|Personal Data Processing Declaration (general information)
In accordance with Act no. 18/2018 Coll. on the Personal Data Protection and on amending and supplementing certain acts as amended (hereinafter referred to as the “Act” in the relevant grammatical form ) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation” in the appropriate grammatical form ), SkyToll, a.s., registered office at Lamačská cesta 3 /B, 841 04 Bratislava, Slovak Republic, Company Reg. No.: 44 500 734, Tax ID No.: 2022712153, VAT ID No.: SK2022712153, recorded in the Companies Register of the District Court Bratislava I in Section: Sa, file no. 4646/B (hereinafter referred to as the „Controller“ in the appropriate grammatical form), processes your personal data within the scope and under the conditions specified in the following articles.
1 Principles of Personal Data Protection
In case of personal data processing by the Controller, you are a
Data Subject, i.e. a person whose personal data is being processed.
The Controller processes your personal data exclusively on the basis of the conditions specified in the Act or the Regulation.
Your personal data will be stored securely, in accordance with the security policy of the Controller, only for the time necessary to fulfil the purpose of processing and only for the purpose for which they were obtained.
Only persons authorised by the Controller to process personal data who process them on the basis of the Controller’s instructions will have access to your personal data.
The Controller has a legal obligation to provide your personal data during inspections, supervisory activities, reporting obligations or at the request of authorised government bodies or institutions, if it ensues from specific regulations.
The Controller may also provide your personal data to recipients who are processors. The Controller declares that it has duly concluded contracts with its processors, who ensure an appropriate level of personal data protection, in accordance with the applicable legal regulations related to the protection of personal data, including the Act and the Regulation.
Personal data shall not be disclosed and shall not be used for automated individual decision-making, including profiling.
The Controller, in accordance with Section 48 of the Act, does not intend to transfer the personal data to a third country or an international organization.
2 Lawfulness of Personal Data Processing
We shall process your personal data exclusively based on one of the following reasons:
3 Scope of Personal Data Processing
We process your personal data in the following scope:
Area of processing activity: Personnel and payroll agenda
Purpose of processing: Performance of the employer’s obligations related to the employment relationship or similar relationship (eg on the basis of agreements on work performed outside of the employment relationship), including pre-contractual relationships.
Data subjects: Employees, spouses of employees, persons dependent on employees, former employees, job seekers.
The period of processing of personal data: depending on the valid legislation Legal basis of processing:
– Act no. 311/2001 Coll. the Labor Code as amended;
– Act no. 580/2004 Coll. on Health Insurance as amended;
– Act no. 461/2003 Coll. on Social Insurance as amended;
– Act no. 595/2003 Coll. on Income Tax, as amended;
– Act no. 43/2004 Coll. on Old-Age Pension Savings, as amended;
– Act no. 650/2004 Coll. on Supplementary Pension Savings and on amending and supplementing certain acts, as amended;
– Act no. 5/2004 Coll. on Employment Services and on amending and supplementing certain acts, as amended;
– Act no. 462/2003 Coll. on Income Compensation in the Event of Temporary Incapacity for Work of an Employee and on amending and supplementing certain acts as amended;
– Act no. 152/1994 Coll. on the Social Fund and on amending and supplementing of Act no. 286/1992 Coll. on Income Taxes, as amended;
– Act no. 355/2007 Coll. on the Protection, Support and Development of Public Health and on amending and supplementing certain acts, as amended;
– Act no. 124/2006 Coll. on Occupational Health and Safety and on amending and supplementing certain acts, as amended.
Recipient categories: health insurance companies, a law firm, a statutory auditor
Area of processing activity: Register of job seekers
Purpose of processing: Records of prospective job seekers with whom the employer is not preliminarily preparing to conclude an employment contract and records of unsolicited applications for employment.
Data subjects: Job seekers.
Period of personal data processing: 3 years, if the applicant confirms consent to be included in the records of job seekers, 30 days if the applicant does not confirm this consent.
Legal basis of processing: Consent of the data subject
Recipient categories: Law firm
Area of processing activity: Contractual partners – employees of contractual partners
Purpose of processing: Performance of the contractual relationship with the data subject’s employer, including pre-contractual relationships.
