Familiarization with the Processing of Personal Data
pursuant to Article 13, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and Act No. 18/2018 Coll. on the protection of personal data and on amending and supplementing certain laws.
- Identification data of the Controller:
ST. NICOLAUS – trade, a.s., so sídlom Trnavská cesta č. 100, 821 01 Bratislava, identifikačné číslo 35 680 261, IČ DPH SK2020326583 (ďalej len „Prevádzkovateľ)
Purpose of the processing of personal data by the Controller:
Data processing for the purposes of Communication with the customer in the context of the sale of the company’s products via the contact form on the website kaltenecker.sk and the Processing of Requests from Data Subjects,
- List of personal data:
- name, surname, title:
- phone number, e-mail address,
- Additional information
- Personal data in the range of first name, last name, email address processed for the purpose of Communication with the customer in the sale of the company’s products through the contact form on the website kaltenecker.sk pursuant to Article 6, para. 1 (b), Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) The processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures at the request of the data subject.
- Personal data within the scope of Article C processed for the purpose of processing requests from data subjects within the meaning of Article 6, para. 1 (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) – the processing of personal data is necessary pursuant to a specific regulation or an international treaty by which the Slovak Republic is bound.
- Personal data will be provided to third parties pursuant to the law and to processors, the companies BUDIŠ a.s., St.-Nicolaus TRADE, a.s. (hereinafter referred to as the “Processors”) on the basis of contracts.
- Personal data will not be used for automated individual decision-making, including profiling.
- The Controller declares that when selecting processors, it has taken into account their professional, technical, organizational and personal competence and their ability to guarantee the security of the processed personal data by means of measures pursuant to Act No.18/2018 Coll. on the protection of personal data and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
- The Controller declares that it has taken all measures in accordance with Act No. 18/2018 Coll. on the protection of personal data and Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and hereby undertakes to protect such data against accidental as well as unlawful damage and destruction, accidental loss, alteration, unauthorized access and disclosure as well as against any other impermissible forms of processing in accordance with the measures adopted in the data protection impact assessment.
- The Processor undertakes to process personal data only to the extent and under the conditions agreed in the processor’s mandate to process personal data.
- The Controller declares that it will not provide personal data to Processors other than those listed in this notice.
- The Controller declares that it will collect personal data to the extent necessary for the fulfilment of the stated purpose and process it only in accordance with the purpose for which it was collected.
- The Controller is obliged to maintain the confidentiality of the personal data they process. The obligation of confidentiality continues after the processing of personal data has been terminated.
- A Data Protection Officer is appointed in the company. Contact data: Ing. Andrej Hronský, tel. 033/7352102
- Personal Data retention period:
- Agenda of Customer communication in the sales of the company’s products – 5 years,
- management of the agenda for the handling of applications from the Data Subjects – 10 years
- Information on the rights of the data subject:
Right of Access
- The Data Subject shall have the right to obtain confirmation from the Controller as to whether personal data relating to him or her are being processed and, if so, to obtain access to those personal data and that information:
- processing purposes;
- the data category of the data subject;
- the recipients or the categories of recipients to whom the personal data have been or will be provided, mainly recipients in third countries or international organizations;
- when possible, for the expected retention period of the personal data or, if that is not possible, the criteria for its determination;
- the existence of the right to require the Controller to correct personal data relating to the Data Subject or delete or restrict the processing or to oppose such processing;
- the right to file a grievance with a supervisory authority;
- if personal data have not been obtained from the Data Subject, any available information concerning their source;
- the existence of automated decision-making, including the profiling specified in Article 22, Paragraph 1 and 4 of the GDPR and, in such cases, at least meaningful information on the used procedure, as well as the significance and foreseeable results of such processing for the Data Subject.
- Where personal data are transferred to a third country or an international organization, the Data Subject has the right to be informed of the appropriate safeguards under Article 46 of the Regulation relating to the transfer.
- The Controller shall provide a copy of the personal data being processed. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee corresponding to the administrative cost. If the Data Subject has made the request through electronic means, the information shall be provided in a commonly used electronic form, unless the Data Subject has requested a different method.
- The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Right of Correction
The Data Subject shall have the right to have inaccurate personal data concerning him or her rectified by the Controller without undue delay. With regard to processing purposes, the Data Subject is entitled to supplement incomplete personal data, also through the provision of a supplementary statement.
Right of Deletion (“forgetting”)
- The Data Subject shall also have the right to obtain from the Controller the deletion of personal data concerning him or her without undue delay and the Controller shall erase the personal data without undue delay if one of the following grounds is met:
- personal data are no longer needed for the purposes for which they were obtained or otherwise processed;
- the Data Subject revokes the consent under which the processing is performed in accordance with Article 6, Paragraph 1(a) of the Regulation or Article 9(1)(a) of the Regulation. 2(a) of the Regulation and where there is no other legal basis for the processing;
- the Data Subject objects to the processing according to Article 21, Paragraph 1 and there are no overriding legitimate grounds for processing or the data subject objects to processing pursuant to Article 21(1). 2 Regulations;
- the personal data was unlawfully processed;
- the personal data must be deleted in order to meet a legal obligation according to the law of the Union or the law of the Member State to which the Controller is subject;
- the personal data were obtained in connection with the provision of information society services according to to Article 8, Paragraph 1 of the Regulation.
