PERSONAL DATA PROCESSING PRINCIPLES
AND INFORMATION FOR THE PERSONS CONCERNED
Data Controller, the commercial company ERFOLG s.r.o., with the registered office at Hlavná 686/114, 077 01 Kráľovský Chlmec, Slovak Republic, reg. no.: 36 608 441, registered in the Commercial Register of the District Court Košice I, section Sro, file no. 18247/V, e-mail address: firstname.lastname@example.org, phone no.: +421 56 321 0230 (hereinafter referred to as “Company” or “Data Controller”) processes the personal data of the persons concerned within its activities.
For the purpose of these Principles and Information for the Persons Concerned:
the person concerned means a natural person, to whom the personal data relate,
personal data means any information relating to an identified or identifiable natural person, such as a title, first name, surname, date of birth, personal identification number, phone number, e-mail address, IP address etc.
1. The Company declares that it processes the personal data of the persons concerned pursuant to Act no. 18/2018 Coll. on Personal Data Protection as amended (hereinafter referred to as “act”) and Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing the Directive 95/46/ES (hereinafter referred to as “directive”), effective as of 25 May 2018.
2. Proper processing of the personal data of the persons concerned is very important for our company and we put an appropriate emphasis on their protection; therefore we would like to hereby provide you with detailed information, in particular on why we process your personal data, on what basis and for what purpose and what rights you have in connection with the processing of your personal data, as well as other important information.
3. The Company deems all personal data strictly confidential and it handles them in accordance with the applicable legal provisions in the personal data protection area.
4. In order to ensure protection and security of the processed personal data, the company has adopted appropriate technical and organizational measures. Security measures of a technical and organizational nature protect the processed personal data from damage, destruction, loss, unauthorized access and disclosure, by publishing or providing them to unauthorized persons, as well as from any other inadmissible processing. Employees of the Data Controller and other persons authorized to handle the personal data of the persons concerned shall, in accordance with the directive and the act, be duly informed on their obligations, in particular on the obligation to maintain confidentiality of the personal data.
Purposes, Legal Basis and the Period of Processing the Personal Data by the Company
5. We process your personal data for the following purposes:
a. Concluding, recording and administrating business cases in relation to ensuring and/or performing the transport of goods, including customer care (hereinafter referred to as ²contract²), negotiating of business cases – contracts with customers, communication with potential customers, who have expressed interest in services and products of our company. The legal basis for processing is the performance of the contract and implementation of measures prior to the conclusion of the contract pursuant to Art. 6 par. 1 b) of the directive.
6. For the purposes of concluding, recording and administrating business contracts (letter a. of par. 6), the Data Controller shall be entitled to process the personal data during the term of the contract, until the final settlement of all obligations of the contracting parties under the contract and for a maximum of 2 years following the date of final settlement of all obligations of the contracting parties under the contract. Upon termination of the contract the Data Controller shall process the personal data for the purpose of executing the procedure for recovering of due amounts and/or filing a claim and other related procedures and only to the extent necessary to achieve this purpose. The personal data of the persons concerned may be processed for a longer period only if it is necessary under the relevant legislation or for the period of required archiving of accounting documents, contractual and other documentation and only to the extent necessary. Processing of the personal data of the person concerned, i.e. also their provision to the Data Controller for the purpose specified in this section is necessary in order to conclude, perform and maintain the contract. In case the person concerned fails to provide own personal data, the contract cannot be concluded and therefore the services and other products of the company cannot be provided either.
7. Processing for the purposes of the performance of the contractual relationship, accounting and tax purposes and the performance of other legal obligations are statutory or contractual requirements. Without providing them, the Data Controller cannot arrange the customer’s order and conclude the contract.
Scope of the Processed Personal Data
8. The persons concerned, whose personal data are processed by the Data Controller, are customers and/or business partners of the Data Controller, who are natural persons and members of statutory bodies, contact persons of legal entities or other persons authorized to act on behalf of legal entities – customers and/or business partners of the Data Controller and employees or other cooperating persons of customers and business partners of the Data Controller.
9. With regard to the relevant legal basis and purpose of the processing, the company processes the following personal data or personal data categories:
– identification and address details: first name, surname, title, residence address, delivery or other contact address, date of birth, handwritten signature;
– contact details: e.g. phone number, e-mail address;
– data related to the contractual relationship: bank account number, order history, documents on authorization to perform the relevant activity;
– data provided by a customer in an order/contact form or in other documents and in communication with the company within a business case.
10. The person concerned shall be liable and responsible for ensuring that all personal data provided to the Data Controller are true, correct and complete and that any changes shall be notified immediately to the Data Controller.
Access to Personal Data and Transfer of Data to Third Countries
11. The access to personal data shall be allowed to the following categories of recipients (our business partners, who perform activities related to the contract or to other activities and obligations of the Data Controller with regard to the services and products of the Data Controller):
– providers of accounting, financial, tax advisory,
– providers of IT services,
– providers of administration of our websites,
– providers of analytical services, providers of software solutions used by the company,
– providers of legal services, lawyers,
– providers in the area of administration and recovery of claims of the Data Controller (Timocom, T-trans)
– providers of printing, transport and delivery services,
– partners cooperating with us on loyalty programs, organizing conferences, seminars and other presentations,
12. The Data Controller may, pursuant to Art. 28 of the directive authorize another person – the data processor, to process personal data on behalf of the Data Controller, solely for the purpose of processing, for which the personal data were provided. The Data Controller declares that when selecting data processors it considers their professional, technical, organizational and personal competence and ability to guarantee security of the processed data. The Data Controller and the data processors conclude a personal data processing agreement, which binds the data processor to observe the specified personal data protection terms. The list of data processors is available at the Data Controller’s registered office upon request of the person concerned.
