General data protection policy

Thank you for your interest in our web site and our company. Despite the fact that we check external links carefully, we assume no liability for the contents or safety of the sites accessed by means of these external links.

We protect your personal data to the highest possible degree during collection, processing, and your visits to our web site. Your data are protected as required by law. The following contains an explanation of the type of data that we collect when you visit our web site as well as of how we use this data.

Starting on 25 May 2018, the General Data Protection Regulation or GDPR applies throughout the European Union. The GDPR stipulates how personal data may be processed and how they must be protected. You will find a summary of the basic information below. 

What is the GDPR?

The GDPR is a regulation of the European Union. It applies directly in every member state, including in Slovakia. Every person whose data are processed can directly claim protection under the GDPR.

What does the GDPR govern?

The GDPR contains regulations about the processing of your personal data. The GDPR protects all information about you including your name, telephone number, investment, and hobbies. The principles in this regulation stipulate how your personal data may be stored and processed. 

Why is the Slovak data protection law still in force?

The European Union has not only enacted the GDPR, but an entire “data protection package”. Part of this was also a new data protection directive. What is the difference between a directive and a regulation? Unlike a regulation, a directive must be implemented in national law. The GDPR also gives the member states leeway to govern individual aspects in greater detail than set forth in the GDPR itself.

Both of these aspects are being covered in Slovakia through the Data Protection Act coll. 2018. We will of course also comply with the 2018 law when it is relevant for you and your relationship with us.


Why is the protection of my data so important?

Data protection is a fundamental right. Just as your right to freedom or security, your right to data protection is enshrined in the Charter of Fundamental Rights of the European Union. This EU Charter of Fundamental Rights applies to the relationship between you and government institutions.

The law also recognises that there must be a balance between the interests of entities processing personal data and the so-called data subjects in private and business affairs – for example between you and your bank. These rules can be found in the GDPR and Data Protection Act coll. 2018.

Personal data say a lot about us and can reveal our hobbies, preferences, and wishes. And this is of course worth protecting. But we have to know your preferences in order to be able to offer you individualised service. One core element of data protection is that we find a way together in which we can and may process your data in your interests and under your supervision. Detailed information can be found here.

Where can I learn more about the GDPR and Personal Data Protection Act 18/2018 coll?

The text of the GDPR can be found here:

The text of the Personal Data Protection Act 18/2018 coll. can be found here:

The EU Charter of Fundamental Rights:

You can find more information about your rights on the following web sites:

Slovakian Data Protection Authority

European Commission

It is important to clarify some basic terms so that we can talk about data protection. We have also included the Article designations of the GDPR so that you can look these definitions up if you wish to do so. Please note that the information provided here is only a summary. The full text of the GDPR and the respective articles can be found here:

What are personal data?

Personal data include all information that relates to an identifiable natural person (“data subject”). A natural person is considered to be identifiable when his or her identity can be determined directly or indirectly, for example by reference to a name or code number.
More information can be found in Article 4 (1) GDPR.

What does the processing of data include?

The term “processing” means any operation performed on personal data with or without the help of automated systems. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
More information can be found in Article 4 (2) GDPR.

What does “controller” mean?

The term “controller” refers to the natural or legal person, public authority, agency, or other body that decides on the purposes and means of processing personal data alone or jointly with others. One example of this is us as a management company.
More information can be found in Article 4 (7) GDPR.

What does “processor” mean?

The term “processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
More information can be found in Article 4 (8) GDPR.

The processing of your data in our company

Who is responsible for processing personal data?

Asset Management Slovenskej sporiteľne, správ. spol., a. s., Tomášikova 48, 832 65 Bratislava

Contact for issues relating to data protection:

Slovenská sporiteľňa, a. s., Tomášikova 48, 832 37 Bratislava

IRON MOUNTAIN SLOVAKIA, s.r.o., Pri Šajbách 1, Bratislava 831 06, IČO 36 232 734

Ernst & Young Slovakia, spol. s r.o., Hodžovo námestie 1/A, 811 06 Bratislava, IČO 35 840 463
PricewaterhouseCoopers Slovensko, s.r.o. Karadžičova 2, 815 32 Bratislava, IČO 35 739 347 

Goldmann Systems, a.s., Slávičie údolie 106, 811 02 Bratislava, IČO 35 794 950

Národná banka Slovenska, Imricha Karvaša 1, 813 25 Bratislava

Erste Group Bank AG, Am Belvedere 1, A 1010 Vienna, Republic of Austria, IČO 33209m

Erste Bank der österreichischen Sparkassen AG, Am Belvedere 1, A 1010 Vienna, Republic of Austria, IČO 286283f

According to articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR).

