Privacy Policy
Information Obligation of the Company Prepared in Accordance with the Data Protection Act
Identification Details of the Controller:
The company Ma&Ki s.r.o., Company ID: 54 358 558, Karpatské námestie 7770/10A, Bratislava – Rača 831 06 (hereinafter referred to as the “Company”) acts as the controller of information systems (hereinafter referred to as “IS”) when processing personal data of its employees, clients, customers, or business partners (hereinafter referred to as the “Data Subject”).
Legal Basis for Processing Personal Data of Data Subjects:
When processing personal data, the Company follows the provisions of Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Supplements to Certain Acts (hereinafter referred to as the “Data Protection Act”). The legal basis for processing personal data is the Data Protection Act, specific legal regulations, and consent to the processing of personal data, depending on the purpose of the processing.
In cases where the purpose of personal data processing, the scope of data subjects, and the list of personal data are established directly by an enforceable act of the European Union, an international treaty binding on the Slovak Republic, the Data Protection Act, or a specific law, the Company is authorized to process personal data without the consent of the Data Subject under the Data Protection Act.
The Company processes personal data without the consent of the Data Subject when the purpose of personal data processing, the scope of data subjects, and the list of personal data or their scope are established directly by an enforceable legally binding act of the European Union, an international treaty binding on the Slovak Republic, or this law. If the list or scope of personal data is not established, the Company may process personal data only to the extent and in the manner necessary to achieve the specified purpose of processing while adhering to the fundamental obligations under the Data Protection Act.
The Company also processes personal data without the consent of the Data Subject if the purpose of personal data processing, the scope of data subjects, and the list of personal data are established by a specific law and only to the extent and in the manner prescribed by that specific law. Processed personal data can be provided, made accessible, or disclosed from the information system only if a specific law prescribes the purpose of providing, making accessible, or disclosing the personal data, the list of personal data that may be provided, made accessible, or disclosed, and the third parties to whom the personal data is provided or the circle of recipients to whom the personal data is made accessible, unless the Data Protection Act prescribes otherwise.
The Company also processes personal data without the consent of the Data Subject in the following cases:
a) Processing personal data is necessary to fulfill a contract in which the Data Subject is one of the contractual parties, or in pre-contractual relations with the Data Subject or during negotiations to amend a contract at the request of the Data Subject,
b) Processing personal data is necessary to protect the life, health, or property of the Data Subject,
c) The subject of processing is exclusively the title, name, surname, and address of the Data Subject without the possibility of associating them with additional personal data of the Data Subject, and their use is exclusively intended for the needs of the controller in postal communication with the Data Subject and for the recording of these data,
d) Personal data that has already been lawfully disclosed are being processed, provided that the controller has duly marked them as disclosed; the person claiming to process disclosed personal data shall demonstrate to the authority, upon request, that the processed personal data has already been lawfully disclosed,
e) Processing personal data is necessary to protect the rights and legally protected interests of the controller or a third party, except when the basic rights and freedoms of the Data Subject, which are protected under this Act, prevail in such processing.
If the purpose of personal data processing established in a directly enforceable legally binding act of the European Union, an international treaty binding on the Slovak Republic, the Data Protection Act, or a specific law cannot be determined in advance, the list of personal data can be replaced by the scope of personal data.
The Company is obligated to follow the Data Protection Act when processing such personal data, except for controllers processing personal data for the purposes of legal proceedings and in connection with them.
If the Data Protection Act does not apply to the processing of personal data, the Company, as the controller, is authorized to process personal data only with the consent of the Data Subject.
The Company obtains the consent of the Data Subject without coercion and pressure, as well as without conditioning it on the threat of refusing the contractual relationship, services provided, or obligations arising for the controller from legally binding acts of the European Union, an international treaty binding on the Slovak Republic, or the law.
In case of refusal to provide personal data to the Company for purposes necessary for the provision of services or the fulfillment of legal obligations, the Company is entitled to inform the Data Subject of the possible consequences of not providing the personal data.
Data Subjects agree that the Company may authorize a processor to process personal data on its behalf when processing personal data. Upon the completion of the purpose of personal data processing, the Company will lawfully dispose of the personal data of the Data Subjects within the time limits specified by applicable legal regulations and in accordance with the Company’s internal regulations.
