Data protection

Privacy Policy

These privacy terms explain how we process personal data when providing our services within the PPA CONTROLL group of companies:

PPA CONTROLL, a.s., with registered office: Vajnorská 137, 830 00 Bratislava, Company ID: 17 055 164, registration: Commercial Register of the Municipal Court Bratislava III, section: Sa, file No. 159/B

PPA ENERGO, s.r.o., with registered office: Vajnorská 137, 830 00 Bratislava, Company ID: 31 368 484, registration: Commercial Register of the Municipal Court Bratislava III, section: Ltd., file No. 6646/B

PPA INŽINIERING, s.r.o., with registered office: Vajnorská 137, 831 04 Bratislava, Company ID: 31 376 045, registration: Commercial Register of the Municipal Court Bratislava III, section: Ltd., file No. 7314/B

PPA TRADE, spol. s r.o., with registered office: Vajnorská 137, 830 00 Bratislava, Company ID: 31 409 776, registration: Commercial Register of the Municipal Court Bratislava III, section: Ltd., file No. 7917/B

PPA POWER, s.r.o., with registered office: Sládkovičova 47, 974 05 Banská Bystrica, Company ID: 31 618 103, registration: Commercial Register of the District Court of Banská Bystrica, section: Ltd., file No. 2302/S

PPA POWER DS, s.r.o., with registered office: Vajnorská 137, 830 00 Bratislava, Company ID: 31 368 514, registration: Commercial Register of the Municipal Court Bratislava III, section: Ltd., file No. 6649/B

PPA BUILDING MANAGEMENT, s.r.o., with registered office: Vajnorská 137, 831 04 Bratislava, Company ID: 35 751 983, registration: Commercial Register of the Municipal Court Bratislava III, section: Ltd., file No. 17810/B

LiV ELEKTRA, a.s., with registered office: Priemyselná 10, 821 09 Bratislava, Company ID: 35 769 840, registration: Commercial Register of the Municipal Court Bratislava III, section: Sa, file No. 2170/B

FTVE 3, s.r.o., with registered office: Vajnorská 137, 831 04 Bratislava, Company ID: 45 879 249, registration: Commercial Register of the District Court Bratislava I, section: Ltd., file No. 78769/B

(hereinafter collectively referred to as "PPA" or "we"). Given that the PPA CONTROLL group consists of several closely interconnected and cooperating companies with their own legal personality, we process your personal data mainly as so-called joint controllers on the basis of an agreement concluded pursuant to Article 26(1) of the EU General Data Protection Regulation ("GDPR").

As a matter of principle, the PPA names one (joint) data controller as your contact point for GDPR requests, and we fulfil our information obligations under Art. 13 and Art. 14 GDPR jointly through this Privacy Policy. For your convenience, we have listed in these Terms and Conditions all common processing purposes for which your personal data may be processed within our group of companies. If you have any questions regarding the protection of your personal data, you can contact our data controller:

Email: dpo@ppa.sk

Telephone number: +421 2 49237123

Correspondence address: Responsible Person (DPO), PPA CONTROLL, a.s., Vajnorská 137, 830 00 Bratislava

The PPA group also includes several so-called "ready-made" companies that have no employees and do not carry out any activities that would involve the processing of personal data.

Our Commitment to Privacy: "Personal Data in Control"

Privacy is very important to us. We do not protect personal data only because it is a legal obligation. We also perceive effective personal data protection in the broader context of our business activity, which is the supply of secure technologies. It is therefore our goal and intention to provide our services in such a way that the basic principles of privacy protection, and in particular personal data protection, are observed in all circumstances. When reviewing our procedures in the area of personal data processing before May 25, 2018, we decided to implement modern, effective and simple measures to ensure compliance with the GDPR. If you are our business partner and are interested in our approach to the new personal data protection regulations, please contact our responsible person.

Why do we process personal data?

The processing of personal data is necessary for us in particular to be able to:

  • provide our services and products and for this purpose process the personal data of our clients, suppliers, business partners, employees and other persons;
  • effectively manage our human resources;
  • fulfill various legal and contractual obligations; and
  • protect our legitimate interests.

For what purposes and on what legal basis, including legitimate interests, do we process personal data?

The overview below explains the purposes of processing within the PPA. These are the so-called joint purposes of processing personal data, for which all PPA companies that have entered into a joint controller agreement are entitled to process personal data to the extent necessary to achieve them. This overview also clearly identifies all legitimate interests that we pursue in processing your personal data, to which you have the right to object. Processing based on legitimate interest is highlighted by underlining in the section of the table "Further explanation of the purpose and legitimate interests".

Purpose
Legal basis
Further explanation of purpose and legitimate interests
Personnel and payroll purposes
Fulfillment of legal obligations and consent
Fulfillment of the employer's legal obligations: It includes the processing of personal data necessary for: (i) registering and deregistering employees in the registers of health insurance companies and the Social Insurance Company, (ii) managing the employees' payroll agenda (calculating wages, processing payroll documents) and maintaining payroll accounting, (iii) processing the tax return and annual tax settlement, if requested by the employee, (iv) recording work accidents and the OHS agenda (e.g. training), (v) providing data to the occupational health service and processing assessments of medical fitness to perform work, (vi) recording the working time fund, including holidays, duration of sick leave, obstacles to work, (vii) processing that is necessary for the fulfillment of any obligation of the employer under the Labor Code (e.g. creating working conditions by setting up a work email and assigning an extension, etc.), (ix) processing that is necessary for the fulfillment of any legal obligation of the employer under the relevant legal regulations, in particular Act No. 595/2003 Coll. on Income Tax, as amended, Act No. 563/2009 Coll. on Tax Administration (Tax Code) and on amendments and supplements to certain acts, as amended, Act No. 580/2004 Coll. on Health Insurance and on amendments and supplements to Act No. 95/2002 Coll. on Insurance and on amendments and supplements to certain acts, as amended, Act No. 5/2004 Coll. on Employment Services and on amendments and supplements to certain acts, as amended, Act No. 576/2004 Coll. on Health Care, Services Related to the Provision of Health Care and on Amendments and Supplements to Certain Acts, as amended, Act No. 577/2004 Coll. on the scope of healthcare paid for under public health insurance and on payments for services related to the provision of healthcare, as amended, (x) keeping and managing employee personal files, (xi) processing personal data necessary for the reimbursement of part of the costs when applying so-called recreational vouchers pursuant to Act No. 91/2010 Coll. on the support of tourism, as amended, (xii) fulfilling the employer's obligations established in the field of public health by state authorities when applying epidemiological measures during the pandemic.

