In accordance with Act no. 18/2018 Coll. on the Personal Data Protection and on amending and supplementing certain acts as amended (hereinafter referred to as the “Act” in the relevant grammatical form ) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation” in the appropriate grammatical form ), SkyToll, a. s., registered office at Lamačská cesta 3 /B, 841 04 Bratislava, Slovak Republic, Company Reg. No.: 44 500 734, Tax ID No.: 2022712153, VAT ID No.: SK2022712153, recorded in the Companies Register of the City Court Bratislava III in Section: Sa, file no. 4646/B (hereinafter referred to as the „Controller” in the appropriate grammatical form), processes your personal data within the scope and under the conditions specified in the following articles.
I. Principles of Personal Data Protection
- In case of personal data processing by the Controller, you are a Data Subject, i.e. a person whose personal data is being processed.
- The Controller processes your personal data exclusively on the basis of the conditions specified in the Act or the Regulation.
- Your personal data will be stored securely, in accordance with the security policy of the Controller, only for the time necessary to fulfil the purpose of processing and only for the purpose for which they were obtained.
- Only persons authorised by the Controller to process personal data who process them on the basis of the Controller’s instructions will have access to your personal data.
- The Controller has a legal obligation to provide your personal data during inspections, supervisory activities, reporting obligations or at the request of authorised government bodies or institutions, if it ensues from specific regulations.
- The Controller may also provide your personal data to recipients who are processors. The Controller declares that it has duly concluded contracts with its processors, who ensure an appropriate level of personal data protection, in accordance with the applicable legal regulations related to the protection of personal data, including the Act and the Regulation.
- Personal data shall not be disclosed and shall not be used for automated individual decision-making, including profiling.
- The Controller, in accordance with Section 48 of the Act, does not intend to transfer the personal data to a third country or an international organization.
II. Lawfulness of Personal Data Processing
We shall process your personal data exclusively based on one of the following reasons:
- your prior consent to the processing of your personal data,
- on the basis of the needs necessary for the performance of the contract to which the data subject is a party or for the implementation of a pre-contractual measure upon the data subject’s request,
- a special regulation or an international treaty by which the Slovak Republic is bound,
- the necessity of legitimate interests of the Controller or a third party, except in cases where the interests or rights of the data subject requiring the protection of personal data prevail over these interests, especially if the data subject is a child.
III. Scope of Personal Data Processing
We process your personal data in the following scope:
Area of processing activity:
Personnel and payroll agenda
Performance of the employer’s obligations related to
the employment relationship or similar relationship
(eg on the basis of agreements on work performed
outside of the employment relationship), including
pre-contractual relationships.
Employees, spouses of employees, persons dependent
on employees, former employees, job seekers..
The period of processing of personal data:
depending on the valid legislation Legal basis of
processing:
- Act no. 311/2001 Coll. the Labor Code as amended,
- Act no. 580/2004 Coll. on Health Insurance as amended,
- Act no. 461/2003 Coll. on Social Insurance as amended,
- Act no. 595/2003 Coll. on Income Tax, as amended,
- Act no. 43/2004 Coll. on Old-Age Pension Savings, as amended,
- Act no. 650/2004 Coll. on Supplementary Pension Savings and on amending and supplementing certain acts, as amended,
- Act no. 5/2004 Coll. on Employment Services and on amending and supplementing certain acts, as amended,
- Act no. 462/2003 Coll. on Income Compensation in the Event of Temporary Incapacity for Work of an Employee and on amending and supplementing certain acts as amended,
- Act no. 152/1994 Coll. on the Social Fund and on amending and supplementing of Act no. 286/1992 Coll. on Income Taxes, as amended,
- Act no. 355/2007 Coll. on the Protection, Support and Development of Public Health and on amending and supplementing certain acts, as amended,
- Act no. 124/2006 Coll. on Occupational Health and Safety and on amending and supplementing certain acts, as amended.
health insurance companies, a law firm, a statutory
auditor
Area of processing activity:
Records of prospective job seekers with whom the
employer is not preliminarily preparing to conclude an
employment contract and records of unsolicited
applications for employment
Period of personal data processing:
3 years, if the applicant confirms consent to be
included in the records of job seekers, 30 days if the
applicant does not confirm this consent
Legal basis of processing:
Consent of the data subject
Area of processing activity:
Contractual partners – employees of contractual partners
Performance of the contractual relationship with the
data subject’s employer, including pre-contractual
relationships
Natural persons – employees (internal, external) of the
contractual partner in a contractual relationship, a
pre-contractual relationship and a terminated
relationship with the Controller
Period of personal data processing:
Legal basis of processing:
Statutory auditor, tax advisers
Area of processing activity:
Contractual partners – natural persons
Implementation of a contract with a natural person.
