Conditions for processing personal data
1. Data Controller:
The personal data controller, i.e. the entity that processes the personal data of the data subject, is the company AKULA Group s. r. o., with registered office Okružná 68, Stará Ľubovňa 06401, ID NO: 50463331 (hereinafter referred to as the "Operator").
We value the privacy of all individuals and respect their right to data protection. The controller processes personal data in accordance with Act No. 18/2018 Coll. on the protection of personal data and on amendments and additions to certain laws and with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (hereinafter referred to as "the Act").
In connection with our activities, we process personal data for various purposes. In most cases, the processing of personal data is necessary pursuant to a special regulation or an international treaty to which the Slovak Republic is bound.
The controller shall only process personal data on the following lawful legal grounds:
- the performance of a contract or pre-contractual measures;
- the performance of our legal obligation under a special regulation;
- the performance of a task carried out in the public interest;
- the pursuit of our legitimate interests, unless these interests are overridden by the legitimate interests of the data subject;
- where necessary to protect the life, health or property of the data subject or another natural person.
In other cases, we process the personal data of data subjects only with the consent of the data subject, which the data subject may withdraw at any time.
2. Purposes and legal basis for processing personal data:
In the event of the existence of a contractual relationship of the data subject with the Controller, the Controller processes the personal data of the data subjects on the basis of the legal title of the contract, exclusively to the extent necessary for the fulfilment of the purposes of the contract.
For the purpose of resolving complaints, handling deficiencies and surveys, the controller processes the personal data of the data subjects on the basis of the legal title of legitimate interest or the consent of the data subject, exclusively in the scope of name, surname, address, e-mail, telephone number, the processing of which is necessary to achieve the above.
If the data subject voluntarily communicates his or her personal data to the Data Controller without prior intervention of the Data Controller, the Data Controller will process the personal data to the extent necessary on the basis of a legitimate interest (in particular, for the purpose of assessing the data subject's request and providing a response to the data subject).
Personal data is processed by the company AKULA Group s. r. o. for the purpose of:
- invoicing for services supplied,
- sending mail offers of the products of the company AKULA Group s. r. o.,
- real estate agency.
The company AKULA Group s. r. o. will not disclose personal data to third parties, except for:
- ESPIK Group s.r.o., Orlov 133, Orlov 065 43 (provision of services in the field of personnel and accounting).
Competitions on social networks:
Some competitions may take the form of data sharing, in particular comments, via the social media profiles of the data subjects (e.g. the data subject's response to the fan page of the Controller via his/her Facebook or Instagram profile). In this case, the Operator will process the personal data of the data subjects, in particular the login name, for the purpose of the data subject's participation in the competition and the eventual announcement/disclosure of the winner of the competition (on the Operator's profile page on the social network) and contacting him/her to hand over the prize (via direct messages on the social network). The legal basis for the processing of personal data for these purposes is the consent of the data subject in the form of voluntary participation in the competition. For the purpose of handing over the prize to the winners, the controller may also process other personal data in the range of first name, surname and residence which are necessary to achieve the purpose of handing over the prize, on the legal basis of the data subject's consent. The data subject may withdraw the consent at any time by contacting the Controller at the contact details below. The Controller will process these personal data for the period necessary to achieve the purpose of the competition or until the data subject's consent is withdrawn. After withdrawal of consent, the Controller will no longer process the personal data for the purpose to which the withdrawal of consent relates. However, the Controller may continue to process the data subject's personal data to a limited extent on the legal basis of legitimate interest after the withdrawal of consent, for the period of time strictly necessary to demonstrate the lawfulness of the processing of personal data or to assert legal claims or to comply with obligations arising from generally binding legal regulations (as a rule, for a period of 3 years from the withdrawal of consent to the processing of personal data).
3. Retention period of personal data:
All personal data shall be processed only to the extent necessary for the fulfilment of the purposes set out in clause 2 of these Terms and Conditions and only for the period necessary for the achievement of those purposes, but no longer than the period specified by or in accordance with the relevant legislation.
Personal data processed by the Controller on the legal basis of the data subject's consent are processed until the consent is withdrawn; however, the Controller may also process some of these data after the consent is withdrawn if it has another legal ground for doing so (e.g. to demonstrate the correctness and lawfulness of the personal data processing procedure or to enable the Controller to defend itself against legal claims).
