Procesamiento de datos personales
INFORMATION ON THE PROCESSING OF PERSONAL DATA BY THE CONTROLLER FOR MARKETING PURPOSES
provided according to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), in effect from 25.05.2018 (hereinafter referred to as “GDPR Regulation”) and according to Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts, as amended on 25.05.2018 (hereinafter also referred to as “Act on Personal Data Protection”).
All personal data are processed in accordance with the GDPR Regulation with effect from 25.05.2018.
I hereby acknowledge that the website controlled on behalf of X, a.s., with its registered office at Valachovej 1819/1 841 01 Bratislava – mestská časť Dúbravka, Slovak republic, ID: 35742089 (hereinafter also referred to as “X”) is not directly intended for people who cannot authorize the Controller to process their personal data themselves.
Who we are
“X” records your interest in receiving news and current information about suitable offers and marketing information related to tours in Chernobyl, Ukraine.
TRAD NAME thus processes personal data related to your person to the following extent:
name and surname;
email address;
telephone number;
(the data referred to in Points 1) to 3) above hereinafter collectively referred to as also “Personal Data”).
Information on the processing of Personal Data on behalf of “X” according to the GDPR Regulation and the Personal Data Protection Act
Identification and contact details of the Controller
The Controller, on behalf of which the Personal Data is processed, is X, a.s., with its registered office at Valachovej 1819/1 841 01 Bratislava – mestská časť Dúbravka, Slovak republic.
The purposes of processing Personal Data and the legal basis for the processing of Personal Data
“X”, as the Controller, processes Personal Data to the extent that it was provided by you as the Data Subject for the following purposes:
the purpose of direct marketing, to inform clients, as the Data Subject, about news on the individual Projects implemented also in cooperation with “X” and addressing clients with other marketing offers of the Controller, of the “X”, through direct mail, direct offers, or another suitable form. The legal basis for the processing of Personal Data is the authorized interest of “X” (Article 6, Paragraph 1, Letter f) of the GDPR) or consent if the client provides an email address and declares consent to the processing of his/her Personal Data for the purpose of sending business and marketing information from “X” as the Controller (Article 6, Paragraph 1, Letter a) of the GDPR);
the purpose of fulfilling the obligations of “X”, as the Controller, according to applicable legislation, e.g. tax obligations or obligations related to consumer protection in the internal market. The legal basis for the processing of Personal Data is the fulfillment of legal obligations (Article 6, Paragraph 1, Letter c) of the GDPR);
statistical purposes, for the purpose of combining Personal Data with other client data for the purpose of creating reports that help improve the service of “X”, as the Controller, while maintaining technical and organizational measures to ensure compliance with the principle of data minimization. The legal basis for the processing of Personal Data is thus compatible with the further processing of Personal Data (Article 5, Paragraph 1, Letter b) together with Article 89 1 of the GDPR);
the purpose of keeping a record of the requests of Data Subjects and their handling by the Controller, “X”. The legal basis for the processing of Personal Data is the authorized interest of “X” (Article 6, Paragraph 1, Letter f) of the GDPR).
Categories of Data Subjects
“X”, as the Controller, processes Personal Data for purposes of direct marketing related to clients, as the Data Subjects, for which “X” records that they have expressed interest in any of the “X” Projects.
Authorized Interests Pursued by “X” as the Controller
“X” sees an authorized interest in the possibility of acquainting clients in the future with suitable offers related to the Projects.The legal basis for the processing of Personal Data on behalf of “X” for the purpose of direct marketing is an authorized interest of “X” according to the relevant article of the GDPR and the relevant provisions of the Personal Data Protection Act, on the condition that in the case of such interests on the part of “X” they do not outweigh the interests or basic rights and freedoms of the Data Subject that require the protection of personal data.
If you are not interested in receiving news and up-to-date information on promotional offers related to the Projects as the Data Subject, you may, at any time and free-of-charge, exercise the right to object due to reasons related to your concrete situation, to the processing of Personal Data for the purpose of direct marketing by “X”, as the Controller, mainly in the following ways:
by clicking on the relevant link found in each newsletter at any time and free-of-charge;
through email: [email protected]
If you object to the processing of Personal Data for the purpose of direct marketing, “X” will not further process your Personal Data, and you will not receive any news from “X”.
In handling the requests of the Data Subject, “X” sees its authorized interest in the possibility of demonstrating compliance of the procedures with the requirements of the GDPR.
