Privacy Policy of msg life Slovakia s.r.o. and msg life ag

Thank you for visiting this page and your interest in msg life Slovakia s.r.o. Protecting your personal data is as important to us as providing the best possible comprehensive service to our customers.

The owner of the domain www.msgtester.sk is msg life Slovakia s.r.o., a subsidiary of msg life central europe gmbh, which is owned by msg life ag (“msg life”). This privacy policy details what activities msg life performs during your visit to the site, what information msg life may collect under applicable data protection laws and in what format it processes it.

Your personal data is processed in accordance with the EU General Data Protection Regulation (“GDPR”), which also regulates your rights as a data subject, the provisions of the Data Protection Act that apply to us (in particular Sections 78 and 79), the Advocacy Act (Section 18) as well as other regulations.

We also provide your data to msg life pursuant to Article 6, paragraph 1, letter b of the GDPR, if the processing is necessary for the performance of a contract to which you, as the data subject, are a party. This also applies to data processing that must be carried out before the conclusion of a contract. The data is provided to msg life in compliance with Act no. 18/2018 Coll. on data protection and in accordance with the Federal Data Protection Act of the Federal Republic of Germany (“BDSG”) and the Slovak Republic (“SR”).

We will post any amendments to this privacy policy on this page to inform you about the data that msg life processes. Below are the main categories of privacy information.

according to Art. 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and § 19 and § 20 of Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “PDP Act”).

The purpose of this information is to provide you with information about what personal data we process, how we handle it, for what purposes we use it, to whom we may disclose it, where you can obtain information about your personal data and exercise your rights in relation to the processing of your personal data.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, ID No.: 35800780 (hereinafter referred to as the “Controller”).

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

General description

If you send us a message via the web contact form, we may process your personal data in order to handle your electronic correspondence. Depending on the subject matter and content of your message, the processing may be carried out in the context of the performance of a contractual relationship or pre-contractual relationship with you (providing information about our products/services, negotiating a contract, fulfilling a contract, handling complaints, etc.), the performance of a legal obligation (e.g. notification of antisocial activities, handling requests from data subjects, registry management), or in the context of a legitimate interest (e.g. handling complaints, keeping records of business partners, processing unexpected/unsolicited communications).

Details of the processing of personal data

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

processing of electronic correspondence received via the web contact form

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. (c) GDPR: compliance with a legal obligation,
(2) Art. 6 para. 1 lit. (b) GDPR: contractual, pre-contractual relations with the data subject,
(3) Art. 6 para. 1 lit. (f) GDPR: legitimate interest.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

natural persons – senders of electronic correspondence.

The scope of the personal data we process:

personal data – identification and contact e.g. title, name, surname, e-mail address, job offer, details in the note, attachments.

3 Identification of recipients or other parties who may have access to personal data

Category of recipients / Identification of recipients
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
- other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)
(2) recruitis.io s.r.o., ID No.: 275 08 391

4 Transfer of personal data to a third country/international organisation

Transfer to a third country or international organisation does not take place.

5 Identification of the source from which the personal data were obtained

Directly from the data subject.

6 Retention period of personal data

Correspondence management: 3 years.

7 Profiling

Profiling does not take place.

8 Obligation to provide personal data

The provision of personal data is carried out voluntarily by the data subject, on his or her own initiative. Depending on the subject matter and content of the correspondence handled, the provision of personal data may be required (fulfilment of a legal obligation or requirements in the context of the performance of contractual or pre-contractual relations with the data subject). In the event of non-provision of personal data, the controller may not be able to ensure the handling of electronic correspondence.

Rights of the data subject

The data subject has the right to request from the controller access to the personal data processed about him or her, the right to rectification of personal data, the right to erasure or restriction of the processing of personal data, the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, as well as the right to submit a petition to the supervisory authority. The data subject may exercise his or her rights by sending an email to jobs.sk@msg-life.com or by writing to the controller.

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “PDP Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data if you are an employee of a temporary employment agency and you are performing agreed work with us.

Full information is available from the HR department and the internal website.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, ID No.: 35800780 (hereinafter referred to as the “Controller”).

In case of any doubts, questions regarding the processing of your personal data, suggestions or complaints, if you believe that we are processing your personal data unlawfully or unfairly, or in case of exercising any of your rights, you can contact us at any time by sending an email to: jobs.sk@msg-life.com, or in writing to the address of the controller.

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

Basic overview of processing activities

We may process your personal data in the following processing activities (IS):

Reporting of anti-social activities

We may process your personal data if you have made an anonymous report of possible anti-social activity or if you are the subject of, or a participant in, an investigation into possible anti-social activity pursuant to a specific legal provision.

  • Categories of data subjects – natural persons who have made a notification of an anti-social activity or a request for protection for a notification of a serious anti-social activity (or their relatives for whom protection is requested) and natural persons who are investigated on the basis of the notification.
  • Categories of personal data – personal data included in the notification and the data necessary for its examination (in particular, routine personal identification data about the notifier, the persons involved in the breach, the details of the notification; may include data of different sensitivity).
  • Time limit for deletion of personal data – 3 years (from the date of receipt of the notification).
  • Category of recipients (external) – (1) The Office for the Protection of Whistleblowers of Anti-Social Activity, parties to the proceedings, other competent administrative authority, police force of the Slovak Republic, prosecutor’s office of the Slovak Republic, courts of the Slovak Republic, other authorized entity.

Promotion

We may process your photographs, video recordings, your reviews of us, and other information about you only to the extent and in the manner in which you have consented to the processing of your personal data. Where we have assessed that consent is not necessary for the purpose (redundant, disproportionate effort, etc.), for example where you have attended or will attend events organised by the operator for a wide range of people, we may take and process photographs or other records within the scope of our legitimate interest. We may use the data collected for the purposes of positive promotion, documentation and presentation of the operator’s activities. It is in our interest to document the activities of the operator and to present/promote them in the context of building good internal relations as well as external relations towards the operator and to preserve our good name. If you do not want your photographs, video recordings or other related data to be used for documentary, presentation/promotional purposes, you can exercise your rights (to object to processing or withdraw consent) via the contacts listed at the beginning of this information.

  • Categories of data subjects – employees (including persons in a similar employment relationship), other natural persons.
  • Categories of personal data – personal data (common – mainly identification, captured in a photograph, video/audio recording, other related to expressions of a personal nature).
  • Time limit for deletion of personal data – duration of the employment relationship or after the end of the purpose (5 years); does not apply to documents/records with permanent documentary value within the meaning of the Law on Archives and Registers.
  • Category of recipients (external) – (1) other eligible entity.

Personnel agency

If you are an employee of a temporary employment agency, we may process your personal data in connection with the performance of your contract of employment with the employer and in the performance of our legal obligation, in particular to keep records about you for the purposes of securing access to our premises, recording attendance, ensuring health and safety at work, training, social services, ensuring suitable working conditions and conditions of employment.

  • Categories of data subjects – agency workers, former agency workers.
  • Categories of personal data – personal data (routine – identification data, data within the scope of the performance of the temporary assignment contract – may be data relating to personal, professional life, data relating to health (e.g. fitness for work, accident, pregnancy, etc.)).
  • Time limit for deletion of personal data – 5 years.
  • Category of recipients (external) – (1a) Temporary Employment Agency, (1b) Foreign Police of the Slovak Republic, (1c) other authorized entity, (2) provider of OSH and OP services, trainers.

Technical and organisational measures

In order to maintain both your and our security (including your personal data), to demonstrate compliance with our legal obligation and to prove, exercise, defend our legal claims or claims of third parties, we may process records of your personal data. Depending on the need, this can be for example:

  1. records of your consent to the processing of your data,
  2. records of our compliance with our information obligation to you,
  3. records of how your application was processed,
  4. a record of the access and assets you are allowed/assigned and how they are used, if we have allowed/assigned such access/assignment to you,
  5. records that are necessary for the investigation of security incidents and personal data breaches,
  6. records (certificates) if we have trained you,
  7. records, if you are sworn to secrecy,
  8. records, if you have been part of our control activity, audit,
  9. other records relating to the performance of the technical and organisational measures taken.

The processing is in the legitimate interest of the controller and is also an obligation under the GDPR. The records may be used to establish liability against you and as evidence to prove, assert or defend legal claims of the operator or a third party (in particular in connection with a threat to/breach of security, including the protection of human life and health, property, financial or property damage, business interruption, damage to reputation, leakage of know-how, etc.).

  • Categories of data subjects – employees, responsible person, applicants for exercising rights, persons to whom the controller is fulfilling obligations under the GDPR, persons involved or dealt with in a security incident, intermediaries, other external entities (such as persons invited to the issue at hand – consultants, auditors, lawyers), employees of authorities on the basis of specific legislation (e.g. employees of the supervisory authority in the context of consultation, control activities), etc.
  • Categories of personal data – personal data (common – identification, contact data, which may, however, be supplemented by other necessary data of a different nature depending on the nature of the matter at hand – e.g. login data, data relating to the user’s/offender’s behaviour (e.g. logs of logins, logouts, activities), data necessary to verify the identity of the person who has requested the exercise of a right, data which indicate a violation of internal regulations (e.g. circumvention of security settings, etc.), etc.).
  • Deadline for deletion of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Personal Data Security Policy (most records are kept for 3 years or less, records of deletion or containing contracts for 5 years, some records permanently, for example those relating to the resolution of security incidents, impact assessments, information to data subjects, etc.).
  • Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Public Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, (1c) other authorized entity.

