Povinné informovanie

With the efficiency from 25 May 2018 all the personal data are processed in compliance with the General Data Protection Regulation of the European Parliament and Council (EU) 2016/679 dated 27 April 2016 on protection of natural persons by processing personal data and on free movement of such data, which cancels Directive 95/46/EC (General Data Protection Regulation – hereinafter referred to as “Regulation“).

1. Identity and contact data of the controller:

Company ZKW Slovakia s.r.o. with the registered office at Bedzianska cesta 679/375, 956 31 Krušovce, Company Identification Number: 36657913, registered in the Business Register of the District Court, Section: Sro, File No.: 18427/N (hereinafter referred to as “ZKW Slovakia s.r.o.“ or “Controller“) is the controller who processes the personal data.

2. Contact details of a responsible person of the controller:

Responsible person of the controller may be contacted at the e-mail address zodpovednaosoba@zkw.sk or pravne@osobnyudaj.sk.

3. Rights of the data subject:

Right of access by the data subject pursuant to Article 15:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

1. a) the purposes of the processing;
2. b) the categories of personal data concerned;
3. c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. f) the right to lodge a complaint with a supervisory authority;
7. g) where the personal data are not collected from the data subject, any available information as to their

source;

1. h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the

data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification of personal data pursuant to Article 16:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (”right to be forgotten”) pursuant to Article 17:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning

him or her without undue delay and the controller shall have the obligation to erase personal data without

undue delay where one of the following grounds applies:

1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or

otherwise processed;

1. b) the data subject withdraws consent on which the processing is based pursuant to Article 6 (1) (a) or

Article 9 (2) (a), and where there is no other legal ground for the processing;

1. c) the data subject objects to the processing pursuant to Article 21 (1) of the Regulation and there are no

overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the Regulation;

1. d) the personal data have been unlawfully processed;
2. e) the personal data have to be erased for compliance with a legal obligation in Union or Member State

law to which the controller is subject;

1. f) the personal data have been collected in relation to the offer of information society services referred

to in Article 8 (1) of the Regulation.

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure shall not be applied to the extent that processing is necessary:

1. a) for exercising the right of freedom of expression and information;
2. b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the

exercise of official authority vested in the controller;

1. c) for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3) of the Regulation;
2. d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the Regulation in so far as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing or
3. e) for the establishment, exercise or defence of legal claims.

Right to restriction of processing pursuant to Article 18:

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests

the restriction of their use instead;

1. c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
2. d) the data subject has objected to processing pursuant to Article 21 (1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under the facts stated above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to information stated above shall be

informed by the controller before the restriction of processing is lifted.

Right to data portability pursuant to Article 20:

The data subject shall have the right to receive the personal data concerning him or her, which he or she

has provided to a controller, in a structured, commonly used and machine-readable format and have the

right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the Regulation or on a contract pursuant to Article 6 (1) (b)of the Regulation and b) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal

data transmitted directly from one controller to another, where technically feasible.

The exercise of the right shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.

Right to object to processing including objection to profiling (if realized) pursuant to Article 21:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) (e) or (f) of the Regulation, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to lodge a complaint to a supervisory body:

Office for Personal Data Protection of the Slovak Republic shall be the supervisory body to which the data subject submits his or her complaint in reasonable cases.

Right to withdraw the consent with processing:

In case if the consent of the data subject is the legal basis for the personal data processing, the data subject shall have the right to withdraw his or her consent at any time without impacting the legality of processing based on consent granted prior to the withdrawal thereof.

The right to withdraw the consent at any time, even prior to the lapse of the period for which the consent

was provided, may be exercised by the data subject in the following ways:

1. a) via e-mail message sent to zodpovednaosoba@zkw.sk or pravne@osobnyudaj.sk,
2. b) via telephone + 421 38 7466 308 or
3. c) via sending the written application to the legal address of the controller with “GDPR – withdrawal of

consent“ on the envelope.

