Personal data protection
- Principles of personal data processing
The company VGD Slovakia s. r. o. with its registered office at Moskovská 13, 811 08 Bratislava, IČO 36 254 339 (hereinafter referred to as the “Operator”) pursuant to Regulation 2016/679 GDPR on the Protection of Individuals in Processing of Personal Data and on the Free Movement of such Data. 18/2018 Coll. on the protection of personal data and on amendments and supplements to certain acts (hereinafter the “Act”) has elaborated security measures, which are regularly updated. They shall define the scope and manner of security measures necessary to eliminate and minimize threats and risks to the information system in order to ensure:
- availability, integrity and reliability of management system using state-of-the-art information technologies,
- protect personal data from loss, damage, theft, modification, destruction and keep them confidential,
- identify and prevent potential problems and sources of disruption.
- Regulation of Personal Data Protection
Your personal data will be stored securely, in accordance with operator’s security policy and only for the time necessary to fulfill the purpose of processing. Your personal data will only be accesses by person authorized by the controller to process personal data in accordance with the controller’s security policy. Your personal data will be backed up in accordance with the retention policy of the operator. The personal data stored on the backup sites serves to prevent security incidents that could arise in particular due to security breaches or damage to the integrity of the processed data.
- Definitions:
• “Personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is an person that can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or reference to one or more elements specific to physical, physiological, genetic, mental, economic, cultural or social identify of that individual.
• “Processing” means an operation or a set of operations involving personal data or personal data sets, such as the acquisition, recording, organization, structuring, storage, reprocessing or alteration, search, browsing, use, provision by transmission, dissemination or otherwise, regrouping or combining; restriction, erasure or disposal, whether carried out by automated or non-automated means.
• “Processing restriction” means the making of stored personal data with a view to limiting their processing in the future.
• “Profiling” means any form of automated processing of personal data consisting of the use of such personal data for the evaluation of certain personal aspects relating to a natural person, in particular for the analysis or prediction of aspects of the natural person concerned in relation to work performance, property, health, personal preferences, interests, reliability, behavior, position or movement.
• “Pseudonymisiation” means the processing of personal data such a way that personal data can no longer be attributed to a particular data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures to ensure that personal data are not assigned to an identified or identifiable natural person.
• “Information system” means any structured set of personal data that is accessible according to specified criteria, whether centralized, decentralized or distributed on a functional or geographical basis.
• “Controller” means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purpose and means of the processing or personal data; where the purposes and means of such processing are laid down in Union law; or in the law of a Member State. The operator or specific criteria for determining it may be determined in Union law or in the law of a Member State.
• “Intermediary” means a natural or legal person, public authority, agency or entity processing personal data on behalf of the controller.
• “Recipient” means a natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not it is a third party. However, public authorities which may receive personal data in particular survey in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by the said public authorities shall take place in accordance with the applicable data protection rules, depending on the purpose of the processing.
• “Third party” means a natural or legal person, public authority, agency or any entity other than the person concerned, the controller the processor and the person entrusted with the processing of personal data by direct authorization of controller or processor.
• “Data subject’s consent” means any freely given, specific, informed and unambiguous expression of the will of the data subject, by means of a declaration or unambiguous confirmatory act, which expresses consent to the processing of personal data concerning him or her.
• “Personal data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or authorized access to, personal data that are transmitted, stored or otherwise processed.
• “Cross-border processing” means either:
a) the processing of personal data which takes place in the Union in the context of the activities of the controller or processor in more than one Member State, where the controller or processor is established in more than one Member State, or
b) the processing of personal data that takes place in the Union in the context of the activities of a single controller or processor in the Union but which substantially affects or is likely to significantly affect data subjects in more than one Member State.
• Relevant and reasoned objection” means an objection to the draft decision as to whether or not there has been infringement of this Regulation, or whether the envisaged measure vis-à-vis the controller or intermediary complies with this Regulation, which must clearly demonstrate the seriousness of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subject and within the Union.
• “Information society service” means a service as a defined in Article 1 (1) (a); (b) Directive (EU) 2015/1535 of the European Parliament and of the Council.
• “International organization” means an organization and its subordinate entities governed by public international law or any other body established by or on the basis of an agreement between two or more countries.
- Purposes of personal data processing
• Processing of accounting and accounting documents
The processing is necessary in order to fulfill the legal obligation of the operator within the meaning of Article 6 (1), par. (b) of the Regulation or Article 6 (1); 1, par. c) directive. Scope of personal data processed; Title, First name, Surname, Adress, Account number, Signature. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. on archives and registered.
• Wage records
The processing is necessary in order to fulfill the legal obligation of the operator within the meaning of Article 6 (1). 1, par. (b) the Regulation or the meaning of Article 6 (1). 1, par. c) directive. The list of personal data is precisely specified by the specific laws that economists and accountants follow when processing the payroll agenda. These are mainly identification, contact data and data on permanent and temporary residence of the employees and temporary residence of the employees of the operator and their close person. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. on archives and registered.
