Code of Conduct for Personal Data Processing by TURBADO Group E-Shops

under the General Data Protection Regulation (GDPR)

May 21, 2018, version 1.0

Preamble

  1. The processing of personal data about customers and other individuals by E-shop Operators (ES Operators) is a necessary part of the business activities of organizations, of the fulfilment of legal and other obligations of operators, and of the protection of the legitimate interests of customers and operators.

  2. Operators are also subject to specific legal regulation stemming in particular from the EU ePrivacy Directive and the EU Cyber Protection Directive, which results in a specific approach by ES Operators to the protection of personal data under GDPR.

  3. The goal of the Code is to foster a relationship of trust between ES Operators and their customers and to increase the transparency of ES Operators in the processing of personal data about customers and other individuals.

  4. By referring to this Code, ES Operators are able to fulfil their information obligations towards data subjects under Articles 13 and 14 of GDPR.

  5. In accordance with Art. 24 (3) of GDPR, compliance with the Code may be used as an element to demonstrate that ES Operators comply with their obligations under GDPR. When the Personal Data Protection Office decides whether to impose a fine and in what amount, Art. 83 (2) of GDPR requires it to take into account a number of factors in each individual case, including compliance with the Code.

DUE TO THE ABOVE-MENTIONED, TURBADO GROUP, E-SHOP OPERATORS BUSINESS GROUP, HAS DECIDED TO ACCEPT THIS CODE IN THE FOLLOWING WORDING:

1 Introductory Provisions

1.1 Scope of the Code

1.1.1 This Code applies to all ES Operators of TURBADO GROUP, which have signed a cooperation agreement.

For the purposes of this Code, ES Operator within the meaning of the preceding sentence means any person authorized under local and EU legislation to operate e-shops or to carry out commercial activities aimed at the sale of goods and services, in particular to end consumers (natural persons not domiciled in the Slovak Republic, including legal entities) within the territory of the European Union, provided that this entity has an establishment in the territory of the Slovak Republic or of another EU member state and that the processing of personal data takes place in the context of the activities of this establishment, irrespective of whether the processing itself takes place in the territory of the Slovak Republic.[1]

1.1.2 The Code does not apply to processing of personal data by ES Operators that is not covered by GDPR and the Personal Data Protection Act.

1.3 Legal Nature of the Code

The Code is intended to contribute to the correct application of GDPR, taking into account the specific features of the E-shop Operators sector. At the same time, this Code should help to simplify the interpretation of GDPR for the E-shop Operators sector.

1.4 Relationship between the Code and the Authority of the Personal Data Protection Office

1.4.1 The Code is without prejudice to the authority of the Personal Data Protection Office under GDPR or the Personal Data Protection Act in relation to ES Operators as supervised entities or as parties to proceedings, unless the Code stipulates otherwise in par. 13 below.

1.4.2 While compliance with the Code may be used by ES Operators as an element to demonstrate compliance with GDPR, this Code does not relieve ES Operators of their duty to comply with GDPR or other personal data protection rules. Each ES Operator is required to ensure compliance with GDPR and other personal data protection rules under its own responsibility and in accordance with this Code.

1.4.3 The Code is without prejudice to the right of the data subject to file any submission with the Personal Data Protection Office or the competent court.

1.5 Relationship to Other Legislation

1.5.1 GDPR is the general European Union law on the protection of personal data and also covers the processing of personal data by ES Operators wherever its scope applies.

ES Operators also apply other legislation that supplements, specifies or limits GDPR as the general regulation.

1.5.2 The extent of the processing of personal data for the purposes specified in the Code is governed by the general rules of GDPR on the protection of personal data.

1.6 Explanation of Basic Terms

1.6.1 Personal Data

Personal data is any information relating to an identified or identifiable natural person (data subject). When determining what constitutes personal data, operators should not assume that each piece of information must itself be capable of identifying a person. For information to be considered personal data, it is sufficient that it can be attributed to a natural person who is identified or identifiable.

Example: An email address, phone number or IP address may not as such allow identification of a natural person. However, if this information relates to a particular identified natural person (e.g., a person known to the operator) or to an identifiable natural person, it is considered personal data. Personal data is not limited by type to name, surname, birth number, place of residence, etc. According to the definition of personal data, it can be any information. The decisive factor is not the type of information, but the possibility of assigning it (relating it) to a particular natural person.

1.6.2 Identified Natural Person

According to the Personal Data Protection Office: "A natural person can generally be identified as being identifiable if within the group of persons he/she is distinguishable from all other members of the group, so that his/her identity is unambiguously identified."[2]

Example: For the operator, an identified natural person may be a customer or an employee. Information relating to these persons is personal data (even if the natural person is an entrepreneur). Information about legal entities is not considered personal data.

1.6.3 Identifiable Natural Person

An identifiable natural person is a person who can be identified, directly or indirectly, by means which the operator or any other person is reasonably likely to use, for example by singling out. Every natural person is identifiable at the theoretical level. For the purpose of assessing whether a natural person is identifiable within the meaning of the definition of personal data, the Reasonable Probability Test set out in Recital no. 26 of GDPR is decisive.

Example: An identifiable natural person may still be an unknown perpetrator from the point of view of ES Operator, whose identity can be established by ES Operator in criminal proceedings (e.g. a person on a camera recording) in order to protect property. Information relating to an identifiable person (e.g. a camera recording) is considered personal data.

1.6.4 Reasonable Probability Test

In order to determine whether it is reasonably probable that means will be used to identify a natural person, account should be taken of all objective factors, such as the cost and time required for identification, with regard to the technology available at the time of processing as well as technological developments. The Reasonable Probability Test is not met if the identification of the person concerned is forbidden by law or practically impossible, for example because it would require a disproportionate amount of time, money or human resources, so that the likelihood of identification appears to be negligible.[3] As a result of applying the Reasonable Probability Test, it may also be concluded in a specific case that the processed information does not constitute personal data, since there is no reasonable likelihood that means will be used to identify the natural person to whom that information relates.