Data from some of the above processing operations may be used, where applicable and to the extent necessary, in the context of proving, exercising or defending our legal claims or the legal claims of a third party (e.g. disclosure of data to law enforcement authorities, bailiffs, lawyers, etc.), in judicial or extrajudicial proceedings, debt recovery, etc.

Some of the personal data obtained (e.g. certificates, records, other documents confirming a given fact, etc.) may be stored and used as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the obligations of the controller in terms of legislative requirements or other requirements (contractual, sectoral, etc.).

Your rights

As a data subject about whom we process personal data, you have rights under the GDPR and the DPA Act in relation to the processing of personal data, namely the right to request from the controller access to the personal data processed about you, the right to rectification (or, where applicable, the right to have your personal data rectified), the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, and the right to withdraw consent to the processing of personal data.

If you decide to exercise any of your rights, you can do so using our application form, which is available in the complete information on the processing of your personal data. If you are not satisfied with our response, or if you believe that we have violated your rights or are processing your personal data unfairly, unlawfully, etc., you have the possibility to file a complaint – a petition to initiate proceedings – with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and Act no. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “PDP Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data if you have expressed an interest in our services or are using our services.

Full details are available on request from the email addresses below.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, ID No.: 35800780 (hereinafter referred to as the “Controller”).

In case of any doubts, questions regarding the processing of your personal data, suggestions or complaints, if you believe that we are processing your personal data unlawfully or unfairly, or in case of exercising any of your rights, you can contact us at any time by sending an email to: jobs.sk@msg-life.com, or in writing to the address of the controller.

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

Basic overview of processing activities

We may process your personal data in the following processing activities (IS):

Accounting documents

We may process your personal data in connection with the performance of a contract with you in order to fulfil accounting and tax obligations under specific legislation.

  • Categories of data subjects – clients/contractual partners of the controller, taxpayers of the controller
  • Categories of personal data – personal identification, contact, financial/payment, other data-similarities related to the performance of the contract, accounting and tax obligations.
  • Time limit for the deletion of personal data – 10 years.
  • Category of recipients (external) – (1a) tax administrator, (1b) auditors, (1c) other authorised entity

Reporting of anti-social activities

We may process your personal data if you have made an anonymous report of possible anti-social activity or if you are the subject of, or a participant in, an investigation into possible anti-social activity pursuant to a specific legal provision.

  • Categories of data subjects – natural persons who have made a notification of an anti-social activity or a request for protection for a notification of a serious anti-social activity (or their relatives for whom protection is requested) and natural persons who are investigated on the basis of the notification.
  • Categories of personal data – personal data included in the notification and the data necessary for its examination (in particular, common personal identification data about the notifier, the persons involved in the breach, the details of the notification; may include data of different sensitivity).
  • Time limit for deletion of personal data – 3 years (from the date of receipt of the notification).
  • Category of recipients (external) – (1) The Office for the Protection of Whistleblowers of Anti-Social Activity, parties to the proceedings, other competent administrative authority, police force of the Slovak Republic, prosecutor’s office of the Slovak Republic, courts of the Slovak Republic, other authorized entity.

Cookies

If you browse the content of our website, we may process your personal data in order to provide and improve services, develop new services, protect users and ensure effective search and advertising. In the case of data that is not purely technical, we need your voluntary consent to the use of cookies for such processing.

  • Categories of data subjects – users of the website of the controller.
  • Categories of personal data – personal data (common – directly or indirectly identifiable, location data).
  • Time limit for erasure of personal data – after expiry of the consent period (unless the consent is renewed by the data subject).
  • Category of recipients (external) – (1) other eligible entity.

Technical and organisational measures

In order to maintain both your and our security (including your personal data), to demonstrate compliance with our legal obligation and to prove, exercise, defend our legal claims or claims of third parties, we may process records of your personal data. Depending on the need, this can be for example:

  1. records of your consent to the processing of your data,
  2. records of our compliance with our information obligation to you,
  3. records of how your application was processed,
  4. a record of the access and assets you are allowed/assigned and how they are used, if we have allowed/assigned such access/assignment to you,
  5. records that are necessary for the investigation of security incidents and personal data breaches,
  6. records (certificates) if we have trained you,
  7. records, if you are sworn to secrecy,
  8. records, if you have been part of our control activity, audit,
  9. other records relating to the performance of the technical and organisational measures taken.

The processing is in the legitimate interest of the controller and is also an obligation under the GDPR. The records may be used to establish liability against you and as evidence to prove, assert or defend legal claims of the operator or a third party (in particular in connection with a threat to/breach of security, including the protection of human life and health, property, financial or property damage, business interruption, damage to reputation, leakage of know-how, etc.).

  • Categories of data subjects – employees, responsible person, applicants for exercising rights, persons to whom the controller is fulfilling obligations under the GDPR, persons involved or dealt with in a security incident, intermediaries, other external entities (such as persons invited to the issue at hand – consultants, auditors, lawyers), employees of authorities on the basis of specific legislation (e.g. employees of the supervisory authority in the context of consultation, control activities), etc.
  • Categories of personal data – personal data (common – identification, contact data, which may, however, be supplemented by other necessary data of a different nature depending on the nature of the matter at hand – e.g. login data, data relating to the user’s/offender’s behaviour (e.g. logs of logins, logouts, activities), data necessary to verify the identity of the person who has requested the exercise of a right, data which indicate a violation of internal regulations (e.g. circumvention of security settings, etc.), etc.).
  • Deadline for deletion of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Personal Data Security Policy (most records are kept for 3 years or less, records of deletion or containing contracts for 5 years, some records permanently, for example those relating to the resolution of security incidents, impact assessments, information of data subjects, etc.).
  • Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Public Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, (1c) other authorized entity.

Data from some of the above processing operations may be used, where applicable and to the extent necessary, in the context of proving, exercising or defending our legal claims or the legal claims of a third party (e.g. disclosure of data to law enforcement authorities, bailiffs, lawyers, etc.), in judicial or extrajudicial proceedings, debt recovery, etc.

Some of the personal data obtained (e.g. certificates, records, other documents confirming a given fact, etc.) may be stored and used as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the obligations of the controller in terms of legislative requirements or other requirements (contractual, sectoral, etc.).

Your rights

As a data subject about whom we process personal data, you have rights under the GDPR and the DPA Act in relation to the processing of personal data, namely the right to request from the controller access to the personal data processed about you, the right to rectification (or, where applicable, the right to have your personal data rectified), the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, and the right to withdraw consent to the processing of personal data.

If you decide to exercise any of your rights, you can use our application form, which is available in the full information on the processing of your personal data. If you are not satisfied with our response, or if you believe that we have violated your rights or are processing your personal data unfairly, unlawfully, etc., you have the possibility to file a complaint – a petition to initiate proceedings – with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”) and Act no. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “OOU Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data when you enter and move around our premises.

Full details are available from the Personnel Department on request.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, ID No.: 35800780 (hereinafter referred to as the “Controller”).

In case of any doubts, questions regarding the processing of your personal data, suggestions or complaints, if you believe that we are processing your personal data unlawfully or unfairly, or in case of exercising any of your rights, you can contact us at any time by sending an email to: jobs.sk@msg-life.com, or in writing to the address of the controller.

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

Basic overview of processing activities

We may process your personal data in the following processing activities (IS):

Technical and organisational measures

We may process records of your personal data in the exercise of technical and organisational measures taken by the controller to ensure an adequate level of security, to maintain compliance with the requirements of the GDPR and to prevent or, where applicable, eliminate adverse effects on data subjects and the controller. These can be, for example, records of employee training, confidentiality of persons who come into contact with personal data, records of your consent to the processing of personal data, records related to the handling of your requests for the exercise of rights, records related to the resolution of security incidents and personal data breaches, records of control activities, audits of which you have been a part, records of the assignment/deassignment of assets, access rights, records related to the use of the assigned assets, etc. The processing is in the legitimate interest of the controller and is also an obligation under the GDPR. The records may be used to establish liability against you and as evidence to prove, assert or defend legal claims of the operator or a third party (in particular in connection with a threat to/breach of security, including the protection of human life and health, property, financial or property damage, business interruption, damage to reputation, leakage of know-how, etc.).

  • Categories of data subjects – employees, responsible person, applicants for exercising rights, persons to whom the controller is fulfilling obligations under the GDPR, persons involved or dealt with in a security incident, intermediaries, other external entities (such as persons invited to the issue at hand – consultants, auditors, lawyers), employees of authorities on the basis of specific legislation (e.g. employees of the supervisory authority in the context of consultation, control activities), etc.
  • Categories of personal data – personal data (common – identification, contact data, which may, however, be supplemented by other necessary data of a different nature depending on the nature of the matter at hand – e.g. login data, data relating to user/offender behaviour (e.g. logs of logins, logouts, activities), data necessary to verify the identity of the person who has requested the exercise of a right, data which indicate a violation of internal regulations (e.g. circumvention of security settings, etc.), etc.).
  • Deadline for deletion of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Personal Data Security Policy (most records are kept for 3 years or less, records of deletion or containing contracts for 5 years, some records permanently, for example those relating to the resolution of security incidents, impact assessments, information of data subjects, etc.).
  • Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Public Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, (1c) other authorized entity.