Guidance on the Voluntariness or Obligation to Grant Consent to the Processing of Personal Data
If the Data Subject is interested in the Controller, “X”, sending news and marketing information, the Data Subject is obliged to provide at least its email address to “X” and to grant consent to the processing of his/her Personal Data for the purposes of direct marketing, otherwise it is not possible to subscribe to the news and marketing information sent by “X”.
Recipients or Categories of Recipients of the Personal Data
It is expected that the Personal Data processed on behalf of “X”, as the Controller, will be provided to the following recipients for the purpose of direct marketing:
MailChimp c/o The Rocket Science Group, LLC, with its registered office at 675 Ponce De Leon AVE NE, Suite 5000, Atlanta, GA 30308 USA, MOSS No. EU 826 477 914 (hereinafter referred to as “MailChimp”);
The Transfer of Personal Data to a Third Country
MailChimp will transfer the Personal Data to third countries, to the United States of America. MailChimp has its own certification due to the maintenance of security rules related to personal data protection for EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield transactions and legally transfers EU/EEA personal data to the United States of America in accordance with Privacy Shield certification. Every year, MailChimp also completes a SOC II Type 2 exam in the Core Criteria for ensuring Trust, Integrity in Processing, Confidentiality, and Availability.
The transfer of personal data to a third country or to an international organization may occur if the Commission decides that a third country, territory or several designated sectors in that third country or the given international organization guarantees an adequate level of protection. No special permission is necessary for such a transfer (Article 45, Paragraph 1 of the GDPR);
From the information available at the Personal Data Protection Office of the Slovak Republic (https://dataprotection.gov.sk/uoou/sk/content/prenos-do-krajin-zarucujucich-primeranu-uroven-ochrany), companies certified under the Privacy Shield regimen with a registered office in the United States of America belongs among entities the European Commission has included in the relevant decision in the list of third-country entities that guarantee an adequate level of protection of personal data according to the GDPR.
The Decision of the Commission on the adequate protection of personal data, including the list of countries, can be found on the following Internet link: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
The Retention Period of Personal Data, or the Criteria for Determining the Processing Period of Personal Data
Personal data will be processed until the period when the purpose of processing the Personal Data for which it was obtained expires, however, at the latest until the legal basis for the processing of Personal Data according to the GDPR and the Act on Personal Data Protection is in force.
Information Related to Automated Individual Decision-Making
“X”, as the Controller, does not use any of the automated individual decision-making or profiling procedures in the processing of Personal Data on behalf of “X”.
Information on Other Rights of Clients, as the Data Subjects, in Accordance with Valid and Effective Legislation and Information on the Procedures for Exercising the Rights of Clients, as the Data Subject, According to the Provisions of the Personal Data Protection Act
On the condition of compliance with the valid and effective legal regulations governing personal data protection according to the GDPR and according to the Act on Personal Data Protection, as the Data Subject you have the following rights:
The Right to Request Access to the Personal Data Related to Him/Her from the Controller, according to Article 15 of the GDPR:
The Data Subject has the right to obtain from “X”, as the Controller, confirmation of the processing of the personal data related to him/her and, if so, he/she has the right to access such personal data and the following information:
processing purposes;
the data category of the data subject;
the recipients or the categories of recipients to whom the personal data have been or will be provided, mainly recipients in third countries or international organizations;
when possible, for the expected retention period of the personal data or, if that is not possible, the criteria for its determination;
the existence of the right to require the Controller to correct personal data relating to the Data Subject or delete or restrict the processing or to oppose such processing;
the right to file a grievance with a supervisory authority;
if personal data have not been obtained from the Data Subject, any available information concerning their source;
the existence of automated decision-making, including the profiling specified in Article 22, Paragraph 1 and 4 of the GDPR and, in such cases, at least meaningful information on the used procedure, as well as the significance and foreseeable results of such processing for the Data Subject.
If personal data are transferred to a third country or international organization, the Data Subject shall have the right to be informed of reasonable guarantees regarding the transfer according to Article 46 of the GDPR.
“X”, as the Controller, will provide a copy of the personal data being processed. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee corresponding to the administrative cost. If the Data Subject has made the request through electronic means, the information shall be provided in a commonly used electronic form, unless the Data Subject has requested a different method. The right to obtain a copy must not result in an adverse effect on the rights and freedoms of others.
Right to the Rectification of Personal Data according to Article 16 of the GDPR:
The Data Subject has the right so that “X”, as the Controller, corrects incorrect personal data relating to him/her without undue delay. With regard to processing purposes, the Data Subject is entitled to supplement incomplete personal data, also through the provision of a supplementary statement.
