(updated on 1 August 2020)
This Personal Data Protection Policy stipulates the principles of personal data processing at Kiuub s. r. o., with its registered office at Hlavná 25, Trnava 917 01, Slovak Republic, company identification number: 52 507 742, registered with the Commercial Register of the Trnava District Court, section: Sro, Entry No. 44918/T (hereinafter as the “Company”), with the objective of creating an effective and consistent Personal Data Protection Policy in line with the applicable legal regulations.
This Personal Data Processing and Protection Policy (hereinafter as the “Policy”) reflects the respective European legislation, i.e. the Regulation (EU) 2016/679/EU of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as the “Regulation”), and Slovak legislation, in particular the Act No. 18/2018 Coll. on Personal Data Protection and on amendments and supplements to certain acts (hereinafter as the “Act”). Its objective is to regulate the handling of Personal data within the Company.
The Company is aware that Personal data protection is contingent on the specific Personal data processing powers and the everyday actions of the authorised personnel, or rather all parties involved in the business activities of the Company. Personal data protection as a type of information asset subject to specific regulations and protection under the Act is part of the information asset protection agenda. Observing the principles and rules of the Policy helps spread a positive culture of Personal data handling and raise the level of Personal data protection at the Company. Enforcement of the rules stipulated in this Policy is part of the permanent and goal-directed process encompassing several levels, namely, the methodical, executive and supervisory.
The Company and its statutory body, as the Controller, pursuant to the Regulation and the Act, are responsible for the supervision of the system of protection and processing of Personal data within the Company, which involves in particular adoption and approval of suitable technical and organizational measures matching the manner of Personal data processing and taking into account the available technical means, confidentiality and importance of processed Personal data, as well as the scope of possible risks that could breach the safety of Personal data processing.
For the purposes of this Policy the Company is deemed a Controller.
The terms used in this Policy shall have the meanings specified below:
The system of monitoring, management and control of activities pertaining to processing of Personal data forms an integral part of efficient Company governance.
The strategy of Personal data protection at the Company is built around the Principles relating to processing of Personal data, determined by the Company and its day-to-day operation and activities pertaining to processing operations involving Personal data. The objective of the Principles relating to processing of Personal data specified in this Policy is to guide and raise awareness with regard to processing of Personal data among the officials and representatives of the Company. The objective of this Policy is to ensure security, integrity, and protection of Personal data within the Company.
In connection to potential Personal data protection legislation changes and possible changes of technical standards, the Company provides for constant monitoring of the respective regulations and reviews potential inconsistencies between the Policy and the said regulations.
To fulfil all its obligations under the Regulation and the Act, the Company, as the Controller, identified the main principles relating to processing of Personal data (hereinafter as the “Principles relating to processing of Personal data”) It is the following principles relating to processing of Personal data:
The Company only processes Personal data it needs in order to fulfil its contracts and comply with its legal and contractual obligations and to protect the legitimate interests it pursues.
The Company is especially careful to only process Data subjects’ Personal data necessary to accomplish the purpose of the respective processing.
The Company applies this Personal data minimisation principle also with regard to Personal data provided to the Company on the basis of the consent of the Data subject.
The processed Personal data of Data subjects may include (without limitation) the following categories of Personal data:
In most cases, the Company processes Personal data provided to it in connection with Contract performance or directly by the Data subjects.
The Data subjects’ Personal data can also be obtained from public sources published in compliance with the applicable legislation.
It is in the interest of the Company to process Personal data of Data subjects only for specific and valid purposes. The Company primarily processes Personal data it needs in order to perform its contractual obligations.
The Company also processes certain Personal data of Data subjects whereas such processing is necessary for the purposes of the legitimate interests pursued by the Company as the Controller. If so required with regard to the nature of the processed Personal data, the Company must request a consent from the Data subject to process their Personal data.
The purpose of Personal data processing is the signing and performance of a Contract.
