PERSONAL DATA PROCESSING POLICY (hereinafter referred to only as the “PD”)

Within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council, in force and effect from 25 May 2018 (hereinafter referred to only as the “Regulation”) and the Act No. 18/2018 on the Personal Data Protection (hereinafter referred to only as the “Act” and hereinafter referred to also as the “PDPA”)

CONTENTS

1. WHO ARE WE?
2. DATA SECURITY
3. BASIC DEFINITIONS
4. WHAT PERSONAL DATA DO WE NEED AND HOW DO WE PROCESS THEM? COLLECTION AND PROCESSING OF PERSONAL DATA
5. SOCIAL NETWORKS
6. RECIPIENTS
7. UNDER 16 YEARS OF AGE
8. PROCESSING TIME
9. TRANSFER TO A THIRD COUNTRY
10. AUTOMATED PROFILING
11. RIGHTS OF THE DATA SUBJECT
12. FINAL PROVISIONS

1. WHO ARE WE?

The protection of your privacy when using our website located on the domain https://skauhouse.sk/ is extremely important to us. Therefore, in the following text, we thoroughly inform you about the processing of your personal data.

Responsible for the protection of personal data on this website is the company: Skau s.r.o., Račianska 1579/88 B, Bratislava – Nové Mesto District 831 02 , registered in the Company Register of the City Court pf Bratislava III, Section: Sro, File number: 166233/B, Company Reg. No.: 55 040 101 (hereinafter referred to only as the “Controller” or “We” or the “Company”) is the operator of the website located on the domain https://skauhouse.sk/ (hereinafter referred to only as the “Website”). When using and processing personal data, the company strictly complies with the relevant personal data regulations.

Contact details of the controller:
E-mail: gdpr@skauhouse.sk

The controller has not designated a responsible person in relation to personal data.

The company is the holder of the domain name as well as of the rights associated with and related to this website. All published content on our website (such as texts, logos, trademarks, photographs, images, audio, or audiovisual recordings) is protected by copyright and is our property or we use it under a license to which we reserve the rights. We allow the downloading of materials only for personal, non-commercial purposes and in accordance with this policy of use.
Access to our website is free of charge. You bear all costs that you incur in connection with accessing our website. The content of our website may not be available continuously, especially due to a technical error as the result of our decision, if we decide to make the content of the website or any part thereof unavailable.

We shall not be liable for any damage (direct or indirect), loss, costs and expenses of any kind that you may incur in connection with your access and/or use of our website and/or the publication of out-of-date, false or incorrect data that constitutes the content of our website, and which were created by us or caused by technical equipment, human error or software application connected with our website. We do not guarantee the compatibility of our website with your computer system or software. We also do not guarantee that this website is not infected with a malicious code, or that the server that makes it available is free of a malicious code or other malicious components.

It is expressly prohibited to link our website to another website or to select any part thereof without our permission; to use our website for illegal purposes or for the distribution of a malicious code; to change and/or to modify its content.

2. DATA SECURITY

2.1 Security of Personal Data
The company observes strict security measures for the protection of personal data in order to prevent unauthorized or accidental access to such personal data, their change, destruction or loss, unauthorized transmission, as well as their other unauthorized processing or misuse. The company requires the compliance with equally strict measures to ensure the security of personal data processing also from all the processors whose services it uses, specifically on the basis of concluded contracts on intermediation of personal data processing in accordance with Art. 28 of the Regulation.
The adopted measures are subject to regular control and are continuously adapted according to the latest state-of-the-art knowledge. Should there be a breach of the protection of your personal data, we will inform you without undue delay within 72 hours if such a breach of the protection of your personal data could lead to a high risk for your rights.

2.2 If you log in to your user account, you have the obligation to keep your login information secret and to limit access by unauthorized persons to the devices you use to log in to such account. You are responsible to take all necessary measures to ensure the security of your user account. If you believe that your login information has been used in an unauthorized manner or that your account has been misused, you are obliged to notify us of such fact immediately.

