Clients Privacy Policy

On the personal data processing activities carried out by VERTIS in relation to its clients^[1]

[1] This privacy notice has been prepared for information on data processing with regard to those persons’ personal data who act as clients (if natural persons) or as representatives, executive officers, authorised proxies, beneficial owners or similar persons acting on behalf of a client. However, in certain situations (especially in the period preceding or aiming that a person or entity become a client to Vertis Ltd) it also covers data processing relating to such persons who act on behalf of entities which are not (yet) clients but prospective clients or other business partners of Vertis Ltd.

Vertis Environmental Finance Ltd. (hereinafter referred to as “VERTIS” or “data controller”), in accordance with Article 13 and 14 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”, “GDPR” or the “Regulation”), hereby provides information relating to its Privacy Policy and the personal data processing carried out in the context of its relationship with its clients.

Identity and contact details of the data controller

Name of the controller:	Vertis Environmental Finance Ltd.
Seat of the controller:	Csörsz utca 45, 1124 Budapest, Hungary
Email:	privacy@vertis.com
Contact details of the data protection officer:	vertis@dataprotection.eu

Purpose, legal basis and retention period of the processing, in relation to each category of personal data processed.

A) In the context of our client onboarding and client due diligence processes with regard to services subject to AML regulation, regarding the Client’s representatives, executive officers or authorised proxies (or a natural person Client, if any) as data subjects.

_{Purpose of data processing}	_{Personal data processed}	_{Legal basis}	_{Retention period}
_{Carrying out anti money-laundering and customer due diligence measures}	_{Family name, given name} _{Family name, given name (at birth)} _Nationality _{Place and date of birth} _{Mother’s maiden name} _{Home address, or in the absence thereof, habitual residence} _{Number and type of identification document} _{Copy of identification document} _{In case of any natural person Client, the fact whether he/she acts for a beneficial owner and whether he/she is a politically exposed person, including grounds for that and information on his/her source of wealth and funds.}	_{Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, Article 7 and 56}	_{Eight years after the end of the business relationship or after the date of carrying out the transaction order}
_{Carrying out anti money-laundering and customer due diligence measures by the way of recorded video call}	_{If such method is applied, in addition to the above information, the image and voice of the Client’s representative acting during the video call, and the random created alphanumeric verification code used for the call}	_{VERTIS’ legitimate interest, as well as the legitimate interest of our Client in conducting the customer due diligence procedures, when it is required in line with applicable AML regulations, as a lawful alternative of a presential meeting or the provision of fully legalised documentation}	_{Eight years after the end of the business relationship or after the date of carrying out the transaction order}
_{Monitoring EU acts and UN Security Council resolutions ordering financial and asset-related restrictive measures for the purposes of our client due diligence process}	_{Family name, given name} _{Family name, given name (at birth)} _Nationality _{Place and date of birth;} _{Mother’s maiden name} _{Home address, or in the absence thereof, habitual residence} _{Type of ID document, document number} _{The fact that the data subject appears/does not appear On a sanctions list}	_{Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act LII of 2017 on the Implementation of Financial and Asset-related Restrictive Measures Ordered by the European Union and the UN Security Council}	_{Eight years from the execution of the screening}
_{Monitoring sanctions lists for the purposes of our client due diligence process and compliance checks.}	_{The fact of appearing / not appearing on other sanctions lists not mentioned above (e.g. FATF or OFAC list)}	_{VERTIS’ legitimate interest in conducting careful customer due diligence procedures, as well as the smooth processing of payments and the avoidance of possible sanctions}	_{Eight years from the execution of the screening}
_{Identifying, preventing and managing conflicts of interests}	_{Data on interests and positions held in other economic enterprises, including government organizations}	_{VERTIS’ legitimate interest and that of third parties in the exclusion of conflicts of interest that may arise during the provision of investment services and could be detrimental to the client (see Article 110 of Hungarian Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities)}	_{Five years after the end of the business relationship} To data listed here also appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply
_{Carrying out fitness tests, compliance tests and qualifying clients as retail/professional clients}	_{Personal data necessary for the mandatory assessment of the client’s practice, risk-bearing capacity, financial situation, investment goals, level of knowledge and experience related to the essence of the transaction, the financial instruments involved and their risks, especially the highest education and professional experience of the person concerned as well as their financial knowledge; Data required for retail/professional client qualification (specific position or scope of duties, etc.) according to Article 49 (1) of Hungarian Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, as well as data required for possible legal claims}	_{Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (Art. 44,45 and 49);} _{In the event of enforcing legal claims, our legitimate interest in the availability of the necessary evidence}	Five years after the end of the business relationship In case of enforcement of legal claims, until the relating legal procedures are closed To data listed here also appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply

^{[1] This privacy notice has been prepared for information on data processing with regard to those persons’ personal data who act as clients (if natural persons) or as representatives, executive officers, authorised proxies, beneficial owners or similar persons acting on behalf of a client. However, in certain situations (especially in the period preceding or aiming that a person or entity become a client to Vertis Ltd) it also covers data processing relating to such persons who act on behalf of entities which are not (yet) clients but prospective clients or other business partners of Vertis Ltd.}

B) In the context of our client onboarding and client due diligence processes with regard to services subject to AML regulation, regarding the Client’s beneficial owners as data subjects.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Carrying out anti money-laundering and customer due diligence measures	Family name, given name Family name, given name (at birth) Nationality Place and date of birth Home address, or in the absence thereof, habitual residence Nature and extent of ownership interest The fact that the beneficial owner is / is not a politically exposed person and grounds for such position; ID document (eg. passport) data, if necessary to verify the identity of the beneficial owner (document number, expiration date), in the case of a high-risk customer, a copy of the document If based on applicable regulations a declaration on the source of wealth/funds is required, the content of such declaration	Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, Article 9 In case we retain a copy of the ID document: our legitimate interest in keeping proper documentation of the client due diligence process and in the verifiability of the results thereof	Eight years after the end of the business relationship or after the date of carrying out the transaction order
Monitoring sanctions lists for the purposes of our client due diligence process and compliance checks	The fact of appearing / not appearing on other sanctions lists not mentioned above (e.g. FATF or OFAC list)	VERTIS’ legitimate interest in conducting careful customer due diligence procedures, as well as the smooth processing of payments and the avoidance of possible sanctions	Eight years from the execution of the screening

C) In the context of our client onboarding and “Know Your Customer” processes, with regard to services falling outside the scope of AML regulation, regarding legal entity Client’s representatives, executive officers or authorized proxies or natural person Clients (if any) as data subjects.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Carrying out customer due diligence measures in accordance with our “Know Your Customer” (KYC) regulation	Full name, position; Authorization to represent the client Residential address (only in case of high risk clients) CV (only in case of medium and high risk clients) Copy of identification document (only in case of medium and high risk clients)	VERTIS’ legitimate interest in conducting careful customer due diligence procedures (which entails verifying the identity and background of the clients for risk management purposes) In case we retain a copy of the ID document: our legitimate interest in keeping proper documentation of the client due diligence process and in the verifiability of the results thereof	Eight years after the end of the business relationship or after the date of last transaction
Monitoring sanctions lists for the purposes of our KYC process and compliance checks	The fact of appearing / not appearing on FATF, EU or UN sanctions lists (only in case of medium or high risk client)	VERTIS’ legitimate interest in conducting careful customer due diligence procedures, and the avoidance of possible sanctions	Eight years after the end of the business relationship or after the date of last transaction
Monitoring US sanctions lists, in case it is required by relevant trade or other prohibitions, if these are applicable to VERTIS	The fact of appearing / not appearing on US sanctions lists	VERTIS’ legitimate interest in conducting careful customer due diligence procedures, as well as the smooth processing of payments and the avoidance of possible sanctions	Eight years after the end of the business relationship or after the date of last transaction