Who is responsible for the processing of personal data?

Asset Management Slovenskej sporiteľne, správ. spol., a. s.
Tomášikova 48
832 65 Bratislava

Contact for questions relevant to the protection of personal data

Asset Management Slovenskej sporiteľne, správ. spol., a. s.
Responsible person
Tomášikova 48
832 65 Bratislava

Slovenská sporiteľňa, a. s.
Tomášikova 48
832 37 Bratislava

The Competent Authority for the Privacy Policy
Hraničná 12
820 07 Bratislava 27
Telephone: +421 02 3231 3220

Is there a data protection officer pursuant to Article 37 GDPR?

Article 37 of the GDPR lists instances where the controller must appoint a data protection officer in any case. Among other cases, a data protection officer must be appointed when the core activities of the company consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. With regards to the “core activity”, recital 97 of the GDPR states that the core activity always pertains to data processing as the primary activity but not to data processing as an ancillary activity.

The primary activity of Asset Management Slovenskej sporiteľne, správ. spol., a.s. is the management of investment funds. For this reason, the appointment of a data protection officer is not mandatory at this time. You can contact us at any time if you have any questions or concerns about data protection.

What personal data are processed?

We process the following personal data:

  • Master and identification data such as first and last name, e-mail address, and if necessary telephone number, date of birth, hobbies, etc. when you provide this information to us 
  • The results of processing to fulfil contracts and declarations of consent
  • Data to meet legal and regulatory requirements

Please note: This is simply a general list. We do not have all of the data specified above in every case. You have the right to receive a detailed, individual list from us upon request at any time. Please contact 

Where do you obtain the personal data that you process?

Most of your personal data that we process was provided by you: for example when you signed up for our newsletter or submitted an enquiry. 

Data can also come from the following sources:

  • Public sources such as the trade register, property register, bankruptcy database, or register of associations
  • From other institutions in the Erste Asset Management GmbH group

We may also receive data from government agencies or from individuals acting under government mandate, such as from the Financial Market Authority, guardianship or criminal courts, public prosecutors, or court-appointed notaries. You have the right to receive a detailed, individual list from us. 

For what purposes and on what legal basis are my personal data processed?

We are a management company pursuant to the Slovakian Investment Fund Act. We process your personal data in connection with this activity. In detail, this means:

The purpose of the processing of personal data is to manage the client's relationship with the Company in accordance with the provisions of the Act. In accordance with § 19 of Act no. 297/2008 Coll. on Protection against the Legalization of Income from Crime and on Protection against Terrorist Financing, the Company is authorized, without the consent of the Client, to detect, obtain, record, store, use and otherwise process personal data and other data about the Client to the extent stipulated by the law, for the purpose of care in relation to the client, for the purpose of detecting an unusual business transaction, and for the purpose of preventing and detecting the legalization of proceeds from crime and the financing of terrorism.

The client is required to provide personal information to the Company where a special legal regulation so provides. Other personal information is provided by the client to the Company on a voluntary basis.

If personal data is provided on a voluntary basis, it is processed on the basis of a contract between the client and the Company or on the basis of acts establishing pre-contractual relationships or, where appropriate, measures between the client and the Company or the client's consent.

The client's obligation to provide the Company with the requested personal data and the Company's authority to process the personal data of the client and the provision to third parties as well as the purposes of the processing of personal data are set out in particular by the following legislation:

  • Act no. 203/2011 Coll. on collective investment as amended
  • Act no. 297/2008 Coll. on Protection against the Legalization of Proceeds from Crime and on the Protection of the Financing of Terrorism as amended
  • Act no. 566/2001 Coll. on securities and investment services, as amended
  • Act no. 595/2003 Coll. on Income Tax, as amended
  • Act no. 359/2015 Coll. on the Automatic Exchange of Information on Financial Accounts for the Administration of Taxes and on Amendments to Certain Acts
  • Information in criminal proceedings against the State Prosecutor's Office and the courts as well as against the financial authorities for intentional financial crimes: the Banking Act, the Criminal Code, the Financial Crime Act

Processing for contract fulfilment

We are permitted to render certain services for you depending on the type of contracts that we have concluded with you. This can be an agreement relating to a special purpose fund, or can be a management agreement, for example. We must process your data to this end. Our offerings are just as diverse as the wide range of contracts that we enter into. The scope of data processing is specified in the terms of the respective contract. 


