- CONTROLLER, DECLARATIONS AND GUARANTEES
Company Wellbens s.r.o. – a limited liability company registered with Commercial register of the District court Bratislava I, Section: Sro, Insert No: 134640/B, ID Nr.: 52 073 815, Tax ID: 2120924256, VAT ID: SK2120924256 with registered seat: Ružinovská 42, Bratislava 821 03, Slovak Republic and Wellbens tax & accounting, s.r.o. – a limited liability company registered with Commercial register of the District court Bratislava I, Section: Sro, Insert No: 138540/B, ID Nr.: 52 455 386, with registered seat: Ružinovská 42, Bratislava 821 03, Slovak Republic (each hereinafter referred to as “Controller”) processes personal data of the data subjects in its systems of personal data. Controller is responsible for the protection of personal data processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”). Contact email address is firstname.lastname@example.org.
As Controller cares about the protection of personal data and privacy of the data subject, it provides the data subjects not only with this comprehensive information about their data protection rights, but also with other information and explanations in order to provide a full transparency to the data processing and deepening mutual trust, in accordance with the provisions of Article 14 of GDPR.
Controller assures the data subject that it never sells or otherwise commercially does uses the personal data obtained from the data subject within a business cooperation with any third party and never discloses personal data without an expressed individual’s written consent or a similar authorization provided by data subject.
Controller assures the data subject that it will never provide any personal data that is subject to processing in a Third Party’s personal data information system without the Controller first obtaining a specific written consent or sufficient written authorization; this shall not apply if Controller is obliged to provide personal data to the authorized state authorities in the exercise of their legal powers even without the consent of the data subject to applicable special laws, such as Money Laundering Act and other respectable laws, that may be subject to the lawful processing of the personal data.
Controller declares, that it processes the minimum personal data necessary to achieve the purpose of processing, which is defined primarily by the need to provide the legal services, taking into account the time period of the processing as well as the extent of the data that is subject of processing. Controller guarantees data subject safe and irreversible erasure of the personal data without delay after the end of the purpose of processing.
Controller declares that in relation to the processing of personal data, there will be no decisions based solely on automated means of processing personal data, nor any kind of profiling in regards of the Article 22 (1) and Article 22 (4) of GDPR.
Controller warrants the data subject with an increased discretion and protection of their privacy by providing a special contractual liability of his employees and other co-workers for breach of confidentiality and unlawful disclosure of information related to the provision of its services, including the personal data of clients or other physical persons involved in the business affairs.
Controller declares that he has taken reasonable technical, organizational and personnel measures to ensure the security of the processing of personal data, which are documented in GDPR Compliance project, whereby both standard and specific protection of personal data under Article 25 of GDPR are ensured (“privacy by default and privacy by design” measures).
Controller declares that v any personal data breach that might lead to high risk for rights and freedoms of the data subject shall be communicated to the data subject involved to this data breach, if any occurs, as required by Article 34 of GDPR.
- PURPOSE OF PROCESSING, SCALE OF THE DATA COLLECTED AND THE LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
Controller processes personal data under the purposes of providing services under Act on trading Coll. No. 455/1991 as individual Controller.
The purpose of processing the personal data is the provision of services.
Data subject for the purposes of the Document is any physical person whose personal data are processed for the purpose of providing services irrespective of its procedural or contractual status in relation to Controller.
The legal basis for the processing of personal data for the purpose of Section 2. – Point 2. of this Document is Act on advocacy.
If you have given Controller consent to process your personal data, then the legal basis for their processing is given this consent. It is our interest to stay in touch with each other. This way, we can keep you informed about news and updates concerning our firm, as well as send you professional articles we publish. For this purpose, we hereby give you the opportunity to express your consent to the processing of your personal data for marketing purposes via Newsletter subscription.
If you grant your consent, it will be in full force and effect until your consent is revoked. We process your personal information in the following scale: email address.
You may withdraw your consent to the processing your personal data free of charge by sending a request to the email address email@example.com, the withdrawal of your consent will not affect the lawfulness of the processing of your personal data made prior to its withdrawal.
- DURATION OF PERSONAL DATA PROCESSING
Controller processes the personal data during the duration of the legal services provided by the firm. Upon termination of the provision of services, the entire database, in particular all documents which have been entrusted to Controller by the client or which were given to Controller, are handed over to the client on the basis of the transmission protocol.
In the case of the processing of personal data on the basis of consent, personal data will be processed from the date of such consent until the moment of its withdrawal.
