Protection of personal data

Definitions of certain terms
under Regulation 2016/679 of the European Parliament and Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data (the Regulation) and Act No. 18/2018 Coll. on Personal Data Protection (the Act).

“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, regardless of whether they are carried out by automated or non-automated means;

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Principles of personal data processing
Lawfulness principle
Personal data may be processed only lawfully and in such a way that the fundamental rights of the data subject are not violated.

Purpose limitation principle
Personal data may be collected only for a specified, explicitly stated and legitimate purpose and may not be further processed in a manner that is incompatible with this purpose.

Data minimisation principle
Processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

Accuracy principle
Processed personal data shall be accurate and, where necessary, kept up to date; reasonable and effective measures must be taken to ensure that personal data that are inaccurate, in regard to the purposes for which they are processed, are erased or rectified without delay.

Storage minimisation principle
Personal data shall be kept in a form that permits identification of a data subject no longer than is necessary for the purposes for which the personal data are processed;

Integrity and confidentiality principle
Personal data shall be processed in a manner that ensures the appropriate security of the personal data using appropriate technical or organisational measures, including protection against unauthorised processing of personal data, unlawful processing of personal data, accidental loss of personal data, destruction of personal data, or damage to personal data.

Accountability principle
The Controller shall be accountable for observing the basic principles of personal data processing, for the compliance of the processing of personal data with the principles of personal data processing, and shall be obliged to prove this compliance with the principles of personal data processing at the request of the Office.

Rights of the data subject
The data subject shall have the right to request information from the Controller,

1.about whether his/her personal data are being processed;

2.in a generally understandable form, accurate information about the source from which it obtained his/her personal data for the processing,

3.in a generally understandable form, a list of his/her personal data being processed, including the purpose of the processing, the categories of personal data processed, the recipients, the processors, the retention period, the right to rectification, erasure or limitation of the processing, the right to object to the processing of personal data, the right to file a motion for procedure under Section 100 of the Act,

4.contact information of the responsible person,

5.on the planned transfer of personal information to third countries.

The data subject shall have the right:
6.to rectification of inaccurate, incomplete, or outdated personal data that are being processed,

7.to erasure of personal data, in particular data the purpose of processing of which has ended; if the objects of processing are official documents containing personal data, he/she can request their return;

8.to object on the basis of a written request to the Controller to the processing of personal data, which are or will be processed for the purposes of direct marketing

9.to the restriction of personal data processing,

10.to revoke his/her consent at any time, if the processing of personal data is based on the data subject’s consent,

11.to the information whether there is automated decision making, including profiling, and, if there is, what its consequences are for the data subject,

12.to personal data portability,

13.to file a complaint with a supervisory authority,

14.to initiate a procedure on the protection of personal data pursuant to Section 100 of the Act.

Obligations of the Controller

The Controller, PosAm s.r.o. and its employees shall be obliged primarily to:
1.Process personal data only to the extent necessary to achieve the purpose of the processing.

2.Protect personal data from damage, destruction, loss, unauthorized modification, unauthorized access, provision or disclosure to a third party.

3.The Controller and its employees are obliged to maintain the confidentiality of the User’s personal data. They are obliged to maintain the confidentiality even after the termination of the contractual relationship with the User. The Controller has instructed its employees about the personal data protection obligations.

4.Ensure the security of personal data processing
This point is crucial and it refers to the system of technical and organizational security rules and measures to protect the physical and logical perimeters of PosAm, e.g. the access system, camera systems, general key system and key distributor, physical security of the premises, access management in information systems …

5.report to the Office for Personal Data Protection and to data subjects, if necessary, any breach of personal data protection;
6.carry out, where necessary, an impact assessment on the protection of personal data concerning the impact of processing on the protection of personal data;

7.consult with the Office for Personal Data Protection of the Slovak Republic prior to performing any processing, if the impact assessment on the protection of personal data suggests that the processing would lead to a high risk if the User has not taken measures to mitigate this risk.

Statement on the privacy protection of employees of PosAm s.r.o.
PosAm s.r.o. processes the personal data of its employees.

Extent of processed personal data
Contact data – name, surname, address of permanent residence, address of temporary residence, e-mail contact and private and business telephone contact.

Job data – employment contract, salary statement, job classification, job description, competencies, photograph for employee ID card, work performance evaluation, business trip record, attendance, CV (resume), entrusted property, access rights for applications, access rights into protected areas, record of entries into protected areas.

