Personal Data Processing and Protection Policy of Kiuub s. r. o.
(updated on 1 August 2020)
This Personal Data Protection Policy stipulates the principles of personal data processing at Kiuub s. r. o., with its registered office at Hlavná 25, Trnava 917 01, Slovak Republic, company identification number: 52 507 742, registered with the Commercial Register of the Trnava District Court, section: Sro, Entry No. 44918/T (hereinafter as the “Company”), with the objective of creating an effective and consistent Personal Data Protection Policy in line with the applicable legal regulations.
1. General introduction
This Personal Data Processing and Protection Policy (hereinafter as the “Policy”) reflects the respective European legislation, i.e. the Regulation (EU) 2016/679/EU of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as the “Regulation”), and Slovak legislation, in particular the Act No. 18/2018 Coll. on Personal Data Protection and on amendments and supplements to certain acts (hereinafter as the “Act”). Its objective is to regulate the handling of Personal data within the Company.
The Company is aware that Personal data protection is contingent on the specific Personal data processing powers and the everyday actions of the authorised personnel, or rather all parties involved in the business activities of the Company. Personal data protection as a type of information asset subject to specific regulations and protection under the Act is part of the information asset protection agenda. Observing the principles and rules of the Policy helps spread a positive culture of Personal data handling and raise the level of Personal data protection at the Company. Enforcement of the rules stipulated in this Policy is part of the permanent and goal-directed process encompassing several levels, namely, the methodical, executive and supervisory.
The Company and its statutory body, as the Controller, pursuant to the Regulation and the Act, are responsible for the supervision of the system of protection and processing of Personal data within the Company, which involves in particular adoption and approval of suitable technical and organizational measures matching the manner of Personal data processing and taking into account the available technical means, confidentiality and importance of processed Personal data, as well as the scope of possible risks that could breach the safety of Personal data processing.
For the purposes of this Policy the Company is deemed a Controller.
2. Definitions of used terms
The terms used in this Policy shall have the meanings specified below:
- Data subject means any natural person to which Personal data pertain;
- Supervisory authority means an independent public authority established by a member state pursuant to Article 51 of the Regulation; in the Slovak Republic, the Supervisory authority is the Office for Personal Data Protection of the Slovak Republic;
- Restriction of processing means the marking of stored Personal data with the aim of limiting their processing in the future;
- Personal data means any information relating to an identified or identifiable natural person which is, in every case, a Data subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Controller means the Company as a legal person which determines the purposes and means of the processing of Personal data;
- Recipient means a natural or legal person, public authority, agency or another body, to which the Personal data are disclosed, whether a third party or not. However, public authorities which may receive Personal data in the framework of a particular inquiry in accordance with Union or member state law shall not be regarded as recipients;
- Profiling means any form of automated processing of Personal data consisting of the use of Personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- Pseudonymization means the processing of Personal data in such a manner that the Personal data can no longer be attributed to a specific Data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal data are not attributed to an identified or identifiable natural person;
- Processor means a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller; on the basis of a separate contract with the Controller, a Partner or any of the entities providing services to the Company by virtue of a separate contractual relationship can act as a Processor;
- Consent of the Data subject means any freely given, specific, informed and unambiguous indication of the Data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal data relating to him or her;
- Third country means a country which is not a member state of the European Union, or a contractual country specified in the Agreement on the European Economic Area.
- Company Website means the internet website of the Company www.kiuub.com.
- Contract denotes, without limitation, contracts which the Company concluded with a legal or natural person imposing certain rights and obligations on the Company.
- Lawfulness, fairness and transparency: Processing of Personal data with regard to the Data subject must be lawful and transparent;
- Purpose limitation: Personal data can only be obtained for specific, explicit and lawful purposes and must not be processed in a manner that is incompatible with those purposes;
- Data minimisation: The Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Storage minimisation: The Personal data shall be kept in a form which permits identification of Data subjects for no longer than it is necessary for the purposes for which the Personal data are processed;
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate protection of the Personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Within the Company, only officials and representatives requiring access to Personal data as part of their working position will have access to Personal data;
- Accountability: The Company, as the Controller, is responsible for the compliance with the aforesaid Principles relating to processing of Personal data.
- identification data, such as the name, surname, data from identification documents, nationality, photograph from identification documents;
- contact information, such as the permanent or temporary residence address, e-mail address, phone number;
- copies of documents, including identification documents;
- data related to use of the Company website (e.g. cookies);
- data related to subscriptions to the Company marketing channels;
The categories of Personal data kept for a specific Data subject are always a subset of the above list.
