PRINCIPLES OF PERSONAL DATA PROCESSING

1. Who processes your personal data ?

Your personal data is processed by ELBA, a.s. with its registered office at Československej armády 264/58, 967 01 Kremnica, ID No.: 31 615 651, registered in the Commercial Register of the District Court Banská Bystrica, Section: Sa, File No. 223/S (hereinafter referred to as the "Controller"). When processing personal data by the controller, you are in the position of a data subject, i.e. a person about whom personal data relating to him or her are processed. Your personal data will be processed securely, in accordance with the Controller's security policy.      

2. What rights do you have as a data subject?

  • Right of access - you have the right to provide a copy of the personal data we hold about you, as well as information about how we use your personal data (sample request HERE).
  • Right to rectification – if you believe that the data we hold is inaccurate, incomplete or outdated, please do not hesitate to ask us to correct, update or supplement this information (sample request HERE).
  • Right to erasure (to be forgotten) – you have the right to ask us to delete your personal data (sample request HERE).
  • Withdraw consent – in cases where we process your personal data on the basis of your consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing of personal data that we have processed about you on the basis of it (sample request HERE).
  • Right to restriction of processing – under certain circumstances, you are entitled to ask us to stop using your personal data (sample request HERE).
  • Right to data portability – in certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice (sample request HERE).
  • Right to object – you have the right to object to the processing of personal data that is based on our legitimate legitimate interests (sample request HERE).
  • Right to file a motion to initiate proceedings on the protection of personal data – if you believe that we process your personal data unfairly or illegally, you can file a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.
  • The right not to be subject to automated individual decision-making, including

The Controller will not use your personal data for automated individual decision-making, including profiling.

In the event that the provision of personal data is a legal/contractual requirement, you as a data subject are obliged to  provide such personal data. Failure to provide the personal data necessary to conclude the contract may result  in the non-conclusion of the contractual relationship.

In the event of an objection regarding the processing of your personal data, you have the right to submit a complaint or request in writing to the address of the registered office of the controller: Československej armády 264/58, 967 01 Kremnica or to the e-mail: gdpr@elba.sk.

You can use our sample forms to exercise some of your rights.

Before the start of the processing of your personal data, which is based on our legitimate interests, we carried out the so-called comparative tests, in which we have assessed the legitimacy, necessity, appropriateness, proportionality, as well as the application of appropriate safeguards to protect your rights and freedoms.

Further information on the processing of personal data

  • A. WEB
    • Contact form – general
    • Contact form – price offers
  • B. BUSINESS ACTIVITY
  • C. CLAIM
  • D. SUPPLIER RELATIONSHIPS
  • E. JOB SEEKERS
  • F. ACCOUNTING AND TAX OBLIGATIONS
  • G. EXERCISING THE RIGHTS OF DATA SUBJECTS – PROTECTION OF PERSONAL DATA
  • H. ANTI-SOCIAL ACTIVITY
  • I. ASSERTION OF LEGAL CLAIMS
  • J. NETWORK MANAGEMENT
  • K. RECORDS OF ENTRANCES TO THE COMPANY'S PREMISES
  • L. INTERNAL TRANSFER OF PERSONAL DATA
  • M. SOCIAL EVENTS
  • N. SOCIAL NETWORKS
  • O. SATISFACTION QUESTIONNAIRE

3. WEB

3. Information on the processing of personal data

A.     WEB

CONTACT FORM – GENERAL

1. Purpose of processingensuring communication via the contact form on the website, handling applications
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is to ensure effective communication via the web
Category of data subjects
Those interested in information
Category of personal data
name, surname, e-mail address, phone number, subject of the message
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
10 days from the end of the month in which the inquiry was delivered

Contact form – price offers

2. Purpose of processing  Ensuring communication via the contact form on the website – preparing price offers
Legal basispre-contractual relationship within the meaning of Article 6 (1) (b) of the GDPR
Category of data subjects
potential clients, a person authorised to act on behalf of a potential client, a contact person of a potential client
Category of personal data
name, surname, phone number, e-mail, subject of the message, subject of the potentially provided service/product
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
10 days from the end of the month in which the inquiry was delivered via the contact form
The price offer will be kept for a period of 5 years from its delivery to the potential client, the person authorized to act on behalf of the potential client, the contact person of the potential client

 

B. BUSINESS ACTIVITY

 