Personal data processed by the Controller on the basis of a legitimate interest or personal data processed by the Controller for the purpose of direct marketing are processed until the data subject objects to the processing of his or her personal data.
4. Identification of recipients of personal data:
The controller may disclose the personal data of data subjects to third parties only where required or permitted by law or with the consent of the data subject. The controller shall only disclose personal data to the usual extent to processors or other recipients:
- suppliers of external services for the Operator (in particular, programming or other technical support services, server services, sending e-mails, services related to measuring traffic to our site and adapting its content to user preferences),
- operators of backup servers or operators of technologies used by the Operator, who process them to ensure the functionality of the relevant services of the Operator,
- to the extent strictly necessary to the legal, economic and tax advisors of the Operator and the auditors of the Operator who process them for the purpose of providing advisory services to the Operator.
5. Rights of data subjects:
Right of access to personal data:
The data subject shall have the right to request from the Data Controller confirmation as to whether or not the personal data of the data subject are being processed and, if so, to request information on the processing of personal data relating to the data subject. The data subject shall have the right to rectification of the personal data concerning him or her and, having regard to the purpose of the processing of personal data, to the completion of incomplete personal data.
In the case of processing of personal data on the basis of a legal contract or on the basis of the data subject's consent, the data subject shall have the right to the portability of the personal data concerning him or her which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, if the processing of the personal data of the data subject is carried out in an automated form and before the expiry of the period of retention of the personal data. The exercise of this right shall not adversely affect the rights of other persons.
The data subject has the right to the erasure of personal data (right to erasure of personal data) which are subject to processing if:
- the personal data are processed in breach of the law; or
- on the basis of the withdrawal of the data subject's consent (in the case of processing of personal data based on the data subject's legal consent); or
- the data subject objects to the processing of personal data processed on the basis of a legitimate interest of the Data Controller and the Data Controller's legitimate grounds for processing the personal data do not prevail; or
- the personal data are no longer necessary for the purpose for which they were collected or otherwise processed; or
- after the expiry of the retention period of the personal data.
The right to the destruction of personal data pursuant to point 5(d) shall not apply if the processing of personal data is necessary for the Controller to:
- the exercise of the right to freedom of expression, or
- the exercise of the right to information,
- compliance with the obligations under Act No. 18/2018 on the protection of personal data and on amendments and additions to other acts (effective from 25.5.2018) or a special regulation,
- the assertion of a legal claim,
- archiving purposes, scientific purposes, historical research purposes or statistical purposes pursuant to Article 78(8), where the right under paragraph 1 is likely to render impossible or seriously impede the achievement of the purposes of such processing.
The right to restrict the processing of personal data if:
- the data subject objects to the accuracy of the personal data, during a period allowing the Controller to verify the accuracy of the personal data and to update the personal data, if necessary,
- the processing of the personal data is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use,
- the controller no longer needs the personal data for the purpose of processing the personal data but the data subject needs them to exercise a legal claim, or
- the data subject objects to the processing of personal data pursuant to Section 27(1) of Act No. 18/2018 on the Protection of Personal Data and on Amendments and Additions to Other Acts (effective as of 25 May 2018), pending verification of whether the legitimate grounds on the part of the controller outweigh the legitimate grounds of the data subject.
Right to object to the processing of personal data:
The data subject shall have the right to object to the processing of personal data concerning him or her in all cases where the legal title of the processing of personal data is the legitimate interest of the Data Controller. The data subject shall also have the right to object to the processing of personal data concerning him or her where such personal data are processed for the purpose of direct marketing, including profiling, to the extent that it is related to direct marketing.
If the data subject suspects that personal data are being unlawfully processed, he or she has the right to file a petition with the Office for Personal Data Protection for the initiation of data protection proceedings.
If the legal ground for processing the personal data of the data subject is his or her consent, the data subject may withdraw such consent at any time free of charge at the email address below. Withdrawal of consent shall not affect the lawfulness of processing based on consent given prior to its withdrawal. The data subject shall have the right to withdraw the consent at any time by e-mail to [email protected] or by writing to the Controller at the following address: AKULA Group s. r. o., Okružná 68, Stará Ľubovňa 06401.