13. The transfer of personal data of the person concerned to third countries or international organizations shall not be performed.
14. The Data Controller does not process personal data by profiling or by any other similar method based on automated individual decision-making.
Rights of the Persons Concerned
15. The person concerned shall have the right to access his/her data. Based on the request of the person concerned, the Data Controller shall issue a confirmation on whether the personal data of the person concerned are being processed. If the Data Controller processes such personal data, it shall issue a copy of these personal data upon request of the person concerned.
16. If the person concerned requests information by electronic means, it will be provided in a commonly used electronic form by e-mail, unless expressly requested otherwise.
17. The person concerned has the right to rectify the personal data, if the Data Controller records incorrect personal data in relation to the person. At the same time, the person concerned has the right to complete the incomplete personal data. The Data Controller shall make a rectification or completion of the personal data without undue delay, upon request of the person concerned.
18. The person concerned shall have the right to the deletion of personal data relating to him/her, provided that:
a. personal data are no longer needed for the purposes for which they were collected or otherwise processed;
b. the person concerned revokes the consent, based on which the processing is carried out,
c. the person concerned objects to the processing of personal data under par. 25. of this Article,
d. personal data were processed unlawfully,
e. the reason for deletion is the fulfilment of an obligation under a law, special regulation or international treaty that is binding for the Slovak Republic or
f. personal data were collected in connection with the provision of information society services to the person under the age of 16.
19. The person concerned shall not have the right to the deletion of personal data, provided that their processing is necessary:
a. to exercise the right to freedom of expression and information;
b. to fulfil an obligation under a law, special regulation or international treaty that is binding for the Slovak Republic or to fulfil a task performed in the public interest or in the execution of public authority entrusted to the Data Controller,
c. on the ground of public interest in the public health area,
d. for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes, as long as it is likely that the deletion right will prevent or seriously impair the fulfilment of objectives of such processing or
e. to demonstrate, enforce or defend legal claims.
20. The Data Controller shall, upon request, delete the personal data of the persons concerned, without undue delay, after evaluating the concerned person’s request as reasonable.
21. The person concerned has the right to the restriction of personal data processing, as long as:
a. he/she impugns the correctness of the personal data by an objection under par. 25. of this Article, during the period allowing the Data Controller to verify the correctness of the personal data;
b. processing is illegal and the person concerned requests a restriction of use of the personal data instead of their deletion;
c. the Data Controller no longer needs the personal data for processing, but the person concerned needs them to demonstrate, enforce or defend legal claims;
d. the person concerned has objected to the processing of the personal data on the basis of the eligible right of the Data Controller, until verifying whether eligible grounds of the Data Controller outweigh the eligible grounds of the person concerned.
22. As long as the person concerned requests the restriction of the personal data processing, the Data Controller shall not perform any processing operations with them, except for archiving, without the consent of the person concerned.
23. The person concerned shall be informed by the Data Controller in case the restriction of the processing of such data is abrogated.
24. The person concerned has the right to data transferability, which means the acquisition of personal data he/she has provided to the Data Controller, while he/she has the right to transfer such data to another Data Controller in a commonly used and machine-readable format, provided that the personal data were acquired with the consent of the person concerned or under a contract and their processing is performed by automated means.
25. The person concerned has the right, at any time, to object to the processing of his/her personal data on the grounds related to his/her specific situation. The person concerned may object to the processing of his/her personal data on the ground of:
a. a legal title to the fulfilment of tasks performed in the public interest or in the execution of public authority or a legal title of an eligible interest of the Data Controller,
b. processing of personal data for the purpose of direct marketing,
c. processing for the purpose of scientific or historical research or for statistical purposes.
26. If the person concerned objects to the processing of his/her personal data for direct marketing purposes under par. 25. point b. of this Article, the Data Controller may not continue in processing his/her personal data.
27. The Data Controller shall assess the delivered objection within a reasonable time. The Data Controller may not continue in processing the personal data, unless it demonstrates necessary eligible interests for the processing of the personal data, which outweigh the rights or interests of the party concerned or the grounds for exercising a legal claim.
28. The person concerned has the right to ineffectiveness of an automated individual decision-making, including profiling, if the Data Controller processes personal data by profiling or by any similar method based on automated individual decision-making.
29. The person concerned has the right, at any time, to withdraw his/her consent to the processing of personal data, if the processing of personal data was based on such legal basis.
30. The person concerned shall withdraw his/her consent by contacting the Data Controller with the request by any chosen method. The contact details of the Data Controller are provided in the above section ²Introductory Provisions².
31. However, the lawfulness of personal data processing on the basis of the consent provided shall not be affected by its withdrawal.
32. The person concerned has the right to bring a case to the Office for Personal Data Protection of the Slovak Republic, if he/she suspects that his/her personal data protection rights were violated.
33. The person concerned may submit own suggestions and requests related to the processing of personal data to the Data Controller, in writing or by electronic means to the contact details specified above.
These Personal Data Processing Principles of the company ERFOLG s.r.o. shall come into force as of 25 May 2018.