Privacy Policy Ultima Payments a.s.
Ultima Payments a.s., a company registered under the laws of Slovakia, with its registered office at Panenská 13, Bratislava – Old Town 811 03, Slovakia, and identification number 46 955 208, registered in the Commercial Register of the District Court Bratislava I, Section: Sro, insert no. 6792/B (hereinafter referred to as the “Company” or “Controller”), is authorized to provide payment services in accordance with the relevant provisions of Act No. 492/2009 Coll. on payment services and on the amendment of certain laws, as amended (hereinafter referred to as the “Payment Services Act”), within the framework of the decision of the National Bank of Slovakia.
As part of the applicable legislation, we are obliged to ensure compliance with all rules related to privacy protection and the processing of personal data when providing our services, in accordance with these Privacy Policy guidelines (hereinafter referred to as the “Policy”) and the relevant legal provisions.
The purpose of this Policy is to identify the scope of personal data processing, the conditions and procedures for processing, storing personal data, as well as the period during which we are authorized to store such personal data. This document also outlines the rights of data subjects concerning their personal data and the ways to exercise these rights in accordance with the applicable legislation. The rules apply to all individuals who have given the Company consent to process their personal data, entered into a contract with the Company, where the processing is necessary for the fulfillment of a legal obligation of the Company, or whose personal information is processed based on the legitimate interest of the Company.
When processing personal data, we primarily comply with Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation or “GDPR”), which also governs the rights of data subjects, as well as the provisions of Act No. 18/2018 Coll. on the protection of personal data and on the amendment of certain laws (the “Personal Data Protection Act”), which apply to us, and all other applicable legal provisions.
In this Policy, personal data of data subjects are referred to as “personal data.” Personal data are any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”) as defined in Article 4(1) of the GDPR. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, email address, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Art. 1: Purpose of Processing Personal Data
1. The Company is a payment institution that, according to the Payment Services Act, provides payment services and other services related to the provision of payment services, while also performing activities required by specific legal regulations, during which personal data processing is inevitably involved, such as Act No. 297/2008 Coll. on the protection of money laundering and the financing of terrorism, and its related legal provisions, including the Company’s Anti-Money Laundering (AML) Program (hereinafter referred to as “AML Regulations”).
For the purpose of providing payment services, conducting business activities, and performing related activities under special regulations, the Company must process personal data about data subjects, whether they are customers of the Company or not. The main purpose of processing personal data is to fulfill contractual (as well as pre-contractual) legal obligations of the Company. These include, primarily, identifying customers and verifying their identification, performing customer due diligence in accordance with special regulations and procedures, opening a payment account in the name of a natural person, providing payment transactions and other services, receiving and handling customer complaints (claims), relationship management, protection and exercise of the Company’s and its customers’ rights, safeguarding the Company’s property and protecting the funds of payment service users, protecting the legally protected interests of the Company – namely, preventing illegal activities and criminal actions, and fulfilling any related obligations in monitoring these goals.
2. To improve and streamline our services and meet legal obligations, the profiling of our clients is necessary. Profiling is used to provide payment services and continuously improve their provision, comply with legal obligations, and obligations arising from AML regulations, marketing purposes, and preventing actions that would contradict valid and effective laws. To these ends, the Company in certain cases performs automated individual decision-making, including profiling.
3. If a data subject does not wish for their personal data to be used for direct marketing, automated decision-making, including profiling for direct marketing purposes, they may exercise the right to object to the processing of personal data according to these principles.
4. The Company collects personal data directly from the data subjects or from publicly accessible registers and sources.
Art. 2: Legal Basis and Reason for Processing Personal Data
1. Personal data of all data subjects are processed in accordance with all applicable legal provisions, primarily the GDPR, based on one or more of the following legal grounds:
(i) the processing is necessary for the performance of a contract or for the preparation of a contract and the opening of a customer’s payment account;
(ii) the processing is carried out based on the consent of the data subject;
(iii) the processing is necessary for compliance with legal obligations in accordance with specific legal provisions regulating the relevant area of legal relationships (e.g., the Payment Services Act, AML Regulations, and all related legal acts and regulations of the National Bank of Slovakia and other competent authorities).
