EN SK CZ DE

Privacy Policy

Company's information obligation under the Personal Data Protection Act

Identification of the operator:

Company Vital trade Ltd., ID: 46167790, Nálepkova 30, 921 01 Piešt'any, Slovakia, registered in the Commercial Register of the District Court of Trnava, section: Ltd, insert number: 27479/T (hereinafter referred to as the ""Company"") acts as an information systems operator (hereinafter referred to as ""IS"") when processing the personal data of its employees, clients, customers or business partners (hereinafter referred to as the ""Data Subject"").

Legal basis for the processing of personal data of data subjects:

When processing personal data, the company proceeds in accordance with Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Regulations (hereinafter referred to as the ""Personal Data Protection Act""). The legal basis for the processing of personal data is the Personal Data Protection Act, special legal regulations and consent to the processing of personal data, depending on the purpose of the processing of personal data.

If the purpose of the processing of personal data, the range of data subjects and the list of personal data is provided for by a directly enforceable act of the European Union, an international treaty to which the Slovak Republic is bound, the Personal Data Protection Act or a special law, the company is entitled to process personal data without the consent of the data subject within the meaning of the Personal Data Protection Act.

The Company processes personal data without the consent of the data subject if the purpose of processing personal data, the range of data subjects and the list of personal data or their scope is provided for by a directly enforceable legally binding act of the European Union, an international treaty to which the Slovak Republic is bound or this Act. If the list or scope of personal data is not established, the company may process personal data only to the extent and in the manner necessary to achieve the established purpose of processing, while complying with the basic obligations under the Personal Data Protection Act.

The company further processes personal data without the consent of the data subject if the purpose of processing personal data, the range of data subjects and the list of personal data is provided for by a special law and only to the extent and in the manner provided for by the special law. The personal data processed may be disclosed, made available or published from the information system only if a special law provides for the purpose of disclosure, disclosure or publication, the list of personal data that may be disclosed, disclosed or published, as well as the third parties to whom the personal data are disclosed or the range of recipients to whom the personal data are disclosed, unless otherwise provided for in the law on the protection of personal data.

The company also processes personal data without the data subject's consent if:

(a) the processing of personal data is necessary for the performance of a contract to which the data subject acts as one of the contracting parties or in pre-contractual relations with the data subject or in negotiations for the amendment of a contract which are carried out at the request of the data subject,

(b) the processing of personal data is necessary to protect the life, health or property of the data subject, c) the subject of the processing is exclusively the title, name, surname and address of the data subject without the possibility of assigning other personal data to them and their use is intended exclusively for the needs of the controller in the postal contact with the data subject and the registration of these data,

(d) personal data are processed which have already been disclosed in accordance with the law and have been duly identified by the controller as having been disclosed; the person who claims to be processing disclosed personal data shall, on request, demonstrate to the Authority that the personal data being processed have already been lawfully disclosed,

(e) the processing of personal data is necessary for the protection of the rights and legitimate interests of the controller or of a third party, except where such processing of personal data is overridden by the fundamental rights and freedoms of the data subject which are subject to protection under this Act.

If, in view of the purpose of processing personal data as laid down in a directly enforceable legally binding act of the European Union, an international treaty by which the Slovak Republic is bound, the Personal Data Protection Act and a special act, the individual personal data to be processed cannot be specifically determined in advance, the list of personal data may be replaced by a range of personal data.

The Company is obliged to comply with the Personal Data Protection Act when processing personal data in this way, except for those controllers who process personal data for the purposes of and in connection with legal proceedings.

If the Personal Data Protection Act does not apply to the processing of personal data, the company as the controller is only entitled to process personal data with the consent of the data subject.

The company obtains the data subject's consent without coercion or compulsion, as well as without conditioning it on the threat of refusal of the contractual relationship, the services provided or the obligations arising for the controller from legally binding acts of the European Union, an international treaty to which the Slovak Republic is bound or a law.

In the event of refusal to provide personal data to the company for the purposes necessary for the provision of services or the fulfilment of legal obligations, the company is entitled to warn the data subject of the possible consequences of not providing personal data.

The data subjects consent to the Company entrusting the processing of personal data to an intermediary who processes personal data on behalf of the Company. After the end of the purpose of the processing of personal data, the Company shall dispose of such lawfully obtained personal data of the data subjects within the time limit set by applicable law and in accordance with the Company's internal regulations.

Purpose of processing of personal data of data subjects:

The company respects your privacy and considers the personal data you provide to be confidential.