Processing based on legitimate interests

We or third-party agents have a legitimate interest in processing data in the following cases:

  • Measures for the prevention of fraud, fraud transaction monitoring
  • Data processing for exercising legal claims 
  • Recording telephone calls, for example for complaints and for documenting declarations that are relevant for transactions

Processing personal data for the purposes of direct marketing can also be a legitimate interest.

Processing based on declaration of consent

If there is no contract, legal obligation, or legitimate interest, data processing can also be legal when you have given us your consent or authorisation to do so. The scope and contents of this data processing are always defined by the specific consent that you have granted. You can revoke this consent at any time.

The revocation has no impact on the legality of data processing up to the point in time that the consent is revoked. In other words, revocation has no retroactive effect. 

Am I obligated to provide my personal data? What happens when I do not wish to do so?

We require certain personal data from you for our business relationship. If we do not know your name and e-mail address, we cannot send you any newsletters or information about our new products, or invitations to interesting events. We also cannot manage your special purpose fund without this information. If we cannot verify your identity, the law prohibits us from accepting you as a special purpose fund client. If you do not wish to provide your personal data to us, we may be unable to offer you certain products and services. If we are only permitted to process your data based on your consent, you are not obligated to give this consent or provide your data.

Are any decisions made based on automated processing, such as profiling?

We employ no automated decision-making processes pursuant to Article 22 GDPR at the beginning of or during our business relationship.

To whom are my personal data passed on?

Your personal data can be passed on to:

  • Companies, units, and persons (employees and contract agents) within the group headed by Erste Asset Management GmbH when these entities need these data to fulfil contractual, legal, or supervisory obligations and to realise their legitimate interests
  • Public agencies and institutions when we are legally obligated to do so, for example the Austrian Financial Market Authority, tax authorities, etc. 
  • Third parties contracted by us, such as IT and back office service providers, when they require these data for their activities. Third parties are contractually required to treat your data confidentially and to only process them for the provision of the relevant services 
  • Third parties when this is required for contract fulfilment or based on legal regulations, for example the recipient of a wire transfer and their payment transaction service provider.  

Are my personal data forwarded to a non-EU country?

Our processors can work with sub-processors in non-EU countries. These sub-processors are obligated to comply with Austrian data protection and security standards. We will provide you with a list of current service providers in non-EU countries as well as information about the basis on which the data are forwarded upon request.

How long are my personal data stored?

Your personal data are stored for as long as required to fulfil the relevant purposes in any case. The law also stipulates for how long we must keep the data. These retention obligations may also apply when you are no longer our customer or an interested party. You can find an overview of the legal retention obligations that apply in Austria here, for example:

What security measures are applied in data processing?

We place high value on data protection and data security. We have taken all technical and organisational measures needed to secure our data processing. This especially pertains to the protection of your personal data. We protect these data against unauthorised and unlawful processing, unintentional loss, unintentional destruction, and unintentional damage. These measures include the use of modern security software and encryption methods, physical access control, and precautions to prevent and defend against external and internal attacks.  

What about cookies, social networks, web analytics?

Cookies: We use cookies on different parts of our web site. Cookies are small text files that allow users to be recognised when they return to our web site. However, no personal information such as your name or address is stored for this. This means that the information they contain cannot be used to identify you.

We use cookies to tailor our offerings to your needs and to analyse how these offerings are used. You can configure your browser to require your express consent before cookies are used, or to generally block the use of cookies. You can use our web site without accepting cookies.

Social networks: We work together with various social networks. When you use these social networks, your browser is connected with the network in question automatically. For this, it forwards your IP address and other information such as cookies when you have already visited the platform in question before.

We avoid this type of data transmission as far as possible until you actually interact with one of these platforms. When you click the corresponding icon (such as the Facebook logo), you indicate that you are ready to communicate with the selected platform and that information about you such as your IP address will be forwarded to this social network.

