Personal Data Processing and Cookies
Personal Data Processing
We protect your data. We consider our clients’ privacy and the protection of their personal data as a primary obligation.
We handle personal data solely in compliance with valid legislation. In this document, we introduce the principles that clarify what we do to ensure the confidentiality and security of the personal data that is processed and provide information on the rights relating to personal data processing. This document is aimed at providing information on the personal data we collect, how we handle such data, the sources from which we obtain such data and for what purposes we use them, to whom we are allowed to provide such data and where you can obtain information on the personal data we process.
Prague Stock Exchange, a.s., (ID No.: 47115629, hereinafter the “PSE”) is the controller of the personal data that you provided to the PSE or your personal data that the PSE obtained (see the chapter Source of Personal Data below) to fulfil one or several purposes. The PSE collects the data, disposes thereof and is liable for its due and legal processing. You can exercise your rights with the controller in the manner specified below.
You can contact the controller or its data protection officer with queries concerning personal data processing; the contact data of the administrator and the data protection officer is available in the Contacts tab.
Basic Principles of Personal Data Processing
We follow, in particular, the following principles when processing personal data:
when processing personal data, we fulfil all obligations imposed by legal regulations;
when processing personal data, we act fairly and transparently and exert our best efforts to restrict the purposes and extent of personal data processing to the necessary minimum;
we exert our best efforts to ensure that the data subject’s rights and freedoms are not infringed and that the data subject is protected against unauthorised interference with its private and personal life;
we provide information on the processing of personal data before the commencement of a contractual relationship or the provision of a service by our company;
we have implemented an information security management system pursuant to the ČSN ISO/IEC series 27000 standard (“Information Technologies – Security Techniques – Information Security Management Systems”).
Scope of Personal Data Processing
We only process such data that helps us provide you with professional services and comfortable assistance and enables us to fulfil our legal obligations and contractual undertakings and to protect our legitimate interests.
We collect data mainly on persons buying or selling investment instruments. Depending on the situation, we also process data on representatives, including members of statutory bodies and employees of the participants in the capital market and other contractual partners. We process your basic personal data, data on the products and services you use and how you use them, and data from our communication and interaction, as well as other data in such a way that the scope of such data is reasonable, relevant and restricted to the necessary extent with regard to the purpose for which we collect and process your data. Our main purpose is to provide you with professional services and comfortable assistance while complying with our legal obligations and protecting our legitimate interests; below you will find a list of purposes for which we process your data, as well as a description of specific data processed for the given purpose.
We process your personal data to the following extent and for the following purposes:
|Personal Data Category||Purpose of Processing|
|identification and contact details of investors in securities (mainly name, surname, title, ID No., date of birth, birth registration number, asset account number, cash account number),||fulfilment of legal obligations|
|tax residency,||fulfilment of legal obligations|
|transaction data and results relating to the trading of securities and transfers,||fulfilment of legal obligations|
|identification data and contact details of contractual partners, issuers, exchange members and participants in the capital market (in particular, name, surname, ID No., VAT No., phone numbers, emails, data box IDs, bank accounts, addresses, ID card numbers),||fulfilment of contractual and legal obligations (reporting duty of issuers, invoicing, inspection activities)|
|electronic means of communication used for authentication and authorisation when accessing our systems, websites and mobile applications (digital signatures, certificates, usernames, SMS codes, notifications, serial numbers, MAC addresses) and records of their use,||fulfilling legal obligations (legal obligation to secure data and to identify the person acting)|
|records of activity in our systems, devices and applications (log identification details, monitoring applications and systems),||fulfilling legal obligations (legal obligation to secure data), legitimate interest (optimising the availability of services)|
|records of client communications,||fulfilment of legal obligations (measures against the legitimisation of the proceeds of crime and financing of terrorism), legitimate interest (resolution of complaints and disputes, protection and enforcement of rights, management and collection of receivables)|
|contact details of entities (mainly email address, phone number, company name, job position, social network links) which have consented to the data processing,||consent (business offers to the START market)|
|identification data (especially name, surname, title, contact details) and other data from the CVs of job applicants,||legitimate interest (selection of suitable candidates for job positions)|
|identification details of persons entering the controller’s premises (visits, business partners, etc.) and video recordings of such persons via camera systems monitoring the premises used by the controller,||legitimate interest (ensuring the security of the premises and protecting property)|
|telephone line records to support trading,||fulfilment of legal obligations (measures against the legitimisation of the proceeds of crime and financing of terrorism, control and prevention of market abuse), legitimate interest (resolution of complaints)|
|arbitrators’ identification data and contact details (name, surname, address, phone, email, birth registration number, bank account, data box ID),||fulfilling agreements, legitimate interest (possible review of a decision by a court)|
|data on participants in arbitration proceedings (name, surname, address, phone, email, birth registration number, data provided in arbitration proceedings),||fulfilling the contract (fulfilling obligations under the Exchange Arbitration Court), legitimate interest (possible review of a decision by a court), fulfilling legal obligations|
|cookies||legitimate interest (website operation)|
Purposes and Duration of Personal Data Processing
We process your personal data to the extent necessary for the relevant legal purpose – for example, to keep proper records of dematerialised securities, provide legally defined data on stock exchange transactions to the Czech National Bank or to fulfil the identification obligation under Act No. 253/2008 Sb., on Certain Measures Against the Legitimisation of the Proceeds of Crime and Financing of Terrorism. We process certain data since it is necessary to protect the rights and interests of our company and third parties or to fulfil the rights and obligations arising from agreements.
