FinStat, s. r. o., the company operating the HitHorizons.com website and other services, fully respects and complies with the personal data protection requirements specified in the respective legal regulations; in particular, Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter, the “Regulation”).

I. Who is processing your personal data?

The personal data controller is FinStat, s. r. o., with its registered office at Plynárenská 7/B, 821 09 Bratislava, the Slovak Republic, Corporate ID No.: 47 165 367, incorporated in the Business Register of the Bratislava III Municipal Court, Section Sro, File No. 89268/B (hereinafter referred to as “FinStat”, “we” or the “Controller”).

II. Whose personal data do we process?

FinStat processes data so that it can provide HitHorizons services to its customers and provide them with commercial data about entrepreneurs and companies, politically exposed persons according to the Slovak and Czech applicable law, including politically exposed persons entrusted with prominent public functions in the European Union institutions and bodies (“EU politically exposed persons”) specified in the applicable Commission Decisions and other applicable legislation, as well as family members of EU politically exposed persons and persons known to be close associates of EU politically exposed persons. FinStat also processes data about persons listed in sanctions lists issued by the United Nations, the European Union and the government of the United States of America, included in the national sanctions lists of the Slovak Republic according to Government Regulation no. 397/2005 Coll. and the Czech Republic according to Government Regulation no. 210/2008 Coll., or included in the national sanctions list kept by the Czech Ministry of Foreign Affairs, or in the sanction lists kept by the governments of the UK, France, Switzerland, Canada, Netherlands, Poland, Ukraine, Australia, Bulgaria, New Zealand or Israel.

The general reason of this processing is to enable businesses to manage their financial risks, protect against fraud, know who they are doing business with, meet compliance and regulatory obligations and better understand organisations, industries and markets. By processing personal data, FinStat also aims to enhance transparency, particularly in relation to the use of public funds. Therefore, FinStat processes personal data related to natural persons who are entrepreneurs (such as sole traders), as well as data about companies and information concerning their business activities and business results. This processing also includes the personal data of other natural persons associated with these entrepreneurs or companies, such as members of statutory bodies, individuals with management authority, shareholders, persons with significant control and ultimate beneficial owners, contact persons and other persons who are or have been involved in the companies and whose personal data was published in accordance with the relevant legislation.

III. What type of personal data do we process?

In case of individuals who are entrepreneurs (such as sole traders), we process data including their name, surname, address, registration number, business type, tax and VAT information and other business-related details. In case of other individuals, who are or have been involved in the companies or are featured in various company documents and registers, we process their names, addresses, dates of birth, and other relevant details from the company records, including information about roles in legal entities, such as statutory body members, shareholders, or controlling persons. Additionally, for contact persons or other responsible individuals within business entities, we process their name, surname, contact details (such as address, e-mail address or phone number, which are publicly accessible and include only business-related contact data, i.e. we have implemented reasonable security measures to ensure that email addresses containing names and/or surnames are not used) and information related to their role within in the legal entity.

In case of politically exposed persons, family members of EU politically exposed persons and persons known to be close associates of EU politically exposed persons, their name, surname, information about their name, surname, academic degree, date of birth, address of permanent residence, information about the public function and institution or body where the politically exposed person holds the public function, information about the family or business relationship with a politically exposed person.

IV. On what legal basis is your personal data processed?

We process your personal data in accordance with Article 6(1)(f) of the Regulation, based on the legitimate interests of FinStat, its customers, and the general public. The specific legitimate interests pursued by FinStat or a third party are described in Clause IV.

V. How and why we use your personal data

1. Enhancing Transparency, Tracking Connections Between Legal Entities and Individuals, Identifying True Business Owners and Supporting Journalistic Investigations into Corruption

We process personal data to enhance transparency, particularly in relation to the use of public funds. Additionally, we process data to enable our customers to research and link of legal entities and natural persons, especially those connected to public officials, state-owned enterprises, state suppliers, and recipients of public funds. Additionally, the processing helps FinStat's s customers identify the true owners of other business entities, such as their potential business partners. Furthermore, this processing is also essential for journalists investigating corruption.

Data subjects: sole traders, persons with significant control and ultimate beneficial owners, individuals featured in various company documents and other persons who are or have been involved in the companies.

2. Assessment of Information Accuracy

We process personal data to enable our customers and users to assess the accuracy of information for invoicing and contract-conclusion purposes and to ensure faster and efficient access to accurate data. This includes maintaining correct billing information and improving access to data necessary for business transactions, such as to verify the persons entitled to act on behalf of a legal entity.

Data Subjects: sole traders, contact persons within business entities, including directors and shareholders and individuals featured in various company documents and other persons who are or have been involved in the companies.

