This document describes the method and purpose of personal data processing by Bizzcom s.r.o., č.591, Bučany 919 28, Org ID: 36814351 as the controller (“controller”), and provides all other legally required information, including information on the rights of data subjects and how to exercise such rights.
Regulation (EU) 2016/679 on personal data protection (“GDPR”) constitutes the legal regulation governing the protection of natural persons in the processing of personal data and on the free movement of such data and protects the basic rights and freedoms of natural persons, especially in relation to their personal data protection rights.
Under Article 4 (1) GDPR, the term “personal data” refers to any information concerning an identified or identifiable natural person (“data subject”).
“Processing” is an operation or set of operations involving personal data or a set of personal data performed using automated or non-automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other form of provisioning, alignment or combination, restriction, erasure or destruction thereof (Article 4(2) GDPR).
Under Article 12 et seq. GDPR, a data subject must be provided with relevant information on the processing activities conducted by the controller and their rights as a data subject.
“Validity”: given that updated information may be required in the future concerning the processing of personal data contained in this policy, the controller is authorised to update this policy at any time. This version of the policy was issued on 1 January 2021.
1. ON WHAT BASIS MAY WE PROCESS YOUR PERSONAL DATA?
Processing is only lawful when at least one of the following conditions is met in the required scope:
- the data subject has expressed consent to the processing of their personal data for one or more specific purposes,
- processing is necessary to fulfil an agreement to which the data subject is a party or to take measures prior to the conclusion of such agreement at the data subject’s request,
- processing is necessary to comply with statutory obligations,
- processing is necessary for the purposes of a legitimate interest being followed by the operator or a third party, except in such cases where the interests or basic rights and freedoms of the data subject seeking personal data protection take priority over these interests, especially if the data subject is a minor child.
2. WHAT HAPPENS IF PERSONAL DATA IS NOT PROVIDED?
If your personal data is processed within:
- the provisioning of personal data to comply with a statutory or contractual requirement, the data subject is obliged to provide such personal data. Without providing personal data, it is impossible to fulfil an order or conclude an employment agreement.
- You provide any of your personal data voluntarily and you are obliged to consider the extent to which you provide personal data. We cannot respond to your suggestion or request without receiving some personal data.
3. YOUR PERSONAL DATA WE OBTAIN
You most often provide your personal data to us:
- we obtain it directly from you, for example, from communication with you via the contact form on our website,
- if you become our customer or are interested in our goods or services,
- during the controller’s hiring process to fill an open position or in records of job candidates where no specific potential position is specified,
- during the controller’s hiring process to fill an open position via the contact form on our website.
4. JOB APPLICATION
The controller processes the personal data of job candidates for the purposes of maintaining records in hiring processes to fill the controller’s open positions and to record the personal data of job candidates who have applied in general and not for a specific position. If the controller decides to conclude an employment agreement with any job candidate, or any other similar agreement outside of employment, i.e. the decision is made to hire a candidate, the personal data of such candidate will be processed by the controller to comply with its obligations when entering into an employment arrangement.
Legal basis: in accordance with the provisions of Article 6 (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”). Act 311/2001 Coll., the Labour Code, as amended.
Retention period: for a period of 1 year from the date of receipt of a CV, after which the data will be deleted.
