Personal Data Processing
A) General Information on the Processing of Personal Data
The processing of personal data of data subjects is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (“Personal Data Protection Act”).
The purpose of Part A of this document (hereinafter referred to as “General Information”) is to provide general information about the processing of data subjects’ personal data and their rights under the Regulation and the Personal Data Protection Act. More detailed information on the processing of personal data in specific processing operations is provided in Part B of this document.
1. The Controller and its Data Protection Officer
Company:
- CZ Slovakia, a.s., with its registered office at: Pomlejská 24, 931 01 Šamorín, ID No.: 31 435 793, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sa, File No.: 10418/T, branch: CZ Slovakia, a.s., branch, with its registered office at Dvořákovo nábrežie 8/A, 811 02 Bratislava;
- CZ Slovakia Holding, a.s., Dvořákovo nábrežie 8/A, 811 02 Bratislava, ID No.: 54 063 671, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sa, File No.: 7289/B;
- or any other company controlled (directly or indirectly) by any of the above-mentioned companies, which is a party to the relevant contractual relationship or to which personal data has been provided;
(each individually referred to as a “company”) is the entity that, alone or jointly with others, determines the purposes and means of processing the personal data of data subjects.
2. Collection of Personal Data
The Company collects personal data in the following ways:
- directly from its contractual partners when entering into a contract;
- from publicly available sources, such as public registers and records;
- from individuals who have voluntarily provided the company with their personal data and granted their consent to its processing (by phone, email, through the company’s website, etc.);
- from individuals who enter the company’s premises (including recordings from the company’s CCTV system);
- through the use of cookies on the company’s website.
The company collects and processes personal data only to the extent necessary for the purpose of such processing. In doing so, the company places particular emphasis on the security and protection of personal data and the rights of data subjects.
3. Legal Basis and Purpose of Processing
The Company processes personal data based on the following legal grounds established by the Regulation and the Personal Data Protection Act:
3.1 Legitimate interest
The Company may process the personal data of data subjects if it is necessary for the purposes of the legitimate interests of the Company or third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. Such legitimate interests of the Company include, in particular:
- protection of the company’s rights arising from generally binding legal regulations and contracts in relation to contractual partners and other persons; for this purpose, the company retains personal data for a maximum of ten years from the termination of the contractual relationship;
- the enforcement of the company’s receivables and other claims; for this purpose, the company retains personal data for a maximum period equal to the applicable statute of limitations;
- prevention of fraudulent conduct, if the company has reasonable grounds to believe that there is a risk of such conduct; for this purpose, the company retains personal data for a maximum period as specified by generally binding legal regulations;
- protection of property, life, and health, and maintenance of public order; for this purpose, the company retains the personal data of individuals entering the company’s premises for a maximum of one month from the date of entry;
- the company’s marketing activities, which primarily involve providing information about selected services or company news; such communications may include surveys aimed at improving the satisfaction of contractual partners, as well as general and specialized tailored business offers; marketing communications are sent occasionally, typically several times a year, at most approximately once a month; for this purpose, the company retains personal data for the duration of the company’s legitimate interest, at most for the duration of the contractual relationship between the company and the data subject and for a reasonable period after its termination;
- the company’s specific legitimate interest as stated in the relevant personal data processing notice pertaining to a specific processing operation (e.g., Personal Data Processing Notice for Website Visitors); for this purpose, the company retains personal data for the period specified in such specific notice.
3.2 Performance of a Contract
The Company processes the personal data of data subjects for purposes related to the performance of contractual obligations of both contracting parties, in particular the conclusion, amendment, and termination of a contract, the granting of powers of attorney by data subjects to the Company, invoicing, and the like. The provision of personal data by the data subject to the Company to the extent necessary is a condition for the conclusion of the contract. Failure to provide personal data may prevent the Company from delivering goods and services to the data subject. The Company will inform the data subject which personal data is necessary for the conclusion of the contract and which may be provided, for example, to improve the efficiency of communication.
