Dear all,
we would like to informyou about the basic principles and procedures during processing of yourpersonal data by the company ISI groups. r. o., with its registered officeat Europeum Business Center, Suché mýto 1, 811 03 Bratislava, ID Number: 36 841595, registered in the Commercial Register of the District Court Bratislava I,Section: Sro, Insert No: 48184/B (the „Company“),as Controller, in accordance with the Art. 13 et seq. of the Regulation (EU) 2016/679 of European parliament and of the Council of 27 April2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive95/46/EC (General Data Protection Regulation) (the “GDPR”) and Art. 19 of the Act No.18/2018 Coll. on Personal Data Protection and on Amendments to Certain Acts asamended (the “ZOOÚ”).
I. BASIC INFORMATION
1.1 Controller: ISI group s. r. o., with its registered office at Europeum Business Center, Suché mýto 1, 811 03 Bratislava, ID Number: 36 841 595, registered in the Commercial Register of the District Court Bratislava I, Section: Sro, Insert No.: 48184/B, e-mail: info@isigroup.sk, Phone No.: +421 (0)0 2030 2355
1.2 Data Subjects: The employees withconcluded employment agreements, student temporary work agreements, work activityagreements and specific work agreements, job-candidates, suppliers (includingcontractors), customers, natural persons located in Company´s property “MalýRaj” in Slovenský Grob, natural persons located in streets Okružná, Bočná, Pri jazere,Severná, Dlhá, Dúhová, Tichá and Slnečná in Slovenský Grob (Malý Raj).
1.3 Data Protection Officer: Pursuant to Article 37of GDPR, the Company did not appoint the Data Protection Officer.
1.4 Transfer of personal data to third country or international organization: The Company does nottransfer the personal data to any third country or international organization.
1.5 Duration of Data Processing: The personal data of DataSubjects are processed during the contractual relationship and during maximumof 1 year after termination of the contractual relationship. The personal dataprocessed under special regulation are processed by the Company during periodstated in this specific regulation. In case of processing of personal data forpurposes of legitimate interest, the Company processes these personal data forperiod necessary to exercise of these legitimate interests. The Companydeclares that its legitimate interest does not override the interests andrights of these persons. Camera records are processed by the Controller duringmaximum of 15 days, if they are not commit on request to public authority thatare authorize to proceed criminal procedure or misdemeanour procedure.
1.6 Records of Processing Activities: The Company will keep records of processing activities in written and in electronic form.
1.7 Automated Individual Decision-making, including Profiling: The Company does not perform Automated individualdecision-making, including profiling.
1.8 Supervisory Authority: The supervisory authority is the Slovak Office for PersonalData Protection, with its registered office at Hraničná 12, 820 07, Bratislava27, ID No.: 36 064 220, Phone No.: 02/3231 3220, e-mail: ochrana@pdp.gov.sk.
II. PERSONAL DATA RESOURCES
2.1 The Company obtains the personal data directly from the Data Subjects:
2.1.1 from job candidates during negotiations regarding the conclusion of employment agreements, student temporary work agreements, work activity agreements and specific work agreements;
2.1.2 from employees in employment relationship /similar relationship with the Company within contractual relationship;
2.1.3 from suppliers (including contractors), during negotiations regarding the conclusion of the contract, or within contractual relationship;
2.1.4 from customers, during negotiations regarding the conclusion of the contract, or within contractual relationship.
2.1.5 from natural persons located in the streets (public areas) Okružná, Bočná, Pri jazere, Severná, Dlhá, Dúhová,Tichá and Slnečná in Slovenský Grob (Malý Raj) by making camera recordings
2.2 In order to ensure the protection of life, health and property of the Company and the natural persons situated on the property of the Company and in streets (public areas) Okružná, Bočná, Pri jazere, Severná, Dlhá, Dúhová, Tichá and Slnečná In Slovenský Grob (Malý Raj) there are camera systems located on property of Company and on lamppost with affirmation of the owner. The Data Subjects are informed on location of camera systems in the form of information schedules,inclusive of reference to their rights according to GDPR and ZOOÚ. This need comes from analysis of illegal incidents, which for this purpose Controller processed.
III. LEGAL BASIS FOR THE PROCESSING
3.1 The personal data of the Data Subjects are processed based on following legal basis:
- consent of data subject;
- processing for performance of a contract;
- processing is necessary for compliance with a legal obligation of the Controller;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the purposes of the legitimate interest
IV. PURPOSE AND EXTENT OF PROCESSING
4.1 For the purpose and for performance of the contract, the Company processes: name, surname / company name, date of birth /identification number, address / registered office, phone number, e-mail, data relating to history of orders.
