GDPR

Information on the processing of personal data of data subjects pursuant to §19 and §20 of Act No. 18/2018 Coll. on the protection of personal data and on amending and supplementing certain acts (hereinafter referred to as "the Act") and Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "the Regulation")

The purpose of this information is to provide you with information about what personal data we process, how we handle it, what we use it for, who we may disclose it to, where you can obtain information about personal data and exercise your rights in relation to the processing of personal data.

1. Identification and contact details:

The controller processing personal data is the REGIONAL ORGANIZATION OF TRAVEL TRAFFIC, Main 73, 080 01 Prešov, ID No.: 50076515, +421 910 847 011, info@regionsaris.sk

2. Contact details of the responsible person of the Controller

For matters relating to the processing and protection of personal data, you can contact the Controller's responsible person by email at the following address: info@regionsaris.sk

3. General information

The Controller shall proceed with the processing of personal data in accordance with the Regulation and also in accordance with the Act.

The controller shall obtain the personal data directly from the data subject or from another person who provides them to the controller. All personal data processed by the Data Controller about the Data Subject shall be processed only for justified purposes, for a limited period of time and using the maximum possible level of security, for which the Data Controller has taken appropriate technical, organisational and personnel measures to ensure the level of security and protection of the personal data processed.

4. Purposes of the processing of personal data

The controller processes the personal data of the data subjects solely in accordance with the principle of lawfulness, on the following legal grounds/for the following purposes:

Performance of contractual obligations - The controller processes personal data in the performance of the contract with the data subject, to the extent necessary for the performance of contractual obligations. The processing of personal data in the performance of contractual obligations occurs, for example, in connection with the conclusion of employment contracts or other agreements under the Labour Code with the Operator's employees and their performance, contracts for the performance of functions concluded with members of the Operator's bodies and their performance, the conclusion of various types of contracts under the Commercial Code, the Civil Code and the Copyright Act with the Operator's suppliers or partners and their performance, the conclusion of subsidy contracts with the Ministry of Transport of the Slovak Republic or purchase contracts.

Fulfilling legal obligations - The controller shall also process the personal data of the data subject in the performance of its legal obligations. These legal obligations include, for example, obligations arising from employment and tax law and from regulations related to audits and accounting, and, in relation to the members of the Controller, in particular obligations arising from Act No. 91/2010 Coll. on the promotion of tourism.

Protection of vital interests - the processing of the data subject's personal data may also occur if the Controller protects the vital interests of the data subject.

Legitimate interest of the Controller - The Controller also processes personal data on the basis of a legitimate interest, but only if the processing is necessary for the pursuit of the legitimate interests of the Controller or of a third party, and if those interests are not overridden by the interests or fundamental rights and freedoms of the data subject. The Controller relies on legitimate interest, for example, when monitoring the premises of the Controller's operation for the protection of property, in activities related to the presentation and promotion of the Controller's entity, and in the implementation of direct marketing.

If the data subject objects to the processing of personal data for the purpose of direct marketing, the Controller shall cease further processing of personal data.

Consent to the processing of personal data - The controller shall also process the personal data of the data subject on the basis of the data subject's consent. The controller shall obtain the data subject's consent whenever it is necessary for the processing of personal data. The processing of personal data on the basis of consent occurs, for example, in connection with a visit to the Operator's website when using preference, analytical and marketing cookies, when carrying out direct marketing on the basis of the data subject's consent, when participating in the Operator's competition.

5. Categories of personal data

The controller processes only the personal data that are necessary, always in accordance with the principle of minimisation, so that the Data Controller may fulfil contractual and legal requirements, protect vital interests, if necessary, carry out tasks in the public interest, or process personal data for which the data subject has given consent, or process personal data in whose processing it has a legitimate interest.

The controller processes mainly identification data of natural persons, representatives of legal entities and their contact data - name, surname, address (permanent residence / place of business), date of birth, ID card number, signature, e-mail address, telephone number, or other necessary data.

6. Retention period of personal data

The controller shall store personal data depending on the purpose of the processing of personal data. For the retention period, the Data Controller shall take into account the principle of minimising the retention of personal data, i.e. it shall retain personal data only for the period for which the retention of the personal data is necessary.