• Evidence of attendace
The processing is necessary in order to fulfill the legal obligation of the operator within the meaning of Article 6 (1). 1, par. Article 6 1, par. c) directive. Scope of personal data processed: Title, First name, Surname, Personal number, and other data necessary to record attendance. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registries.
• Processing of tax returns to individuals
Personal data processed for the purposes of tax return processing shall be processed under a contract within the meaning of Article 6 (1). 1, par. b) directives. The scope of processed personal data is defined by Slovak legislation. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registries.
• Registration of suppliers and customers representatives
Registration of suppliers “and customers” representatives shall be carried out in accordance with the legitimate interest of the operator within the meaning of Article 6 (1). 1, par (f) of the Regulation. Scope of personal data processed: Title, First name, Surname, Job title, Service classification, Position, Personnel number, Professional department, Place to work, Telephone number, Fax number, E-mail address for the workplace and Employer identification data. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registers.
• Preventing and detecting money laundering and terrorist financing
The legal basis for the processing of your personal data is Article 6 (1) (a). c) of the Regulation, Act no. 297/2008 Coll. On protection against money laundering and protection against terrorist financing and on amendments to certain acts, as amended. This means what we do not require your consent for the processing of your personal data to the extent permitted by that law for the purpose of preventing and detecting money laundering and terrorist financing. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registries.
• Complaints
In the case of complaints, personal data shall be processed within the meaning of Article 6 (2). 1, par. c) directives. Scope of processed personal data: Title, Name, Surname, Address, Telephone, E-mail. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registries.
• Recovery of claims
In the case of recovery, personal data shall be processed within the meaning of Article 6 (1) 1, par. c) directives. Scope of processed personal data: Title, Name, Surname, Address, Telephone, E-mail. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registries.
• Seizure
The processing of personal data is necessary to fulfill the legal obligation of the controller within the meaning of Article 6 (1). 1, par. c) directives. Scope of processed personal data: Title, Name, Surname, Social Security number, Address. Subsequently, they are kept in accordance with Act No. 395/2002 Coll. On archives and registries.
• Monitoring of premises to protect property
The monitoring of premises shall be carried out in accordance with the legitimate interest of the operator within the meaning of Article 6 (1). 1, par. (f) of the Regulation. Recordings from the monitored area are kept for 6 days.
• Registration of job seekers
The processing of personal data by job seekers shall be carried out on the basis of the “Consent” to the processing of personal data within the meaning of Article 6 (1) (a). (a) of the Regulation to be provided by the tenderer.
The operator will only contact successful bidders.
No personal data shall be transferred to a third country.
Personal data is sorted for 12 months after consent has been given. You have the right to withdraw your consent to the processing of personal data at any time before expiry of this period by sending an application to the following e-mail address: dpo.vgdslovakia@vgd.eu or by sending and application to the Operator with the text. The controller declares that in the case of a written request of the data subject to terminate the processing of personal data before the specified time limit, the data will be deleted within 30 days of receipt of the withdrawal of consent.
- Rights of the data subject
- Right to Revoke Consent – in case where we process your personal data with your consent, you have the right to revoke that consent at any time. You may withdraw the consent electronically, at the address of the responsible person, in writing, by the notice of withdrawal of consent or in person at our registered office. Revocation of consent does not affect the lawfulness of the processing of personal data that we have processed on your basis.
- Right of Access – you have the right to provide a copy of the personal information we have about you available, as well as information about how we use your personal information. In most cases, your personal data will be provided to you in written form, unless otherwise requested. If you have request this information by electronic means, it will be provided to you electronically, if technically possible.
- Right to repair – we take reasonable steps to ensure accuracy, completeness and the timeliness of the information we have about you. If you believe that the information we hold is inaccurate, incomplete or outdated, please feel free to ask us to modify, update or complete this information.
- Right to be deleted (forgotten) – you have the right to ask us to delete your personal data, for example if the personal data we have collected about you is no longer necessary to fulfill the original purpose of processing. However, your riht must be assessed in the light of all relevant circumstances. For example, we may have certain legal and regulatory obligations, which means that we will not be able to comply with your request.
- Right to Restrict Processing – under certain circumstances, you may ask to stop using your personal data. For example, if you think the personal information we have about you may be inaccurate, or if you think we no longer need to use your personal information.
- Right to Data Portability – under certain circumstances, you have the right to ask us to transfer the personal information we have about you to another third party of your choice. However, the right to portability only applies to personal data that we have obtained from you under consent or under a contract to which you are a party.
- Right to object – you have the right to object to the processing of data based on our legitimate interests. If we do not have a valid legitimate reason for processing and you object, we will no longer process your personal data.
If you believe that any personal information we hold about you is incorrect, you can ask us to disclose this information, correct it, or delete it. Please contact us for more information.
If you wish to object to the way we process your personal data, please contact the responsible person by e-mail to: dpo.vgdslovakia@vgd.eu or in writing to the Operator's correspondence address. Our responsible person will investigate your dispute and will work with you to resolve the issue.
If you believe that your personal data is being processed unfairly or unlawfully, you may file a complaint with the supervisory authority, the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27; tel. No .: +421 / 2/3231 3214; E-mail: statny.dozor@pdp.gov.sk, https://dataprotection.gov.sk.