The purposes of processing include the following categories:
without the data subject’s consent:
Fulfilment of obligations arising from legal regulations – the processing of personal data is necessary for this purpose since it is stipulated by law or another generally binding legal regulation (e.g. fulfilment of the obligation to act cautiously, fulfilment of the reporting duty for the given supervisory authority and public authority, fulfilment of obligations concerning the enforcement of decisions, fulfilment of the obligation to identify and check the client and other obligations in the area of the prevention of money laundering, control and prevention of market abuse, archiving duties); these are mainly the following regulations:
Act No. 256/2004 Sb., on Trading on the Capital Market,
Act No. 253/2008 Sb., on Certain Measures Against the Legitimisation of the Proceeds of Crime and Financing of Terrorism,
Act No. 164/2013 Sb., on International Cooperation in Tax Administration;
Act No. 563/1991 Sb., on Accounting;
Act No. 235/2004 Sb., on Value Added Tax;
Regulation (EU) No 596/2014 of the European Parliament and of the Council on market abuse and Directive 2014/57/EU of the European Parliament and of the Council on criminal sanctions for market abuse,
Regulation (EU) No 600/2014 of the European Parliament and of the Council on markets in financial instruments (MIFID 2 and MIFIR) and relevant implementing technical standards (RTS and ITS),
Directive 2014/65/EC of the European Parliament and of the Council on markets in financial instruments,
Agreement No. 72/2014, Collection of International Agreements, between the Czech Republic and the United States of America on Improvement of Compliance with Tax Regulations in an International Scope;
Commission Implementing Decision (EU) No. 2016/1250, on the adequacy of the protection provided by the EU-U.S. privacy shield,
Decree No. 424/2017 Sb., on reporting duties of some entities operating on the capital market.
The PSE processes personal data for such purposes for the necessary period while taking into account requirements for legally defined archiving periods of data retention.
Performance of contractual relationship – personal data processing is necessary for the due fulfilment of the rights and obligations arising for the controller from contractual relationships. The controller processes personal data for this purpose throughout the contractual relationship.
Controller’s legitimate interest – processing personal data is necessary for this purpose (e.g. physical protection of the controller’s premises, dispute resolution and protection and enforcement of the controller’s rights, management and collection of receivables, analysis and evaluation of potential risks, software testing) within the same scope as for the implementation of the contractual relationship. The controller processes personal data for this purpose throughout the contractual relationship and until the expiry of limitation periods arising from the performance of rights and obligations under the given contractual relationship. In its legitimate interest, the controller processes data on persons entering the controller’s premises for the purpose of their identification and registration, as well as while monitoring designated areas of the premises with camera systems, with or without recording, for the time necessary to protect the controller’s interests. The controller also processes data on job applicants for the purposes of assessing their suitability and comparing their CVs for the duration of the selection procedure.
with the data subject's consent:
for other purposes (such as for marketing purposes, etc.).
The data that you provide to us with your consent is provided voluntarily. If the data is processed with your consent, such consent is granted for the time stated in the consent.
In most cases, the data is processed for several legal reasons which may be in effect concurrently or follow each other.