5. WHY DO WE PROCESS PERSONAL DATA, WHAT PERSONAL DATA DO WE PROCESS, AND HOW LONG MAY WE RETAIN YOUR PERSONAL DATA?
Your personal data will be processed pursuant to specific regulations and for purposes defined by the controller:
INFORMATION ON THE PURPOSES OF PROCESSING PERSONAL DATA, LEGAL BASIS, RECIPIENTS AND RETENTION PERIODS

PURPOSE OF PROCESSING | LEGAL BASIS | CATEGORY OF RECIPIENTS | YEARS RETAINED |
---|---|---|---|
Hiring employees | Act No. 311/2001 Coll. the Labour Code, as amended Act No. 552/2003 Coll., on Public Service, as amended Act No. 596/2003 Coll. on State Administration in Education and Local Education Governance and on amendment of certain acts Act No. 317/2009 Coll. on Pedagogical Employees and Professional Employees, and on amendment of certain acts | personal data provided in a CV, personal data provided in a criminal record, or proof of education | 1 year |
Adaptation process (employee training) | Act No. 311/2001 Coll. the Labour Code, as amended Act No. 552/2003 Coll., on Public Service, as amended Act No. 5/2004 Coll. on Employment Services and on amendment of certain acts, as amended contractual arrangements Act No. 596/2003 Coll. on State Administration in Education and Local Education Governance and on amendment of certain acts Act No. 317/2009 Coll. on Pedagogical Employees and Professional Employees, and on amendment of certain acts | Ministry of Interior of the Slovak Republic, other authorised state authorities, if data is provided based on regular statutory obligations | 5 years after termination or expiration of the relevant obligation |
Fulfilment of the employer’s obligations under employment and similar arrangements | Act No. 311/2001 Coll. the Labour Code, as amended Act No. 552/2003 Coll., on Public Service, as amended Act No. 5/2004 Coll. on Employment Services and on amendment of certain acts, as amended Act No. 553/2003 Coll. on Remuneration for Certain Employees Performing Public Service and on amendment of certain works, as amended contractual arrangements, Act No. 596/2003 Coll. on State Administration in Education and Local Education Governance and on amendment of certain acts Act No. 317/2009 Coll. on Pedagogical Employees and Professional Employees, and on amendment of certain acts | employees, employee representatives, other authorised state authorities, if data is provided based on regular statutory obligations | 70 years |
Fulfilment of the employer’s obligations to the social insurance authority | Act No. 461/2003 Coll. on Social Insurance, as amended Act No. 43/2004 Coll. on Old-Age Pension Savings, as amended Act No. 650/2004 Coll. on Supplemental Pension Savings and on amendment of certain acts, as amended Act No. 462/2003 Coll. on Income Compensation for Temporary Employee Sick Leave and on amendment of certain acts, as amended | social insurance authority | 10 years |
Fulfilment of the employer’s obligations to health insurers | Act No. 580/2004 Coll. on Health Insurance and on amendment of Act No. 95/2002 Coll. on Insurance and on amendments of certain acts, as amended | health insurers | 10 years |
Occupational health service documentation, the information system used by the occupational health service conducting services for the controller based on a contract to maintain the required documentation | Act No. 355/2007 Coll. on the Protection, Promotion and Development of Public Health and on amendment of certain acts, as amended | state and public authorities responsible for audit and surveillance activities | 5 years after termination or expiration of the relevant obligation |
Occupational health and safety (OHS) documentation, the information system used to maintain the required OHS documentation | statutory obligation, public interest, Act No. 311/2001 Coll. the Labour Code, as amended, Act No. 124/2006 Coll. on Occupational Health and Safety, Act No. 42/1994 Coll. on Civil Defence, as amended, Act No. 355/2007 Coll. on the Protection, Promotion and Development of Public Health, Constitutional Act No. 227/2002 Coll. on State Security During War, State of War, Martial Law and State of Emergency | entity providing services under a specific act, the employer, Public Health Authority | 5 years after termination or expiration of the relevant obligation |
Fulfilment of tax obligations | Act No. 595/2003 Coll. on Income Tax, as amended | tax authority | 10 years |
Employer’s remuneration policy | Act No. 311/2001 Coll. the Labour Code, as amended Act No. 553/2003 Coll. on Remuneration for Certain Employees Performing Public Service and on amendment of certain works, as amended, Act No. 580/2004 Coll. on Health Insurance and on amendment of Act No. 95/2002 Coll. on Insurance and on amendments of certain acts, as amended, Act No. 461/2003 Coll. on Social Insurance, as amended, Act No. 595/2003 Coll. on Income Tax, as amended, Act No. 43/2004 Coll. on Old-Age Pension Savings, as amended, Act No. 650/2004 Coll. on Supplemental Pension Savings and on amendment of certain acts, as amended, Act No. 5/2004 Coll. on Employment Services and on amendment of certain acts, as amended, Act No. 462/2003 Coll. on Income Compensation for Temporary Employee Sick Leave and on amendment of certain acts, as amended, Act No. 152/1994 Coll. on the Social Fund and on amendment of Act No. 595/2003 Coll. on Income Tax, as amended | health insurers, social insurance authority, tax authority, supplementary pension savings management firms | 50 years |
Execution | Act No. 59/2018 Coll. on Court-Appointed Executors and Execution Activities (Execution Code), Article 6 (1)(c) GDPR | persons authorised under the relevant regulations, notaries | 10 years |
Registry management | Article 6 (1)(c) GDPR Act No. 395/2002 Coll. on Archives and Registries and on amendment of other acts, as amended | Ministry of Interior of the Slovak Republic, other authorised entity | records are retained for 10 years after the termination of such records |