Employee photos: It includes, based on consent, the processing of personal data necessary for: (i) processing of image recordings capturing the likeness of employees on the intranet, user accounts of certain software applications, personal questionnaires, etc., (ii) sharing employee photos within the PPA CONTROLL group of companies, (iii) taking and making available employee photos from company events on the intranet, (iv) publishing stylized employee photos on the website and social networks.
Retention of data about job applicants: It includes the processing of personal data necessary for: (i) obtaining and storing CVs of those interested in employment in the PPA CONTROLL group, (ii) storing CVs of applicants for the purpose of contacting them with a suitable job offer in the future, (iii) processing the email address obtained based on a job recommendation.
Human resources management, evaluation and development
Contract and legitimate interest
Benefits and improvement of the working environment: It includes the processing of personal data necessary in particular for: (i) accommodation at a recreational company cottage in the village of Štrba at discounted prices, (ii) subsidizing the Multisport card with a contribution from the employer and providing basic personal data of employees to the provider of this benefit, Benefit Systems Slovakia s.r.o., (iii) providing a contribution for children's recreation, (iv) providing benefits for work and life anniversaries, (v) providing a contribution for the birth of a child, (vi) providing a contribution of EUR 100 for one's own wedding, (vii) providing a package of school supplies for a school-age child, (viii) providing so-called Santa Claus packages for minor children of employees. Personal data of minor children of employees are processed only with the consent of their legal representative, (xi) sending congratulatory emails or messages to employees or co-workers.
Employer control mechanisms: It includes the processing of personal data necessary, in particular, to verify compliance with work discipline and proper compliance with the employee's work obligations under the employment contract and/or internal regulations of the PPA during the duration of the employment relationship, specifically for: (i) electronic control of compliance with established working hours through attendance systems, (ii) control of compliance with OSH on construction sites, (iii) control of the presence of alcohol in the employee's breath during working hours, (iv) control of the use of the entrusted motor vehicle through GPS monitoring, (v) monitoring of electronic communication, (vi) control of the eligibility of excessive exceeding of flat rates and data services, (vii) control of expenses paid with a company payment card.

Identity verification via electronic access control system: It includes the processing of personal data necessary in particular to verify the employee's attendance by taking a photograph of the employee for the purpose of assessing the entitlement to payment of wages and preventing misuse of assigned access cards, as well as verifying the identity of persons as external human resources for the purpose of fulfilling the security and technical requirements for the performance of work or. work. The electronic attendance system does not contain functionalities for automated processing of personal data, nor does it use biometric technology for the identification or authentication of the person concerned or for any other processing activity. The image of the employee's and external supplier's face taken is in the nature of an ordinary digital photograph and serves as an authenticator for verifying the actual use of the assigned access card, so that it is not possible to circumvent system measures, e.g. by lending assigned cards to other persons. Such identity verification can be carried out via a static terminal or mobile device, where, in addition to a photograph of the employee or the purchased service, data on the location of the person concerned is also processed at the moment of identification based on the recording of GPS coordinates.

Agenda of purchased services: It includes the processing of personal data necessary in particular for: (i) cooperation and coordination of external human resources that participate in the delivery of services for larger contracts of the PPA CONTROLL group, (ii) recording necessary personal data and documents on professional competence, completed training for the performance of work of a specific supplier, or its employees, (iii) processing permits for entry into nuclear power plant facilities, (ii) central recording and sharing of basic data on external self-employed persons, (iv) storage of data after the end of cooperation for the purposes of approaching new contracts in the future based on consent.

Education: It includes the processing of personal data necessary in particular for: (i) deepening knowledge in the field of personal data protection, internal PPA regulations and security measures, including in the form of e-learning, (ii) providing language education and various training courses supporting the improvement of qualifications and soft skills of employees.

Sharing employee data for internal administrative purposes: It includes the processing of personal data necessary in particular for: (i) cooperation between PPA's personnel departments in the development, management, evaluation, and remuneration of employees, (ii) use of information on professional qualifications in the sharing of human resources between several companies in the PPA group, (iii) sharing of basic contact and work data about employees within PPA for the needs of internal work communication, (iv) sharing of data related to payroll accounting in optimizing the use of personnel capacity for the administration and processing of this agenda and the preparation of statistics and reports for the needs of PPA.
Fulfillment of legal obligations
Fulfillment of legal obligations
Radiation Protection Agenda: It includes the processing of personal data necessary to fulfill the Operator's obligations under Act No. 87/2018 Coll. on Radiation Protection and on Amendments to Certain Acts, as amended (hereinafter referred to as the "Radiation Protection Act") and Decree No. 99/2018 Coll. on Ensuring Radiation Protection (hereinafter referred to as the "Radiation Protection Decree"), in particular for: (i) processing applications for the issuance of a document on the personal benefits of a worker (a new replacement for the so-called "personal radiation cards") in relation to the relevant Public Health Office of the Slovak Republic, (ii) the division and registration of the Operator's workers into category A or B pursuant to Section 17(3) of the Act. 23 of the Radiation Protection Decree, (iii) processing and reporting the results of personal doses from the dose burden records, which should be reported to the Operator by the operator of the controlled zone, (iii) fulfilling notification obligations on the planned performance of work activities leading to radiation exposure pursuant to Section 5, paragraph 23 of the Radiation Protection Act or on urgent one-off performance pursuant to Section 6, paragraph 23 of the Radiation Protection Act, or also fulfilling other notification obligations stipulated in Section XNUMX of the Radiation Protection Act, (iv) ensuring dosimetric measurement of the Operator's workers while working in the so-called controlled zone. dosimetric service, including in the form of a sub-intermediary and processing the results of such personal monitoring through data reported from the dose burden records kept by the operator of the controlled zone, (v) fulfilling all obligations of the employer of external workers in relation to the operator of the controlled zone (e.g. submitting the results of personal monitoring, if they have already been monitored in the past, and the results of a preventive medical examination and lists of workers who are to enter the controlled zone), (vi) providing cooperation and information and personal data on behalf of the Operator to authorized state bodies exercising public power in supervising the fulfillment of these legal obligations stipulated by the Radiation Protection Act and the Radiation Protection Decree; (viii) any other fulfillment of the Operator's legal obligation stipulated by the Radiation Protection Act or the Radiation Protection Decree, which will be based on the agreement of the contracting parties and will also constitute the subject of personal data processing under this contract, (ix) assisting in the fulfillment of various obligations associated with entry into the controlled area of a nuclear power plant (e.g. processing applications for long-term entry into the KP SE for employees of external service providers, etc.).