Example: In criminal proceedings, it may be established that the perpetrator cannot be identified. Information about a person who cannot be identified should not be considered personal data.[4]

1.6.5 Filing System

The concept of a filing system under GDPR is not an ordinary IT system, computer program, database or application. A filing system under GDPR is "any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis." GDPR uses this concept exclusively in relation to its material scope under Article 2 (1), to determine whether personal data processed by means other than automated means fall within the scope of GDPR. In other words, the concept of a filing system is, according to GDPR, a test for assessing whether personal data processed manually (i.e., in paper or physical form) falls under GDPR or not.

Example: Door labels in ES Operator's office space that contain, for example, the name, surname and title of employees do not constitute a filing system. Although this information meets the definition of personal data, GDPR does not apply to its processing in this form. A customer file[5] in which ES Operator processes the personal data of a customer or an employee in paper form may already be a filing system, and GDPR may therefore apply to that processing.[6] If paper documents containing personal data are scanned and sent by email or stored on a computer, electronically processed personal data is generated and the filing system "exception" does not apply. However, the application of GDPR to a paper agenda or file does not affect the legal and professional duties of ES Operator in relation to the documents and information concerned.

1.6.6 Data Subject

The data subject is any identified or identifiable natural person, to whom the personal data relate.

Example: For ES Operator, a customer or employee (natural persons) is typically the data subject. In relation to employees or corporate bodies, ES Operator should proceed appropriately according to par. 2.7 below.

2 Status of ES Operators and Others in the Personal Data Processing

2.1 E-Shop Operator as an Operator

2.1.1 An operator is a person who decides on the purposes ("why") and means ("how") of the processing of personal data, or a person whose status as an operator derives from Union or member state law, which then determines the purposes and means of processing.

Example: The operator is typically an employer in relation to an employee, a service provider or seller of goods in relation to a customer, or a public authority in relation to citizens.

2.1.2 In the sale of goods, the leasing of goods and the other purposes of personal data processing specified in this Code, ES Operators typically act as operators. The authorization of ES Operators to process the personal data of customers and other natural persons in their business activity follows explicitly from the provisions of Act no. 513/1991 Coll., the Commercial Code:

"Sec. 411 of Act no. 513/1991 Coll., the Commercial Code - The Seller is obliged to deliver the goods, to hand over documents relating to the goods and to allow the Buyer to acquire ownership of the goods in accordance with the Contract and this Act." and "Sec. 489 of Act no. 513/1991 Coll., the Commercial Code - (1) The Lease Agreement is negotiated by the parties in the rental agreement, or after it is concluded that the lessee is entitled to buy a leased property or a leased set of items during or after the lease."

2.1.3 ES Operator is not considered to be an operator if they obtain personal data by chance, without prior determination of the purposes and means of processing. In this case, GDPR does not apply to the processing of the personal data. However, if ES Operator subsequently determines the purposes and means of processing after having obtained the personal data by chance, the preceding sentence does not apply.

Example: These may be situations in which ES Operator is provided with personal data in error, by mistake or speculatively, or is provided with personal data that they have not requested and that they have no interest in processing further for any purpose, e.g. ES Operator is delivered an email containing personal data by mistake. Keeping this data for a reasonable time, for example in order to return it to the authorized person or to delete it, does not constitute processing of personal data falling within the scope of GDPR. However, should ES Operator continue to use personal data obtained in such a way, they would be in the position of the operator with respect to the relevant processing purposes and GDPR would apply.

2.2 ES Operator as Intermediary

An intermediary is a person who processes personal data on behalf of the operator and on the operator's instructions. Unlike the operator, the intermediary is not authorized to decide on the purposes and means of processing and is therefore not authorized to formally take decisions regarding the processing of the personal data. However, this does not mean that ES Operator cannot also process personal data as an intermediary, e.g. for other processing purposes.

2.3 ES Operators as Joint Operators

2.3.1 Joint Operators are two or more operators who jointly determine the purposes and means of personal data processing.

Example: Joint Operators may be, for example, several ES Operators carrying out business activity in an association or using a common part of a technology facility.

2.3.2 Joint Operators are required to enter into a mutual agreement meeting the requirements of Article 26 (1) and (2) of GDPR. Under the second sentence of Article 26 (2), the essential parts of the Joint Operators' agreement shall be made public.

Example: ES Operators acting as Joint Operators can disclose the basic content of the agreement, for example, on their website as part of the Privacy Policy (Annex 2 of this Code).

2.4 Group of E-Shop Operators

2.4.1 Groups of E-shop Operators should transparently define the position of the individual companies or persons belonging to the same group in the form of internal policies, memoranda or agreements.

2.4.2 A group of ES Operators may be Joint Operators under Article 26 of GDPR. Sharing, making available, providing and processing personal data about customers or employees within the same group of ES Operators may constitute a legitimate interest of the group, in which case the consent of the persons concerned to such sharing or joint processing is not necessary.

2.4.3 A group of ES Operators may also include entities whose role is to participate in the provision of legal services by providing support services for the group, and which may have access to personal data processed by the group. ES Operators should ensure that such entities are included in the arrangements under par. 2.4.1 above and that they are bound to maintain confidentiality to the same extent as the employees of the offices of ES Operators.

2.5 Employees of E-Shop Operator

2.5.1 Employees and other professional staff of ES Operator are persons acting on behalf of ES Operator; their processing of personal data in accordance with the legal and internal regulations of ES Operator is considered to be processing of personal data by ES Operator.

2.5.2 ES Operator is not required to conclude any special contractual arrangements with these persons solely because of GDPR. These persons are only allowed to process personal data on the instructions of ES Operator. Unlike instructions to an intermediary under the Article 29 guidelines, however, these instructions need not be documented and may result from general working or other instructions.

Example: If ES Operator assigns a task such as issuing invoices to an employee, or this task results from the employee's job description, the employee issues an invoice following the instruction of ES Operator to process personal data for ES Operator's accounting and tax purposes. ES Operator is not obliged to duplicate this instruction in an explicit mandate to process personal data and is not required to document or store this instruction because of GDPR.

