Data subject information policy (GDPR)
Operator – the company Včelco s.r.o. is responsible for the processing of personal data according to Regulation 2016/679 of the European Parliament and of the Council of the EU on the protection of natural persons in the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (hereinafter referred to as GDPR). Our data protection rules are in accordance with the applicable law on the protection of personal data. This information policy explains the information according to Article 13 and 14 GDPR in a transparent and clear way.
1. The administrator of personal data – the operator is the company that determines the purpose and means of processing personal data:
Company name: Včelco s.r.o.
Address: Továrenská 10A, 919 04 Smolenice
ID: 36783455
TIN: 2022385035
VAT number: SK2022385035
2. Affected persons – natural persons, employees and their family members (husbands or wives of the operator’s employees, dependent children of employees, parents of dependent children of employees, relatives), job seekers, employees of customers and suppliers, natural persons entering the facility
3. Categories of personal data that the operator processes: ordinary personal data – (name, date of birth, residential address – street, house number, zip code, city, telephone number, e-mail address, data on education, number of children, photo and others) and a special category of personal data (data that reveals membership in trade unions, data related to health and others)
4. Purposes of personal data processing (personal data must not be further processed in a way that is not compatible with these purposes) and the legal basis for providing this data:
Purposes of personal data processing | Legal basis |
---|---|
Human resources and wages – the purpose of processing contributions to the social insurance company | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Human resources and wages – the purpose of processing contributions to the health insurance company | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Human resources and wages – the purpose of fulfilling the obligation of Act No. 595/2003 Coll. on income tax, as amended | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
HR and payroll – the purpose of employee health and safety records and injury records | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Human resources and wages – the purpose of fulfilling the employer’s obligations related to the employment relationship, a similar relationship (e.g. based on agreements on work performed outside the employment relationship), including pre-contractual relationships | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Processing of accounting documents | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Records of attendance and overtime of temporarily assigned employees, records of health and safety and accidents | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Management of the agenda of the members of the company’s bodies according to Act No. 513/1991 Coll. from. Commercial Code and Act No. 530/2003 Coll. on the commercial register | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Client agenda – registration and processing of business cases, contracts and related information | Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) |
Client agenda – records and processing, delivery of material/goods | Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) Fulfillment of the contract (Article 6(1)(b) GDPR) |
Agenda of suppliers – purpose of registration and processing of business cases, contracts and related information | Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) |
Employees of contractors – fulfillment of obligations arising from Act no. 82/2005 Coll. on illegal work and illegal employment and on amendments to certain regulations as amended | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Registry management and records of sent and received mail | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Agenda of job seekers – purpose for the needs of selecting new employees | Art. 6 par. 1 letter a) GDPR regulations (consent of the data subject) |
Records of attendance and overtime of employees, employees on contract | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Presentation of the organization – promotion of the company’s activities on the website | Art. 6 par. 1 letter a) GDPR regulations (consent of the data subject) |
Records of complaints | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
External responsible person – fulfillment of the obligation of the GDPR Regulation on the designation of a responsible person (Art. 37-39) | Art. 37 to 39 of the GDPR Regulations |
E-shop – business purpose – concluding a purchase contract and providing the product to the person concerned using electronic commerce | Art. 6 par. 1 letter b) GDPR regulations (contract) Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) |
E-shop – business purpose (client registration) – concluding a purchase contract and providing the product to the person concerned using electronic commerce with the condition of registration | Art. 6 par. 1 letter b) GDPR regulations (contract) Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) |
E-shop – marketing newsletter – sending marketing materials to natural persons | Art. 6 par. 1 letter a) GDPR regulations (consent of the data subject) |
The purpose of familiarization with staffing and promotion of the organization – photos of employees | Art. 6 par. 1 letter a) GDPR regulations (consent of the data subject) |
Investigation of complaints according to Act no. 54/2019 Coll. on the protection of whistleblowers of anti-social activity and on the amendment of certain laws | Fulfillment of legal obligations (Article 6(1)(c) GDPR) |
Camera system – area not accessible to the public – protection of the company’s property or the health of persons located in the monitored areas, detection of crime | Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) Art. 6 par. 1 letter c) GDPR regulations (fulfilment of legal obligations) |
Camera system – space accessible to the public – protection of the company’s property or the health of persons located in the monitored premises, detection of crime | Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) Art. 6 par. 1 letter c) GDPR regulations (fulfilment of legal obligations) |
Reservation records – reservation records | Art. 6 par. 1 letter f) GDPR regulations (legitimate interest) |
Selection procedure – records used for the needs of the selection procedure to fill a job position | Art. 6 par. 1 letter b) GDPR regulations (contract) |
External responsible person – handling the rights of affected persons, control findings in accordance with the Personal Data Protection Act | Art. 37 to 39 of the GDPR Regulations |
5. Personal data retention period – Your personal data is processed for no longer than is necessary for the purposes for which the personal data is processed. We usually stop processing your personal data after:
-
-
- expiry of the storage periods set by the registry plan for registry records containing your personal data and after approval of the removal procedure;
- expiry of the maximum retention period of your personal data processed for a specific purpose, which we defined in the internal policy governing the retention of your personal data processed for specific purposes;
- the full settlement of our mutual contractual obligations;
- withdrawal of your consent to the processing of personal data.
