Protection of Personal Data
This document sets out the technical and organizational measures with which our company commits to comply, as it is responsible under Article 24 of the GDPR, taking into account the nature, scope, context and purposes of processing, and also the risks of varying probability and severity for the rights and freedoms of natural persons, in order to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR.
1. Definitions of basic terms
data subject, any natural person whose personal data is processed,
controller, anyone who, alone or jointly with others, defines the purpose and means of the processing of personal data and processes personal data on its own behalf. The controller or specific requirements for determining the controller may be laid down in a specific regulation or international treaty by which the Slovak Republic is bound, where such a regulation or treaty provides for the purpose and means of the processing of personal data,
processor, anyone who processes personal data on behalf of the controller,
processing personal data, a processing operation or set of processing operations involving personal data or sets of personal data, in particular collection, recording, organization, storage, alteration, retrieval, browsing, use, provision by transfer, dissemination or otherwise, regrouping or combination, restriction, erasure, whether carried out by automated means or by non-automated means,
consent of the data subject, any serious and freely given, specific, informed and unambiguous expression of the data subject’s will in the form of a statement or an unambiguous affirmative action by which the data subject consents to the processing of his/her personal data,
information system, any organised set of personal data accessible under specified criteria, whether centralised, decentralised or distributed on a functional or geographical basis,
restriction of the processing of personal data, an indication on personal data stored so that the processing thereof be limited in the future,
online identifier, an identifier provided by an application, tool or protocol, in particular an IP address, cookies, login data for online services, radio frequency identification, which may leave traces, which, in particular in combination with unique identifiers or other information, could be used to create a profile of the data subject and to identify him/her,
breach of the protection of personal data, a breach of security which leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data transmitted, stored or otherwise processed, or to unauthorised access to it,
recipient, a person to whom the personal data is disclosed, whether or not they are a third party. A public authority processing personal data on the basis of a specific regulation or an international treaty by which the Slovak Republic is bound is not considered to be a recipient, in accordance with the rules on the protection of personal data relating to the purpose of the processing of personal data,
a third party, anyone who is not the data subject, the controller, a processor or any other natural person processing the personal data, under the authority of the controller or processor.
2. Mapping personal data
Our company defines what personal data it processes in order to be able to analyse the processing of personal data and ensure compliance with GDPR. We define individual categories of personal data as individual information systems (IS).
(1) IS for customers
First name, surname, title, street and number, postcode, city, email, telephone contact, ID number, tax ID, VAT no.
Purpose of processing: issuing tax documents, contractual and pre-contractual relations, complaints, offering goods and services
(2) IS for wages and human resources
The personal data of employees – first name, surname, title, permanent residence – street and number, postcode, town, date of birth, birth number, bank account number (IBAN), name of health insurance company, supplementary pension savings bank, ID card number, email, telephone contact, are processed by the processor, as defined in point 10.
Purpose of processing: social security contributions, contributions to the health insurance company, fulfilment of the employer’s obligations related to the employment relationship with the employee, registration of applicants and employment.
(3) IS for marketing
Email addresses, telephone contacts, IP addresses, cookies
Purpose of processing: analysis of offer compilation, analysis of tracked metrics, remarketing offers, sending marketing and advertising emails
3. Principles for processing personal data (Article 5 GDPR)
Our company will comply with the following principles for personal data processing:
3.1. Lawfulness, fairness and transparency (Article 5(1)(a) GDPR)
Personal data will be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(1) Lawfulness of processing (Article 6 GDPR)
Our company is committed to processing data only in a lawful manner so as not to violate the fundamental rights of the data subject.
The processing of personal data by our company will be lawful, ensuring that it is carried out on the basis of at least one of the following legal bases:
(1.1) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
(1.2) processing is necessary for the performance of a contract to which the data subject is a party or for measures to be taken prior to the conclusion of the contract at the request of the data subject;
(1.3) the processing of personal data is necessary under a specific regulation or international treaty by which the Slovak Republic is bound (Section 13(1)(c))
(1.4) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(1.5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller;
(1.6) processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
3.2. Principle of purpose limitation (Article 5(1)(b) GDPR)
Our company will collect personal data only for specific, explicit and legitimate purposes and it may not be further processed in a manner incompatible with these purposes. Our company informs the data subject about the purpose of processing personal data before processing.
In the personal data mapping section, we have established the purposes of processing individual IS and we will process personal data only for the purposes set out in that section.
3.3. Principle of minimization of personal data (Article 5(1)(c) GDPR)
Our company will process personal data in such a way that this processing is appropriate, relevant and limited to the scope necessary for the purpose for which it is processed.
3.4. Principle of accuracy (Article 5(1)(d) GDPR)
Our company will process personal data in such a way that it is accurate and updated as necessary, and will take appropriate and effective measures to ensure that personal data that is inaccurate from the point of view of the purposes for which it is processed is erased or rectified without undue delay.
3.5. Principle of minimization of storage (Article 5(1)(e) GDPR)
Personal data will be stored by our company in a form that enables the identification of the data subject for no longer than is necessary for the purpose for which the personal data is processed.
3.6. Principle of integrity and confidentiality (Article 5(1)(f) GDPR)
Personal data will be processed in our company in a manner that guarantees adequate security of personal data, including protection against unauthorized processing of personal data, unlawful processing of personal data, accidental loss of personal data, erasure of personal data or damage to personal data, through appropriate technical or organizational measures.
(2) Personal data stored in electronic form
Use of cookies
Our company may use cookies on its website. A cookie is information that a website stores in a user’s system to remember certain information about the user the next time they visit this or a related site.