2.5.3 According to Sec. 79 (2) of the Personal Data Protection Act, ES Operator is obliged to impose a duty of confidentiality on all natural persons who come into contact with personal data; this obligation of confidentiality must persist after the termination of their employment or engagement. The recommended procedure is nevertheless for ES Operator to introduce the duty of confidentiality of employees into its internal regulations.

2.6 Customers

2.6.1 The processing of personal data relating to customers who are natural persons is processing of personal data by ES Operator, regardless of whether the subject of the business transaction is a private or business matter of the customer. In the course of business, all natural-person customers are data subjects for ES Operator.

2.6.2 Customers who are legal entities are not data subjects; only natural persons may be data subjects. However, in the course of business or for other purposes, ES Operator processes personal data relating to the natural persons who act as statutory representatives, employees or members of such legal entities.

2.6.3 According to Recital 14 of GDPR, GDPR should not apply to personal data contained in the name of a legal entity or to the contact details of legal persons.[7] The interpretation of this provision is not yet settled in practice.

2.7 Other Natural Persons

Other natural persons within the meaning of Sec. 18 (6) are natural persons other than ES Operator's customers, and ES Operator is, to the extent necessary, entitled to process the personal data of such persons for the purposes of its business activity. In the course of business, other natural persons are data subjects for the operator. ES Operator typically does not obtain personal data directly from these other natural persons, but from customers, public sources or public authorities. The term "other natural person" is used in this sense throughout this Code.

Example: Competitors or their employees, spouses, children or other family members of an employee, etc.

3 Purposes and Legal Bases of the Personal Data Processing

3.1 Introduction

3.1.1 The purpose of personal data processing explains why the personal data is processed. The purpose of processing is decided by the operator or results for the operator from legal regulation. For certain segments of the national economy it is typical that processing purposes arise from legislation, even though the rules may allow some contractual freedom in concluding the relationships that are regulated.

3.1.2 Multiple processing purposes are imposed on ES Operators directly by legislation that mandates or permits ES Operators to process certain personal data about their customers and other individuals. Although in some cases the legislation does not explicitly describe the specific purpose of the processing, this is not necessary in order to determine the status of ES Operator as the operator. It is sufficient that the legal regulation requires ES Operator to fulfil a certain obligation or allows them to act in a particular way.

3.1.3 The so-called legal basis of processing must be distinguished from the purpose; it explains the legal title under which the personal data is processed. The legal basis is, among other things, decisive for determining whether a specific processing of personal data is lawful.

3.1.4 Each purpose may have several legal bases, but must have at least one.[8] If a purpose has several possible legal bases, ES Operator is entitled to rely on any of them and to fulfil all related GDPR obligations accordingly.

3.1.5 The processing purposes in this Code represent a selection of the processing purposes most commonly used by ES Operators. ES Operators are required to thoroughly analyse the processing purposes they actually pursue in order to ensure compliance with GDPR.

3.2 Categories for the Purposes of the Personal Data Processing

When processing personal data, ES Operator may typically process the personal data within the following categories of purposes:

| Categories of processing purposes | Legal basis | Related regulations |
|---|---|---|
| Business activity - sale or lease of products | The consent of the data subject, Art. 6 (1) (a) of GDPR, or fulfilment of a statutory obligation under Art. 6 (1) (c) of GDPR (in relation to special categories of personal data, the additional conditions under Article 9 (2) (f) of GDPR) | The Civil and Commercial Code |
| Provision of other services | The consent of the data subject under Article 6 (1) (a) of GDPR, or performance of a contract pursuant to Article 6 (1) (b) of GDPR, as well as fulfilment of a legal obligation according to Article 6 (1) (c) of GDPR | The e-Government Act, the Civil and the Commercial Code, the Non-Residential Premises Lease Act |
| Ensuring compliance with legislation | The fulfilment of a legal obligation under Article 6 (1) (c) of GDPR, the legitimate interest of ES Operator or third-party operators under Article 6 (1) (f) of GDPR, public interest pursuant to Article 6 (1) (e) of GDPR | Act on Protection against the Legalization of Income from Crime, Act on Notification of Anti-Social Activities, GDPR |
| Purposes relating to the protection of legitimate interests | The legitimate interest of ES Operator or a third party under Article 6 (1) (f) of GDPR | GDPR, Civil and Commercial Code, Criminal Procedure Code, Criminal Code, Civil Dispute Settlement, Civil Extra-Dispute Rules, Administrative Rules, Administrative Procedure, Offence Act |
| Marketing purposes | The consent of the data subject, Art. 6 (1) (a) of GDPR, or the legitimate interest of ES Operator or a third party under Art. 6 (1) (f) of GDPR | Electronic Communications Act, Advertising Act, Consumer Protection Act, the Civil Code |
| Statistical purposes, archival purposes in the public interest and purposes of historical and scientific research | Art. 89 of GDPR | Archives Act |
| Human Resources and wages | The fulfilment of a legal obligation under Art. 6 (1) (c) of GDPR, a legitimate interest according to Art. 6 (1) (f) of GDPR, as well as performance of a contract pursuant to Article 6 (1) (b) of GDPR (in relation to special categories of personal data, the additional conditions under Article 9 (2) (b) of GDPR) | Labour Code, Advocacy Act and other regulations |
| Accounting and tax purposes | The consent of the person concerned, Art. 6 (1) (a) of GDPR, or fulfilment of a statutory obligation under Art. 6 (1) (c) of GDPR | Special laws in the field of accounting and tax administration |

3.3 Detailed Explanation of the Selected Purposes for the Personal Data Processing

3.3.1 The above categories of processing purposes provide a framework overview of the different types of processing purposes of ES Operators. Each category of purpose may have several roles, forms and legal bases, and may involve different processing operations. In addition, some categories of purposes may require clarification or division into several separate processing purposes.