D) In the context of our client on boarding and “Know Your Customer” processes with regard to services falling outside the scope of AML regulation, regarding the Client’s beneficial owners as data subjects.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Carrying out customer due diligence measures in accordance with our “Know Your Customer” (KYC) regulation	Full name, condition of being a UBO of the client Copy of identification document (if client categorization based on our KYC matrix is medium or high risk)	VERTIS’ legitimate interest in conducting careful customer due diligence procedures (which entails verifying the identity and background of the clients for risk management purposes) In case we retain a copy of the ID document: our legitimate interest in keeping proper documentation of the client due diligence process and in the verifiability of the results thereof	Five years after the end of the business relationship or after the date of last transaction To data listed here also appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply
Monitoring sanctions lists for the purposes of our KYC process	The fact of appearing / not appearing on FATF, EU or UN sanctions lists (if client categorisation based on our KYC matrix is medium or high risk)	VERTIS’ legitimate interest in conducting careful customer due diligence procedures, as well as the smooth processing of payments and the avoidance of possible sanctions	Five years after the end of the business relationship or after the date of last transaction To data listed here also appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply
Monitoring US sanctions lists, in case it is required by relevant trade or other prohibitions, if these are applicable to VERTIS	The fact of appearing / not appearing on US sanctions lists	VERTIS’ legitimate interest in conducting careful customer due diligence procedures, as well as the smooth processing of payments and the avoidance of possible sanctions	Eight years after the end of the business relationship or after the date of last transaction

Please note that, in line with the provisions of (Hungarian) Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, personal data collected in the context under point A) to D) above, provided such Client consents which may be required under applicable regulation are available, may be used and processed by Vertis Ltd for any due diligence process relating to other Clients if the same individual holds a position of representative, executive officer, authorised proxy or beneficial owner at that other entity. Such use for additional data processing purposes of the collected personal data shall be based on our legitimate interest in keeping record of the most accurate and all available information necessary for the due diligence process with the least administrative burden possible to our Clients, outlined in our privacy policy.

E) In the context of certain of our “F-gas” business activity,activities in the event that the Client (a quota holder or F-gas new entrant) is a private entrepreneur (not a legal entity) (eg. a private entrepreneur operator with compliance obligations or a new entrant F-gas quota holder) – please note the data processing activities listed below are additional to those listed in points A) to I) as applicable to natural person Clients.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Carrying out customer due diligence measures in accordance with our “Know Your Customer” (KYC) regulation	Personal identification data, private entrepreneur registration number, VAT number, registry account number	VERTIS’ legitimate interest in conducting careful customer due diligence procedures (which entails verifying the identity and background of the clients for risk management purposes) In case we retain a copy of the ID document: our legitimate interest in keeping proper documentation of the client due diligence process and in the verifiability of the results thereof	Eight years after the end of the business relationship or after the date of last transaction
Preparing and performing client contract; Enforcement of legal claims (if any)	Full name, identification data, private entrepreneur registration number, VAT number, registry account number, bank account details, trading data and all details of the contractual relationship which qualify personal data	Performance of the contract to which the data subject is party and taking steps at the request of the data subject prior to entering into a contract; In the event of enforcing legal claims, our legitimate interest in the availability of the necessary evidence	Eight years after the end of the business relationship or after the date of last transaction In case of enforcement of legal claims, until the relating legal procedures are closed

F) In the context of our communication and business cooperation with our clients, regarding the representatives and contact persons acting on behalf of our Clients, or natural person Clients (if any) as data subjects.