Personal and family data – family status, date of birth, family details for tax relief and tax obligations, disability data, identifiers such as birth number, personal ID card number, passport number, driving license number.

Payroll information – banking details, annual settlement requests, annual settlement, bonuses, second and third pillar insurance.

Purposes
PosAm processes the personal data of employees for a number of purposes but only to the extent necessary for the given purpose:

The purpose of the Labour Law agenda is the keeping of records of personal data of employees of the company and employees working on the basis of an agreement on work carried out outside of an employment relationship (agreement workers) for the purpose of registration with the Social Insurance Agency and with insurance companies, the processing of the payroll agenda, preparation of Labour Law documentation, correspondence contact, records of completed education and skills for the purposes of verifying qualification requirements for tenders, allowing the use of company benefits.

Personal data for the purposes of protection of health and property and the property rights of the company, its employees, business partners and visitors are used for managing access into premises and applications in a minimized extent of contact information and for monitoring employee business trips in the company’s motor vehicles.
Records of received and sent mail in mail contact with employees in the necessary extent of contact information.

Sharing personal data (Recipients, processors, third parties)
The following also work with the employees’ personal data
Recipients: Social Insurance Agency, insurance companies, SPI (supplementary pension insurance), customers of the company – CV and lists of employees for tenders to demonstrate the qualification requirements of employees and for setting up access into customer premises;

Processors: suppliers, who were commissioned to process the personal data of employees of PosAm. Those are:
ACCACE, a company providing the processing of the payroll agenda

Team Prevent, provides mandatory health service

Edenred, provides meal vouchers

UNION insurance company, provides travel insurance of employees during business trips

PriceWaterhouse Coopers, author of the wage benchmark study PayWell

Slovnaft, provider of the fuel card benefit for employees

Qualitravel, provides airline tickets for employee business trips

PosAm has concluded a contract on the processing of personal data with these companies, in which it regulated, among other things, the terms for secure handling of the personal data of its employees.

Data storage
Employees’ personal data are not transferred to third countries; they are located exclusively in the European Union.

Retention
Personal data are retained for the duration of validity of their purpose, which generally means for the duration of the Labour Law relationship, unless the legislation of the SR requires longer periods of data archiving, for example for pensions.

Legal basis
PosAm processes the personal data of employees on multiple legal bases:
Act on Personal Data Protection – 18/2018 Coll. (disclosure and provision of organizational structure information);
Labour Code – 311/2001 Coll.;

Act on Social Insurance – 461/2003 Coll.;

Act on Health Insurance – 580/2004 Coll.;

Act on Income Tax – 595/2003 Coll.;

Act on Accounting – 432/2002;

Act on Travel Allowances – 283/2002 Coll.;

Act on Occupational Health and Safety – 124/2006 Coll.;

Act on Protection, Support of Public Health – 355/2007 Coll.;

The legitimate interest of the employer in the record keeping of completed education, for the purpose of verifying qualifications and tenders and for the purpose of providing benefits to employees.

Statement on the privacy protection of job seekers at PosAm s.r.o.
PosAm s.r.o. processes personal data of job seekers.

Extent of the processed personal data

• Contact data – name, surname, address of permanent residence, address of temporary residence, e-mail contact and telephone contact.
• Job data – resume – overview of professional career, skills and experience, declaration of clean criminal record for certain positions, references.
• Personal and family data – family status, date of birth, identifiers such as birth number, personal ID card number, driving license number.
• Salary information – requested income

Purposes
PosAm processes the personal data of job seekers for the purpose of recruiting new employees into employment by selecting candidates by assessing their professional qualifications and assessing their ability to perform the required job (especially in technical and professional positions)

Records of received and sent mail in mail contact with job seekers in the necessary extent of contact information.

Sharing personal data (Recipients, processors, third parties)
The personal data of job seekers are processed exclusively by the employees of PosAm instructed about their obligations in regard to the personal data of data subjects and they do not provide them to any recipients or processors or third parties.

Data storage
The personal data of job seekers are not transferred to third countries; they are located exclusively in the European Union.

Retention
Personal data are retained for the duration of validity of their purpose, which is 1 year from sending of the personal data by the job seeker.

Legal basis
The personal data of job seekers are processed by PosAm on the legal basis of the legitimate interest of a prospective employer in assessing the job seeker’s qualification to perform the job in question.

