A Controller is a person who processes the personal data of the person concerned (you). The Controller is KREA SK s.r.o., with its registered office at Štúrova 71/a, 949 01 Nitra, Registration No.: 36 553 433, registered in the Commercial Register of the District Court of Nitra, Section: Sro, Insert No.: 13970/N (hereinafter referred to as "KREA SK").
If you have any questions, you can contact us (i) via e-mail at firstname.lastname@example.org or (iii) by regular mail to our address KREA SK s.r.o., Štúrova 71/a, 949 01 Nitra.
2. Person concerned
You are the person concerned, because your personal data is processed by KREA SK.
3. Personal Data
Personal data is any data that the person concerned is identified or identifiable by. The extent of your personal data processed by KREA SK depends on the purpose for which this personal data is processed.
The individual categories and types of personal data we process always depend on the purpose for which we process your personal data and the legal basis on which we process it. The personal data we may require of you is particularly
(a) identification data (name and surname, birth name, degrees in front and by name, date of birth, identity number, identity document number, identity document, photographs, online identifiers, IP addresses, signatures),
(b) contact details (address / permanent residence, temporary residence, domicile, billing address, delivery address, e-mail address, telephone number, fax number),
(c) data on social identity (sex, job positions, functions, performance data from work assessments),
(d) economic identity data (bank account numbers, numbers of tax, accounting, delivery and other documents, payment, debt and commitment data),
(e) consumer data (IP addresses, purchase and purchase preferences data, cookie data),
(f) localization data
(g) other data on the legal identity of the Persons concerned (data on contracts and other legal acts, data on non-financial liabilities, rights and entitlements, data on activities, business and behaviour).
We do not process special categories of personal data that is particularly sensitive (data revealing racial or ethnic origin (so it is not possible to process nationality data, data revealing political opinions, religious beliefs or philosophical beliefs, trade union membership / only to fulfil statutory obligations under the Labour Code, genetic data, biometric data, health data, and data on sexual life or sexual orientation).
4. Sources of personal data
KREA SK collects your personal data usually directly from you. Personal data (i) is provided in particular on the contracts we have concluded with you, or (ii) you have filled in the form on the website, or (iii) you have sent or provided it to us in the context of mutual correspondence or communication, or (iv) we deduced them from the other data you provided us.
5. The purpose of personal data processing
Company KREA SK processes your personal data for purposes arising from the law, contract, or consent that you have given. Every purpose of processing personal data is always accurately specified in the relevant document that governs it.
6. Legal basis for personal data processing
We process your personal information based on any of the following legal basis:
(a) The consent of the person concerned to the personal data processing for one or more specific purposes.
(b) The performance of the contract to which the person concerned is a party or the execution of a pre-contractual measure at the request of the person concerned.
(c) Compliance with a statutory obligation under a special regulation or an international treaty to which the Slovak Republic is bound.
(d) Protection of the vital interests of the person concerned or other natural person (the life, health or property of the person concerned or another natural person).
(e) Performance of the task of the public interest or the public authority entrusted to KREA SK.
(f) The legitimate interest of KREA SK or a third party, if this interest does not outweigh the interests or rights of the person concerned that require the protection of their personal data. You will always be informed of the legitimate interest.
7. Withdrawal of the consent
If the legal basis for the processing of your personal data is consent, you may at any time withdraw it by e-mail to email@example.com, (ii) in writing to KREA SK s.r.o., Štúrova 71/a, 949 01 Nitra, (iii) in person, (iv) through a link in the message, or (v) through the interface of the online service that you use and which enables that functionality. Withdrawal of the consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal. In case of withdrawal of the consent, your personal data will stop being processed without delay and will be erased.
In the event that KREA SK processes your personal data on a legal basis other than your consent, withdrawal of the consent will not void its authority to process your personal data on other legal bases.
8. The right to object and the right to file a claim for the opening of proceedings for the protection of personal data
You have the right to object to the processing of personal data directly to KREA SK (point 13 (a) and point 14 of this Policy) (i) by e-mail at firstname.lastname@example.org or (ii) by regular mail to our address KREA SK s.r.o., Štúrova 71/ a, 949 01 Nitra.
In addition to the right to object, you have the right to file a claim for the opening of proceedings for the protection of personal data to Office for Personal Data Protection of the Slovak Republic (https://dataprotection.gov.sk).
9. Personal data recipients
Company KREA SK processes your personal data primarily for its own purposes. In addition, we may provide your personal data to our business partners through which we process your personal data. These are trusted persons (so-called recipients and processors) who provide for us the development, maintenance and operation of software solutions and other services through which we process your personal data or which provide us with service (e.g. economic, legal, auditing and marketing).