The Company processes personal data based on consent provided by the data subject in accordance with Article 6(1)(a) GDPR, in accordance with Article 6(1)(b) GDPR, in accordance with Article 6(1)(c) GDPR, or also Article 6(1)(f) GDPR. If personal data are processed based on legitimate interests, the data subject will be appropriately informed in advance.
2. If personal data are processed based on a legal requirement, such as for the purpose of opening a payment account, providing payment services, identifying customers, and fulfilling other obligations based on AML regulations, the provision of the required data by the data subject is a legal obligation, and without this provision, the payment service cannot be executed or, in legally defined cases, the execution of the payment service may be withheld, and the relevant customer behavior may be reported as an illegal transaction to the appropriate authorities, with further actions taken to protect against money laundering and terrorism financing.
3. If the data subject has provided specific consent to the Company or our business partner for processing for a specified purpose, the lawfulness of such processing is usually based on this consent, a contractual relationship with the Company, or the relevant legal authorization.
4. In the course of its business activity, the Company is required to act with due professional care, and in this regard, has a legitimate interest in preventing criminal or other unlawful actions that could cause damage or harm to the Company or other payment service users, or negatively affect the reputation of the Company or the functionality of the payment institution. Based on these reasons, the Company is authorized and obliged to identify each individual, apply principles and procedures for monitoring their behavior, and actively monitor risk factors related to such individuals, as part of applying the “Know Your Customer” (KYC) policy.
5. The legitimate interest of the Company also includes obtaining, recording, organizing, structuring, storing, and processing personal data to improve service provision, enhance the security of the used system, and facilitate targeted marketing.
Art. 3: What Data is Processed and Collected
1. The Company processes all necessary personal data of the data subjects required to fulfill each purpose of personal data processing by the Company (as stated in Article 1), in the scope necessary to achieve this goal.
2. In relation to the opening of a payment account and the provision of payment services, we primarily process the following personal data:
- Identification data (name, surname, date of birth, birth number, type and number of identity document, nationality, photograph from the identity document, or other identification data),
- Contact details (e.g., permanent/temporary address, email address, phone number),
- Data necessary for performing due diligence in relation to the client under AML regulations, such as verification of the client’s identification, details of the beneficial owner, whether the person is a politically exposed person or subject to any international sanctions, nature and purpose of the business or contractual relationship, provision of at least two identification documents and documents confirming and verifying the data provided by the client (e.g., account statement, service account, or invoice),
- Data related to the use of our websites and applications (e.g., cookies), and data necessary to use the systems.
3. The Company is authorized to obtain and process data about individuals from other sources provided by the data subject. It is also authorized to collect photographs, scans (or other electronic forms of displaying the relevant documents), contracts, and confirmations in accordance with the relevant legal provisions. Personal data is processed through copying, scanning, or other recording methods, including the following personal data: image, title, first name, surname, maiden name, birth number, date of birth, place and district of birth, permanent address, temporary address, nationality, record of legal capacity limitations, type and number of identity document, issuing authority, date of issue, and validity of the identity document.
4. To fulfill legal obligations, the Company processes personal data according to Sections 88 and 88a of the Payment Services Act. The Company is also required to process personal data about the data subject to the extent necessary for identification in accordance with Act No. 297/2008 on the protection against money laundering and the financing of terrorism, and other AML regulations.
5. For the provision of all services and fulfillment of legal obligations, the Company is authorized to process biometric data of data subjects in specific cases. Biometric data processing, such as facial recognition, occurs based on the data subject’s consent. If explicit consent for the processing of biometric data is not granted, it will not be possible to perform the necessary action under legal provisions (such as the required client due diligence), and the Company will not be able to enter into a contract with such a person.