Agenda of the economic mobilization entity: It includes the processing of personal data by LiV ELEKTRA, a.s., necessary for the fulfillment of obligations under Act No. 179/2011 Coll. on economic mobilization and amending Act No. 387/2002 Coll. on state management in crisis situations outside wartime and state of war, as amended, in particular: i) processing and storing personal data of employees of the economic mobilization entity or natural persons pursuant to Section 7, paragraph 10 of the Economic Mobilization Act, ii) processing data on the person responsible for maintaining the user account in the economic mobilization information system, iii) any other fulfillment of a legal obligation stipulated by the Economic Mobilization Act, or other legal regulations applicable to this purpose of data processing.
Reporting and recording anti-social activity (whistleblowing): It includes the processing of personal data necessary in particular for: (i) performing acts related to the protection of whistleblowers by employers pursuant to Section 7 of Act No. 54/2019 Coll. on the protection of whistleblowers and on amendments and supplements to certain acts, as amended, (ii) receiving, evaluating and recording notifications within the internal notification review system, including keeping records of received notifications for a period of 3 years.

Data subjects' rights agenda: It includes the processing of personal data in the context of: (i) handling requests from data subjects made under the GDPR and related communications, (ii) recording consents, objections or withdrawals of consents, (iii) obtaining the views of data subjects, e.g. in impact assessments, (iv) reporting and documenting personal data breaches, (v) keeping records of instruction or information of authorized recipients of personal data.

Accounting and tax purposes: It includes the processing of personal data necessary in particular for: (i) recording and using accounting documents pursuant to Section 35 of Act No. 431/2002 Coll. on accounting, as amended, (ii) storing invoices pursuant to Section 76(1) of Act No. 222/2004 Coll. on value added tax, as amended, (iii) any processing of personal data necessary for the fulfillment of the obligations of a taxpayer pursuant to Act No. 595/2003 Coll. on income tax, as amended, (iv) any processing of personal data necessary for the fulfillment of the obligations of a tax subject pursuant to Act No. 563/2009 Coll. on tax administration (tax code) and on amendments and supplements to certain acts, as amended.

Registration of shareholders - natural persons: It includes the processing of personal data of shareholders in the lists of shareholders of registered paper shares, which a joint-stock company is obliged to maintain pursuant to Act No. 513/1991 Coll. Commercial Code, as amended (hereinafter referred to as the "Commercial Code") and Act No. 566/2001 on securities and investment services and on amendments and supplements to certain acts (Securities Act), as amended.

Book of accommodated persons and reporting of foreigners to the authorities of the Ministry of the Interior of the Slovak Republic: It includes the processing of personal data necessary to fulfill the legal obligations of the accommodation provider pursuant to Section 24, Paragraph 1 and Paragraph 2 of Act No. 253/1998 Coll. on the registration of the residence of citizens of the Slovak Republic and the register of residents of the Slovak Republic, as amended.
Establishing, exercising and defending legal claims
Legitimate interest and contract
Legal agenda: It includes the processing of personal data in particular for: (i) ensuring the typical agenda of the internal legal department, (ii) checking legal matters and internal legal advice, (iii) reporting various facts to public authorities (including notifications of various torts and crimes) or insurance companies (e.g. insurance claims), (iv) using legal representation and legal advice from law firms; (v) performing due diligence, including providing data to potential buyers and their advisors, e.g. when selling a business, shares or portfolio of assets owned by PPA CONTROLL, (vi) managing the corporate agenda and fulfilling all obligations under the Commercial Code (e.g. general meetings and invitations, annual reports), (vii) preparing, securing and storing various legal filings and evidence containing personal data, (viii) collecting receivables, (ix) sending summonses and reminders for unpaid payments, (x) conducting various administrative proceedings, litigation and other legal proceedings (e.g. concluding settlements, settlement agreements, payment schedules), (xi) verifying facts before a notary and providing official translations, (xii) processing visas for employees posted to third countries.

Contract agenda: It includes the processing of personal data necessary in particular for: (i) concluding, amending and fulfilling any contract concluded between the Operator and the data subject, (ii) approving and revising contracts by the legal department, (iii) communicating between the contracting parties, including processing data on contact persons and statutory officers of the contracting parties, and further processing of personal data necessary for the proper conclusion, fulfilment and changing of contractual relationships in which the data subjects do not act as contracting parties to the given legal relationship, (iv) recording of internal and external powers of attorney, (v) recording of supplier-customer contractual relationships between the Operator and its customers, partners and suppliers.

Client care: It includes the processing of personal data necessary in particular for: (i) handling and resolving various claims and complaints regarding the progress of orders beyond the scope of consumer protection rights for B2B customers, (ii) sending and evaluating customer satisfaction questionnaires after the completion of a business case.
Protection of property and security
Fulfillment of legal obligations and legitimate interest
Camera systems: It includes the processing of personal data necessary in particular for: (i) the operation of camera systems monitoring clearly marked, defined premises and objects used in the business activities of the PPA CONTROLL group.

Physical access control: It includes the processing of personal data necessary in particular for: (i) recording personal data of external visitors entering protected areas and facilities of PPA CONTROLL, (ii) providing personal data to nuclear power plant operators to allow entry to a specific person.

