GDPR – Data Protection Principles

ORGANIZATIONAL GUIDELINES FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA IN THE ORGANIZATION

In accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), and pursuant to the provisions of Act 18/2018 Coll., dated 29 November 2017, on the protection of personal data and amendments to certain laws (ZoOOÚ), this document sets out the technical and organizational measures that our company is committed to complying with. As stated in Article 24 of the GDPR, taking into account the nature, scope, context, and purposes of processing as well as the varying risks to the rights and freedoms of natural persons, the company is responsible for ensuring and demonstrating that the processing is carried out in accordance with the GDPR.

Company Details:

  • Name: Entrega Group, s.r.o.
  • Address: Nové sady, 60200, Brno, Czech Republic
  • ID: 142 85 649

Supervisory Authority:

  • Office for Personal Data Protection of the Czech Republic (hereinafter referred to as the “supervisory authority”)
    Pplk. Sochora 27, 170 00 Praha 7
  • Tel: +420 234 665 800, +420 234 665 111
  • Email: posta@uoou.cz

1. DEFINITION OF KEY TERMS

  • Data Subject: Any natural person whose personal data is processed.
  • Controller: Any entity that alone or jointly with others determines the purposes and means of processing personal data and processes the data in its own name. The controller or the specific requirements for its designation may be set out in a separate regulation or international treaty binding on the Czech Republic, if such regulation or treaty specifies the purposes and means of processing personal data.
  • Processor: Any entity that processes personal data on behalf of the controller.
  • Processing of Personal Data: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, etc.
  • Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data.
  • Information System: Any organized collection of personal data accessible according to specified criteria, regardless of whether the system is centralized, decentralized, or functionally or geographically distributed.
  • Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms unique identification, in particular, fingerprint data.
  • Data Processing Limitation: The labeling of stored personal data with the aim of restricting their processing in the future.
  • Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects or characteristics relating to a natural person, in particular to analyze or predict aspects related to the person’s work performance, financial situation, health, personal preferences, interests, reliability, behavior, location, or movement.
  • Pseudonymization: The processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • Encryption: The transformation of personal data in such a way that re-processing is possible only upon the input of a chosen parameter, such as a key or password.
  • Online Identifier: An identifier provided by an application, tool, or protocol, in particular an IP address, cookies, login credentials for online services, or radio frequency identification, which may leave traces that, especially when combined with unique identifiers or other information, can be used to create a profile of the data subject and identify him or her.
  • Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to transmitted, stored, or otherwise processed personal data.
  • Recipient: Any natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, regardless of whether they constitute a third party. A public authority that processes personal data based on a specific regulation or international agreement binding on the Slovak Republic shall not be considered a recipient, provided the rules of data protection applicable to the processing purposes are observed.
  • Third Party: Any natural or legal person, other than the data subject, controller, processor, or any person who, under the authority of the controller or processor, processes personal data.

2. MAPPING OF PERSONAL DATA

Our company has decided to define the personal data it processes in order to analyze such processing and ensure compliance with the GDPR. We define individual categories of personal data as separate information systems.

– IS Customers
Legal Entity: company name, billing address, registration number, VAT number, registered office address, contact person’s first and last name, contact person’s job title, telephone number, email address, fax, website, cookies
Purpose of Processing: issuance of tax document, customer contact, contract fulfillment, delivery of goods, provision of services, complaints

– IS Employees / Partners
Natural/Legal Person: first and last name / company name, billing address, registration number, VAT number, registered office address, contact person’s first and last name, contact person’s job title, telephone number, email address, fax, website, cookies
Purpose of Processing: issuance of tax document, employee contact, contract fulfillment, delivery of goods, provision of services, complaints

– IS Accounting
Legal Entity: company name, billing address, registration number, VAT number, bank name, account number
Purpose of Processing: accounting management

– IS Marketing
First name, last name, telephone number, email address, cookies
Purpose: sending marketing and advertising emails, contact form, contact via social networks

– IS Transport
Natural Persons: first name, last name, delivery address, telephone number
Legal Entities: company name, delivery address, contact person, telephone number
Purpose of Processing: delivery of goods, transportation of persons, customer contact, contract fulfillment

– IS Legal Services
Natural Person: first name, last name, residential address, telephone number, email address
Legal Entity: company name, billing address, registration number, VAT number, telephone number, email address, managing director’s first and last name
Purpose of Processing: contract drafting, legal services, debt collection

3. PRINCIPLES OF PERSONAL DATA PROCESSING (ARTICLE 5 GDPR)

Our company will adhere to the following principles of personal data processing:

3.1. Lawfulness, Fairness, and Transparency (Article 5(1)(a) GDPR)

Personal data shall be processed in a lawful, fair, and transparent manner in relation to the data subject.