1. Purpose of processing  Preparation of price offers
Legal basispre-contractual relationship within the meaning of Article 6 (1) (b) of the GDPR
Category of data subjects
potential clients, a person authorised to act on behalf of a potential client, a contact person of a potential client
Category of personal data
name, surname, title, position, e-mail, phone number, correspondence address, company identification data on the basis of which it is possible to identify the data subject, subject of the price offer
Categories of recipients
authorized persons in a contractual relationship with the Controller, including other subcontractors cooperating in the performance of the subject of the contractual relationship, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
5 years from the receipt of the price offer to the potential client, the person authorized to act on behalf of the potential client, the contact person of the potential client

 Prenos osobných údajov do tretích krajín alebo medzinárodným organizáciám

neuskutočňuje sa
2. Purpose of processing  concluding and managing contractual relationships/orders, providing business activities
Legal basiscontractual relationship within the meaning of Article 6(1)(b) of the GDPR
Category of data subjects
clients, a person authorised to act on behalf of a client
Category of personal data
name, surname, title, position, e-mail, phone number, correspondence address, company identification data on the basis of which it is possible to identify the data subject, subject of the contract/order
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
10 years from the termination of the contractual relationship

 Transfer of personal data to third countries or international organisations

not taking place
3. Purpose of processing  Records of clients and contact persons
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is to effectively ensure communication with the contractual partner.
Category of data subjects
clients, a person authorized to act on behalf of the client, the client's contact person
Category of personal data
name, surname, title, function, e-mail, phone number, company identification data on the basis of which the data subject can be identified
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
after the termination of the contractual relationship

 Transfer of personal data to third countries or international organisations

not taking place

  

C. CLAIM

 

1. Purpose of processing  arranging a complaint procedure 
Legal basiscontractual relationship within the meaning of Article 6(1)(b) of the GDPR Act No. 40/1964 Coll. Civil Code
Category of data subjects
clients, a person authorized to act on behalf of the client, the client's contact person 
Category of personal data
name, surname, title, position, e-mail, phone number, correspondence address, company identification data on the basis of which it is possible to identify the data subject, subject of the complaint, data specified in the order/contract
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
5 years from the handling of the complaint agenda  

 Transfer of personal data to third countries or international organisations

not taking place

 

D. SUPPLIER RELATIONSHIPS

 

1. Purpose of processing  concluding and managing contractual relationships
Legal basiscontractual relationship within the meaning of Article 6(1)(b) of the GDPR
Category of data subjects
Suppliers, a person authorised to act on behalf of a supplier
Category of personal data
name, surname, title, position, e-mail, phone number, correspondence address, company identification data on the basis of which the data subject can be identified
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
10 years from the termination of the contractual relationship

 Transfer of personal data to third countries or international organisations

not taking place
2. Purpose of processing   Records of suppliers and contact persons
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is to effectively ensure communication with the contractual partner. 
Category of data subjects
clients, a person authorized to act on behalf of the client, the client's contact person
Category of personal data
name, surname, title, function, e-mail, phone number, company identification data on the basis of which the data subject can be identified
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
after the termination of the contractual relationship

 Transfer of personal data to third countries or international organisations

not taking place

 

E. JOB SEEKERS

1. Purpose of processing 
conducting selection procedures with job seekers
Legal basis
pre-contractual relationship within the meaning of Article 6 (1) (b) of the GDPR
Category of data subjects
Job seekers
Category of personal data
name, surname, date of birth, address of residence, e-mail, phone number, data specified in the application, CV or cover letter
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
  • in the case of a decision on the admission of a jobseeker/job to employment/work, to store personal data for a period of 1 year from the date of the last processing operation within the recruitment process,
  • in the event of a decision not to accept a jobseeker/job to a job/job, to dispose of personal data within 1 month after the last processing operation within the recruitment process has been performed.
Transfer of personal data to third countries or international organisationsnot taking place

 

2. Purpose of processing   Keeping records of job seekers
Legal basis
consent of the data subject within the meaning of Article 6(1)(a) of the GDPR
Category of data subjects
Job seekers
Category of personal data
name, surname, address of residence, date of birth, e-mail, phone number, data provided in the application, CV or cover letter
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
1 year from the date of consent to the processing of personal data
Transfer of personal data to third countries or international organisationsnot taking place

 

F. ACCOUNTING AND TAX OBLIGATIONS

 

1. Purpose of processing   fulfilment of legal obligations in the field of taxes and accounting in the field of business relations
Legal basis
Act No. 431/2002 Coll. on Accounting, Act No. 595/2003 Coll. on Income Tax, as amended
Category of data subjects
clients/suppliers, persons authorised to act
Category of personal data
name, surname, bank account number (or e-mail), data related to payment, company ID on the basis of which the data subject can be identified, if the client/supplier is a legal entity
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law, an intermediary ensuring the fulfilment of the Controller's legal obligations
Period for erasure of personal data
10 years from the fulfilment of the legal obligation
Transfer of personal data to third countries or international organisationsnot taking place