The company needs to know certain personal data of the data subjects for the quality of its services and needs to provide it to other recipients in order to comply with its legal obligations and to provide the highest quality services.

The company processes the personal data provided for several purposes.

Firstly, it deals with personal data of job applicants and personal data of its employees for the purposes of the personnel and payroll agenda and related legal obligations arising from specific legislation.

The Company also processes personal data of its clients, customers and business partners for the purpose of ensuring its business activities taking into account the interests of its clients, customers and business partners.

The processing of personal data for other purposes does not occur in the company, which means that the company collects, stores and processes only the personal data of the data subjects that it needs in order to fulfill its services. The personal data provided is strictly protected against misuse by unauthorized third parties by means documented in the adopted security project and security directive in accordance with the Data Protection Act.

When processing the personal data of data subjects, the company complies with the basic obligations of the controller under the Personal Data Protection Act, which include the following obligations.

The company always uses the personal data provided for a predetermined purpose of processing, which is clear, unambiguous and specific, in accordance with the Constitution of the Slovak Republic, constitutional laws, laws and international treaties to which the Slovak Republic is bound.

The company always defines the conditions for processing personal data in such a way as not to restrict the rights of the data subject provided for by law.

The company only collects personal data of the data subjects which, in terms of their scope and content, correspond to the purpose of the processing and are necessary for its achievement.

The company ensures that the personal data of the data subjects are processed only in a manner that is consistent with the purpose for which they were previously collected.

The company as a controller is obliged to process only correct, complete and, where necessary, updated personal data in relation to the purpose of processing. Incorrect and incomplete personal data shall be blocked by the controller and rectified or supplemented without undue delay; if they cannot be rectified or supplemented so as to be correct, the company shall clearly mark and destroy the personal data without undue delay.

The Company shall ensure that the personal data of the data subjects are processed in a form which permits the identification of individual data subjects for no longer than is necessary to achieve the purpose of the processing.

The company shall dispose of in the prescribed manner those personal data whose purpose of processing has ended. After the end of the defined purpose, the company is entitled to process the personal data to the extent necessary for research or statistical purposes in their anonymized form. Personal data processed in this way may not be used by the controller to support measures or decisions taken against the data subject to restrict his or her fundamental rights and freedoms.

Brokers:

The Company does not disclose your personal data to third parties in violation of the Data Protection Act and for the purpose of collecting it, contrary to your interests or instructions, and it is only disclosed to third parties within the scope of the above- mentioned purpose.

In its business activities, the company cooperates with several intermediaries whose aim is to provide quality services, and these entities process the personal data of data subjects in the performance of their contractual activities for the company.

The company declares on its honor that when selecting individual processors, it has taken care of their professional, technical, organizational and personnel competence and their ability to guarantee the security of the personal data processed by the security measures taken in accordance with the Personal Data Protection Act.

At the same time, when selecting a suitable intermediary, the company has acted in such a way as not to jeopardize the rights and legitimate interests of the data subjects.

The company as a controller has concluded written contracts with processors under the Personal Data Protection Act to ensure the protection of personal data processed by the processors it has entrusted with the processing of personal data of data subjects only to the extent, under the conditions and for the purpose agreed in the contract and in the manner provided for in the Personal Data Protection Act.

Scope and list of personal data processed:

The company processes personal data of data subjects in its information systems to the extent necessary to achieve the stated purpose. This is the scope of the personal

data provided for by specific legislation or to the extent of the data subject's consent to the processing of his or her personal data.

The company only processes personal data that have been provided to it voluntarily and to the extent necessary by the data subject. The provision of personal data to the company beyond the scope of specific laws is voluntary.

Conditions and manner of processing of personal data of data subjects:

The company processes personal data of data subjects in its information systems by automated and non-automated means of processing.

The Company does not disclose the personal data processed, except where required by a specific legal regulation or by a decision of a court or other public authority.

The Company will not process your personal data without your explicit consent or other lawful legal basis for any other purpose or to a greater extent than is stated in this information and the registration sheets of the individual information systems of the controller.