Should the processing of some categories of Personal data require the consent of the Data subject, the Data subject will be advised of this and Data subject’s consent form must include all the Personal data to be processed on the basis of the consent of the Data subject, including the purpose for which the Personal data will be processed.
- contractual partners of the Company providing administrative services and performing other activities on the basis of separate contracts;
- companies in charge of processing the wage and financial agenda;
- companies in charge of intellectual property protection and due diligence at the Company;
- Company investors and consultants;
- IT service providers or companies in charge of security at the premises of the Company.
If the Data subjects’ Personal data are being processed by a contractual partner of the Company, for and on behalf of the Company, the Company must have entered with such contractual partner into a Personal Data Processing Agreement concluded in accordance with the applicable personal data protection legislation, whereby such contractual partner shall only be entitled to process Personal data by virtue of documented instructions of the Company, and both the contractual partner and its employees shall be bound by a confidentiality obligation with regard to the processed Personal data of the Data subjects.
3. Process management strategy with regard to processing of Personal data and Principles relating to processing of Personal data
The system of monitoring, management and control of activities pertaining to processing of Personal data forms an integral part of efficient Company governance.
The strategy of Personal data protection at the Company is built around the Principles relating to processing of Personal data, determined by the Company and its day-to-day operation and activities pertaining to processing operations involving Personal data. The objective of the Principles relating to processing of Personal data specified in this Policy is to guide and raise awareness with regard to processing of Personal data among the officials and representatives of the Company. The objective of this Policy is to ensure security, integrity, and protection of Personal data within the Company.
In connection to potential Personal data protection legislation changes and possible changes of technical standards, the Company provides for constant monitoring of the respective regulations and reviews potential inconsistencies between the Policy and the said regulations.
To fulfil all its obligations under the Regulation and the Act, the Company, as the Controller, identified the main principles relating to processing of Personal data (hereinafter as the “Principles relating to processing of Personal data”). These are the following principles relating to processing of Personal data:
4. Scope of processed Personal data
The Company only processes Personal data it needs in order to fulfil its contracts and comply with its legal and contractual obligations and to protect the legitimate interests it pursues.
The Company is especially careful to only process Data subjects’ Personal data necessary to accomplish the purpose of the respective processing.
The Company applies this Personal data minimisation principle also with regard to Personal data provided to the Company on the basis of the consent of the Data subject.
The processed Personal data of Data subjects may include (without limitation) the following categories of Personal data:
5. Sources of Personal data
In most cases, the Company processes Personal data provided to it in connection with Contract performance or directly by the Data subjects.
The Data subjects’ Personal data can also be obtained from public sources published in compliance with the applicable legislation.
6. Purposes of Personal data processing and the legal basis of processing
It is in the interest of the Company to process Personal data of Data subjects only for specific and valid purposes. The Company primarily processes Personal data it needs in order to perform its contractual obligations.
The Company also processes certain Personal data of Data subjects where such processing is necessary for the purposes of the legitimate interests pursued by the Company as the Controller. If so required with regard to the nature of the processed Personal data, the Company must request consent from the Data subject to process their Personal data.
6.1 Contractual relationships
The purpose of Personal data processing is the signing and performance of a Contract.
The legal basis of processing is performance of the Contract, as well as legitimate interests of the Company, as the Controller, involving effective communication with Data subjects. In this case, the consent to process Personal data is not required. Provision of Personal data represents a legal or a contractual requirement, and if such data are not provided the Company cannot fulfil its legal obligations arising out of the respective legislation or cannot fulfil a Contract. The Data subject is obliged to provide their Personal data or endure provision of their Personal data in compliance with the Regulation and the Act, whereby if the Personal data are not provided, the Company cannot effectively communicate with the other contractual party or the Data subjects.
6.2 Legitimate interests of the Company
The purpose of the processing of Personal data is the legitimate interests of the Company.
These are some of the legitimate interests the Company may have:
- protection of the Data subjects’ safety and interests;
- protection of Company property;
- business prudence;
- promotion of goods, services, and reputation of the Company.
The legal basis for processing is the legitimate interests of the Company, which, however, must not override the interests or the fundamental rights of the Data subjects. In this case, the consent to process Personal data is not required.
6.3 Compliance with legal obligations
The purpose of Personal data processing is the fulfilment of the legal obligations imposed on the Company by the respective legal regulations or other legislation.