IT security: It includes the processing of personal data necessary in particular for: (i) managing, withdrawing and managing access rights, (ii) monitoring and evaluating suspicious events based on log analysis through specific program applications using the SIEM solution, (iii) creating security logs capturing user behavior in important applications and systems, (iv) creating security backups, including special backups on LTO tapes. During this processing, we create and store special data backups including any personal data processed by PPA originally for purposes other than IT security backups. As part of this backup, these LTO tapes are stored in a secure location different from the physical storage location of operational data under the conditions of compliance with the use of data "out of use", (v) vulnerability scanning and anti-malware activity, (vi) management of security incidents and personal data protection violations, (vi) managerial management of information security in the PPA CONTROLL group, (vii) penetration testing and performance of security audits with the possibility of access to protected data.

Software development, improvement and testing: It includes the processing of personal data necessary in particular for: (i) development, improvement and testing of our own applications created by PPA CONTROLL employees for our needs, (ii) integration and configuration tests of corporate information systems by intermediaries during migration from old systems, (iii) service interventions and ongoing software modifications performed by remote access by our intermediaries based on our requirements and instructions, (iv) system recovery tests based on backed up data.
Marketing and PR purposes
Consent and legitimate interest
Direct marketing communication: It includes the processing of personal data necessary in particular for: (i) customizing and sending marketing electronic mail (e-mail, SMS) to existing customers in compliance with the restrictions of the regulation of unsolicited electronic communication or to other interested parties who have given their prior consent, (ii) creating, customizing and sending leaflets or printed addressable forms of marketing.

Targeting and personalizing advertising content: It includes the processing of personal data necessary in particular for: (i) personalising and displaying advertising on social networks and YouTube, (iv) personalising and displaying banner advertising and sponsored links when searching while using the internet. Where the law requires us to obtain consent to cookies, we use consent that meets the requirements of the GDPR as the legal basis; we consider any further processing of personal data to be our legitimate interest.

Raising awareness about the PPA CONTROLL group: It includes the processing of personal data necessary in particular for: (i) management and administration of content on official profiles established on social networks (e.g. FB, LinkedIn) and broadcasting channels (YouTube), (ii) organizing events, including sending invitations to the event even without consent and taking photos and videos capturing event participants and publishing them for promotion (usually based on consent), (iii) publishing content and posts containing personal data as part of various PR content (PR articles, press releases, posts published on social networks).
Statistical purposes
Legal basis for the original purposes set out above in conjunction with recital 50 GDPR and Art. 89 GDPR
It includes the processing of personal data necessary in particular for: (i) compiling statistical outputs, statements, reports, analyses and various working and analytical documents necessary for internal statistical purposes of the PPA CONTROLL group, state authorities and other legal entities, (ii) creating anonymised and aggregated statistical data from personal data processed for other legitimate purposes of processing personal data which have a legal basis and of which the data subjects have been duly informed in accordance with recital 50 and Article 89 of the GDPR.
Archival purposes
Legal basis for the original purposes set out above in conjunction with recital 50 GDPR and Art. 89 GDPR
It includes the processing of personal data necessary in particular for: (i) storing registry records according to the periods specified in the registry plan (registry management), (ii) storing records of incoming mail, (iii) destroying registry records after the expiry of the storage periods, (iv) transferring archival documents to state archives, (v) disposal proceedings, (vi) re-accessing and using registry or archival documents subject to the conditions of the compatibility test (e.g. for the purposes of proving, exercising and defending legal claims).

To whom we provide your personal data

We take the confidentiality of personal data very seriously and have therefore adopted internal policies that ensure that your personal data is only shared with authorised PPA Group employees or vetted third parties. Our employees and workers may only have access to your personal data on a "need-to-know" basis, i.e. only authorized employees of a specific department to which the processing of personal data is related may have authorized access, and this access is typically limited by the position, function and job description of the specific employee. We provide personal data of our clients, employees, business partners and other individuals only to the extent necessary to the following categories of recipients of personal data:

  • other companies belonging to the PPA group based on a joint operator agreement;
  • social network operators;
  • providers of software development, improvement and testing services;
  • our professional advisors (e.g. lawyers, auditors);
  • payroll and accounting companies;
  • providers of various software and cloud services (e.g. Microsoft OneDrive and SharePoint);
  • providers of technical (IT), organizational (event agency) and marketing support;
  • our other verified and duly legally bound intermediaries;
  • institutions in fulfilling our legal obligations as an employer, e.g. Social Insurance Institution, pension management companies, supplementary pension savings banks, health insurance companies;
  • the Ministry of Economy of the Slovak Republic as the administrator of the Unified Information System for Economic Mobilization;
  • banks and payment service providers;
  • notaries, bailiffs, experts, bankruptcy administrators, official translators, interpreters, if necessary for proving, exercising or defending our legal claims;
  • postal carriers and courier services;
  • employees of the above-mentioned persons.

If we use a processor to process personal data, we always check in advance whether the processor meets the organizational and technical requirements in terms of ensuring the security of the processing of your personal data. If we use our own recipients (internal staff of the PPA Group) to process personal data, your personal data is always processed on the basis of authorizations and instructions, by which we inform our recipients not only about the internal rules for the protection of personal data, but also about their legal liability for their violation. If we are asked by a public authority to disclose your personal data, we examine the conditions set out in the legislation for their disclosure and do not provide your personal data without checking whether the conditions are met. If you are interested in information regarding our current processors, please do not hesitate to contact us through our responsible person.

To which countries do we transfer your personal data?

By default, we do not transfer personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein) unless it is necessary. However, in some cases, cross-border transfers of personal data to third countries may be necessary. For example, if you are our employee and/or supplier who we need to send to a third country in order to fulfil our obligations to our clients in third countries and we need to carry out a visa process with your personal data, we must provide your personal data to the authorities in the third country via consulates or embassies. Although we have never experienced any problems with the misuse of any personal data in these countries, according to the decisions of the European Commission, these countries are considered not to ensure an adequate level of protection (of personal data) and therefore we must proceed on the basis of adequate safeguards pursuant to Art. 47 GDPR or on the basis of exceptions for specific situations pursuant to Art. 49 GDPR. As a standard, we therefore strive to conclude so-called standard contractual clauses approved by the European Commission with data importers in a third country and, if this is not possible, you will be asked in advance to grant specific informed consent to carry out such processing operations in accordance with Article 49(1)(a) of the GDPR, unless you are among the employees with whom we have concluded specific employment contracts, the performance of which also requires the cross-border transfer of the employee's personal data to a third country.