Example: Marketing purposes are listed as a single category of purposes for clarity, but in practice it is recommended to distinguish at least the sending of newsletters as a separate purpose. Similarly, the purpose of protecting legitimate interests should in practice be defined more precisely, distinguishing between the different legitimate interests as separate purposes. The above categories of purposes therefore need not be a complete list of ES Operators' purposes and should serve only as guidance for ES Operators, who should also take into account the following points when defining the individual purposes.

3.3.2 Business activity - the sale or rental of products may involve the processing of personal data, which is necessary, for example, for the following activities of ES Operators:

3.3.3 The provision of other services may involve the processing of personal data, which is necessary, for example, for the following activities of ES Operators:

3.3.4 Ensuring compliance with the law may involve the processing of the personal data, which is necessary, for example, for the following activities of ES Operators:

3.3.5 The protection of legitimate interests in the business of ES Operators relates mainly to the security of the premises, equipment and software of ES Operator. A legitimate interest may also serve as an additional legal basis for the processing of personal data for purposes which the law requires but for which it does not sufficiently specify the conditions of processing. A typical example of processing that may rest on the legal basis of protection of legitimate interests and, at the same time, on other legal bases is the area of personal data security: ES Operator is obliged under GDPR to take reasonable security measures for the protection of personal data, so the adoption of security measures may represent not only the protection of legitimate interests but also the fulfilment of an obligation arising from the generally binding legal regulation, i.e. GDPR. The choice of the legal basis for processing in similar cases should be left to ES Operator as the operator, who decides on the purposes and means of processing as well as on the legal basis for its processing of personal data.

3.3.6 In the context of security, the protection of the legitimate interests of ES Operators may involve, for example, the following activities:

3.3.7 Marketing purposes may involve the processing of personal data, which is necessary, for example, for the following activities of ES Operators:

3.3.8 ES Operators acquire the personal data processed for the above purposes in particular through communication with customers, whether in writing, by telephone or electronically. In practice, situations may arise where a customer provides ES Operator with personal data about other natural persons that ES Operator must or is authorized to process for their own purposes. ES Operators do not obtain consent to the provision of such personal data from the natural persons concerned, because their entitlement to process the personal data in the exercise of their profession results from the applicable legislation.

3.3.9 ES Operators are entitled to require customers, potential customers or persons claiming to be customers to prove their identity and to provide documents for identity verification purposes or for compliance with the statutory or contractual obligations of ES Operators, and are authorized to scan, copy or otherwise record such documents.

3.4 Cookies

3.4.1 Information obtained through interaction with the visitor's web browser and/or the use of cookies (such as IP address, operating system, time of the website visit, geographic location, content displayed, previous browsing history, etc.) can be processed by ES Operator using the various analytical tools deployed on their website.

Such processing involves storing, or gaining access to, information stored in the end device of the user, which, according to Sec. 55 (5) of the Electronic Communications Act, is subject to the consent of the website users, given on the basis of clear and complete information on the purpose of the processing, and to the corresponding settings of the web browser (e.g. not blocking cookies). ES Operator should check whether similar tools or technologies are used in conjunction with their website and follow the recommendations below.

Example: There are many free online tools for checking whether a website uses cookies. You can also learn more about cookies through the Google Chrome browser: right-click on the page and choose "View page source" (or press Ctrl + U), then search the page code for the "cookieSettings" entry. For example, "cookieSettings": {"isRestrictiveCookiePolicyEnabled": false} means that the website does not accept the use of cookies.

3.4.2 If ES Operator uses cookies, this does not automatically mean that the personal data is processed.

Example: If ES Operator's website collects only basic anonymous data on the number of visits, time and location, without any reasonable likelihood that ES Operator or a third party will use means to identify a natural person (i.e. without the practical possibility of assigning this information to specific natural persons), this does not constitute personal data processing. This is without prejudice to the provisions of Sec. 55 (5) of the Electronic Communications Act.

3.4.3 In all cases of the use of cookies, ES Operator is obliged to inform visitors about the use and purposes of the cookies, through the exemplary privacy policy outlined in Annex 2.

3.4.4 The recommended practice for ES Operators is to limit the range of information processed by cookies. This is especially true in relation to IP addresses and so-called advertising IDs,[9] which most likely increase the probability that personal data is being processed. If ES Operator determines that personal data is processed through the use of cookies on their website, they are obliged to fulfil the additional obligations arising from GDPR. The provisions of Sec. 55 (5) of the Electronic Communications Act do not mean that, in such a case, they must rely on the legal basis of consent under Art. 7 of GDPR. That provision does not refer to the rules on the protection of personal data and does not expressly address the processing of personal data. ES Operator may therefore, depending on the situation, decide on a legal basis other than the consent of the person concerned (e.g. legitimate interest under Article 6 (1) (f) of GDPR).

4 Basic Principles of Personal Data Processing

4.1 Introduction

The purpose of this part of the Code is to explain in detail the seven basic principles of personal data processing under Article 5 of GDPR in the business activities of ES Operator. These basic principles give rise to almost all other obligations of ES Operators as operators on the one hand, and to all the rights of data subjects on the other. Nevertheless, these other obligations and rights have their limits, and there are legitimate exceptions that cannot be interpreted as violations of the basic principles of processing from which they result.

4.2 Legality, Justice and Transparency

4.2.1 The processing of personal data by ES Operators must be carried out in a lawful, fair and transparent manner in relation to the data subjects. Lawful processing means that the processing of personal data by ES Operator must be based on at least one of the legal bases of processing specified in GDPR. Consent to the processing of personal data is only one of these legal bases and does not serve as a universal legal basis. The nature of consent also implies that it may be withdrawn, which would make it impossible to achieve some of the processing purposes. In practice, ES Operators rely heavily on legal bases arising from specific regulations, on performance of a contract and on the protection of legitimate interests, where consent to the processing of personal data is not necessary. As explained below, in some cases ES Operators rely on several legal bases at the same time in order to achieve the intended purpose of processing personal data.