Organisational directive for the processing and protection of personal data in the organization
This directive is issued pursuant to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR) and pursuant to the provisions of Act No. 18/2018 Coll. of 29 November 2017 on the protection of personal data and on amendments and supplements to certain acts (hereinafter referred to as ZoOOU).
It contains the technical and organisational measures that our company has undertaken to comply with, since under Article 24 of the GDPR it is responsible, taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, for ensuring and being able to demonstrate that the processing is carried out in accordance with the GDPR.
Company:
Title: AKULA Group s. r. o.
Headquarters: Okružná 68, Stará Ľubovňa 06401
ID: 50463331
Supervisory Authority:
Office for Personal Data Protection of the Slovak Republic
Hraničná 12, 820 07 Bratislava 27
Tel: 02/ 32 31 3214
E-mail: [email protected]
(hereinafter referred to as the 'supervisory authority')
1. Definition of basic terms
- data subject: any natural person whose personal data are processed,
- controller: anyone who, alone or jointly with others, determines the purpose and means of processing personal data and processes personal data on his or her own behalf; the controller, or the specific requirements for determining the controller, may be laid down in a special regulation or an international treaty by which the Slovak Republic is bound, if such regulation or treaty provides for the purpose and means of processing personal data,
- processor: anyone who processes personal data on behalf of the controller,
- processing of personal data: a processing operation or set of processing operations concerning personal data or sets of personal data, in particular the obtaining, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise, alignment or combination, restriction or erasure, whether or not carried out by automated or non-automated means,
- data subject's consent: any serious and freely given, specific, informed and unambiguous indication of the data subject's wishes, in the form of a statement or an unambiguous confirmatory act, by which the data subject consents to the processing of his or her personal data,
- information system: any organised collection of personal data which is accessible according to specified criteria, whether the system is centralised, decentralised or distributed on a functional or geographical basis,
- biometric data: personal data which are the result of specific technical processing of personal data concerning the physical characteristics of a natural person, the physiological characteristics of a natural person or the behavioural characteristics of a natural person and which allow unique identification or confirm the unique identification of that natural person, such as in particular facial images or dactyloscopic data,
- restriction of the processing of personal data: the marking of stored personal data in order to restrict their processing in the future,
- profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics or characteristics relating to a natural person, in particular to analyse or predict the characteristics or features of the data subject relating to his or her performance at work, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements,
- pseudonymisation: the processing of personal data in such a way that they cannot be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified natural person or to an identifiable natural person,
- encryption: the transformation of personal data in a way whereby reprocessing is only possible after a selected parameter such as a key or password has been entered,
- online identifier: an identifier provided by an application, tool or protocol, in particular an IP address, cookies, logins to online services or radio frequency identification, which may leave traces that can be used, in particular in combination with unique identifiers or other information, to create a profile of the data subject and to identify him or her,
- data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed,
- recipient: anyone to whom the personal data are disclosed, regardless of whether he or she is a third party; a public authority which processes personal data on the basis of a special regulation or an international treaty by which the Slovak Republic is bound, in accordance with the rules on the protection of personal data applicable to the purpose for which the personal data are processed, shall not be considered a recipient,
- third party: anyone who is not the data subject, controller, processor or other natural person who processes personal data on behalf of the controller or processor.
2. Mapping of personal data
In this step, our company has decided to define what personal data it processes so that it can analyse the processing of personal data and ensure compliance with the GDPR.
We define the individual categories of personal data as individual information systems (IS).
IS Customers
Legal entity: company name, company billing address, company ID number, VAT number, VAT number, registered office address, contact person's name and surname, contact person's job title, telephone number, email address, fax, website, cookies
purpose of processing: issue of tax invoice, contact with customer, performance of contract, delivery of goods, delivery of services, complaints
IS Accounting
Legal entity: company name, company billing address, company ID number, VAT number, VAT number, bank name, account number
purpose of processing: bookkeeping
IS Marketing
Natural person: name, surname, phone number, email address, cookies
purpose of processing: sending marketing and advertising emails, contact form, contact on social networks
IS Transport
Natural persons: name, surname, delivery address, telephone number
Legal entities: company name, delivery address, contact person, telephone number
purpose of processing: delivery of goods, transport of persons, contact with the customer, performance of the contract
IS Legal Services
Natural person: name, surname, home address, telephone number, email address
Legal entity: company name, billing address, company ID number, VAT number, VAT number, telephone number, email address, name and surname of the managing director
purpose of processing: drawing up contracts, legal services, debt recovery
3. Principles of personal data processing (Article 5 GDPR)
Our company will adhere to the following personal data processing principles:
3.1 Legality, fairness and transparency (Article 5(1)(a) GDPR)
Personal data will be processed lawfully, fairly and transparently in relation to the data subject ("lawfulness, fairness and transparency");
3.1.1 Lawfulness of processing (Article 6 GDPR)
Our company is committed to processing data only in a lawful manner so as not to violate the fundamental rights of the data subject.