“Cookies” are processed only if cookies are enabled in your web browser (they are processed to improve the operation of websites operated by our company and internet advertising).
“Cookies” on digitalpartner.sk sites are:
(1) Necessary cookies (JSESSIONID, PHPSESSIONID) help create websites using basic features such as page navigation and access to secure website areas. We recommend that you accept them; the website may not work properly without them.
(2) Statistical cookies – Google Analytics (dc_gtm_UA-#, _ga, _gat, _gid): help website owners understand how visitors interact with websites by collecting anonymous statistics.
(3) Marketing cookies – Google Analytics (collect), Facebook and others: are used to track the movement of visitors on different websites. The idea is to show ads that are relevant and individually customized for each user, making them more valuable to third-party publishers and advertisers.
Information about how you use this site is shared with Google, Facebook and others to analyse page traffic and to track visitor movements across different websites.
The first time you visit our site, you will be asked to give your consent to the use of cookies from this site with a link to detailed information (this site).
If you do not want to receive cookies from our website, you can limit the scope of acceptance of cookies through the settings of your internet browser.
Effective cookie management tools are available, for example, on
http://www.youronlinechoices.com/
You can also disable cookies altogether and delete those already stored on your computer, but this can reduce your user experience when visiting the site.
Connection to social networks
Our website uses links to social networks – Facebook, Instagram, LinkedIn, and YouTube.
The buttons show the logos of each social network. However, the buttons are not standard plugins provided by social networks, but links to button icons. These buttons are activated only by intentional action (click). Unless you click on the buttons, no data will be transferred to social networks. By clicking the buttons, you accept communication with social network servers to activate the buttons and create a link. If you do not want social networks to collect data about you, do not click on the buttons mentioned above.
For information on the purposes and scope of data collection, on further processing and use of data by a particular social network and on rights and privacy settings, please refer to the information provided by the following social media sites:
Facebook: http://www.facebook.com/about/privacy
Google: http://www.google.com/intl/de/policies/privacy
Instagram: https://help.instagram.com/519522125107875?helpref=page_content
LinkedIn: https://www.linkedin.com/legal/privacy-policy
YouTube: http://www.youtube.com/t/privacy_at_youtube
(3) Personal data stored in paper (printed) form
Physical documents are stored in envelopes and folders, thereby ensuring protection against damage and that only authorized persons receive these documents.
3.7. Principle of accountability (Article 5(2) GDPR)
Our company is responsible for compliance with the basic principles of personal data processing and for personal data to be processed in conformance with the principles of personal data processing.
4. Conditions for granting consent to the processing of personal data (Article 7 GDPR)
The company will ensure that the following conditions are met when consent is given by the data subject:
(1) Consent to the processing of personal data must be a freely given, specific, informed and unambiguous expression of will.
(2) The request for consent must be made in such a way as to be clearly distinguishable from other matters, in an intelligible and easily accessible form and formulated in a clear and simple manner.
(3) The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal. Before giving consent, the data subject must be informed of this fact. The withdrawal of consent must be as simple as providing it.
7. Rights of the data subject (Chapter 3 GDPR)
The rights of the data subject are regulated by Chapter 3 of the GDPR and our company is committed to respecting them.
10. Processor (Article 28 GDPR)
A processor is a natural or legal entity, public authority, agency or other entity that processes personal data on behalf of the controller.
As the controller, our company uses processors who process personal data on its behalf. These include, for example, accounting and law firms.
Data is processed for our company by the following processors:
UPKZ, s.r.o., Rosná 34, 903 01 Senec, Slovakia
Our company will use only processors providing sufficient guarantees that they will adopt appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.
Our company will sign amendments to the contracts with the aforementioned processors so that the contracts meet all the requirements of the GDPR.
12. Security of processing (Article 32 GDPR)
Our company will adopt appropriate technical and organizational measures to ensure a level of security commensurate with the risk, taking into account the latest knowledge, the costs of implementing the measures and the nature, scope, context and purposes of processing, and also risks of varying probability and severity for the rights and freedoms of natural persons.
Instruction to process personal data (Article 32(4) GDPR)
Our company will take steps to ensure that any natural person acting under the authority of the controller or processor who has access to personal data processes such data only on the basis of our instructions, except where required to do so under Union or Member State law.
13. Notification of a personal data breach to the supervisory authority (Articles 33 and 34 GDPR)
In the event of a personal data breach, our company will notify the supervisory authority of the personal data breach without undue delay after becoming aware of this fact.
The notification of a personal data breach shall include at least:
(a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and approximate number of personal data records affected;
(b) contact details of the data protection officer in our company, from whom more information can be obtained about the personal data breach;
(c) a description of the likely consequences of the personal data breach;
(d) a description of the measures adopted or proposed by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its potential adverse consequences.
Our company documents any breach of personal data, including the facts associated with the breach of personal data, its consequences and the remedial measures taken.
In the event of a breach of personal data likely to lead to a high risk to the rights and freedoms of natural persons, our company will notify the data subject about the personal data breach without undue delay.
17. Confidentiality
Our company is obliged to maintain the confidentiality of the personal data it processes. The obligation of confidentiality persists even after the completion of the processing of personal data.
Our company is also obliged to bind natural persons to the confidentiality of personal data where they come into contact with personal data through the controller or processor.
Bratislava, 25.5.2018
Company name: Digital Partner s.r.o.
Registered office: Cernysevskeho 10, 851 01 Bratislava, Slovakia
ID: 50 321 927