Furthermore, we may also carry out cross-border transfers to third countries that guarantee an adequate level of protection of personal data based on European Commission adequacy decisions in accordance with Article 45 of the GDPR, specifically the United Kingdom due to the use of the intermediary Chancellors LLP.

In addition, we use secure cloud services from a verified provider with servers located in the EU jurisdiction; however, cross-border data transfers to the USA may also occur on the part of the cloud service provider Microsoft Inc., which is our intermediary. This may also occur when using other services from various companies. On July 10, 2023, the European Commission adopted a new implementing decision approving the “EU-US Data Privacy Framework”, which constitutes an adequacy decision under Art. 45 GDPR. On its basis, transfers of personal data to certified organizations (data importers) in the USA can be carried out without the need for further authorization or the need to adopt additional safeguards and measures. If we cannot rely on the European Commission’s decision on the adequacy of a third country under Art. 45 GDPR, we require the adoption of specific safeguards under Art. 46 GDPR (most often so-called standard contractual clauses) or Art. 47 (so-called binding corporate rules) and, if necessary, the adoption of additional measures to protect the rights and freedoms of data subjects. An overview of such importers and the safeguards applicable to transfers of personal data to the USA can be found in the overview table below:

| Merchant / Privacy Policy | Appropriate specific legal safeguards within the meaning of Article 46 GDPR or Article 47 GDPR | Adequacy decision pursuant to Article 45 GDPR |
| --- | --- | --- |
| Crowdstrike, Inc. | Standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR. https://www.crowdstrike.com/data-protection-agreement/ | Yes, it applies to CrowdStrike Inc. The data importer's registration with the EU-US Data Privacy Framework can be verified here: Data Privacy Framework |
| Google | New type standard contractual clauses approved by decision of the European Commission (module 1 and module 2) and appropriate additional measures together with an explanation of suitable settings for Google Analytics. | Yes, it applies to Google, LLC and all of its US subsidiaries. The data importer's registration with the EU-US Data Privacy Framework can be verified here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active; European Commission Decision on the EU-US Data Privacy Framework_en.pdf (europa.eu) |
| Meta Platforms Inc. | Standard contractual clauses approved by the European Commission Decision (2010/87/EC of 5 February 2010) and new standard contractual clauses (module 3) inserted in Facebook's European Data Transfer Addendum as well as the additional measures explained here: Explanation of standard contractual clauses; Explanation of the additional measures taken; Information for law enforcement authorities; Information about law enforcement requests for customer data | Yes, it applies to Meta Platforms, Inc. The data importer's registration with the EU-US Data Privacy Framework can be verified here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active; European Commission Decision on the EU-US Data Privacy Framework_en.pdf (europa.eu) |
| LinkedIn Corporation | Standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR. https://www.linkedin.com/legal/l/dpa; https://www.linkedin.com/help/linkedin/answer/62533/eu-eea-and-swiss-data-transfers?lang=en | Yes, it applies to LinkedIn Corporation. The data importer's registration with the EU-US Data Privacy Framework can be verified here: Data Privacy Framework |
| Microsoft Corporation | Microsoft has concluded with the Operator the Data Protection Supplement for Online Services of December 9, 2020 and the Privacy Supplement for Microsoft Products and Services of September 15, 2021, under which Microsoft undertakes to provide adequate guarantees through standard contractual clauses on data protection, which were adopted pursuant to European Commission Decision No. 2010/87/EU (hereinafter referred to as the "SCC") and has also contractually committed to comply with the obligations arising from the new type of SCC (Module 3 P2P), declaring their conclusion between Microsoft Corporation and Microsoft Ireland Operations Limited in DPA as well as other additional measures: information regarding the transfer of personal data to the USA regarding the use of SCC; enforcement information reports; Approved Code of Conduct for Cloud Computing Providers | Yes, it applies to Microsoft Corporation. The data importer's registration with the EU-US Data Privacy Framework can be verified here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active; European Commission Decision on the EU-US Data Privacy Framework_en.pdf (europa.eu) |
| Proofpoint | Standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR. https://www.proofpoint.com/us/legal/trust/dpa | Yes, it applies to Proofpoint Inc. The data importer's registration with the EU-US Data Privacy Framework can be verified here: Data Privacy Framework |
| Rapid7 | Standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR. https://www.rapid7.com/legal/dpa/ | Yes, it applies to Rapid7 Inc. The data importer's registration with the EU-US Data Privacy Framework can be verified here: Data Privacy Framework |
| Tenable | Standard Contractual Clauses approved by the European Commission pursuant to Article 46(2)(c) GDPR. https://static.tenable.com/prod_docs/Tenable-Master-Agreement-Data-Processing-Addendum-9-24-2021.pdf; https://www.tenable.com/gdpr-alignment | Yes, it applies to Tenable Inc. The data importer's registration with the EU-US Data Privacy Framework can be verified here: Data Privacy Framework |

[1] Recommendation No 1/2020 of the European Data Protection Board on measures supplementing the transfer instruments to ensure compliance with the level of personal data protection in the EU

How long do we keep your personal data?

We store personal data for no longer than is necessary for the purposes for which the personal data are processed. In general, the retention period is determined by law. If not specified by law, the retention period for your personal data is always determined by us in relation to the specific purposes through our group internal policy and/or our registry plan. If we process your personal data on the basis of consent, after its withdrawal we are obliged to no longer process the personal data for the given purpose. However, this does not exclude that we cannot further process your personal data on another legal basis, in particular if it concerns the fulfillment of legal obligations.