The Company retains personal data for the purpose of fulfilling the contract for the duration of the contractual relationship between the Company and the data subject. After the termination of the contractual relationship and the settlement of all obligations arising from or related to the contract, the company retains personal data for the time strictly necessary, in particular for the duration of the statute of limitations for potential claims following the termination of the contractual relationship and the settlement of all obligations (including pending legal disputes), or for a longer period if the statute of limitations is interrupted.
3.3 Compliance with a Legal Obligation
The Company may process personal data, including providing it to public authorities and other persons, if such an obligation arises from generally binding legislation. For example, due to a legal obligation, the Company may provide personal data to law enforcement authorities, courts, control or supervisory bodies, or other authorities or persons.
The Company retains personal data for the purpose of fulfilling a legal obligation for a maximum period of ten years from the termination of the contractual relationship between the Company and the data subject.
3.4 Consent Granted by the Data Subject
The Company processes the personal data of data subjects based on consent expressly granted by the data subject, in cases where none of the other legal bases can be applied.
The Company retains personal data processed based on the data subject’s consent until such consent is withdrawn, whichever occurs first. The data subject has the right to freely withdraw consent to the processing of personal data at any time. If consent is withdrawn, personal data may no longer be processed, provided that there is no other purpose for processing based on a different legal basis. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
4. Recipients of Personal Data
The Company may entrust the processing of personal data to third parties, known as processors. The Company’s processors include, for example, persons who carry out certain marketing activities on behalf of the Company, external vendors, external service providers and service recipients, consulting firms, or security services. Processors process personal data for the Company exclusively on the basis of a personal data processing agreement, which must meet the requirements set forth in the Regulation and the Personal Data Protection Act, and in such cases, the Company strictly ensures the protection of personal data provided to processors.
In certain cases, the Company may provide the personal data of data subjects to processors located in countries that are neither Member States of the European Union nor parties to the Agreement on the European Economic Area (“third countries”), which currently do not guarantee an adequate level of personal data protection. If the company transfers a data subject’s personal data to processors in third countries, it shall indicate whether or not there is an adequacy decision by the European Commission, or provide a reference to appropriate or suitable safeguards and the means to obtain a copy thereof, or the place where they are published.
5. Rights of the Data Subject
The data subject has the right to:
5.1 request from the company:
- confirmation as to whether or not their personal data is being processed; if the personal data was not obtained from the data subject, the data subject may request the provision of any available information regarding its source (“right of access to personal data”);
- if their personal data is being processed, to access the personal data and other information and to receive a copy of the personal data that the company is processing (“right to be informed about processing”); the company is entitled to charge the data subject a reasonable administrative fee in connection with a request for a copy of personal data;
- the rectification of inaccurate or incomplete personal data processed by the company (“right to rectification”);
- erasure of personal data if any of the grounds specified in the Regulation or the Personal Data Protection Act are met; in particular, if the personal data is no longer necessary for the purposes for which the company collected or processed it, if the data subject withdraws consent and the company has no other legal basis for processing, if the data subject objects to the processing, or if the company processed the personal data unlawfully; if official documents containing personal data are the subject of processing, the data subject may request their return (“right to erasure”);
- restriction of the processing of personal data if any of the grounds specified in the Regulation or the Personal Data Protection Act are met; for example, if the data subject reports that the company is processing incorrect personal data about them, they may request that such personal data not be processed until it is corrected (“right to restriction”);
- to receive the personal data concerning them that they have provided to the company in a structured, commonly used, and machine-readable format; the data subject has the right to have such personal data transmitted to another controller, where technically feasible and where the conditions set forth in the Regulation and the Personal Data Protection Act are met (“right to data portability”);
5.2 object, on grounds relating to their particular situation, to the processing of personal data concerning them that is necessary for the purposes of the legitimate interests pursued by the company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, including the right to object to profiling; object, on grounds relating to their particular situation, to the processing of personal data concerning them that is necessary for the performance of a task carried out in the public interest, including the right to object to profiling; object to the processing of personal data for direct marketing purposes without their consent, including profiling to the extent that it is related to such direct marketing (“right to object”);
5.3 object to being subject to a decision by the company that is based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the Regulation and the Personal Data Protection Act provide otherwise (“automated decision-making, including profiling”);
5.4 withdraw consent to the processing of personal data granted to the Company at any time, effective from the moment of withdrawal of consent (“right to withdraw consent”);
5.5 file a motion to initiate personal data protection proceedings with the Office for Personal Data Protection of the Slovak Republic, located at Námestie 1. mája 18, 811 06 Bratislava, Slovak Republic, telephone numbers: +421 2 32 31 32 14, +421 2 32 31 32 49, www.dataprotection.gov.sk, if the data subject suspects that their personal data is being processed unlawfully.