Purpose of Processing Personal Data of Data Subjects:
The Company respects your privacy and treats the provided personal data as confidential.
The Company needs to know certain personal data of Data Subjects to provide high-quality services and needs to provide them to other recipients for the purpose of fulfilling its legal obligations and ensuring the highest quality services.
The Company processes the provided personal data for various purposes.
This includes personal data of job applicants and personal data of its employees for the purposes of personnel and payroll administration and related legal obligations arising from specific legal regulations.
The Company also processes the personal data of its clients, customers, and business partners to ensure its business activities, taking into account the interests of its clients, customers, and business partners.
No other purposes of processing personal data are pursued within the Company, which means that the Company collects, stores, and processes only the personal data of Data Subjects necessary for the fulfillment of its provided services. The provided personal data is strictly protected against misuse by unauthorized third parties, using means documented in the adopted security project and security directive in accordance with the Data Protection Act.
When processing personal data of Data Subjects, the Company adheres to the basic obligations of the controller under the Data Protection Act, which include the following obligations:
The Company uses the provided personal data only for the predetermined purpose of processing, which is clear, specifically defined, and concrete, and is in compliance with the Constitution of the Slovak Republic, constitutional laws, laws, and international treaties binding on the Slovak Republic.
The Company always defines the conditions for processing personal data in such a way that the rights of the Data Subject established by law are not restricted.
The Company collects only such personal data of Data Subjects that correspond in scope and content to the purpose of processing and are necessary to achieve it.
The Company ensures that the personal data of Data Subjects is processed exclusively in a manner that corresponds to the purpose for which it was originally collected.
The Company, as the controller, is obligated to process only accurate, complete, and up-to-date personal data concerning the purpose of processing. Incorrect and incomplete personal data must be blocked and corrected or supplemented without undue delay, and if it cannot be corrected or supplemented to be accurate, the Company must clearly mark and destroy such personal data without undue delay.
The Company ensures that the personal data of Data Subjects is processed in a form that allows the identification of individual Data Subjects for a period not longer than necessary to achieve the purpose of processing.
The Company will destroy the personal data whose purpose of processing has ended in the prescribed manner. After the purpose has been achieved, the Company is authorized to process personal data in an anonymous form for research or statistical purposes. The controller cannot use such processed personal data to support measures or decisions made against the Data Subject that restrict its fundamental rights and freedoms.
Processors:
The Company does not provide your personal data to third parties in violation of the Data Protection Act or for the purpose of their collection, in violation of your interests or instructions, and third parties are provided with such data only within the scope of the purposes mentioned above.
The Company collaborates with various processors in its business activities, aiming to provide high-quality services, and these entities process the personal data of Data Subjects while performing their contractual activities for the Company.
The Company declares that it has carefully selected individual processors based on their professional, technical, organizational, and personnel capabilities and their ability to guarantee the security of the processed personal data with the security measures adopted under the Data Protection Act.
Furthermore, the Company, in selecting a suitable processor, acted to avoid jeopardizing the rights and legally protected interests of Data Subjects.
The Company, as the controller, has concluded written contracts with the processors under the Data Protection Act, ensuring the protection of personal data processed by the processors, whom it has authorized to process personal data of Data Subjects only to the extent, under the conditions, and for the purpose agreed upon in the contract, and in the manner specified by the Data Protection Act.
Scope and List of Processed Personal Data:
The Company processes personal data of Data Subjects in its information systems to the extent necessary to achieve the specified purpose. This includes the scope of personal data defined by specific legal regulations or to the extent of the Data Subject’s consent to the processing of their personal data.
The Company processes only personal data that has been voluntarily provided and to the necessary extent by the Data Subject themselves. The provision of personal data to the Company beyond the scope of specific laws is voluntary.
Conditions and Manner of Processing Personal Data of Data Subjects:
The Company processes personal data of Data Subjects in its information systems by both automated and non-automated processing means.
The Company does not disclose processed personal data, except in cases required by a specific legal regulation or a court or other state authority decision.
The Company will not process your personal data without your explicit consent or another legal basis for any other purpose, nor to a greater extent than specified in this information and the records of individual information systems of the controller.
