hejDUDE handles your personal data with care as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR) and Act No. 18/2018 Coll. on Personal Data Protection and on changes and supplements to some acts (hereinafter referred to as the “Personal Data Protection Act”). HejDUDE as the Controller is obliged to make certain information accessible on its website to the data subject (natural person whose personal data are being processed). Apart from its identification, contact data and the Data Protection Officer contact data, the public authority shall be obliged to make the data found in the bookmarks to the left accessible.
Within the meaning of Art. 24 of the GDPR Regulation and Section 31 of the Personal Data Protection Act, the Controller has adopted appropriate technical, organizational, personnel and security measures and safeguards that take into account, in particular:
- the principles of personal data processing, such as lawfulness, fairness and transparency, limitation and compatibility of the purposes of the processing of personal data, minimization of personally identifiable information, its pseudonymization and encryption as well as integrity, confidentiality and accessibility;
- the principles of necessity and proportionality (also applicable to the scope and amount of processed personal data, the retention period and access to the personal data of the data subject) of the processing of personal data in relation to the purpose of the processing operation;
- the nature, scope, context and purpose of the processing operation;
- resilience and recovery of personal data processing systems;
- instructing authorized persons working for the Controller;
- taking measures to identify the personal data protection breach without undue delay and to promptly inform the supervisory authority and the person responsible;
- adopting measures to ensure the correction or erasure of incorrect data or the realization of other rights of the person concerned;
- the risks of varying likelihood and severity for the rights and freedoms of natural persons (in particular the accidental or unlawful destruction of personal data, the loss or alteration of personal data, the misuse of personal data - unauthorized access or unauthorized disclosure, risk assessment with regard to origin, nature, likelihood and seriousness of risk related to processing and identifying best risk mitigation strategies).
One of the principles of personal data processing is the purpose limitation principle. According to this principle, personal data may be only collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Personal data processing has to be closely linked to the purpose of the personal data processing, in particular as regards the list or extent of the processed personal data, which should be necessary to achieve the purpose by processing of the particular personal data. It is not right to extend the list or extent of the personal data artificially or additionally with respect to the purpose. If the purpose and list or extent of the personal data has been laid down by law, it has to be respected; If the list or scope of the processed personal data is determined by the controller, it shall make sure not to extend it unnecessarily, outside the purpose.
The Personal Data Protection Act lays down the obligation of the controller to provide the data subject with information about the purpose of personal data processing, his/her personal data are intended for, even in the event that the personal data are not collected from the data subject directly. The data subject has to be provided with such information at the latest when collecting his/her personal data, or sufficiently in advance, clearly and legibly, in a way that he/she could truly become familiar with such information and understood it.
Therefore, we process your personal data to comply with legal obligations in the field of taxes and accounting, to satisfy a contractual obligation (delivery of goods or provision of customer service), marketing (sending information about products and goods of the Controller), customer profiling and registration on our portals.
Time of personal data processing or information on the criteria for its determination:
Your personal data is processed in shortest time possible. Most often, we will eliminate all your personal data that we process in a safe manner immediately after we have settled our contractual obligations or after you have revoked your consent to the processing of personal data or after the expiry of a reasonable period of time with respect to the principle of minimization of storage under Article 5 (1) e) of the General Data Protection Regulation that manages the storage of personal data. As the Controller we will ensure the deletion of personal data without undue delay after:
- all contractual relationships between you and our Company have been terminated; and / or
- all your commitments to our Company have disappeared; and / or
- all your claims and requests have been answered and solved; and / or
- all other rights and obligations between you and our Company have been settled; and / or
- all the processing purposes specified by the law or processing purposes that you have given us consent to have been fulfilled if the processing was carried out subject to the consent of the person concerned; and / or
- the period for which the consent was granted has expired or the person concerned has withdrawn the consent; and / or
- the request of the person concerned for the deletion of personal data was met and one of the reasons justifying the request was satisfied; and / or
- there was a decisive legal fact for termination of the purpose of the processing and at the same time the protective retention period defined with respect to the principle of minimization of the retention period of personal data expired;
- and at the same time there is no more the legitimate interest of our Company, we have ceased all obligations of our Company set forth by generally binding legal regulations requiring the retention of personal data of the person concerned (mainly for the purpose of archiving, tax audit, etc.) or that would not be possible without their preservation.
