the Data Subject's Personal Data has been provided of any rectification and erasure of Personal Data or restriction of their processing. The Data Controller does not have this obligation only if such notification is impossible for objective reasons or requires disproportionate effort.

6. ) the right of the Data Subject to the portability of Personal Data, which includes:
   • the right to obtain the Personal Data concerning the Data Subject which he or she has provided to the Data Controller in a structured, commonly used and machine-readable format and the right to transfer that data to another controller without being prevented by the Data Controller if:
     • the processing is based on the Data Subject's consent pursuant to Article 6(1)(a) of the Regulation or Article 9(2)(a) of the Regulation, or on a contract pursuant to Article 6(1)(b) of the Regulation, and at the same time;
     • the processing is carried out by automated means, and at the same time;
     • the right to obtain Personal Data in a structured, commonly used and machine-readable format and the right to transfer such data to another controller without being hindered by the Data Controller will not have adverse effects on the rights and freedoms of others;
   • the right to transfer Personal Data directly from one data controller to another data controller, where technically feasible;

   The right to data portability means that you have the right to obtain from us your Personal Data that you have previously provided to us in a structured, commonly used and machine-readable format, and you have the right to request that we transfer your Personal Data to another data controller, subject to the fulfilment of legal conditions; the exercise of this right is without prejudice to your right to erasure of your Personal Data. However, the right of portability only applies to Personal Data that we have obtained from you on the basis of a contract to which you are a party.

7. the right of the Data Subject to object, which includes:
   • the right to object at any time, on grounds relating to the particular situation of the Data Subject, to processing of Personal Data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the Regulation, including objections to profiling based on these provisions of the Regulation;
   • [in the case of the exercise of the right to object at any time, on grounds relating to the particular situation of the Data Subject, to processing of Personal Data concerning him or her which is carried out on the basis of Article 6(1). (e) or (f) of the Regulation, including to object to profiling based on those provisions of the Regulation] the right not to further process the Data Subject's Personal Data unless the Data Subject demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims;
   • the right to object at any time to the processing of Personal Data concerning the Data Subject for direct marketing purposes, including profiling to the extent that it is related to direct marketing; provided that if the Data Subject objects to the processing of Personal Data for direct marketing purposes, the Personal Data may no longer be processed for such purposes;
   • (in relation to the use of information society services) the right to exercise the right to object to the processing of Personal Data by automated means using technical specifications;
   • the right to object, on grounds relating to the particular situation of the Data Subject, to processing of Personal Data concerning the Data Subject where the Personal Data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, except where the processing is necessary for the performance of a task carried out for reasons of public interest;

   The right of the Data Subject to object therefore means that you, as a Data Subject, can object to the processing of your Personal Data that we process for direct marketing purposes or for legitimate reasons. We will stop processing Personal Data for marketing purposes as soon as we receive an objection.

8. the right of the Data Subject related to automated individual decision-making, which includes:
   • the right not to be subject to a decision which is based solely on automated processing of Personal Data, including profiling, and which has legal effects concerning him or her or similarly significantly affects him or her, except pursuant to Article 22(2) of the Regulation [i.e., except where the decision is: (a) necessary for entering into or performance of a contract between the Data Subject and the Data Controller, (b) permitted by European Union law or the law of a Member State to which the Data Controller is subject and which also provides for appropriate measures guaranteeing the protection of the rights and freedoms and legitimate interests of the Data Subject, or (c) based on the Data Subject's explicit consent];

   The Data Subject's right relating to automated individual decision-making means that as a Data Subject you have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects concerning you or similarly significantly affecting you. Where such processing is necessary for the conclusion or performance of a contract or based on the Data Subject's explicit consent, the Data Controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject, in particular by adopting minimum measures, such as the right to human intervention on the part of the Data Controller, the right of the Data Subject to express his or her point of view and the right of the Data Subject to contest the decision.