Your personal data that you provided to us for marketing purposes is processed by MailChimp, which serves to process and send e-mail to your address. This service is operated by The Rocket Science Group, LLC, with its registered office at 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, Georgia 30308, United States of America (https://mailchimp.com/contact/).
In addition, your personal data may also be processed through cloud services provided within G Suite application when used internally. Cloud Services G Suite is operated by Google LLC, with its registered office at 1600 Amphitheater Parkway, Mountain View, CA 94043, United States of America (https://www.google.com/intl/cs/contact/).
Additionally, our employees are recipients of your personal data. We may also, with your consent, provide your personal data to third parties who will process your personal data for their marketing needs.
10. Transfer of personal data to third countries
We process your personal data primarily within the European Union and the European Economic Area. However, as noted above, your personal data is also transferred to the United States of America when processed through MailChimp and G Suite, and the United States of America which has a third-country status does not provide an adequate level of protection of personal data.
In these cases, however, cross-border transfers and processing of your personal data are secured by the Privacy Shield certification scheme created by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide European Economic Area and United States entities with the means to meet privacy requirements in their transfer from a Member State of the European Economic Area to the United States of America, and to promote transatlantic trade. This system ensures, under the European Commission's decision, the adequate protection of personal data. For more information on this system, please visit https://www.privacyshield.gov.
In addition, MailChimp and G Suite have updated their business terms and contracts to ensure the protection of processed and transmitted personal data in accordance with European regulations. Standard contractual terms of Google LCC are in accordance with the relevant European Commission's decisions.
11. The duration of personal data processing
The duration of processing of your personal data depends on the legal basis of its processing. It may be determined directly by law or listed in the agreement we have concluded with you or in the consent you have provided us with.
In the case where the duration of processing is not stated directly in the legal regulation or contract, we will process personal data (i) for 24 months from the start of processing or (ii) for the duration of the limitation period, if the legal basis is our legitimate interest (e.g. in the case of exercising of a legal claim).
After this period, the termination of the reason for the processing of your personal data, or the withdrawal of your consent, we will delete your personal data (unless we process your personal data on a legal basis other than consent). Before the expiry of the period, we may ask you to extend your consent for the next 24 months.
12. Method of processing of personal data
Company KREA SK processes your personal data primarily electronically through automated information systems that operates itself or through its business partners (e.g. The Rocket Science Group, LLC and Google LLC). We may also process your personal data in the form of documents (e.g. contracts, accounting and tax documents, written correspondence) in systematically arranged records.
13. Rights of the person concerned
(a) THE RIGHT TO OBJECT: You have the right to object to the processing of your personal data. You may object in the case that your personal data is processed for the purpose of performing KREA SK public interest or legitimate interest or for the purposes of direct marketing. Your objection will be reasoned and successful if your legitimate reasons prevail over the legitimate reasons of KREA SK or when processing your personal data for direct marketing purposes (in which case the objection is considered as a withdrawal of your consent). You can not object if the processing is necessary (i) to accomplish the task on grounds of public interest or (ii) for scientific or statistical purposes or for historical research purposes. If your objection is reasoned and successful, we will stop further processing of your personal data.
(b) THE RIGHT TO BE INFORMED: You have the right to be provided with information as to whether we process your personal data, the extent to which we process it, and information about breaches of the security of your personal data.
(c) RIGHT TO ACCESS TO THE PERSONAL DATA: You have the right to issue a certificate that we process your personal data, what personal data we process and a copy of this personal data. We will provide this certificate by e-mail if you do not request another form. We may refuse to provide you with this certificate if it would have adverse consequences for the rights of other natural persons.
(d) RIGHT TO RECTIFICATION: If your personal data which we process is incorrect or incomplete, you have the right to request a correction or addition of personal data. In the case that you use any of the online services under which you manage your personal data (e.g. Sortio), you can directly apply the right to rectification by performing a rectification at the interface of the online service.
(e) THE RIGHT TO ERASURE / RIGHT TO BE FORGOTTEN: Once you have processed your personal data (withdrawal of consent, successful objection, expiry of the period, etc.) or when we process it in breach of law, you have the right to erase it and in this case company KREA SK will delete your personal data without any delay. You can also request erasure of your personal information. Erasure is always final. The right to erasure can not be applied if personal data is needed, e.g. for the exercising of the right of freedom of expression and the right to be informed, the fulfilment of a legal obligation, the fulfilment of a public service task, public service, archiving, scientific or statistical purposes or the purpose of historical research or the exercise of legal rights.
(f) RIGHT TO RESTRICT PROCESSING: In the case that you object to the correctness of your personal data, company KREA SK will restrict its processing for the period of verification of its correctness. If your personal data is processed unlawfully and you do not require erase of it, we will restrict its processing to the extent you require it or otherwise only archive it. If your personal data is processed for the performance of a public interest task or company KREA SK´s legitimate interest, the processing will be restricted for the period of review whether the legitimate reasons for processing prevail over the legitimate reasons of the person concerned. You may also ask us to restrict the processing of your personal data. We will inform you by e-mail about the beginning and ending of the restriction of the processing of your personal data.