3.1.1. Legality of Processing (Article 6 GDPR)

Our company is committed to processing data in a lawful manner so as not to violate the fundamental rights of the data subject. The processing will be lawful based on at least one of the following legal bases:

  • (a) Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • (b) Processing is necessary under a specific regulation or international agreement binding on the Slovak Republic (Section 13(1)(c) ZoOOÚ);
  • (c) Processing is necessary to protect the vital interests of the data subject or another natural person;
  • (d) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • (e) Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly where the data subject is a child.

Legal bases for individual information systems (IS) are as follows:

  • IS Customers:

    • Legal basis: Article 6(1)(c) GDPR – Processing of personal data (name, surname, title, street and number, postal code, city) is necessary under a specific regulation or international agreement binding on the Slovak Republic, primarily according to Act No. 222/2004 Coll. on Value Added Tax.
    • Legal basis: Article 6(1)(b) GDPR – Processing of personal data is necessary for the fulfillment of a contract.
  • IS Employees / Partners:

    • Legal basis: Article 6(1)(c) GDPR – Processing of personal data (name, surname, title, street and number, postal code, city) is necessary under a specific regulation or international agreement binding on the Slovak Republic.
    • Legal basis: Article 6(1)(b) GDPR – Processing of personal data is necessary for the fulfillment of a contract.
  • IS Accounting:

    • Legal basis: Article 6(1)(c) GDPR – Processing is necessary under a specific regulation or international agreement binding on the Slovak Republic, primarily Act No. 222/2004 Coll. on Value Added Tax as amended.
    • Legal basis: Article 6(1)(c) GDPR – Act No. 431/2002 Coll. on Accounting.
  • IS Marketing:

    • Legal basis: Article 6(1)(a) GDPR – The data subject has given consent to the processing of their personal data for at least one specific purpose.
  • IS Transport:

    • Legal basis: Article 6(1)(b) GDPR – Processing of personal data (name, surname/company name and contact person’s name, delivery address, telephone contact) is necessary for the fulfillment of a contract.
  • IS Legal Services:

    • Legal basis: Article 6(1)(c) GDPR – Processing is necessary under a specific regulation or international agreement binding on the Slovak Republic, primarily according to Act No. 311/2001 Coll. Labor Code.
    • Legal basis: Article 6(1)(c) GDPR – Processing is necessary under a specific regulation or international agreement binding on the Slovak Republic, primarily Act No. 513/1991 Coll. Commercial Code.
    • Legal basis: Article 6(1)(b) GDPR – Processing of personal data (email, telephone contact) is necessary for the fulfillment of a contract.

3.2. Purpose Limitation (Article 5(1)(b) GDPR)

Our company will collect personal data solely for specific, explicit, and legitimate purposes and will not further process the data in a manner incompatible with those purposes. The data subject will be informed of the purpose of the data processing prior to processing.

The purposes of processing for each IS have been defined in the personal data mapping section, and personal data will only be processed for the purposes specified therein.

3.3. Data Minimization (Article 5(1)(c) GDPR)

Our company will process personal data in a manner that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

In order to ensure data minimization, our company has analyzed whether the data processed are adequate, relevant, and limited to what is necessary for the intended purposes. The following categories (with specific types listed in the “Mapping of Personal Data” section) are analyzed:

  • IS Customers:
    All processed data are necessary. They are processed for issuing a tax document, customer contact, and contract fulfillment.

  • IS Employees / Partners:
    All processed data are necessary. They are processed for preparing an employment contract, employee contact, and contract fulfillment.

  • IS Accounting:
    All processed data are necessary. They are processed for issuing a tax document and contract fulfillment.

  • IS Marketing:
    All processed data are necessary.

  • IS Transport:
    All processed data are necessary. They are processed for the purpose of delivering goods to the customer, customer contact, and contract fulfillment.

  • IS Legal Services:
    All processed data are necessary. They are processed for drafting contracts, debt collection, and legal advice.

3.4. Accuracy (Article 5(1)(d) GDPR)

Our company will process personal data in a manner that ensures they are accurate and, where necessary, kept up to date; and will take adequate and effective measures to ensure that inaccurate personal data, with regard to the purposes for which they are processed, are erased or rectified without undue delay.

