Information on the Processing of Personal Data Provided in Accordance with Article 13 of the Regulation

Effective as of 25.05.2018, all personal data is processed in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation - hereinafter referred to as the “Regulation”). 

1. Identity and Contact Details of the Controller: 

The controller processing personal data is MERK REALITY a. s., Gorkého 8-12, 811 09 Bratislava, IČO: 35 787 198, Registered in the Commercial Register of the District Court Bratislava III, Section: Sa, Insert 2426/B

 (hereinafter also referred to as “MERK REALITY a. s.” or “controller”). 

1. Contact Details of the Controller's Responsible Person: 

The responsible person of the controller can be contacted at zodpovednaosoba@hotelpark.sk. 

1. Rights of the Data Subject: 

Right to request from the controller access to personal data concerning them, in accordance with Article 15: 

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer pursuant to Article 46 of the Regulation. 

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification of personal data according to Article 16:

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (“right to be forgotten”) according to Article 17:

The data subject shall also have the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) of the Regulation, and where there is no other legal ground for the processing;
3. the data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the Regulation;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. 

The right to erasure shall not apply to the extent that processing is necessary:

1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3) of the Regulation;
4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the Regulation insofar as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise, or defense of legal claims. 

Right to restriction of processing according to Article 18: 

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
4. the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification of whether the legitimate grounds of the controller override those of the data subject. 

Where processing has been restricted in accordance with the above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. 

A data subject who has obtained restriction of processing pursuant to the above shall be informed by the controller before the restriction of processing is lifted.

Right to data portability according to Article 20: 

The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation or on a contract pursuant to Article 6(1)(b) of the Regulation; and b) the processing is carried out by automated means. 

In exercising their right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. 

The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others. 

Right to object to processing including objection to profiling (if carried out) according to Article 21: 

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1)(e) or (f) of the Regulation, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. 

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest. 

Right to lodge a complaint with a supervisory authority: 

The supervisory authority to which the data subject may lodge a complaint, in justified cases, is the Office for Personal Data Protection of the Slovak Republic.

 Right to withdraw consent for processing: 

Where the legal basis for processing personal data is the consent of the data subject, the data subject shall have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

 The right to withdraw consent at any time, including before the expiry of the period for which consent was given, can be exercised by the data subject in the following ways:

1. by email sent to the address zodpovednaosobal@hotelpark.sk,
2. by telephone at +421 33 79 51 111 or
3. by sending a written request to the address of the controller's registered office with the text "GDPR - withdrawal of consent" on the envelope.
4. Purpose and legal basis for processing personal data 

The controller processes your personal data for the following purposes: 

1. a) The purpose of monitoring premises is to protect property in the monitored area and to protect the health of individuals present in this area, as well as the ongoing collection of evidence regarding the causes, course, and consequences of related security incidents. The legal basis for the processing of personal data is a legitimate interest pursued by the controller or a third party pursuant to Article 6(1)(f) of the Regulation. The legitimate interest of the controller or third party is the right to protect property, the right to protect the health of individuals, and the right to require the maintenance of public order. The retention period for personal data in the form of video recordings is 15 days. In justified cases, recipients of personal data may be courts, law enforcement authorities, or a private security service contracted by the controller.
2. The purpose of processing personal data in the area of accounting and business agenda is to fulfill the legal obligations of the controller arising from specific regulations (the Accounting Act, the VAT Act, the Income Tax Act, etc.). The legal basis for processing personal data (including their provision to third parties) is the fulfillment of a legal obligation pursuant to Article 6(1)(c) of the Regulation. The retention period for personal data is 10 years. Recipients of personal data are external accountants, public authorities, the parent company, auditors, and lawyers.
3. The purpose of processing personal data in the area of business communication is the preparation and implementation of the controller's business activities. The legal basis for processing personal data is the legitimate interest pursued by the controller pursuant to Article 6(1)(f) of the Regulation. The legitimate interest of the controller is the right to conduct business within the scope of its activities. The retention period for personal data is determined by the preparation and duration of the commercial relationship, as well as a period of 2 years after the end of this relationship. Recipients of personal data are companies performing IT management and support, entities providing external audit services, telecommunications service providers, data storage providers, and, in justified cases, courts and law enforcement authorities.
4. The purpose of processing personal data in the area of personnel and payroll agenda is the preparation and conclusion of an employment contract or agreement on work outside of employment, recording documents on work capability, salary payment, deductions, fulfillment of obligations to state authorities, attendance records, education records, records of issued authorizations and powers of attorney, records of provided protective work equipment, property or equipment, conclusion of agreements on material responsibility, records of cash disbursements, provision of employee benefits, records of damages caused by employees to the employer's property, provision of meals, copying of documents necessary for employment or similar relationship purposes, as well as the fulfillment of other legal and contractual obligations. The legal basis for processing is the fulfillment of a legal obligation pursuant to Article 6(1)(c) of the Regulation and an employment contract or agreement pursuant to Article 6(1)(b) of the Regulation concluded with the data subject under the Labor Code. The data subject is obliged to provide personal data to the necessary extent; in case of non-provision of personal data, it is not possible to conclude an employment or similar contract. Employee personal data will be provided to these recipients: health insurance companies, supplementary pension savings companies, pension management companies, entities ensuring statistics, security service, educational agencies and trainers, entities ensuring occupational health services, occupational health assessments and fitness assessments, entities ensuring postal services, entities ensuring development, management and support of information technologies, entities ensuring external audit services, telecommunications service providers, catering service provider, company on whose servers personal data are stored, employer's customers, employer's suppliers, public authorities, lawyers, and, in justified cases, courts, law enforcement authorities, and executors. The retention period for personal data in the employee's personal file is the period limited by the preparation of the employment relationship and the completion of the employee's (or former employee's) seventieth 70th year of life.
5. The purpose of processing personal data in the area of health and safety at work (H&S) is the fulfillment of related employer obligations, particularly, but not limited to, training, accident records, and medical examinations. The legal basis for processing personal data (including their provision to third parties) is the fulfillment of the controller's legal obligations pursuant to Article 6(1)(c) of the Regulation (especially obligations arising from the H&S Act). Employee personal data will be provided to these recipients: external company providing H&S services, Labor Inspectorate, and, in justified cases, law enforcement or misdemeanor authorities. The retention period for personal data is the period limited by the preparation of the employment relationship and the expiration of 2 years from the termination of this relationship. Providing personal data is a legal obligation of the data subject
6. Personal data for the purpose of registry management is processed in the fulfillment of the controller's legal obligations pursuant to Article 6(1)(c) of the Regulation (especially obligations arising from Act No. 395/2002 Coll. on Archives and Registries and on Amendments to Certain Acts, as amended, and obligations arising from Act No. 305/2013 Coll. on the Electronic Form of Performance of the Competence of Public Authorities and on Amendments to Certain Acts - e-Government Act). Providing personal data is a legal obligation of the data subject. Employee personal data will be provided to the following recipients: entities ensuring development, management and support of information technologies, entities ensuring external audit services, telecommunications service providers, catering service provider, company on whose servers personal data are stored. Retention periods are established by specific regulations and the Registry Plan.