The legal basis of processing is performance of the Contract, as well as legitimate interests of the Company, as the Controller, involving effective communication with Data subjects. In this case, the consent to process Personal data is not required. Provision of Personal data represents a legal or a contractual requirement, and if such data are not provided the Company cannot fulfil its legal obligations arising out of the respective legislation or cannot fulfil a Contract. The Data subject is obliged to provide their Personal data or endure provision of their Personal data in compliance with the Regulation and the Act, whereby if the Personal data are not provided, the Company cannot effectively communicate with the other contractual party or the Data subjects.
The purpose of the processing of Personal data are legitimate interests of the Company.
These are some of the legitimate interests the Company may have:
- protection of the Data subjects’ safety and interests;
- protection of Company property;
- business prudence;
- promotion of goods, services, and reputation of the Company.
The legal basis for processing is the legitimate interests of the Company, which, however, must not override the interests or the fundamental rights of the Data subjects. In this case, the consent to process Personal data is not required.
The purpose of Personal data processing is the fulfilment of the legal obligations imposed on the Company by the respective legal regulations or other legislation.
The legal basis of processing is the fulfilment of the legal obligations of the Company which arise or may arise out of the respective legal regulations or other legislation. In this case, the consent to process Personal data is not required.
The purpose of Personal data processing is direct marketing, i.e. market research and sending of business information using all means of communication including electronic ones. Market research includes assessment of Company activities related to the Company website, data on effectiveness of sent business information and the thereto related output.
The legal basis of processing is the consent of the Data subject. In order to select target Data subjects, segmentation can be performed on the basis of available data (according to age, interests, personal preferences, etc.). This type of processing is optional and the Data subject must volunteer to participate in it and may request that such processing be terminated at any time.
The purpose of Personal data processing is keeping of records and management of litigations and other legal proceedings which the Company pursues in order to establish, exercise or defend its legal claims.
The legal basis of Personal data processing are the legitimate interests of the Company, as the Controller, pursued in order to establish, exercise or defend legal claims. In this case, the consent to process Personal data is not required.
The purpose of Personal data processing is keeping of records of incoming and outgoing mail. The legal basis of the processing is the legitimate interest of the Company, as the Controller, to keep primary and general records of mail in order to have its complete index in observance of the data minimisation rule. The consent to process Personal data is not required. The Data subject is obliged to provide their Personal data, otherwise it may not be possible to send the required mail and keep records of it. The Data subject’s Personal data are not provided to other Recipients.
The purpose of Personal data processing is the due registry management. The legal basis of Personal data processing is the fulfilment of the legal obligation stipulated by the Act No. 395/2002 Coll. on Archives and Registries and on the amendment of certain acts as amended, and by other related special legislation. In this case, the consent to process Personal data is not required. Provision of Personal data represents a legal requirement, and if such data are not provided, the Company cannot fulfil its legal obligations arising out of the respective legislation.
The Data subjects’ Personal data are processed by the Company using its appropriately trained staff, or using contractual or external service providers.
The Data subjects’ Personal data may be processed by the Company and also by Recipients or categories of Recipients, in particular by:
In order to protect the rights and freedoms of natural persons with regard to the processing of Personal data the Company takes appropriate technical and organisational measures to ensure that the requirements of the Regulation and the Act are met. The Company focuses on the security of Personal data processing and makes a constant effort to prevent security incidents that could potentially result in a risk to the rights and freedoms of Data subjects. The security of Personal data processing is regularly audited taking into account the state of the art and the nature of Personal data processing.
All Personal data which the Company obtains from the Data subject are processed while maintaining a high level of organizational and technological security. The Company regularly reviews, and if possible, applies, appropriate safeguards to protect Personal data, which may include encryption or pseudonymization.
The compliance of Personal data processing at the Company with the Regulation and the Act and the other applicable legal regulations of the EU and the internal policies of the Company is monitored by the respective employees nominated by the Company, as the Controller, to supervise Personal data protection.
