Protection of personal data
The basic mission of the company Stolárstvo u Kunaja, s.r.o. is manufacturing, installation and maintenance of high-class wooden and wood-aluminium windows and doors. For successful fulfilment of this mission, it is necessary to provide adequate protection of data and of all tools for data processing, and thus provide minimisation of potential leakages in accordance with the Regulation of the European Parliament and Council (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in accordance with the new Act of the Slovak Republic no. 18/2018 Coll. on protection of personal data and on the amendment of certain other Acts, as well as in accordance with the international standards and regulations. It is important for us that you are fully informed about personal data we obtain when providing our services and that you are aware of how we use them.
Directive, by which selected provisions of the Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain other Acts, are exercised.
Principles for personal data processing
- The processor and any persons acting on behalf of the controller or the processor who have access to the personal data can process this personal data only on the basis of instructions of the controller or according to the special regulation or an international contract by which the Slovak Republic is bound, mainly according to the Act no. 18/2018 Coll. on the protection of personal data and on the amendment of certain other Acts.
- The personal data can be processed only in a legal way and so that no violation of the basic rights of the data subject occurs.
- The personal data can be obtained only for specifically determined, expressly specified and reasonable purpose, and it shall not be further processed in a way that is not compatible with this purpose; further processing of the personal data for the purpose of archiving, for scientific purposes, for the purpose of historic research or for statistical purpose, if it is in compliance with the particular regulation and if appropriate guarantees for data subject right protection are met, is not considered to be incompatible with the original purpose.
- Personal data being processed shall be appropriate, relevant and limited to the necessary scope defined by the purpose for which the data is processed.
- Personal data being processed shall be correct and updated, if necessary. Personal data that is incorrect with regard to the purpose for which it is being processed shall be deleted or repaired without undue delay.
- Personal data shall be stored in a form which enables identification of the data subject only for as long as it is necessary for the purpose for which the data is processed; personal data can be stored longer only if it shall be processed solely for the purpose of archiving, for scientific purpose, for the purpose of historic research or for statistical purpose based upon a special regulation and if appropriate guarantees for data subject right protection are met.
- Personal data shall be processed in a way that secures appropriate safety of personal data, including protection against unauthorised processing of personal data, deletion of personal data or damage of personal data.
- The controller is responsible for meeting the basic principles of personal data processing and for compliance of the personal data processing with principles of personal data processing.
- Processing of the personal data is legal if it is performed based upon at least one of the following legal bases:
  - The data subject expressed his/her consent with processing of his/her personal data for at least one specific purpose,
  - Processing of personal data is necessary for performance of a contract, a contracting party of which is the data subject, or for performance of a measure before conclusion of a contract on the basis of data subject requirement,
  - Processing of personal data is necessary according to a special regulation or an international agreement applicable to the Slovak Republic,
  - Processing of personal data is necessary for protection of life, health or property of the data subject or of other natural person,
  - Processing of personal data is necessary for fulfilment of a task being performed in the public interest or during performance of a public authority entrusted to the controller, or
  - Processing of personal data is necessary for the purpose of reasonable interests of the controller or the third party, except for the cases when these interests are outweighed by interests or rights of the data subject that require protection of personal data, mainly if the data subject is a child;
1.10 If processing of personal data for other purpose than purpose, for which the data was obtained, is not based upon agreement of the data subject or upon a special regulation, the controller shall consider the following in order to determine if personal data processing for other purpose is compatible with a purpose, for which the personal data was originally obtained:
a) any relationship between the purpose, for which the personal data was originally obtained, and the purpose for planned further processing of the personal data,
b) circumstances, under which the personal data was obtained, mainly circumstances relating to relationship between the data subject and the controller,
c) nature of the personal data,
d) possible consequences of planned further processing of the personal data for the data subject,
e) existence of adequate guarantees, which may include encryption or pseudonymisation.
1.11 Processing of special categories of the personal data is prohibited. The personal data special categories are data which reveal racial origin or ethnic origin, political opinions, religion, philosophical confession, membership in trade unions, genetic data, biometric data, data related to health or data related to sexual life or sexual orientation of a natural person.
1.12 Prohibition for processing personal data special categories does not apply, if:
a) the data subject expressed his/her explicit consent with processing of this personal data for at least one specific purpose; the consent is ineffective, if it is excluded by a special regulation,
b) processing relates to the personal data, which were demonstrably publicized by the data subject,
c) processing is necessary for making a legal claim, or for equity,
d) processing is necessary for the purpose of archiving, for a scientific purpose, for a purpose of historical research or for a statistical purpose according to this act, special regulation or an international agreement applicable to the Slovak Republic, which are adequate with regard to planned target, which respects nature of legislative for personal data protection and defined adequate and specific measures for providing of basic rights and interests of the data subject.