3. BASIC DEFINITIONS

Data subject. Any natural person whose personal data are processed.
Consent of the data subject. Any serious and freely given, specific, informed, and unequivocal expression of the will of the data subject in the form of a statement or unequivocal affirmative action by which the data subject expresses consent to the processing of their personal data.
Personal data. Data relating to an identified natural person or an identifiable natural person who can be identified directly or indirectly, in particular on the basis of a generally applicable identifier such as name, surname, identification number, location data, or online identifier, or on the basis of one or more characteristics or features that make up the person´s physical identity, physiological identity, genetic identity, psychological identity, mental identity, economic identity, cultural identity or social identity.
Processing of personal data. A processing operation or a set of processing operations with personal data or with sets of personal data, in particular obtaining, recording, organizing, structuring, storing, changing, searching, browsing, using, providing by transmission, dissemination or in any other way, rearranging or combining, limiting, erasing, whether performed by automated means or non-automated means.
Breach of personal data protection. A breach of security that results in the accidental or unlawful destruction, loss, alteration, or unauthorized provision of, or unauthorized access to, transmitted, stored, or otherwise processed personal data.
Controller. Anyone who, alone or jointly with others, defines the purpose and means of personal data processing and processes personal data on their own behalf.
Processor. Anyone who processes personal data on behalf of the controller.
Recipient. Anyone to whom personal data are provided, regardless of whether it is a third party. A public authority that processes personal data on the basis of a special regulation or an international treaty to which the Slovak Republic is bound, in accordance with the personal data protection policy applicable to the given purpose of personal data processing, is not deemed to be a recipient.
Third party. Anyone who is not a data subject, controller, processor, or other natural person who processes personal data under the authority of the controller or processor.

4. WHAT PERSONAL DATA DO WE NEED AND HOW DO WE PROCESS THEM? COLLECTION AND PROCESSING OF PERSONAL DATA

4.1 Personal data provided by you
We process personal data in accordance with legal provisions on the protection of personal data in force at present.

4.2 Data subjects are:
Website visitors, job applicants, prospective clients/customers, clients/customers, clients´ employees, suppliers, subscribers, social media fans, etc.

4.3 Purpose of PD processing, legal basis, category of personal data and time limit for erasure

Order No. Category of personal data Purpose of processing Legal basis of processing Time limit for PD erasure
  1. Common personal data [stated in invoices]. Accounting agenda The purpose of personal data processing is bookkeeping and fulfilment of legal obligations.  We also include the processing of orders, incoming invoices, and invoicing for customers/ of suppliers, etc. in the agenda in question. Pursuant to Art. 6 (1) c) the fulfilment of legal obligations resulting from special regulations, e.g. the Accounting Act. Ten (10) years from the end of the financial year.
2. Common personal data [necessary for the conclusion of a contract, performance, and implementation of a contract]. Contracts The purpose of PD processing is the conclusion, performance and implementation of obligations arising from contracts with suppliers/customers. Pursuant to Art. 6 (1) b) of the Regulation – contractual/pre-contractual relationship. Until the rights and obligations from the contract are settled, but at least ten (10) years from the end of the contractual relationship.
3. Common personal data [name, surname, academic degree, company, position, contact details]. Business communication The purpose of PD processing is to maintain a database of suppliers/customers, their representatives or, as the case may be, employees of suppliers and customers for the purpose of fulfilling their work, official duties and duties arising from official positions to ensure smooth supplier-customer relations. What legitimate interest? Ensuring smooth supplier-customer relations and fulfilment of the contract. Within the meaning of Art. 6 (1) f) of the Regulation – legitimate interest. Five (5) years from the termination of the contractual relationship/submission, shorter if you file an objection.
4. Data provided in the profile. Social networks The purpose of processing personal data is to create company profiles on social networks, for the purpose of better communication with clients (former, potential). You can find more information in (4) of this Policy.   What legitimate interest? The legitimate interest of the controller is better communication with clients/potential clients. Informing about web application news. Within the meaning of Art. 6 (1) f) of the Regulation – legitimate interest. Until the data subject cancels the following of the page.
5. Common personal data [ name/surname or initials review/reference ].   References/reviews The purpose of personal data processing is the visibility, increase in sales of services and promotion of the controller. Within the meaning of Art. 6 1 a) of the Regulation – consent of the data subject. Five (5) years from the provision of a reference/review or until they withdraw their consent.
6. Common personal data, e.g. [first name, last name, e-mail, phone number]. Marketing – if you are our client The purpose of personal data processing is direct marketing, sending of electronic newsletters and e-mail/text messages about the controller´s news and services. What legitimate interest? Informing our clients about news, changes (e.g. information about new desserts). Within the meaning of Art. 6 (1) f) of the Regulation – legitimate interest. Four (4) years from the provision of a service, or until they raise objections.
7. Common personal data, e.g. [data provided in the application]. Exercising the rights of data subjects The purpose of PD processing is to exercise the rights of data subjects (complaints in the field of the GDPR). Within the meaning of Art. 6 (1) c) of the Regulation – statutory obligation. Five (5) years from the processing of the application.
8. Common personal data, e.g. [academic degree, first name, last name, address and, in the case of a foreigner (type of stay), bank account number, payment information, telephone number, e-mail, signature, company reg. number, VAT reg. number]. Legal/statutory claims (Dispute agenda) The purpose of personal data processing is the resolution of disputes between the controller and users and the recovery of receivables and other claims of the controller through extrajudicial (e.g. mediation), judicial and execution proceedings or bankruptcy proceedings, including legal representation. What is the legitimate interest? Making or defending the controller’s legal claims, preventing damage, and ensuring the fulfilment of claims and other legal claims of the controller. Within the meaning of Art. 6 (1) f) of the Regulation – legitimate interest. Five (5) years from the final termination of the proceedings or from the settlement of the legal claim.
9. Common personal data, e.g. [name, surname, telephone number, e-mail].     Contact form The purpose of personal data processing is to process the request. Within the meaning of Art. 6 (1) f) of the Regulation – pre-contractual relationship. One (1) month from processing the request.
10. Common personal data, personal data of a special category, e.g. [name, surname, address, telephone number, e-mail, personal data specified in the booking form].   Accommodation booking   The purpose of personal data processing is to book accommodation and subsequent communication – sending a confirmation an e-mail, a text message, etc. Pursuant to Art. 6 (1) b) of the Regulation – contractual/pre-contractual relationship. Until the rights and obligations from the contract are settled, but at least ten (10) years from the end of the contractual relationship.