4. Purpose and legal basis of personal data processing

The controller processes your personal data for the following purposes:

1. a) Protection of property in the monitored area and protection of health of natural persons present in this

area as well as continuous collecting of evidence on causes of occurrence, course and consequences of

related safety incidents is the purpose of monitoring of premises. Justified interest of the controller or a third party within the meaning of Article 6 (1) (f) of the Regulation is the legal basis of the personal data processing. The right for property protection, right for health of natural persons protection and right to require compliance of public order is the justified interest of the controller or a third party. The period for storage of the personal data in the form of video recordings is 15 days. In justified cases, courts, law enforcement authorities or private security service contracted by the controller may be the recipients of the personal data.

1. b) Protection of the property in the monitored area, protection of health of natural persons present in this

area as well as protection of the public order is the purpose of record-keeping and inspection of one-time entrance of natural persons to the premises of the controller. Justified interest of the controller within the meaning of Article 6 (1) (f) of the Regulation is the legal basis of the personal data processing. The right for property protection and the right for inspection of entrance of natural persons to the premises of the controller generally as well as within the organizational security measure is the justified interest of the controller. The period for storage of the personal data is 1 year. In justified cases, courts, law enforcement authorities or private security service contracted by the controller may be the recipients of the personal data.

1. c) Compliance with the legal obligations of the controller resulting from the special laws (Act on Bookkeeping, Act on VAT, Act on Income Tax etc). is the purpose of personal data processing in the area of bookkeeping and business agenda. Compliance with the legal obligation within the meaning of Article 6 (1) (c) of the Regulation is the legal basis of personal data processing (including providing thereof to the third parties). The period for storage of the personal data is 10 years. External bookkeeper, public authorities, mother company, auditor and attorney are the recipients of the personal data.
2. d) Preparation and realization of entrepreneurial activities of the controller is the purpose of personal data processing in the area of business communication. Justified interest of the controller within the meaning of Article 6 (1) (f) of the Regulation is the legal basis of the personal data processing. The right to do the business within the scope of its activity is the justified interest of the controller. The period for storage of the personal data is determined by the preparation and duration of business-legal relation, as well as by the period of 2 years from the termination of this business-legal relation. Companies carrying out the administration and support of information technologies, subjects providing external audit, telecommunication operators, data storage providers and in justified cases also courts and law enforcement authorities are the recipients of the personal data.
3. e) Preparation and concluding contract of employment or agreement on works outside the employment, record-keeping of data on job capability, payment of salary, deductions, compliance of obligations against the state administrative authorities, record-keeping of the attendance, record-keeping of the education, record-keeping of the issued powers and authorizations, record-keeping of the provided personal protection tools, property or devices, concluding agreement on material responsibility, record-keeping of rendering cash funds, providing employee benefits, record-keeping of damage caused by the employees on the property of the employer, provision of catering services, copying of documents inevitable for the purposes of employment or similar relation as well as meeting further legal and contractual obligations are the purposes of personal data protection in the area of personal and salary agenda. Meeting the legal obligation within the meaning of Article 6 (1) (f) of the Regulation and employment contract or agreement within the meaning of Article 6 (1) (b) of the Regulation concluded with the data subject pursuant to the Labour Code is the legal basis of the personal data processing. The data subject is obliged to provide personal data in the inevitable extent. Failure to do so may result into impossibility to conclude employment or similar contract. Personal data of an employee will be provided to these recipients: health insurance companies, supplementary pension insurance companies, pension administration companies, subject providing statistics, security service, education agencies and trainers, subject providing work medical service, job related evaluations and evaluations of health capability, post services providers, subjects providing development, administration and support of information technologies, subjects providing external audit, telecommunication operators, catering services providers, a company on the servers of which the personal data are stored, customers of the employer, suppliers of the employer, public authority bodies, attorneys and in justified cases also courts, law enforcement authorities and bailiffs. Period determined by the preparation of the employment relation and achieving 70 years of age of the employee (even former one) is the period for storage of the personal data in the personal file of the employee.
4. f) Meeting the related obligations of the employer, mainly, however not only realization of trainings, record-keeping of work accidents and ensuring medical check-ups is the purpose of personal data protection in the area of Health and Safety at Work. Meeting the legal obligations of the controller within the meaning or Article 6 (1) (c) of the Regulation (mainly the obligation resulting from Health and Safety at Work Act) is the legal basis of the personal data processing. Personal data of the employee will be provided to these recipients: external company providing Health and Safety at Work, Labour Inspectorate and in justified cases also the law enforcement authorities. The period for storage of the personal data is determined by the preparation of employment relation and by the lapse of 2 years from the termination of this relation. Providing personal data is the legal obligation of the data subject.
5. g) Transfer and usage of the personal data within the group of ZKW entities is the content of internal administrative purposes of the personal data processing. Justified interest of the controller within the meaning of Article 6 (1) (f) of the Regulation based on the fact that the controller is the part of the group of entities interconnected with the managing entity is the legal basis of the personal data processing. Personal data of an employee will be provided to the following recipients: companies creating the group of ZKW entities. The period for storage of the personal data is determined by the duration of membership of the controller in ZKW group.
6. h) Personal data for the purpose of registry administration are processed within the meeting of legal obligations of the controller within the meaning of Article 6 (1) (c) of the Regulation (mainly the obligations resulting from Act No. 395/2002 Coll. on Archives and Registries and on change and amendment of some acts as later amended and obligation resulting from Act No. 305/2013 Coll. on Electronic Form of Execution of Public Authority Bodies Competence and on change and amendment of some acts – e-Government Act). Providing personal data is the legal obligation of the data subject. Personal data of the employee shall be provided to the following recipients: subjects providing development, administration and support of information technologies, subjects providing external audit, telecommunication operators, and a company on the servers of which the personal data are stored. The periods of storage are determined by the special regulations.
7. i) Presentation of ZKW activities is the purpose of personal data processing in the area of issuing the corporate magazine. Justified interest of the controller within the meaning of Article 6 (1) (f) of the Regulation in connection with Section 78 (1) of Act No. 18/2018 Coll. (literary activities) is the legal basis of the personal data processing (including the providing thereof to the third parties). The right for promotion of own activities is the justified interest of the controller and the right to free access to information is the justified interest of the third parties. The period for storage of the personal data is 10 years. Public administration authorities are the recipients of the personal data.
8. j) The purpose of processing personal data in the selection process is to select a suitable candidate for a job position in the company of the Controller. The legal basis for the processing of personal data is the consent of the person concerned, Section 6 article 1 letter a) of the Regulation. The personal data of the person concerned will be provided to the following beneficiaries:

- law enforcement agencies,

- The Labor Inspectorate,

- On-line recruitment database provider.

The profiling will not be performed. Personal data will be retained during the selection process and 6 months after its termination. A successful contract or agreement will be signed with the successful candidate who will be interested in the job offer and the personal data will be stored in accordance with specific regulations.

1. k) The purpose of the processing of personal data in the field of registration of jobseekers is the processing of personal data in the Controller’s information systems. The legal basis for the processing of personal data is the consent of the person concerned, Section 6 article 1 letter a) of the Regulation. The personal data of the person concerned will be provided to the following beneficiaries:

- law enforcement agencies,

- The Labor Inspectorate,

- On-line recruitment database provider.

The profiling will not be performed. Personal data will be kept for three years from the date of the consent. The person concerned has the right to withdraw his consent at any time without affecting the legality of the processing before withdrawal of consent. The right of the person concerned to withdraw his consent to the processing of personal data may also be invoked before the expiry of the period for which the consent was granted.

1. l) Personal data for the purposes of recording complaints relating to anticompetitive activity shall be processed in the course of fulfilling the legal obligations of the Controller within the meaning of Section 6 article 1 letter a) of the Regulation (in particular obligations under Act No. 307/2014 Coll. on Certain Measures Relating to the Announcement of Anti-Social Activities and on Amendments to Certain Acts). The provision of personal data is the legal obligation of the person concerned. The personal data of the employee will be provided to the following beneficiaries: the courts, the law enforcement authorities, the Labor Inspectorate, the Ministry of Justice of the Slovak Republic. The retention periods for personal data are three years.