Web analytics: We forward personal data to the service provider Google Analytics for the purposes of anonymised statistical analyses of the user flow on our web sites. You can prohibit the forwarding of your data.

The GDPR grants you the following rights pertaining to your personal data. You have the right to:

  • Access, pursuant to Article 15 GDPR
  • Rectification, pursuant to Article 16 GDPR
  • Erasure, pursuant to Article 17 GDPR
  • Restriction of processing, pursuant to Article 18 GDPR
  • Data portability, pursuant to Article 20 GDPR 
  • Objection, pursuant to Article 21 GDPR
  • No decision-making based solely on automated processing, including profiling, pursuant to Article 22 GDPR

What does the right to access mean?

You have the right to demand a confirmation of whether we process your personal data. If this is the case, you also have the right to information about this personal data and to the following information:

  • Purposes of processing
  • Categories of personal data that are processed
  • Recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, especially recipients in non-EU countries and at international organisations 
  • If possible the planned duration that the personal data will be stored for or, if this is not possible, the criteria that are applied to determine this duration
  • The existence of the right to have your personal data rectified or erased, restriction of or objection to this processing
  • Right to file complaints with a supervisory authority
  • All available information about the source of the personal data when the data are not collected from the data subject
  • Whether automated decision-making including profiling is used pursuant to Article 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved, as well as the significance and consequences of such processing for the data subject.

What does the right to rectification mean?

It is important to us that your data are correct and complete at all times. If you suspect that they are incorrect or incomplete, you can request that we rectify or complete the data. An explanation of how to exercise this right can be found here.

What does the “right to erasure” and the “right to be forgotten” mean?

We attach considerable importance to only processing your data in accordance with the rules of the GDPR and DSG 2018. Should you have reason to believe that this is not the case, you can request that your personal data be erased. Reasons for this can be:

  • The personal data are no longer required for the purposes for which they were collected or processed in some other manner.
    For example: Your personal data must be erased when they were solely collected to establish a special purpose fund or to send newsletters (sole purpose) and you have not consented to the processing of these data for other purposes. In this case, there is no need to process the data further after the termination of the special purpose fund or when you have unsubscribed from the newsletter and after the retention obligation no longer applies. 
  • You revoke your consent on which the processing was based pursuant to Article 6 (1) a) GDPR or Article 9 (2) a) GDPR, and there is no other legal basis for processing. 
    For example: You have consented to the processing of your personal data for individual product offers from a third-party provider (sole purpose). As soon as you revoke this consent, your personal data must be erased. Exceptions: There are other purposes or justifications for processing and you are also in a customer relationship with the third-party provider, for example.
  • You file an objection against processing pursuant to Article 21 (1) GDPR, and there are no overriding legitimate grounds for processing. 
    For example: You can file an objection when an entity is processing your personal data without your consent just because this entity claims to have a legitimate interest in doing so (and there is no other justification). When you contest this and there was no legitimate interest, your personal data must be erased. Your objection was successful. 
  • Your personal data were processed unlawfully
    Unlawfully processed personal data must be erased. 
  • The erasure of your personal data is mandated by EU law or the law of the member state.
    This refers to laws or other regulations that demand the erasure of personal data.
  • The personal data were collected in connection with the offer of information society services pursuant to Article 8 (1) GDPR. 
    This is a special protection afforded to minors who use online services.

This was a brief summary of the right to erasure. This should not be confused with the “right to be forgotten”.

The “right to be forgotten” pertains to personal data that have been made public. This means that when a person who originally published the data is required to erase the data (because one of the reasons for deletion above applies), this person must also then inform all persons who received the data in question as a result of their publication that the data in question must be erased. This rule is rather complicated. These provisions of the GDPR pertain to Internet search engines in particular.

What does the right to restrict processing mean?