-
More specific personal data retention periods follow from our personal data retention policy (listed in the records of processing activities). In no case do we systematically process any accidentally obtained personal data further for any purpose defined by the Operator and/or established for the Operator by law. If possible, we will inform the affected person, to whom the accidentally obtained personal data belong, about their accidental acquisition and, depending on the nature of the case, we will provide him with the necessary cooperation leading to the restoration of control over his personal data. Immediately after these necessary actions aimed at resolving the situation, we will immediately dispose of all accidentally obtained personal data in a secure manner.
6. Intermediaries – our business partners, who may have access to your personal data, also comply with the rules of personal data protection and we have concluded a contract with them on the processing of personal data (the list of intermediaries is available on request at the e-mail address responsible zodpovednaosoba@iqideas.sk).
The recipients of the personal data of the persons concerned are various groups of entities to whom we provide your personal data most often in the context of fulfilling our legal obligations and/or they are our own employees with whom you come into contact as the persons concerned. Personal data will be provided to public institutions such as administrative authorities, courts or law enforcement authorities only to the extent permitted by law. Below you will find a list of categories of recipients of personal data:
-
- Administrative IT services
- Suppliers of software equipment and technical support
- Consulting and consulting companies
- Lawyers, executors, notaries
- Accountants, payroll companies and auditors
- Mail carriers and postal companies
- Use of external recruitment agencies to carry out the selection of suitable employees and/or to participate in the selection of suitable job applicants
- Providing web hosting services
- External responsible person determined on the basis of the obligation from the Regulation on the Protection of Personal Data.
7. Data protection at the operator: we take technical and organizational security measures to protect your data as widely as possible from unwanted access. Only authorized persons of the operator who are instructed in the processing and protection of this personal data have access to the relevant personal data.
8. The processing of personal data is carried out within the member states of the European Union and the European Economic Area. Processing of personal data in the territory of a third country can only take place with the consent of the operator and subject to the fulfillment of special conditions set out in the GDPR regulation.
9. Personal data will not be used for automated individual decision-making, including profiling.
10. Proper processing of your personal data is for Včelco s.r.o. important and their protection is a matter of course. You can exercise the following rights when processing personal data:
-
- Withdraw consent – in cases where we process your personal data based on your consent, you have the right to withdraw this consent at any time. You can withdraw your consent electronically, at the address of the responsible person, in writing, with a notice of withdrawal of consent or in person at the office. Withdrawal of consent does not affect the legality of the processing of personal data that we processed about you on the basis of it.
- Right of access to data: You have the right to confirm whether or not personal data is being processed and, if so, you have access to information about the processing, the categories of personal data concerned, the recipients or categories of recipients, the retention period of the personal data, as well as the right to information about your rights, about the right to file a complaint with the Office for Personal Data Protection, information about the source of personal data, information about whether automated decision-making and profiling takes place, information and guarantees in case of transfer of personal data to a third country or international organization. You have the right to provide copies of processed personal data, as long as this act does not have adverse consequences on the rights of other natural persons.
- Right to rectification: you have the right to have your incorrect personal data rectified without undue delay
- The right to erasure: you are entitled to request that your personal data be deleted without undue delay, if the conditions set out in the GDPR are met (you have the right to erasure in particular if your personal data are no longer necessary for the purposes for which they were processed, or if the personal data was processed illegally. The right to erasure does not apply in particular if the processing of personal data is necessary to demonstrate, exercise or defend the legal claims of the operator or third parties)
- The right to restrict processing: in the cases specified in the GDPR (e.g. if you challenge the correctness of personal data or the processing is not in accordance with legal regulations or we no longer need the personal data for the specified purposes, but you need them to prove, exercise or defend legal claims) you have the right to request that we restrict their processing
- The right to data portability – in certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice. However, the right to portability only applies to personal data that we have obtained from you on the basis of consent or on the basis of a contract to which you are a party.
- The right to object: if the processing of personal data is carried out on a legal basis, a legitimate interest according to the GDPR, you have the right to object to such processing. We may not process this data further unless it demonstrates necessary legitimate reasons for processing that outweigh your interests, rights and freedoms, or reasons for proving, exercising or defending our legal claims or those of third parties.
11.You have the right to file a complaint with the Office for the Protection of Personal Data of the Slovak Republic or with another competent supervisory authority, especially if it assumes that there has been a violation of the processing of personal data.
12. Contact to exercise the affected rights: if you contact us by e-mail to the address of the responsible person zodpovednaosoba@iqideas.sk or by mail to the address Továrenská 10A, 919 04 Smolenice, we will save the data you have provided (your e-mail address or your name, surname and your phone number) to answer your questions or to process your request. The data will be deleted after they are no longer necessary for the purpose of processing, or we will limit their processing if there are legal obligations to keep them. We will provide you with statements and any information about the measures taken as soon as possible, but within one month at the latest. If necessary and taking into account the complexity and number of requests, we can extend this period to two months. We will inform you about the extension, including the reasons.