Right of Deletion (Right to “Obscurity”) according to Article 17 of the GDPR:
The Data Subject also has the right to obtain from “X”, as the Controller, the deletion of the personal data concerning him/her without undue delay and “X”, as the Controller, is obliged to delete personal data without undue delay if any of the following reasons are met:
personal data are no longer needed for the purposes for which they were obtained or otherwise processed;
the Data Subject revokes the consent under which the processing is performed in accordance with Article 6, Paragraph 1, Letter a) or Article 9, Paragraph 2, Letter a) of the GDPR, and when there exists no other legal basis for processing;
the Data Subject objects to the processing according to Article 21, Paragraph 1) of the GDPR and do not preclude any authorized reason for processing, or the Data Subject objects to the processing according to Article 21, Paragraph 2 of the GDPR);
the personal data was unlawfully processed;
the personal data must be deleted in order to meet a legal obligation according to the law of the Union or the law of the Member State to which the Controller is subject;
the personal data were obtained in connection with the provision of information society services according to to Article 8, Paragraph 1 of the GDPR);
If the Controller discloses personal data and is obliged to delete personal data, taking into consideration available technology and the cost of implementing the measures, it shall take reasonable measures, including technical measures, to inform the Controllers who process the personal data that the Data Subject is requesting them to delete all references to such personal data, along with their copies or replicas.
The right of deletion does not apply if processing is necessary:
for the exercising of the right to freedom of expression and information;
for meeting a legal obligation requiring processing according to Union law or the law of the Member State to which the Controller is subject, or in order to meet a task implemented in the public interest or in the exercising of public authority entrusted to the Controller;
due to public interest in the field of public health, in accordance with Article 9, Paragraph 2, Letter h) and i) and Article 9, Paragraph 3 of the GDPR);
for the purpose of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes according to Article 89, Paragraph 1 of the GDPR, unless it is probable that the above-mentioned law will seriously disallow or severely impair the reaching of the objectives of such processing, or
to prove, enforce or defend legal claims.
The Right to Restrict Processing according to Article 18 of the GDPR:
The Data Subject has the right to restrict the processing by the Controller for one of the following cases:
- a) the Data Subject asserts the accuracy of the personal data during a period allowing the Controller to verify the accuracy of the personal data;
- b) the processing is unlawful and the Data Subject objects to the deletion of personal data and requests restrictions on their usage instead;
- c) the Controller no longer needs personal data for processing but needs the Data Subject for the proving, application or defense of legal claims;
- d) the Data Subject objected to the processing according to Article 21, Paragraph 1 of the GDPR, until verification whether authorized reasons on the part of the Controller outweigh the authorized reasons of the Data Subject.
If the processing in accordance with the above-mentioned restriction has been restricted, such personal data shall, with the exception of retention, be processed only with the consent of the Data Subject or for the purpose of proving, applying or defending legal claims or for the protection of the rights of another natural person or legal entity or for reasons of significant public interest for the Union or a Member State.
A Data Subject who has attained a restriction in processing in accordance with the above-mentioned is informed by the Controller before the processing restriction is revoked.
The Right to Data Portability according to Article 20 of the GDPR:
The Data Subject has the right to obtain personal data relating to him/her and which he/she has provided to the Controller in a structured, commonly used and machine-readable format and has the right to transfer this data to another Controller without the provider to whom the personal was provided preventing the transfer, if: a) the processing is based on the consent referred to in Article 6, Paragraph 1, Letter a) or Article 9, Paragraph Article 2, Letter a) of the GDPR or the contract referred to in Article 6, Paragraph 1, Letter b) of the GDPR, and b) where the processing is performed through automated means.
In the exercising of his/her right to data portability, the Data Subject has the right to transfer personal data directly from one Controller to another Controller, as much as technically possible.
The application of the law does not affect Article 17 of the GDPR. This right does not apply to the processing necessary to meeting a task performed in the public interest or in the exercise of public authority entrusted to the Controller. The right to data portability must not have an adverse effect on the rights and freedoms of others.