3. Business Collaboration and Customer Relations

Personal data is processed and provided to FinStat's customer to enable them to establish new business relationships, maintain existing ones and to simplify communication with their clients and debtors. FinStat's customers use the data also for the purpose of implementing their business and marketing strategies (such as sending newsletters and useful business tips via email marketing to potential business partners), establishing business relationships and monitoring the development of their business partners and competitors.

Data Subjects: contact persons within business entities, including directors and shareholders

4. Credit Risk Management and Due Diligence

Through data processing and provision, FinStat can help its customers to manage credit risk, verify the credibility of their business partners, and analyse the risks associated with business relationships. This process is important for preventing potential damages, ensuring compliance with deadlines, and verifying the trustworthiness of individuals in significant roles. The data also assists FinStat's customers in verifying their business partners before entering into contractual relationships, monitoring payment discipline, bankruptcies, restructuring, winding up, and changes of key individuals in the companies. Additionally, by providing the data, FinStat can support its customers during determining internal credit limits, ratings and setting payment terms.

Data Subjects: sole traders, individuals featured in various company reports and other persons who are or have been involved in the companies, contact persons within business entities, including directors and shareholders and persons with significant control and ultimate beneficial owners

5. Compliance with Legal Obligations and AML

Personal data is processed to help FinStat's customers to comply with anti-money laundering (AML) regulations, including to verify the legal entity, its managing directors and shareholders partners and to assess the connection between individuals and companies, and verify their credibility under various legal standards. Additionally, information about politically exposed persons, their family members, and known business associates is processed to enable our customers (obliged entities) to fulfil their obligations under AML regulations. Information related to individuals on sanctions lists is also processed to ensure compliance with legal obligations. This may include screening individuals against sanctions lists to prevent prohibited transactions or financial relationships, thereby helping our customers avoid engaging in business with individuals or entities subject to legal restrictions.

Data Subjects: individuals featured in various company reports and other persons who are or have been involved in the companies, persons with significant control and ultimate beneficial owners, politically exposed persons according to the Slovak and Czech law, EU politically exposed persons, their family members, business associates, and individuals listed on sanctions lists.

6. Prevention of Fraud and Ensuring Legal Compliance

We process personal data to help our clients to prevent fraud, particularly in relation to VAT and other taxes, by verifying the identity and trustworthiness of business partners. This also includes checking historical business activities to avoid legal and verifying of the reliability of VAT payers in accordance with the relevant legal obligation. The data is used in connection with the control, prevention and detection of fraudulent behaviour. It is also desirable for our clients to check the previous business activities of the relevant individuals of the business partners such as members of the statutory body, performer of control activities and the person authorised to represent or to make decisions on behalf of the legal entity due to the potential criminal liability.

Data Subjects: individuals featured in various company reports and other persons who are or have been involved in the companies, persons with significant control and ultimate beneficial owners

VI. With whom do we share your data?

We may share your personal data to our customers and users of HitHorizons services. In addition to that, your personal data may be provided or made available to certain supervisory bodies, other public administration bodies or public authorities authorised to request such data from FinStat pursuant to the respective legal regulations (in particular, to courts of justice and law enforcement authorities), and to entities providing legal or other professional services to FinStat.

Information about the politically exposed persons, their family members and business associates may only be shared with those customers who are obliged entities under the applicable AML laws.

Furthermore, to the extent necessary, your personal data may be shared with our sales representatives, legal advisors or IT service providers.

VII. How long will your personal data be processed?

Your personal data will be processed and stored for the duration necessary to fulfill the specific purposes of processing, as outlined in our privacy policy. However, the retention periods for specific categories of data are as follows:

• Contact databases: Data will be stored for a period of 10 years.
• Information on persons involved with companies and persons with significant control or ultimate ownership: Personal data will be retained for up to 25 years after the termination of an individual’s role or involvement in a commercial company.
• Information of sole traders: Data will be stored for 10 years after the termination of the business activity.
• Information on persons on sanctions lists: Data are stored during the period in which the person concerned is actively included in the source lists of sanctioned persons.
• Politically exposed persons: FinStat stores the data of politically exposed persons, their family members and business associated for as long as the person meets the definitional criteria of a politically exposed persons under the applicable AML legislation. However, personal data on certain persons who, on the basis of a risk assessment, perform significant public functions with a 'persistent risk' flag, are stored for a maximum period of five years from the date of expiry of the 12 months following the end of the performance of the significant public function by the data subject. This includes individuals who, after April 1, 2019 fulfil the following criteria: have completed performance of one of the following senior public functions of national significance in the past five years in the Slovak institutions - President, Member of the Government, Chairman of the National Council, Chairman of the Constitutional Court, Chairman of the Supreme Court, Chairman of the Judicial Council, General Prosecutor, Special Prosecutor, Chief of the General Staff of the Armed Forces, Director of Military Intelligence, Police President, Director of the National Criminal Agency, Director of the Financial Intelligence Unit, Director of the Slovak Information Service, Director of the Criminal Office of the Financial Administration, Governor of the National Bank of Slovakia, or Heads of central state administrative bodies. This also includes individuals who, after November 1, 2020, fulfil the following criteria: have completed performance of one of the following senior public functions of national significance in the past five years in the Czech institutions - President, Member of the Government, Chairman of the Chamber of Deputies of Parliament, Chairman of the Senate of Parliament, Chairman of the Constitutional Court, Chairman of the Supreme Court, Chief Public Prosecutor, Chief of the General Staff of the Army, Director of Military Intelligence, Police President, Director of the Security Information Service, Governor of the Czech National Bank, or heads of central state administrative bodies. This also includes individuals who have completed performance of one of the following senior public functions of European significance in the past five years: Chairman of the European Council, Chairman of the European Parliament, Chairman of the European Commission, Chairman of the Court of Justice of the EU, Chairman of the European Court of Auditors, President of the European Central Bank. Furthermore, these persons include persons who hold or have held a significant public function for more than 15 years (in the case of EU institutions, 10 years) and persons who have been accused or convicted of committing a serious criminal activity of an economic nature related to the performance of a significant public function that they held in the past 12 months.