(g) THE RIGHT TO DATA PORTABILITY: In the case that (i) it is technically possible, (ii) the processing of your personal data is subject to your consent or performance of the contract, (iii) and not for the performance of a public service task, (iv) processing is carried out by automated means (v) the transfer of personal data does not have adverse consequences for the rights of others, you have the right to have your personal data processed in a structured, commonly used and machine-readable format (e.g., .xml). With personal data processed in such manner, you have the right to request their transfer to another controller.
(h) RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING: You have the right to refuse a decision that is based on automated processing of personal data and profiling if it has legal effects or if the person concerned is significantly affected. The right can not be invoked if such a decision is necessary for the conclusion or performance of the contract or is performed by law or by the consent of the person concerned. Any decision based on automated processing of personal data and profiling must be manually inspectable. The person concerned is entitled to challenge that decision or give opinion in writing. Company KREA SK does not currently use automated individual decision making and profiling. However, they may submit bids specifically designed for you based on the information and personal data we have received from you.
14. How to apply rights and instructions
You may apply for your rights and requirements via e-mail at email@example.com, or (iii) by regular mail to our address KREA SK s.r.o., Štúrova 71/a, 949 01 Nitra, in person or in the above manner. If you submit your request, objection, opinion, or withdrawal of the consent in other way than by letter with your signature, e-mail with a qualified electronic signature or in person, we may require additional trusted verification of your identity, otherwise we will not have to comply with your request. We are not obliged to meet your request even in the cases governed by law.
Your requests will be delivered within one month of delivery. We can extend this deadline by another two months, even repeatedly, if this is a justified case and with regard to the complexity and the number of requests. We will inform you about the time extension.
We will provide you with information, confirmations and notices free of charge. In the case of repeated requests or requests that are manifestly unfounded or inappropriate, we may require you to pay the administrative costs incurred for its handling, or we may refuse to handle such a request.
15. Principles relating to personal data processing
(a) THE LEGALITY PRINCIPLE: We process the personal data fairly, transparently and only for a legitimate reason (consent of the person concerned, fulfilment of the contract, performance of the statutory duty, protection of the vital interests of the person concerned or other natural person, fulfilment of the public service task or the exercise of public authority, company KREA SK's legitimate interest). We will not violate the rights of the person concerned in processing.
(b) THE PRINCIPLE OF PURPOSE LIMITATION: Personal data may only be processed for a specific, well-defined, explicitly and legitimately intended purpose, for archival, scientific or statistical purposes or historical research purposes only.
(c) THE PRINCIPLE OF PERSONAL DATA MINIMISATION: We can only process the personal data we absolutely need or this that is allowed for us to process by the law. We will not process or require unnecessary personal information. It is also up to you to provide us only with the personal data that is necessary for the purpose for which we will process it and do not provide us with excessive data (e.g., when communicating with each other, etc.).
(d) THE PRINCIPLE OF ACCURACY: We only process correct and up-to-date personal data. If personal data is processed incorrectly or incompletely, we will correct or complete it. We will erase incorrect personal information. The accuracy of personal data also depends on you, so it is essential that you always provide us with correct and complete personal information.
(e) THE PRINCIPLE OF STORAGE LIMITATION: Personal data will only be processed for the duration required to meet the purpose or set by law. We will process it longer only for archival, scientific or statistical purposes or for historical research purposes.
(f) THE PRINCIPLE OF INTEGRITY AND CONFIDENTIALITY: We protect personal data against loss, accidental erasure, damage, theft or destruction. We will ensure that personal data is not processed unlawfully. Personal data security is important and we ensure it through standardized technical and other appropriate measures.
(g) THE PRINCIPLE OF ACCOUNTABILITY: We are responsible for the security and protection of your personal data and the Office for Personal Data Protection of the Slovak Republic, which is entitled to review the processing of personal data in the framework of the procedure for the protection of personal data.
16. Processing of children´s personal data
Personal data of children under 16 can only be processed in special and justified cases. If you are under 16 years and you have given us permission to process your personal data, it is necessary that this consent is granted and confirmed by your legal representative. In this regard, we may ask you for the date of birth as one of your personal data to verify your age. If we process your personal data on a legal basis other than your consent, we may require the confirmation and consent of your legal representative.
17. Other information and relationship with other KREA SK rules and conditions
This Policy has been developed to explain the protection of personal data and to enhance transparency in its processing. This Policy will be regularly updated and posted on KREA SK's web sites. The Policy will take effect on May 25, 2018.