The processing of personal data by our company will be lawful by ensuring that it is carried out on at least one of the following legal bases:
- the data subject has consented to the processing of his or her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures at the request of the data subject;
- the processing of personal data is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound (§ 13 (1) (c) of the GDPR)
- processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
The legal basis for each information system (IS) is as follows:
IS Customers
Legal basis - Article 6(1)(c) GDPR - the processing of personal data (name, surname, title, street and number, postcode, city) is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound. In particular according to Act No. 222/2004 Coll. on Value Added Tax.
Legal basis - Article 6 (1) (b) GDPR - the processing of personal data is necessary for the performance of the contract.
IS Accounting
Legal basis - Article 6(1)(c) GDPR - the processing of personal data is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound. In particular according to Act No. 222/2004 Coll. on Value Added Tax, as amended.
Legal basis - Article 6(1)(c) GDPR - Act No. 431/2002 Coll. on Accounting.
IS Marketing
Legal basis - Article 6(1)(a) GDPR - the data subject has consented to the processing of his or her personal data for at least one specific purpose.
IS Transport
Legal basis - Article 6 (1) (b) GDPR - the processing of personal data (name, surname / company name and name of the contact person, delivery address, telephone contact) is necessary for the performance of the contract.
IS Legal Services
Legal basis - Article 6(1)(c) GDPR - the processing of personal data is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound. In particular under Act No. 311/2001 Coll., the Labour Code.
Legal basis - Article 6(1)(c) GDPR - the processing of personal data is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound. In particular under Act No. 513/1991 Coll., the Commercial Code.
Legal basis - Article 6 (1) (b) GDPR - the processing of personal data (email, telephone contact) is necessary for the performance of the contract.
3.2 Purpose limitation principle (Article 5(1)(b) GDPR)
Our company will only collect personal data for specifically identified, explicitly stated and legitimate purposes and will not further process them in a way that is incompatible with those purposes. Our company shall inform the data subject of the purpose of the processing of the personal data before processing.
In the personal data mapping section, we have set out the purpose of processing for each IS, and we will only process personal data for the purposes set out in that section.
3.3 Principle of data minimisation (Article 5(1)(c) GDPR)
Our company will process personal data so that this processing is proportionate, relevant and limited to the necessary extent given by the purpose for which it is processed.
In order to ensure the minimisation of personal data, our company has decided to analyse whether the data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
The following categories are analysed; the specific types of personal data are listed in the "Mapping of personal data" section.
IS Customers
All processed data is necessary. They are processed for the purposes of issuing a tax invoice, contacting the customer and fulfilling the contract.
IS Accounting
All processed data is necessary. They are processed for the purpose of issuing a tax invoice and the performance of the contract.
IS Marketing
All processed data is necessary.
IS Transport
All processed data is necessary. They are processed for the purpose of delivering the goods to the customer, contacting the customer and fulfilling the contract.
IS Legal Services
All processed data is necessary. They are processed for the purposes of drawing up contracts, debt recovery and legal advice.
3.4 Principle of accuracy (Article 5(1)(d) GDPR)
Our company will process personal data so that it is correct and updated as necessary; and will take reasonable and effective measures to ensure that personal data that is incorrect in relation to the purposes for which it is processed is erased or rectified without undue delay.
To ensure the principle of accuracy, our company has the following wording in the written consent to the processing of personal data:
"The data subject is obliged to provide true and up-to-date personal data. In the event of a change in the personal data, the data subject shall immediately notify the controller of the change."