It is important for the Company that each and every Data subject maintains control over their Personal data and that the Personal data of each Data subject are processed in accordance with the law.
It is in the interest of the Company to allow the Data subjects to exercise their rights in connection to the protection of their Personal data. Should a Data subject wish to exercise some of their rights stipulated in the Regulation or the Act, they may do so by sending an e-mail to privacy@kiuub.com, or by sending a written request to the address of the Company: Kiuub s. r. o., Hlavná 25, Trnava 917 01, Slovak Republic, or by making a call to: +421 907 394 103, or in person at the Company registered office where they can request a meeting with the person in charge of the Personal data protection agenda.
The Data subject is entitled to demand from the Company access to their Personal data. The Data subject has the right to rectification, erasure or limitation of processing of Personal data, as well as the right to object against the processing of Personal data and the right to data portability. The Data subject also has the right to withdraw the consent to process Personal data and the right to lodge a complaint with a Supervisory authority.
The Company will promptly, however, at the latest within one month of receipt of the request, provide the Data subject with information about the measures it took on the basis of the Data subject’s request submitted in accordance with this article of the Policy. If necessary, the said time limit may be extended by two further months. The Company shall inform the Data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data subject.
If the Company does not take action on the request of the Data subject, the Company shall inform the Data subject without delay and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a Supervisory authority and seeking a judicial remedy.
The Data subject has the right to obtain from the Company a confirmation about the processing of their Personal data. If the Company does process such data, the Data subject has the right of access. In this regard, the Data subject has the right to obtain information about the purposes of Personal data processing, categories of Personal data concerned, Recipients or Recipient categories, the expected retention period of Personal data, the existence of Data subject’s rights in connection to Personal data processing, information about the source of data, unless the data were obtained directly from the Data subject, or information about the existence of automated decision-making including Profiling.
The information about Personal data processing is reasonably amended or updated with each change of the above facts.
It is in the interest of the Company to only process accurate and up-to-date Personal data of Data subjects. In this regard, the Data subject has the right to request that the Company immediately rectifies any processed incorrect Personal data of the Data subject or amends incomplete Personal data. In this regard, the Data subject must be reasonably informed about their right to rectification and asked to actively use it upon each contact with the Company.
The Data subject has the right to have erased all their Personal data processed by the Company, if one of the following grounds applies:
a) the Personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed;
b) The Data subject withdraws the consent on which the processing of Personal data is based;
c) The Data subject objects to processing of Personal data;
d) the Personal data are being processed unlawfully;
e) the Personal data must be erased for compliance with a legal obligation;
In connection to meeting the obligations pertaining to the Data subject’s right to erasure, the Company must be able to identify the relevant Personal data in its systems and erase them to meet the requirements of the Regulation and the Act.
However, the Data subject’s Personal data will not be erased, if processing is necessary for:
a) exercising the right of freedom of expression and information;
b) due to legal obligation;
c) the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
d) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
e) establishment, exercise or defence of legal claims of the Company.
If Personal data are erased, the Company must reasonably notify each data Recipient.
The Data subject has the right to request that the Company limits processing of the Data subject’s Personal data in the following cases:
a) the Data subject contests the accuracy of Personal data;
b) the processing is unlawful and the Data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Company no longer needs the Personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims;
d) the Data subject objects to processing of Personal data. In this case the Company limits processing of Personal data until the proportionality test has been completed, i.e. it has been verified whether the legitimate grounds of the Company override those of the Data subject.
If Personal data processing is limited the Company must reasonably notify each data Recipient.
Methods by which to restrict the processing of Personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected Personal data unavailable to users, or temporarily removing published data from the Company website. Further processing of Personal data should be secured in a manner ensuring that the Personal data are not subject to further processing operations and cannot be changed.