Data from some of the above processing operations may be used, where applicable and to the extent necessary, in the context of proving, exercising or defending our legal claims or the legal claims of a third party (e.g. disclosure of data to law enforcement authorities, bailiffs, lawyers, etc.), in judicial or extrajudicial proceedings, debt recovery, etc. Some of the personal data obtained (e.g. certificates, records, other documents confirming a given fact, etc.) may be stored and used as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the obligations of the controller in terms of legislative requirements or other requirements (contractual, sectoral, etc.).

Your rights

As a data subject about whom we process personal data, you have rights under the GDPR and the DPA Act in relation to the processing of personal data, namely the right to request from the controller access to the personal data processed about you, the right to rectification (or, where applicable, the right to have your personal data rectified), the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, and the right to withdraw consent to the processing of personal data.

If you decide to exercise any of your rights, you can use our application form, which is available in the full information on the processing of your personal data. If you are not satisfied with our response, or if you believe that we have violated your rights or are processing your personal data unfairly, unlawfully, etc., you have the possibility to file a complaint – a petition to initiate proceedings – with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “OOU Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data if you are our business partner.

Full details are available on request from the Personnel Department.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, ID No.: 35800780 (hereinafter referred to as the “Controller”).

In case of any doubts, questions regarding the processing of your personal data, suggestions or complaints, if you believe that we are processing your personal data unlawfully or unfairly, or in case of exercising any of your rights, you can contact us at any time by sending an email to: jobs.sk@msg-life.sk, or in writing to the address of the controller.

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

Basic overview of processing activities

We may process your personal data in the following processing activities (IS):

Accounting documents

We may process your personal data in connection with the performance of a contract with you in order to fulfil accounting and tax obligations under specific legislation.

  • Categories of data subjects – clients/contractual partners of the controller, taxpayers of the controller
  • Categories of personal data – personal identification, contact, financial/payment, other data-similarities related to the performance of the contract, accounting and tax obligations.
  • Time limit for deletion of personal data – 10 years.
  • Category of recipients (external) – (1a) tax administrator, (1b) auditors, (1c) other authorised entity

Reporting of anti-social activities

We may process your personal data if you have made a non-anonymous report of possible anti-social activity or if you are the subject of, or a participant in, an investigation into possible anti-social activity under a specific legal provision.

  • Categories of data subjects – natural persons who have made a notification of an anti-social activity or a request for protection for a notification of a serious anti-social activity (or their relatives for whom protection is requested) and natural persons who are investigated on the basis of the notification.
  • Categories of personal data – personal data included in the notification and the data necessary for its examination (in particular, routine personal identification data about the notifier, the persons involved in the breach, the details of the notification; may include data of different sensitivity).
  • Time limit for deletion of personal data – 3 years (from the date of receipt of the notification).
  • Category of recipients (external) – (1) The Office for the Protection of Whistleblowers of Anti-Social Activity, parties to the proceedings, other competent administrative authority, police force of the Slovak Republic, prosecutor’s office of the Slovak Republic, courts of the Slovak Republic, other authorized entity.

Records of business partners

We may process your identification and contact data if you are our business partner (or their designated contact person) and we need this data for the performance of our business relationship. The legal basis is a legitimate interest.

  • Categories of data subjects – business partners of the controller and employees of the business partner.
  • Categories of personal data – personal data (common – identification and contact data within the scope of business cards).
  • Time limit for deletion of personal data – 1 year.
  • Beneficiary category (external) – (1) other eligible entity.

Technical and organisational measures

In order to maintain both your and our security (including your personal data), to demonstrate compliance with our legal obligation and to prove, exercise, defend our legal claims or claims of third parties, we may process records of your personal data. Depending on the need, this can be for example:

  1. records of your consent to the processing of your data,
  2. records of our compliance with our information obligation to you,
  3. records of how your application was processed,
  4. a record of the access and assets you are allowed/assigned and how they are used, if we have allowed/assigned such access/assignment to you,
  5. records that are necessary for the investigation of security incidents and personal data breaches,
  6. records (certificates) if we have trained you,
  7. records, if you are sworn to secrecy,
  8. records, if you have been part of our control activity, audit,
  9. other records relating to the performance of the technical and organisational measures taken.

The processing is in the legitimate interest of the controller and is also an obligation under the GDPR. The records may be used to establish liability against you and as evidence to prove, assert or defend legal claims of the operator or a third party (in particular in connection with a threat to/breach of security, including the protection of human life and health, property, financial or property damage, business interruption, damage to reputation, leakage of know-how, etc.).

  • Categories of data subjects – employees, responsible person, applicants for exercising rights, persons to whom the controller is fulfilling obligations under the GDPR, persons involved or dealt with in a security incident, intermediaries, other external entities (such as persons invited to the issue at hand – consultants, auditors, lawyers), employees of authorities on the basis of specific legislation (e.g. employees of the supervisory authority in the context of consultation, control activities), etc.
  • Categories of personal data – personal data (common – identification, contact data, which may, however, be supplemented by other necessary data of a different nature depending on the nature of the matter at hand – e.g. login data, data relating to the user’s/offender’s behaviour (e.g. logs of logins, logouts, activities), data necessary to verify the identity of the person who has requested the exercise of a right, data which indicate a violation of internal regulations (e.g. circumvention of security settings, etc.), etc.).
  • Deadline for deletion of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Personal Data Security Policy (most records are kept for 3 years or less, records of deletion or containing contracts for 5 years, some records permanently – for example, those relating to the resolution of security incidents, impact assessments, information of data subjects, etc.).
  • Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Public Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, (1c) other authorized entity.

Data from some of the above processing operations may be used, where applicable and to the extent necessary, in the context of proving, exercising or defending our legal claims or the legal claims of a third party (e.g. disclosure of data to law enforcement authorities, bailiffs, lawyers, etc.), in judicial or extrajudicial proceedings, debt recovery, etc.

Some of the personal data obtained (e.g. certificates, records, other documents confirming a given fact, etc.) may be stored and used as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the obligations of the controller in terms of legislative requirements or other requirements (contractual, sectoral, etc.).

Your rights

As a data subject about whom we process personal data, you have rights under the GDPR and the DPA Act in relation to the processing of personal data, namely the right to request from the controller access to the personal data processed about you, the right to rectification (or, where applicable, the right to have your personal data rectified), the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, and the right to withdraw consent to the processing of personal data.

If you decide to exercise any of your rights, you can do so using our application form, which is available in the complete information on the processing of your personal data. If you are not satisfied with our response, or if you believe that we have violated your rights or are processing your personal data unfairly, unlawfully, etc., you have the possibility to file a complaint – a petition to initiate proceedings – with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

according to Art. 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and § 19 and § 20 of Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “PDP Act”).

The purpose of this information is to provide you with information about what personal data we process, how we handle it, for what purposes we use it, to whom we may disclose it, where you can obtain information about your personal data and exercise your rights in relation to the processing of your personal data.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 35 800 780 (hereinafter referred to as the “Controller”).

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

If you have expressed an interest in working for us (e.g. by submitting a job application, sending your CV, etc.), we will process your personal data as follows:

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

selection of suitable staff.

Personal data is processed on the basis of:

  • (1) Art. 6 para. 1 lit. (b) GDPR: contractual and pre-contractual relationship with the data subject,
  • (2) Art. 6 para. 1 lit. (c) GDPR, regulations: Act No. 311/2001 Coll., Labour Code, as amended, Act No. 5/2004 Coll. on Employment Services and on Amendments and Additions to Certain Acts,
  • (3) Art. 6 para. 1 lit. (a) GDPR: consent of the data subject (in the case of providing data via a referral employee, keeping the CV for future selection procedures).

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

jobseekers.

The scope of the personal data we process:

personal data provided in the CV and supporting documents and resulting from the assessment of the suitability of the job applicant.

These are in particular identification, contact details, data concerning habits, preferences stated in the CV or directly in the job interview, financial data – e.g. desired, offered salary.

3 Identification of recipients or other parties who may have access to personal data

Category of beneficiaries:

  • (1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g. Act No. 5/2004 Coll. on Employment Services and on Amendments and Additions to Certain Acts, other legislation.
  • (2) Processor under contract (Article 28 GDPR)
  • (3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
  • (4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
  • (5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of beneficiaries:

  • (1) The Social Welfare and Family Labour Office (e.g. for the purpose of a job search certificate), another authorised entity.
  • (5) msg systems ag, Robert-Buerkle-Strasse 1, 857 31 Ismaning/Munich, VAT: DE 129 420 400

4 Transfer of personal data to a third country/international organisation

No transfer to a third country or international organisation shall take place.