Any randomly obtained personal data will in any case not be further systematically processed for any purpose. If possible, we will inform the person concerned about the accidental data acquisition and, according to the nature of the case, we will provide the person with the necessary co-operation to restore control over his or her personal data. Immediately after carrying out these necessary actions aimed at solving the situation, we will eliminate all accidentally acquired personal data in a safe manner.
If you are interested in further information on the specific retention period of your personal data, please contact us via the contact details provided at our web site.
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing the Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR Regulation") and Act No. 18/2018 Coll. on the Protection of Personal Data and on amendments to certain laws (hereinafter referred to as the "Act"), provide you, as the Data Subject, with the following rights:
a) the right of the Data Subject to access personal data, the content of which is:
- the right to obtain from the Operator a confirmation of the processing of personal data relating to the Data Subject;
- if the personal data of the Data Subject is processed, the right to access the processed personal data and the right to obtain the following information:
- information on the purposes of the processing;
- information on the categories of personal data concerned;
- information on recipients or categories of recipients to whom personal data has been or will be made available, in particular to recipients in third countries or international organizations;
- where it is possible, information on the foreseen retention period of personal data or, if that is not possible, information on the criteria for its establishment;
- information on the existence of the right to require the Operator to correct personal data relating to the Data Subject or to erase or restrict their processing and to the right to object to such processing;
- information on the right to lodge a complaint with the supervisory authority;
- if personal data has not been obtained from the Data Subject, any available information regarding their source;
-information on the existence of automated decision-making, including the profiling referred to in the Article 22, par. 1 and 4. The Regulations and, in such cases, at least meaningful information on the procedure followed, as well as the significance and the implications of such processing of personal data for the Data Subject;
- the right to be informed of adequate safeguards pursuant to Article 46 of the Regulation concerning the transfer of personal data when personal data is transferred to a third country or to an international organization;
- the right to receive copies of the personal data being processed, however, subject to the condition that the right to receive a copy of personal data being processed must not have adverse effects on the rights and freedoms of others;
Right of the person concerned to access personal data in its essence means that the Data Subject has the right to obtain a confirmation from us that personal data concerning him/her is being processed and, if so, the Data Subject has the right to access such personal data. At the request of the Data Subject, we shall provide a copy of the personal data being processed. Any additional copies requested by the Data Subject may be subject to a reasonable fee corresponding to the administrative costs. If the Data Subject has filed an application electronically, the information will be provided in the commonly used electronic form, unless the Data Subject has requested another form. Information must be provided immediately, within 1 month at the latest. We have the right to extend the processing period of the application for another 2 months if the request is complex or frequent. However, we must notify the Data Subject within one month of the reason for the extension of the processing period. If the requests are unjustified or too frequent, we have the right to impose a reasonable charge or reject the application. We have to explain the reason for the refusal and the right of the Data Subject to refer the complaint to the supervisory authority.
b) the right of the Data Subject to correct personal data, the content of which is:
- the right of the Data Subject to require the Operator to correct without undue delay inaccurate personal data relating to the Data Subject;
- the right to supplement an incomplete personal data of the Data Subject, including the provision of a supplementary statement of the Data Subject;
- the right of the Data Subject to correct personal data means that you may ask us at any time to correct or supplement your personal data if it is inaccurate or incomplete. The Data Subject has the right to supplement his/her incomplete personal data, including by the provision of a supplementary statement of the Data Subject;
c) the Data Subject's rights to erase personal data (so-called right "to be forgotten"), the content of which is:
- the Data Subject's right to require the Operator to delete, without undue delay, the personal data relating to the Data Subject, if any of the following reasons prove as true:
- personal data are no longer needed for the purposes for which they were acquired or otherwise processed;
- The Data Subject has withdrawn his/her consent under which the processing is carried out, subject to the condition that there is no other legal basis for the processing of personal data;
- The Data Subject objects the processing of personal data in accordance with Article 21, par. 1. of the Regulation and any legitimate reasons for the processing of personal data do not preclude it, or the Data Subject objects to the processing of personal data under Article 21 par. 2 of the Regulation;
- personal data has been processed unlawfully;
- personal data must be erased in order to comply with a statutory obligation under European Union law or the law of the Member State to which the Operator is subject;
- personal data has been obtained in connection with the offer of information society services pursuant to Article 8, par. 1. of the Regulation;
- the right to ask the Operator who has made public the Personal Data of the Data Subject, taking into account the available technology and the cost of implementing the measures, to take appropriate measures, including technical measures, to inform other operators who process the personal data that the Data Subject requests them to delete all links to such personal data and the copies or replica thereof;