- Where a Controller has disclosed personal data and is required to erase the personal data pursuant to paragraph 1, he or she shall, taking into account the technology available and the cost of implementing the measures, take reasonable measures, including technical measures, to inform the Controllers carrying out the processing of the personal data that the Data Subject has requested them to erase all references to those personal data, or a copy or replicas thereof.
- Paragraphs 1 and 2 shall not apply insofar as the processing is necessary:
- for the exercising of the right to freedom of expression and information;
- for meeting a legal obligation requiring processing according to Union law or the law of the Member State to which the Controller is subject, or in order to meet a task implemented in the public interest or in the exercising of public authority entrusted to the Controller;
- due to public interest in the field of public health, in accordance with Article 9, Paragraph 2(h) and (i) of the Regulation, as well as Article 9(2)(h) and (i) of the Regulation. 3 of the Regulations;
- for the purpose of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes according to Article 89, Paragraph 1 of the Regulation where the right referred to in paragraph 1 is likely to render impossible or seriously impede the achievement of the purposes of such processing, or
- to prove, enforce or defend legal claims.
Right of Restriction of Processing
- The Data Subject has the right to restrict the processing by the Controller for one of the following cases:
- the Data Subject asserts the accuracy of the personal data during a period allowing the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject objects to the deletion of personal data and requests restrictions on their usage instead;
- the Controller no longer needs personal data for processing but needs the Data Subject for the proving, application or defense of legal claims;
- the Data Subject objected to the processing according to Article 21, Paragraph 1 of the Regulation, pending verification that the legitimate grounds on the part of the controller override those of the Data Subject.
- Where processing has been restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, be processed only with the consent of the Data Subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
- The Controller shall inform the Data Subject who has obtained the restriction of processing pursuant to paragraph 1 before the restriction of processing is lifted.
Right to Portability
- The Data Subject shall have the right to obtain the personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another Controller without being prevented by the Controller to whom the personal data have been provided if:
- the processing is based on consent pursuant to Article 6(1) of Directive 95/46/EC 1(a) of the Regulation or Article 9(1)(a) of the Regulation. 2(a) of the Regulation, or on a contract pursuant to Article 6(2)(a) of the Regulation, or on a contract pursuant to Article 6(2)(a) of the Regulation. 1(b) of the Regulation, and
- where the processing is carried out by automated means.
- When exercising his or her right to data portability pursuant to paragraph 1, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another Controller, insofar as this is technically feasible.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to Object
- The Data Subject shall have the right at any time to object, for reasons relating to his or her concrete situation against the processing of personal data concerning him/her, which is performed pursuant to Article 6, Paragraph 1(e) or (f) of the Regulation, including objections to profiling based on those provisions. The Controller may not further process personal data unless it demonstrates the necessary authorized reasons for processing, which outweigh the interests, rights and freedoms of the Data Subject or reasons for proving, applying or defending legal claims.
- If the personal data are processed for the purposes of direct marketing, the Data Subject has the right at any time to object to the processing of personal data relating to him/her for the purposes of such marketing, including profiling in the range related to such direct marketing.
- If the Data Subject opposes the processing for purposes of direct marketing, the personal data may no longer be processed for such purposes.
- The Data Subject shall be explicitly reminded of the right referred to in par. 1 and 2 at the latest at the first communication with her, presenting this right clearly and separately from any other information.
- In relation to the use of information society services and regardless of Directive 2002/58/EC, the Data Subject may exercise his/her right to object to automated means by use of technical specifications.
- Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Art. 9 par. 1 of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, except where the processing is necessary for the performance of a task carried out for reasons of public interest.
Notification to Third Parties
The Controller shall notify each recipient to whom the personal data have been disclosed of any rectification or deletion of personal data or restriction of processing carried out pursuant to Article 16, Article 17(1) or (2) of Directive 95/46/EC. 1 and Article 18 of the Regulation, unless this proves impossible or involves disproportionate effort. The Controller shall inform the Data Subject of these recipients if the Data Subject so requests.
Initiation of Proceedings at the Request of the Data Subject
The Data Subject has the following rights pursuant to §100 of Act 18/2018 Coll. to file a petition for initiation of proceedings in the event that he/she is directly affected by his/her rights provided for in this Act. The Authority shall consider the complaint within 30 days from the date of receipt of the complaint. The Authority shall inform the complainant of the manner in which the complaint has been dealt with within 30 days from the date of receipt of the complaint.