Rights of the Data Subject Related to the Processing of Their Personal Data:
The Data Subject has the right, based on a written request, to require the Company to:
a) Confirm whether or not personal data about them is being processed,
b) Provide, in a generally understandable form, information about the processing of personal data in the information system within the scope specified by the Data Protection Act; in case of a decision under the Data Protection Act, the Data Subject is entitled to become familiar with the processing and evaluation procedures of the operations,
c) Provide, in a generally understandable form, accurate information about the source from which their personal data was obtained for processing,
d) Provide, in a generally understandable form, a list of their personal data that is being processed,
e) Correct or destroy their incorrect, incomplete, or outdated personal data that is being processed,
f) Destroy their personal data whose purpose of processing has ended; if the processed personal data includes official documents containing personal data, they may request their return,
g) Destroy their personal data that is being processed if there has been a violation of the law,
h) Block their personal data due to the withdrawal of consent before its expiration, if the Company processes personal data based on the consent of the Data Subject.
The aforementioned rights of the Data Subject under letters e) and f) can only be restricted if such a restriction arises from a specific law or if exercising them would violate the protection of the Data Subject or the rights and freedoms of other individuals.
According to the Data Protection Act, the Data Subject has the right, based on a written request addressed to the Company, to object to:
a) The processing of their personal data, which they believe is or will be processed for direct marketing purposes without their consent, and request its destruction,
b) The use of personal data specified in the Data Protection Act for direct marketing purposes in postal communication, or
c) The provision of personal data specified in the Data Protection Act for direct marketing purposes.
According to the Data Protection Act, the Data Subject has the right, based on a written request addressed to the Company or personally if the matter is urgent, to object to the processing of personal data in cases specified by the Data Protection Act by stating legitimate reasons or providing evidence of unauthorized interference with their rights and legally protected interests, which are or may be harmed by such processing; if there are no legal grounds to the contrary and it is proven that the Data Subject’s objection is justified, the Company is obligated to block and destroy the personal data that the Data Subject objected to as soon as circumstances allow.
According to the Data Protection Act, the Data Subject has the right, based on a written request addressed to the Company or personally if the matter is urgent, to object to and refuse to submit to a decision made by the Company that would have legal effects or significant impact on them if such a decision is issued solely based on automated processing of their personal data. The Data Subject also has the right to request the Company to review the decision by a method other than automated processing, and the Company is obligated to comply with the Data Subject’s request, ensuring that an authorized person plays the decisive role in reviewing the decision; the controller will inform the Data Subject of the review method and the findings within the period specified by the Data Protection Act. The Data Subject does not have this right only if it is prescribed by a specific law, which provides measures to protect the legitimate interests of the Data Subject, or if the controller issued a decision that met the Data Subject’s request in pre-contractual relations or during the existence of contractual relations, or if the controller adopted other appropriate measures under the contract to protect the legitimate interests of the Data Subject.
If the Data Subject exercises their right:
a) In writing, and the content of their request indicates that they are exercising their right, the request will be considered submitted under the Data Protection Act; a request submitted by email or fax must be delivered in writing no later than three days from the date of sending,
b) Personally in oral form recorded in a written protocol, which must indicate who exercised the right, what is being requested, and when and who prepared the protocol, including their signature and the signature of the Data Subject; the Company is obligated to provide a copy of the protocol to the Data Subject,
c) With a processor according to letter a) or b), the processor is obligated to deliver the request or protocol to the Company without undue delay.
If the Data Subject suspects that their personal data is being processed unlawfully, they may submit a proposal to initiate proceedings for the protection of personal data to the Office for Personal Data Protection of the Slovak Republic, located at Hraničná 12, 820 07 Bratislava 27, Slovak Republic, or contact the office via its website https://www.dataprotection.gov.sk.
If the Data Subject lacks full legal capacity, their rights may be exercised by their legal representative.
If the Data Subject is deceased, their rights under this Act may be exercised by a close person.
The Company will handle the Data Subject’s request under the Data Protection Act free of charge.
The Company will handle the Data Subject’s request under the Data Protection Act free of charge, except for a fee that cannot exceed the amount of reasonably incurred material costs associated with making copies, obtaining technical media, and sending information to the Data Subject, unless a specific law provides otherwise.
The Company is obligated to respond to the Data Subject’s request under the Data Protection Act in writing no later than 30 days from the date of receipt of the request.
The Company will promptly notify the Data Subject and the Office for Personal Data Protection of the Slovak Republic in writing of any restrictions on the Data Subject’s rights under the Data Protection Act.