DECLARATION OF THE CONTROLLER ON THE PROCESSING OF PERSONAL DATA

In this section, we provide information on the processing and protection of personal data in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, repealing Directive 95/46/EC (General Data Protection Regulation) and in accordance with Act No 18/2018 Coll. on the protection of personal data and on amending and supplementing certain acts (hereinafter referred to as the “Personal Data Protection Act”).

To ensure the protection of the rights of data subjects, the controller IstroSec s.r.o., registered office at Černyševského 10 Bratislava - Municipal District of Petržalka, 851 01, ID No.: 53849060 (hereinafter referred to as the “Controller”), has adopted appropriate technical and organisational measures that declare the lawful processing of personal data. Furthermore, the Controller has implemented a transparent system for recording security incidents and any questions from the data subjects as well as from other persons. If necessary, the data subjects may also obtain individual information by phone at +421 905 729 371 or by e-mail at [email protected].

1. Controller

IstroSec s. r. o.
Černyševského 10
851 01 Bratislava - Petržalka district
ID number: 53849060

We process your data for our own purposes as a Controller. This means that we determine the purpose for which we collect your personal data, determine the means of processing and are responsible for its proper execution.

2. Processors

In certain cases, the Controller may also process the personal data of data subjects through processors who are authorized to process personal data in accordance with Article 28 of the GDPR.

Processors process the personal data of data subjects on behalf of the Controller. The processing of personal data by a processor shall not adversely affect the exercise and application of the data subject’s rights. The Controller shall only use processors providing appropriate technical, organizational and other measures to ensure that the processing complies with the requirements of the GDPR and that the protection of the data subject’s rights is fully ensured.

The Controller shall use the following categories of processors when processing the personal data of data subjects:

  • supplier providing supply of technical solutions, web hosting services, maintenance and support of IT systems used by the Controller
  • supplier providing accounting and tax compliance services for the Controller

Categories of recipients of personal data: persons acting under the authority of the Controller, legal representative, auditor, state administration and public authorities for the exercise of control and supervision.

3. Purpose of the processing of personal data

As the Controller, we process exclusively such personal data that we can justify with a legitimate legal basis and a defined purpose:

  • in response to an enquiry, initiative or question made in person, by phone or by e-mail/post, for the purpose of feedback aimed at satisfying the data subject, we apply the legal basis for processing according to Article 6(1)(f) of the GDPR - the legitimate interest of the controller. As the data subject, you have the right to object to such processing at any time.
  • when expressing an interest in our services or products, in the planned establishment of cooperation, the legal basis for processing is Article 6(1)(b) GDPR - where processing is necessary to carry out the required pre-contractual measures before entering into a contract, i.e. during the pre-contractual process.
  • after the establishment of a contractual relation between the controller and the data subject, when the necessary cooperative communication takes place, data processing takes place again within the meaning of Article 6(1)(b) of the GDPR, which is necessary for the fulfilment of the contractual relation.
  • if you are looking for a job and would like to work for our company, you can leave us your CV with a cover letter based on the consent given for the processing of personal data in accordance with Article 6(1)(a) of the GDPR. The data received in this way are included in the register of job applicants. You can withdraw your consent at any time.

4. Period of processing and storage of your personal data

Personal data that we have processed or are processing within the meaning of Article 6(1)(b) of the GDPR, in the context of the fulfilment of the obligations of the controller, are further processed for the purpose of fulfilling our legal obligations in the area of taxation and accounting, which are imposed on us by generally binding legal regulations (e.g. Act No. 431/2002 Coll. on Accounting, as amended; for cases of proving compliance with tax obligations under tax legislation, Act No. 595/2003 Coll. on Income Tax, Act No. 563/2009 Coll. on Tax Administration, etc.). We have to keep these data for the period of time stipulated by the relevant legislation. In any case, we are guided by the principle of minimizing the retention of personal data within the meaning of Article 5(1)(e) of the GDPR and therefore your personal data that are not subject to archiving under specific legislation shall be deleted or anonymized.

Personal data processed in accordance with Article 6(1)(a) of the GDPR - based on consent given, for example, to include the data subject in the register of job applicants or for the purpose of sending marketing newsletters, shall be processed for a period of 3 years, or until revocation of the consent. When the data processing period expires, we will contact the data subject, at which point consent to the processing of personal data for the defined purpose can be renewed and extended for a further processing period. If the data subject does not give consent for the further processing period or does not respond to the contact made, we will no longer process the personal data of the data subject - i.e. we will automatically remove the data from the records, technically delete the electronic data from the systems and shred the physical data.

Personal data processed within the meaning of Article 6(1)(f) of the GDPR - based on legitimate interest, which were obtained in response to an enquiry/initiative or question made for the purpose of feedback aimed at accommodating the data subject and have not been subsequently assigned to a pre-contractual or contractual relation after processing, shall be deleted without delay.

As the Controller, we shall ensure the erasure of personal data without undue delay after all contractual relations between you and us as Controller have been terminated; and/or

  • all your obligations to the controller have ceased; and/or
  • all your complaints and requests have been dealt with; and/or
  • all other rights and obligations between you and us as controller have been settled; and/or
  • all the processing purposes laid down by law or the processing purposes for which you have given your consent have been fulfilled, if the processing was carried out based on the consent of the data subject; and/or
  • the period for which consent was given has expired or the data subject has withdrawn his or her consent; and/or
  • the data subject’s request for erasure of personal data has been granted and one of the grounds for granting the request has been met; and/or
  • a relevant legal event has occurred for the purpose of the processing to cease and at the same time the protective retention period defined with regard to the principle of minimization of the retention period of personal data has expired;
  • and at the same time the legitimate interest of the controller no longer exists, all obligations laid down by generally binding legal regulations which require the retention of the data subject’s personal data (in particular for archiving purposes, tax inspection, etc.) have ceased to exist or which could not be fulfilled without their retention.

