Information on the Processing of Personal Data Provided Pursuant to Article 13 of the Regulation
With effect from 25.05.2018, all personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - hereinafter referred to as the "Regulation").
- Identity and Contact Details of the Controller:
The Controller that processes personal data is the company MERK REALITY a. s., Gorkého 8-12, 811 09 Bratislava, ID No.: 35 787 198, Registered in the District Court of BA1, section Sa. Entry No. 2426/B
(hereinafter referred to as "MERK REALITY a. s." or the "Controller").
- Contact Details of the Controller's Data Officer:
The Data Officer of the Controller can be contacted at email@example.com.
- Data Subject´s Rights:
The Right to Require the Controller to Have Access to Personal Data Relating to Him or Her Pursuant to Article 15:
The Data Subject shall have the right to obtain confirmation from the Controller as to whether personal data relating to him or her are being processed and, if so, to obtain access to those personal data and that information:
- processing purposes;
- the data category of the Data Subject;
- the recipients or the categories of recipients to whom the personal data have been or will be provided, mainly recipients in third countries or international organizations;
- when possible, for the expected retention period of the personal data or, if that is not possible, the criteria for its determination;
- the existence of the right to require the Controller to correct personal data relating to the Data Subject or delete or restrict the processing or to oppose such processing;
- the right to file a grievance with a supervisory authority;
- if personal data have not been obtained from the Data Subject, any available information concerning their source;
- the existence of automated decision-making, including the profiling specified in Article 22, Paragraph 1 and 4 of the GDPR and, in such cases, at least meaningful information on the used procedure, as well as the significance and foreseeable results of such processing for the Data Subject.
Where personal data are transferred to a third country or an international organisation, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer pursuant to Article 46 of the Regulation.
The Controller shall provide a copy of the personal data being processed. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee corresponding to the administrative cost. If the Data Subject has made the request through electronic means, the information shall be provided in a commonly used electronic form, unless the Data Subject has requested a different method. The right to obtain a copy must not result in an adverse effect on the rights and freedoms of others.
The Right to Rectification of Personal Data Pursuant to Article 16:
The Data Subject shall have the right to have inaccurate personal data concerning him or her rectified by the Controller without undue delay. With regard to processing purposes, the Data Subject is entitled to supplement incomplete personal data, also through the provision of a supplementary statement.
The Right to Deletion (Right to be Forgotten) Under Article 17:
The Data Subject shall also have the right to obtain from the Controller the deletion of personal data concerning him or her without undue delay and the Controller shall erase the personal data without undue delay if one of the following grounds is met:
- personal data are no longer needed for the purposes for which they were obtained or otherwise processed;
- the Data Subject revokes the consent under which the processing is performed in accordance with Article 6, Paragraph 1, Letter a) or Article 9, Paragraph 2(a) of the Regulation and where there is no other legal basis for the processing;
- the Data Subject objects to the processing according to Article 21, Paragraph 1 of the Regulation and there are no overriding legitimate grounds for processing or the Data Subject objects to processing pursuant to Article 21(1) of the Regulation. 2 Regulations;
- the personal data was unlawfully processed;
- the personal data must be deleted in order to meet a legal obligation according to the law of the Union or the law of the Member State to which the Controller is subject;
- the personal data were obtained in connection with the provision of information society services according to to Article 8, Paragraph 1 of the Regulation.
If the Controller discloses personal data and is obliged to delete personal data, taking into consideration available technology and the cost of implementing the measures, it shall take reasonable measures, including technical measures, to inform the Controllers who process the personal data that the Data Subject is requesting them to delete all references to such personal data, along with their copies or replicas.
The Right of Deletion Does Not Apply if Processing is Necessary:
- for the exercising of the right to freedom of expression and information;
- for meeting a legal obligation requiring processing according to Union law or the law of the Member State to which the Controller is subject, or in order to meet a task implemented in the public interest or in the exercising of public authority entrusted to the Controller;
- due to public interest in the field of public health, in accordance with Article 9, Paragraph 2, Letter h) and i) and Article 9, Paragraph 3 of the Regulation.
- for the purpose of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes according to Article 89, Paragraph 1 of the Regulation where the right referred to above is likely to render impossible or seriously impede the achievement of the purposes of such processing, or
- to prove, enforce or defend legal claims.
