Personal Data Processing
Dear all, we would like to inform you about the basic principles and procedures during processing of your personal data by the company Vizion s. r. o., with its registered office Kapitulská 6, 917 01 Trnava, ID Number: 45 909 750, registered in the Commercial Register of the District Court Trnava (the "Company"), as Controller, in accordance with the Art. 13 et seq. of the Regulation (EU) 2016/679 of European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") and Art. 19 of the Act No. 18/2018 Coll. on Personal Data Protection and on Amendments to Certain Acts as amended (the "ZOOÚ").
- The purpose of processing personal data shall mean for the Provider to collect, store and process personal data and to use them for invoicing purposes, domain registrations and for other acts connected with ordered and provided Services, including further communication with a User (e.g. complaint, withdrawal from contract), Provider’s marketing, sending further Service offers and information regarding products also by electronic means (e-mail, sms, telemarketing). The User shall be fully liable for damage caused by inaccurate and out-of-date personal data.
- Only upon the User’s prior voluntary consent and to a previously set purpose, extent and period, the Provider shall be empowered to process personal data above the scope as defined in para 13.1 of these GTCs and when the processing of these personal data is not compatible with the legal base as set out in para 13.1 of these GTCs. ArticleThe User is entitled to revoke their given consent anytime in writing. Revocation of consent shall become effective on the day of its delivery to the Provider.
- The Provider shall not make use of and provide personal data beyond the extent inevitable for the operation of ordered Services. Personal data shall not be provided to any third parties with the exception of products the descprition of which clearly states otherwise. In such a case the Provider shall agree within the contractual relationship with the third party on the protection of personal data pursuant to valid legal provisions, mainly the Personal Data Protection Act, and at the same time, the Provider shall inform the User in the Agreement that providing personal data to a third party is necessary for the performace of the Agreement otherwise it would not be possible to provide the Service. For these purposes it is essential for the Provider to obtain the User’s consent.
- All personal data shall be protected under valid legal regulation, particularly under the Act on personal data protection.
- The Provider is not entitled to interfere in contents of internet presentations of the User or to monitor or store e-mails of the User, except performing regular backup for the User in accordance with their Order.
- The Provider undertakes to take all steps towards the highest personal data protection of the User, as well as towards protection of all data, database and mail files of the User in order to protect them from loss, damage or devaluation.
- In relation to the User’s clients the Provider shall take the role of a Controller under Article 28 of the GDPR. Therefore, the Agreement between the Provider and the User shall comply with the following:
- The Provider shall not entrust the processing of personal data to other Controller without the User’s prior individual written consent. In case the User’s written consent has been provided, the Provider shall impose in a contract or by other legal act the same obligations regarding personal data protection onto the next Controller as is set out in this Agreement, whereas the liability towards the User rests with the Provider, if the next Controller fails to comply with their obligations regarding personal data protection.
- The Provider shall process personal data only for the purposes of providing Services.
- The Provider shall process personal data during the whole period of validity and effectiveness of the Agreement between them and the User.
- The Provider shall process personal data in the same scope as the User.
- Data Subjects are the User’s clients.
- The Provider is entitled to perform only processing operations with personal data that are necessary in order to fulfil the purpose of processing, mainly: collection, organisation, storage and destruction.
- The Provider shall process personal data only to the extent necessary in order to fulfil the purpose of processing and only in line with the terms and conditions of this Article of the GTCs, or upon receipt of the User’s written instructions and also in cases when personal data is being transferred to a third country or to an international organisation. In case of a personal data transfer to a third country or to an international organisation based on specific regulations or an international agreement, by which the Slovak Republic is bound, the Provider shall inform the User of such a request before processing personal data provided that a specific regulation or an international agreement, by which the Slovak Republic is bound, does not prohibit such notice due to reasons of public interest.
- The Provider shall ensure the protection of processed personal data against damage, destruction, loss, change, disclosure, unauthorised access, against making them available or public and against other unlawful methods of processing.
- The Provider declares that they guarantee the safety and security of processed personal data and take technical and organisational measures in order to ensure the protection of the User’s clients’ rights and of their personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed while taking into account the nature, extent, context and purpose of personal data processing and the risks that may disrupt the safety and security of personal data protection and their relevance.
- The Provider shall not disclose personal data to third parties or use personal data to other than the agreed purpose, nor misuse personal data for their own gain or the gain of a third party or handle personal data in breach of this Article of these GTCs.
- The Provider and their employees shall be bound by secrecy concerning personal data of the User’s clients. Personal data shall not be used for personal needs nor published, disclosed or made available. They shall be bound by secrecy also after the Agreement has terminated and expired. The Provider is responsible for their employees to be also subject to the obligation of secrecy, as well as for other external associates and persons authorised by the Provider or their employees.
- The Provider shall ensure that collected personal data is processed in a way that enables to identify the User’s clients only during the period necessery for fulfilling the purpose of processing.
- The Provider shall cooperate and enhance synergies with the User when complying with the User’s obligations, react to the User’s clients’ requests when the clients exercize their rights under the provisions of Chapter III of the GDPR, including the obligation to inform the User regarding every written request to access submitted to the Provider in relation to the User’s obligations under the GDPR, Act no. 18/2018 Coll. on the Protection of Personal Data as amended (hereinafter referred to as the Personal Data Protection Act) and other related provisions.