The Right to Object to Processing, Including Objection to Profiling (If Performed) according to Article 21 of the GDPR:
The Data Subject shall have the right at any time to object, for reasons relating to his or her concrete situation against the processing of personal data concerning him/her, which is performed pursuant to Article 6, Paragraph 1, Letter e) or f) of the GDPR, including objection to profiling, based on the above-mentioned provisions. The Controller may not further process personal data unless it demonstrates the necessary authorized reasons for processing, which outweigh the interests, rights and freedoms of the Data Subject or reasons for proving, applying or defending legal claims. If the personal data are processed for the purposes of direct marketing, the Data Subject has the right at any time to object to the processing of personal data relating to him/her for the purposes of such marketing, including profiling in the range related to such direct marketing. If the Data Subject opposes the processing for purposes of direct marketing, the personal data may no longer be processed for such purposes.
In relation to the use of information society services and regardless of Directive 2002/58/EC, the Data Subject may exercise his/her right to object to automated means by use of technical specifications. If the personal data are processed for purposes of scientific or historical research or for statistical purposes according to Article 89, Paragraph 1 of the GDPR, the Data Subject has the right to object, for reasons related to his/her concrete situation, to the processing of personal data concerning him/her, except in cases when processing is necessary for meeting a task due to public interest.
The Right to File a Grievance to the Supervisory Authority Pursuant to Article 77 of the GDPR:
The supervisory authority to which the Data Subject addresses his/her complaint in justified cases shall be understood as the Office for the Protection of Personal Data of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava 27.
The Right to Revoke Consent to Processing according to Article 7 of the GDPR:
In case the legal basis for the processing of personal data is the consent of the Data Subject, the Data Subject may at any time revoke his/her consent without impacting the lawfulness of the processing based on the consent granted prior to its revoking.
The right to revoke consent at any time, even before the expiration of the period for which it was granted, may be exercised by the Data Subject mainly through the following ways:
by clicking on the relevant link found in each newsletter at any time and free-of-charge;
through e-mail: [email protected].
“X” is obliged to take appropriate measures and provide information to the Data Subject according to Section 19 and 20 of the Personal Data Protection Act and notifications according to Sections 21 to 28 and 41 of the Personal Data Protection Act concerning the processing of his/her personal data, in a concise, transparent, comprehensible and easily accessible form, clearly worded, mainly for information intended specifically for a child. “X” is obliged to provide information paper or electronic form, regularly in the same format as the sent request. If requested by the Data Subject, “X” may also provide orally information if the Data Subject can prove his/her identity through another method.
“X” provides assistance to the Data Subject in exercising his/her rights according to Sections 21 to 28 of the Personal Data Protection Act. In the cases specified in Section 18, Paragraph 2 “X”, as the Controller , cannot refuse to act on the basis of the request of a Data Subject in the exercising of his/her rights according Sections 21 to 28 of the Personal Data Protection Act, unless it proves that it is not able to identify the Data Subject.
“X” is obliged to provide the Data Subject with information on the measures that were taken at his/her request according to Sections 21 to 28 of the Personal Data Protection Act within one month of receiving the request from the Data Subject. In justified cases the above-mentioned period can be extended by “X” for another two months, with regard to the complexity and the number of applications, also if repeated. However, “X” is obliged to inform the Data Subject of any such extension within one month of receiving the request along with the reasons for the extension of the period. If the Data Subject has sent in a request in electronic form, “X” will provide the information in electronic form if the Data Subject did not request that the information be provided through another method.
If “X” fails to carry out measures at the request of the Data Subject, it shall, within one month from receiving the request, inform the Data Subject of the reasons for the failure to take measures and the possibility of filing a proposal according toSection 100 of the Personal Data Protection Act at the Office for the Protection of Personal Data of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava 27.
Information according to Sections 19 and 20 of the Personal Data Protection Act and the notifications and measures taken according to Sections 21 to 28 and 41 of the Personal Data Protection Act are provided free-of-charge. If the request of the Data Subject is manifestly unfounded or inappropriate mainly due to its recurring nature, “X” may:
require a reasonable fee, considering the administrative costs of providing information or a reasonable fee considering the administrative costs of communication or a reasonable fee considering the administrative costs of implementing the requested measure; or
refuse to act on the basis of the request.
“X” shall prove the irrelevance or inappropriateness of the request.
“X” may request the provision of additional information necessary to verify the identity of the Data Subject if it has reasonable doubts as to the identity of the natural person who submitted the request according to Section 21 to 27 of the Personal Data Protection Act; laid down by Section 18 of the Personal Data Protection Act.
In case of any questions, you can contact “X” at any time through the contact form specified and found on the website.
Besides our contact form, you can also contact us at any time through the e-mail [email protected].