5. SOCIAL NETWORKS 

We use hypertext links (so-called links) to third-party websites. By clicking on the links provided, you will be redirected to these websites (e.g. social network websites or our partners’ websites). We are unable to influence the style and content of linked third-party websites, and at the same time dissociate ourselves from any content on all such websites and from adopting such content as our own. This use policy does not apply to third party websites. If you are interested to learn more about the policy of use of third-party websites, please visit the relevant third-party website. 

You can find more detailed information on the processing of personal data by the controller at:
– META: https://www.facebook.com/privacy/explanation

The purpose of personal data processing is to create a company profile on social networks, in order to promote the web application and our services. 

The legal basis for the processing of personal data is Article 6, (1) f) – legitimate interest.
Personal information that you publish on our websites and social media accounts, such as comments, likes, videos, pictures, etc., will be posted through the social media platform. Subsequently, we do not process personal data for any other purpose. The controller reserves the right to delete comments and other content (videos, images, etc.) if it is a violation of applicable legislation (hate comments, racist or otherwise violating basic human rights and freedoms), and the right to share your posts if you communicate through social media networks.

Posts are archived on our “timeline” on the social network site for an unlimited period or until you delete them or we,as the controller.

6. RECIPIENTS

Your personal data may be provided to the recipients. It concerns for example postal companies; professional advisors (e.g. lawyers, executors, public notaries, courts, translators); providers of standard software equipment (e.g. Microsoft, Google); providers of technical support, development and management of IT systems and applications, data processing and storage; hosting service providers; operators of social networks; external collaborators of the CONTROLLER (e.g. accounting firm) and in relation to published data, the recipients of personal data are also persons visiting the website, users of social networks.

Personal data are provided within the framework of the fulfilment of obligations arising from legal regulations in force (e.g. law enforcement agencies, public authorities, etc.) or EU regulations that are directly enforceable and applicable also in the Slovak Republic or by processors within the framework of contractual relations in accordance with the GDPR and the Personal Data Protection Act. 

We choose our partners, inter alia, with regard to their professional care guarantees, while these entities are bound by the obligation to maintain confidentiality and by the obligation to take appropriate technical and organizational measures so that the processing of personal data meets the requirements of the GDPR and the Act.

7. UNDER 16 YEARS OF AGE

Please note that all services on our website may be used only by persons who have reached the age of sixteen (16). The use of services and the resulting data processing by persons with a lower age limit without the consent of parents/legal representatives is prohibited. If you become aware of such processing of personal data, we request you to notify us of such fact without undue delay and we will carry out rectification in question. 

8. PROCESSING TIME

The controller only processes personal data for the necessary time and adheres to the PD processing policy. If we have been granted consent, in such case for the period for which such consent was granted or revoked. In the event that we process personal data on the basis of law, e.g. accounting documents, we process such documents for the period of 10 years. The exact storage period is specified for each purpose of processing in point 4.3. 