Purpose of data processing	personal data processed	Legal basis	Retention period
Maintaining business communication with clients, including recording communications (except for recordings based on legal obligation, see below)	Name, contact details (business email and phone number), data contained in the communication; Personal data that may appear in the content of customer-related notes, data necessary for possible legal claims enforcement If the communication is recorded, the recording	Legitimate interest of VERTIS and its client in carrying out their business operations, maintaining business relations and in the fulfillment of concluded contracts, as well as the availability of evidence in the event of enforcement of legal claims related to the business relationship	Eight years from the end of business relationship (or, in case of enforcement of legal claims, until the respective legal procedure is closed) In case the data referred to herein is contained in invoicing or taxation document, until the end of the relevant document retention period prescribed by law (see below at “Complying with document retention obligations”)
Recording communications that relate to VERTIS’s regulated activity concerning transactions concluded for financial instruments (EU emissions allowances), including own account trading, reception and transmission of orders custody account management and other investment related services; Secondary purposes in relation to the recorded calls: Providing internal courses to VERTIS employees for quality assurance and client complaint handling Verification of the content of transactions, availability of evidences in case of disputes Compliance checks by the competent regulatory authority, internal auditor or compliance officer Internal monitoring of sales staff’s compliance with relevant legal obligations and internal regulations, prevention of fraud, corrupt or other illicit practices or behaviour	Data contained in outgoing and incoming telephone conversations and electronic messages (Teams or WhatsApp recordings), letters, faxes and e-mail messages, minutes of personal meetings, notes, data necessary for possible legal claims, account orders	Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Art. 55 (4-5), (8)In relation to the secondary data processing purposes, the legal basis is VERTIS’ legitimate interest in improving quality client service and compliance enforcing legal claims, clarifying transaction details and resolving disputes ensuring effective internal and external compliance checks ensuring compliance by relevant staff and preventing fraudulent, corrupt or other illicit behaviour after the fifth year: the legitimate interest of Vertis in retaining evidence for the enforcement of legal claims related to the business relationship	Eight years after the recording of the telephone conversation or electronic message exchange, seven years in the case of a regulation by the supervisory authority; In case the data referred to herein is contained in invoicing or taxation document, until the end of the relevant document retention period prescribed by law (see below at “Complying with document retention obligations”) In case there is a legal procedure in which the recorded call or other recorded information is used, until the closing of such procedure (by a binding and final decision, where applicable)
Client complaint handling	Contact details, personal data contained in the complaint or in the response In the case of a telephone complaint, the audio recording	Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Art. 121	In the complaint handling records, five years from the date of the answer given to the complaint, or from the recording of the complaint given by telephone To complaint data appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply
Operating a breach reporting system	Data contained in the breach reporting	Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Art. 24/G, and Art. 38 of Decree No. 26/2020. (VIII. 25.) of the National Bank of Hungary	Eight years after the end of the business relationship or after the date of carrying out the transaction order
Providing the service “MyVertis”	Email address, access code, passwords, user profile data (name, company, position, telephone number, language); user data Terms acceptance, and data for any possible legal claim enforcement	The legitimate interest of VERTIS and its client in the provision and use of the MyVertis service, to the client In case of a natural person Client, Performance of the contract to which the data subject is party and taking steps at the request of the data subject prior to entering into a contract In the event of enforcing legal claims, our legitimate interest in the availability of the necessary evidence	Five years after registration To data listed here also appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply
Forwarding Client’s information to the brokered/introduced partner, within the framework of the provision of order reception or transmitting (brokerage) or other introducing services, or fulfilment of contractual obligations arising from engagements aiming the creation of business cooperation between clients	Contact details of representatives, executives or other personnel of the client (or of the Client him/herself, in case of natural person Client)	Legitimate interest of VERTIS and its client in providing the relevant service or fulfilling a contractual obligation In case of a natural person Client, Performance of the contract to which the data subject is party and taking steps at the request of the data subject prior to entering into a contract	The retention periods indicated at other data processing purposes (with special regard to recording communication related to regulated services) apply

G) In the context of transferring client information to Financing Partners

Please note that the below data processing activities take place only if Your company is affected by services we engage from banks, insurers or other financing partners as well as their brokers or agents (“Financing Partners”), in relation to factoring and similar services, also involving financing and/or insurance related to the collection of outstanding debt/receivables of our business partners. For that aim VERTIS requests a data sharing consent from its client (either within an agreement or in a separate document), so transfer of the personal data is also dependent on such client consent.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Enabling the Financing Partner to contact the client in relation to the enforcement of the rights (claims, receivables) assigned to it by VERTIS, in particular to communicate with the client in payment-related matters or other matters related to its services	Name and position; contact details (business email address, business phone number), language preferences, if any	VERTIS’ and the Financing Partner’s legitimate interest in carrying out their business operations under the services provided by the Financing Partner to VERTIS, in relation to the business relationship between the client and VERTIS	One-time data forwarding, no retention period applies