3.5 Principle of minimising retention (Article 5(1)(e) GDPR)
Personal data will be stored by our company in a form which permits identification of the data subject at the latest for as long as necessary for the purpose for which the personal data are processed.
3.6 Principle of integrity and confidentiality (Article 5(1)(f) GDPR)
Personal data will be processed by our company in a manner that ensures adequate security of personal data, including protection against unauthorised processing of personal data, unlawful processing of personal data, accidental loss of personal data, erasure of personal data or damage to personal data, by means of appropriate technical or organisational measures.
3.6.1 Personal data stored in electronic documents
Our company uses Avast antivirus. Service and maintenance of computers is provided by the managing director.
Internet connection: Nortell, technology: fiber optics
3.6.2 Personal data stored in paper (printed) form
Physical documents are stored in sleeves and binders to protect them from damage.
Binders with physical documents are stored:
- in the locker
- in a locked office
This ensures that only authorised persons have access to these documents.
Physical documents are disposed of using a shredder.
3.7 Responsibility principle (Article 5(2) GDPR)
Our company is responsible for compliance with the basic principles of personal data processing, for the compliance of the processing of personal data with the principles of personal data processing and is obliged to demonstrate this compliance with the principles of personal data processing upon the request of the Authority.
4. Conditions for consent to the processing of personal data (Article 7 GDPR)
The company shall ensure that the following conditions are met when the data subject gives consent:
- consent to the processing of personal data must be freely given, specific, informed and unambiguous.
- the request for consent must be presented in a way that is clearly distinguishable from other matters, in a comprehensible and easily accessible form, and formulated in a clear and simple manner.
- the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject must be informed of this fact before consent is given. Withdrawal of consent must be as simple as providing it.
Our company has revised the written consents to the processing of personal data to comply with the requirements of the GDPR.
5. Conditions applicable to the child's consent in relation to information society services (Article 8 GDPR)
Where Article 6(1)(a) applies, in the context of an offer of information society services addressed directly to a child, the processing of the child's personal data is lawful only if the child is at least 16 years old. If the child is under 16 years of age, such processing shall be lawful only on the condition and to the extent that such consent has been given or authorised by the holder of parental responsibility.
In such cases, our company will make reasonable efforts to verify that the holder of parental rights and responsibilities has consented or approved, taking into account available technology.
6. Processing of special categories of personal data (Article 9 GDPR)
The GDPR prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of individually identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
However, this prohibition does not apply if any of the conditions of Article 9(2)(a) to (j) GDPR apply.
Our company processes health-related data on the basis of the condition in Article 9(2)(b) GDPR: the processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of labour law and social security and social protection law.
7. Rights of the data subject (Chapter 3 GDPR)
The rights of the data subject are governed by Chapter 3 of the GDPR and our company is committed to respecting them.
These include, for example, the following rights:
7.1 Information to be provided when obtaining personal data from the data subject (Article 13 GDPR)
Our company will provide the following information to the data subject when processing personal data:
- data about our company;
- the contact details of the responsible person, if any;
- the purposes of the processing;
- the legal basis for the processing;
- where the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, information that our company intends to transfer personal data to a third country or international organisation;
- the period of retention of the personal data or, if this is not possible, the criteria for determining it;
- the existence of the right to require the controller to have access to personal data relating to the data subject and the right to rectification or erasure or restriction of processing or to object to processing, as well as the right to data portability;
- where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent given prior to its withdrawal;
- the right to lodge a complaint with the supervisory authority;
- information on whether the provision of personal data is a legal or contractual requirement or a requirement necessary for entering into a contract, whether the data subject is obliged to provide personal data, as well as the possible consequences of not providing such data;
- the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the procedure used as well as the significance and foreseeable consequences of such processing for the data subject.
7.2 Information to be provided where personal data have not been collected from the data subject (Article 14 GDPR)
Our company shall provide the data subject, if the personal data have not been obtained from him or her, with all the information referred to in point 7.1 of this organisational directive, as well as the source of the personal data or, where applicable, information on whether the data come from publicly accessible sources.
Our company shall provide this information to the data subject within a reasonable period after obtaining the personal data, but at the latest within one month, taking into account the specific circumstances in which the personal data are processed as referred to in Article 14(3) of the GDPR.
