Information on the processing of personal data


Controller's information disclosure under §19 of the Personal Data Protection Act

 

Personal Data Protection

 pursuant to Act No. 18/2018 Coll. on Personal Data Protection and on amendment of certain acts (“Act”) and Article 30 of Regulation of the European Parliament and of the Council 2016/679 (“GDPR”)

 

  1. Personal data controller

 

TERMOSTAV Bratislava, s. r. o.

Org. ID: 36 696 439

Registered office: Staviteľská 3, 831 04 Bratislava

Commercial Register registration: Bratislava I District Court, file number 43024/B, section: Sro

Contact: termostav@termostav.sk, phone no.: +421 244 872 676

 

  1. Contact for the data protection officer

A data protection officer has not been designated, given that TERMOSTAV Bratislava, s. r. o. has no such obligation in view of the scope and subject of its activities.

 

  1. Purpose of processing personal data
    1. HR and payroll agenda
    2. Accounting agenda
    3. Pre-contractual and contractual matters
    4. Security of persons and property
    5. OHS

 

  1. Legal basis for processing personal data

When processing personal data, the controller complies with all valid legislation concerning personal data processing, specifically the Personal Data Protection Act and EU regulations.

  1. Legislation concerning HR and payroll – the Labour Code, the Social Insurance Act, the Health Insurance Act, the Income Tax Act, the Travel Reimbursement Act, the Employment Act and other payroll-related regulations
  2. Legislation concerning accounting and taxes – the Accounting Act, the Travel Reimbursement Act, the Income Tax Act and other accounting regulations
  3. Legislation concerning contractual matters – the Commercial Code, the Civil Code and the Trade Licensing Act. The CVs of candidates for employment are only stored with the consent of the data subject.
  4. Legislation concerning the security of persons and property – the Road Traffic Act,
  5. Legislation concerning OHS – the Occupational Health and Safety Act, the Public Health Protection, Promotion and Development Act, other laws (regulations, decrees and acts) concerning work safety

 

The controller processes personal data without the consent of the data subject if such personal data processing:

 

  • is necessary to accomplish the agreement in which the data subject is a contracting party or to act before conclusion of such agreement upon request of the data subject;
  • is carried out under a specific regulation or international treaty to which Slovakia is a signatory;
  • is carried out to protect the life, health or property of the data subject;
  • is carried out to fulfil a task in the public interest or within the exercise of public authority entrusted to the controller;
  • is carried out for the purposes of the legitimate interests of the controller or a third party, except where the interests or rights of the data subject seeking protection of their personal data override such interests, especially in instances where the data subject is a child;
  • has its purpose, the set of data subjects and the list of personal data laid down in a specific law, and is carried out only in the scope and manner specified in such law.

The processed personal data may only be provided, disclosed or published if a specific law lays down the purpose of such processing, disclosure or publication, a list of personal data that may be provided, as well as third parties to whom personal data is provided or a group of recipients to whom personal data is disclosed unless the personal data protection act specifies otherwise.

The data subject's consent is not necessary if personal data disclosed in accordance with the Act is processed and the controller has properly labelled such data as published; the party claiming to process published personal data shall demonstrate to the Data Protection Authority, upon request, that it is only processing personal data that was legally published.

 

The controller processes personal data with the data subject’s consent when required under personal data protection legislation and the controller has no legal basis for processing personal data.

  • The controller gains the data subject's consent freely, without coercion or pressure, and without a conditional threat of refusal to enter into a contract, provide services or meet other obligations on the part of the controller under binding EU legislation, international treaties to which Slovakia is a signatory or the Act.
  • The data subject grants consent individually for each specific purpose of personal data processing.
  • A data subject may revoke consent at any time.
  • The company respects privacy and considers the provided personal data confidential.

 

  1. Recipients:
    • The controller’s employees who personally process personal data shall be properly instructed as to their rights and obligations during personal data processing
    • State and local-level authorities, other state bodies and organisations, including the tax authority, health insurers, social insurance, supplemental pension management companies, the Office of Labour, Social Affairs and Family, labour inspectorate, banks, courts, executors, law enforcement bodies
    • Processors conducting supporting services in the fields of human resources and payroll, accounting, the security of persons and property and occupational health and safety (OHS).
  • In the process of selecting processors, the controller shall primarily be concerned with their professional, technical, human resources and organisational competency and their ability to guarantee the security of processed personal data through the adoption of adequate security measures as anticipated under the Act.
  • The controller shall conclude a written agreement with all such processors concerning the protection of personal data in accordance with the Act.

 

 

 

  1. Conditions and methods of processing the personal data of data subjects
    • electronic
    • in written, paper form

The controller shall not disclose processed personal data except in instances where required under a special regulation or decision issued by a court or state body.

The controller will not process personal data without the data subject’s consent or another legal basis for any other purpose or in a scope greater than specified herein and in the Processing Records.

 

  1. Transmission to third countries and international institutions

If compelled under foreign legislation, the controller shall complete transmission to third countries and international institutions and to the member states of the EU/EEA or countries providing an adequate level of protection.