The legal basis of processing is the fulfilment of the legal obligations of the Company which arise or may arise out of the respective legal regulations or other legislation. In this case, the consent to process Personal data is not required.
6.4 Direct marketing – market research and sending of general business information
The purpose of Personal data processing is direct marketing, i.e. market research and sending of business information using all means of communication including electronic ones. Market research includes assessment of Company activities related to the Company website, data on effectiveness of sent business information and the thereto related output.
The legal basis of processing is the consent of the Data subject. In order to select target Data subjects, segmentation can be performed on the basis of available data (according to age, interests, personal preferences, etc.). This type of processing is optional and the Data subject must volunteer to participate in it and may request that such processing be terminated at any time.
6.5 Litigation and other legal proceedings
The purpose of Personal data processing is keeping of records and management of litigations and other legal proceedings which the Company pursues in order to establish, exercise or defend its legal claims.
The legal basis of Personal data processing is the legitimate interests of the Company, as the Controller, pursued in order to establish, exercise or defend legal claims. In this case, the consent to process Personal data is not required.
6.6 Keeping records of mail communication
The purpose of Personal data processing is keeping of records of incoming and outgoing mail. The legal basis of the processing is the legitimate interest of the Company, as the Controller, to keep primary and general records of mail in order to have its complete index in observance of the data minimisation rule. The consent to process Personal data is not required. The Data subject is obliged to provide their Personal data, otherwise it may not be possible to send the required mail and keep records of it. The Data subject’s Personal data are not provided to other Recipients.
6.7 Registry management
The purpose of Personal data processing is the due registry management. The legal basis of Personal data processing is the fulfilment of the legal obligation stipulated by the Act No. 395/2002 Coll. on Archives and Registries and on the amendment of certain acts as amended, and by other related special legislation. In this case, the consent to process Personal data is not required. Provision of Personal data represents a legal requirement, and if such data are not provided, the Company cannot fulfil its legal obligations arising out of the respective legislation.
7. Recipients of Personal data
The Data subjects’ Personal data are processed by the Company using its appropriately trained staff, or using contractual or external service providers.
The Data subjects’ Personal data may be processed by the Company and also by Recipients or categories of Recipients, in particular by:
8. Security of Personal data processing
In order to protect the rights and freedoms of natural persons with regard to the processing of Personal data the Company takes appropriate technical and organisational measures to ensure that the requirements of the Regulation and the Act are met. The Company focuses on the security of Personal data processing and makes a constant effort to prevent security incidents that could potentially result in a risk to the rights and freedoms of Data subjects. The security of Personal data processing is regularly audited taking into account the state of the art and the nature of Personal data processing.
All Personal data which the Company obtains from the Data subject are processed while maintaining a high level of organizational and technological security. The Company regularly reviews, and if possible, applies, appropriate safeguards to protect Personal data, which may include encryption or pseudonymization.
The compliance of Personal data processing at the Company with the Regulation and the Act and the other applicable legal regulations of the EU and the internal policies of the Company is monitored by the respective employees nominated by the Company, as the Controller, to supervise Personal data protection.
9. Rights of Data subjects
It is important for the Company that each and every Data subject maintains control over their Personal data and that the Personal data of each Data subject are processed in accordance with the law.
It is in the interest of the Company to allow the Data subjects to exercise their rights in connection to the protection of their Personal data. Should a Data subject wish to exercise some of their rights stipulated in the Regulation or the Act, they may do so by sending an e-mail to [email protected], or by sending a written request to the address of the Company: Kiuub s. r. o., Hlavná 25, Trnava 917 01, Slovak Republic, or by making a call to: +421 907 394 103, or in person at the Company registered office where they can request a meeting with the person in charge of the Personal data protection agenda.
The Data subject is entitled to demand from the Company access to their Personal data. The Data subject has the right to rectification, erasure or limitation of processing of Personal data, as well as the right to object against the processing of Personal data and the right to data portability. The Data subject also has the right to withdraw the consent to process Personal data and the right to lodge a complaint with a Supervisory authority.
The Company will promptly, however, at the latest within one month of receipt of the request, provide the Data subject with information about the measures it took on the basis of the Data subject’s request submitted in accordance with this article of the Policy. If necessary, the said time limit may be extended by two further months. The Company shall inform the Data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data subject.
If the Company does not take action on the request of the Data subject, the Company shall inform the Data subject without delay and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a Supervisory authority and seeking a judicial remedy.