If the data subject lacks full legal capacity, their rights under the Regulation and the Personal Data Protection Act may be exercised by a legal representative. The rights of a deceased data subject under the Regulation and the Personal Data Protection Act may be exercised by a close relative.
The data subject may exercise their rights in the following ways:
- in person at the company’s registered office;
- by mail sent to the company’s registered office;
- by email to the company’s address office@novyruzinov.sk.
In view of the potential risks of misuse and to ensure the protection of data subjects’ personal data, the company establishes the means of communication through which it may receive and respond to a data subject’s request regarding the personal data processed by the company. The company also takes into account the technical aspects of certain rights of the data subject and adapts the means of communication to ensure these rights of the data subject. In case of doubt regarding the identity of the data subject, the company is entitled to request additional verification of their identity.
6. Automated Decision-Making, Including Profiling
The Company does not engage in automated decision-making, including profiling of the data subject’s personal data, that produces legal effects concerning the data subject or similarly significantly affects the data subject.
B) Information on the processing of the data subject’s personal data – website visitors
The purpose of Part B of this document (hereinafter referred to as the “Information”) is to provide visitors to our website with information on why and how we collect and use personal data obtained from visitors to our website. At the same time, this Information, together with the General Information, provides you with information about your rights as a data subject regarding the processing of your data by our company.
When you visit our website, you provide or may provide us with certain information that constitutes personal data, which we subsequently process in accordance with the principles set forth below in this Notice. In general, when you visit our website, you are in control of the personal data you share with us, and in most cases, you decide what personal data to provide to us, particularly through contact forms. We may collect a limited amount of your personal data through the use of cookies on our website.
We ask that you not provide us with sensitive information (such as racial or ethnic origin, political opinions, information about your religious beliefs or philosophical convictions, trade union membership, physical or mental health, genetic data, biometric data, data concerning your sex life or sexual orientation, and criminal records) when using our website. If you decide to provide us with such sensitive data for any reason, you do so based on your explicit consent that we may collect and use this information in the ways described in this Notice.
1. Who is responsible (the controller) for the processing of your personal data on this website?
CZ Slovakia, a.s., with its registered office at: Pomlejská 24, 931 01 Šamorín, Company ID No.: 31 435 793, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sa, File No.: 10418/T, branch: CZ Slovakia, a.s., branch, with its registered office at Dvořákovo nábrežie 8/A, 811 02 Bratislava;
CZ Slovakia Holding, a.s., Dvořákovo nábrežie 8/A, 811 02 Bratislava, ID No.: 54 063 671, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sa, File No.: 7289/B
(hereinafter referred to as the “Operator”)
The Operator is not required to designate a representative or a responsible person under the relevant provisions of the Regulation and the Personal Data Protection Act.
2. What categories of personal data do we collect and process through our website?
- identification data, which primarily includes first and last name;
- contact information, which includes, in particular, your phone number, email address, mailing address, and any other contact details you provided in the relevant form on our website;
- information provided in the “Your Message” section, which you have voluntarily provided to us;
- cookies; if we can identify a specific data subject visiting our website based on cookies, this constitutes the processing of personal data. We primarily use the following cookies on our website:
    - (i) essential cookies – these enable the use of basic functions such as logging in as a registered user or pre-filling forms;
    - (ii) conversion cookies – these allow us to analyze the performance of individual traffic channels;
    - (iii) tracking cookies – in combination with conversion cookies, they help us analyze the performance, volume, and qualitative parameters of various traffic channels;
    - (iv) remarketing cookies – we use these to personalize ad content and ensure proper targeting.