Where the processing of Personal data is carried out by automated means and the legal basis of Personal data processing is the consent of the Data subject or performance of a Contract, the Data subject has the right to obtain the Personal data pertaining to him or her which he or she has provided to the Company, in a structured and machine-readable format and have the right to transmit those data to another Controller. Should the Data subject so wish, and where technically feasible, the Company will transfer the Personal data directly to another Controller.
The Data subject has the right to object at any time to processing of Personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, or necessary for the purposes of the legitimate interests pursued by the Company and pertaining to the Data subject. The Data subject also has the right to object at any time to processing of Personal data for purposes of direct marketing. In connection to processing of Personal data pursuant to the first and second sentence the Data subjects can also object to Profiling based on such processing.
Should the Data subject choose to exercise this right, the Company shall no longer process the Personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data subject or grounds for the establishment, exercise or defence of legal claims.
The Data subject shall have the right not to be subject to a decision of the Company based solely on automated processing, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
If the Data subject suspects that the Company processes Personal data unlawfully, they can lodge a complaint with a Supervisory authority. In the territory of the Slovak Republic, the Supervisory authority is the Office for Personal Data Protection of the Slovak Republic. When the Data subject lodges a complaint, the relevant officials and representatives of the Company involved in the processing of the Personal data concerned, shall provide all cooperation necessary to close the proceedings.
When Personal data are being processed, which pursuant to the Regulation and the Act require the consent of the Data subject to be processed, the Company will request from the Data subject their consent to process their Personal data for the respective purpose. Such consent must be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subjects agreement to the processing of their Personal Data. If the Data subject gave their consent to process their Personal data for a specific purpose, they will have the right to withdraw their consent at any time without affecting the lawfulness of processing based on the consent before its withdrawal.
The Company retains Personal data of Data subjects for the duration of their processing, i.e. for a period of time the duration of which depends on the purpose of processing. In general, the Company processes Personal data of Data subjects:
- for the period required by the respective generally binding legal regulation, where Personal data are processed to comply with its legal obligations,
- for the duration of the contractual relationship based on a Contract, or duration of pre- contractual relationship, where Personal data are being processed to perform its contractual obligations;
- for the duration of a legitimate interest pursued by the Company, where Personal data processing is necessary for this purpose;
- for the duration specified in the Data subject’s Consent or until the withdrawal of such Consent, where the Personal data are being processed on the basis of the consent of the Data subject.
To ensure that the Personal data are not kept longer than necessary, time limits will be established by the Company for erasure or for a periodic review of Personal data. Personal data can only be processed while the purpose of their processing exists. After this time period the Personal data will be liquidated without an undue delay in compliance with the Personal data minimisation rule, whereby upon the expiry of the purpose of processing the Personal data will be liquidated in all forms in which they were processed.
The Data subject may at any time request information from the Company regarding the duration of retention of their Personal data.
At the expiry of the respective retention periods the Company may only process the Data subject’s Personal data for compatible or special purposes, such as archiving or statistics.
Personal data of Data subjects may be subject to cross-border transfer to Third countries which guarantee an adequate level of Personal data protection.
In case of such transfer of Personal data to Third countries the Company undertakes to ensure during the transfer an adequate level of protection of the Data subjects’ Personal data.
The Company does not transfer Personal data to any Third countries which don’t guarantee an adequate level of Personal data protection.
If, in the future, the Company does transfer Personal data to Third countries which don’t guarantee an adequate level of Personal data protection, it undertakes to proceed in compliance with the Regulation and the Act and all other generally binding legal regulations.
The Company may use Processors to process Personal data. In this case the relationships between the Processors and the Company are regulated by a contract.
In connection to performance of the Contract, Processors are in particular persons providing services to the Company by virtue of a separate contractual relationship.
The Company undertakes to only cooperate with Processors who have contractually agreed to implemented appropriate technical and organizational measures in such a manner that their processing of Personal data will meet the requirements of the Regulation and the Act and who ensure the protection of the rights of the Data subject.