9. The right of the Data Subject to file a petition for initiation of proceedings within the meaning of Paragraph 100 of the Personal Data Protection Act, which includes:
   • the right of a Data Subject who believes that his or her Personal Data is being unlawfully processed or that his or her Personal Data has been misused to file a petition with the Authority for Personal Data Protection of the Slovak Republic (hereinafter referred to as "the Authority") to initiate a Personal Data protection proceeding;
   • The application to initiate proceedings may be made in writing, in person or orally on the record, by electronic means and must be signed by a certified electronic signature, by telegraph or by telefax, but must be completed in writing or orally on the record within 3 days at the latest;
   • In accordance with the provisions of Paragraph 100(3) of the Personal Data Protection Act, the proposal in question must include:
     • the name, surname, permanent address and signature of the applicant;
     • identification of the person against whom the proposal is directed; name or first and last name, registered office or permanent residence, or legal form and identification number;
     • the subject matter of the proposal, indicating which rights the applicant claims have been infringed in the processing of Personal Data;
     • evidence in support of the claims made in the proposal;
     • a copy of the document evidencing the exercise of the right under paragraph 28, if such right could have been exercised, or a statement of reasons of special consideration;
   • The Authority shall then decide on the applicant's proposal within 60 days from the date of initiation of the proceedings. In justified cases, the Authority may extend this period reasonably, but not for more than 6 months. The Authority shall inform the parties in writing of the extension of the time limit;
   • You can find a template for a Personal Data protection procedure on the website of the Authority (https://dataprotection.gov.sk/en/)

Legal basis for processing Personal Data

The Data Controller processes your Personal Data within the meaning of Article 6(1)(a) of the GDPR, or Article 13(1)(a) of the Act - the Data Subject has consented to the processing of his or her Personal Data for one or more specific purposes, within the meaning of Article 6(1)(b) of the GDPR, or Article 13(1)(b) of the Act - the processing is necessary for the performance of a contract to which the Data Subject is a contracting party, or to carry out pre-contractual measures at the request of the Data Subject, but in particular within the meaning of Article 6(1)(f) of the GDPR or Article 13(1)(f) of the Act - processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of Personal Data, in particular where the Data Subject is a child. With regard to special regulations, we process your Personal Data in particular in accordance with:

• Act No. 186/2009 Coll. on Financial Intermediation and Financial Counselling and on Amendments and Additions to Certain Acts;
• Act No. 395/2002 Coll. on archives and registers and on amendments to certain acts;
• Act No. 431/2002 Coll. on Accounting, as amended;
• and others.

Cookie Policy

In accordance with § 55 (5) of Act No. 351/2011 Coll. on electronic communications, as amended, we would like to inform you about the use of cookies and draw your attention to the possibility of changing the settings of your internet browser in case the current setting of the use of cookies does not suit you.

What are cookies?Cookies are small text files that can be sent to your browser when you visit a website and stored on your device (computer or other internet-enabled device, such as a smartphone or tablet). Cookies are stored in your browser's file folder. Cookies usually contain the name of the website from which they originate and the date on which they were created. The next time you visit the site, the web browser will reload the cookies and send this information back to the website that originally created the cookies. The cookies we use do not harm your computer.

Use of cookies By using the sites operated by Winners Group, a. s. you agree to the use of cookies in accordance with your browser settings. If you visit our website, have cookies enabled in your browser, do not change your browser settings and continue to visit our website, we consider this to be an acceptance of our terms of use for cookies.

Why do we use cookies? We use cookies to optimally create and continuously improve our services, to adapt them to your interests and needs and to improve their structure and content, as well as to create interesting offers for you. Winners Group, a. s. does not use the data obtained through the use of cookies as contact data to contact you by mail, e-mail or telephone.

How can you change your cookie settings? Most web browsers are initially set to automatically accept cookies. You can change this setting by blocking cookies or by notifying us if cookies are to be sent to your device. Instructions on how to change cookies can be found in the "help" option of each browser. If you use different devices to access the site (e.g. computer, smartphone, tablet), we recommend that you adapt each browser on each device to your cookie preferences.

Why keep your cookie settings? The use of cookies and their permission in your web browser is at your discretion. However, if we change their settings, some of our websites may have limited functionality and a reduced user experience.