6. The Company deems it necessary to monitor places where our services are provided through video recording in specific cases, and the legal basis for processing personal data through this video system is the legitimate interest of the Company.
7. The Company processes personal data for direct marketing purposes related to the use of websites and applications (e.g., cookies), data arising from social media activity, and relevant data processed about clients in the information system, including geolocation data (e.g., transaction location data, device identification used for the transaction, location where a payment card was used, etc.).
8. In cases where personal data processing is based on the client’s consent, such as in direct marketing, providing certain data by the client is voluntary. To tailor the product and service offerings to specific clients, the Company evaluates the information it processes about them in order to provide targeted offers and minimize the sending of untargeted marketing offers.
Art. 4: Cookies
1. The website of Ultima Payments payment institution https://www.ultimapayments.com (hereinafter referred to as the “Portal”), through which you access the services of our Company, uses “Cookies.” Cookies are small files that the portal stores on the devices accessing the portal, and they serve various purposes listed below:
a) to ensure the proper functioning of the Portal (necessary cookies),
b) for personalization, analytical, and statistical purposes,
c) for marketing purposes.
2. Cookies are used to improve the functionality of the Portal for both us as the Operator and the data subjects. For example, cookies collect statistics on how users interact with the Portal, their accounts, and the services provided by our Company, including which subpages they visit, which buttons and links they click, and so on. Based on the results of these statistics and analyses, the Portal and its functionality are adapted to meet our needs and, at the same time, the needs of the data subjects for the best user experience, comfort, and functionality.
3. We also collect information about the devices used to access the Portal, including IP addresses, browser settings, information about the type of browser, and information about your mobile device, as well as the website from which you accessed our portal, etc.
4. Cookies will not be stored on the data subjects’ devices through the Portal unless they give us consent; however, this does not apply to cookies that are necessary for basic access and use of the portal (“necessary cookies”), for which consent is given by simply using the website. The storage of cookies can be configured/restricted/disabled within the data subject’s browser.
5. When using the portal, cookies necessary for the basic functionalities of the portal are stored on the data subject’s device, as well as cookies for which consent is given upon the first visit to the Company’s Portal. A description of the basic functionality of the relevant type of cookies is provided in the tool through which the data subjects can manage their cookie preferences. Consent for processing them allows their provision to the relevant persons and entities.
6. Below is an overview of third-party services whose cookies are stored on the data subjects’ devices when using our portal (after consent for the relevant type of cookies has been granted):
| Type of Cookie | Purpose of Use | To Whom/What (Service) They Serve |
|---|---|---|
|
Necessary for Basic Functionality |
These cookies allow us to identify the activity when you are logged into your payment account within the Ultima Payments system, and when you use any payment service provided by Ultima Payments, ensuring the delivery and proper functioning of all systems involved in this process.
|
Company |
|
Security, Ensuring System Stability |
Support and ensure access to security systems and systems that maintain the stability of the system, ensuring the security of the service provided, all parties involved, and the stability of the system (e.g., activity logs at the relevant time, etc.). |
Company and Third Parties |
|
Advertising |
Tools such as cookies are used to understand how displayed and used advertisements appear, improve the way they are shown on the end device, increase the relevance of the displayed advertising space, and enhance its effectiveness and efficiency to meet your needs and preferences as closely as possible. |
Company and Third Parties: Google Google Ads Google Analytics Google Captcha |
|
Analytical and Localization |
These ensure the provision of a more accurate experience and improve the experience when using services, such as displaying devices related to the service in your vicinity, etc. |
Company |
7. The settings for using cookies, including the individual types of cookies defined in this section of the Policy, can be adjusted via the relevant tool on our Portal. Through this tool, data subjects can change, limit, or disable cookie storage at any time. This means that the data subject’s consent to the processing of their personal data can be revoked at any time (except for the scope defined in paragraph 5 of this article – cookies necessary for basic functionality).