To ensure the principle of accuracy, our company includes the following statement in the written consent for data processing:

“The data subject is obliged to provide true and up-to-date personal data. In case of any change, the data subject must immediately notify the controller.”

3.5. Storage Limitation (Article 5(1)(e) GDPR)

Personal data will be stored in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed.

3.6. Integrity and Confidentiality (Article 5(1)(f) GDPR)

Personal data will be processed in a manner that ensures appropriate security, including protection against unauthorized processing, unlawful processing, accidental loss, destruction, or damage of the personal data, by means of appropriate technical or organizational measures.

3.6.1. Personal Data Stored in Electronic Documents

Our company uses antivirus software from Windows / ESET and the Windows Defender Firewall. Each employee has an individual access password and access is limited only to folders within their scope.
Internet Connection: UPC Slovakia

3.6.2. Personal Data Stored in Paper Format

Physical documents are stored in envelopes and filing cabinets to protect them from damage. These filing cabinets are located:

  • In a locker
  • In a locked office

This ensures that only authorized personnel have access to these documents.
Physical documents are disposed of using a shredder.

3.7. Accountability (Article 5(2) GDPR)

Our company is responsible for complying with the basic principles of personal data processing, ensuring that data processing complies with these principles, and must be able to demonstrate such compliance to the supervisory authority upon request.

4. CONDITIONS FOR PROVIDING CONSENT FOR DATA PROCESSING (ARTICLE 7 GDPR)

The company will ensure the following conditions are met when the data subject provides consent:

  • (a) Consent must be given freely, specifically, in an informed and unambiguous manner.
  • (b) The request for consent must be clearly distinguishable from other matters, presented in an intelligible and easily accessible form, and formulated clearly and simply.
  • (c) The data subject has the right to withdraw their consent at any time. Withdrawal shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject must be informed of this prior to providing consent. Withdrawing consent should be as easy as giving it.

Our company has revised its written consents for data processing to ensure compliance with the GDPR requirements.

5. CONDITIONS APPLICABLE TO THE CONSENT OF A CHILD IN CONNECTION WITH INFORMATION SOCIETY SERVICES (ARTICLE 8 GDPR)

If Article 1(a) is applied in connection with an offer of information society services addressed directly to a child, the processing of the child’s personal data is lawful only if the child is at least 16 years old. If the child is younger than 16, such processing is lawful only provided that consent has been given or approved by the holder of parental responsibility.
Our company will make reasonable efforts to verify that, in such cases, consent has been given or approved by the holder of parental responsibility, taking into account available technology.

6. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA (ARTICLE 9 GDPR)

According to the GDPR, processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, is prohibited.
This prohibition does not apply if one of the conditions of Article 9(2)(a)–(j) is met.

Our company processes health-related data based on the condition under Article 9(2)(b) GDPR, i.e. processing is necessary for the purposes of fulfilling obligations and exercising specific rights of the controller or the data subject in the area of labor law and social security.

7. RIGHTS OF THE DATA SUBJECT (CHAPTER 3 GDPR)

The rights of the data subject are set out in Chapter 3 of the GDPR, and our company undertakes to respect them. These include, for example, the following rights:

7.1. Information to Be Provided When Personal Data Are Collected from the Data Subject (Article 13 GDPR)

When processing personal data, our company will provide the data subject with the following information:

  • (a) Information about our company
  • (b) Contact details of the responsible person, if applicable
  • (c) Purposes of the processing
  • (d) Legal basis for the processing
  • (e) If processing is based on Article 6(1)(f) GDPR, the legitimate interests pursued by the controller or a third party
  • (f) Recipients or categories of recipients of the personal data, if any
  • (g) Where relevant, information that our company intends to transfer personal data to a third country or international organization
  • (h) The period for which personal data will be stored or, if not possible, the criteria used to determine that period
  • (i) The existence of the right to request access to personal data concerning the data subject, and the right to have them rectified or erased or to restrict processing, or to object to processing, as well as the right to data portability
  • (j) If processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
  • (k) The right to lodge a complaint with a supervisory authority
  • (l) Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and the possible consequences of failing to provide such data
  • (m) The existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

7.2. Information to Be Provided When Personal Data Have Not Been Obtained from the Data Subject (Article 14 GDPR)

If personal data have not been obtained from the data subject, our company will provide all the information set out in point 7.1 of these guidelines, as well as the source of the personal data, or, where applicable, whether the data originate from publicly accessible sources.