Data subjects: Natural persons – employees (internal, external) of the contractual partner in a contractual relationship, a pre-contractual relationship and a terminated relationship with the Controller.
Period of personal data processing 10 years.
Legal basis of processing: Legitimate interest
Recipient categories: a statutory auditor, tax advisers
Area of processing activity: Contractual
partners – natural persons
Purpose of processing: Implementation of a contract with a natural person.
Data subjects: Natural persons who are in a pre-contractual relationship, natural persons with whom a contractual relationship has been concluded and natural persons with whom a contractual relationship has ended.
The period of processing of personal data: depending on the valid legislation
Legal basis of processing: Contract with a natural person
Recipient categories: a statutory auditor, tax advisers
4 Data Protection Officer
Pursuant to the provisions of Section 44 of the Act, the Controller has a data protection officer (hereinafter referred to as the “Data Protection Officer” in the relevant grammatical form), who can be contacted via e-mail sent to firstname.lastname@example.org or this person can be contacted in writing at the GDPR correspondence address: SkyToll, as, Lamačská cesta 3 / B, 841 04 Bratislava, Slovak Republic.
5 Your rights under the Act
Your rights as a Data Subject referred to in Article 15 et seq. the Regulation and in Section 21 et seq. the Act include the right to information or notification about:
– the right to demand from the Controller access to personal data concerning you as the Data Subject;
– the right to object to the processing of personal data;
– the right to the portability of personal data;
– the right to withdraw consent to the processing of personal data at any time;
– the right to address the Office and file a motion to initiate proceedings to the effect that your rights have been affected under the Regulation or the Act;
– whether the disclosure of personal data is a legal requirement or a contractual requirement or a requirement necessary for the conclusion of a contract, and whether you, as the Data subject, are obliged to provide personal data, as well as possible consequences of not providing personal data;
– the existence of automated individual decision-making, including profiling; in these cases, the Controller will provide to you, as the Data Subject, with information on the procedure used, as well as on the meaning and expected consequences of such processing of personal data for you as the Data Subject;
– other purpose of processing and other relevant information referred to above, if the Controller intends to further process personal data for a purpose other than that for which they were obtained;
– the right to obtain a confirmation from the Controller as to whether personal data concerning him/her are being processed. If the Controller processes such personal data, you, as the Data Subject, have the right to access these personal data;
– the right to ask from the Controller an amendment of personal data concerning you as a Data Subject, their deletion or restriction of their processing, or the right to object to the processing of personal data and subsequently information on the correction of personal data, deletion of personal data or restrictions on personal data processing;
– the source of personal data, if personal data have not been obtained from you as the Data Subject;
– adequate safeguards regarding the transfer of personal data to third countries or to an international organization;
– the right to obtain personal data related to you and which you have provided to the Controller, in a structured, commonly used and machine-readable format, and you have the right to transfer these personal data to another Controller, if technically feasible;
– the right to object to the processing of your personal data for reasons relating to your specific situation, including profiling. The Controller may not further process your personal data unless it demonstrates the necessary legitimate interests for the processing of personal data which prevail over the rights or interests of you as a Data Subject or the reasons for asserting a legal claim;
– the right to object to the processing of personal data involving the Data Subject for the purpose of direct marketing, including profiling, in the scope as it relates to direct marketing. If you, as the Data Subject, object to the processing of personal data for the purpose of direct marketing, the Controller may not further process personal data for the purpose of direct marketing,
– the right that you are not subject to a decision which is based exclusively on the automated processing of personal data, including profiling, and which has legal effects involving the Data Subject or similarly affecting it in a significant way;
– the obligation of the Controller to notify you without unreasonable delay of a breach of personal data protection as the Data Subject, if such breach of personal data protection may lead to a high risk to the rights of a natural person.
As a Data Subject, you can exercise your rights in the following ways:
We will process your application within 30 days from the date of receipt of the application in accordance with the aforesaid paragraphs. In some specific cases, a longer period may be required to examine the application. We will process such applications within 60 days from the date of receipt of the application, while you, as the Data Subject, shall be informed in writing about the application of a longer period.
As a Data Subject, you also have the right to apply directly to the Office for Personal Data Protection (https://dataprotection.gov.sk/uoou/).