Art. 5: Provision of Personal Data to Third Parties (Categories of Recipients)
Art. 6: Transfer of Personal Data Outside the European Union
We do not intend to transfer personal data of data subjects to third countries, i.e., outside the European Economic Area. Personal data of data subjects may only be transferred to third countries if such transfer complies with the conditions for transfer set forth in Chapter V of the GDPR.
Art. 7: Transfer of Personal Data Outside the European Union
1. Personal data of data subjects are stored in a form and for a period necessary for their identification.
2. If our Company processes personal data of a data subject based on a legal obligation, the applicable legal regulations specify the period during which our Company is required to store the relevant personal data. These legal regulations include:
a) The Payment Services Act, under which our Company is required to keep, secure, back up appropriately, and protect personal data of data subjects against unauthorized access, disclosure, misuse, alteration, damage, destruction, loss, or theft. In order to fulfill the legal obligation, we must archive personal data to the extent necessary for identifying the data subject for at least ten years.
b) Act No. 297/2008 Coll. on the Protection Against Money Laundering and Financing of Terrorism and Amendments to Certain Laws, under which our Company is required to store data and written documents obtained in connection with customer care and the identification of unusual business operations for five years from the end of the contractual relationship with the client (data subject) or for five years from the execution of the transaction.
c) Act No. 431/2002 Coll. on Accounting, under which we are required to store and protect personal data of data subjects and related documents that constitute accounting documentation for ten years following the year to which the accounting documentation pertains.
3. Camera footage recorded in the areas where our Company provides services is stored for 15 days. The footage is then deleted. To handle possible complaints regarding the services we provide or to protect the rights of our clients, it is necessary to retain personal data for more than 72 hours.
4. All biometric data processed based on the explicit consent of the data subject is processed for three years, unless another part of these Policies states otherwise (e.g., if the data is necessary to be retained according to paragraph 1, etc.).
5. Personal data provided/obtained for the purpose of concluding a contract or legitimate interest of the processor is stored for the period necessary to fulfill the purpose for which it was collected, primarily during the validity and effectiveness of the respective contract, until all rights and obligations arising from the contract are properly settled.
6. If personal data of a data subject is processed based on valid and specific consent, our Company will retain the personal data for the period until the consent is revoked or until the purpose of processing the personal data no longer applies. In case of the revocation of valid and effective consent, we will retain the personal data only for the period necessary to demonstrate and defend legal claims against the data subject. The above applies to personal data processed based on a contract or legitimate interest of the Company as well.
7. Once the initial purpose of processing no longer applies, we still have a legal interest in processing the personal data of the data subject, namely for the purpose of archiving. The legal basis for archiving personal data is our Company’s ability to protect the rights and legally protected interests of the data controller, as well as to defend legal claims of the data controller and provide assistance to the relevant authorities in accordance with these Policies. The retention period for archiving is a maximum of five (5) years from the date the reason for processing the data ends, unless a specific legal regulation states otherwise.
Art. 8: Rights of the Data Subject
If the Company processes personal data of a data subject based on their consent to data processing, the data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent does not eliminate our right to process the personal data of the data subject under another specific legal basis (such as the provision of consent). To exercise the right to withdraw consent to data processing, please send an email to [email protected]
The data subject has a broad range of rights regarding the protection of personal data, which they may invoke. Our Company briefly outlines the individual rights of the data subject and how they can exercise them in these Policies. The applicable legal provisions grant the data subject the following rights:
a) Right of Access to Personal Data – Under Article 15 of the GDPR, the data subject has the right to access their personal data. The data controller (our Company) will provide the data subject with a copy of their personal data being processed, electronically via email.
b) Right to Rectification of Personal Data – Under Article 16 of the GDPR, the data subject has the right to rectify their personal data. The data subject has the right to ensure that our Company processes complete and accurate information about them. In cases where the data subject discovers that the personal data we process is incomplete or inaccurate, they can notify us and exercise their right to correction or supplementation.