This information will be provided within a reasonable period, and at the latest within one month of receiving the personal data, taking into account the specific circumstances under which the data are processed as provided in Article 14 of the GDPR.

Our company will not provide this information if:

  • (a) The data subject already has the information.
  • (b) Providing such information proves impossible or would require disproportionate effort.
  • (c) Obtaining or providing such information is expressly provided for in the Union or Member State law to which the controller is subject, and where appropriate measures are in place to safeguard the rights of the data subject.

7.3. Right of Access by the Data Subject (Article 15 GDPR)

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and if so, to obtain access to such data.

7.4. Right to Rectification (Article 16 GDPR)

The data subject has the right to have inaccurate personal data corrected without undue delay. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.

7.5. Right to Erasure (Right to be Forgotten, Article 17 GDPR)

The data subject has the right to obtain the erasure of personal data concerning them without undue delay, and the controller is obliged to erase such data without undue delay, provided one of the following conditions is met:

  • (a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • (b) The data subject withdraws consent on which the processing is based, pursuant to Article 6(1)(a) or Article 9(2)(a), and no other legal basis exists for the processing.
  • (c) The data subject objects to the processing pursuant to Article 21(2) and there are no overriding legitimate grounds for processing.
  • (d) The personal data have been unlawfully processed.
  • (e) The personal data must be erased in order to comply with a legal obligation under Union or Member State law.
  • (f) The personal data have been collected in relation to the offer of information society services pursuant to Article 8.

7.6. Right to Restriction of Processing (Article 18 GDPR)

The data subject has the right to obtain from the controller restriction of processing in the following cases:

  • (a) The data subject contests the accuracy of the personal data, for a period allowing the controller to verify the accuracy.
  • (b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
  • (c) The controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.
  • (d) The data subject has objected to processing pursuant to Article 21(1) pending verification of whether the legitimate grounds of the controller override those of the data subject.

Notification Obligation in Connection with Rectification, Erasure, or Restriction of Processing (Article 19 GDPR):
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1), and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller will inform the data subject of those recipients if requested.

7.7. Right to Data Portability (Article 20 GDPR)

The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and to have those data transmitted to another controller, where technically feasible, provided:

  • (a) The processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and
  • (b) The processing is carried out by automated means.

The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7.8. Right to Object (Article 21 GDPR)

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, which is based on Article 6(1)(e) or (f), including the right to object to profiling based on those provisions.

7.9. Automated Individual Decision-Making, Including Profiling (Article 22 GDPR)

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

8. CONTROLLER’S RESPONSIBILITIES (ARTICLE 24 GDPR)

As the controller, our company undertakes the following general obligations:

  • (a) In view of the nature, scope, and purposes of the processing, and the varying risks to the rights of natural persons, we will take appropriate technical and organizational measures to ensure and demonstrate that the processing is carried out in accordance with the GDPR.
  • (b) We will update these measures as necessary.
  • (c) We will regularly review the purpose of processing personal data and, once fulfilled, ensure the deletion of the personal data without undue delay.
  • (d) Our company will maintain the confidentiality of the personal data it processes. This obligation continues even after the processing of personal data is terminated. 

9. DATA PROTECTION BY DESIGN AND BY DEFAULT (ARTICLE 25 GDPR)

Our company undertakes to implement data protection by design before processing personal data and to maintain such measures during processing. This involves the adoption of appropriate technical and organizational measures, such as pseudonymization, to ensure effective implementation of safeguards and compliance with the GDPR.
We also commit to implementing data protection by default, ensuring that personal data are processed only for specific purposes, the amount of data collected is minimized, and the duration of storage is limited, with access restricted to authorized persons only.

10. PROCESSOR (ARTICLE 28 GDPR)

A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Our company, as the controller, utilizes processors who process personal data on our behalf (for example, accounting and legal firms).
For our company, the following processors handle data:

  • atax, s.r.o.
    Jelačičova 8, Bratislava 82108
    ID: 45 729 310

We will only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures so that processing meets GDPR requirements and protects the rights of the data subject. Processing by a processor on our behalf is governed by a “Data Processing Agreement” that obliges the processor towards the controller, specifying the subject, duration, nature, and purpose of processing, the type of personal data, categories of data subjects, and the respective rights and obligations.

Our company will sign amendments to contracts with the mentioned processors to ensure that all GDPR requirements are met.

