
According to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "the Regulation") and in accordance with Section 19 of Act no. 18/2018 Coll. on the personal data protection (hereinafter referred to as "the Act").

Controller

Business Name: HOTOVO s. r. o.
Registered Office: Štúrova 44 040 01 Košice
BIN: 45635404
registered in the Business Register of the City Court Košice, section Sro, insert No. 25976/V

Data Controller Contact Person: Ján Strelka

privacy@hotovo.com
Štúrova 44 040 01 Košice

Data Subject’s Rights

  • The right of access to personal data
  • The right to rectification
  • The right to data portability
  • The right to erasure
  • The right to restrict processing
  • The right to object
  • The right to lodge a complaint

The Data Subject is a natural person whose personal data we process, in particular, but not exclusively, employees and clients. Such Data Subjects, about whom personal data is processed through our information systems for specific defined purposes, have rights that they can exercise in writing or electronically with the Controller designated contact person. The Data Subject is YOU.

The right of access to personal data

i.e. the right to obtain confirmation from the competent person as to whether the personal data of the Data Subject, who has exercised their right, is being processed, as well as the right to obtain access to such data. As a Data Subject, you are entitled to access information on: the purposes of the processing, the category of personal data concerned, the range of recipients, the processing and retention time, the progress of each automatic processing, or the consequences of such processing, and so forth. (See Article 15 of the Regulation for further information). As the Controller, we have the obligation to take all reasonable steps to verify the identity of the Data Subject who is requesting access to the data, in particular in relation to online services and identifiers. At the request of the Data Subject, the Controller shall issue a certificate as to whether the personal data of the Data Subject concerning them is being processed. If the Controller processes this data, a copy of the personal data is provided to the Data Subject upon request. Issuance of the first copy is free of charge. For any additional copies requested by the Data Subject, the Controller will charge a fee corresponding to the administrative costs they will incur with the issuance of the copy. If a person requests information by electronic means, it will be provided to them in a commonly used electronic form, via e-mail, unless requested otherwise.

The right to restrict processing

Can be applied if you, as the Data Subject, challenge the accuracy of personal data and other details within the meaning of Article 18, recital 67 of the Regulation, by temporarily transferring selected personal data to another processing system, denying users access to selected personal data or temporarily removing processing.

The right to rectification

Applies in the event that the Controller holds inaccurate personal data about the Data Subject. The Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement. The Controller shall correct or supplement the personal data concerned without undue delay after the Data Subject concerned has issued a request.

The right to erasure

The right to be forgotten, i.e. the "removal" of personal data concerning the Data Subject. However, due to its nature and gravity, this right of the Data Subject is limited by the setting of other preconditions. The Controller shall without undue delay delete all personal data after the exercise of this right by the Data Subject if any or all of the following conditions are met: (a) the personal data is no longer necessary for the purposes for which they were collected or otherwise processed; (b) the Data Subject withdraws the consent on the basis of which the processing takes place; (c) the Data Subject objects to the processing of personal data; (d) personal data have been processed illegally; (e) the reason for deletion is the fulfillment of the obligation of a law, special regulation or international agreement by which the Slovak Republic is bound, or (f) personal data was obtained by a company offering services to a person under the age of 16.
The Data Subject shall not have the right to have personal data erased provided that their processing is necessary: (a) to exercise the right to freedom of expression and information; (b) to fulfill an obligation under the law, a special regulation or an international agreement by which the Slovak Republic is bound, or to fulfill a task carried out in the public interest or in the exercise of public power entrusted to the Controller; (c) for reasons of public interest in the field of public health; (d) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, where the right of erasure is likely to prevent or seriously impede the attainment of the objectives of such processing; or (e) to establish, assert or defend legal claims.
The Controller shall delete all the personal data of the Data Subject upon request, without delay, after assessing that the data subject’s request is justified.

The right to lodge a complaint to initiate the personal data protection proceeding

The Data Subject has the right to file a motion to initiate proceedings with the Office for Personal Data Protection of the Slovak Republic if they, the Data Subject, consider that their personal data protection rights have been violated.

More information can be found under the Regulation 2016/679 and the Act (§ 19 of Act no. 18/2018 Coll.)

The right to object

The Data Subject has the right to object at any time to the processing of their personal data on grounds relating to their specific situation. The Data Subject may object to the processing of their personal data on the basis of: (a) the legal title of the performance of tasks performed in the public interest or in the exercise of official authority, or the legal title of the legitimate interest of the controller; (b) processing of personal data for direct marketing purposes; (c) processing for scientific or historical research or for statistical purposes. The objection will be reviewed when received in a timely manner. In this instance, further processing of personal data may cease, unless it is demonstrated that the necessary legitimate interests for the processing of personal data outweigh the rights or interests of the Data Subject or the grounds for a legal claim.

The right to data portability of personal data

As a Data Subject, you have the right to obtain the personal data you have provided to the Controller and to transfer it to another controller in a usable and machine-readable format, provided that the personal data has been obtained with the data subject’s consent or contract and is processed by automated means.

More details

  • The purpose of processing personal data is the reason for the Controller to process the personal data of the Data Subjects in the information systems on specific legal bases. Any processing of personal data is based on a specific legal basis and for a specific, legitimate and explicit purpose.
  • In order to maximize the protection of your personal data, we as the Controller have taken appropriate personnel, organizational and technical measures. Our aim is to prevent (in the event of a breach) and/or reduce the risk of leakage, misuse, disclosure or other use of your personal data against your will. Should any breach event occur, which is likely to cause a high risk situation to the rights and freedoms of a natural person, you will be contacted immediately as the Data Subject concerned (Article 34 of the Regulation).
  • In order to maintain the principles of personal data processing set out in the Regulation, as well as in the law, in particular the principles of minimizing personal data, we require from you, as the Data Subject, only the personal data that is necessary, for legal or contractual requirements to fulfill the purpose of their processing. Please note that failure to provide this mandatory information necessary for the conclusion of the contract, may result in the non-conclusion of the contractual relationship.