The Right to Restriction of Processing Under Article 18:
The Data Subject has the right to restrict the processing by the Controller for one of the following cases:
- the Data Subject asserts the accuracy of the personal data during a period allowing the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject objects to the deletion of personal data and requests restrictions on their usage instead;
- the Controller no longer needs personal data for processing but needs the Data Subject for the proving, application or defense of legal claims;
- the Data Subject objected to the processing according to Article 21, Paragraph 1 of the Regulation, pending verification that the legitimate grounds on the part of the Controller override those of the Data Subject.
If the processing in accordance with the above-mentioned restriction has been restricted, such personal data shall, with the exception of retention, be processed only with the consent of the Data Subject or for the purpose of proving, applying or defending legal claims or for the protection of the rights of another natural person or legal entity or for reasons of significant public interest for the Union or a Member State.
A Data Subject who has attained a restriction in processing in accordance with the above-mentioned is informed by the Controller before the processing restriction is revoked.
The Right to Data Portability Under Article 20:
The Data Subject has the right to obtain personal data relating to him/her and which he/she has provided to the Controller in a structured, commonly used and machine-readable format and has the right to transfer this data to another Controller without the provider to whom the personal was provided preventing the transfer, if: a) the processing is based on the consent referred to in Article 6, Paragraph 1, Letter a) or Article 9, Paragraph 2(a) of the Regulation, or on a contract pursuant to Article 6(2)(a) of the Regulation, or on a contract pursuant to Article 6(2)(a) of the Regulation. 1(b) of the Regulation, and (b) where the processing is carried out by automated means.
In the exercising of his/her right to data portability, the Data Subject has the right to transfer personal data directly from one Controller to another Controller, as much as technically possible.
The exercise of the right shall be without prejudice to Article 17 of the Regulation. The said right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. The right to data portability must not have an adverse effect on the rights and freedoms of others.
The Right to Object to Processing, Including Objection to Profiling (If Performed) Under Article 21:
The Data Subject shall have the right at any time to object, for reasons relating to his or her concrete situation against the processing of personal data concerning him/her, which is performed pursuant to Article 6, Paragraph 1(e) or (f) of the Regulation, including objections to profiling based on those provisions. The Controller may not further process personal data unless it demonstrates the necessary authorized reasons for processing, which outweigh the interests, rights and freedoms of the Data Subject or reasons for proving, applying or defending legal claims. If the personal data are processed for the purposes of direct marketing, the Data Subject has the right at any time to object to the processing of personal data relating to him/her for the purposes of such marketing, including profiling in the range related to such direct marketing. If the Data Subject opposes the processing for purposes of direct marketing, the personal data may no longer be processed for such purposes.
In relation to the use of information society services and regardless of Directive 2002/58/EC, the Data Subject may exercise his/her right to object to automated means by use of technical specifications. If the personal data are processed for purposes of scientific or historical research or for statistical purposes according to Article 89, Paragraph 1 of the Regulation, the Data Subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, except where the processing is necessary for the performance of a task carried out for reasons of public interest.
The Right to Lodge a Complaint with the Supervisory Authority:
The supervisory authority to which the Data Subject shall address his or her complaint in justified cases shall be the Office for Personal Data Protection of the Slovak Republic.
Right to Withdraw Consent to Processing:
In case the legal basis for the processing of personal data is the consent of the Data Subject, the Data Subject may at any time revoke his/her consent without impacting the lawfulness of the processing based on the consent granted prior to its revoking.
The Right to Withdraw Consent May Be Exercised by the Data Subject at Any Time, Even Before the Expiry of the Period for Which the Consent Was Given, in the Following Ways:
- by sending an email message to firstname.lastname@example.org,
- by phone +421 33 79 51 111 or
- by sending a written request to the address of the Controller's registered office with the text "GDPR - Withdrawal of Consent" on the envelope.
- Purpose and legal basis of the processing of personal data
The Controller Processes Your Personal Data for the Following Purposes:
- a) The purpose of monitoring premises is to protect property in the monitored area and to protect the health of natural persons in the area, as well as to obtain evidence on an ongoing basis of the causes, course and consequences of related security incidents. The legal basis for the processing of personal data is the legitimate interest pursued by the Controller or a third party within the meaning of Art. 6, Par. 1(f) of the Regulation. The legitimate interest of the Controller or a third party is the right to protect property, the right to protect the health of natural persons and the right to require compliance with public order. The retention period for personal data in the form of video recordings is 15 days. In justified cases, the recipients of personal data may be courts, law enforcement authorities or a private security service contracted by the Controller.