c) Right to Erasure (“Right to be Forgotten”) of Personal Data – Under Article 17 of the GDPR, the data subject has the right to erasure. The data subject has the right to erasure if at least one of the conditions specified in Article 17 of the GDPR is met.
d) Right to Restrict the Processing of Personal Data – Under Article 18 of the GDPR, the data subject has the right to restrict the processing of their personal data. The data subject has the right to limit our Company’s ability to process their personal data in specific, legally defined situations. In cases where the right to restrict processing is successfully exercised, we will inform the data subject about the possibility of lifting the restriction on the processing of personal data.
e) Right to Data Portability – Under Article 20 of the GDPR, the data subject has the right to data portability. The data subject has the right to transfer their personal data to another data controller, unless otherwise stipulated by specific regulations.
f) Right to Object to the Processing of Personal Data – Under Article 21 of the GDPR, the data subject has the right to object to the processing of personal data. The data subject has the right to object to the processing of personal data carried out for the performance of a task carried out in the public interest or for the purposes of legitimate interest pursued by our Company. This right does not apply to personal data that is necessary for the fulfillment of the Company’s purposes.
g) Right to Object to Automated Individual Decision-Making and Profiling of Personal Data – Under Article 22 of the GDPR, the data subject has the right to object to automated individual decision-making and profiling. If decisions regarding the rights of data subjects are made based on automated individual decision-making, the data subject has the right to object. However, the data subject does not have this right if our Company is fulfilling a legal or contractual obligation, or if the data subject has explicitly consented to such decision-making. In cases where the data subject does not have the right to object to automated individual decision-making, they have the right to human intervention from the data controller, the right to express their point of view, and the right to contest the decision.
Art. 9: Security of Personal Data
We pay significant attention to the security of our clients’ personal data. We implement and, if necessary, regularly review appropriate and reasonable technical and organizational measures to maintain the confidentiality and security of your personal data, taking into account the latest knowledge, the cost of implementing measures, and the nature, scope, context, and purposes of processing, as well as the risks with varying probabilities and severities to the rights and freedoms of individuals. These measures include appropriate technical and organizational actions to ensure a level of security corresponding to the risk (e.g., encryption of personal data where appropriate and feasible, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services, the ability to promptly restore access to personal data and its availability in the event of a physical or technical incident, and processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security, etc.).
We have implemented internal procedures regarding the security of acquiring, storing, accessing, and otherwise handling personal data, as well as access control rules for personal data by specific authorized persons. These technical and organizational measures include actions to address any suspicion of personal data protection breaches. In the event of a risk resulting from a personal data breach, we will promptly inform you if we are unable to address the adverse consequences of such a breach in a timely manner.
Art. 10: Supervisory Authority of the Company and Filing Complaints
If you believe that your rights have been violated and wish to file a complaint regarding how we process your personal data, including submitting a proposal to initiate proceedings under Section 100 of the Personal Data Protection Act, the supervisory authority to which you have the right to submit a complaint is: The Office for Personal Data Protection of the Slovak Republic, located at Hraničná Street No. 12, Bratislava, Slovakia.
Art. 11: Changes to the Privacy Policy
The Privacy Policy has been in effect since June 1, 2022. The information we are obligated to make available to you may change depending on changes in the scope of personal data we process. Any change in the scope of the personal data we process is tied to a change in this Policy. Our Company reserves the right to change these Policies at any time, in any scope. In the event of any changes, our Company is obligated to notify the data subject of the changes to these policies either via email or by publishing the new rules on the website. The changes to the Policy take effect at the time of their publication, delivery, or notification, whichever occurs first.
Art. 12: Contact Information
We welcome constructive feedback regarding our use of the Ultima Payments system and Portal in processing personal data according to these Policies. If you have any suggestions or wish to exercise your rights under these Policies, to clarify specific rights and obligations related to personal data, or to submit any other request, please contact us using the contact details provided below:
Contact Information: Ultima Payments a.s.
Phone: +421 2 5930 5711
Email: [email protected]
Website: https://ultimapayments.com
