Definitions of certain terms
under Regulation 2016/679 of the European Parliament and Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data (the Regulation) and Act No. 18/2018 Coll. on Personal Data Protection (the Act).
"personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, regardless of whether they are carried out by automated or non-automated means;
"controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
"processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
"recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Principles of personal data processing
Personal data may be processed only lawfully and in such a way that the fundamental rights of the data subject are not violated.
Purpose limitation principle
Personal data may be collected only for a specified, explicitly stated and legitimate purpose and may not be further processed in a manner that is incompatible with this purpose.
Data minimisation principle
Processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.
Processed personal data shall be accurate and, where necessary, kept up to date; reasonable and effective measures must be taken to ensure that personal data that are inaccurate, in regard to the purposes for which they are processed, are erased or rectified without delay.
Storage minimisation principle
Personal data shall be kept in a form that permits identification of a data subject no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality principle
Personal data shall be processed in a manner that ensures the appropriate security of the personal data using appropriate technical or organisational measures, including protection against unauthorised processing of personal data, unlawful processing of personal data, accidental loss of personal data, destruction of personal data, or damage to personal data.
The Controller shall be accountable for observing the basic principles of personal data processing, for the compliance of the processing of personal data with the principles of personal data processing, and shall be obliged to prove this compliance with the principles of personal data processing at the request of the Office.
Rights of the data subject
The data subject shall have the right to request information from the Controller:
1. about whether his/her personal data are being processed;
2. in a generally understandable form, accurate information about the source from which it obtained his/her personal data for the processing,
3. in a generally understandable form, a list of his/her personal data being processed, including the purpose of the processing, the categories of personal data processed, the recipients, the processors, the retention period, the right to rectification, erasure or limitation of the processing, the right to object to the processing of personal data, the right to file a motion for procedure under Section 100 of the Act,
4. contact information of the responsible person,
5. on the planned transfer of personal information to third countries.
The data subject shall have the right:
6. to rectification of inaccurate, incomplete, or outdated personal data that are being processed,
7. to erasure of personal data, in particular data the purpose of processing of which has ended; if the objects of processing are official documents containing personal data, he/she can request their return;
8. to object on the basis of a written request to the Controller to the processing of personal data, which are or will be processed for the purposes of direct marketing,
9. to the restriction of personal data processing,
10. to revoke his/her consent at any time, if the processing of personal data is based on the data subject's consent,
11. to the information whether there is automated decision making, including profiling, and, if there is, what its consequences are for the data subject,
12. to personal data portability,
13. to file a complaint with a supervisory authority,
14. to initiate a procedure on the protection of personal data pursuant to Section 100 of the Act.
Obligations of the Controller
The Controller, PosAm s.r.o. and its employees shall be obliged primarily to:
1. Process personal data only to the extent necessary to achieve the purpose of the processing.
2. Protect personal data from damage, destruction, loss, unauthorized modification, unauthorized access, provision or disclosure to a third party.
3. The Controller and its employees are obliged to maintain the confidentiality of the User’s personal data. They are obliged to maintain the confidentiality even after the termination of the contractual relationship with the User. The Controller has instructed its employees about the personal data protection obligations.
4. Ensure the security of personal data processing.
This point is crucial and it refers to the system of technical and organizational security rules and measures to protect the physical and logical perimeters of PosAm, e.g. the access system, camera systems, general key system and key distributor, physical security of the premises, access management in information systems ...
5. Report to the Office for Personal Data Protection and to data subjects, if necessary, any breach of personal data protection.
6. Carry out, where necessary, an impact assessment on the protection of personal data concerning the impact of processing on the protection of personal data.
7. Consult with the Office for Personal Data Protection of the Slovak Republic prior to performing any processing, if the impact assessment on the protection of personal data suggests that the processing would lead to a high risk if the User has not taken measures to mitigate this risk.