while it is understood that the Data Subject's right to erase personal data with the content of the rights referred to in Article 17, par 1 and 2 of the Regulation [i.e. with the content of the rights according (i) and (ii) of this section c) of the point J of this document] shall not arise, if the processing of personal data is necessary:
1. to exercise the right to freedom of expression and access to information;
2. to meet the legal obligation that requires processing under European Union law or the law of the Member State to which the operator is subject, or the performance of a task carried out in the public interest or in the exercise of public power entrusted to the Operator;
3. for reasons of public interest in the field of public health, in accordance with Article 9, par 2, section h) and i) of the Regulations, as well as Article 9, par. 3 of the Regulation;
4. for the purpose of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes under Article 89, par. 1 of the Regulation, if it is probable that the right referred to in Article 17, par. 1 of the Regulation, will prevent or significantly limit the achievement of the objectives of such processing of personal data; or
5. for proving, enforcement or defence of legal claims;
Data Subject's right to erase personal data therefore means that we have to erase your personal data if (i) the data is not necessary for the purposes for which it has been collected or otherwise processed, (ii) the processing is unlawful, (iii) you have objected the processing, and there are no overriding legitimate reasons for processing, or (iv) the processing is stemmed from a legal obligation imposed on us.
d) the right of the Data Subject to limit the processing of personal data, the content of which is:
- the right to require the Operator to limit the processing of personal data in one of the following cases:
The Data Subject has objected the correctness, namely during a period allowing the Operator to verify the correctness of personal data;
- the processing of personal data is illegal and the Data Subject objects to the deletion of personal data and asks for the limitation of their use;
- The Operator no longer needs personal data for processing purposes, but the Data Subject needs them for proving, enforcement or defending of his/her legal claims;
- The Data Subject has objected the processing in accordance with the Article 21, par. 1 of the Regulation, until the verification whether legitimate reasons on the part of the Operator prevail the legitimate reasons of the Data Subject;
- the right of the Data Subject, if the processing of personal data has been limited in accordance with subparagraph (i) of this section d) of point J of this document, to require that such limited processing of personal data, except for its retention, shall be carried out only with the consent of the Data Subject, or carried out for the purpose of proving, enforcement or defending of legal rights, or for the protection of the rights of the other natural or legal person or for reasons of important public interests of the European Union or of a Member State;
- the right to be informed in advance of the lifting of the limitation on the processing of personal data;
The right of the Data Subject to limit the processing of personal data, means that until we resolve any disputes regarding the processing of your personal data, we have to restrict the processing of your personal data so that the personal data of the Data Subject can only be stored and not further processed.
e) the right of Data Subject to require the Operator to fulfil its notification obligation towards the recipients, the content of which is:
- the right of the Data Subject to require the Operator to notify any recipient to whom the personal data have been provided about any correction or deletion of personal data or the limitation of data processing made pursuant to the Article 16, Article 17, par 1., and the Article 18 of the Regulation, unless it proves impossible or involves a disproportionate effort;
- the right of the Data Subject to require the Operator to inform the Data Subject about such recipients, if requested by the Data Subject;
The right of the Data Subject to require the Operator to fulfil its notification obligation towards the recipients, means the obligation of the Operator to notify each recipient to whom the personal data of the Data Subject has been provided, about any correction and deletion of the personal data or limitation of their processing. The Operator is stripped of such obligation only if such notification is impossible due to objective conditions or it would require unreasonable effort.
f) the right of the Data Subject for a transfer of the personal data, the content of which is:
- the right to obtain personally identifiable data relating to the Data Subject, which has been provided to the Operator, in a structured, commonly used and machine readable format and the right to transfer such data to other Operator without being prevented by the Operator to do so, if:
- the processing is based on the consent of the Data Subject in accordance with the Article 6, par. 1, sect. a)of the Regulation or the Article 9, par. 2 sect. a) the Regulation, or based on the contract referred to in the Article 6, par. 1, sect. b) of the Regulation, and at the same time;
- the processing is carried out by automated means, and at the same time;
-the right to obtain personal data in a structured, commonly used and machine-readable format, and the right to transfer such data to other Operator without being prevented by the Operator to do so, will not adversely affect the rights and freedoms of others;
- the right to transfer personal data directly from one Operator to the other, if it is technically feasible;
The right to data portability means that you have the right to obtain from us your personal data that you have previously provided us in a structured, commonly used and machine readable format and you have the right to require us to transfer your personal data to the other Operator subject to the statutory conditions; by exercising of this right your right for personal data deletion is not affected. However, the right of data portability concerns only the personal data we have obtained from you under a contract to which you are a party.