Our company will not provide the data subject with this information in the cases referred to in Article 14(5) of the GDPR, in particular if:
- the data subject has already been given the information;
- the provision of such information proves impossible or would require disproportionate effort;
- the acquisition or disclosure is expressly provided for in Union law or in the law of the Member State to which the controller is subject and which lays down appropriate measures to protect the legitimate interests of the data subject.
7.3 Data subject's right of access (Article 15 GDPR)
The data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, if so, to obtain access to those personal data.
7.4 Right to rectification (Article 16 GDPR)
The data subject shall have the right to have inaccurate personal data concerning him or her rectified by the controller without undue delay. With regard to the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by providing a supplementary declaration.
7.5 Right to erasure (right to be forgotten, Article 17 GDPR)
The data subject shall also have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall erase the personal data without undue delay if one of the following grounds is met:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on the basis of which the processing is carried out pursuant to Article 6(1)(a) or Article 9(2)(a) and where there is no other legal basis for the processing;
- the data subject objects to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for processing or the data subject objects to processing pursuant to Article 21(2);
- personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject;
- the personal data were collected in connection with the offer of information society services pursuant to Article 8(1).
7.6 Right to restriction of processing (Article 18 GDPR)
The data subject shall have the right to have the controller restrict the processing in respect of one of the following cases:
- the data subject contests the accuracy of the personal data during a period allowing the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use;
- the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to establish, exercise or defend legal claims;
- the data subject has objected to processing pursuant to Article 21(1), pending verification that the legitimate grounds on the part of the controller override those of the data subject.
Notification obligation in relation to rectification or erasure of personal data or restriction of processing (Article 19 GDPR)
The controller shall notify each recipient to whom the personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or requires disproportionate effort. The controller shall inform the data subject of those recipients if the data subject so requests.
7.7 Right to data portability (Article 20 GDPR)
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without being prevented by the controller to whom the personal data have been provided if:
- the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b), and
- where the processing is carried out by automated means.
When exercising his or her right to data portability pursuant to Article 20(1), the data subject shall have the right to have the personal data transmitted directly from one controller to another controller, insofar as this is technically feasible.
7.8 Right to object (Article 21 GDPR)
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f), including to profiling based on those provisions.
7.9 Automated individual decision-making, including profiling (Article 22 GDPR)
The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects concerning him or her or similarly significantly affects him or her.
8. The responsibility of the controller (Article 24 GDPR)
Our company, as the operator, undertakes to comply with the following general obligations:
- Taking into account the nature, scope and purpose of the processing of personal data and the risks of varying likelihood and severity to the rights of the natural person, we undertake to take appropriate technical and organisational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR.
- We will update these measures as necessary.
- We will periodically review the duration of the purpose for processing personal data and ensure that the personal data is deleted without undue delay after the purpose has been fulfilled.
- Our company will maintain the confidentiality of the personal data it processes. The obligation of confidentiality continues even after the processing of personal data has been terminated.
9. Data protection by design and by default (Article 25 GDPR)
Our company undertakes to put in place, both prior to and during the processing of personal data, data protection by design, consisting of the adoption of appropriate technical and organisational measures, for example in the form of pseudonymisation, in order to implement adequate safeguards for the protection of personal data effectively and to comply with the GDPR.
When designing the protection of personal data, our company undertakes to take into account the state of the art, the costs of implementing the measures, the nature, scope, context and purpose of the processing, and the risks of varying likelihood and severity that the processing poses to the rights of the data subject.
Our company undertakes to implement data protection by default, which consists of the adoption of appropriate technical and organisational measures to ensure that personal data is processed only for a specific purpose, minimising the amount of personal data collected, the scope of its processing, the retention period and the availability of the personal data. Our company will ensure that personal data is not made accessible by default to an unlimited number of natural persons without the intervention of the natural person.
10. Processor (Article 28 GDPR)
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Our company, as the controller, uses processors who process personal data on its behalf. These include, for example, accounting and law firms.
The following processors process data for our company:
- ESPIK Group s.r.o., Orlov 133, Orlov 065 43: the provision of services in the field of personnel and accounting
Our company will only use processors providing sufficient guarantees that appropriate technical and organisational measures are taken to ensure that the processing complies with the requirements of the GDPR and to ensure the protection of the rights of the data subject.
Processing by a processor for our company is governed by a "personal data processing agreement". It binds the processor to the controller and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller and the processor.