11. RECORDS OF PROCESSING ACTIVITIES (ARTICLE 30 GDPR)

11.1. Records of Processing Activities of the Controller

As the controller, our company maintains records of processing activities and will make them available to the supervisory authority upon request. These records include:

  • (a) The name, address, and contact details of the controller and, where applicable, joint controllers, the controller’s representative, and the data protection officer;
  • (b) The purposes of processing;
  • (c) A description of the categories of data subjects and of the categories of personal data;
  • (d) The categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organizations;
  • (e) Where applicable, details of any transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1)(f) GDPR, the documentation of appropriate safeguards;
  • (f) Where possible, the envisaged time limits for erasure of the different categories of data;
  • (g) Where possible, a general description of the technical and organizational security measures referred to in Article 32(1)(a) GDPR.

11.2. Records of Processing Activities of the Processor

As a processor, our company maintains records of processing activities and will make them available to the supervisory authority upon request. These records include:

  • (a) The name, address, and contact details of the processor (or processors) and of each controller on whose behalf the processor is acting, and where applicable, the controller’s or processor’s representative and the data protection officer;
  • (b) The categories of processing carried out on behalf of each controller;
  • (c) Where applicable, details of any transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1)(f) GDPR, the documentation of appropriate safeguards;
  • (d) Where possible, a general description of the technical and organizational security measures referred to in Article 32(2) GDPR.

12. PROCESSING SECURITY (ARTICLE 32 GDPR)

Our company will adopt appropriate technical and organizational measures considering the latest knowledge, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risks varying in likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to those risks.

Delegation of Personal Data Processing (Article 32(4) GDPR):
Our company will take steps to ensure that any natural person acting on behalf of the controller or processor, who has access to personal data, processes such data only on the instructions provided by us, except where required by Union or Member State law.

13. NOTIFICATION OF A PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY (ARTICLES 33 AND 34 GDPR)

In the event of a personal data breach, our company will notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
If notification is not made within 72 hours, the reasons for the delay shall be provided.

The breach notification will include at least:

  • (a) A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned;
  • (b) Contact details of the data protection officer or another contact point where more information can be obtained;
  • (c) A description of the likely consequences of the breach;
  • (d) A description of the measures taken or proposed to be taken by the controller to address the breach, including any measures to mitigate its possible adverse effects.

Our company will document each personal data breach, including the facts relating to the breach, its effects, and the remedial measures taken.

In the case of a breach that is likely to result in a high risk to the rights and freedoms of natural persons, our company will notify the data subject without undue delay.

14. DATA PROTECTION IMPACT ASSESSMENT (ARTICLE 35 GDPR)

If a type of processing, especially using new technologies and considering the nature, scope, context, and purposes of processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller will conduct a Data Protection Impact Assessment (DPIA) before processing.
A DPIA is required in particular in the following cases:

  • (a) Systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing including profiling, which produces legal effects or similarly significantly affects the data subject;
  • (b) Processing on a large scale of special categories of data pursuant to Article 9(1)(a) or personal data relating to criminal convictions and offenses pursuant to Article 10;
  • (c) Systematic monitoring of publicly accessible areas on a large scale.

Since our company’s processing activities do not include the above cases, a DPIA is not required.

15. DESIGNATION OF THE DATA PROTECTION OFFICER (CHAPTER 4, SECTION 4 GDPR)

The controller is required to designate a Data Protection Officer if:

  • (a) The processing is carried out by a public authority or body (excluding courts acting in their judicial capacity);
  • (b) The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • (c) The core activities consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR or personal data relating to criminal convictions and offenses pursuant to Article 10 GDPR.

Since our company does not meet any of these conditions, a Data Protection Officer is not designated.

16. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

Transfer of personal data processed or intended for processing to a third country or an international organization may only take place if the controller and processor comply with the conditions, including conditions for further transfers from the respective third country or international organization to another third country or international organization.

The Data Protection Authority publishes on its website a list of third countries, territories, and specified sectors in a given third country and international organizations for which the European Commission has decided that an adequate level of protection is ensured, or where such a level is no longer ensured.

Our company will regularly monitor this list, and when transferring personal data to countries not included on the list, will proceed in accordance with Chapter 4 of the GDPR.

17. CONFIDENTIALITY (§ 79 ZoOOÚ)

Our company is obliged to maintain the confidentiality of the personal data it processes. This duty of confidentiality continues even after the processing of personal data has ceased.

Furthermore, our company is required to impose confidentiality obligations on any person who comes into contact with personal data at the controller or processor. The duty of confidentiality, as stated above, must continue even after the termination of the employment, state service, or any similar working relationship of such person.