- The purpose of the processing of personal data in the field of accounting and commercial agenda is the fulfilment of the legal obligations of the Controller arising from special regulations (Accounting Act, Value Added Tax Act, Income Tax Act, etc.). The legal basis for the processing of personal data (including the provision of personal data to third parties) is the performance of a legal obligation under Art. 6, Par. 1(c) of the Regulation. The retention period for personal data is 10 years. The recipients of personal data are the external accountant, public authorities, the parent company, the auditor and the lawyer.
- The purpose of processing personal data in the area of business communication is the preparation and implementation of the business activities of the operator. The legal basis for the processing of personal data is the legitimate interest pursued by the Controller or a third party within the meaning of Art. 6, Par. 1(f) of the Regulation. The legitimate interest of the Controller is the right to do business within the scope of its activities. The period of retention of personal data is determined by the preparation and duration of the business relationship, as well as a period of 2 years from the end of the business relationship. The recipients of personal data are companies providing information technology administration and support, external audit providers, telecommunications service providers, data storage providers and, where justified, courts and law enforcement authorities.
- The purpose of processing personal data in the area of personnel and payroll is the preparation and conclusion of an employment contract or an agreement on work outside employment, the registration of documents on work capacity, payment of wages, deductions, the fulfilment of obligations towards state administration authorities, attendance records, training records, records of issued credentials and authorizations, records of provided protective work equipment, property or equipment, entering into agreements on material liability, keeping records of the issue of cash, the provision of employee benefits, keeping records of damage caused by employees to the employer's property, the provision of catering, copying documents necessary for the purposes of the employment or similar relationship, as well as the fulfilment of other statutory and contractual obligations. The legal basis for processing is the performance of a legal obligation under Art. 6, Par. 1(c) of the Regulation and an employment contract or agreement within the meaning of Art. 6, Par. 1(b) of the Regulation concluded with the person concerned pursuant to the Labour Code. The Data Subject is obliged to provide personal data to the extent necessary; in the event of failure to provide personal data, it is not possible to conclude an employment or similar contract. The employee's personal data will be provided to the following recipients: health insurance companies, supplementary pension savings institutions, pension management companies, statistical bodies, security services, educational agencies and trainers, occupational health services, occupational health assessments and medical fitness assessments, postal services, development bodies, information technology administration and support, external audit providers, telecommunications service providers, catering service providers, the company on whose servers the personal data is stored, the employer's customers, the employer's suppliers, public authorities, lawyers and, where justified, courts, law enforcement authorities and bailiffs. The period of retention of personal data in an employee's personnel file is the period limited to the preparation of the employment relationship and the employee's (also former) 70th birthday.
- The purpose of the processing of personal data in the field of OSH is the fulfilment of the employer's related obligations, in particular, but not limited to, the implementation of training, the recording of accidents at work and the provision of medical examinations. The legal basis for the processing of personal data (including their disclosure to third parties) is the fulfilment of the legal obligations of the Controller under Art. 6, Par. 1(c) of the Regulation (in particular the obligations under the OSH Act). The employee's personal data will be disclosed to the following recipients: the external OSH company, the Labour Inspectorate, and in justified cases, criminal or offence law enforcement authorities. The retention period for personal data is the period limited to the preparation of the employment relationship and the expiry of 2 years after the termination of that relationship. The provision of personal data is a legal obligation of the Data Subject
- Personal data for the purpose of registry management are processed in the context of the fulfilment of the legal obligations of the Controller within the meaning of Art. 6, Par. 395/2002 Coll. on archives and registers and on the amendment of certain acts as amended and the obligations arising from Act No. 305/2013 Coll. on the electronic form of exercising the powers of public authorities and on the amendment and supplementation of certain acts - Act on e-Government). The provision of personal data is a legal obligation of the Data Subject The employee's personal data will be provided to the following recipients: entities providing information technology development, administration and support, entities providing external audit, telecommunications service providers, catering service providers, the company on whose servers the personal data is stored. Retention periods are laid down by specific regulations and the Registry Plan.