Example: In the course of business, ES Operator does not rely on the consent of their customers or other natural persons to the processing of their personal data. ES Operator processes the personal data of these persons without their consent for the business purpose (sale or lease of products), as this processing purpose of ES Operator follows from the Commercial Code. At the same time, however, it can be argued that the processing of personal data in a commercial activity (selling or leasing products) can be considered necessary for the performance of the contract with the data subject. In such cases ES Operator may decide to choose the more appropriate legal basis (at least one). This Code favours the choice of the legal-obligation basis, because that basis also covers other natural persons with whom ES Operator has no contract.

4.2.2 If ES Operator relies on the legal basis resulting from specific regulations, it is not necessary for the specific law to determine the precise conditions for the processing of the personal data. On the contrary, it is common in practice for specific regulations to mention only some, or none, of the particulars of the processing of the personal data. This is also presumed by GDPR, since Article 6 (1) (c) makes the use of the legal basis under a specific rule conditional upon the processing of the personal data being necessary for the fulfilment of the statutory obligation. GDPR continues in Article 6 (3) in that the purpose of the processing shall in this case be determined either by the law of the Union or by the law of the Member State which applies to the operator. It is therefore not necessary for a specific regulation to explicitly or implicitly define the wording of the purpose. It is sufficient if the regulation clearly establishes an obligation to be fulfilled by the operator or an authorization to process personal data for a specific purpose foreseen by the law. In such a case, the exact wording of the purpose is left to the operator, who bears the burden of proving that the purpose so established results from the law.

4.2.3 The term "law of a Member State" should be understood not only as the legal regulations but also as any generally binding legislation. The term "legal obligation" should be understood as any legal obligation and therefore may also be an obligation arising from binding regulations of the Slovak Chamber of ES Operators. Where the law only regulates the possibility of processing the personal data, it does not preclude the use of the legal basis for compliance with the statutory obligation under Article 6 (1) c) of GDPR or the use of a legal basis of legitimate interest under Art. 6 (1) (f) of GDPR, in particular if, following a decision to proceed in this manner (relying on the statutory authorization), ES Operator is obliged to proceed with the processing of the personal data in a certain way.

4.2.4 If ES Operator relies on the legal basis under a specific regulation, it may be that the purpose of the processing pursued by ES Operator also represents the legitimate interest of ES Operator or of another person under Article 6 (1) (f) of GDPR. If ES Operator is able to demonstrate compliance with the conditions for using the legal basis of the protection of legitimate interests, they can thereby prove the lawfulness of the processing of the personal data to a greater extent than is necessary to fulfil a legal obligation under the law.

4.2.5 ES Operators may also rely on the legal basis of "performance of the contract", as set out in Article 6 (1) (b) of GDPR. For the use of this legal basis, the form or nature of the contract with the data subject is not decisive, and at the same time this legal basis also permits the processing of personal data in so-called pre-contractual relationships with the data subject.

4.2.6 It is specific to the business of E-Shop Operators that the performance of contractual relationships is also governed by specific regulations. In a situation where the processing of personal data is necessary for the performance of the contract and at the same time is necessary to fulfil a legal obligation of ES Operator, they are entitled to rely on either of these legal bases and to adapt the fulfilment of their other obligations under GDPR accordingly.

4.2.7 When processing the personal data for some purposes, ES Operators may rely on the legal basis of the consent of the data subjects to the processing of their personal data. ES Operators do so by default when it is not possible to rely on any other legal basis or if such consent is explicitly required by law. Consent may be granted in any form, whether written, electronic, audio or audiovisual, but always subject to the terms of Article 7 of GDPR. In order for the consent to be given freely, the performance of the contract, including the provision of the service, must not be conditional on it, unless such consent is necessary for such performance.

4.2.8 The principle of fair and transparent processing requires that the data subject is informed of the existence of the processing operation and of its purposes. ES Operators comply with the principle of fair and transparent processing through the information they provide to their customers and the public: the information on the processing of personal data available on the website, in other contractual documentation, in communication with customers and, at the same time, in this Code. Although most of this information is open to the public, the principle of fair and transparent processing is not absolute.

4.2.9 The general principle of fair and transparent processing is given concrete form by the information obligations of ES Operators when obtaining personal data under Articles 13 and 14 of GDPR, upon request by the data subject under Article 15 of GDPR, as well as by the general obligations laid down in Art. 12 of GDPR. These provisions allow a number of exceptions, which this Code specifies in relation to E-Shop Operators in the following provisions.

4.3 Limitation of Purpose

4.3.1 The purpose limitation principle requires personal data to be collected for specifically identified, explicit and legitimate purposes, and prohibits further processing of personal data in a way that is incompatible with those purposes.

Example: This Code encourages ES Operators to communicate all the processing purposes to the data subjects at once, for example through privacy terms on the website (see Annex 2 below).

4.3.2 Article 6 (4) of GDPR stipulates the so-called Compatibility Test of a new purpose of the processing with the original purpose for which the personal data was obtained. If the personal data is obtained by ES Operator from the outset for simultaneous processing for multiple purposes in accordance with the principles of lawfulness, fairness and transparency (i.e. in particular with a legal basis for each such processing), those purposes are not subject to the Compatibility Test. The result of a passed Compatibility Test is that the original legal basis for the processing can be used by ES Operator for the new purpose of processing. Some purposes are automatically considered to be compatible with the original purposes: the purpose of archiving in the public interest (the Archives Act), the purposes of scientific or historical research and the statistical purposes governed by Article 89 of GDPR.

Example: ES Operator acquires customers' personal data for business activity (selling or leasing of their products). If ES Operator later decides to process this personal data for statistical purposes or for purposes of archiving in the public interest, that processing is automatically compatible with the original purpose and ES Operator can perform it on the same legal basis.

4.4 Data Minimization

4.4.1 The principle of data minimization requires that ES Operators only process personal data which is reasonable, relevant and limited to the extent necessary for the purposes for which it is processed. The violation of this principle is considered to be an excessive processing of personal data, which means the processing of personal data that is not necessary for the purpose of processing. ES Operator should therefore be able to demonstrate that all processed personal data is needed to achieve the intended processing purposes.