VIII. Where did we acquire your personal data?

The personal data we process is sourced from a variety of publicly accessible and other legitimate sources, including:

• State and public registers: These include official government databases and registries such as business and company registers, tax and VAT registries, insolvency records, and other public institutions that make business-related data available for transparency and legal purposes.
• Websites of business entities: We collect data directly from publicly available information on company websites.
• Third-party data providers: In some cases, we collaborate with verified external data providers who supply business information.

IX. Where are your personal data processed?

We process your personal data exclusively in the territory of the Slovak Republic or the European Union in compliance with the legal regulations applicable in this territory. Your personal data are stored exclusively on our technical equipment, whereby the data are stored in an encrypted form so as to be protected from unauthorised access. However, some of our customers with whom we share the data may be based outside the EU, or EAA. In case there is no decision of the European Commission on adequacy, we implement appropriate security measures, including the conclusion of standard clauses for the protection of personal data. You can find the text of standard contractual clauses on data protection as well as adequacy decisions issued by the Commission on the website of the European Commission.

X. What rights do you have as a data subject?

As a data subject whose personal data are being processed, you have the following rights against FinStat:

• the right of access to personal data – you have the right to obtain confirmation from FinStat as to whether or not your personal data is being processed, and, if so, you are entitled to request access to your personal data and to receive information about the processing;
• the right to rectification of personal data – you have the right to obtain from FinStat without undue delay the rectification or completion of inaccurate or incomplete personal data that concern you;
• the right to restriction of the processing of personal data – you have the right to obtain from FinStat in certain cases restriction of the processing of your personal data so that the data would, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another person or for reasons of important public interest; you may request restriction of processing, in particular if you have doubts as to the accuracy of your personal data, for a period that allows FinStat to verify the accuracy of such data.;
• the right to erasure (right to be forgotten) – you have the right to obtain the erasure of your personal data from all paper or electronic FinStat databases and the Controller shall erase the personal data if the legal requirements are met, such as if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the data subject objects to the processing of personal data and there are no overriding legitimate grounds for the processing of personal data;
• the right to data portability – you have the right to receive the personal data concerning you that you provided to us, in a structured, commonly used and machine-readable format, and transmit them to another controller (you can exercise this right if the processing is based on your consent or on a contract or carried out by automatic means);
• in addition, you have the right to lodge a complaint with a supervisory authority, such authority being the Office for Personal Data Protection of the Slovak Republic. You can reach our office at the following address/numbers: Hraničná 12, 820 07 Bratislava 27, the Slovak Republic, or via email at: statny.dozor@pdp.gov.sk, or by sending a fax to: +421 2 3231 3234, or by phone on the following number: +421 2 3231 3214.
  You also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, which is based on the legitimate interest. In such a case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If you object to processing of your personal data for direct marketing purposes, your personal data shall no longer be processed for such purposes.

XI. Who supervises the correct processing of your personal data?

The compliance of the personal data processing with the respective legal regulations pertaining to personal data protection is supervised by the Controller’s Data Protection Officer, which you can reach via email at: dpo@finstat.sk.

XII. How can you contact us?

Should you have any concerns or questions, or should you wish to exercise your rights pertaining to the processing or protection of your personal data, you can contact FinStat s. r. o. via email to podnety@finstat.sk.

If you wish to exercise any of your rights as a data subject and from your request it is not possible to verify the identity of the person making the request or if we have reasonable doubts about the identity of the person making the request, we reserve the right to ask for further information necessary to confirm the identity of the person submitting the request.

XIII. Changes or updates to this document

This Privacy Notice can be changed, amended or updated from time to time, in order to reflect changes in the legislation or the terms of our personal data processing.