Source of Personal Data
Depending on the situation, we process data that we received from the participants in the capital market, from entities with which we have concluded an agreement, data obtained while concluding an agreement, data from publicly available sources and registers, lists and records (such as the Commercial Register) and data from third parties if a special regulation so stipulates. In order to comply with the law or contractual relationship, the data may be transferred to affiliated entities within our PX holding group (Central Securities Depository Prague, a.s. and Prague Stock Exchange, a.s.).
Data from you or your representatives – data you provide to us or that is provided to us, e.g. as part of a request for a product/service or while implementing a contractual relationship.
Data as a result of participation in the capital market and using exchange services – data which is automatically recorded by exchange systems and devices during the execution of transactions, such as placing orders for trading via application of participants in the capital market.
Data from publicly available sources – mainly sanction lists of entities associated with terrorism and other internationally monitored entities subject to international sanction programmes, insolvency register, bankruptcy register, central enforcement register, registers of invalid or stolen documents, register of economically affiliated groups, trade register, commercial register and more.
Data from the Internet – mainly IP address, cookies, identification of devices from which you connect, browser information, etc. while visiting our website or connecting to the exchange systems.
Data from our web forms – mainly data you provide to us in connection with using our services.
Method used for Personal Data Processing
The PSE processes personal data by automated means and manually.
Disclosing Personal Data to Third Parties
In principle, we process personal data within our company. We only provide the data to third parties with your consent or if it is stipulated by law (e.g. to a supervisory authority operating in the capital market). Where it is necessary to achieve any of the above-mentioned purposes, in particular, if the relevant external entity has attained the necessary professional and expert level in the relevant area, your data may be processed by cooperating contractors.
The PSE transfers the personal data of persons buying and selling investment instruments to government supervisory authorities and other entities under legal regulations – these are mainly state administration bodies, courts, law enforcement bodies, enforcement entities, notaries (court commissioner), tax offices, etc. We are obliged to transfer your data to various national and international authorities, but always in compliance with applicable legal regulations.
The PSE processes personal data through its own employees as the personal data controller or through its suppliers. The PSE shall ensure technical, organisational and personnel measures that lead to a high level of protection and personal data security. If we commission another person to perform certain activities that constitute a part of our services, the supplier may have access to the relevant personal data. The supplier is entitled to handle personal data solely for the purposes and to the extent to which it is contractually authorised to do so by the PSE. In such an event, your consent to the performance of the activities is not required since such processing is allowed directly by law. Where we use cloud storage sites, a high level of data security is ensured. Suppliers include, in particular, the following:
external IT service providers,
providers of cloud storage services,
entities collecting our claims,
companies and persons providing legal services,
companies providing data and document archives,
providers of printing and postal services,
reception and security service providers.
We may also provide your personal data to another member of the group in the Czech Republic, namely to Central Securities Depository Prague, a.s., if the conditions stipulated by legal regulations are met.
We may disclose your personal data to recipients and processors in third countries if the legal conditions are met (compliance with international tax cooperation obligations). In these cases, the same protection of your personal data is guaranteed by contractual and legal regulation as in the case of the PSE.
Data Subject’s Rights
We process your data transparently, fairly, correctly and in accordance with the law. You have the right to access your data and a right to explanation, as well as other rights if you believe that the processing is not correct. You may also submit a complaint to the Office for Personal Data Protection. You can exercise your rights in the relevant company from our group with which you have a relationship.
You can contact the controller or its data protection officer with queries concerning the processing of personal data; the contact data of the administrator and the data protection officer is available in the Contacts tab. You can also contact the controller in writing at its address, which is also listed in the Contacts tab.
Right of access to personal data and right to be informed – you are entitled to access your personal data, in particular, the information on the processing of your personal data, without prejudice to third-party rights. For repeated requests, we may request reasonable compensation for providing the information, which must not exceed the costs necessary for the provision of the information.
Right to personal data correction – if your personal data is incorrect or inaccurate, you may request the correction of such data. It is possible to request the completion of incomplete data, taking into account the purposes for which the data is processed.
Right to removal – you are entitled to have your personal data removed if our processing is unauthorised or if your consent to its processing has been revoked.
Right to raise an objection – should the controller breach its obligations concerning the collecting or processing of personal data, you are entitled to request that the controller provides an explanation of such conduct, refrains from such conduct or remedies the relevant situation.
Right to file a complaint with the supervisory authority – you are entitled to file a complaint with the supervisory authority (Office for Personal Data Protection, https://www.uoou.cz/en/) if you believe that the processing of your personal data violated its protection.