4.4.2 The principle of data minimization does not mean that each ES Operator processes the same personal data. The necessary extent of the processed personal data is always considered according to the circumstances of the particular business case.

4.4.3 The principle of data minimization is also complemented by the obligations relating to data protection by default in Article 25 (2) of GDPR.

4.5 Correctness

4.5.1 The principle of correctness requires ES Operator to process correct and up-to-date personal data as necessary, and the necessary measures must be taken to ensure that personal data that is incorrect in terms of the purposes for which it is processed is immediately erased or corrected. However, the principle of correctness does not refer to the absolute objective accuracy of the processed personal data but to the correctness of the personal data for the purposes for which the personal data is processed. Some purposes may, for example, require explicitly to proceed with the processing of objectively incorrect personal data. The correctness of the data is assessed by ES Operators for processing purposes.


4.5.2 The principle of correctness is therefore an obligation that requires reasonable efforts by the operator to ensure the accuracy of the processed personal data; it does not exempt the data subject from the responsibility to provide correct personal data.

Example: It complies with the principle of correctness if, for example, the contract between ES Operator and the customer includes an obligation for the customer to report changes to his/her personal data to ES Operator.

4.5.3 It is a feature of the business activity of E-Shop Operators that ES Operator may not, without the consent of the customer, verify the truth or completeness of factual information provided by the customer (which may include the personal data of natural persons). If ES Operator has reasonable doubts about its veracity or completeness, they will inform the customer about the possible legal consequences of the information thus obtained.

Example: It complies with the principle of correctness under GDPR if the customer knowingly or unknowingly provides ES Operator with incorrect personal data and ES Operator, in accordance with the aforementioned obligation, processes it for business purposes in the customer's interest.

4.6 Storage Minimization

4.6.1 The storage minimization principle requires that ES Operator keeps personal data in a form that permits the identification of the data subjects only for as long as necessary for the purposes for which the personal data is processed. Because personal data is processed by ES Operators for multiple purposes at the same time, it is not a breach of this principle if one of the processing purposes ends but ES Operator does not erase the personal data, because it is needed for other ongoing processing purposes. These other purposes may be defined either at the moment the personal data is acquired or later during processing, in accordance with the purpose limitation principle, which allows processing for other purposes through the Compatibility Test of the new purpose with the original purposes.

4.6.2 ES Operators should adopt internal rules setting retention times (storage periods) of the personal data for individual purposes. The storage minimization principle serves as a guide for setting the upper limit of retention time. However, the retention times are set by the operator, since only the operator can assess the need for the identification of the data subjects for the purposes of the processing of the personal data. In some cases, retention times may follow from specific regulations. However, some specific regulations only provide for a minimum statutory storage period (e.g. keep for at least 5 years), so the actual retention times may be longer in those cases. The storage minimization principle allows the processing of the personal data to continue after the retention periods for certain other specified purposes: the purpose of archiving in the public interest, the purposes of scientific or historical research and the statistical purposes governed by Article 89 of GDPR.

4.6.3 The purpose of archiving in the public interest under Article 89 of GDPR is further regulated in the Archives Act, and the public interest pursued by this regulation is the preservation of archival documents that have a permanent documentary value for the history of Slovakia and the Slovaks. The processing of personal data for the purpose of archiving in the public interest also includes the so-called pre-archiving activity. The Archives Act imposes on ES Operator, as the originator of the registry, the obligation to record incoming and generated registry records during the storage period, which is the period during which ES Operators need the registry records for their activity. ES Operator may set the appropriate storage periods themselves and is authorized to follow the recommendations and practices of the Ministry of the Interior of the Slovak Republic. The storage periods under the Archives Act do not represent retention periods for the processing of the personal data under GDPR, since the storage periods under the Archives Act begin only after the retention periods under the original processing purposes have expired. Registry records, including copies of the contractual documentation, may or may not contain the personal data of the data subjects. GDPR requires appropriate safeguards for the rights and freedoms of the data subjects in archiving in the public interest. These safeguards are ensured by the implementation of technical and organizational measures, in particular those ensuring compliance with the principle of data minimization. The Registry Rules and/or registry schedule adopted under the Archives Act constitute technical and organizational measures that ensure compliance with the principle of minimization. ES Operators should restrict access to documents retained under the Archives Act in similar internal regulations.

If ES Operator proceeds under the Archives Act, they are obliged to erase the personal data only upon the disposal of the records in accordance with that regulation, and this procedure is in accordance with the principle of storage minimization.

4.6.4 The principle of storage minimization is also complemented by the obligations relating to data protection by default in Article 25 (2) of GDPR.

4.7 Integrity and Confidentiality

The integrity and confidentiality principle requires ES Operators to process the personal data in a manner that ensures an adequate level of security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage by appropriate technical or organizational measures. This principle is underpinned by other obligations relating to the security of personal data which GDPR deals with in Section 2 of Chapter IV, namely Articles 32 to 34 of GDPR, as explained in par. 8 below.

4.8 Accountability

4.8.1 Under the principle of accountability, ES Operators are responsible for complying with the basic principles of the processing of personal data under Article 5 (1) of GDPR, and ES Operators must be able to demonstrate this compliance. GDPR does not stipulate the method of demonstrating compliance with the basic processing principles; that is left to the discretion of the operator.

Example: In accordance with the principle of accountability, ES Operators can demonstrate compliance with the basic principles of processing personal data by:

4.8.3 This Code provides recommendations regarding the adoption of minimum internal documentation by ES Operators in par. 12 below.

5 Processing of Specific Categories of Personal Data

5.1 General Conditions

5.1.1 In practice, specific categories of personal data are processed for the same purposes together with the common personal data. Where ES Operator relies on any of the legal bases referred to in Article 9 (2) of GDPR in relation to specific categories of the personal data, the necessarily related personal data may be processed on any legal basis resulting from Article 6 of GDPR.

