Declaration on the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and information for data subjects (hereinafter referred to as “GDPR”).
The controller of personal data is the business corporation SLUTO s.r.o., registered office at Týnská 1053/21, Staré Město, 110 00 Prague 1, ID No.: 25595318, registered in the public register kept at the Municipal Court in Prague, file No. C 216101 – hereinafter referred to as the “Controller”.
Personal data means any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified directly or indirectly, in particular by reference to a specific identifier, such as a name, identification number, location data, network identifier or to one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
We collect and process personal data in accordance with the data protection regulations that apply to the controller as a data controller. When processing personal data, we honour and respect data protection standards and adhere to the following principles: we always process personal data for a clearly and comprehensibly stated purpose, by specified means and in a specified manner, and only for as long as is strictly necessary. We collect personal data of our clients and employees only to the extent necessary.
2. Scope of processing of personal data
We process personal data to the extent that the relevant data subject has provided it, in connection with the conclusion of a contractual or other legal relationship with the controller, for legitimate interest, or which the controller has otherwise collected and processes in accordance with applicable law or to fulfil the controller’s legal obligations.
3. Sources of personal data
We obtain personal data directly from you as the data subject, from third parties, from publicly available sources or from our own activities.
- directly from data subjects (registration, web and other contact forms, emails, telephone, website, business cards, etc.)
- publicly accessible registers, lists and records (e.g. commercial register, trade register, land registry, insolvency register, central execution register, etc.)
- third parties, such as a court, bailiff, insolvency administrator or other public authority
- automated recording of electronic communications – we collect some information automatically from visitors to our website and via email communications. Automated technologies may include the use of web server logs to collect IP addresses, cookies, web beacons, geo-location or social media widgets and applications. We collect this information to improve the performance, usability and effectiveness of our website and to measure the effectiveness of our marketing activities.
An IP address is a number assigned to your computer whenever you connect to the Internet. It allows computers and servers to recognise and communicate with each other. The IP addresses from which website visitors connect may be logged for IT security and system diagnostic purposes. This data can also be used in aggregate to perform analysis of website trends and performance.
A web beacon is a small graphic image placed on a web page that can be used to collect certain information from your computer, such as its IP address, the time when the page was viewed, the type of browser and the existence of cookies previously set by the same server. We use web beacons to monitor the effectiveness of third-party websites that provide marketing or recruitment services to us or to collect aggregate statistical information about site traffic and to manage cookies.
You can disable some web beacons by refusing to set the cookies associated with them. The web beacon may still record an anonymous visit from your IP address, but the information will not be recorded in the cookie.
In some of our newsletters or other forms of communication, we may confirm the recipient’s email address through links embedded in the email. We collect this information to gauge or encourage user interest.
The SLUTO Ltd. website may collect and use information about the geographic location of your computer or mobile device. This data is collected to provide personalized content based on your geographic location.
Social widgets and apps
The SLUTO Ltd. website may include social sharing functionality through third party applications such as the Facebook Like button and LinkedIn widget. These applications may collect and use information about your use of the SLUTO s.r.o. website. Any personal information you provide through these social widgets and applications may be used by members of the companies providing these applications. The processing of this information is governed by the terms and conditions of those companies. SLUTO s.r.o. has no control over, and is not responsible for, the conduct of these companies or the manner in which they use this information.
4. Categories of personal data subject to processing
- address and identification data used to uniquely and unmistakably identify the data subject (e.g. name, surname, title, birth number, date of birth, permanent address, delivery or other contact address, details of identity documents, identification number, VAT number)
- electronic contact details (e.g. telephone number, mobile number, fax number, e-mail address, data box ID and other similar information)
- other electronic data (e.g. IP addresses, cookies and other traffic and location data resulting from the services provided)
- other data necessary for the performance of the contract (e.g. bank details)
- data provided in excess of the relevant laws and processed within the scope of the data subject’s consent (processing of photographs, use of personal data for the purpose of personnel management, etc.)