The general retention periods for personal data for the purposes of personal data processing defined by us are as follows:

| Purpose of processing personal data | Maximum retention periods for personal data |
| --- | --- |
| Personnel and payroll purposes: Fulfillment of the employer's legal obligations | In general, during the duration of the employment relationship and the expiry of the statutory retention periods for certain types of documents, e.g. pay slips and the employee's personal file are kept for 70 years from the employee's birth. Unnecessary data is deleted from the personal file and personnel systems at the latest upon termination of the employment relationship. |
| Employee photos | Until you withdraw your consent to the processing of personal data or until your employment ends - whichever comes first. |
| Retention of data on job applicants | Until consent is withdrawn or 3 years have passed since the start of processing, whichever comes first. |
| Human resources management, evaluation and development: Benefits and improving the working environment | Until the objection to the processing of personal data is resolved, if in a specific case the rights and freedoms of the data subject prevail - otherwise until the termination of the employment relationship or the termination of the provision of benefits. The data of minor children of employees will be deleted earlier even if the legal representative withdraws their consent to their processing. |
| Employer control mechanisms | Until the objection to the processing is resolved, if the rights and freedoms of the data subject prevail in a specific case - otherwise until the termination of the employment relationship. In the case of using personal data to establish legal liability against the employee, the data obtained in this way may be processed for a longer period for the compatible purposes of proving, exercising and defending legal claims. |
| Identity verification via electronic access control system | Until the objection to processing is processed, if in a specific case the rights and freedoms of the data subject prevail - otherwise by the 15th day of the month immediately following the month in which the photograph was taken. |
| Education | Until the objection to processing is resolved, if the rights and freedoms of the data subject prevail in a specific case - otherwise until the termination of the employment relationship. |
| Purchased services agenda | Until the termination of the contractual relationship with the data subject or until the withdrawal of consent, if the data subject has agreed to the storage of their contact details even after the termination of cooperation. |
| Sharing employee data for internal administrative purposes | During the duration of the employment relationship. |
| Fulfillment of legal obligations: Radiation Protection Agenda | 5 years after termination of employment. |
| Agenda of the economic mobilization entity | At most for a period that is in accordance with Act No. 179/2011 Coll. on economic mobilization and amending Act No. 387/2002 Coll. on state management in crisis situations outside wartime and a state of war, as amended. |
| Reporting and recording anti-social activity (whistleblowing) | 3 years from the date of receipt of the complaint.[1] |
| Data Subject Rights Agenda (GDPR) | 3 years from the date of processing the request of the data subject. |
| Registration of shareholders - natural persons | During the duration of the shareholder's legal relationship and 12 months after losing shareholder status [2], without prejudice to longer storage of data for archival purposes. |
| Book of accommodated persons and reporting of foreigners to the authorities of the Ministry of the Interior of the Slovak Republic | At most during the period determined by the relevant municipal council in accordance with Section 43 of Act No. 582/2004 Coll. on local taxes and local fees for municipal waste and small construction waste, as amended, and in relation to personal data of foreigners, which we notify to the relevant state authorities pursuant to Section 24, paragraph 2 of Act No. 253/1998 Coll. on reporting the residence of citizens of the Slovak Republic and the register of residents of the Slovak Republic, as amended, for a period of 2 years. |
| Accounting and tax purposes | During the ten years following the accounting year to which the accounting documents, accounting books, lists of accounting books, lists of numerical characters or other symbols and abbreviations used in accounting, depreciation plan, inventory lists, inventory entries, accounting schedule relate. |
| Establishing, exercising and defending legal claims: Legal agenda | Until the legal claim becomes statute-barred, the right is properly exercised and the legal claim is satisfied, or the legal matter is concluded on the merits and available remedies are exhausted. |
| Contract agenda | Until the termination of the contractual relationship or until an objection is filed to the processing, if in a specific case the rights and freedoms of the data subject prevail. |
| Client care | Until the evaluation of customer satisfaction questionnaires after the completion of the contract - no longer than 1 year from the completion of the contract. |
| Protection of property and security: Camera systems | Maximum 72 hours. In special cases of monitoring the exterior of a protected object, 7 days, and in the case of separate guarded areas in selected buildings, up to 30 days. |
| Physical access control | Maximum 1 year. |
| IT security | Maximum 1 year. Data stored on LTO tapes can be kept in a limited mode until overwritten by new backup data – e.g. once every 6 months. |
| Software development, improvement and testing | Until the development, improvement and testing of the software is completed. Unnecessary data is regularly deleted at least once a year. |
| Marketing and PR purposes: Direct marketing communication | Until you object to direct marketing or withdraw your consent to the processing of personal data, if consent is the legal basis for the processing. |
| Targeting and personalizing advertising content | Until the withdrawal of consent, if consent is the legal basis for processing or until the expiration of the period of use of cookies - whichever occurs first. Until the proper handling of an objection to the processing of personal data, if the legal basis is legitimate interest. |
| Raising awareness of the PPA CONTROLL group | Until the objection to processing is processed, if the rights and freedoms of the data subject prevail in a specific case. Unnecessary data is deleted at least once a year. |
| Statistical purposes | During the duration/existence of other processing purposes, while we minimize their storage until the necessary statistical output is created; this does not affect the possibility of storing the personal data used for the original processing purposes. |
| Archival purposes | For the duration of the original purposes of the processing, the statutory period or the storage period set out in the registration plan. The registration plan is available to the data subject upon request. |

The above retention periods only set out general periods during which personal data is processed for the given purposes. In fact, we proceed to destroy or anonymize personal data before the expiry of these general periods if we no longer consider the personal data to be necessary for the above-mentioned purposes of processing. On the contrary, in some specific situations we may retain your personal data for a longer period than stated above, if required by law or our legitimate interest. If you are interested in information regarding the specific retention period for the storage of your personal data, please do not hesitate to contact us via our data protection officer.

[1] Section 11, paragraph 1 of Act No. 54/2019 Coll. on the protection of whistleblowers of antisocial activities, amending and supplementing certain acts, as amended

[2] Section 107o, paragraph 15 of Act No. 566/2001 Coll. on securities and investment services and on amendments and supplements to certain acts (Securities Act), as amended

How we collect personal data about you

We most often collect your personal data directly from you. In such cases, the collection of personal data is voluntary. You can provide personal data to our company in various ways, e.g.:

  • by registering on our website (as a job seeker);
  • in the process of concluding a contract with our company;
  • communicating with you;
  • participation in events organized by our company;
  • participating in our company's activities on the social network and our website if you consent to cookies;
  • by using the social networks Facebook and LinkedIn in accordance with their terms of use;
  • by sending a contact form with your comments, inquiries or questions.