5 Identification of the source from which the personal data were obtained

Directly by the data subject, with the consent of another person (referring employee).

6 Retention period of personal data

3 years.

7 Profiling

Profiling is not carried out.

8 Obligation to provide personal data

Failure to provide the personal data necessary for the selection of a suitable candidate may result in the selection not being carried out and the candidate’s abilities and qualities not being assessed.

The provision of personal data from a referring employee is only possible with your voluntary consent. If you do not provide consent, CV or other data through the referring employee, you can provide personal data directly to us.

If you are interested in participating in future competitions, you must give us your voluntary consent. In the event that consent is not given, the controller will not process the personal data for longer than is necessary to assess the suitability of the job applicant for the job.

The provision of personal data processed under the Labour Code and special laws is a legal requirement or a contractual requirement, or a requirement that is necessary for the conclusion of the contract. The data subject is obliged to provide personal data; in the event of failure to provide them, the controller will not ensure the conclusion or performance of the contract with the data subject.

Rights of the data subject

The data subject has the right to request from the controller access to the personal data processed about him or her, the right to rectification of personal data, the right to erasure or restriction of the processing of personal data, the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, as well as the right to submit a petition to the supervisory authority.

Where the controller processes personal data on the basis of the data subject’s consent, the data subject shall have the right to withdraw his or her consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal. The data subject may exercise his or her rights by sending an email to jobs.sk@msg-life.com or by writing to the controller.

If you voluntarily provide us with your consent to the processing of your personal data, we will retain evidence of your consent (within the scope of the consent) for 3 years from the end of its validity, in the context of our legitimate interest and in order to comply with our legal obligation.

We may store it as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the controller’s obligations under legislative requirements or other requirements (contractual, sectoral, etc.), or use it for the purposes of proving, exercising or defending our legal claims (for example, the provision of data to law enforcement authorities, lawyers, etc.), in the context of judicial or extrajudicial proceedings, etc.

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and Act no. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “OOU Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data if you work for us on the basis of an employment relationship or a similar employment relationship.

Full details are available from the Personnel Department on request.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, ID No.: 35800780 (hereinafter referred to as the “Controller”).

In case of any doubts, questions regarding the processing of your personal data, suggestions or complaints, if you believe that we are processing your personal data unlawfully or unfairly, or in case of exercising any of your rights, you can contact us at any time by sending an email to: jobs.sk@msg-life.com, or in writing to the address of the controller.

Contact details of the person responsible for the supervision of the processing of personal data: email: dpo3@proenergy.sk.

Basic overview of processing activities

Personnel and payroll (PAM)

We process your personal data for the purpose of maintaining personnel and payroll records, in the performance of the employer’s legal obligations and duties related to the employment relationship or similar employment relationship, including pre-contractual relationships, contract change negotiations, or with your voluntary consent, or in the pursuit of a legitimate interest of the controller or a third party in connection with:

  1. processing of contact data in the context of the performance of job duties and the provision of crisis management and business continuity management (IS 1.10, 1.11),
  2. sharing data within the group of companies for internal administrative purposes (in particular internal record keeping, contact, collaboration, training, pay/benefits approval) (IS 1.22).
  • Categories of data subjects – job applicants, employees, former employees (including persons in a similar employment relationship), depending on the nature of the processing operation, personal data may also relate to spouses of employees, dependent children of employees, parents of dependent children of employees, close relatives.
  • Categories of personal data – individual PAM agendas contain personal data (including sensitive personal data – in particular health-related personal data) that are relevant to the work that the employee is to perform, is performing or has performed.
  • Time limit for the deletion of personal files – for the period necessary to fulfil the purpose, as defined in the Archives and Registers Act (maximum 70 years (from birth) in the case of personal files of employees).
  • Category of beneficiaries (external) – (1) institutions and organisations, contractual partners to whom processing is permitted by specific legislation, including state and public authorities for the exercise of control and supervision, (2) processors, (4) contractual partners to whom disclosure is required for the performance of a contract between the data subjects and the controller, (5) Personal data may be shared in certain cases in the context of legitimate interest, (3) In the event that you have given us your voluntary consent or have instructed us to disclose your personal data, your personal data may be disclosed to us in accordance with the following

Registry management (and correspondence)

We may process your personal data within the meaning of a legal obligation for the purposes of maintaining the administration of the registry, mail records. The processing of data from correspondence may be carried out in the context of the performance of a contractual relationship or a pre-contractual relationship (contract negotiation, contract performance, keeping accounting records, handling complaints, etc.), the performance of a legal obligation (e.g. notification of antisocial activity, handling requests from data subjects, registry management), or in the context of a legitimate interest (e.g. handling complaints, keeping records of business partners, processing unexpected/unsolicited communications).

  • Categories of data subjects – natural persons – senders and recipients of correspondence.
  • Categories of personal data – personal data (common identification e.g. title, name, surname, signature, address, e-mail address, telephone number, other data of varying sensitivity within the scope of communication pursuant to Act No. 305/2013 Coll., or voluntarily provided within the framework of communication).
  • Time limit for deletion of personal data – maximum 10 years (registry log), keeping of ordinary and official correspondence 5 years.
  • Category of beneficiaries (external) – (1) Ministry of the Interior of the Slovak Republic, other authorised entity

Reporting of anti-social activities

We may process your personal data if you have made an anonymous report of possible anti-social activity or if you are the subject of, or a participant in, an investigation into possible anti-social activity pursuant to a specific legal provision.

  • Categories of data subjects – natural persons who have made a notification of an anti-social activity or a request for protection for a notification of a serious anti-social activity (or their relatives for whom protection is requested) and natural persons who are investigated on the basis of the notification.
  • Categories of personal data – personal data included in the notification and the data necessary for its examination (in particular, routine personal identification data about the notifier, the persons involved in the breach, the details of the notification; may include data of different sensitivity).
  • Time limit for deletion of personal data – 3 years (from the date of receipt of the notification).
  • Category of recipients (external) – (1) The Office for the Protection of Whistleblowers of Anti-Social Activity, parties to the proceedings, other competent administrative authority, police force of the Slovak Republic, prosecutor’s office of the Slovak Republic, courts of the Slovak Republic, other authorized entity.

Promotion

We may process your photographs, video recordings, your reviews of us, and other information about you only to the extent and in the manner in which you have consented to the processing of your personal data. Where we have assessed that consent is not necessary (redundant, disproportionate effort, etc.) for the purpose, for example, you have attended or will attend events organised by the operator for a wide range of people, we may take and process photographs or other records within the scope of our legitimate interest. We may use the data collected for the purposes of positive promotion, documentation and presentation of the operator’s activities. It is in our interest to document the activities of the operator and to present/promote them in the context of building good internal relations as well as external relations towards the operator and to preserve our good name. If you do not want your photographs, video recordings or other related data to be used for documentary, presentation/promotional purposes, you can exercise your rights (to object to processing or withdraw consent) via the contacts listed at the beginning of this information.

  • Categories of data subjects – employees (including persons in a similar employment relationship) other natural persons.
  • Categories of personal data – personal data (common – mainly identification, captured in a photograph, video/audio recording, other related to expressions of a personal nature).
  • Time limit for deletion of personal data – duration of the employment relationship or after the end of the purpose (5 years), does not apply to documents/records with permanent documentary value within the meaning of the Law on Archives and Registers.
  • Category of beneficiaries (external) – (1) other eligible entity

Technical and organisational measures

In order to maintain both your and our security (including your personal data), to demonstrate compliance with our legal obligation and to prove, exercise, defend our legal claims or claims of third parties, we may process records of your personal data. Depending on the need, this can be for example:

  1. records of your consent to the processing of your data,
  2. records of our compliance with our information obligation to you,
  3. records of how your application was processed,
  4. a record of the access and assets you are allowed/assigned and how they are used, if we have allowed/assigned such access/assignment to you,
  5. records that are necessary for the investigation of security incidents and personal data breaches,
  6. records (certificates) if we have trained you,
  7. records, if you are sworn to secrecy,
  8. records, if you have been part of our control activity, audit,
  9. other records relating to the performance of the technical and organisational measures taken.

The processing is in the legitimate interest of the controller and is also an obligation under the GDPR. The records may be used to establish liability against you and as evidence to prove, assert or defend legal claims of the operator or a third party (in particular in connection with a threat to/breach of security, including the protection of human life and health, property, financial or property damage, business interruption, damage to reputation, leakage of know-how, etc.).

  • Categories of data subjects – employees, responsible person, applicants for exercising rights, persons to whom the controller is fulfilling obligations under the GDPR, persons involved or dealt with in a security incident, intermediaries, other external entities (such as persons invited to the issue at hand – consultants, auditors, lawyers), employees of authorities on the basis of specific legislation (e.g. employees of the supervisory authority in the context of consultation, control activities), etc.
  • Categories of personal data – personal data (common – identification, contact data, which may, however, be supplemented by other necessary data of a different nature depending on the nature of the matter at hand – e.g. login data, data relating to the user’s/offender’s behaviour (e.g. logs of logins, logouts, activities), data necessary to verify the identity of the person who has requested the exercise of a right, data which indicate a violation of internal regulations (e.g. circumvention of security settings, etc.), etc.).
  • Deadline for deletion of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Personal Data Security Policy (most records are kept for 3 years or less, records of deletion or containing contracts for 5 years, some records permanently – for example, those relating to the resolution of security incidents, impact assessments, information of data subjects, etc.).
  • Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Public Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, (1c) other authorized entity.

