Personal Data Protection Policy

May 25th, 2018 new legislation entered into force regarding the protection of personal data, therefore we are now informing you about the processing of personal data under the Regulation of the European Parliament and of the Council (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") and the Act No. 18/2018 Z. z. on Personal Data Protection and on Amendments to Certain Acts.

The Controller: Top privacy s.r.o., Robotnícka 11591/1J 036 01 Martin, Company's ID No.: 51421291, e-mail address: info@topprivacy.sk in connection with its operations, processes personal data for various purposes, mostly the processing of personal data is required by a special law or international agreement that is binding for the Slovak Republic.

We would like to also inform you about the manner in which we handle your personal data and about your rights and the legal bases of the processing of personal data.  While becoming familiar with the information under Articles 13 and 14 of GDPR, you may encounter terms that are defined as follows:

Definition of Basic Terms

• consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
• biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
• data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
• processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
• pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
• log means a record of the course of a user's activity in an automated information system`
• on-line identifier means an identifier provided application, tool or protocol, in particular, IP address, cookies, credentials for on-line services, radio frequency identification, which may leave traces which, in particular when combined with unique identifiers and other information may be used to create a profile of a natural person and to identify that person.
• information system is any arranged set of personal data that is accessible according to specified criteria, regardless of whether it is a centralised, decentralised system or a system distributed on a functional or geographic basis,
• data subject is any natural person whose personal data is processed,
• controller means anyone who, alone or jointly with others, defines the purpose and means of personal data processing and processes personal data in its own name; a controller or specific requirements for its definition may be provided for in a special law or an international agreement, by which the Slovak Republic is bound if such law or such agreement establishes the purpose and means of personal data processing,
• recipient means anyone who is provided with personal data, irrespective of whether it is a third party; a recipient is not a public authority that processes personal data on the basis of a special law or international agreement by which the Slovak Republic is bound in accordance with personal data protection rules applicable to the given purpose of personal data processing,
• third party means any person other than the data subject, controller, processor, and any other person who under the authority of the controller or processor, is authorised to process personal data,
• a data protection officer appointed by the controller or processor, performing tasks under GDPR and Act No. 18/2018 Z. z.
• representative means a natural or legal person with registered office, place of business, organisational unit, establishment or permanent residence in a Member State who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor,
• enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations of natural or legal persons regularly engaged in an economic activity,
• group of undertakings means a controlling undertaking and its controlled undertakings,
• main establishment:

1. means, as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment,
2. as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under GDPR and the Act No. 18/2018 Z. z.,

• international organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
• Member State means a state which is a Member State of the European Union or a party to the Agreement on the European Economic Area,
• a third country means a country that is not a Member State.

In the next section you will find the names of information systems, which are divided according to the purpose of personal data processing, each containing detailed information under Articles 13 and 14 of GDPR, giving you a detailed explanation of why and how we process your personal data.

Purposes of personal data processing

The Controller processes personal data of employees in the following information systems:

1. PAYROLL A HUMAN RESOURCES,
2. RECORDS MANAGEMENT,
3. ACCOUNTING DOCUMENTS,
4. PROMOTION,

The Controller processes personal data of business partners in the following information systems:

1. RECORDS MANAGEMENT,
2. ACCOUNTING DOCUMENTS,
3. BUSINESS PARTNERS,
4. MARKETING AS THE CONTROLLER'S LEGITIMATE INTEREST,

The Controller processes personal data of clients in the following information systems:

1. RECORDS MANAGEMENT,
2. ACCOUNTING DOCUMENTS,
3. CLIENTS,
4. MARKETING AS THE CONTROLLER'S LEGITIMATE INTEREST,
5. PREVENTION AGAINST LEGALISATION OF PROCEEDS OF CRIME.

The Controller processes personal data of managing directors in the following information systems:

1. BENEFICIAL OWNER,
2. PAYROLL A HUMAN RESOURCES,
3. ACCOUNTING DOCUMENTS,
4. PROMOTION,

 The Controller processes personal data of website visitors in the following information systems:

1. COOKIES,
2. CONTACT FORM.

Last but not least, we would like to inform you of your rights under GDPR and Act No. 18/2018 Coll. on personal data protection as amended by certain acts.

A data subject has the right to access his/her data. At the request of a data subject, the controller shall issue a certificate whether personal data related to the data subject is processed. Where the controller processes such personal data, it shall issue a copy of the personal data at the request of the data subject. Where the data subject requests information by electronic means, the data subject shall be provided the information in a commonly used electronic form, via e-mail, unless the information is explicitly requested to be provided in a different manner.