Natural persons who are in a pre-contractual
relationship, natural persons with whom a contractual
relationship has been concluded and natural persons
with whom a contractual relationship has ended.
The period of processing of personal data:
Depending on the valid legislation
Legal basis of processing:
Contract with a natural person
Statutory auditor, tax advisers
Area of processing activity:
Monitoring of employees by a camera system
Protection of the company’s assets, protection of
employees at exposed workplaces, which are border
distribution points and contact points
Employees working at exposed workplaces with an
increased probability of robberies, visitors to customer
points
Period of personal data processing:
Legal basis of processing:
Law enforcement authorities
IV. Data Protection Officer
Pursuant to the provisions of Section 44 of the Act, the Controller has a data protection officer (hereinafter referred to as the “Data Protection Officer” in the relevant grammatical form), who can be contacted via e-mail sent to gdpr@skytoll.sk or this person can be contacted in writing at the GDPR correspondence address: SkyToll, a. s., Lamačská cesta 3 / B, 841 04 Bratislava, Slovak Republic.
V. Your rights under the Act
Your rights as a Data Subject referred to in Article 15 et seq. the Regulation and in Section 21 et seq.
the Act include the right to information or notification about:
- the right to demand from the Controller access to personal data concerning you as the Data Subject,
- the right to object to the processing of personal data,
- the right to the portability of personal data,
- the right to withdraw consent to the processing of personal data at any time,
- the right to address the Office and file a motion to initiate proceedings to the effect that your rights have been affected under the Regulation or the Act,
- whether the disclosure of personal data is a legal requirement or a contractual requirement or a requirement necessary for the conclusion of a contract, and whether you, as the Data subject, are obliged to provide personal data, as well as possible consequences of not providing personal data,
- the existence of automated individual decision-making, including profiling; in these cases, the Controller will provide to you, as the Data Subject, with information on the procedure used, as well as on the meaning and expected consequences of such processing of personal data for you as the Data Subject,
- other purpose of processing and other relevant information referred to above, if the Controller intends to further process personal data for a purpose other than that for which they were obtained,
- the right to obtain a confirmation from the Controller as to whether personal data concerning him/her are being processed. If the Controller processes such personal data, you, as the Data Subject, have the right to access these personal data,
- the right to ask from the Controller an amendment of personal data concerning you as a Data Subject, their deletion or restriction of their processing, or the right to object to the processing of personal data and subsequently information on the correction of personal data, deletion of personal data or restrictions on personal data processing,
- the source of personal data, if personal data have not been obtained from you as the Data Subject,
- adequate safeguards regarding the transfer of personal data to third countries or to an international organization,
- the right to obtain personal data related to you and which you have provided to the Controller, in a structured, commonly used and machine-readable format, and you have the right to transfer these personal data to another Controller, if technically feasible,
- the right to object to the processing of your personal data for reasons relating to your specific situation, including profiling. The Controller may not further process your personal data unless it demonstrates the necessary legitimate interests for the processing of personal data which prevail over the rights or interests of you as a Data Subject or the reasons for asserting a legal claim,
- the right to object to the processing of personal data involving the Data Subject for the purpose of direct marketing, including profiling, in the scope as it relates to direct marketing. If you, as the Data Subject, object to the processing of personal data for the purpose of direct marketing, the Controller may not further process personal data for the purpose of direct marketing,
- the right that you are not subject to a decision which is based exclusively on the automated processing of personal data, including profiling, and which has legal effects involving the Data Subject or similarly affecting it in a significant way,
- the obligation of the Controller to notify you without unreasonable delay of a breach of personal data protection as the Data Subject, if such breach of personal data protection may lead to a high risk to the rights of a natural person. As a Data Subject, you can exercise your rights in the following ways:
- in writing with an officially certified signature, the content of the application must show that the Data Subject is exercising its right. An application submitted by e-mail or fax must also be received in writing no later than three days from the date of its dispatch,
- in person at the Controller’s point of sale, where the identity of you as the Data Subject shall be verified by the Controller’s employee, and at the Processor, in ways already specified above, while the Processor shall submit this application or minutes to the Controller without unreasonable delay,
- In cases where we process your personal data on the basis of your consent, you may revoke this consent electronically, by delivering an e-mail message to the address of the Data Protection Officer or in the ways specified above.
We will process your application within 30 days from the date of receipt of the application in accordance with the aforesaid paragraphs. In some specific cases, a longer period may be required to examine the application. We will process such applications within 60 days from the date of receipt of the application, while you, as the Data Subject, shall be informed in writing about the application of a longer period.
As a Data Subject, you also have the right to apply directly to the Office for Personal Data Protection (https://dataprotection.gov.sk/uoou/).