Data from some of the above processing operations may be used, where applicable and to the extent necessary, in the context of proving, exercising or defending our legal claims or the legal claims of a third party (e.g. disclosure of data to law enforcement authorities, bailiffs, lawyers, etc.), in judicial or extrajudicial proceedings, debt recovery, etc.

Some of the personal data obtained (e.g. certificates, records, other documents confirming a given fact, etc.) may be stored and used as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the obligations of the controller in terms of legislative requirements or other requirements (contractual, sectoral, etc.).

Your rights

As a data subject about whom we process personal data, you have rights under the GDPR and the DPA Act in relation to the processing of personal data, namely the right to request from the controller access to the personal data processed about you, the right to rectification (or, where applicable, the right to have your personal data rectified), the right to object to the processing of personal data, the right to the ineffectiveness of automated individual decision-making, including profiling, the right to the portability of personal data, and the right to withdraw consent to the processing of personal data.

If you decide to exercise any of your rights, you can do so using our application form, which is available in the complete information on the processing of your personal data. If you are not satisfied with our response, or if you believe that we have violated your rights or are processing your personal data unfairly, unlawfully, etc., you have the possibility to file a complaint – a petition to initiate proceedings – with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

according to Art. 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”) and § 19 and § 20 of Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain acts (hereinafter referred to as the “PDP Act”).

The purpose of this information is to provide you with information about what personal data we process, how we handle it, for what purposes we use it, to whom we may disclose it, where you can obtain information about your personal data and exercise your rights in relation to the processing of your personal data.

Identification and contact details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava (hereinafter referred to as the “Controller”).

In case of any doubts, questions regarding the processing of your personal data, suggestions or complaints, if you believe that we are processing your personal data unlawfully or unfairly, or in case of exercising any of your rights, you can contact us at any time by sending an email to: jobs.sk@msg-life.com, or in writing to the address of the controller. We will endeavour to deal with your correspondence as soon as possible, but we will reply within a maximum of 1 month from the date of receipt. In certain cases, we may need to supplement information to identify and verify your identity in order to process your request.

Questions, suggestions, requests to exercise your rights, etc. that we receive may be passed for processing to our external data controller, who provides independent oversight of the correct and secure processing of your personal data. If you are interested, you can also contact the responsible person directly by email: dpo3@proenergy.sk.

If you are aware or suspect that a security breach affecting personal data (a so-called data breach) has occurred, please notify us immediately by sending an email to: jobs.sk@msg-life.com.

Version: V1.0
Effective date: from 1.5.2023
Reason for updating the original version: –

Overview of processing activities

We may process your personal data in the following processing activities (IS):

  • Registry management (and correspondence) – we may process your personal data under a legal obligation for the purposes of registry management, mail registration. The processing of data from correspondence may be carried out in the context of the performance of a contractual relationship or a pre-contractual relationship (contract negotiation, contract performance, keeping accounting records, handling complaints, etc.), the performance of a legal obligation (e.g. notification of antisocial activity, handling requests from data subjects, registry management), or in the context of a legitimate interest (e.g. handling complaints, keeping records of business partners, processing unexpected/unsolicited communications).
  • Reporting of anti-social activity – we may process your personal data if you have made a non-anonymous report of possible anti-social activity or if you are the subject of, or a participant in, an investigation of possible anti-social activity under a specific legal provision.
  • Corporate agenda – we may process your personal data if you are an associate of the controller in order to fulfil the corporate obligations of the controller. The legal basis is a legal obligation.
  • Promotion – we may process your photographs, video footage, your reviews of us, and other information about you only to the extent and in the manner in which you have consented to the processing of your personal data. Where we have assessed that consent is not necessary (redundant, disproportionate effort, etc.) for the purpose, for example, you have attended or will attend events organised by the operator for a wide range of people, we may take and process photographs or other records within the scope of our legitimate interest. We may use the data collected for the purposes of positive promotion, documentation and presentation of the operator’s activities. It is in our interest to document the activities of the operator and to present/promote them in the context of building good internal relations as well as external relations towards the operator and to preserve our good name. If you do not want your photographs, video recordings or other related data to be used for documentary, presentation/promotional purposes, you can exercise your rights (to object to processing or withdraw consent) via the contacts listed at the beginning of this information.
  • Cookies – if you browse our website content, we may process your personal data in order to provide and improve services, develop new services, protect users and ensure effective search and advertising. In the case of data that is not purely technical, we need your voluntary consent to the use of cookies for such processing.
  • Technical and organisational measures – in order to maintain your security as well as ours (including your personal data), to demonstrate compliance with our legal obligation and to prove, exercise, defend our legal claims or those of third parties, we may process records of your personal data. Depending on the need, this can be for example:
      • records of your consent to the processing of your data,
      • records of our compliance with our information obligation to you,
      • records of how your application was processed,
      • records of accesses and assets granted/allocated and their use, if we have allowed/assigned them,
      • records necessary for the investigation of security incidents and data breaches,
      • records (certificates) if we have trained you,
      • records, if you are sworn to secrecy,
      • records, if you have been part of our control activity, audit,
      • other records relating to the performance of the technical and organisational measures taken.

The processing is in the legitimate interest of the controller and is also an obligation under the GDPR.

The records may be used to establish liability against you and as evidence to prove, assert or defend legal claims of the operator or a third party (in particular in connection with a threat to/breach of security, including the protection of human life and health, property, financial or property damage, business interruption, damage to reputation, leakage of know-how, etc.).

Data from some of the above processing operations may be used, where applicable and to the extent necessary, in the context of proving, exercising or defending our legal claims or the legal claims of a third party (e.g. disclosure of data to law enforcement authorities, bailiffs, lawyers, etc.), in judicial or extrajudicial proceedings, debt recovery, etc.

Some of the personal data obtained (e.g. certificates, records, other documents confirming a given fact, etc.) may be stored and used as “evidence” for the purposes of audits, third-party control activities, in the context of verifying the proper performance of the obligations of the controller in terms of legislative requirements or other requirements (contractual, sectoral, etc.).

Some of the data collected may be used for the internal statistical purposes of the controller, to improve processes and services, but only to the extent necessary and where possible using security features of anonymisation or pseudonymisation and encryption.

Additional general information

We process your personal data in the context of the above processing activities in accordance with the principles of personal data processing so that we process your personal data to the extent necessary to achieve the intended lawful purpose and keep it for the period necessary in accordance with current legislation (in particular the Law on Archives and Registers). The individual time limits for erasure are set out in the ‘Details of processing activities’ section of this information. These periods may be extended in exceptional cases, in particular in the context of proving, exercising or defending legal claims.

We obtain your personal data primarily from you as the data subject (or from your legal representative), otherwise, if we obtain it from other sources, we will inform you transparently of this fact and make sure that this data is obtained lawfully (for example, with your consent) and is correct and up-to-date. In the event of any change to your personal data, we ask you to report this change.

Access to your personal data is restricted to our authorised persons who have been properly trained on the rules and responsibilities for processing your personal data and have undertaken to maintain the confidentiality of your personal data with which they come into contact.

Your personal data may also be accessed by external recipients and other parties who are permitted or required to do so by specific legislation or by the exercise of public authority. These are mainly organisations and institutions (including state administration and public authorities for the exercise of control and supervision), but may also be contractual partners having the status of an independent controller within the meaning of a specific regulation, or other persons/entities regulated by law. Furthermore, we may share your personal data with processors that we have contracted to process your personal data and that have committed to take appropriate safeguards to maintain the protection of the personal data processed.

Personal data may in certain cases be shared within the msg life group of companies for internal administrative purposes or with another party for legitimate interest. If you have given us your voluntary consent or have instructed us to disclose your data, your personal data may also be disclosed to other recipients. Your personal data may also be shared with contractual partners for the performance of the contract between you and the controller. The specific list of recipients for each processing activity is set out in the ‘Details of processing activities’ section of this information.

We will notify you via this information of any transfer of personal data to third countries or international organisations. In the event of such a transfer, this fact is set out in the ‘details of processing activities’ section of this information, together with the safeguards for such a transfer, which may be, in particular (i) a decision by the Commission that the country or international organisation provides adequate safeguards, (ii) signed standard contractual clauses between the data importer and data exporter, (iii) adopted binding corporate rules, (iv) or one of the exceptions for specific situations applies (for example, your explicit consent), etc.

This and other specific information on the processing of your personal data is set out separately for each processing activity in the “Details of processing activities” section of this information.

Your rights

As a data subject about whom we process personal data, you have rights under the GDPR and the PDP Act in relation to the processing of personal data. Below is an overview. If you decide to exercise any of your rights, you can do so by using our application form attached hereto, which you can send to the contact details at the beginning of this information. If you are unsure of your rights or need help completing your application, you can contact our external responsible person – contact details are available at the beginning of this information.