We do not systematically further process any personal data collected incidentally for any purpose defined by us. Where possible, we shall inform the data subject to whom the incidentally collected personal data belong of their accidental acquisition and, according to the nature of the case, provide them with the necessary cooperation to regain control over their personal data. Immediately after these necessary actions to resolve the situation, we shall dispose of all incidentally collected personal data in a secure manner.

If you would like further information about the specific retention period of your personal data, please contact us using the contact details provided.

5. Disclosure of data

Our company does not disclose the collected data in any case.

6. Cross-border transfer of personal data

Cross-border transfer does not take place.

7. Rights and obligations of the data subject

  • The data subject is obliged to provide only complete and truthful data.
  • The data subject undertakes to update his/her data in the event of a change, at the latest before the first order following the change.
  • The data subject undertakes that if he/she provides personal data of a third party (name, surname, telephone number), he/she does so only with his/her consent and that the data subject is aware of the procedures, rights and obligations set out on this website.
  • As our client and the data subject, you have the right to decide, within the specified scope, on your personal data handling. You can exercise the aforementioned rights in person at the Controller’s registered office or by phone - in writing (by post / e-mail).

We will endeavor to reply as soon as possible, but will always reply to you within 30 days of receiving your request. In particular, the applicable legislation and the GDPR or the Personal Data Protection Act mainly provide you with:

Right of access - You have the right to request confirmation from us as to whether your personal data is being processed and, if so, to obtain a copy of that data and additional information pursuant to Article 15 of the GDPR or Article 21 of the Personal Data Protection Act. Where we collect a large amount of data about you, we may require you to specify your request for the range of specific data we process about you.

Right to rectification - In order to ensure that we only process up-to-date personal data about you at all times, we need you to notify us of a change as soon as it occurs. If we process incorrect data about you, you have the right to request its correction.

Right to erasure - If the conditions of Article 14 of the GDPR or Article 23 of the Personal Data Protection Act are met, you may request the erasure of your personal data. You can therefore request erasure if, for example, you have withdrawn your consent to the processing of your personal data and there is no other legal basis for processing, or if we are processing your personal data unlawfully, or if the purpose for which we processed your personal data has ceased and we are not processing it for another compatible purpose. However, we will not delete your data if it is necessary for the establishment, exercise or defense of legal claims.

Right to restriction of processing - If the conditions of Article 18 of the GDPR or Article 24 of the Personal Data Protection Act are met, you may request us to restrict the processing of your personal data. You can therefore request a restriction, for example, while you object to the accuracy of the data being processed or if the processing is unlawful and you do not want us to delete the data but need the processing to be restricted while you exercise your rights. We will continue to process your data if there are grounds for proving, exercising or defending legal claims.

Right to object to processing - If we process your personal data for the performance of a task carried out in the public interest or in the exercise of public authority vested in us, or if the processing is carried out on the basis of our legitimate interests or the legitimate interests of a third party, you have the right to object to such processing. Upon your objection, we will restrict the processing of your personal data and, unless we can demonstrate compelling legitimate grounds for processing which outweigh your interests, rights, and freedoms or for the establishment, exercise or defense of legal claims, we will no longer process your personal data and will delete your personal data. You have the right to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. Once you have objected, we will no longer process your personal data for this purpose.

Right to lodge a complaint - If you believe that the processing of your personal data is in breach of the GDPR or the Personal Data Protection Act, you have the right to lodge a complaint with one of the competent supervisory authorities, in particular in the member state of your habitual residence, place of work or place of the alleged breach. For the territory of the Slovak Republic, the supervisory authority is the Office for Personal Data Protection, with its registered office at Hraničná 4826/12, 820 07 Bratislava, Slovak Republic, website: www.dataprotection.gov.sk, telephone: +421 /2/ 3231 3220.

Right to withdraw consent - If the processing of your personal data is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the processing already carried out. If at any later time you decide that you wish to receive sales and marketing offers from us again about our products and services, you may re-grant your withdrawn consent (or an objection lodged) at any time by using any of the forms of contact set out above.

8. Contact details of the Office and of the person responsible

Office for Personal Data Protection of the Slovak Republic

Address:
Hraničná 12
820 07, Bratislava 27
Slovak Republic
ID number: 36 064 220

Mailroom:
Monday - Thursday: 8:00 - 15:00
Friday: 8:00 - 14:00
Telephone consultations in the area of personal data protection:
Tuesdays and Thursdays from 8:00 a.m. to 12:00 p.m. +421 2 323 132 20
Secretariat of the President’s Office +421 2 323 132 11
Secretariat of the Office +421 2 323 132 14
Fax: +421 2 323 132 34

Spokesperson:
Mobile: 0910 985 794
E-mail: [email protected]

E-mail:
(a) general: [email protected]
(b) for the provision of information pursuant to Act No 211/2000 Coll.: [email protected]
(c) website: [email protected]
(d) for submitting requests for information pursuant to Act No 211/2000 Coll. on free access to information, use the online form.
(e) email address through which the Authority will provide you with advice on personal data protection. It is intended for children, young people, students, teachers, parents who suspect that their personal data has been misused: [email protected]

You can find a template for a personal data protection procedure on the Office’s website (https://dataprotection.gov.sk/uoou/en/content/personal-data-protection-proceeding).