- IDENTIFICATION OF CONTROLLERS, SUBCONTRACTORS AND THIRD PARTIES
Controller when processing personal data of data subject for the purposes of Section 2. of this Document, uses the following trusted and professionally competent business partners capable of guaranteeing the security of personal data processing of data subject, who have, within the meaning of Article 28 of the GDPR, the status of processor:
- accounting firm for the purpose of providing accounting, billing and payroll accounting services;
- business IT management company, for the management and maintenance of IT systems and IT security;
- a web hosting company to manage the web site and web components of Controller.
Controller may involve other partners in process the personal data only after obtaining a prior written consent from the data subject. These partners are considered as independent controllers:
- a company authorized to carry out auctions and commission sales.
According to the nature of the matter, factual state or the legal obligation, Controller might be obliged to provide the personal data without a prior written consent from data subject to third parties, mainly:
- to the state authorities acting under the “Anti-money laundering Act”;
- to the Attorney Association under the conditions established by the Act on advocacy;
- to the General Courts regarding to cases regulated by the specific acts (for instance the Criminal Code, the Civil Procedure Code, the Administrative Procedure Code);
- to the Constitutional Court and its proceeding and on position of its judges;
- to the state authorities acting under the Criminal Procedure Code as amended and under the Criminal Code as amended;
- to the European Court of Justice and to the European Court of Human Rights;
- to the respective law officers and enforcement agents under Execution Code as amended;
- to the insolvency administrators;
- to the notaries under the Notary Code as amended;
- to the Ministry of Justice under the Public sector registers Act as amended;
- to the courts’ interpreters and translators in the extent necessary for the proper performance of their activities;
- to the courts’ experts in the extent necessary for the proper performance of their activities;
- to the banks under the Act on banks as amended;
- to any other state authorities as may be required by the respective legislation.
- TRANSMISSION OF PERSONAL DATA TO A PARTNER LAW FIRM
In case the data subject requests Controller to provide legal services in the Slovak Republic, the data subject grants Controller a power of attorney to represent the data subject in proceedings conducted before public authorities or other authorities acting in the Slovak Republic, the Controller shall provide the personal data of the data subject to its partner law firm – STEINIGER | law firm, s. r. o., registered seat: Jasovská 17, 851 07 Bratislava, Slovak Republic, ID No.: 47 238 135, registered in the Commercial Register of the District Court Bratislava I, section: Sro, insert no.: 80481/B, as the recipient of personal data.
Our partner law firm act as independent data controller of personal data for the purpose of providing legal services. The provision of personal data is based on a specific contractual agreement as stipulated above.
- THE SCOPE OF THE PROCESSED PERSONAL DATA
Controller processes personal data of data subjects in the extent that is necessary to achieve the purpose for which the personal data is being processed. In general, we process all personal data that are necessary and are an integral part of documents constituting the file of a particular client, including related electronic documents, and electronic mail.
Controller also processes particularly sensitive personal data belonging to a specific category of personal data within the meaning of Article 9 of GDPR in the extent necessary to prove, apply or defend any claims before competent public authorities. Internal processes and measures adopted by Controller are meant to ensure the security of the personal data being processed with an increased emphasis on the protection of this specific category of personal data.
Controller uses its own cookies (i.e. first party cookies) in order to optimize the functions of the website and better user comfort of website’s visitors, as well as foreign cookies (i.e. third party cookies) to display so called behavioral advertising.
The website also uses so called short-term cookies which are after the usage of the internet browser is finished automatically erased from computer system of the data subjects or of other program applications’ end users. However, in some cases processing of the so-called long-term cookies may occur. Long-term cookies remain in end user’s equipment, while they allow Controller to recognize that the web site is being re-visited by the end-user device, this however depends on the settings made by the user of program application associated with e.g. remembering the default password for the program application.
Controller informs data subjects and all visitors of the website about the fact that all the cookie files which the website can store in the terminal equipment of any visitor of the website can be controlled and deleted. Appropriate setting of the internet browser may ensure effective and complete prevention of cookie file usage. Concrete information and instructions on setting of certain type of internet browsers are available here: About Cookies (How to control cookies) and information on erasing cookies from the user’s technical device user can be found here: About Cookies (How to delete cookies). In some cases, you may wish to turn on a feature that is commonly referred to as “tracking protection” in an internet browser.
Controller informs Data subjects that in case of so-called third-party cookies that are used to display a behavioural advertisement, the website will require an explicit consent from data subject before installing these cookies on the device of end-user of the website.
Controller of the website also uses web analytics service from company Google Inc., however, Controller does not process any personal data, neither any other identifiers usable for indirect identification (e.g., IP address) of data subjects. This does not mean that personal data are not processed by the company Google Inc., which is a provider of services – Google Analytics and Google AdWords.