Right of access

You can request information from us about how we process your personal data, including information about:

  • for what purpose we process your personal data,
  • what categories of personal data we process,
  • with whom we share your personal data,
  • how long we keep your personal data or what are the criteria for determining this period,
  • what your rights are,
  • where we obtain your personal data from (unless we have obtained it directly from you),
  • whether the processing involves automated decision-making (‘profiling’),
  • whether your personal data has been transferred to a country outside the European Union or the European Economic Area or to an international organisation and, if so, how we ensure the protection of your personal data.

All of the above information is available in this information. If you request, we will provide you with a copy of the personal data we process about you. We may charge a reasonable fee for any additional copies you request, which will be in line with our administrative costs.

The right to obtain a copy shall not adversely affect the rights and freedoms of others. The controller will provide you with information about the option, the procedure used, the possible costs and further details about the provision of the copy after receiving your request. If you have made a request by electronic means, the information will be provided to you in a commonly used electronic format, unless you request otherwise.

Note: The right of access can be easily exercised by filling in the application form – point “D” in Annex 1 of this information.

Right to data portability

You have the right to obtain from us your personal data that you have provided to us for processing on the basis of consent or for the performance of a contract, in a structured, commonly used and machine-readable format. You also have the right to request the transfer of this information to another controller.

Note: You can easily exercise your right to data portability by filling in the application form – point “E” as per Annex 1 of this information.

Right to rectification

It is important that we have correct and complete information about you to avoid mistakes, unpleasant situations and unwanted consequences. Not only do you have the right to have incorrect or incomplete personal data that we process about you corrected without delay, but we also ask you to immediately notify us of any changes or additions to your personal data, in particular if you have changed your identification/contact details, etc.

Note: The right to correct (or add) data can be easily exercised by filling in the application form – points “A or B” as per Annex 1 of this information.

Right to erasure (right to be “forgotten”)

You have the right to request the erasure of personal data relating to you. We will comply with such a request without delay if any of the following reasons are met:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; or
  • you withdraw the consent on the basis of which the processing is carried out and there is no other legal basis for the processing, or
  • you object to processing and there are no overriding legitimate grounds for processing, or you object to processing for the purpose of direct marketing (including profiling), or
  • the personal data have been unlawfully processed, or
  • the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject; or
  • personal data was collected in connection with the offer of information society services.

For example, you can ask us to delete your personal data on the grounds that we are processing your personal data unlawfully, for example if we are processing your personal data for longer than necessary or without any reason.

However, in some cases we may not be able to comply with your request, e.g. where the processing of personal data is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation which requires processing under Union law or the law of a Member State to which the controller is subject, or for the performance of a task carried out in the public interest, for reasons of public interest in the field of public health, for archiving purposes in the public interest, or for the establishment, exercise or defence of legal claims.

Note: You can easily exercise your right to erasure by completing the application form – point “C” in Annex 1 of this information.

Right to restriction of processing

You have the right to have us restrict the processing of your personal data in one of the following cases:

  • you challenge the accuracy of the personal data, during the period allowing us to verify the accuracy of personal data, or
  • the processing is unlawful and you, as the data subject, object to the erasure of the personal data and request instead a restriction on their use, or
  • we, as the controller, no longer need your personal data for the purposes of the processing, but you, as the data subject, need them to establish, exercise or defend legal claims, or
  • you object to the processing, pending verification that the legitimate grounds on our part as the controller outweigh the legitimate grounds of you as the data subject.

Where processing has been restricted on the grounds set out above, we may only process such personal data (with the exception of storage) with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

We will inform you before the restriction on processing by the controller is lifted.

We also want to assure you that if you exercise your right to rectification, erasure or restriction of the processing of personal data by means of a request, we will immediately communicate this fact (rectification, erasure or restriction of processing) to each recipient to whom we have provided personal data, unless this proves impossible or requires disproportionate effort.
Note: You can easily exercise your right to restriction of data processing by filling in the application form – point “F” as per Annex 1 of this information.

Right to object to processing

If you believe that we do not have the right to process your personal data, you can object to our processing. These are situations where the processing is carried out on the basis of a legitimate interest pursued by us as a controller or a task carried out in the public interest, including objecting to profiling. In such cases, we can only continue processing if we can demonstrate compelling legitimate grounds that outweigh your interests, rights and freedoms. However, we may always process your personal data if this is necessary for the establishment, exercise or defence of legal claims. If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purposes of such marketing.
Note: You can easily exercise your right to object to data processing by filling in the application form – point “G” as per Annex 1 of this information.

Right not to be subject to a decision based solely on automated processing, including profiling

If we carry out profiling, we will inform you in detail about this in the context of the specific processing activities. We also want to reassure you that if we state that such processing is not carried out, this means that your personal data is not and will not be used to evaluate or predict personal aspects of your job performance, wealth, health, personal preferences, interests, reliability, behaviour, location or movements.

Where we carry out such processing, you have the right to ask us not to include you in the profiling. However, in some cases we may not be able to comply with your request, e.g. where the decision is necessary for the conclusion or performance of a contract between the data subject and the controller, or where the decision is authorised by Union or Member State law and also provides for appropriate measures guaranteeing the protection of the rights and freedoms and legitimate interests of the data subject, or where the decision is based on the data subject’s explicit consent.
Note: You can easily exercise this right by filling in the application form – point “H” as per Annex 1 of this information.

Right to withdraw consent to the processing of personal data

If you have previously given us your consent to the processing of your personal data, you have the right to withdraw this voluntary consent at any time. We will respect your decision and ensure that your personal data is no longer processed for this purpose. At the same time, however, withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal (in practice, this may mean that if your data has been disclosed in accordance with the consent given, for example, in distributed promotional materials, the destruction of these sent materials will not be carried out, since the consent was valid at the time of distribution).
If you have given us consent electronically by technical means, you have the right to withdraw your consent by these means. Alternatively, simply write to us at the contact listed at the beginning of this information that you no longer wish us to process your data and withdraw your consent.

Right to lodge a complaint with the supervisory authority

If you are not satisfied with our response, or if you believe that we have violated your rights or are processing your personal data unfairly, unlawfully, etc., you have the possibility to file a complaint – a petition to initiate proceedings with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic. Further information on the complaints procedure is available at www.dataprotection.gov.sk.

Security when processing your personal data

We would like to show you that we take the security of your personal data and the protection of your privacy seriously, so in this section of the information we provide you with at least some basic information about our practices for securing your personal data.

We ensure the security of information, including personal data, by selecting appropriate technical and organizational measures based on international standards for information security (in particular ISO/IEC 27001:2013, ISO/IEC 27002:2013).

We secure the premises where we process your personal data with an adequate level of physical protection by means of mechanical barriers, technical safeguards and organisational measures.

In processing and maintaining the security of personal data, we follow a set of regularly updated policies and procedures, with clearly defined and assigned responsibilities.

We have documented all processes relating to the processing of your personal data and update them regularly. Each new process is properly assessed and approved.

When processing personal data, we take into account the risk to you in the event of loss of confidentiality, availability or integrity, and processing operations with a higher risk are treated with more measures to guarantee greater protection.

We periodically conduct inspection/audit activities to ensure compliance with the established rules and assess compliance with privacy and security requirements and work diligently to remedy any deficiencies identified.

We use the services of an independent (impartial) external data controller who oversees the correct, lawful and secure processing of personal data by us.

Authorised persons who have access to your personal data within their job function are bound by confidentiality obligations in relation to personal data, are properly trained prior to the first processing and are subsequently retrained as necessary on the requirements and responsibilities when processing personal data.

We only use the services of verified intermediary suppliers who have contractually committed to take appropriate security measures when processing your personal data.

Access to your personal data by authorised persons is governed by the “need to know” and “need to use” rules. We have a security incident/data breach management system in place and ensure business continuity.

We maintain an up-to-date register of both primary and supporting assets in connection with the processing of personal data, which is reflected by appropriate security measures, including secure deletion/destruction rules, backup, encryption, protection against malicious code, elements of appropriate authentication, pseudonymisation or anonymisation, rules on the use of assets, including their transfer, and many others.

Details of processing activities (IS)

IS registry management

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

keeping and managing the registry, processing electronic and written correspondence.

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. (c) of the GDPR:
– Act No. 395/2002 Coll. on archives and registers and on the amendment of certain laws, as amended,
– Act No. 305/2013 Coll. on the electronic form of exercising the powers of public authorities and on amendment and supplementation of certain acts (e-Government Act), as amended,
(2) Art. 6 para. 1 lit. (f) GDPR: legitimate interest.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

natural persons – controllers and processors, authorised persons of controllers and processors, data subjects, other natural persons in the capacity of parties to the proceedings.

The scope of the personal data we process:

personal data – identification data, e.g. title, name, surname, signature, address, e-mail address, telephone number, other data of different sensitivity within the scope of communication pursuant to Act No. 305/2013 Coll. or voluntarily provided within the scope of communication.