However, we may also obtain your personal data from your employer or from the company in connection with which we process your personal data. Most often, these are cases where we conclude or negotiate a contractual relationship or its terms with the given company. If the acquisition of personal data concerns a contractual relationship, it is most often a contractual requirement or a requirement that is necessary for the conclusion of a contract. Failure to provide personal data (whether yours or your colleagues') may have negative consequences for the organization you represent, as the conclusion or implementation of the contractual relationship may not occur. If you are a member of the statutory body of an organization that is our contractual party or with which we are negotiating the conclusion of a contractual relationship, we may obtain your personal data from publicly available sources and registers. We may also obtain personal data about you from an acquaintance who recommends our offer for an open job position to you, while the person concerned will do so in the context of protecting his or her own interests and with the consent of the person concerned. In this case, we will only process your email address. We will not systematically process any randomly obtained personal data for any purpose of personal data processing defined by us.

What rights do you have as a data subject?

The GDPR establishes general conditions for the exercise of your individual rights. However, their existence does not automatically mean that we will comply with them when exercising individual rights, as exceptions may apply in a specific case, or some rights are linked to specific conditions that may not be met in every case. We will always deal with and examine your request regarding a specific right from the perspective of legal regulation and our internal policy for handling complaints from data subjects. As a data subject, you have in particular:

  • the right to request access to the personal data we process about you pursuant to Article 15 of the GDPR. This right includes the right to obtain confirmation as to whether we are processing personal data about you, the right to access that data and the right to obtain a copy of the personal data we process about you, where technically feasible;
  • the right to rectification and completion of personal data pursuant to Article 16 of the GDPR if we process incorrect or incomplete personal data about you;
  • the right to erasure of your personal data pursuant to Article 17 of the GDPR;
  • the right to restrict the processing of personal data pursuant to Article 18 of the GDPR;
  • the right to data portability under Article 20 GDPR.

If we process personal data about you based on your consent to the processing of personal data, you have the right to withdraw your consent at any time. However, its withdrawal does not affect the lawfulness of the processing of personal data before its withdrawal. You have the right to effectively object at any time to the processing of personal data for direct marketing purposes, including profiling.

You also have the right to object to the processing of your personal data based on the legitimate interests we pursue, as explained above. You also have this right in relation to the processing of your personal data based on the legal basis of public interest. In the event of an objection or upon request, we will be happy to show you the conclusions from our balancing test demonstrating the predominance of the pursued legitimate interest.

If you believe that we are processing incorrect personal data about you, having regard to the purpose and circumstances, and you cannot change such personal data through the functions of the application, account or website, you may request the correction of incorrect or completion of incomplete personal data using the additional statement below (all information is voluntary) and/or contact us via our contact details:

Supplementary statement on correction of personal data
Your name and surname: 
Contact information: 
Relevant purpose of processing of the PPA group: Please indicate which PPA group processing purpose your request relates to.
Context or relationship between you and the PPA group: Please indicate whether you are our employee, business partner, job seeker, etc.
Nature of your correction: Please explain whether you are requesting the correction of incorrect personal data or the completion of incomplete personal data.
Context of your correction request: Please explain why you believe we are processing your incorrect or incomplete personal data.
Correction: Please indicate which specific personal data you would like to correct or supplement.
Please send this supplementary statement on correction of personal data to us at dpo@ppa.sk

You also have the right to file a complaint with the Personal Data Protection Office of the Slovak Republic at any time or file a lawsuit with the competent court. In any case, we recommend that any disputes, questions or objections be resolved primarily by communicating with us.

Is automated individual decision-making taking place?

No, we currently do not carry out processing operations that would result in decisions having legal effects or other significant effects on you, which would be based solely on fully automated processing of your personal data pursuant to Article 22 of the GDPR.

External websites

Our websites may contain links to other websites and/or services of other providers (e.g. reCAPTCHA from Google Inc.). We are not responsible for the content and administration of websites or services of other providers to which we link. These privacy terms do not apply to the processing of personal data within the framework of your movement on other websites.

How do we protect your personal data?

It is our obligation to protect your personal data in an appropriate manner and for this reason we pay due attention to their protection. Our company has implemented generally accepted technical and organizational standards in order to maintain the security of processed personal data, in particular against their loss, misuse, unauthorized modification, destruction or other impact on the rights and freedoms of the data subjects. In situations where sensitive data is transferred, we use encryption technologies. Your personal data is stored on our secure servers or servers of our website operators located in data centers located in the Slovak Republic and the Czech Republic. In the case of using third-party analytical tools, the data is stored on third-party servers (see cookies).

How do we use cookies?

The law states that we can store cookies on your device if they are strictly necessary for the operation and proper functioning of our website that you wish to view. For all other types of cookies, we need your consent, which you can freely grant or withdraw at any time and just as easily via the cookie bar, which should always be displayed when you first visit our website or whenever you use the "Cookie settings" function (in the lower right corner of the screen). Our website uses different types of cookies. For more information on how we process cookies in accordance with GDPR and e-Privacy regulations, please view Information about the use of cookies.

Social networks

We recommend that you familiarize yourself with the privacy policies of the social media platform providers through which we communicate. Our privacy policies only explain basic issues related to the management of our profiles or our clients' profiles. We only have typical administrator rights when processing your personal data through our or client profiles. We assume that by using social networks you understand that your personal data is primarily processed by social media platform providers (such as Facebook and LinkedIn) and that we have no control over and are not responsible for this processing, the further provision of your personal data to third parties and the cross-border transfer to third countries carried out by these social media platform providers for their own purposes. PPA is not interested in processing your personal data from a special category of personal data on any social network profile. Any additional information provided by you that would reveal such sensitive data will be considered as an accidental acquisition of the so-called observed data, which will not be further systematically processed, except for their deletion or anonymization.

Facebook and Instagram

Our website has integrated social media plugins ("plugins") of the social network Facebook or Instagram, which is operated by Meta Platforms Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA ("Facebook"). You can recognize them by the Facebook or Instagram logo on the website. When you visit our website, Facebook receives the information that you have visited the website with your IP address. If you click on the "like" button or the Facebook icon available on our website while you are logged in and/or registered with your Facebook account, the content of the website will be redirected to your Facebook profile. Facebook can then assign your visit to the website to your user account. The data transfer takes place regardless of whether you have a Facebook account or not.