The data subject shall have the right to rectification of personal data if the controller has inaccurate personal data concerning him or her. At the same time the data subject has the right to complete incomplete personal data. The controller shall correct or complete personal data without undue delay after being requested to do so by the data subject.

The data subject has the right to erasure (right to be forgotten) of personal data relating to him or her, provided that:

1. personal data is no longer needed for the purposes for which it was obtained or otherwise processed,
2. the data subject withdraws consent on which the processing is based,
3. the data subject objects to the processing of personal data,
4. the personal data has been unlawfully processed,
5. the personal data have to be erased for compliance with a legal obligation, special law or an international agreement by which the Slovak Republic is bound, or
6. personal data has been collected in connection with the offer of information society services to a person under 16 years of age.

The data subject shall not have the right to erasure of personal data provided that the processing is necessary:

1. for exercising the right of freedom of expression and information,
2. to comply with an obligation under legislation, special law or international agreement binding the Slovak Republic, or to perform a task carried out in the public interest or in the exercise of official power vested in the controller.
3. for reasons of public interest in the area of public health,
4. for archiving purposes in the public interest, for purposes of scientific or historical research or for statistical purposes, provided that is likely that the right to erasure prevents or seriously impedes the achievement of the objectives of such processing, or
5. for the establishment, exercise or defence of legal claims.

The controller shall erase personal data of the data subject upon request and without undue delay after it assesses the request of the data subject as reasoned.

The data subject has the right to restrict processing of personal data where the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful, and the data subject requests the restriction of the use of the personal data instead erasing it;
3. the Controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims,
4. the data subject has objected to personal data processing on the basis of legitimate claims of the controller until verification whether the legitimate grounds of the controller override those of the data subject.

Where the data subject has requested to restrict the processing of his or her personal data, the controller shall not carry out any processing operations with the data concerned except storage, without the consent of the data subject.

The controller shall inform the data subject in the event the restriction of processing of this data is lifted.

The data subject has the right to data portability which means obtaining personal data it has given to the Controller with the right to transfer such data to another controller in commonly used and machine-readable format, provided that the personal data has been obtained with the consent of the data subject or under an agreement and its processing is carried out by automated means.

The data subject has the right to object to the processing of personal data concerning his or her on grounds relating to his or her particular situation at any time. The data subject may object to the processing of personal data on the following grounds:

1. a legal title for the performance of tasks carried out in the public interest or in the exercise of official authority or a legal title of the legitimate interest of the controller,
2. processing of personal data for direct marketing purposes,
3. processing for the purposes of scientific or historical research or statistical purposes.

If the data subject objects to the processing of personal data for the purposes of direct marketing, the controller may not further process his or her personal data.

The controller shall assess any objection delivered within a reasonable period. The controller shall not further process personal data, unless it proves that there are inevitable legitimate interests for the processing of personal data that outweigh the rights or interests of the data subject, or reasons for exercise of a legal claim.

The data subject shall have the right not to be subject to a decision based on automated processing, including profiling, which produces any effects concerning him or her if the controller processes personal data by profiling, or a similar method based on automated individual decisions.

The data subject shall have the right to withdraw at any time his or her consent to the processing of personal data where such processing of personal data was based on this legal basis. The data subject withdraws his or her consent in a manner provided in the consent or in this information, if there is no such information, (s)he shall withdraw consent by contacting the controller with its request in any chosen way. The controller's contact details are provided above. Lawfulness of the processing of personal data before the withdrawal of consent on the basis of the consent given shall not be affected by its withdrawal.

The data subject has the right to file a complaint / initiate proceedings with the supervisory authority – the Office for Personal Data Protection of the Slovak Republic, Hraničná 4826/12, 820 07 Bratislava - Ružinov, phone number: +421 /2/ 3231 3214; mail: statny.dozor@pdp.gov.sk , https://dataprotection.gov.sk, if it considers that his or her rights have been violated in the field of personal data protection. If the application is submitted electronically, it is necessary that it complies with the requirements pursuant to Section 19(1) of the Act No. 71/1967 Zb. on Administrative Procedure (The Code of Administrative Procedure).

The data subject may address his or her comments and requests concerning the processing of personal data to the controller in writing or by electronic means using the contact details provided above.