3 Identification of recipients or other parties who may have access to personal data

Category of recipients:
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
– Act No. 395/2002 Coll. on archives and registers and on the amendment of certain acts, as amended,
– other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of recipients:
(1) The Ministry of the Interior of the Slovak Republic, another authorized entity.

4 Transfer of personal data to a third country/international organisation

Transfer to a third country or international organisation does not take place.

5 Identification of the source from which the personal data were obtained

Directly from the data subject.

6 Retention period of personal data

– a maximum of 10 years (registry diary),
– keeping current and official correspondence for 5 years.

7 Profiling

Profiling does not take place.

8 Obligation to provide personal data

If the provision of personal data is a legal requirement (registry management, mail registration, electronic communication with public authorities), the processing of personal data is mandatory. The person concerned has an obligation to provide personal data; failure to provide it is a violation of the law.
The provision of personal data processed under legitimate interest is voluntary – the person makes it on his/her own initiative. In the event of non-provision of data, the controller may not be able to ensure the handling of the communication.

IS notification of anti-social activities

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

investigation of notifications pursuant to Act No. 54/2019 Coll. on the protection of whistleblowers of antisocial activities and on the amendment and supplementation of certain laws.

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. (c) of the GDPR:
– Act No. 54/2019 Coll. on the protection of whistleblowers of antisocial activities and on the amendment and supplementation of certain laws,
(2) Art. 9 para. 2 lit. (g) GDPR: significant public interest based on Union or Member State law.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

natural persons who have made a notification of anti-social activity or a request for protection in the notification of serious anti-social activity (or their relatives for whom protection is requested) and natural persons who are being investigated on the basis of the notification.

The scope of the personal data we process:

the personal data contained in the notification and the data necessary for its examination (in particular, routine personal identification data on the notifier, the persons involved in the infringement, the details of the notification (which may contain data of varying sensitivity)).
Presumed list of personal data: title, name, surname, date of birth and residence of the whistleblower, place of work, employer’s name, data on a close person if he/she is in an employment relationship with the same employer as the whistleblower or is in an employment relationship with an employer who is a dependent in relation to the whistleblower’s employer and the whistleblower also requests protection for this close person, and other data necessary to verify the notification.

3 Identification of recipients or other parties who may have access to personal data

Category of recipients:
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
– Act No. 54/2019 Coll. on the Protection of Whistleblowers of Anti-Social Activities and on Amendments to Certain Acts
– Act No. 301/2005 Coll. Criminal Procedure Code
– Act No. 171/1993 Coll. on the Police Force (in particular § 76a)
– other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of recipients:
(1) The Office for the Protection of Whistleblowers of Anti-Social Activity, the parties to the proceedings, another competent administrative authority, the Police Force of the Slovak Republic, the Public Prosecutor’s Office of the Slovak Republic, the courts of the Slovak Republic, another authorized entity.

4 Transfer of personal data to a third country/international organisation

Transfer to a third country or international organisation does not take place.

5 Identification of the source from which the personal data were obtained

Directly by the data subject (in person, in the mailbox, by email, by phone).

6 Retention period of personal data

3 years (from the date of receipt of the notification).

7 Profiling

Profiling does not take place.

8 Obligation to provide personal data

The data subject provides his/her personal data voluntarily, in accordance with the law. If the data is not provided, it will not be possible to notify the data subject of the outcome of the investigation of the complaint/notification, nor to contact him/her to supplement the information if necessary.

IS corporate agenda

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

keeping a register of shareholders for the fulfilment of the corporate obligations of the operator in relation to its shareholders.

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. c) of the GDPR, in particular:
– Act No. 513/1991 Coll. Commercial Code as amended,
– Act No. 455/1991 Coll. on trade business (Trade Licensing Act), as amended,
– Act No. 40/1964 Coll. Civil Code as amended,
– Act No. 431/2002 Coll. on accounting, as amended,
– Act No. 563/2009 Coll. on tax administration (Tax Code) and on amendments and supplements to certain laws, as amended,
– Act No. 595/2003 Coll. on income tax, as amended,
– Act No. 530/2003 Coll. on the Commercial Register and on Amendments and Additions to Certain Acts, as amended,
(2) Art. 10: the processing of data relating to guilty pleas for criminal offences and misdemeanours is permitted by Union or Member State law.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

partners in the operator’s company.

The scope of the personal data we process:

personal data necessary for the performance of corporate duties, in particular name, surname and title, birth number, date of birth, place of birth, signature, nationality, citizenship, permanent residence, temporary residence, telephone number, e-mail address, legal capacity, dividends and other financial matters, bank account details, data from proof of integrity, other personal data discovered or provided in the course of the shareholder’s participation in the company of the controller.

3 Identification of recipients or other parties who may have access to personal data

Category of recipients:
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
(a) Act No. 586/2003 Coll. on advocacy and on amendment and supplementation of Act No. 455/1991 Coll. on trade business (Trade Licensing Act), as amended
(b) Act No. 513/1991 Coll. Commercial Code as amended
(b) Act No. 530/2003 Coll. on the Commercial Register and on Amendments and Supplements to Certain Acts, as amended
(c) Act No. 595/2003 Coll. on income tax as amended by other legislation
(d) Act No. 461/2003 Coll. on social insurance, as amended
(d) Act No. 43/2004 Coll. on old-age pension savings and on amendment and supplementation of certain laws, as amended
(e) Act No. 580/2004 Coll. on health insurance and on amendment and supplementation of Act No. 95/2002 Coll. on insurance and on amendment and supplementation of certain acts, as amended
(f) Act No. 461/2003 Coll. on social insurance as amended
(f) Act No. 43/2004 Coll. on old-age pension savings and on amendment and supplementation of certain laws, as amended
(g) other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of recipients:
(1a) Slovak Bar Association,
(1b) Commercial register,
(1c) the tax administrator,
(1d) social insurance company,
(1e) health insurance companies,
(1f) pension management companies,
(1g) another eligible entity.

4 Transfer of personal data to a third country/international organisation

No transfer to a third country or international organisation shall take place.

5 Identification of the source from which the personal data were obtained

Directly from the data subject.

6 Retention period of personal data

After the end of the purpose within the meaning of the Archives and Registers Act.

7 Profiling

Profiling is not performed.

8 Obligation to provide personal data

The provision of personal data is a legal requirement / contractual requirement, or a requirement that is necessary for the conclusion of the contract. The data subject is obliged to provide personal data; in the event of failure to provide them, the controller will not ensure the fulfilment of corporate obligations in relation to the shareholders.

IS promotion

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

positive promotion of the activities of the operator for documentation and presentation purposes (in particular, processing of identification data, photographs, other video/audio recordings with personal data, reviews).

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. a) of the GDPR: consent of the data subject,
(2) Art. 6 para. 1 lit. (f) GDPR: legitimate interest.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

employees (including persons in a similar employment relationship), other natural persons.

The scope of the personal data we process:

Personal data of employees and persons in a similar employment relationship – title, name, surname, job title, photographs, audio, visual and audio-visual records.

3 Identification of recipients or other parties who may have access to personal data

Category of beneficiaries:
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
– other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of beneficiaries:
(1) another eligible entity.

4 Transfer of personal data to a third country/international organisation

Transfer to a third country or international organisation does not take place.

5 Identification of the source from which the personal data were obtained

Directly by the data subject (or his/her legal representative) by participating in the photography/video recording or the event/activity being documented; by publishing his/her review.

6 Retention period of personal data

Duration of the employment relationship or after the end of the purpose (5 years); this does not apply to documents/records with permanent documentary value within the meaning of the Law on Archives and Registers.

7 Profiling

Profiling is not performed.

8 Obligation to provide personal data

The data subject (or his/her legal representative) provides his/her data voluntarily; the provision is not a legal/contractual requirement. It is in the interest of the controller to process personal data on the basis of voluntary consent; however, where it appears impossible (or disproportionate) to obtain consent for objective reasons, the controller may carry out the processing in the context of its legitimate interest.

If the data subject decides not to grant or withdraw consent to the processing of personal data, or decides to object to the processing of his or her personal data, the controller shall respect his or her decision and ensure that the personal data of that data subject are not processed. At the same time, the withdrawal of consent shall not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal.

IS cookies

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

providing and improving services, developing new services, protecting users and ensuring effective search and advertising.

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. a) of the GDPR: consent of the data subject,
(2) Art. 6 para. 1 lit. (f) GDPR: legitimate interest.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

users of the website of the operator.

The scope of the personal data we process:

– personal data (routine – directly or indirectly identifiable, location data).

3 Identification of recipients or other parties who may have access to personal data

Category of beneficiaries:
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
– other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of beneficiaries:
(1) another eligible entity.

4 Transfer of personal data to a third country/international organisation

The Data Controller transfers personal data to the third country USA, to the international organisation Google Ireland Limited; the Data Controller has adopted appropriate safeguards in the form of standard data protection clauses adopted by the Commission pursuant to Article 46(2)(c) of the GDPR.

5 Identification of the source from which the personal data were obtained

Directly by the data subject (through the use of the website of the controller).

6 Retention period of personal data

After the consent period has expired (unless the data subject renews the consent).

7 Profiling

Not performed.