H) In the context of our own or group-level marketing activities

Please note that the below data processing activities take place only if You or Your company are affected by the relevant marketing initiative or campaign. For information relating to subscription to VERTIS’ newsletter via our webpage, please consult the privacy policy prepared for the visitors of our webpage.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Sending newsletter to you (which may include invitation to VERTIS marketing events)	Full name, business e-mail address, company, position	your consent	Until revocation of your consent
Monitoring whether you have opened the newsletter and on what content you clicked on	Fact of opening the newsletter and chosen content	Our legitimate interest in monitoring the efficiency of our marketing (newsletter sending) activity	Until revocation of the consent given to newsletter sending
Sending You Christmas seasons or other similar greetings, gift	Full name, business e-mail address, company, positionIn case of sending a gift, company mailing address and business mobile number (so the courier can contact You for delivery)	Our legitimate interest in constructing and maintaining good business relationship	Until the end of our client business relationship or the end of your role/position at our client which gave us grounds for maintaining business contact To data listed here also appearing in communication or files with longer retention period, the longer retention period indicated at the relevant row may apply
Introducing You to other Vertis/STX Group members for services these may offer to you / services earlier provided by VERTIS, later offered by another group member due to internal re-structuring or other reasons	Full name, business e-mail address, business phone number, company, positionin situations onboarding at VERTIS has already been commenced or performed earlier, such onboarding data which is necessary for the onboarding at the receiving group entity	Your Consent or, if a consent was given to that by the entity you act on behalf of, our and the Client’s legitimate interest in further business cooperation between the Client and Vertis/STX Group	One-time data forwarding, no retention period applies

I) In the context of our internal administrative processes, regarding all data subjects mentioned above.

Purpose of data processing	Personal data processed	Legal basis	Retention period
Preparing back-up copies of documents kept in our IT systems, implementing measures of data loss prevention	All data stored in our IT system	Compliance with the legal obligation to which VERTIS is subject, as set out in (Hungarian) Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Art. 12 (7); For the data not affected by legal obligations, the legitimate interest of VERTIS in ensuring the uninterrupted operation of its IT processes and taking the necessary steps to ensure data security	Five years
Complying with document retention obligations	Data contained in documents relating to invoicing/accounting or taxes	Compliance with the legal obligation to which VERTIS is subject, as set out in the Hungarian Investment Services Act, Accounting Act and Act on Taxation Procedures	Investment services related documents: five years (or seven years if requested by the regulatory authority) accounting documents: eight years, taxation documents: the end of the calendar year affected by the tax declaration obligation + five years

Sources of personal data

The sources of the personal data are normally you as the data subject or your company, in the course of our client business communication. Should the Client be introduced by an engaged introducer or broker, some data as for example contact details of representatives and other persons acting on behalf of the Client, may be provided by such introducer or broker.

In the context of our anti money-laundering and/or KYC customer due diligence processes, or other onboarding processes, we may also rely on public registries, other publicly accessible data sources and sanctions lists in order to obtain your data.

In the context of business communications, minutes or messages, the source of data is the sender of the communication or the person who took the minutes.

In the context of the breach reporting system, the source of your data is the breach reporter.

Other information on our data processing

Provision of your personal data is a statutory requirement in all those events where we refer to a legal obligation VERTIS is subject to. Provision of your data is not a requirement necessary to enter into a contract directly with you, (except for natural persons acting as Clients, the data required for such contract) but it may be necessary to enter into a contract with the company you represent or on behalf of which you act towards us. Consequently, you are generally not obliged to provide the personal data, but it might be an obligation for your company or for VERTIS to obtain and process them. Possible consequences of failure to provide your data may be that VERTIS cannot enter into or maintain business relationship with or provide services to its clients.

Where the legal basis for the data processing is your consent, You can withdraw the consent at any time; however, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Recipients of the personal data

In the context of the data processing activities referred to in this privacy notice, personal data shall be shared with the following addressees, in relation to the below detailed services VERTIS has engaged in order to be able to operate its systems and pursue its business activities. Most of such addressees, if they provide services to VERTIS, act as data processors providing the guarantees to implement appropriate technical and organisational measures in line with the rules of GDPR, in order to ensure protection of your data. International service providers such as Microsoft, Zoom and others mentioned in the below list, when acting as data processors, involve numerous sub-processors, which are published and updated from time to time on their respective webpages.