 

 

  1. Archiving period for personal data:

The archiving periods for personal data are laid down by the purpose of their processing and under the requirements of a special regulation.

The specific archiving periods are laid down in an internal guideline, specifically the Records Administration guideline and the Records Plan, approved by the State Archive in Bratislava under the Ministry of Interior and in accordance with the Act on Archives and Records.

The controller shall delete, in the defined manner, personal data for which the purpose of processing and the archiving period have lapsed (the disposal procedure involving the State Archive in Bratislava and subsequent shredding).

 

6. Data subject rights:

Right to access – a data subject has the right to confirmation from the controller as to the processing of their personal data. If the controller processes such personal data, the data subject has the right to access this personal data and information concerning:

  1. the purposes of processing personal data,
  2. the categories of processed personal data,
  3. identification of the recipient or category of a recipient to which personal data is or should be provided, specifically third-country recipients or international organisations, if feasible,
  4. the archiving period for personal data,
  5. the right to request that the controller correct the data subject’s personal data, delete the data and restrict the processing of data, or the right to object to the processing of personal data,
  6. the right to file a petition to commence proceedings under the Personal Data Protection Act,
  7. the sources of personal data if such personal data is not obtained directly from the data subject,
  8. the existence of automated individual decision-making practices, including profiling. In such cases, the controller shall provide the data subject with information on the procedure used and the significance and expected consequences of such personal data processing for the data subject.

 

Right to correction – a data subject has the right to request the controller correct any inaccurate personal data without any undue delay. With respect to the purpose of personal data processing, the data subject has the right to amend incomplete personal data.

 

Right to restrict processing – a data subject has the right to request that the controller restrict the processing of their personal data if:

  • the data subject objects to the accuracy of the personal data and allows the controller to verify the accuracy of the personal data during such period,
  • personal data processing is unlawful and the data subject objects to the deletion of such personal data and instead requests limits on their usage,
  • the controller no longer requires the personal data for the purpose of personal data processing, or the data subject requires such data to exercise its legal rights, or
  • the data subject objects to personal data processing until the controller’s verified and legitimate reasons are found to supersede the data subject’s legitimate reasons.

Right to transfer – a data subject has the right to obtain the personal data concerning them that was provided to the controller in a structured and commonly used, machine-readable format, and the right to transfer such personal data to another controller, if technically feasible, and if:

a) personal data is processed with the data subject’s consent to such processing, or this processing is necessary to fulfil an agreement to which the data subject is a contracting entity,

b) the processing of personal data is conducted using automated means.

The right of a data subject to obtain personal data and transmit such personal data to another controller may not be to the detriment of the rights of other parties.

 

Right to object to processing, including rejection of profiling (if performed) – a data subject has the right to object to the processing of their personal data for reasons concerning their unique situation. The controller may not continue to process such personal data if it cannot demonstrate the necessity of its legitimate interest to process this personal data, which must outweigh the rights and interests of the data subject or the reasons for the exercise of their legal entitlement.

 

A data subject has the right to an exemption from a decision that is based exclusively on the automated processing of their personal data, including profiling, and that has legal effects that concern or otherwise affect them in a significant manner. Such right is not applicable if the decision:

  1. is necessary for the conclusion of the agreement or the performance of the agreement between the data subject and the controller,
  2. is based on the explicit consent of the data subject.

 

Right to deletion – a data subject has the right to request the controller delete their personal data without any undue delay.

The controller shall delete personal data without undue delay if:

  1. the personal data is no longer needed for the purposes for which it was obtained or processed,
  2. the data subject revoked consent required for the processing of such personal data or there is no other legal basis for the processing of such personal data,
  3. the data subject objects to the processing of personal data and none of the legitimate reasons for processing personal data outweigh the objection,
  4. personal data is processed in an unlawful manner,
  5. the reason for deletion is the fulfilment of obligations under the Personal Data Protection Act, a special regulation or international treaty to which Slovakia is a signatory.

The controller shall notify the recipient of any correction, deletion or restrictions on the processing of personal data completed in accordance with the Personal Data Protection Act.

 

 Right to file a petition to commence personal data protection proceedings – if you believe that we are not processing your personal data in a manner compliant with the GDPR, you are entitled to file a petition to commence personal data protection proceedings with the data protection authority at the following address: Úrad na ochranu osobných údajov Slovenskej republiky, Hraničná 12, 820 07 Bratislava 27, or contact the data protection authority at: www.dataprotection.gov.sk

 

If a data subject does not have full legal capacity, their legal guardian may exercise such rights.

If a data subject is deceased, their rights under the Act may be exercised by a close relative.

Requests made by a data subject under the Personal Data Protection Act shall be resolved by the controller at no charge, except for any payments that may not exceed the reasonably incurred material costs associated with making copies, delivering technical media and sending information to the data subject, unless otherwise specified in a specific law.

The controller shall comply with the data subject’s request within 30 days of receipt of such request at the latest. The company shall report in writing any limitations on the rights of the data subject under the Personal Data Protection Act to the data subject and the data protection authority, i.e. the Office for Personal Data Protection of the Slovak Republic.

 

 

Bratislava, 25/5/2018