8 Obligation to provide personal data

The data subject provides his/her personal data voluntarily, on the basis of consent (the provision is not a legal/contractual requirement); in the event of non-provision, the operator will not monitor and evaluate the behaviour of the website user to ensure the provision, improvement and development of new services, user protection and ensuring effective search and advertising.

IS technical and organisational measures

1 Purpose of processing of personal data and legal basis for processing

The purpose of processing personal data is:

the performance of technical and organisational measures taken by the controller to ensure an adequate level of security and to maintain compliance with the requirements of the GDPR, which is in the legitimate interest of the controller and an obligation under the GDPR.

Personal data is processed on the basis of:

(1) Art. 6 para. 1 lit. (f) GDPR: legitimate interest,
(2) Art. 6 para. 1 lit. (c) of the GDPR:
– GDPR,
– Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain laws.

2 Identification of the personal data of data subjects processed

Data subjects about whom we process personal data:

employees, responsible person, applicants for exercising rights, persons to whom the controller is fulfilling obligations under the GDPR, persons involved or dealt with in a security incident, intermediaries, other external entities (e.g. persons invited to deal with the issue at hand – consultants, auditors, lawyers), employees of authorities on the basis of specific legislation (e.g. employees of the supervisory authority in the context of consultation, control activities), etc.

The scope of the personal data we process:

identification and contact data, which may, however, be supplemented by other necessary data of a different nature depending on the nature of the matter at hand – e.g. login data, data relating to the user’s/offender’s behaviour (e.g. logs of logins, logouts, activities), data necessary to verify the identity of the person who has requested the exercise of a right, data which indicate a violation of internal regulations (e.g. circumvention of security settings, etc.), etc.

3 Identification of recipients or other parties who may have access to personal data

Category of beneficiaries:
(1) Institutions, organisations, contractors or other parties to whom access is permitted by specific legislation and/or the exercise of public authority (Article 6(1)(c) and (e) of the Regulation), e.g.:
a – GDPR regulation,
a – Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain laws,
b – Act No. 301/2005 Coll. Criminal Procedure Code,
b – Act No. 171/1993 Coll. on the Police Force (in particular §76a),
c – other legislation
(2) Processor under contract (Article 28 GDPR)
(3) Another controller if you have given your consent (Article 6(1)(a) of the GDPR)
(4) Contractual partner, in the performance of a contract between you and the controller (Article 6(1)(b) of the GDPR)
(5) Another party on the basis of legitimate interest (Article 6(1)(f) of the GDPR)

Identification of beneficiaries:
(1a,5) the responsible person, the Office for Personal Data Protection of the Slovak Republic,
(1b,5) Police, Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic,
(1c) other authorised body.

4 Transfer of personal data to a third country/international organisation

Transfer to a third country or international organisation does not take place.

5 Identification of the source from which the personal data were obtained

Directly by the data subject or his/her legal representative.

6 Retention period of personal data

According to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Personal Data Security Policy (most records are kept for 3 years or less, records of deletion or containing contracts for 5 years, some records permanently, for example those relating to the resolution of security incidents, impact assessments, information of data subjects, etc.).

7 Profiling

Profiling is not performed.

8 Obligation to provide personal data

Data provided voluntarily on the data subject’s own initiative – in particular, by submitting a request in connection with the exercise of his/her rights – are provided by the data subject in the context of his/her legitimate interest (the provision is not a legal/contractual requirement); in the event of non-provision of personal data, it is possible that the controller will not be able to process his/her request.

The data subject is obliged to provide his or her personal data that the controller requires from him or her in connection with the performance of the technical and organisational measures of the controller (e.g. confirmation of familiarisation, training, allocation of accesses and assets, data on their correct use, etc.), which are in the legitimate interest and also a legal obligation of the controller. Failure to provide personal data may result in consequences for the data subject, e.g. refusal of access to personal data, resources or services of the controller, or drawing consequences in the context of the employment relationship (for employees) or other relationship with the controller. In certain cases, the data subject may endanger the security, property, health, life, financial and other interests of the controller or third parties, which may also violate the law.

Attachments

Annex 1

[] (header – title, name, surname, address of the applicant)

[] (name of operator)
[] (address)
[] (REGISTRATION NUMBER)

At [], on []

Request in relation to the exercise of rights in the processing of personal data

Dear [] (responsible person, company, operator),

in accordance with the relevant data protection legislation, I, as a data subject, hereby

request

[] (specify one or more of the options A-H below according to the type of your request, delete unnecessary)

(A) – to rectify personal data you process about me in connection with [] (specify the relationship with the controller or other circumstances in which personal data may be processed that will help the controller to identify you)

Application Details:

Due to the processing of incorrect personal data, I ask you to correct it as follows:

Incorrect personal data:
[] (provide incorrect personal data if known to you)

Correct personal data:
[] (enter correct – up-to-date personal details)

———————————————————————————————————————

(B) – to supplement the personal data you process about me in connection with [] (specify the relationship with the controller or other circumstances in which personal data may be processed that will help the controller to identify you)

Application Details:

Due to the processing of incomplete personal data, I ask you to complete it as follows:

Incomplete personal data:
[] (provide incomplete personal data if known to you)

Added personal data:
[] (provide additional personal data)

———————————————————————————————————————

(C) – for erasure of personal data that you process about me in connection with [] (specify the relationship with the controller or other circumstances in which personal data may be processed that will help the controller to identify you)

Application Details:

I request the deletion of my personal data for the following reason:

(tick one or more of the options to which your request relates)

the personal data are no longer necessary for the purposes for which you collected and processed them

withdrawal of my consent to the processing of personal data

on the basis of my objection to the processing of personal data, it has been established that the controller’s legitimate grounds for processing do not override my interests, rights and freedoms

my objection to the processing of my personal data for direct marketing purposes (including profiling)

my personal data have been unlawfully processed

personal data must be erased on the basis of a specific legal provision

the personal data were collected in connection with the offer of information society services to the child

Justification:
[] (add a more detailed description of the situation)

———————————————————————————————————————

(D) – to provide me with a copy of the personal data you process about me in connection with [] (provide a specification of the relationship with the controller or other circumstances in which the personal data may be processed that will help the controller to identify you)

Application Details:

If you confirm that you hold personal data relating to me, I request access to that data by sending a copy to [] (indicate the form of disclosure of personal data requested, e.g. electronically to the email address/hard copy to the address)

———————————————————————————————————————

(E) – to provide a copy of the personal data you process about me in connection with [] to another controller (specify the nature of the relationship with the controller or other circumstances in which the personal data may be processed that will help the controller to identify you)

Application Details:
Controller to whom the personal data will be transferred: [] (provide identification data of the controller)

Form and location of data provision: [] (specify in what form and to which location to deliver the transferred data, e.g. electronically to an email address/printed to an address)

———————————————————————————————————————

(F) – to restrict the processing of personal data that you process about me in connection with [] (provide a specification of the relationship with the controller or other circumstances in which personal data may be processed that will help the controller to identify you)

Application Details:

I request the restriction of processing for the following reason:

(tick one or more of the options to which your request relates)

the personal data you are processing about me is incorrect and I request that you restrict the processing during the period of verification of the correctness of my personal data

the processing of my personal data is unlawful, but I object to the erasure of my personal data and instead consider it sufficient to restrict its use

I need my personal data to establish, exercise or defend legal claims

on the basis of my objection to the processing of my personal data, I request the restriction of processing throughout the period of verification that the controller’s legitimate grounds for processing do not override my legitimate grounds

Justification:
[] (Add a more detailed description of the situation)

Required form of restriction of processing:
[] (indicate if you also have a request for a specific form of restriction, e.g. temporary transfer of personal data to another processing system/restriction of users’ access to personal data subject to restriction/temporary removal of personal data published on the controller’s website/other form)

Requested period of restriction of processing:
[] (indicate if you also have a request for a specific period of restriction, e.g. for the time necessary for the defence of my legal claims, which I will inform you of the end of/for the period of verification of the request specified above/other period)

———————————————————————————————————————

(G) – not to process my personal data (I object to the processing of personal data) that you process about me in connection with [] (specify the relationship with the controller or other circumstances in which personal data may be processed that will help the controller to identify you)

Application Details:

I object to the processing of my personal data carried out on the basis of:

(tick one or more of the options to which your request relates)

public interest or in the exercise of public authority vested in the operator

a legitimate interest of the controller or of a third party

Justification:
[] (add a more detailed description of the situation, e.g. I do not want you to process my personal data for direct marketing purposes (including profiling))

———————————————————————————————————————

(H) – not to be subject to a decision based solely on automated processing of personal data, including profiling, which you process about me in connection with [] (specify the nature of the relationship with the controller or other circumstances in which personal data may be processed which will help the controller to identify you)

Application Details:
[] (indicate the specific requirements and justification for the request, e.g. as the above processing may have adverse effects on me, such as [] I request processing of my data in a way other than purely automated)

———————————————————————————————————————

If you have any questions or concerns, please contact me at [] (include contact information such as email, phone number or address, etc.)

Thank you in advance for the processing of the request.

Regards,

___________________________
[] (name, surname and signature of the person concerned)