Other rights – you have the right to restrict the processing and the right to data transferability under the conditions laid down by law.
Here are some practical tips:
You don’t wish to, or cannot, provide us with your personal data. – You can refuse to provide us with the personal data we request. However, if the provision of such data is mandatory according to the law, we cannot provide you with the related service.
Do you wish to revoke your consent? – You may withdraw your consent at any time in those cases where we have requested your consent to carry out the data processing. Revoking your consent is without prejudice to the processing of your data for the period for which your consent has been validly given or to the processing of your data for other legal reasons, where applicable (e.g. compliance with legal obligations or for the purposes of our legitimate interests).
Do you wish to restrict marketing?
If you gave us your consent for marketing or if you receive newsletters from us for any other rightful reasons, you may revoke your consent at any time or you may unsubscribe from our newsletters in the following manners:
the possibility of cancelling the newsletters is incorporated directly in our newsletters;
if you no longer wish us to call you, please inform us during a telephone conversation;
you can inform us at our registered office or in writing that you no longer wish to receive our newsletters.
If you wish to restrict or revoke your consent to data processing for marketing purposes, please fill in this document and send it to us at info(a)pse.cz . You may also change the settings of your consent at some of our electronic gateways.
Please note that if you restrict marketing, we may still contact you for servicing purposes, and therefore we may use your contact data to send you service messages and for purposes other than marketing.
Visitors to our website may revoke their consent to the processing of cookies in the manner stated below.
What are cookies and why do we use them?
A cookie is information that is stored on your device as a small data file whenever you visit a website. Each time you visit the same server, the browser sends such data back to the server. They are used by most websites. Cookies are commonly used to differentiate individual users and help to remember their activities and preferences for a certain period of time so they do not have to re-enter them when they return to the site or go from page to page, thus making web browsing easier and more enjoyable. Information from cookies can also be used for targeted advertising and statistical evaluation of visitor behaviour. Cookies can never be used by third parties to identify visitors. Further information on this topic is available at https://www.aboutcookies.org .
Users may opt into or out of the cookies. This may be changed at any time and can be done directly via your browser settings. Further information is provided below.
What types of cookies are used on the website?
Our website collects cookies from our website and cookies from external services.
|Name||Expiration||Who can access the information||Description|
|prague_stock_exchange_session||2 hours||cookies from our website||to identify the browser’s connection to the server|
|XSRT-TOKEN||2 hours||cookies from our website||to secure web forms and to ensure protection against robots, misuse and theft of data entered into the form|
|cookie-bar||visit||cookies from our website||for the acceptance of cookies on the website by the user|
These cookies are functional cookies, i.e. if you block their use in the browser settings, the functionality of the website may deteriorate significantly.
|Service||Description and link to the provider’s detailed information|
Website traffic analysis. A website analysis tool from Google which stores cookies in your browser in order to make a report on the behaviour of the users of the site. The IP addresses of website visitors are anonymised, i.e. these cookies detect how you interacted with our website – as an anonymous user.
Measuring the effectiveness and implementation of online marketing campaigns (advertising). The tool helps to view personalised advertising based on users’ behaviour on the website.
Displaying content from the Facebook server and evaluating the viewing of such content by visitors to the website.
Displaying content from the LinkedIn server and evaluating the viewing of such content by visitors to the website.
Displaying short messages from the Twitter server and from the PSE’s Twitter account and evaluating the viewing of such content by visitors to the website.
Displaying videos from the YouTube server and evaluating the viewing of such content by visitors to the website.
Can I influence the processing of cookies?
You can delete or block cookies from your computer at any time. Further information is available at https://www.aboutcookies.org .
You can delete cookies in your browser, usually in the search history settings or the history of pages visited. However, keep in mind that it can also mean that you will lose some of the stored information (e.g. saved login passwords, personalisation of some websites, etc.).
Management of Cookies from Specific Websites
If you want to perform a more detailed check on cookies from specific websites, use the privacy and cookies settings in your browser.
Browsers can be set to prevent the use of any cookies on your device. However, you may need to adjust some preferences on some websites manually each time you visit.
Google Analytics Opt-out
You can prevent Google Analytics from storing cookies by installing the Google Analytics Opt-out browser extension ( https://tools.google.com/dlpage/gaoptout ).
How can you check or change cookie settings in different browsers?
Here you will find information for settings in specific browsers:
|Browser||Instructions for a given browser|