9. TRANSFER TO A THIRD COUNTRY

The operator restricts the PD transfer to a third country or an international organization, including the identification of the country or the international organization. However, some of the recipients may have servers located outside the EU (Google, Facebook). These servers may be located in the United States of America (the USA). The transfer of personal data is based on the European Commission’s adequacy decision and organizations are registered in the Data Privacy Framework (DPF). You may check whether organizations are registered in the DPF at https://www.dataprivacyframework.gov/s/ . 
Article 45 of the GDPR stipulates the transfer of data based on the European Commission’s adequacy decision. The European Commission’s adequacy decision for the EU-US DPF entered into force on 10 July 2023. 
Such transfers are carried out only on the basis of standard contractual clauses approved by the Commission, and adequate guarantees have been provided within the meaning of Article 46 of the GDPR:

Conditions of privacy protection 
Google https://policies.google.com/privacy?hl=en-US
META https://www.facebook.com/privacy/explanation
INSTAGRAM https://help.instagram.com/519522125107875
LinkedIn https://www.linkedin.com/legal/privacy-policy

Adequate guarantees provided within the meaning of Article 46 of the GDPR.
Google https://privacy.google.com/businesses/controllerterms/mccs/
META https://www.facebook.com/help/566994660333381?ref=dp
https://www.facebook.com/legal/EU_data_transfer_addendum 

10. AUTOMATED PROFILING

The company does not use automated profiling within the meaning of Art. 22 of the Regulation.

11. RIGHTS OF THE DATA SUBJECT

You have the right to exercise your rights within the meaning of the GDPR, namely (i) the right to rectification, (ii) the right to erasure, (iii) the right to data portability, (iv) the right to object, (v) the right to withdraw consent, (vi) the right to access information, (vii) the right to restriction. You can exercise these rights directly in the company by sending a notification to the e-mail address gdpr@skauhouse.sk or in writing to the address Skau s.r.o., Račianska 1579/88 B, Bratislava – Nové Mesto District 831 02.

● Right of access

You can request from us confirmation/information as well as a copy of the processed personal data, whether and to what extent your personal data are processed. We, as a company, are obliged to provide information based on your request within thirty (30) days from the delivery of such request. We can extend this time limit by another sixty (60) days. We would inform you about any postponement.

● Right to rectification

You have the right to request from us to correct your incorrect PD concerning you or to supplement your incomplete PD without undue delay.

● Right to erasure

As a data subject, you have the right to request the controller to delete personal data concerning you without undue delay. The controller is obliged to delete personal data without undue delay for any of the following reasons:

  • personal data are no longer necessary for the purpose for which the controller obtained or processed such data,
  • if you withdraw your consent to the processing of personal data for at least one (1) specific purpose or the consent is invalid if its provision is excluded by a special regulation,
  • if you object to the processing of personal data and there are no prevailing legitimate grounds for the processing of personal data or you object to the processing of personal data related to direct marketing, including profiling,  
  • if we process personal data unlawfully,
  • if the ground for the erasure is the fulfilment of an obligation under this Act, a special regulation, or an international treaty by which the Slovak Republic is bound, or 
  • if personal data were obtained in connection with the offer of information society services according to (Section 15 (1) of the draft act) and you are under 16 years of age.

● Right to data portability

You may request us to make the personal data you have provided to us available in a structured, commonly used, and machine-readable format to another controller, if it is technically possible and provided that the PD are processed based on the consent of the data subject, on the basis of the contract and the PD processing is carried out by automated means.

● Right to object

If we process your personal data on the basis of a legitimate interest, you may lodge an objection to the processing of your personal data at any time for reasons related to your specific situation. We may not further process personal data unless we demonstrate our necessary legitimate reasons for processing that outweigh your interests, rights, and freedoms, or if there are grounds for demonstrating, exercising or defending legal claims.

● Withdrawal of consent

In cases you have given us your consent, we inform you that you may revoke such consent at any time.  You can revoke it in the same way as you have granted it. Revocation does not affect the lawfulness of processing based on consent before its revocation.

● You have the right to request the restriction of the processing of your data when

– you object to the correctness of these data, specifically for the period that allows us to verify the correctness of the data,
– the processing of your data is unauthorized, but you will refuse the erasure and instead you request the restriction of use of the data,
– we no longer need the data for the planned purpose, but you still need these data to make, exercise or defend legal claims, or
– you have raised an objection to data processing.

● The right to file a petition to commence proceedings by the data subject

If you are of the opinion that we have violated the Act and/or the GDPR when processing your personal data, please contact us so that we may clarify any issues. However, you have, of course, the right to file a complaint with the Office for Personal Data Protection.  The sample petition is published on the website of the Office for Protection of Personal Data, Hraničná 12, 820 02 Bratislava, the Slovak Republic.  The Office will examine your request within thirty (30) days and will decide within ninety (90) days, or it may adequately extend the time limit.

12. FINAL PROVISIONS

This information enters into force and effect on 1.11.2023. The controller reserves the right to change this policy in case of a change in the company’s PD processing and in case of changes in legislation.