Data category	Addressee	Activity or role which serves as grounds for the data sharing
All data contained in e-mail correspondence, Skype for business or Teams application	Microsoft Ireland Operations Limited	Cloud based system for e-mail correspondence, Skype for business and Teams application
Data related to transactions where Vertis International Trading SE acts as an agent for VERTIS	Vertis International Trading SE (Hungary)	Agency activity
Data related to transactions where Vertis Brussels SA acts as an agent for VERTIS	Vertis Brussels SA (Belgium)	Agency activity
Data related to transactions where Purple Consulting acts as an agent for VERTIS	Purple Consulting (France)	Agency activity
Data contained in Eikon messages (if we contact You through Eikon)	London Stock Exchange Group (UK)	“Eikon” Instant messaging service for business purposes
Data contained in ICE chat messages (only if You contact us through ICE chat)	International Exchange Ltd. (USA)	“ICE chat” Instant messaging service for business purposes
Data contained in WhatsApp chat messages (only if You contact us through WhatsApp)	WhatsApp Ireland Limited (Ireland) and its involved service providers Global Relay Communications Inc (for recording; Canada)	“WhatsApp” Instant messaging service for business purposes and recording of WhatsApp messages
Data contained in Zoom messages or calls (if we contact You through Zoom)	Zoom Video Communications, Inc. (USA) and its sub-processors	“Zoom” application for calls and messages
Business contact data in case of brokerage services or other services aiming creating business cooperation between clients	The other client affected by the service / business cooperation	Brokerage services or other services aiming creating business cooperation between clients
Data used for reporting obligations, procedures or audits by authorities and by the statutory auditor	Supervisory or other authorities, internal auditor safeguarding officer compliance advisor; KPMG Hungária Kft. (Hungary; appointed statutory auditor)	Compliance with legal (eg. reporting) obligations, supervisory audits or administrative procedures; performance of annual statutory audit
Contact data as referred to in point G) above	Financing Partner (as defined in point G) above)	See description of the data transfer in point G) above
Data processed in relation to newsletter subscription	The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000 Atlanta, Georgia 30308, USA	Providing Mailchimp newsletter or other communication sending service
Data necessary for the delivery of a gift	The courier service provider involved in delivery	Sending Christmas or other gift to clients
All data retained in back-ups (see point I) above)	Keepit A/S (Denmark)	Storage of back-ups
All data stored in electronic format	MesterCom Kft. (Hungary)	IT support service
Data contained in documents necessary for enforcement of legal claims	Legal advisors, courts	Enforcement of legal claims

Please be kindly informed that in case of the service “MyVertis” we use our own system so no data processor or other third party is involved in the processing of your data.

Data transfer to third countries

Data transfer to third countries is carried out by VERTIS in the following events, in relation to the involvement of the following service providers. The chart below also provides you with information regarding the safeguards applied in relation to such data transfers.

Service provider / other addressee	Third country to which data are transferred	Safeguards for ensuring proper protection for the data	When does it happen?
London Stock Exchange Group	United Kingdom	Adequacy decision of the EU Commission	In case of communication through Eikon instant messaging service
International Exchange Ltd.	USA	Standard Contractual Clauses	In case of communication through ICE chat service
Zoom Video Communications, Inc.	USA	Standard Contractual Clauses	In case of communication through the Zoom application
Global Relay Communications Inc	Canada	Standard Contractual Clauses	In case of communication through recorded WhatsApp instant messaging
The Rocket Science Group LLC	USA	Standard Contractual Clauses	If you subscribe to our newsletter or your email address is confirmed by You for the receipt of other communication to be sent by VERTIS

If, for the purposes of our data processing relating to the provision of brokerage services, or other engagements we have for creating business cooperation between our clients, it is necessary to transfer personal data to third countries or international organisations, we will ensure that proper safeguards are implemented to protect your personal data, either because there is an adequacy decision regarding the receiving country, or by using other safeguards such as standard data protection clauses adopted by the European Commission, or specific contractual clauses concluded with the receiving party.

Automated decision making, including profiling

Automated decision making, including profiling, does not occur in the context of the data processing referred to in this Privacy Notice.

Your rights in relation to our data processing activity

As a data subject, you can exercise

the right to access;
the right to rectification;
the right to erasure (right to be forgotten);
the right to restrict the processing;
the right to object to the processing of your personal data;

Subject to the conditions as set out by the GDPR

In addition, where the legal basis of the data processing is the performance of a contract You are a party to or Your consent, You shall also have the right to data portability.