Our company will sign amendments to the contracts with the aforementioned processors to ensure that the contracts comply with all the requirements of the GDPR.
11. Records of processing activities (Article 30 GDPR)
11.1 Records of the processing activities of the controller
Our company, as the controller, shall keep records of processing activities and make them available to the supervisory authority upon request. These records shall contain the following data:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the responsible person;
- the purposes of the processing;
- a description of the categories of data subjects and categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including an indication of the third country or international organisation concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of the appropriate safeguards;
- where possible, the time limits foreseen for the erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1) GDPR.
11.2 Records of processing activities of the processor
Our company, as processor, keeps records of processing activities and makes them available to the supervisory authority upon request. These records shall contain the following data:
- the name(s) and contact details of the processor(s) and of any controller on whose behalf the processor is acting and, where applicable, of the controller's or processor's representative and the person responsible;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1) GDPR.
12. Security of processing (Article 32 GDPR)
Our company shall take appropriate technical and organisational measures, taking into account the state of the art, the cost of implementing the measures and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to that risk.
Authorisation to process personal data (Article 32(4) GDPR)
Our company will take steps to ensure that any natural person acting under the authority of the controller or processor who has access to personal data processes that data only on our instructions, except where required to do so by Union or Member State law.
13. Notification of a personal data breach to the supervisory authority (Articles 33 and 34 GDPR)
In the event of a data breach, our company will notify the data breach to the supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of this fact.
If the notification has not been submitted to the supervisory authority within 72 hours, it shall be accompanied by a justification for the delay.
The data breach notification will include at least:
- a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
- the contact details of the responsible person in our company where more information about the data breach can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.
Our company will document each instance of a data breach, including the facts associated with the data breach, its consequences, and the remediation measures taken.
In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, our company will notify the data subject of the personal data breach without undue delay.
14. Data Protection Impact Assessment (Article 35 GDPR)
Where the type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing.
In particular, a data protection impact assessment is required in cases where:
- a systematic and extensive evaluation of personal aspects relating to natural persons is carried out based on automated processing, including profiling, and decisions having legal effects concerning, or similarly significantly affecting, the natural person are based on it;
- large-scale processing of special categories of data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10; or
- systematic monitoring of publicly accessible places on a large scale.
The processing activities of our company do not include the cases mentioned above; for this reason it is not necessary to carry out a data protection impact assessment.
15. Designation of the responsible person (Chapter 4, Section 4 of the GDPR)
The operator shall designate a responsible person if:
- the processing of personal data is carried out by a public authority or a public body, other than the courts in the exercise of their jurisdiction,
- the main activities of the controller or processor are processing operations which, by their nature, scope or purpose, require regular and systematic monitoring of the data subject on a large scale; or
- the main activities of the controller or processor are the large-scale processing of special categories of personal data pursuant to Article 9 of the GDPR or the large-scale processing of personal data relating to criminal convictions and offences pursuant to Article 10 of the GDPR.
As our company does not meet any of these conditions, it does not designate a responsible person.
16. Transfer of personal data to a third country or an international organisation
The transfer of personal data which are processed or intended to be processed after the transfer to a third country or an international organisation may only take place if the controller and the processor comply with the conditions, including the conditions for the onward transfer of the personal data from the third country in question or from the international organisation in question to another third country or another international organisation.
The Data Protection Authority publishes on its website a list of third countries, territories and designated sectors in the third country concerned and international organisations for which the European Commission has decided that an adequate level of protection is guaranteed or is no longer guaranteed.
The list is available at https://dataprotection.gov.sk/uoou/sk/content/prenos-do-krajin-zarucujucich-primeranu-uroven-ochrany.
Our company will regularly monitor this list and will follow Chapter 4 of the GDPR when transferring personal data to countries outside the DPA's list.
17. Confidentiality (§ 79 ZoOOÚ)
Our company is obliged to maintain the confidentiality of the personal data it processes. The obligation of confidentiality continues even after the processing of personal data has been terminated.
Our company is also obliged to require individuals who come into contact with personal data at the controller or processor to maintain the confidentiality of that personal data. The obligation of confidentiality pursuant to the first sentence continues after the termination of the employment, civil service relationship, service relationship or similar relationship of the natural person.