5. Lawful reason and purpose for processing personal data
The lawful reason for processing personal data is:
- performance of a contract between the subject and the controller pursuant to Article 6(1)(b) GDPR,
- the legitimate interest of the controller in providing direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(f) GDPR,
- the subject’s consent to processing for the purposes of providing direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(a) GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll., on certain information society services, in the event that no service order or contract has been concluded.
The purpose of processing personal data is:
- to fulfil the legal obligations of the controller,
- the purposes contained in the data subject’s consent,
- to negotiate a contractual relationship,
- the performance of rights and obligations arising from contractual relations,
- the protection of the controller’s property and rights and legal claims (e.g. debt recovery),
- archiving carried out on the basis of the law,
- selection procedures for vacancies,
- improving and developing the services of the administrator,
- sending newsletters, commercial communications and offering the Administrator’s services on the basis of a legitimate interest in the development of the Administrator’s business and services.
- When you visit our websites, we process data about your use of our services, about your visits to our websites, such as the name of the Internet service provider and the IP address you use to log on to the Internet, the date and time you accessed the website or service, the pages you visited, the queries you entered during your search, the documents you opened or the Internet address from which you directly accessed our websites and services, in addition to contact and identification data.
6. Processing and storage of personal data
The processing of personal data is carried out by the controller. The processing is carried out at its headquarters and offices by individual authorised employees of the controller or by the processor. The processing takes place by means of computer technology or, where appropriate, manually for personal data in paper form, in compliance with all security principles for the management and processing of personal data. To this end, the controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers, unauthorised processing and other misuse of personal data.
All entities to which personal data may be disclosed shall respect the right of privacy of data subjects and shall comply with applicable data protection legislation.
7. Retention period of personal data
The controller shall keep the personal data for the period necessary for the purpose of processing.
In accordance with the time limits specified in the relevant contracts or in the relevant legislation, this is the period necessary to ensure the rights and obligations arising from the contractual relationship and the relevant legislation.
In the case of processing of personal data for reasons required by law, it is the period of time specified by such law. In the case of personal data processed for purposes based on the legal ground of performance of a contract, the necessary period corresponds to the period of performance of that contract (order). For purposes based on legal grounds of legitimate interest, the necessary period is three years from the performance of the contract (order) or cancellation of the user account.
8. Transfer of personal data to other persons
The controller will only disclose personal data to its external service providers, contractual partners whose services it uses in the provision of its services (e.g. website operators, operators of mailing tools). The controller provides personal data to the extent necessary and in compliance with all principles arising from the GDPR. Furthermore, personal data may be disclosed to the extent necessary to legal, economic and tax advisors. Personal data relating to debtors may also be disclosed to debt collection agencies for the purpose of debt recovery. Personal data may also be transferred to public authorities on request or in the event of suspected infringements.
Personal data is processed mainly within the EU and is not purposefully released outside the EU.
9. Security and access to personal data
The Controller declares that it has taken all appropriate technical and organisational measures to protect the security of personal data of subjects against unauthorised access, use or disclosure. We store the data you provide to us on restricted access computer servers located in secure facilities. Only relevant SLUTO Ltd. employees who are contractually obliged to maintain the confidentiality of all facts, data and information (personal or otherwise) of which they become aware in the course of their work have access to personal data.
Selected contractors of SLUTO Ltd. have access to certain personal data as we use their systems in the provision of our services. These partners have contractually agreed to maintain confidentiality and not to use the data provided by us for purposes other than those specified.
10. Rights of data subjects
The data subject has the following rights under the GDPR:
The right of access to personal data – i.e. to know what data the controller processes about the subject, for what purpose, for how long, where it is obtained, to whom it is transferred, who processes it besides the subject, and what other rights the subject has in relation to the processing of his or her personal data.
The right to rectification if the data processed is inaccurate or incomplete.