Right to acces

You as data subject shall have the right at any time to request information whether your personal data are processed, and if so, in what manner such data are processed by the data controller, including the purposes of the processing, recipients to whom the personal data have been or will be disclosed, the source of information from where the data controller obtained such data, the retention period of such data, any right that they may have concerning the processing, and where personal data are transferred to a third country or any international organisation, you as data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. When exercising the right of access, the data subject shall also be entitled to request copies of such data. In the event the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in an electronic form. If the right of access exercised by the data subject would affect adversely the rights and freedoms, in particular the business secrets or intellectual properties of others, the data controller shall have the right to refuse the request of the data subject to the extent necessary and proportionate. For any further copies of the above information requested by the data subject, the data controller may charge a reasonable fee that is proportionate to the related administrative costs.

Right to rectification

The data controller shall rectify or supplement the personal data of the data subject based on any related request from the data subject. Where there is any doubt concerning any rectified data, the data controller may call upon the data subject to adequately verify, preferably by an official document, the rectified data for the data controller. If the data controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the data controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the data controller. At the request of the data subject, the data controller shall inform the data subject of the identity of these recipients.

Right to erasure (“right to be forgotten”)

Where You as data subject request the erasure of any or all of your personal data, the data controller shall have the obligation to erase those without undue delay, if:

the data controller does not need the affected personal data in relation for the purposes for which they were collected or otherwise processed;
processing was based on your consent, however, you have withdrawn your consent, and there is no other legal ground for the processing;
processing was based on the legitimate interest of the data controller or a third party, however, You have objected to the processing, and there are no overriding legitimate grounds for the processing, except for objection to data processing for direct marketing purposes;
the personal data have been unlawfully processed by the data controller, or the personal data have to be erased for compliance with a legal obligation.

If the data controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the data controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the data controller. At the request of the data subject, the data controller shall inform the data subject of the identity of these recipients. The data controller shall not always be required to erase the personal data, in particular where e.g. the data processing is necessary for the establishment, exercise or defense of legal claims.

Right to restriction of processing

You as data subject may request restriction of processing in relation to your personal data where one of the following applies:

the accuracy of the personal data is contested by the data subject, in this case restriction of processing shall be applied for a period enabling the data controller to verify the accuracy of the personal data;
the processing is unlawful, but the data subject opposes the erasure of the data, and requests the restriction of their use instead;
the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise and defence of legal claims; or
the data subject has objected to the processing, in this case restriction of processing shall be applied until it is verified whether the legitimate grounds of the data controller override those of the data subject.

Restriction of processing means that such personal data shall not be processed by the data controller or shall, with the exception of storage, only be processed with the data subject’s consent, or in the absence of such consent the data controller may also process these data for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state of it. The data subject shall be informed by the data controller before the restriction of processing is lifted. If the data controller has disclosed the personal data affected by such right to any other persons (i.e. to another recipient e.g. the data processor), the data controller shall inform such persons of the rectification of such data without delay, provided that it is not impossible or does not require a disproportionate effort from the data controller. At the request of the data subject, the data controller shall inform the data subject of the identity of these recipients.

Right to object

Where processing of data concerning You as data subject is based on the legitimate interest of the data controller or a third party, You as data subject shall have the right to object to processing of data. The data controller shall not be obliged to accept such objection, unless the data controller demonstrates

compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or
that the data processing is related to the submission, enforcement or protection of the data controller’s legal claims.

The right to data portability

Right to data portability generally means that the data subject shall have the right to receive the personal data concerning him/her, which he/she provided to the data controller based on consent or on a contract, and are processed by the data controller by automated means (e.g. in a computer system), in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller, or the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

In addition to the above, as a data subject, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of the EU of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. For a list of the data protection supervisory authorities, see https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. You may also enforce your rights in court pursuant to the provisions of the GDPR and the Hungarian Civil Code or other legislation applicable to you.

Additionally, according to Art. 25 of the Hungarian Act CXII of 2011 on the right to informational self-determination and freedom of information, the close relative of the deceased data subject or the person authorized by the deceased data subject might exercise data subject rights as determined by that Act within 5 years from the date of the death.

How we handle your requests or questions in relation to our privacy policy and data processing activities

We shall provide information on the action taken on your questions or requests submitted to us relating to the processing of your personal data or to the exercise of your rights as data subject, in accordance with our privacy policy, without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests we receive. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay. If You make the request by electronic means, we shall also provide you our answer by electronic means where possible, unless otherwise requested by You. Should it be the case that we do not take action on your request, we shall inform You on that without delay and at the latest within one month of receipt of the request, explaining you the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.