Personal Data Protection
Data protection is a particularly high priority for Stolárstvo u Kunaja GmbH. The main task of the company is the production, assembly and service of high-quality wooden and wooden-aluminium windows and doors. In order to fulfil this task successfully, it is necessary to ensure adequate protection of data and, at the same time, of all means of data processing, and to minimize possible data leaks in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and at the same time in accordance with Act no. 18/2018 on personal data protection and amending and supplementing certain Acts. It is important for us to be fully informed about the processing of personal data that we collect when providing our services.
The directive for implementing certain provisions of Act no. 18/2018 on personal data protection and amending and supplementing certain Acts.
Principles relating to processing of personal data
1.1 The intermediary and any person acting on behalf of the controller or the intermediary who has access to personal data may process such personal data only on the basis of the controller's instructions or in accordance with a special regulation or international agreement to which the Slovak Republic is bound by the Acts of the National Council of the Slovak Republic No. 18/2018 on personal data protection and amending and supplementing certain Acts.
1.2 Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
1.3 Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, if it complies with the special regulation, not be considered to be incompatible with the initial purposes.
1.4 Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
1.5 Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
1.6 Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the special regulation in order to safeguard the rights and freedoms of the data subject.
1.7 Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
1.8 The Controller shall be responsible for compliance with the basic principles of personal data processing and for the compliance of personal data processing with those principles.
1.9 Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation or an international agreement by which the Slovak Republic is bound;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
1.10 Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on the special regulation, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account:
a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
c) the nature of the personal data;
d) the possible consequences of the intended further processing for data subjects;
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
1.11 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
1.12 Article 1.11 shall not apply if one of the following applies:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the special regulation provides that the prohibition referred to in article 1.11 may not be lifted by the data subject;
b) processing relates to personal data which are manifestly made public by the data subject;
c) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
d) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on the special regulation or the international agreement by which the Slovak Republic is bound, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Responsibility of the controller
2.1 The controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2.2 The controller shall facilitate the exercise of data subject rights under Act no. 18/2018 on personal data protection and amending and supplementing certain Acts.
2.3 The controller shall provide information on action taken on a request of the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
2.4 If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy over compliance with Act no. 18/2018 on personal data protection and amending and supplementing certain Acts.
2.5 Information, any communication and any actions taken shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) refuse to act on the request.
2.6 The controller shall regularly check the duration of the purpose of personal data processing and, after its fulfilment, ensure the deletion of personal data without undue delay; this does not apply if personal data are part of the registration record.
Notification of a personal data breach
3.1 The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Office for Personal Data Protection of the Slovak Republic, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
3.2 The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3.3 The notification referred to in paragraph 3.2 shall at least:
a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
3.4 Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
3.5 The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
3.6 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject referred to in paragraph 3 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b) and (d) of this Article.
3.7 The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4.2 You can accept or decline cookies - including those used to track websites - by selecting the appropriate settings on your browser. You can set your browser to notify you when you receive a new cookie or to block it entirely. Your browser also offers you the option of deleting cookies (e.g., using the Delete browser history function). For more information, see the "Help" section in the "User Help" section of your web browser.
5.1 This policy will be updated according to the needs of the controller.
5.2 The Controller will supplement and, if necessary, amend the provisions of the Policy.
5.3 This internal policy comes into force on the day of its approval by the person responsible.