- The Provider shall cooperate and enhance synergies with the User when complying with the obligations as laid down in the provisions of Articles 32 to 36 of the GDPR, namely:
- Maintain security of processing;
- Notify a personal data breach to the Personal Data Protection Office and other relevant parties if necessary;
- If necessary carry out a data protection impact assessment concerning the impact of processing on the personal data protection,
- Prior to the start of any processing activity, Personal Data Protection Office should be consulted where a data protection impact assessment indicates that the processing would, in the absence of security measures to mitigate the risk, result in a high risk;
- The Provider shall make available to the User all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits including inspections conducted by the User or another auditor mandated by the User.
- The Provider shall immediately inform the User if, in their opinion, the User’s instruction infringes the Personal Data Protection Act, a specific provision or international agreement, by which the Slovak Republic is bound, which concern personal data protection.
- The Provider is obliged to erase or return personal data to the User and delete existing copies, which contain personal data, when the Agreement is terminated and no longer effective, unless a specific provision or international agreement, by which the Slovak Republic is bound, require to store these personal data.
- Pursuant to Article 13 of the GDPR the Provider provides the User as a Data Subject with the following information:
- Provider’s identification data: Vizion, s.r.o., Address: Kapitulská 6, 917 01 Trnava, Company ID No 45 909 750, registered with the Commercial Register of the District Court Trnava; E-mail: info@vizion.sk
- Controller’s contact data:
- The purpose as well as the legal base for processing personal data is outlined in paragraph 13.1 of this Article.
- The list of personal data is outlined in paragraph 13.1 of this Article.
- In special cases when it is necessary for the provision of Services to disclose personal data to a third party or transfer personal data to a third country, the Provider shall inform the User thereof.
- The Provider shall store personal data during the entire period when providing Services.
- The User has the right to request from the Provider access to personal data regarding a Data Subject, furthermore the User has the right to have personal data corrected, the right to erasure of personal data, the right to restriction of personal data processing, the right to object to processing of personal data as well as the right to data portability.
- If suspicious that their personal data is unlawfully processed, the User may bring proceedings on personal data protection before the Personal Data Protection Office of the Slovak Republic in accordance with § 100 of the Personal Data Protection Act.
- It is necessary for the User to provide personal data as set out in paragraph 13.1 in order to enter into an Agreement and to be provided Services.
- Information regarding the Rights of Data Subjects - Users:
- Right of access to personal data under Article 15 of the GDPR: data subject shall have the right to obtain from the Provider confirmation as to whether or not personal data concerning him or her are being processed. Where that is the case, Data Subject shall have the right to access the personal data and the following information as set out on paragraph 13.8:
- Right of rectification of personal data under Article 16 of the GDPR: Data Subjects shall have the right to obtain from the Provider without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed.
- Right to erasure personal data under 17 of the GDPR: The data subject shall have the right to obtain from the Provider the erasure of personal data concerning him or her without undue delay when Data Subjects exercise their right to erasure if:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing for direct marketing purposes,
- the personal data have been unlawfully processed
- the personal data have to be erased for compliance with the GDPR, the Personal Data Protection Act, a specific provision or an international agreement, by which the Slovak Republic is bound,
- the personal data have been collected in relation to the offer of information society services,
- Right to restriction of processing of personal data under Article 18 of the GDPR: The Data Subject shall have the right to obtain from the Provider restriction of processing where one of the following applies: The Provider shall inform a Data Subject, who has obtained restriction of processing, before the restriction of processing is lifted.
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Provider to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Provider no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the exercise of legal claims;
- the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Provider override those of the Data Subject.
- Under Article 19 of the GDPR the Provider shall inform the Data Subject upon their request about those recipients, to whom the Provider communicated any rectification or erasure of personal data or restriction of processing.
- Right to data portability under Article 20 of the GDPR: The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
- Right to object to personal data processing under Article 21 of the GDPR: The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her on a legal basis due to the fact that the processing of personal data is necessary for the performance of a task carried out in the public interest or on grounds of legitimate interests of the Provider or a third party, including profiling based on those provisions. The Provider shall no longer process personal data unless the Provider demonstrates compelling legitimate grounds for the processing which override the interests or rights of the Data Subject or for the exercise of legal claims. The Data Subject shall have the right to object at any time to processing of personal data concerning him or her for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.
- Under Article 22 of the GDPR the Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Under Article 34 of the GDPR the Provider shall communicate the personal data breach to the Data Subject without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons,
- Information to be provided to the Data Subject
- Under Article 13 of the GDPR and information provided in line with Articles 15 to 22 and Article 34 of the GDPR the Provider shall provide information, which relate to the processing of personal data, to the Data Subject upon their request. The information shall be provided in writing, or by electronic means, typically in the same way as the request was submitted. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means. The Provider shall facilitate the exercise of data subject rights under Articles 15 to 22 of the GDPR.
- The Provider shall provide information in line with paragraph 1 of this Article on action taken on a request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months, and where necessary, repeatedly, taking into account the complexity and number of the requests. The Provider shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
- Information provided under paragraph 1 of this Article shall be provided free of charge.
- Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Provider may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request.
- Restrictions to the Rights of Data Subjects
Under Article 23 of the GDPR and § 30 of the Personal Data Protection Act, the Provider shall inform the Data Subject of restrictions to their rights unless the purpose of restriction is not threatened.