 

G. EXERCISING THE RIGHTS OF DATA SUBJECTS – PROTECTION OF PERSONAL DATA

 

1. Purpose of processing  records of asserted rights of data subjects and breaches of protection pursuant to Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts, records of asserted rights of data subjects pursuant to Chapter III and notifications pursuant to Articles 33 and 34 of Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is the registration of asserted rights and notifications of personal data breaches
Category of data subjects
the data subjects to whom the submission relates; Data subjects affected by the personal data breach
Category of personal data
data relating to the exercise of the right, data provided by the whistleblower when reporting a breach of protection
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
within 6 months of the expiry of 5 years from the exercise of the right or the occurrence of the data protection breach

Transfer of personal data to third countries or international organisations

not taking place

 

H. ANTI-SOCIAL ACTIVITY

 

1. Purpose of processing   reporting of anti-social activities in accordance with Act No. 54/2019 Coll. on the Protection of Whistleblowers of Anti-Social Activities and on Amendments to Certain Acts – Registration of Complaints 
Legal basisAct No. 54/2019 Coll. on the Protection of Whistleblowers of Anti-Social Activities and on Amendments to Certain Acts
Category of data subjects
whistleblowers, persons named in the complaint
Category of personal data

a) the date of receipt of the notification,

b) the name, surname and residence of the whistleblower, if it is not an anonymous whistleblower,

c) the subject matter of the notification,,

d) the result of the verification of the notification,

e) the date of completion of the verification of the notification

Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
3 years from receipt of the notification

Transfer of personal data to third countries or international organisations

not taking place

 

I. ASSERTION OF LEGAL CLAIMS

 

1. Purpose of processing  assertion of legal claims arising from contractual relationships
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is the assertion of legal claims.
Category of data subjects
Clients/suppliers, former clients/suppliers, persons authorised to act on behalf of clients/suppliers
Category of personal data
name, surname, title, position, e-mail, phone number, correspondence address, company identification data on the basis of which the data subject can be identified
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
In the case of the right to compensation, the limitation period runs from the day on which the injured party learned or could have learned about the damage and who is obliged to compensate for it (four-year subjective period), but it ends no later than 10 years from the date on which the breach of duty occurred.
Transfer of personal data to third countries or international organisationsnot taking place

 

J. NETWORK MANAGEMENT

 1. Purpose of processing

network management security (network security, information security)
Legal basislegitimate interest within the meaning of Article 6(1)(f) of the Regulation. The main legitimate interest is to ensure information and network security
Category of personal data
personal data located in specified workstations, personal data in electronic form, the processing of which is necessary for the proper provision of information and network security
Period for erasure of personal data
depending on the processing operation, the criterion for its determination – personal data are processed on a regular basis
Categories of recipients entities to which the Controller is obliged to provide personal data by law, authorised persons and other persons in a contractual relationship with the Controller
Category of data subjects
persons who are part of the contractual documentation, whistleblowers, whistleblowers, data subjects exercising rights, clients, contact persons of clients, suppliers, contact persons of suppliers, persons authorized to act in my capacity entities in the case of legal entities
Transfer of personal data to third countries or international organisations not taking place

 

K. RECORDS OF ENTRANCES TO THE COMPANY'S PREMISES

 1. Purpose of processing

registration of entrances to the company's premises, in order to ensure the safety and protection of the company's property 
Legal basislegitimate interest within the meaning of Article 6(1)(f) of the Regulation. The main legitimate interest is to ensure the safety and security of the company's assets
Category of personal data
name, surname, subject of visit, vehicle registration number, vehicle speed reached in the Controller's premises, in case of exceeding the speed limit
Period for erasure of personal data
5 years from the date of registration
Categories of recipients entities to which the Controller is obliged to provide personal data by law, authorised persons and other persons in a contractual relationship with the Controller
Category of data subjects persons entering the company's premises once
Transfer of personal data to third countries or international organisations
not taking place

 