g) Right of the Data Subject to object, the content of which is:
- the right to object at any time on grounds relating to the specific situation of the Data Subject the processing of personal data, which is carried out under Article 6, par. 1, sect. e) or (f) of the Regulation, including the objection to the profiling based on these provisions of the Regulation;
- [in the case of exercising of the right to object at any time on grounds relating to the specific situation of the Data Subject the processing of personal data, which is carried out under Article 6, par. 1, sect. e) or (f) of the Regulation, including the objection to the profiling based on these provisions of the Regulation] the right to ask the Operator to stop further processing of the personal data of the Data Subject, until it proves the necessary legitimate reasons for data processing, which prevail the legitimate interests, rights and freedoms of the Data Subject, or the reasons for proving, enforcing or defending its legal claims;
- the right of the Data Subject to object at any time the processing of personal data relating to the Data Subject for the purposes of direct marketing, including profiling to the extent that it relates to the direct marketing; it should be understood that if the Data Subject has objected to the processing of his/her personal data for the purpose of direct marketing, the personal data may no longer be processed for such purposes;
- (in connection with the use of the information society services) the right to exercise the right to object the processing of personal data by automated means using the technical specifications;
- the right to object for reasons relating to the particular situation of the Data Subject against the processing of personal data relating to the Data Subject if the personal data are processed for the purposes of scientific or historical research or for statistical purposes according to the Article 89, par. 1 of the Regulation, however, except for cases where the processing is necessary for the fulfilment of tasks in the public interest;
The right of the Data Subject to object, therefore means that you, as the Data Subject, may object to the processing of your personal data processed by us for the purposes of direct marketing or due to legitimate reasons. We shall cease the processing of your personal data for the purpose of direct marketing immediately upon receipt of the objection.
h) Right of the Data Subject related to the automated individual decisions, the content of which is:
- the right not to apply to the Data Subject a decision based solely on the automated processing of personal data, including profiling, which has legal effects affecting the Data Subject, or has similar significant effect, except for cases referred to in the Article 22, par. 2 of the Regulation [i.e. except for cases where the decision: (a) is necessary for the conclusion or performance of a contract between the Data Subject and the Controller, (b) is authorized by European Union law or the law of the Member State to which the operator is subject and which also provides for the appropriate measures to ensure the protection of rights and freedoms and legitimate interests of the Data Subject or (c) based on the explicit consent of the Data Subject];
The right of the Data Subject related to the automated individual decisions means that you as the Data Subject are entitled to be exempted from a decision that is based solely on automated processing, including profiling, and has legal effects affecting you, or has similar significant effect. In cases where such processing is necessary for the conclusion or performance of a contract or is based on the explicit consent of the Data Subject, the Operator shall take appropriate measures to protect the rights and freedoms and the legitimate interests of the Data Subject, in particular, as a minimum, to take measures, such as the right to human intervention by the Operator, the right of the Data Subject to express his/her opinion and the rights of the Data Subject to challenge such decision.
i) Right of the Data Subject to file a motion to initiate proceedings according to the Article 100 of the Personal Data Protection Act, the content of which is:
- the right of the Data Subject, who believes that his or her personal data are being misused or their processing is unauthorized, submit to the Office for the Protection of Personal Data of the Slovak Republic (hereinafter referred to as "the Office") a motion to initiate the procedure for the protection of personal data;
- The application may be filed in writing, in person orally in the form of a report, by electronic means, where it must be signed by a guaranteed electronic signature, by telegram or by fax, but it must be completed in writing or verbally in the report within 3 days at the latest;
- The filing must, in accordance with the provisions of the Article 100, par. 3 of the Personal Data Protection Act, include:
- name, surname, permanent address and signature of the petitioner;
- designation of the person against whom the filing is directed; designation or name, surname, place of residence or permanent address, or legal form and the identification number;
- the subject of the filing, indicating which rights of the petitioner have been violated during the processing of personal data;
- the evidence supporting the claims made in the filing;
- a copy of the document proving the exercise of the right under the Article 28, if such a right may be invoked, or the provision of reasons worthy of special consideration;
- The Office subsequently decides on the petitioner's filing within 60 days of the opening of the proceedings. In justified cases, the Office may extend this period adequately, but not exceeding six months. The Office shall inform in writing the parties to the proceedings about the extension of time;
- You can find the template of the petition for opening of the procedure for the protection of personal data at the Office's web site (https://dataprotection.gov.sk).