4.2 For the purpose of compliance with legal obligations of the Company as the employer and based on following legislation, in particular(but not limited to): Act No. 311/2001 Coll. Labour Code as amended, Act No.595/2003 Coll. on Income Tax as amended, Act No. 461/2003 Coll. on Social Insurance as amended, Act No. 462/2003 Coll. on Reimbursement of Income for Temporary Work Incapacity of Employees and on Amendments to Certain Acts as amended, Act No. 580/2004 Coll. on Health Insurance and on Amendments to Certain Acts as amended, Act No. 95/2002 Coll. on Insurance and on Amendments to Certain Acts as amended, Act No. 43/2004 Coll. on Retirement Savings as amended, Act No. 650/2004 Coll. on Supplementary Retirement Savings and on Amendments to Certain Acts as amended, Act No. 5/2004 Coll. on Employment Services and on Amendments to Certain Acts as amended, Act No. 124/2006 Coll.on Safety and Health at Work and on Amendments to Certain Act as amended, etc. the Company processes, in particular (but not limited to) these personal data:wage, tax deductions, retirement information, bank account details, information on selected benefits and their using, information on the health insurance company in which the employee is insured, expert opinions on the employee´s health, information related to employee´s accidents at work, information on business trips, reservation details, passport number, company credit card number, invoices from business trips and contributions / compensations, etc.
4.3 For the purpose to protect the vital interests and the property, life and health of persons located in/on Company´s real estate property, in the streets (public areas) Okružná, Bočná, Pri jazere,Severná, Dlhá, Dúhová, Tichá and Slnečná in Slovenský Grob (Malý Raj), the Company executes camera recordings monitoring the real estate of the Company, so called “Project Malý Raj” in Slovenský Grob, in the streets (public areas) Okružná, Bočná, Pri jazere,Severná, Dlhá, Dúhová, Tichá and Slnečná in Slovenský Grob (Malý Raj).
4.4 For the purpose of administration, improving the communication within the Company and on the basis of Company´s legitimate interest, the Company processes personal data of the employees in the extent, in particular (but not limited to): registration of arrivals to/departures from the workplace, logging and monitoring the electronic communication tools, employee´s number, job description, job classification, functional classification, workplace,technical department, direct supervisor employees, direct subordinate employees, evaluation of employees, assessment and possible records of disciplinary proceedings, records of education and training of employees, career plan of employees and related information, information on the course of employment, confirmation on employment and certificate of employment, information, whether the employee is a student,information whether the employee is employed in another employment relationship, whether the employee is taking maternity / parental leave and the respective benefits, information on whether the employee is a self-employed or a person with a changed working ability, information whether the employee was registered at the Labour Office, information on the possible execution or bankruptcy of the employee and wage deductions, etc.
4.5 In case, the Company intends processing other personal data as specified in this Article, or for other purposes, it may do so only based on the consent of the Data Subject granted for processing of personal data. The consent for processing of personal data must be granted by the Data Subject on a separate document.
4.6 The Company does not process the special categoryof personal data, so called sensitive data of Data Subjects.
V. RECEIVERS OF PERSONAL DATA
5.1 The Company does not transfer the personal data toany third subjects, except within group of companies, to which the Company belongs under Art. 47 of GDPR and the processors. Transfer of such personal data is necessary for purpose of increasing the effectiveness of provided services by the Company.
5.2 The personal data processors are:
5.2.1 the payroll provider, responsible for wage accounting and the Data Subjects´ personal data are provided to it for this purpose;
5.2.2 providers of IT services if they have access to personal data of the Data Subjects based on the contract with the Controller.
5.3 The personal data processing may be performed on behalf of the Company by processors based on agreements on personal data processing, with guarantees of organizational and technical security measures of these data, while respecting the relevant GDPR and ZOOÚ provisions. The processors are aware that the personal data of Data Subjects should not be used for other purposes.
VI. BREACH OF PERSONAL DATA PROTECTION
6.1 The Company is obliged notifying the Data Subject on breach of personal data protection without undue delay, if it is likely that such specific case of breach of personal data protection will result in high risk for the rights and freedoms of this subject.
6.2 In case of a breach of personal data protection, the Controller will notify the Slovak Office for Personal Data Protection on the breach without undue delay and, if possible, no later than 72 hours after having become aware of it, unless the breach of personal data protection is unlikely to result in a risk to the rights and freedoms of Data Subjects pursuant to Article 6.1. above.