Statement on the privacy protection of customers and employees of customers of PosAm s.r.o.
PosAm s.r.o. processes the personal data of its customers’ employees with the following parameters:

Extent of processed personal data
Contact data – name, surname, address of employer, work e-mail and work telephone contact.
Work data – work position, in the case of provision of end-device maintenance services also a list of IT devices assigned to the name of the employee, IP address of the device.

Purposes
PosAm processes the personal data of its customers and their employees for the purposes of pre-contractual and contractual relationships and direct marketing always only in the extent necessary for these purposes.

PosAm s.r.o. has concluded a Contract on the provision of operating type services with some customers. Within the provisions of such contract it processes the personal data of the customer’s employees in the extent necessary for the identification of the employee and his/her device and the provision of end-device maintenance services under the valid contract between the supplier of the service (PosAm) and its customer.

Sharing personal data (Recipients, processors, third parties)
PosAm s.r.o. processes personal data in the specified extent and for the specified purpose only by its own employees and it has no sub-contracts or contracts on the processing of personal data concluded with other sub-contractors.

In cases where the fulfilment of contractual terms with the customer requires the involvement of other solvers from third parties and if, during the course of this activity, the processing of personal data may occur, PosAm will request the customer’s consent. In such cases, PosAm will commit the subcontractor to the obligations for the personal data protection of data subjects.

Data storage
The personal data of customers and their employees are not transferred to third countries; they are located exclusively in the European Union.

Retention
Personal data are retained for the duration of validity of their purpose, which generally means for the duration of the contractual relationship, unless the legislation of the SR requires longer periods of personal data archiving, for example the archiving of accounting documents.

Legal basis
The personal data of customers and their employees are processed by PosAm on the legal basis of contractual and pre-contractual relations and legitimate interest for the purpose of direct marketing pursuant to the Act and the Regulation.

Statement on the privacy protection of suppliers of PosAm s.r.o.
PosAm s.r.o. processes the personal data of its suppliers and their employees.

Extent of processed personal data
Contact data – name, surname, address of employer, work e-mail and work telephone contact.

Purposes
PosAm processes the personal data of suppliers and their employees for the purposes of pre-contractual and contractual relationships always only in the extent necessary for these purposes.

Sharing personal data (Recipients, processors, third parties)

PosAm s.r.o. processes personal data in the specified extent and for the specified purpose only by its own employees and it has no sub-contracts or contracts on the processing of personal data concluded with other sub-contractors.

Data storage
The personal data of suppliers and their employees are not transferred to third countries; they are located exclusively in the European Union.

Retention
Personal data are retained for the duration of validity of their purpose, which generally means for the duration of the contractual relationship, unless the legislation of the SR requires longer periods of personal data archiving, for example the archiving of accounting documents.

In compliance with § 55 par. 5 Act of the National Council of the SR No. 351/2011 Coll. on Electronic Communications as amended we kindly inform you about using cookies and draw your attention to a possibility of changing the settings of your browser in case the current settings for using cookies is not convenient for you.

What are cookies?
Cookies are small text files which can be sent to browser when you visit websites and saved to your device (computer or other device with Internet access, i.e. smartphone or tablet). Cookies are saved in the folder for files of your browser. Cookies usually contain the name of the website they come from and the date of origin. Upon your next visit the browser loads cookies again and sends these information back to the website which originally created cookies. Cookies we use do not harm your computer.

Using cookies
By using the websites operated by PosAm you give your consent to using cookies in compliance with your browser settings. If you visit our websites, acceptance of cookies is allowed in your browser, you do not change your browser settings and continue visiting our websites we consider it as accepting our conditions for using cookies.

Why are we using cookies?
Cookies are used to optimally create and constantly improve the quality of our services, adjust them to your interests and needs and improve their structure and contents. PosAm does not use data obtained by using cookies to contact users by mail, e-mail or telephone.

How to change settings of cookies?
Majority of browsers has been originally set to automatically accept cookies. This settings can be changed by blocking cookies or by a notification in case cookies are to be sent to your device. Instructions for changing cookies are available in the option “Help” of every browser. If you use different devices to access websites (e.g. computer, smartphone, tablet), we recommend you to adjust every browser on each of them to your preferences regarding cookies.

Why to keep settings of cookies?
Using cookies and permitting cookies in your browser is your decision. However, in case you change settings of cookies, functionality of some of our websites can be limited and their user comfort reduced.