We attach considerable importance to always processing your data in accordance with the rules of the GDPR and DSG 2018. Should you have reason to believe that this is not the case, you can request that the processing of your personal data be restricted. However, this is only possible for the following legitimate reasons:

  • You contest the correctness of your personal data. You can demand that the processing of your personal data be restricted for the duration of the period required by the data controller to verify the correctness of your personal data. 
    Opinions can differ. But further processing can be restricted for the time during which a matter is being clarified so that the contested personal data do not have to be erased or changed immediately. It could turn out that the data were correct after all. 
  • The processing of personal data is unlawful. But instead of having your personal data erased, you “only” wish to have their use restricted.
    The GDPR gives you the right to choose. If you do not wish to have unlawfully processed data erased immediately, you can demand that they remain stored, but that they may no longer be used. 
  • Data controllers no longer need your personal data for processing. However, they need the data to assert, exercise, or defend legal claims.
    When your personal data should in fact be erased but are needed so that you can exercise or defend your own rights, they can still be processed for these purposes.
  • You have filed an objection against processing pursuant to Article 21 (1) GDPR. Restricted processing can be demanded until it is determined whether the legitimate interests of the controller override your interests.
    Further processing can be restricted for the time during which a matter is being clarified so that the contested personal data do not have to be erased immediately. It could turn out that the processing was justified after all. 

What does the right to data portability mean?

Your personal data belong to you. Because of this, you have the right to receive this data in a structured, common, and machine-readable format. This pertains to data that you have provided to us and that are processed by means of automated systems based on your consent or for contract fulfilment. You can also demand that we forward these personal data directly to another controller.

In what form will I be given the data?

We provide the data as an XML file. An explanation of how to exercise this right can be found here.

What does the right to object mean?

Your data may only be processed when there is a legitimate interest in doing so. If such a legitimate interest is claimed, you must be informed of this. If you feel that there is no legitimate interest, you can raise an objection. This is especially the case when your personal data are used for direct marketing. If the controller is unable to prove any legitimate reasons for further processing, the controller will not be permitted to continue processing your data after you object. For processing for the purposes of direct marketing, your objection has absolute effect.

What does your right to not be subject to decision-making based solely on automated processing, including profiling, mean?

We do not employ automated decision-making pursuant to Article 22 GDPR for entering into or fulfilling business relationships. More information can be found here. For this reason, the right to object to this does not apply.

What information am I required to provide?

We must verify your identity for every enquiry so that your financial data do not fall into the wrong hands and so that another person cannot erase your data against your will. Please understand that we will demand additional information about your identity in cases of doubt. This serves your own protection so that only authorised persons can access your data.

How can I submit a request?

Regardless of which right you wish to exercise, you can submit your request to us in any of three ways:

  • By regular mail (please sign and include a copy of a photo ID) to:
    Asset Management Slovenskej sporiteľne, správ. spol., a. s.
    Tomášikova 48
    832 65 Bratislava
  • In person at our offices
  • By e-mail (only with a qualified electronic signature) to or


Please explain your case as concretely as possible so that we can process it without delay. Please pay particular attention to the information about your right to data portability.

How long will it take for my request to be processed?

We will provide you with the information about relevant measures immediately, in any case within one month after receipt of your request. This period can be extended by a further two months when the complexity and number of requests requires this additional time. We will inform you of a possible deadline extension and the reasons for this within one month after the receipt of your request in any case. 

How will my request be processed?

We treat the data that you provide to us confidentially. But e-mails cannot always be trusted. In terms of security, e-mails can be compared with a postcard, not with a letter in a sealed envelope. Because we do not want to send you your data on a postcard, we will send you the information by regular mail.

What are the key considerations relating to my right to data portability?

We only forward data directly to third parties when you

  • expressly instruct us to do so, 
  • release us from our obligation to banking secrecy, and
  • when the third party in question is a financial services provider, attorney, notary, tax consultant, accountant, or government agency.

Does it cost anything when I exercise my rights?

No, the requests are processed free of charge. Exception: When requests are submitted for reasons that are clearly unjustified or to an excessive extent, we are entitled to demand a reasonable fee. This covers the administrative costs for the notification, refusal, or implementation of the requested measure.

Can I file a complaint?

Our employees will be pleased to assist you with all complaints, questions, and suggestions relating to data protection. We are certain that we can work together to find a solution to nearly every problem. If you do not receive an answer to a request in good time, feel that your data protection rights have been violated, or feel that we have not processed your request in accordance with the law, you can file a complaint with the responsible supervisory authority:

Slovakian Data Protection Authority

Hraničná 12
820 07 Bratislava 27
Tel.: +421 02 3231 3220