Controller can use Google Analytics and Google AdWords to generate online advertising through remarketing, i.e. outputs from Controller’s marketing communication may be displayed by different providers of digital service and of internet content including Google Inc., on various internet web sites which in the future, after the end of the Website visit, will be displayed on the device of end-user or data subject.
Controller also uses Google Analytics reports to ensure more effective marketing communication, which may lead to processing of demographic characteristics and interests concerning data subject (e.g., age, gender, interests) acquired by company Google Inc., which may also be used by Controller. Controller will hereby not process personal data of data subject during the data processing by using Google Analytics because Controller will not dispose with adequate identifier, which would enable direct and indirect identification of data subject.
Display of personalized advertisement banners by Google may be rejected by data subjects who use website via the following Google Ads control.
Any other information on the use of data by company Google Inc in the context of this website usage may be found here: Google – Privacy – Partners.
Controller indicate to data subjects that if data subject is signed into internet services provided by company Google Inc during the visit or the usage of website, Google Inc may process personal data of the data subject. Controller does not affect, have impact on or participate on such data processing provided by Google Inc.
- SOCIAL NETWORKS
The official web site of Controller is: www.wellbens.com (and the relevant national domains, such as www.wellbens.sk, which only functions as its language mutation with relevant content in appropriate language). Controller’s official web site contains a number of additional modules (plugins) referring to the official Controller profiles set up on social networks websites operated by independent operators in position of a third party controller. These modules (plugins) can be activated via interaction initiated by the data subject (click on a pictogram belonging to social network Facebook, Twitter, LinkedIn, Google+). If the data subject does not interact by clicking on pictogram, the plugins will not by activated and any data will not be processed. In case of initiating any of the listed plugins referring to Controller’s profiles created on the social networks, the data of the data subject may be processed by relevant controller of the social network. Controller does not affect, have impact on such data processing except the part within which Controller is capable of processing the content of Controller’s site created on the relevant social network under the terms of usage of the certain social network. Information about processing of the personal and other data of data subjects by social network operators can be found here:
Facebook – Privacy
Twitter – Privacy
Linkedin – Privacy
Google – Privacy
Controller respects and comply with privacy policies adopted by the social network controllers specified in this Section of this Document. Controller manages its official profiles on the social networks specified in this Section and ensures the prompt and immediate removal of any offensive, abusive, hateful, vulgar, sexual, or extremist manifestations of other social network users that cannot be considered compatible with the exercise of the constitutionally enshrined freedom of expression in democratic society.
The Controller does not use the social networks to obtain any other information and personal information about registered members of the social network, such as information and personal data provided or provided by the operator and/or published by the data subject within the data subject’s profile on the social network specified in this Section. The operator does not in any way use (in particular, does not acquire, disclose, store, share, disclose) any information or personal data that the person concerned states on his / her own
Controller does not use social networks specified in this Section to facilitate marketing communication, but exclusively for informational and educational purposes about its activities and about the daily functioning of its team and professional focus.
Controller monitors by cameras premises located in the interior of Controller’s office located at Ružinovská 42, 821 03 Bratislava, Slovak Republic (hereinafter referred to as “Office”) under the provisions of Article 6 (1) letter (f) of GDPR for the purposes of asset protection, crime prevention as well as support for the internal security measures of Controller.
- ACCESS OF CONTROLLER TO CLOUD SERVICES
Controller currently uses services of cloud computing service providers, primarily in the area of cloud infrastructure as a services (IaaS), cloud-based software as a service (SaaS), while data storage, including personal data on remote virtual servers of cloud services provider or other processing operations of personal data of data subjects are being carried out. When using cloud computing services, Controller eliminates risks associated with potential leak of personal and confidential information in the greatest possible extent. For this purpose, Controller uses only verified providers of such services, who use advanced security solutions and comply with the strictest safety standards.
Controller currently also uses its own data storage and own modern IT infrastructure, which provides clients with sufficient user comfort and the security of their data, including personal data.
In the case of cloud services usage, Controller is committed to:
- use cloud computing services only in justified cases, which with regard to the purpose of achieving the work objectives, costs, competitiveness and innovation cannot be equally effectively achieved by other means;
- using only verified cloud service providers capable of providing real and legal guarantees in order to achieve a sufficient level of security;
- to review cloud service providers under the internal rules set by the internal safety directive;
- conclude an agreement on guarantees of services availability (i.e. SLA – Service Level Agreement) and on confidentiality compliance with the cloud services providers and contracts which are in compliance with the requirements of personal data protection under Article 28 (3) of GDPR;
- not to use cloud computing services that may lead to the cross-border transmission of personal data to third countries not guaranteeing an adequate level of personal data protection except for the entities with their registered seat in the USA, which are certified in the system “Privacy Shield”.