Contractual relations

Personal Data processing purposes

Monitoring compliance with legal regulations, procurement of legal matters, review and preparation of contractual relations, property transfers, lease agreements, purchase agreements.

Furthermore, it includes participating in the drafting of contracts within the framework of supplier-customer relations, exercising the right to fulfill obligations from contracts and property sanctions, rights to compensation for damages, etc.

Legal basis

Act no. 40/1964 Coll. Civil Code, as amended,
Act no. 513/1991 Coll. Commercial Code, as amended,
Act no. 250/2007 Coll. on consumer protection and on changes to Act No. 372/1990 Coll. on offenses as amended
contracts concluded in accordance with the aforementioned legal regulations.

Receiver Categories

  • bodies of state administration, government and public administration - according to the relevant legal regulations
  • Bank Institutions - Act No. 483/2001 Coll. as amended
  • Insurance Institutions - Act No. 39/2015 Coll. as amended
  • Slovak Post Office and Courier companies - Act No. 324/2011 Coll. as amended
  • Suppliers - contractual basis
  • Courts, law enforcement agencies - Act No. 160/2015 Coll. as amended, Act No. 161/2015 Coll. as amended, Act No. 162/2015 Coll. as amended, Act No. 301/2005 Coll. as amended
  • Accounting auditor - Act No. 431/2002 Coll. as amended
  • Intermediary: Auditor, lawyer

Due dates for Personal Data deletion

  • Important Contracts Register – contracts with municipalities, real estate contacts - 10 years
  • Other Contracts Register (Centralized tender process documentations; Supplier, Purchase, Consulting Contracts, Insurance Contracts, Leasing Contracts, Investments, Credit Contracts, Leases etc.) - 10 years
  • Insurance Claims - 10 years

Data subject categories

Contracting Party – natural persons

Information about the existence of automated decision-making, including profiling - Not being carried out
Cross border transmission of the personal data outside EU - Not being carried out

Register of suppliers’ and customers’ representatives

Personal Data processing purposes

The purpose of processing personal data within the subject agenda is to maintain a database of representatives, employees of suppliers and customers for the purpose of fulfilling their work, official and functional responsibilities and ensuring smooth supplier-customer relations.

Legal basis

Legitimate interest per Article 6 section 1 letter f) of the Regulation. The main legitimate interest is provisioning of contacts for sake of good business relations, as well as the application of § 78 section 3 of Act No. 18/2018 Coll. on the protection of personal data and on the amendment of other related laws.

Receiver Categories

  • auditor, attorney at law
  • authorized staff

Due dates for Personal Data deletion

Within 30 days from termination of contractual relationships

Data subject categories

Natural person – representative / employee of the supplier or customer

Information about the existence of automated decision-making, including profiling - Not being carried out
Cross border transmission of the personal data outside EU - Not being carried out

Exercising data subjects rights

Personal Data processing purposes

The purpose of processing personal data within this agenda is to process requests from natural persons aimed at exercising their rights as data subjects in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data.

Legal basis

Art. 15 to 22 and 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement of such data.

Receiver Categories

  • bodies of state administration, government, and public administration according to the relevant legal regulations
  • auditor, attorney at law
  • authorized staff

Due dates for Personal Data deletion

1 year from the request of a natural person
Personal Data will be retained for a period of 1 year. After that time, if there is no legitimate reason to hold your data, it will be deleted from our systems.

Data subject categories

Natural person, who as a data subject submits a request in framework of specific purposes for exercising their rights

Information about the existence of automated decision-making, including profiling - Not being carried out
Cross border transmission of the personal data outside EU - Not being carried out

Debt collecting

Personal Data processing purposes

The purpose of personal data processing within this agenda is to secure Controller’s claims from unpaid obligations of debtors - i.e. debt collection from debtors. This agenda includes the processing of personal data for the purpose of satisfying the creditor (the Controller) in full, from sending urgent requests, notices, submitting a proposal to the relevant court of the Slovak Republic or an arbitration court, enforcing a valid decision by submitting a proposal for execution to the executor, filing a claim for bankruptcy or restructuring and other steps associated with claiming the amount owed.

Legal basis

Act No. 460/1992 Coll. Constitution of Slovak Republic as amended,
Act No. 40/1964 Coll. Civil Code as amended,
Act No. 160/2015 Coll. as amended,
Act No. 161/2015 Coll. as amended,
Act No. 162/2015 Coll. as amended,
Act No. 300/2005 Coll.,
Act No. 301/2005 Coll.,
Act No. 71/1967,
Act No. 233/1995 Coll. as amended
Act No. 7/2005 Coll. as amended,
Act No. 153/2001 Coll. as amended,
Act No. 372/1990 Coll.,
Act No. 586/2003 Coll. and Act No. 455/1991 Coll. as amended,
Personal Data Protection Act and related legal regulations as amended

Receiver Categories

  • Attorney at law/ legal representative
  • debtor and their legal representative
  • intervener and other persons involved in the dispute
  • judicial authorities
  • Auditor
  • enforcement authorities
  • bodies of state administration, government and public administration according to relevant legal regulations,
  • authorized employees

Due dates for Personal Data deletion

3 years to 10 years from the end of the contractual relationship with the client

Data subject categories

Controller’s debtors

Information about the existence of automated decision-making, including profiling - Not being carried out
Cross border transmission of the personal data outside EU - Not being carried out