The controller shall store personal data in accordance with the requirements of the valid legislation of the Slovak Republic, in particular Act No 395/2002 Coll. on archives and registers and on the amendment of certain acts, which stipulates the retention periods of individual groups of personal data in accordance with the applicable legislation.

7. Rights of data subjects

The protection of personal data of data subjects is governed by the provisions of the Regulation and, in certain cases, the Act.

The data subject may exercise the following rights with the Controller by means of a request:

  • Right of access

The data subject shall have the right to be provided with a copy of the personal data held about him or her by the Data Controller, as well as with information on how the personal data are used by the Data Controller.

  • Right to rectification

The controller shall take appropriate measures to ensure the accuracy, completeness and timeliness of the information held on the data subject. If the personal data held by the Data Controller are inaccurate, incomplete or out of date, the Data Controller shall amend, update or supplement such personal data at the initiative of the data subject.

  • Right to erasure

In certain circumstances, the data subject has the right to request the Data Controller to erase the personal data of the data subject, in particular if the personal data which the Data Controller has obtained about the data subject are no longer necessary for the fulfilment of the original purpose of the processing or if the data subject withdraws his or her consent to the processing of the personal data. However, the data subject's right must be assessed in the light of all the relevant circumstances.

  • Right to restriction of processing

The data subject has the right to request the Controller not to process his or her personal data further.

  • Right to data portability

In certain circumstances, the data subject has the right to transfer personal data to another entity of his or her choice. However, the right of portability only applies to personal data processed by the Controller on the basis of a contract to which the data subject is a party, on the basis of consent granted by the data subject to the Controller or where the Controller processes personal data by automated means.

  • Right to object

The data subject has the right to object to the processing of personal data, for example, in the case of processing of personal data on the basis of legitimate interest (direct marketing) or in the case of processing involving profiling. If the data subject objects to such processing of personal data, the Controller shall no longer process the personal data of the data subject.

  • Rights relating to profiling or automated decision-making

Should the Controller process personal data by profiling or automated decision-making, the data subject shall have the right to refuse automated individual decision-making, including profiling, which produces a legal or similarly significant effect for the data subject. The controller does not currently use automated individual decision-making or profiling when processing personal data.

  • Right to withdraw consent

If the personal data of the data subject are processed by the Controller on the basis of his or her consent, the data subject shall have the right to withdraw his or her consent to further processing of his or her personal data. You may withdraw your consent in writing, by e-mail or orally (in person).

  • Right to lodge a complaint

The data subject may lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, with registered office at Hraničná 12, 820 07 Bratislava 27; website: dataprotection.gov.sk, phone number: 02 3231 3214; e-mail: statny.dozor@pdp.gov.sk.

8. Exercise of the data subject's rights

The data subject may exercise his or her rights with the Controller:

  • in writing, by sending a request to Regional Tourism Organisation Región Šariš, Slovenská 40, 080 01 Prešov,
  • electronically, via the e-mail address info@regionsaris.sk
  • orally, in the premises of the Regional Tourism Organisation Región Šariš, Slovenská 40, 080 01 Prešov.

Unless the Controller notifies the data subject of a longer period in justified cases, the Controller shall provide the data subject with a reply within one month of the date on which the data subject exercised his or her rights.

9. Profiling

The controller does not process personal data by profiling or by any form of automated individual decision-making.

10. Transfers to third countries and international organisations

The Controller does not actively transfer personal data to third countries and international organisations.

For the purpose of using Google Analytics, the personal data of visitors to the Operator's website is transferred to servers in the USA. The level of protection of personal data in the U.S. is comparable to the level of protection in the E.U. On 12 July 2016, the European Commission ruled, pursuant to Article 45 of the Regulation, that there is an adequate level of protection of personal data in the U.S., subject to the conditions and provisions of the so-called "E.U.-U.S. Privacy Shield" in the U.S.

11. Recipients

The personal data of the data subjects may, if necessary, be disclosed to recipients - mainly processors, but also third parties. Processors include mainly companies with which the Controller cooperates - companies providing IT services, legal, tax and accounting services, etc. The Controller exclusively uses processors who have adopted appropriate technical and security measures, through which the requirements of the Regulation, the Act and other regulations relating to the security and protection of personal data are met, to ensure the secure processing of personal data.

Other recipients are mainly public authorities that are authorised to process personal data obtained by the Controller.