9.1 Right of access by the Data subject
The Data subject has the right to obtain from the Company a confirmation about the processing of their Personal data. If the Company does process such data, the Data subject has the right of access. In this regard, the Data subject has the right to obtain information about the purposes of Personal data processing, categories of Personal data concerned, Recipients or Recipient categories, the expected retention period of Personal data, the existence of Data subject’s rights in connection to Personal data processing, information about the source of data, unless the data were obtained directly from the Data subject, or information about the existence of automated decision-making including Profiling.
The information about Personal data processing is reasonably amended or updated with each change of the above facts.
9.2 Data subject’s right to have their Personal data rectified
It is in the interest of the Company to only process accurate and up-to-date Personal data of Data subjects. In this regard, the Data subject has the right to request that the Company immediately rectifies any processed incorrect Personal data of the Data subject or amends incomplete Personal data. In this regard, the Data subject must be reasonably informed about their right to rectification and asked to actively use it upon each contact with the Company.
9.3 Data subject’s right to have their Personal data erased
The Data subject has the right to have erased all their Personal data processed by the Company, if one of the following grounds applies:
a) the Personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed;
b) The Data subject withdraws the consent on which the processing of Personal data is based;
c) The Data subject objects to processing of Personal data;
d) the Personal data are being processed unlawfully;
e) the Personal data must be erased for compliance with a legal obligation;
In connection to meeting the obligations pertaining to the Data subject’s right to erasure, the Company must be able to identify the relevant Personal data in its systems and erase them to meet the requirements of the Regulation and the Act.
However, the Data subject’s Personal data will not be erased, if processing is necessary for:
a) exercising the right of freedom of expression and information;
b) compliance with a legal obligation;
c) the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
d) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
e) establishment, exercise or defence of legal claims of the Company.
If Personal data are erased, the Company must reasonably notify each data Recipient.
9.4 Data subject’s right to restriction of Personal data processing
The Data subject has the right to request that the Company limits processing of the Data subject’s Personal data in the following cases:
a) the Data subject contests the accuracy of Personal data;
b) the processing is unlawful and the Data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Company no longer needs the Personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims;
d) the Data subject objects to processing of Personal data. In this case the Company limits processing of Personal data until the proportionality test has been completed, i.e. it has been verified whether the legitimate grounds of the Company override those of the Data subject.
If Personal data processing is limited the Company must reasonably notify each data Recipient.
Methods by which to restrict the processing of Personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected Personal data unavailable to users, or temporarily removing published data from the Company website. Further processing of Personal data should be secured in a manner ensuring that the Personal data are not subject to further processing operations and cannot be changed.
9.5 Data subject’s right to portability of Personal data
Where the processing of Personal data is carried out by automated means and the legal basis of Personal data processing is the consent of the Data subject or performance of a Contract, the Data subject has the right to obtain the Personal data pertaining to him or her which he or she has provided to the Company, in a structured and machine-readable format and has the right to transmit those data to another Controller. Should the Data subject so wish, and where technically feasible, the Company will transfer the Personal data directly to another Controller.
9.6 The Data subject’s right to object to processing of Personal data and automated individual decision-making
The Data subject has the right to object at any time to processing of Personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, or necessary for the purposes of the legitimate interests pursued by the Company and pertaining to the Data subject. The Data subject also has the right to object at any time to processing of Personal data for purposes of direct marketing. In connection to processing of Personal data pursuant to the first and second sentence the Data subjects can also object to Profiling based on such processing.
Should the Data subject choose to exercise this right, the Company shall no longer process the Personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data subject or grounds for the establishment, exercise or defence of legal claims.
The Data subject shall have the right not to be subject to a decision of the Company based solely on automated processing, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
9.7 The Data subject’s right to lodge a complaint with a Supervisory authority
If the Data subject suspects that the Company processes Personal data unlawfully, they can lodge a complaint with a Supervisory authority. In the territory of the Slovak Republic, the Supervisory authority is the Office for Personal Data Protection of the Slovak Republic. When the Data subject lodges a complaint, the relevant officials and representatives of the Company involved in the processing of the Personal data concerned, shall provide all cooperation necessary to close the proceedings.
9.8 The Data subject’s right to withdraw Consent
When Personal data are being processed, which pursuant to the Regulation and the Act require the consent of the Data subject to be processed, the Company will request from the Data subject their consent to process their Personal data for the respective purpose. Such consent must be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data subject’s agreement to the processing of their Personal data. If the Data subject gave their consent to process their Personal data for a specific purpose, they will have the right to withdraw their consent at any time without affecting the lawfulness of processing based on the consent before its withdrawal.