L. INTERNAL TRANSFER OF PERSONAL DATA

 1. Purpose of processing

Intra-company transfer of personal data within the ELBA group of undertakings – internal administrative purpose  
Legal basislegitimate interest within the meaning of Article 6(1)(f) of the Regulation. The main legitimate interest is the internal administration of businesses 
Category of personal data
name, surname, title, position, e-mail, phone number, correspondence address, company identification data on the basis of which it is possible to identify the data subject, subject of the price offer/contract/order
Period for erasure of personal data
for the duration of the contractual or pre-contractual relationship 
Categories of recipients entities to which the Controller is obliged to provide personal data by law, authorised persons and other persons in a contractual relationship with the Controller
Category of data subjects clients, persons authorised to act on behalf of clients, client contacts, potential clients – in the case of quotes
Transfer of personal data to third countries or international organisations
not taking place

 

M. SOCIAL EVENTS

 1. Purpose of processing

carrying out promotional activities of the Controller, taking and publishing photographs and/or video recordings on social networks (FACEBOOK) and/or the Controller's website www.elba.sk
Legal basisLegitimate interest within the meaning of Article 6(1)(f) Regulation. The main legitimate interest is to ensure the Controller's promotional activities through the creation and publication  of personal data on social networks and/or  the  Controller's website
Category of personal data
Photography, video recording 
Period for erasure of personal data
5 years from the publication or taking of photographs/video recordings  
Categories of recipients entities to which the Controller is obliged to provide personal data by law, authorised persons and other persons in a contractual relationship with the Controller 
Category of data subjects participants of an event organized by the Controller

Transfer of personal data to third countries or international organisations
not taking place

 Exercise of the right to object

As an event participant, you have the opportunity to object to:

  1. taking photos and/or video recordings of you,
  2. posting your photos and/or video on social networks or the website.

You can exercise your right to object to the taking and/or publication of photographs:

  • electronically to the e-mail: gdpr@elba.sk.
  • orally on the day of the event with an authorized person.

If you exercise your right to object to the taking and/or publication of your photographs and/or video recordings, the Controller will not process this personal data  about you.

 

N. SOCIAL NETWORKS

1. Purpose of processing   ensuring communication through social networks
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is to ensure effective communication.
Category of data subjects
Those interested in information
Category of personal data
data provided when communicating via social networks
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to whom the Controller is obliged to provide personal data by law, the controller of social networks
Period for erasure of personal data
for the period of active use of your social media account

 Transfer of personal data to third countries or international organisations

not taking place

 

O. SATISFACTION QUESTIONNAIRE

Purpose of processing  Obtaining feedback to improve the quality of the company's services and products by providing satisfaction questionnaires and their subsequent recording
Legal basislegitimate interest within the meaning of Article 6 (1) (f) of the GDPR. The main legitimate interest is to improve the services and products provided. 
Category of data subjects
clients, persons authorised to act on behalf of clients, contact persons of clients
Category of personal data
name, surname, (e-mail in special cases) identification data of the company on the basis of which it is possible to identify the data subject if the client is a legal entity, data in terms of the feedback provided
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
the data will be deleted within 1 month after the end of the calendar year in which the questionnaire was sent to you

 Transfer of personal data to third countries or international organisations

not taking place

 

P. SPONSORSHIP CONTRIBUTIONS

Contract for the provision of a financial contribution

1. Purpose of processing  processing and administration of the contractual relationship, provision of sponsorship financial contribution
Legal basiscontractual relationship within the meaning of Article 6(1)(b) of the GDPR 
Category of data subjects
beneficiaries of sponsorship financial contributions, persons authorized to act on behalf of recipients of sponsorship financial contributions 
Category of personal data

in the case of i, the beneficiary is a natural person - name, surname, title, address of residence, bank account number, information on the purposes of the sponsorship contribution, amount of the sponsorship contribution

if the beneficiary is an entity other than a natural person, name, identification data of the entity, bank account number, information on the purposes of the sponsorship contribution, the amount of the sponsorship contribution, the title, name and surname of the person authorized to act on behalf of the said entity

Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law
Period for erasure of personal data
10 years from the termination of the contractual relationship

Promotion of the company's activities

2. Purpose of processing  promotional activity consisting in the processing and publication of personal data on the website/social networks 
Legal basisconsent of the data subject within the meaning of Article 6(1)(a) of the GDPR
Category of data subjects
beneficiaries of sponsorship financial contributions, persons authorized to act on behalf of recipients of sponsorship financial contributions    
Category of personal data
photo/video recording 
Categories of recipients
authorized persons in a contractual relationship with the Controller, entities to which the Controller is obliged to provide personal data by law, website administrator, social network controller 
Period for erasure of personal data

Consent is granted for a period of 5 years from the end of the year in which the consent was granted

the deletion of personal data will take place within 1 month after the expiry of the specified period