3. For what purposes do we process your data collected through our website?
We use the personal data you provide to us or that we collect about you through our website primarily for purposes arising from our legitimate business interests, to fulfill legal obligations, and for the purposes for which you provided us with your personal data based on your consent, specifically:
- a) responding to your specific requests and questions submitted via the web form;
- b) to inform you about our services, products, news, and events through direct marketing;
- c) to offer you the best possible specific settings for the website environment; to statistically track website traffic and your preferences; to personalize ad content and ensure its proper targeting;
- d) administering and managing the website and ensuring its security;
- e) collecting aggregate data for website analytics and improvements;
- f) monitoring and enforcing compliance with the terms of use of our website;
- g) fulfilling legal obligations imposed on us by applicable laws (for example, in the area of preventing the laundering of proceeds from criminal activity).
4. On what legal basis do we process your personal data collected on our website?
- a) Article 6(1)(a) of the Regulation – we process your personal data based on your consent to such processing;
- b) Article 6(1)(c) of the Regulation – processing is necessary for compliance with a legal obligation to which we are subject;
- c) Article 6(1)(f) of the Regulation – processing is necessary for the purposes of our legitimate interests.
5. When and how do we share your personal data collected on our website? Recipients or categories of recipients of personal data.
We provide personal data collected on our website primarily to the following recipients or categories of recipients:
- a) our legal, financial, business, tax, and other advisors;
- b) our business partners and persons cooperating in the implementation and sale of our development projects;
- c) persons within our group, i.e., entities controlled by and controlling our company;
- d) our service providers, in particular IT service providers and event marketing service providers;
- e) law enforcement authorities, regulatory and supervisory bodies, courts, or other public authorities, if required by applicable laws.
We do not transfer personal data about you obtained through our website to third countries or international organizations.
6. How long do we retain your personal data?
We retain your personal data collected through our website:
- for as long as the purpose of our legitimate interest in processing this personal data persists, in the case of processing your personal data based on our legitimate interest;
- for the duration of your consent to the processing of your personal data, in cases where your personal data is processed based on your consent; or
- for the period specified by generally applicable legal regulations in the case of processing your personal data based on compliance with a legal obligation.
7. What are your rights?
In connection with the processing of your personal data through our website, you have the rights specified in more detail above in the General Information, namely:
- a) the right of access to personal data concerning the data subject;
- b) the right to rectification of the data subject’s personal data;
- c) the right to erasure of the data subject’s personal data;
- d) the right to restrict the processing of the data subject’s personal data;
- e) the right to object to the processing of the data subject’s personal data; in such a case, we will no longer process your personal data for that purpose unless we have compelling legitimate grounds to continue such processing;
- f) the right to data portability of the data subject;
- g) the right to lodge a complaint with the Office for Personal Data Protection, Slovak Republic.
8. Can you withdraw your consent to the processing of your personal data obtained through our website?
You may withdraw your consent at any time by sending an email to office@novyruzinov.sk or in writing to the Controller’s registered office. In the case of messages sent via direct marketing, you may withdraw your consent at any time by clicking on the link provided in the body of the message.
You can control and/or delete cookies at your discretion. You can delete all cookies stored on your computer, and you can set most browsers to prevent them from being stored. However, in that case, you will likely have to manually adjust certain settings each time you visit the website, and some services and features will not work. For details, please visit www.allaboutcookies.org.
9. Information on whether the provision of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract
(including information on whether the data subject is required to provide personal data and the possible consequences of not providing it): The data subject is not required to provide personal data and is entitled to object to the processing of their personal data (if you exercise your right to object to the processing of your personal data, we will no longer process your personal data in such a case unless we have compelling legitimate grounds to continue such processing).
10. Information on the existence of automated decision-making, including profiling
(including information on the procedure used, as well as the significance and anticipated consequences of such processing for the data subject): We do not use automated decision-making, including profiling, when processing your personal data obtained through our website.