10. Period of Personal data retention
The Company retains Personal data of Data subjects for the duration of their processing, i.e. for a period of time the duration of which depends on the purpose of processing. In general, the Company processes Personal data of Data subjects:
- for the period required by the respective generally binding legal regulation, where Personal data are processed to comply with its legal obligations,
- for the duration of the contractual relationship based on a Contract, or duration of pre-contractual relationship, where Personal data are being processed to perform its contractual obligations;
- for the duration of a legitimate interest pursued by the Company, where Personal data processing is necessary for this purpose;
- for the duration specified in the Data subject’s Consent or until the withdrawal of such Consent, where the Personal data are being processed on the basis of the consent of the Data subject.
To ensure that the Personal data are not kept longer than necessary, time limits will be established by the Company for erasure or for a periodic review of Personal data. Personal data can only be processed while the purpose of their processing exists. After this time period the Personal data will be liquidated without an undue delay in compliance with the Personal data minimisation rule, whereby upon the expiry of the purpose of processing the Personal data will be liquidated in all forms in which they were processed.
The Data subject may at any time request information from the Company regarding the duration of retention of their Personal data.
At the expiry of the respective retention periods the Company may only process the Data subject’s Personal data for compatible or special purposes, such as archiving or statistics.
11. Transfer of Personal data to Third countries
Personal data of Data subjects may be subject to cross-border transfer to Third countries which guarantee an adequate level of Personal data protection.
In case of such transfer of Personal data to Third countries the Company undertakes to ensure during the transfer an adequate level of protection of the Data subjects’ Personal data.
The Company does not transfer Personal data to any Third countries which don’t guarantee an adequate level of Personal data protection.
If, in the future, the Company does transfer Personal data to Third countries which don’t guarantee an adequate level of Personal data protection, it undertakes to proceed in compliance with the Regulation and the Act and all other generally binding legal regulations.
12. Data processors
The Company may use Processors to process Personal data. In this case the relationships between the Processors and the Company are regulated by a contract.
In connection to performance of the Contract, Processors are in particular persons providing services to the Company by virtue of a separate contractual relationship.
The Company undertakes to only cooperate with Processors who have contractually agreed to implement appropriate technical and organizational measures in such a manner that their processing of Personal data will meet the requirements of the Regulation and the Act and who ensure the protection of the rights of the Data subject.
Besides the Partners, Processors can be for example:
- cloud solution and cloud service providers and other suppliers of technologies and Company website functionality support;
- contractual partners providing different administrative services and performing other activities for the Company;
- contractual partners of the Company providing archiving services,
- companies organizing marketing activities and providers of different marketing tools;
- companies providing to the Company data analysis services for purposes of statistics and reporting;
- companies providing legal, accounting and tax consulting services to the Company.
13. Automated processing of Personal data, individual decision-making including Profiling
As part of Contract performance, automated processing of Personal data can take place. The automated processing of Personal data uses automated IT systems, e.g. software, IT applications and other auxiliary systems. The objective of automated processing of Personal data is to ensure efficient performance of the Contract.
In connection with processing of Data subjects’ Personal data the Company does not use decision-making processes based solely on automated processing, including Profiling, which produces legal effects concerning the Data subject or similarly significantly affects the Data subject.
14. Processing of Personal data using cloud solutions
The Company also uses cloud solutions for internal communication and communication with business partners. In order to protect the Personal data shared within such cloud solutions the Company uses state-of-the-art data encryption hardware and software tools, to ensure protection and integrity of the shared (personal) data.
15. Cookies and Web beacons
The Company Website may also contain the so-called web beacons (internet tools helping track the user’s interactions with the Company Website, set cookies, determine the number of visitors or determine how many messages out of the total number of messages sent have been opened, etc.). Web beacons or special code links can be included in leaflets and marketing e-mails of the Company to determine whether the messages have been read, or whether the links therein contained have been clicked.
IP addresses are never provided to any third parties and the Company uses all necessary security measures to ensure their security. The Data subject has the right to information about the use of their IP address.
16. Analysing user data for the Company Website using Google Universal Analytics
Should you have any questions related to the protection of your Personal data, please contact the Company using any of the methods available to Data subjects.
The Company may modify, amend or change this Policy in order to incorporate legislation changes, update the purposes and means of Personal data processing or similar. By amending this Policy, the Company does not limit the rights of Data subjects arising out of the Regulation or the Act. Should this Policy be modified, the Company will notify the Data subjects in an appropriate manner, and publish the amended wording at the Company Website.