Besides the Partners, Processors can be for example:
- cloud solution and cloud service providers and other suppliers of technologies and Company website functionality support;
- contractual partners providing different administrative services and performing other activities for the Company;
- contractual partners of the Company providing archiving services,
- companies organizing marketing activities and providers of different marketing tools;
- companies providing to the Company data analysis services for purposes of statistics andreporting;
- companies providing legal, accounting and tax consulting services to the Company;
As part of Contract performance, automated processing of Personal data can take place. The automated processing of Personal data uses automated IT systems, e.g. software, IT applications and other auxiliary systems. The objective of automated processing of Personal data is to ensure efficient performance of the Contract.
In connection with processing of Data subjects’ Personal data the Company does not use decision- making processes based solely on automated processing, including Profiling, which produces legal effects concerning the Data subject or similarly significantly affects the Data subject.
The Company also uses cloud solutions for internal communication and communication with business partners. In order to protect the Personal data shared within such cloud solutions the Company uses state-of-the-art data encryption hardware and software tools, to ensure protection and integrity of the shared (personal) data.
The Company website uses the so-called cookies. Cookies are small text files stored on the Data subject’s computer in a special internet browser folder. Their use, which is fully anonymous, enables the full functionality of the Company website. Cookies thus facilitate use of the Company Website and improve its functionality. Cookies are also used to monitor the behaviour of visitors (as Data subjects) to the Company Website and subsequently personalise its contents, to improve the ease of use of the individual sub-pages of the Company Website, provide log-in functionality, allow customization and limitation of advertisement campaigns and similar functionalities which would otherwise not be possible. The Data subject, naturally, has the right to modify the settings of their internet browser to refuse the use of cookies. If, however, the Data subject refuses all cookies, they will not be able to use the full functionality and all the features of the Company Website.
The Company Website may also contain the so-called web beacons (internet tools helping track the user’s interactions with the Company Website, set cookies, determine the number of visitors or determine how many messages out of the total number of messages sent have been opened, etc.) Web beacons or special code links can be included in leaflets and marketing e-mails of the Company to determine whether the messages have been read, or whether the links therein contained have been clicked.
IP addresses are never provided to any third parties and the Company uses all necessary security measures to ensure their security. The Data subject has the right to information about the use of their IP address.
The Company Website uses, or may use in the future, Google Universal Analytics, i.e. a web analytics service provided by Google Inc. (hereinafter as “Google”). Google Universal Analytics uses cookies - small text files stored on the Data subjects’ computers - to help the Company Website analyse how users navigate and use it. The information created by cookies regarding the use of the Company Website (including the Data subject’s IP address) are usually sent to and stored on Google servers in the United States. When an anonymised IP address is activated at the Company Website, Google first shortens the IP address of the Data subject from an EU member state or from another state of the Agreement on the European Economic Area. Google uses these information to analyse the use of the Company Website by its visitors (Data subjects) to compile an activity report for the Company Website and provide other services related to the use of the Company Website. Only in exceptional cases the full IP address is transferred to a Google server in the USA and shortened there. Google will not associate the Company Website visitor’s IP address with any other data held by Google. Data subjects may refuse the use of cookies by selecting the appropriate settings on their internet browser. If they, however, refuse the use of cookies, they will not be able to use all the features of the Company website. The Company Website users (as Data subjects) may also prevent Google from collecting and using data (cookies and IP addresses) by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=sk. For more information regarding the Privacy and Data Protection Guidelines of Google, please visit https://www.google.com/analytics/terms/gb.html, or https://policies.google.com/technologies/cookies?hl=sk.
-
Should you have any questions related to the protection of your Personal data, please contact the Company using any of the methods available to Data subjects.
The Company may modify, amend or change this Policy in order to incorporate legislation changes, update the purposes and means of Personal data processing or similar. By amending this Policy, the Company does not limit the rights of Data subjects arising out of the Regulation or the Act. Should this Policy be modified, the Company will notify the Data subjects in an appropriate manner, and publish the amended wording at the Company Website.