Where it is not possible to rely on the legal bases referred to in Article 6, but there is a legal basis in relation to specific categories of personal data under Article 9 (2) of GDPR, ES Operators are authorized to continue processing in relation to the personal data. The same applies in relation to the provision of Sec. 78 (5) of the Personal Data Protection Act, according to which it is possible to process genetic data, biometric data and health data under a special regulation or an international treaty by which the Slovak Republic is bound.

5.1.2 Unlike under the previous regulation under Directive 95/46/EC as implemented by Act No. 122/2013 Coll., on the Protection of Personal Data, birth numbers and personal data relating to findings of guilt for crimes and offences are not considered specific categories of the personal data. This personal data may be processed on the legal bases referred to in Article 6 of GDPR. This is without prejudice to additional obligations arising in connection with the processing of such personal data under Article 10 of GDPR and Sec. 78 (4) of the Personal Data Protection Act.


5.1.3 Historically, a photograph of the data subject was also considered a special category of personal data. GDPR changes this approach: according to Recital 51, the processing of photographs should not systematically be considered as the processing of specific categories of the personal data, since the definition of biometric data applies to them only if they are processed by specific technical means that allow or confirm the unique identification of a natural person. For example, an ordinary security camera recording or a copy of an identity document, including the photograph on that document, does not meet this condition.

5.2 Cases of Processing of Specific Categories of the Personal Data

5.2.1 ES Operators in the provision of legal advice may also process specific categories of the personal data. This data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data for the unique identification of a natural person, health data and data concerning the sex life or sexual orientation of a natural person.

5.2.2 The processing of specific categories of the personal data may be necessary if it is needed to establish, exercise or defend legal claims under Article 9 (2) (f) of GDPR.

5.2.3 The processing of specific categories of personal data may be necessary for reasons of substantial public interest under Union or national law which is proportionate to the objective pursued, respects the essence of the right to data protection and lays down appropriate and specific measures to safeguard the fundamental rights and interests of the data subject (Article 2 (g) of GDPR). Such a substantial public interest may arise, for example, from specific provisions to prevent criminal or other activities, such as the Criminal Law Protection Act, the Criminal Code or the Criminal Liability Act.

5.2.4 The processing of specific categories may also be carried out subject to the consent of the data subject in accordance with Article 9 (2) (a) of GDPR. The difference between this consent and the "usual" consent under Article 6 (1) (a) GDPR is its explicitness. The explicitness condition is fulfilled if it is sufficiently clear from the wording or manner of expression of the consent that it applies to specific categories of the personal data.

6 Rights of the Data Subjects

6.1 Method of Dealing with the Requests of the Data Subjects

6.1.1 When informing, communicating or responding to requests from the data subjects, ES Operator is obliged to proceed in accordance with Article 12 of GDPR. ES Operator should facilitate the exercise of the rights of the data subjects by providing several options for filing the requests.

Example: The data subject who can claim their GDPR rights with ES Operator may in principle be any natural person.

ES Operator should decide to refuse a request of the data subject only after assessing its content, and any refusal should be justified.

6.1.2 If ES Operator has reasonable doubt as to the identity of the natural person making the request, they may request additional information to confirm his/her identity.

Example: If the client as the data subject makes a claim under GDPR, but from a different e-mail address than the one he/she usually uses, ES Operator should verify whether he/she is actually the customer, for example by confirming the request by telephone. If this is not possible, ES Operator may request from the natural person claiming to be the client, for example, a copy of an identity card. ES Operator may under no circumstances provide information about the client to the wrong person.

6.1.3 The time limit for handling the request of the data subject begins to run once his/her identity has been verified. The general time limit for handling the request of the data subject under Articles 15 to 22 of GDPR is one month after the receipt of the request. ES Operator is entitled to extend this one-month period by up to two further months, taking into account the complexity of the request and the total number of requests received by ES Operator during the given period. Whenever ES Operator decides to extend the time limit, they are obliged to inform the data subject of the extension, together with the reasons for the delay, within the original one-month period.

6.1.4 If ES Operator fails to take action at the request of the data subject, they must inform the data subject about the reasons for the failure to act and the possibility to lodge a complaint with the Personal Data Protection Office or apply for remedy within one month of the receipt of the request.

6.1.5 If the requests of the data subjects are manifestly unfounded or excessive, in particular because of their repetitive nature, ES Operator is entitled to refuse to act on the request or to charge a reasonable fee, taking into account ES Operator's administrative costs, at their own discretion. ES Operator may treat as an excessively repeated request any identical or similar request by the same person filed within 6 months of the submission of the previous request.

Example: The request for action of the data subject shall, in particular, be regarded as manifestly unfounded:

6.1.6 When handling the requests of the data subject, ES Operator proceeds adequately according to the internal privacy policy, if adopted.

6.2 Information Provided to the Data Subjects

6.2.1 ES Operator is authorized to fulfil the information obligations under Articles 13 and 14 of GDPR in any way, regardless of the form and means of the information provided. The substantial difference between the two obligations is that under Art. 13 of GDPR ES Operator proceeds towards the data subjects from whom they directly obtained the personal data, while under Art. 14 of GDPR ES Operator proceeds towards the data subjects whose personal data has not been obtained directly from them, and Article 14 GDPR provides several substantial exceptions to the obligation.

Example: ES Operator typically proceeds under Art. 13 of GDPR towards their clients who are natural persons, or their employees. Under Art. 14 of GDPR, ES Operator typically proceeds towards natural persons who are employees of a client that is a legal entity or of a counterparty, and towards other natural persons about whom ES Operator processes personal data in the course of their business activity.

6.2.2 If ES Operator uses a website for their presentation, they are required to disclose the basic information under Articles 13 and 14 of GDPR there. If ES Operator does not have any website, the information under Articles 13 and 14 of GDPR must be provided otherwise.

Example: The recommended practice of ES Operator is to disclose the information under Art. 13 and 14 of GDPR at the bottom of the website under a name such as "Privacy Terms", "Privacy Policy" or "GDPR".

A reference to these terms may be used by ES Operator to obtain the personal data (for example, when collecting consents), in the contractual documentation or in the signature in e-mail communication.