Obligations of the controller
2.1 The controller is obliged to provide the data subject with information and notices, which relate to processing of his/her personal data, in brief, transparent, comprehensible and easily available form; it shall be formulated clearly, mainly in case of information dedicated specially to a child. The controller is obliged to provide information in paper or electronic form, generally in a form, in which the application was filed. Upon a request of the data subject, the controller can provide information verbally, if the data subject demonstrates his/her identity in some other way.
2.2 The controller shall assist the data subject with claiming his/her rights according to the Act no. 18/2018 Coll. on protection of the personal data and on the amendment of certain other Acts.
2.3 The controller is obliged to provide the data subject with information on measures taken on the basis of his/her request within one month from delivery of the request. The controller can prolong the specified period by another two months in reasonable cases with regard to complexity and number of requests. The period can be prolonged repeatedly. The controller is obliged to inform the data subject about every such prolongation within one month from delivery of the request together with reasons for period prolongation. If the data subject filed the request in an electronic form, the controller shall also provide information in an electronic form, unless the data subject requests another form of providing of information.
2.4 If the controller does not take any measures on the basis of the data subject's request, he/she is obliged to inform the data subject about reasons of such inactivity within one month from delivery of the request and also about a possibility of filing a motion to the Office for personal data protection of the Slovak Republic to initiate procedures of supervision of fulfilment of the Act no. 18/2018 Coll. on protection of the personal data and on the amendment of certain other Acts.
2.5 Information, notices and taken measures shall be provided free of charge. If the request of the data subject is clearly groundless or inadequate, mainly due to its repeated nature, the controller can:
a) ask for an appropriate fee that will consider administrative costs for noticing, or an appropriate fee that will consider administrative costs for performance of requested measure, or
b) refuse to perform any activity on the basis of the request.
2.6 The controller is obliged to regularly check duration of a purpose for personal data processing, and after the purpose is fulfilled, the controller is obliged to provide deletion of the personal data without undue delay. The previous sentence does not apply, if the personal data is a part of the registry record.
Notifications of violation of personal data protection
3.1 The controller is obliged to inform the Office for personal data protection of the Slovak Republic about any violation of personal data protection within 72 hours after discovery of such violation. The previous sentence does not apply, if it is reasonable to assume that violation of personal data protection will not lead to any risk for natural person rights. If the controller fails to fulfil this noticing obligation, he/she shall explain such inactivity.
3.2 The processor is obliged to inform the controller of any violation of personal data protection without undue delay after he/she discovers such violation.
3.3 Notification according to the point 3.2 of this Article shall contain mainly
a) description of the nature of personal data protection violation, including, if it is possible, categories and probable number of involved persons the violation relates to and categories and probable number of involved personal data records,
b) contact data of a responsible person or of other contact point where more information can be obtained,
c) description of probable consequences of personal data protection violation,
d) description of measures taken or proposed by the controller for rectification of personal data protection violation, including measures for mitigation of its potential negative consequences, if it is necessary.
3.4 The controller is obliged to provide all information he/she is aware of at the time of notification. If the controller is not aware of all information at the time of notification, he/she shall provide it immediately after he/she learns it.
3.5 The controller is obliged to document each case of personal data protection violation, including facts related to personal data protection violation, its consequences and measures taken for rectification.
3.6 Without undue delay, the controller is obliged to inform the data subject about personal data protection violation, if such personal data protection violation could lead to a high risk for natural person rights. The notification shall contain clear and simply formulated description of nature of personal data protection violation and information and measures according to the point 3.3, letters b) to d) of this Article.
3.7 Notification, according to 1, is not required, if
a) the controller took appropriate technical and organisational protective measures and he/she applied them for personal data related to personal data protection violation, especially encrypting or some other measures, on the basis of which the personal data are illegible for persons that are not authorised to access it,
b) the controller took subsequent measures for protection against a high risk of data subject right violation,
c) it would require inappropriate effort; the controller is obliged to inform the public, or to take other measures to secure that the data subject is informed in a similarly effective way.
Technical measures, use of web browser cookies
4.1 For user's web pages and for adapting our web pages to your needs, our web pages may use cookie files. The cookie file is a small file, which is stored locally in your computer when you visit web pages. When you visit a web page from the same device, the cookie file indicates for example that you have repeatedly visited the web page. The cookie files enable us to analyze the use of our web pages. They do not contain any personal data, and it is not possible to identify you at the web pages of the third parties through these cookie files, including the pages of analysis providers.
4.2 You can either accept or reject the cookies – including those used for monitoring of the web pages – by selecting appropriate settings for your web browser. You can set the web browser so that it alerts you when you receive a new cookie file, or you can completely block cookies. Your web browser also offers you a possibility to remove the cookie files (e.g. by means of the option “Delete browsing history”). You can find further information in the function User's help in the part Settings in your web browser.
5.1 This directive is subjected to updating according to needs of the controller.
5.2 Supplementation and potential changes of the provisions of this directive shall be made by the controller.
5.3 This internal directive comes into effect on the date of its approval by the controller.