Records of received and sent mail | Article 6 (1)(c) GDPR, Act No. 369/1990 Coll. on Municipalities, as amended, Act No. 395/2002 Coll. on Archives and Registries and on amendment of other acts, as amended, Act No. 305/2013 Coll. on Electronic Form of the Exercise of the Powers of Public Authorities and amendment of certain acts (e-Government Act) | data is not provided to any recipient | 3 years |
Processing of accounting documents | Act No. 431/2002 Coll. on Accounting, as amended, Act No. 222/2004 Coll. on Value Added Tax, as amended, Act No. 145/1995 Coll. on Administrative Fees, as amended, Act No. 40/1964 Coll., the Civil Code, as amended, Act No. 152/1994 Coll. on the Social Fund and on amendment of certain acts, Act No. 595/2003 Coll. on Value Added Tax, as amended, Act No. 311/2001 Coll., the Labour Code, as amended, Act No. 583/2004 Coll. on Local Government Budgetary Rules, as amended | tax authority | 10 years |
Resolving complaints | Article 6 (1)(c) and (e) GDPR Act No. 9/2010 Coll. on Complaints as amended | law enforcement, other authorised state authority | 5 years after termination or expiration of the relevant obligation |
Exercise of the rights of data subjects | personal data processing is permitted under Article 6 (1)(c) in accordance with Article 15 to 22 and 34 GDPR | state administration bodies, public authorities and public administration under relevant legislation | 5 years from the date of processing the request |
CCTV system used to protect the controller’s property | legitimate interest under Article 6 (1)(f) GDPR. The primary legitimate interest is protecting the property and safety of the controller and data subjects | Members of the Police Corps if necessary, the controller’s legal counsel | 6 days |
Control mechanism for monitoring employees | pursuant to §13 (4) of Act No. 311/2001 Coll., the Labour Code, as amended | Members of the Police Corps if necessary, the controller’s legal counsel | 6 days |
Disclosure of video recordings to law enforcement | pursuant to Article 6 (1)(c) GDPR | state administration bodies, public authorities | records may be used to demonstrate legal entitlement and the controller will process this data for the period necessary to demonstrate them |
GPS monitoring of company and private trips (if employees may use a company vehicle for personal use as well), transparent accounting of fuel costs, automatic generation of trip logs, location of stolen vehicles | the processing of personal data is permitted under §13 (4) of Act No. 311/2001 Coll. the Labour Code, as amended, Act No. 431/2002 Coll. on Accounting, as amended, Act No. 222/2004 Coll. on Value Added Tax, as amended, Act No. 595/2003 Coll. on Income Tax, as amended. pursuant to Article 6 (1)(b) GDPR | law enforcement if a crime has been committed, tax authority, administrator of the GPS system | 10 years |
Quotation form on the website | pursuant to Article 6 (1)(b) GDPR | data is not provided to any recipient | until the complete settlement of legal and other entitlements under the contractual arrangement, a minimum of 1 year from the date of termination of the contractual arrangement |
Preparation, conclusion and execution of business arrangements and agreements with suppliers, service providers and providers of human resources services | pursuant to Article 6 (1)(b) GDPR | state administration bodies, public authorities | 10 years |
Publication of photos of employees | pursuant to Article 6 (1)(a) GDPR | the controller’s website | we will process your personal data for this purpose until you revoke consent, or for a maximum of 5 years |
Records of visitors who enter the controller’s premises | pursuant to Article 6 (1)(f) GDPR | courts, law enforcement, inspectors of the Personal Data Protection Office of the Slovak Republic, other authorised entity pursuant to the Personal Data Protection Act or other specific legislation | 1 year |
Obtaining and providing the contact data of employees, the employees of service providers, state and public bodies with whom the controller is engaged in correspondence, and contact data for other persons with the controller’s lawful activities | Article 6 (1)(f) GDPR, processing is necessary to accomplish the controller’s legitimate interests | contracting parties, partners in the performance of design activities, state administration bodies, public authorities | 5 years |
Investigation of complaints pursuant to Act No. 307/2014 Coll. and Act No. 54/2019 Coll. on Whistle-blower Protections and on amendment of certain acts | Article 6 (1)(c) and (e) GDPR, Act No. 307/2014 Coll. on Specific Measures Related to Whistle-blowing Activities and on amendment of certain acts, Act No. 54/2019 Coll. on Whistle-blower Protections and on amendment of certain acts | parties to proceedings, the courts, law enforcement, inspectors of the Personal Data Protection Office of the Slovak Republic | 3 years |
Network security and safety Sharepoint – (practically a company-wide website, where employees can find everything they need for productive and efficient work) | Article 6 (1)(f) GDPR, processing is necessary to accomplish the controller’s legitimate interests | courts, law enforcement, inspectors of the Personal Data Protection Office of the Slovak Republic, other authorised entity pursuant to the Personal Data Protection Act or other specific legislation | 5 years |
Resolution of customer complaints | Act No. 250/2007 Coll. on Consumer Protection, as amended, Act No. 372/1990 Coll. on Offences, as amended, and Act No. 18/2018 Coll. on Personal Data Protection, as amended | trade inspection authorities in the context of consumer protection | 5 years |
6. WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?
Categories of recipients: state and public administration bodies, local government, the administrator of the Company’s website, auditor, lawyer, information technology administration and support provider, the providers of information services in justified instances, the courts and law enforcement.
7. PUBLICATION OF PERSONAL DATA
Personal data is processed on the basis of a specific need and requirement. During events organised by the controller, data subjects may be involved in the controller’s promotional activities by having their photographs, a visual recording or an audio-visual recording published on the controller’s website.
8. AUTOMATED INDIVIDUALISED DECISION-MAKING
Personal data will not be used for automated individualised decision-making, including profiling.
9. TRANSMISSION OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
No personal data is transmitted to any third country or international organisation.
10. CONFIDENTIALITY
Please allow us to assure you that our employees and collaborators who will process your personal data are obliged to maintain confidentiality regarding personal data. Such confidentiality endures after termination of contractual arrangements with us.
11. SECURITY FOR PERSONAL DATA
Your personal data is safe with us. To prevent unauthorised access and misuse of your personal data, we have taken suitable measures of a technical and organisational nature. The security of your personal data is important to us. As such, we regularly check its security and continue to improve our security measures. We strive to employ security measures that provide an adequate level of security with respect to the latest technology. The security measures that are deployed are updated on a regular basis.
12. DATA SUBJECTS
They are primarily employees, clients, and any natural person whose personal data is processed.
13. RIGHTS OF DATA SUBJECTS
To revoke consent – in instances where we process your personal data based on your consent, you have the right to revoke such consent at any time. You may revoke consent electronically at the specified email address, in writing, or in person at the controller’s registered office. The revocation of consent has no impact on the lawfulness of the processing of your personal data processed on this basis. Regardless, you have the right to object to the processing of your personal data at any time.
Right to access – you have the right to be provided with a copy of your personal data that we have available and to information about how we use your personal data. In the majority of cases, your personal data will be provided in written paper form, unless otherwise required by you. If you request such information electronically, the information will be provided to you electronically if technically feasible.
Right to correction – we will take appropriate measures to ensure the accuracy, completeness and currency of all information that we have available about you. If you believe that the information we have available is inaccurate, incomplete or no longer current, please do not hesitate to request that we change, update or amend such information.
Right to deletion (to be forgotten) – you have the right to request that we delete your personal data, for instance if the personal data we received from you is no longer necessary to accomplish the original purpose of processing. However, your right must be considered from the aspect of all relevant circumstances. For example, we may have certain legal or regulatory obligations, which means that we may not comply with your request.
Right to restrict processing – under specific circumstances, you are authorised to request that we stop using your personal data. For instance, if you believe that the personal data we have about you is inaccurate or if you believe that we no longer need to use your personal data.
Right to transmit data – under specific circumstances, you have the right to request that we transmit the personal data you provided to us to a third party of your choosing. However, the right to transmit data only refers to personal data obtained from you based on your consent or based on a contract that you are a party to.
Right to object – you have the right to object to the processing of your personal data based on our legitimate interests. If we have no convincing legitimate reason for such processing and you object, we will no longer process your personal data.
Right to file a complaint
To file a complaint regarding the manner in which we process your personal data, including the exercise of any of the above rights, you may contact us electronically at gdpr@bizzcom.sk or use the contact details provided in the heading of this document. We will thoroughly review all your suggestions and complaints. You have the right to file a complaint with the supervising authority, the Personal Data Protection Office of the Slovak Republic.
We will respond to your request at no charge within 30 days. If your request is complex or you send a large number of requests, we may extend this term by an additional 60 days. We will inform you if such eventuality occurs.
If you make a repeated request, we are authorised to charge a reasonable administrative fee to cover the costs associated with providing such services.