What are cookies?
Cookies are small text files that may be sent to your Internet browser when you visit a website and stored on your device (computer or other device with access to the Internet, such as smartphone or tablet). Cookies are stored in the file folder of your Internet browser. Cookies usually contain the website title they are coming from and their date of origin. When you next visit the website, the browser reads the cookies and sent the information back to the website originally creating the cookies. The cookies we are using are not harmful to your computer.
How can you change your cookies settings?
Most of the Internet browsers are set to automatically accept cookies as a default. These settings can be changed by blocking cookies or by notification if cookies are to be sent to your device. You can find the instructions for changing cookies in the “Help” option of every browser. If you use different devices to access the websites (e.g. computer, smartphone, tablet), we recommend to adjust the browser on each of your devices to your cookie preferences.
Why keep the cookie settings?
It is up to you whether or not you decide to use the cookies and enable them on your Internet browser. However, if you change the settings, the functionality of some of our web pages may be restricted and the user comfort reduced.
Information on the right to require access to personal data of the data subject from the relevant authority, correction, erasure or restriction of processing thereof
The data subject has a right to obtain confirmation from the relevant authority of personal data concerning them which are being processed, and if this is the case, to obtain access to such personal data and information about
a) The purpose of the personal data processing and the legal basis of the personal data processing,
b) The categories of the processed personal data,
c) The recipient or categories of recipients who were or should be provided with the personal data, in particular the recipients in a third country or international organisation,
d) The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,
e) The existence of the right to request from the relevant authority rectification or erasure of personal data or restriction of processing of personal data as well as the right to object to the personal data processing,
f) The Office contact details,
g) The existence of the right to file the proceedings under Art. 100,
h) The source of the personal data, if available.
Natural person should have the right of access to personal data which have been collected concerning him/her, and to exercise that right easily, in order to be aware of, and verify, the lawfulness of the processing. Every data subject shall have the right to be aware and to be informed in particular about the purposes of data processing, categories of the personal data concerned and on the period for which the data will be processed as well as the personal data recipients, etc. To comply with this right, it is sufficient if the data subject has access to full summary of the data concerned in an intelligible form, i.e. the form enabling the data subject to be informed about the data concerned and to exercise the rights granted by this Act.
The relevant authority may fully or partially restrict the access to their personal data, in particular within the extent and for the period as necessary and reasonable with respect to the rights and legitimate interests of the data subject in a democratic society, to prevent obstruction of the official or judicial detection, investigation or proceedings, to prevent threats to the performance of tasks for the purposes of criminal proceedings, to protect public security or national security or to protect the rights and freedoms of others. The relevant authority should assess, through specific and individual review of every case, whether or not the right of access should be partially or fully restricted.
The data subject should be notified of the restriction of access in principle in writing, including the fact or law reasons such decision is based on.
The data subject also has the right to rectification of any incorrect personal data concerning him/her, as well as the right to erasure if the processing of such data infringes the law. However, the content of witness testimony, for example, should not be affected by the right to rectification.
The data subject has the right to restriction of processing, if the accuracy of the personal data is contested by the data subject and it is not possible to determine their correctness or incorrectness or if the personal data shall be stored for the substantiation purposes. Processing should be restricted instead of erasure in mainly if, in a particular case, it can be reasonably considered that the erasure could impact the data subject's legitimate interests. In such case, the restricted data should be only processed for the purposes preventing the erasure thereof. Methods by which to restrict the processing of personal data could include, inter alia, moving the selected data to another processing system, for example for archiving purposes or making the selected personal data unavailable. In the automated information systems, the restriction of processing should in principle be ensured by technical means. The fact that the processing of personal data is restricted should be clearly indicated in the system so that it was clear that the personal data processing is restricted. The recipients who were provided the data and the relevant authorities the incorrect data originate from should be notified of such rectification or erasure of personal data or restriction. The relevant authorities should also refrain from further distribution of such data.
Certificate number: Osobnyudaj.sk-2018-12185
Ing. Peter Prusák
0948 515 925