Rights of the data subject related to the processing of his or her personal data:

The data subject shall have the right, upon written request from the company, to request:

(a) confirmation of whether or not personal data about him or her are processed,

(b) in a generally comprehensible form, information on the processing of personal data in the information system within the scope of the Personal Data Protection Act; when a decision is issued pursuant to the Personal Data Protection Act, the data subject shall be entitled to acquaint himself with the procedure for processing and evaluating operations,

(c) in a generally comprehensible form, precise information about the source from which he or she obtained his or her personal data for processing,

(d) in a generally comprehensible form, a list of its personal data subject to processing,

(e) the rectification or destruction of their incorrect, incomplete or outdated personal data subject to processing,

(f) the destruction of his or her personal data for which the purpose of the processing has ceased; where official documents containing personal data are the subject of the processing, he or she may request their return,

(g) the destruction of his or her personal data subject to processing where there has been a breach of the law,

(h) blocking of his or her personal data due to the withdrawal of consent before the expiry of its validity period, if the company processes personal data on the basis of the data subject's consent.

The aforementioned rights of the data subject under points (e) and (f) may be restricted only if such restriction is based on a specific law or if its application would

violate the protection of the data subject or would infringe the rights and freedoms of other persons.

Pursuant to the Personal Data Protection Act, the data subject has the right, upon written request to the company, to object to:

(a) the processing of his or her personal data which he or she believes is or will be processed for direct marketing purposes without his or her consent, and to request its destruction,

(b) the use of personal data referred to in the Data Protection Act for the purposes of direct marketing in the postal sector; or

(c) the provision of personal data referred to in the Data Protection Act for direct marketing purposes.

Pursuant to the Personal Data Protection Act, the data subject shall have the right to object at any time to the processing of personal data in cases under the Personal Data Protection Act by submitting legitimate grounds or by submitting evidence of unjustified interference with his or her rights and legally protected interests which are or may be harmed by such processing of personal data, on the basis of a written request addressed to the company or in person, if the matter cannot be delayed; unless prevented by lawful grounds and the data subject's objection is proven to be justified, the company shall block and delete the personal data whose processing the data subject has objected to without undue delay as soon as the circumstances permit.

Pursuant to the Personal Data Protection Act, the data subject shall have the right at any time, based on a written request addressed to the company or in person if

the matter cannot be delayed, to object and not to submit to a decision of the company which would have legal effects or significant impact on him or her, if such decision is made solely on the basis of automated processing operations of his or her personal data. The data subject shall further have the right to request the company to review the decision issued by a method other than automated processing, and the company shall comply with the data subject's request, with the authorized person playing a decisive role in the review of the decision; the controller shall inform the data subject of the method of review and the result of the finding within the time limit provided for in the Personal Data Protection Act. The data subject shall not have this right only if a specific law providing for measures to safeguard the data subject's legitimate interests so provides, or if, in the context of a pre-contractual relationship or during the existence of a contractual relationship, the controller has issued a decision granting the data subject's request, or if the controller has taken other appropriate measures based on a contract to safeguard the data subject's legitimate interests.

If the data subject exercises his or her right:

(a) in writing and the content of his or her request indicates that he or she is exercising a right, the request shall be deemed to have been made under the Personal Data Protection Act; a request made by e-mail or fax shall be delivered in writing by the data subject no later than three days from the date of its dispatch,

b) in person orally in the form of a record, from which it must be clear who has exercised the right, what is claimed and when and who has drawn up the record, his signature and the signature of the person concerned; the company is obliged to give a copy of the record to the person concerned,

(c) in the case of an intermediary referred to in point (a) or (b), the intermediary shall be obliged to hand over the application or the minutes to the company without undue delay.

If the data subject suspects that his or her personal data are being unlawfully processed, he or she may file a petition for initiation of a personal data protection procedure with the Office for Personal Data Protection of the Slovak Republic, located at Hraničná 12, 820 07 Bratislava 27, Slovak Republic or contact the Office via its website http://www.dataprotection.gov.sk.

If the data subject lacks full legal capacity, his or her rights may be exercised by a legal representative.

If the person concerned is deceased, his or her rights under this Act may be exercised by a person close to him or her.

The request of the data subject under the Personal Data Protection Act shall be processed by the company free of charge.

The request of the data subject pursuant to the Personal Data Protection Act shall be processed by the company free of charge, except for the payment of an amount which may not exceed the amount of the reasonably incurred material costs associated with the making of copies, the procurement of technical media and the sending of information to the data subject, unless a special law provides otherwise.

The company is obliged to deal with the data subject's request in writing in accordance with the Personal Data Protection Act no later than 30 days from the date of receipt of the request.

The company shall notify the data subject and the Office for Personal Data Protection of the Slovak Republic in writing without undue delay of the restriction of the data subject's rights under the Personal Data Protection Act.

The company has hereby informed you as the data subject about the protection of your personal data and informed you of your rights in relation to the protection of personal data within the scope of this written information obligation.