- CROSS-BORDER TRANSMISSION OF PERSONAL DATA
Controller will not perform any cross-border transmission of personal data obtained from the data subjects to a third countries which does not provide an adequate level of personal data protection.
None of the personal data that will be processed by Controller’s business partners listed in Section 4. of this Document shall be transmitted from the territory of the Member States of the European Union to third countries.
- SOURCE OF PERSONAL DATA
The source of personal data, which are the subject of Controller’s data processing for the purpose of Section 2 of this Document, is primarily always the data subject or other natural or legal person authorized to act on behalf of data subject based on written power of attorney or agreement, who is in position of a client in relation to Controller.
Personal data which are the subject of data processing for the purposes of Section 2 of this Document may also come from:
- publicly available resources or from information sources of third parties if Controller has legal entitlement to obtain them when providing services;
- procedural acts and documents of third parties that are being executed within various legal proceedings in which Controller participates;
- procedural acts and documents of an advocate presuming that the advocate was in a certain legal matter awarded a substitute power of attorney by Controller, to execute legal services acts.
- INFORMATION AND GUIDANCE ON RIGHTS OF A DATA SUBJECT
Controller cares for protection of your personal data, therefore, Controller seeks to ensure strong security through individual, modern, technical and organizational security measures, as well as through the ability to enforce rights of data subject under GDPR, any time using a written, signed application from which your identity and the right you are applying for are clearly stated. The application for the exercise of the data subject´s rights may be addressed to Controller’s address of its registered seat. In case of any questions relating to the exercise of your rights as a data subject, please, do not hesitate to contact us. The contact details are listed in Section 1 of this Document.
Since May 25, 2018, you are entitled to new rights that should provide you with more effective control and overview on your personal data processed by our company in a position of Controller. Specifically, it is the right to data access (GDPR, Article 15), the right to rectification (GDPR, Article 16), the right of deletion (GDPR, Article 17), the right to limit the processing (GDPR, Article 18), the right for accuracy of data (GDPR, Article 20). As a data subject you also have the right to file a complaint at any time to the supervisory authority – more information can be found at www.dataprotection.gov.sk
With regard to the terms of personal data processing adopted by Controller, we would like to inform you that you are not entitled to object individual decisions based on automated processing (GDPR, Article 21 and Article 22) because we do not execute any such processing operations with your personal data. The purpose of the information mentioned above does not deter you from exercising your rights, but to provide you some guidance for the purpose of a more efficient handling of this agenda.
Every request for the exercise of the data subject rights of the under GDPR can be done using a written and signed application letter sent on the address of Controller’s registered seat. Please note that when processing your request, we may ask you for a trusted verification of your identity in case you request us to exercise your right in any other way than by a written letter with your own signature (e.g. by e-mail application) or personally at Controller’s headquarters.
Enforcement of your rights as a data subject stated in Section 13 of this Document may also be done at Controller’s premises, however, personal verification of your identity by submitting your Identification Card is always required.
In case, we process your personal data based on your consent to personal data processing, you always have the option to withdraw this consent at any time, even by e-mail sent from the e-mail address which is being processed with your other personal data and information.
Every application for the exercise of the data subject’s rights delivered to us will be individually and competently assessed, while we will inform you about the results of your application within one month of receipt of your application at the latest. Processing your application associated with the exercise of your data subject’s rights under GDPR is free of charge. If the response to your application is not in line with your opinion, you are, pursuant to GDPR, entitled to file a complaint to the supervisory authority (www.dataprotection.gov.sk) or reach for judicial protection directly at the adequate court.
In case you have any questions regarding your personal data protection and exercise of your rights, please do not hesitate to contact us through the contact details posted at our website www.wellbens.com.
Controller is entitled to limit the exercise of the data subject’s right under certain legally set conditions, mainly if requested personal data (information) must remain confidential under the obligation of professional secrecy pursuant to individual agreements.
- CONTACT INFORMATION OF A RESPONSIBLE PERSON
Controller has entitled the supervision of the personal data protection to its employee, who is a Controller’s contact person for the personal data protection.
If you have any questions regarding the issue of personal data protection and the privacy protection or regarding the application for exercise of the data subject’s rights, you may directly contact Controller’s responsible person via following e-mail: firstname.lastname@example.org.
Contact information on the supervisor authorities are as follows:
For Slovak Controller:
Úrad na ochranu osobných údajov Slovenskej republiky
820 07 Bratislava
+421 /2/ 3231 3214
Approved in Bratislava, Slovak Republic, on February 2, 2019
Mgr. Lukas Steiniger
Managing director of Wellbens s. r. o. and Wellbens tax & accounting s.r.o.