Right to erasure
The controller shall erase the personal data without undue delay if one of the following grounds is met:
- the personal data is no longer needed for the purposes for which we processed it;
- the subject withdraws consent to the processing of the personal data and at the same time the data is data for which his or her consent is necessary and the controller has no other reason why we need to continue processing it;
- the subject exercises his or her right to object to processing (see below under Right to object to processing) in respect of personal data which the controller processes on the basis of his or her legitimate interests and the controller finds that he or she no longer has such legitimate interests to justify such processing;
- the subject considers that the controller’s processing of the personal data is no longer in accordance with generally applicable law.
Even if one of the listed grounds applies, this does not mean that the controller is obliged to erase all personal data immediately. This right shall not apply if the processing of personal data is still necessary for compliance with a legal obligation of the controller or for the establishment, exercise or defence of legal claims.
Right to restriction of processing
This right allows the subject, in certain circumstances, to request that his or her personal data be marked and not be subject to any further processing operations – in this case, however, not forever (as is the case with the right to erasure), but for a limited period of time. The controller must restrict the processing of personal data when:
- the subject disputes the accuracy of the personal data before agreeing with the controller what data are correct;
- the controller processes the subject’s personal data without a sufficient legal basis (e.g. beyond what it is required to process), but the subject would prefer only to restrict such data before erasing it (e.g. if it expects to provide the controller with such data in the future anyway);
- the controller no longer needs the personal data for the above processing purposes but the subject requires them for the establishment, exercise or defence of legal claims;
- the subject objects to the processing; for the period during which the controller investigates whether the objection is justified, the controller is obliged to restrict the processing of the personal data.
Right to portability
The subject has the right to obtain from the controller all of his or her personal data which he or she has provided to the controller and which the controller processes on the basis of his or her consent and on the basis of the performance of a contract. The controller shall provide the personal data to the subject in a structured, commonly used and machine-readable format where the processing is automated.
Right to object to processing
The subject has the right to object at any time to the processing of personal data based on a legitimate interest. In such a case, the personal data shall no longer be processed unless there are compelling legitimate grounds for the processing which override the interests of the subject or his/her rights and freedoms, or unless the processing is for the establishment, exercise or defence of legal claims. In the case of marketing activities, the controller shall cease processing the subject’s personal data without further action. The data subject may object to the processing using the contact details below. In the e-mail, the subject shall indicate the specific situation that leads him or her to believe that the controller should not process his or her data. In the case of data processing for direct marketing purposes, it is always possible to object without further justification.
Right to lodge a complaint with the competent supervisory authority
The subject may exercise this right in particular if he or she considers that his or her personal data are being processed unlawfully by the controller or in breach of generally binding legal provisions. The subject may lodge a complaint against the processing of personal data with the Office for Personal Data Protection at Pplk. Sochora 27, 170 00 Prague 7.
How to exercise individual rights
You can contact us in the following ways for all matters relating to the processing of personal data, whether it is to make an enquiry, exercise a right, make a complaint or otherwise:
- by post to the address of the company’s registered office: SLUTO s.r.o., Týnská 1053/21, 110 00 Prague 1; please mark the letter “processing of personal data”;
- by electronic mail to the e-mail address firstname.lastname@example.org.
We will inform the applicant immediately of the receipt of each request according to the above points and will provide the requested information or information on the measures taken without undue delay, but no later than within 1 month. This time limit may be extended by a further two months if necessary and in view of the complexity and number of applications. In certain specific cases defined in the GDPR, we are not obliged to comply with the request in whole or in part. This will be the case in particular if the request is manifestly unfounded or unreasonable, especially because it is repetitive. In such cases, we may impose a reasonable fee taking into account the administrative costs involved in providing the requested information or refuse to comply with the request. The applicant will always be informed of this.
Where we have reasonable doubt as to the identity of a requester, we may ask the requester to provide additional information necessary to confirm their identity.
We will retain information about the exercise of the data subject’s rights for a reasonable period of time (typically 3 years) to record and document this, for statistical purposes, to improve our services and to protect our rights.
11. Contact information
You can contact us at any time regarding the protection of your personal data at:
110 00 Prague 1
PO Box: 3h62wcw
12. Final provisions
These terms and conditions will take effect on 1 January 2019.