Facebook Ads (Meta) uses Facebook Pixel or Conversions API (CAPI) to track activities. The tracked data includes cookies and Facebook ID, IP address and device information (e.g. operating system, device type), website interactions (visits, clicks, adding to cart, purchase), conversions (e.g. submitting a form, completing an order), email or phone number, or time and date of interaction. Facebook Pixel tracks website visitors and enables retargeting; Facebook Conversions API (CAPI) sends data directly from the server, not via cookies.

The operator would like to point out that when using our website, it has no influence on the collected data and data processing processes, and we are also not aware of the total scope of the collected data, the purpose of the processing or the storage period of this data. Facebook stores the collected data about you as user profiles and uses them for its own purposes of advertising, market research and/or adapting its services and tools to registered users. Such an evaluation is carried out in particular in order to inform other Facebook users about your activities on our website. You have the right to object to the creation of such user profiles, and you must contact Facebook with your objection. After you have finished using Facebook, we always recommend that you log out, in particular in order to avoid your online activity being assigned to your profile. Further information on the purpose and scope of data collection and processing by Facebook can be found in Facebook's Privacy Policy at the following link: https://www.facebook.com/policy.php.

When managing our user profiles set up on the social network Facebook, your personal data may also be processed for statistical purposes. When you visit our profiles set up on Facebook, Facebook records, among other things, your Internet IP address as well as other information that is stored on your computer in the form of “cookies”. This information is used to provide us, as the operator of the Facebook pages, with statistical information about the use of the Facebook page. You can find more information about this statistical information (“insights”) at: https://www.facebook.com/help/pages/insights. In this processing, we act as joint controllers with Facebook, and the essential elements of the joint controller agreement for this case are available here: https://www.facebook.com/legal/terms/page_controller_addendum

We also inform you that we may use services provided by Facebook Ireland Limited, with its registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, which are designated as “data file custom audiences” – audience management for the implementation of advertising campaigns, whereby the data processed by us may be linked to personal data processed in Facebook databases, and “measurement and analytics”, within which Facebook processes personal data on our behalf in order to measure the performance and reach of our advertising campaigns and provide us with reports on users who have seen and responded to our advertising content. This processing of your personal data may therefore occur if you interact with our advertising content or our websites as part of the use of your user profile established on Facebook. In such cases, we use Facebook as an intermediary, and the following legal guarantees apply to the processing of your personal data: https://www.facebook.com/legal/terms/businesstools, https://www.facebook.com/legal/terms/dataprocessing.

If you are bothered by the processing of personal data explained above, you can object to it or you can also use the available self-regulatory tools developed for the online marketing sector, which are available here: http://www.aboutads.info/choices and http://www.youronlinechoices.eu/. These online tools will allow you to automatically identify third-party digital identifiers (including those from Facebook) in your browser and delete them, thereby preventing the possible processing of your personal data.

LinkedIn

If you visit and use our profile set up on this social network, we may process your personal data together with LinkedIn Corporation, with registered office at 1000 W Maude Ave Sunnyvale (HQ), California, USA, which is part of the Microsoft group, for statistical purposes within the framework of the use of the “page insights” service. More information can be found in LinkedIn's privacy policy, as well as in the essential parts of the joint controller agreement, which are available at this link: https://legal.linkedin.com/pages-joint-controller-addendum.

However, the use of this social network is primarily important for us in that through our professionally managed account we build awareness of the PPA group in the online environment (e.g. by adding PR content) and secondly to establish internal communication with experts and professionals whom we might be interested in employing or establishing another form of professional cooperation with. Through our account, our HR staff can communicate with our potential business partners or suitable candidates for filling a vacant position. In addition, we can also use the services of LinkedIn Ireland Unlimited Company aimed at supporting our marketing and PPC (Pay Per Click) campaigns, the aim of which is mainly to increase traffic to our websites or purpose-built sub-pages (microsites). We can also use LinkedIn tools for managing our campaigns, such as Campaign Manager, and personalized internal mail for sending our content when building PR and awareness of the PPA group, or when informing about a vacant position suitable for your profile. If we use these services, LinkedIn will act as our processor, and the following legal safeguards apply to the processing of your personal data: https://legal.linkedin.com/dpa

You can find more information about the processing of your personal data by the operator of the LinkedIn social network for its own purposes at the following URL link: https://www.linkedin.com/legal/privacy-policy.

YouTube

Our website includes YouTube videos from YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, which are stored on www.youtube.com and can be played directly from our website. When you visit our website, YouTube receives information that you have accessed a subpage of our website. YouTube stores the data collected about you as user profiles and uses them for advertising, market research and/or to tailor its website to the needs of users. The data is transferred regardless of whether YouTube provides a user profile through which you are logged in or whether there is no user account. If you have a user profile on YouTube and do not want it to be assigned to your profile, you must log out before activating the YouTube button. The user profile is also evaluated for users who are not logged in, in particular in order to provide suitable advertising and to inform other YouTube users about your activities on our website. You have the right to object to the creation of such user profiles, and you must contact YouTube with your objection. Rádio Vlna has no influence on the data transfer and use of your data by YouTube and you can use the link to obtain further information regarding your data protection: https://policies.google.com/privacy.

When using YouTube through Google Ads, the following data is collected: cookies and device ID, YouTube viewing history, ad interactions, geographic data, device type and browser, demographic data (age, gender - if available). Where the above tools are engaged, YouTube remarketing allows targeting of viewers who have already seen ads, and YouTube conversion tracking measures whether a user took an action after seeing an ad.

Change of privacy terms

The protection of personal data is not a one-time issue for us. The information that we are obliged to provide you with in relation to our processing of personal data may change or cease to be up-to-date. For this reason, we reserve the right to modify and change these terms and conditions at any time to any extent. If we change these terms and conditions in a material way, we will bring this change to your attention, e.g. by a general notice on this website or by a separate notice via email.

Management of PPA CONTROLL, as

Bratislava, 01.03.2025, Version 1.8