VII. DATA SUBJECTS´ RIGHTS
7.1 Each Data Subject has the following rights:
a) Right to access the personal data: The data subject has the right to obtain from the Company a confirmation as whether or not the personal data concerning him / her are being processed, access to personal data and the following supplementary information: (i) purpose of processing by the Controller;(ii) specifically, which personal data are processed by the Controller /Processor; (iii) who receives the personal data from the Controller /Processor; (iv) duration of personal data retention; (v) source of personal data processing of the Controller (source information, if the personal data were not provided by the data subject); (vi) reasonable measures adopted by the Controller to protect the personal data in case they are transferred to the third country or international organisation. The data subject is entitled to obtain the first and one extract or copy of the processed personal data for free.
b) Right to rectification of personal data: The data subject is entitled to rectification of inaccurate personal data from the Company without undue delay, or to complete the incomplete personal data concerning him/her. The Controller is also obliged to notify such rectification of the personal data to the data subject and all recipients to whom the data have been provided.
c) Right to erasure of personal data: Data subject is entitled to erasure of personal data concerning him/her from the Company without undue delay, if: (i) the personal data are no longer necessary in relation to the purpose for which they were collected or other wise processed by the Controller; (ii) the data subject has withdrawn the consent for processing of personal data for the purpose and there is no other legal basis for their processing; (iii) the data subject objects the processing carried out for the performance of a public-service task or the exercise of public authority entrusted to the Controller, or the processing carried out for purpose of the legitimate interests of the Controller or third parties, and no legitimate reasons for processing do override; (iv) the data subject objects the processing of personal data for purpose of direct marketing; (v) the personal data have been processed unlawfully; (vi) the reason for erasure of personal data is the fulfilling of an obligation under ZOOÚ, special legislation or international treaty by which Slovakia is bound; (vii) the personal data have been collected in relation to the offer of information society. The right to erasure will not apply, if the processing is necessary for: (a) the exercise of the right to freedom of expression or the right to information; (b) the fulfillment of a legal obligation which requires processing under EU legislation or the legislation of the Member State, to which the Controller is subject, the international treaty by which Slovakia is bound, or the fulfillment of a public service task, in the exercise of public authority entrusted to the Controller; c) on grounds of public interest in the field of public health; d) for the purpose of archiving,for scientific purposes or for the purpose of historical research or for statistical purposes, i. e. for privileged purposes, where it is likely that the right for erasure will prevent or seriously impair the attainment of the objectives of such processing; (e) for identification, application or defense of legal claims.
d) Right to restriction of processing: The data subject is entitled to restriction of processing by the Controller, where one of the following applies: a) the accuracy of the personal data is objected by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject objects the erasure of the personal data and requests the restriction of their use instead;c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment,exercise or defense of legal claims; d) the processing is necessary for public interest or in the exercise of public authority entrusted to the Controller or necessary for the purposes of the legitimate interests pursued by the Controller or a third party (except where such interests prevail over the interests or fundamental rights and freedoms of the data subject concerned that require the protection of personal data, in particular, where such subject is a child), and the data subject has objected the processing in cases referred to in this Article, has the right to limit the processing until the verification whether the legitimate grounds on the part of the Controller override the legitimate grounds of the Data Subject.
e) Right to data portability: The data subject is entitled to (i) obtain the personal data relating to him/her and provided to the Controller; b) transfer of personal data without restriction to another controller without obstruction of the original controller; c) request the Controller to transfer his/her personal data to other controller, if technically possible; d) continue using the “services” of the Controller. In particular, the following types of data are included: (i) data actively and knowingly provided by the data subject; (ii) traced data provided by the data subject on the basis of using the service or device. However, the data subject is not entitled to transfer of personal data in an unlimited extent.
f) Right to object the personal data processing: The data subject is entitled to object the processing of his/her personal data on the following legal bases: (i) processing is necessary to fulfill the task carried out in the public interest or in the exercise of public authority entrusted to the Controller; (ii) processing is necessary for the purpose of legitimate interests of the Controller or a third party; (iii) for purposes of direct marketing, including profiling in the extent, relating to direct marketing. If the data subject objects the processing of personal data for purpose of direct marketing, the Controller is not entitled processing the data for this purpose anymore. The data subject is entitled to submit a request to the Slovak Office for Personal Data Protection, which must inform the data subject on the status of his/her request. The personal data processing may not be objected, when the processing of personal data of the data subject is necessary for performance of a task on grounds of a public interest, and when data are processed for scientific purposes, for purpose of historical research or for statistical purposes.
g) Right to ineffectiveness of automated individual decision-making, including profiling: Pursuant to Art. 22 of GDPR and Art. 28 of ZOOÚ, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him / her. The Company does not perform such processing activity.
Effectiveness from 25.5.2018