Statement on the processing of personal data

Statement on the processing of personal data according to the regulation of the European Parliament and of the Council (EU) 2016/679 on data protection
of private individuals with regard to the processing of personal data and notification of the data subjects (hereinafter referred to as “GDPR”)

1. Introduction

This statement is processed and published for reasons of provision of information on procedures and obligations of our company in the field of application of requirements of the GDPR regulation. The following text uses the following terms:

• PD = personal data, i.e. any information leading to the identification of a specific person
• PD owner – the entity which is the holder of personal data which is kept and processed by our company
• Administrator – our company, which records, processes, archives and protects your PD

2. The range of processing of personal data

Personal data is processed to the extent in which the data subject provided any such to the Administrator, in the context and on the basis of a freely-made decision at the time of creation of a relationship or registration, and furthermore  within the framework of a contractual or other legal relation with the Administrator, or which the Administrator collected by other means and processes in accordance with the applicable legal regulations, or in order to perform legal obligations as the Administrator.

3. Personal data sources

Personal data is collected from PD owners (business communication, purchases, delivery of products and services, contact form on the web, communication by telephone, business cards, etc.) Another source of personal data is the necessary scope of information provided by job seekers and employees. If personal data is obtained from public sources, it is used solely for the need of implementation of a business relationship or in accordance with the consent granted by the personal data holder.

4. Categories of personal data which is the subject matter of processing

• This is the identification information used for clear and unmistakable identification of the PD owner (name and surname, date of birth, birth certificate number, permanent address of residence, etc.)
• Descriptive information (such as bank account details)
• Information necessary for implementation of the contract (email, telephone, address of workplace, function) etc.
• Any information provided above and beyond of the relevant laws and legislative regulations is processed within the framework of a consent granted by the PD owner.

5. Categories of PD owners

This is in particular in respect of:

• Customers
• Customers´ customers
• Employees and workers engaged on the basis of agreements on non-business activities and job candidates
• Owners of personal data of suppliers and associates providing services necessary for the operation of our company
• Other entities, who are in a contractual relationship with the PD Administrator

6. Categories of recipients of personal data

• The State and other authorities within the framework of performance of statutory obligations laid down by the relevant legislation
• Financial institutions and organizations of public administration
• Third parties and organizations on the basis of a consent granted by a PD owner
• Our company as a PD Administrator

7. Purpose of personal data processing

• The purpose contained within the framework of consent granted by the data subject
• Negotiations on a contractual relationship
• Performance of a contract
• Protection of the rights of the Administrator, recipient or other interested persons
• Archives kept on the basis of the law
• selection procedures to fill vacancies
• Fulfilment of legal obligations on the part of the administrator
• Protection of vital interests of the PD owner or other entities

8. Method of processing and protection of personal data

Personal data processing is performed by the Administrator which guarantees that all obligations in the processing of PD and rights of the PD owner will be met.

The processing is carried out at the registered address and business premises of the Administrator. The processing takes place using computer technology or manual procedures in respect of PD in paper form in compliance with all the security policies for the administration and processing of personal data. To this end, the Administrator adopted technical and organizational measures for the protection of PD, in particular measures against unauthorized or inadvertent access to PD, its alteration, destruction or loss, unauthorized use or transfer of PD, or other abuse of PD. All entities, to which PD may be made available, respect the right of the PD owner for the protection of privacy and are obliged to proceed in accordance with the laws relating to PD protection.

9. Period of personal data processing

In accordance with the time limits referred to in the relevant contracts, filing and shredding regulations of the Administrator or the relevant legislation, this is a period strictly necessary for the safeguarding of the rights and obligations resulting from the contractual relationship and the relevant legislation.

10. Notification

• The State and other authorities within the framework of performance of statutory obligations laid down by the relevant legislation
• Financial institutions and organizations of public administration
• Third parties and organizations on the basis of a consent granted by a PD owner
• Our company as a PD Administrator

11. Purpose of personal data processing

The Administrator processes the data with the consent of the PD owner with the exception of cases provided for by law, where the processing of personal data does not require the consent of the PD owner.

In accordance with Article 6, Paragraph 1 of the GDPR the Administrator may process personal data without the consent of the PD owner if:

• The processing is necessary for the performance of a contract, where the Contracting Party is the PD owner, or in order to implement pre-contractual measures taken at the request of such PD owner;
• The processing is necessary for compliance with a legal obligation on the part of the Administrator;
• The processing is necessary to protect vital interests of the PD owner or another private entity;
• The processing is necessary for the performance of a task carried out in public interest or in the exercise of official authority to which the Administrator was entrusted;
• The processing is necessary for the purpose of protection of legitimate interests of the relevant administrator or a third party, except cases where such interests are secondary to interests or fundamental rights and freedoms of a PD owner requiring personal data protection.
• In other cases, personal data processing is subject to a consent of a PD owner, granted under the terms of GDPR.

12. Rights of the data subject

• In accordance with Article 12 of GDPR at a request of the PD owner the Administrator provides information on the right of access to personal data and the following information:
  • Purpose of personal data processing
  • Category of personal data concerned
  • Recipients or categories of recipients to whom the PD was made available
  • Planned time for which the personal data will be stored
  • All information available on the source of personal data
  • Of the fact whether automatic decision making is being carried out, including PD profiling
• Each PD owner, who determines or believes that the Administrator performs processing of his PD in conflict with the protection of personal and private life of the PD owner or in conflict with the law, in particular, if the personal data is inaccurate with regard to the purpose of its processing, he may:
• Request the Administrator to remedy such defective state of affairs. In particular he may request blocking, correction, supplementation or deletion of personal data.
• If such a request of the PD owner according to Paragraph 1 of this Chapter is found to be justified, the Administrator shall remove the defective state without delay.
• If the Administrator fails to comply with the request of the data subject in accordance with Paragraph 1, the PD owner shall be entitled to apply directly to the supervisory authority, i.e. the Office for Personal Data Protection (ÚOOÚ)
• The procedure in accordance with Paragraph 1 shall not preclude the PD owner to address the supervisory authority directly.
• The Administrator has the right to request adequate compensation for the provision of information not exceeding the cost necessary to provide any such.