6.2.3 The sample Privacy Policy in Annex 2 below serves as guidance for meeting the information obligation of ES Operators under Art. 13 and 14 of GDPR, in particular in relation to the data subjects who are customers. By its mandatory publication on the website, ES Operators also increase the likelihood that data subjects to whom ES Operator has no obligation to provide such information will become acquainted with it. The privacy policy published on ES Operator's website should be a sufficient way of meeting the information obligation of ES Operators under Art. 13 and 14 of GDPR. This does not exclude the possibility of fulfilling this obligation in another way. In cases where it is highly unlikely that the data subject will become aware of the privacy policy on ES Operator's website (and ES Operator is under an obligation to inform them), ES Operator should also use other methods of providing the basic information under Art. 13 and 14 of GDPR.

Example: The recommended practice of ES Operator in such specific cases is to provide the privacy terms to customers in print, within the premises of ES Operator, by correspondence or in person, especially if the customer of ES Operator does not have access to the Internet.

6.2.4 In order to demonstrate compliance with the obligation to inform the data subject in accordance with Article 13 of GDPR, it is decisive whether the data subject has been able to acquaint himself/herself with this information, not whether the data subject has actually taken note of or read it. It is not necessary for the data subject to confirm receipt of the basic information, for example by ticking a box, consent, declaration or signature.

6.2.5 The timing of the fulfilment of the information obligation under Article 13 of GDPR is defined as the "acquisition" of personal data or "when collecting" the personal data. If a process of ES Operator takes longer (i.e. is not immediate) and the acquisition of the personal data is linked to that process, ES Operator should be able to fulfil their information obligation under Article 13 of GDPR at any time during this process. It is in the interest of the data subject to have enough time to get acquainted with the information under Article 13 of GDPR. If, for example, the data subject decides to conclude a product lease agreement, it is sufficient if the data subject has the opportunity to familiarize himself/herself with this basic information at any time during the contracting process, during his/her presence at ES Operator or later through the documents sent to the data subject's e-mail. The decisive factor is the possibility for the data subject to become acquainted with that information, if interested. The fact that the data subject has been informed of the existence and availability of this information when his/her personal data was obtained and has decided not to read it cannot be considered a breach of the information duty of ES Operator. There is an exception to this obligation if the data subject already has the information (for example, an amendment to a contract that changes the subject matter of the contract while the purpose and scope of the processing of personal data remain the same). ES Operator must be able to prove this fact.

6.2.6 The timing for the fulfilment of the information obligation under Article 14 of GDPR is set later than under Article 13 of GDPR. This information obligation must be fulfilled by ES Operator no later than one month after obtaining the personal data, or earlier: at the time of the first communication of ES Operator with the data subject, or before the personal data is first disclosed to another recipient. This information obligation may also be met by ES Operators in any of the ways listed above.

6.2.7 ES Operator is not required to provide basic information in the cases and situations foreseen in Article 14 (5) of GDPR.

In business, these cases and situations apply especially to individuals other than the customer. For example, if personal data about other individuals (such as information about a witness) is collected under a specific law applicable to ES Operator (e.g. the Criminal Protection Act), ES Operator is not obliged to provide these persons with any information under Article 14 of GDPR. ES Operator is also entitled to argue towards another natural person that the personal data must remain confidential, based on the obligation of confidentiality that ES Operator has toward the customer. If ES Operator provided some information under Article 14 of GDPR (e.g. the source of the data) to another natural person, this could result in a breach of the confidentiality obligation, as the other natural person would learn the identity of the customer. This is without prejudice to the further derogations provided for in Article 14 (5) of GDPR. This paragraph is without prejudice to situations where ES Operators obtain personal data directly from the data subject; in that case, Article 13 of GDPR applies.

6.2.8 ES Operators are also authorized to fulfil their information obligations through this Code. If the conditions for informing the data subjects with basic information are also fulfilled in relation to this Code, for example by ES Operators expressly referring to this Code within the basic information provided under Articles 13 and 14 of GDPR, ES Operators are entitled, in the processing of personal data, to rely on the content of this Code as information already available to the data subjects.

Example: The recommended procedure of ES Operator is to refer to this Code in the document by which ES Operator fulfils the information obligation under Art. 13 and 14 of GDPR (e.g. the Privacy Policy in Annex 2 below).

6.2.9 In order to promote transparency and inform the public about the processing of personal data by ES Operators, the TURBADO parent company will publish this Code on its website in a public section accessible to anyone without registration.

6.3 Right of Access to Personal Data

6.3.1 The data subjects have the right of access under Art. 15 of GDPR. This right firstly includes the right of the data subject to obtain from ES Operator confirmation as to whether or not ES Operator is processing his/her personal data. Only if ES Operator processes personal data about the data subject does the data subject have the right to exercise (in one request or successively) the other rights comprised in the right of access, namely:

  1. the right to provide information under Article 15 (1) of GDPR;
  2. the right to access the personal data processed by ES Operator;
  3. the right to provide a copy of the processed personal data.

6.3.2 When providing information under Article 15 (1) of GDPR, ES Operators are authorized to use the same means and method of providing information as applied to the information under Articles 13 and 14 of GDPR. Information under Article 15 (1) GDPR should however be adapted to the circumstances of the data subject.

Example: When providing information under Art. 15 (1) of GDPR, ES Operator should assume that the data subject is already likely to understand the general privacy terms and is likely requesting that this generic information be confirmed and adapted to his/her person. ES Operator should respond accordingly (e.g. select only the relevant purposes from the list of all purposes in relation to that person).

6.3.3 The right of access is not an absolute right of the data subject, nor does it confer a right to gain access to the internal systems or premises of ES Operator. The right of access is subject to the condition that such access is possible, and it must not adversely affect the rights and freedoms of others. "Others" may include, in particular, the customer, but also ES Operator, other ES Operators belonging to the group of ES Operators, and other data subjects or persons other than the requesting person.

Example: Access by the data subject to the personal data should be considered impossible or adverse to the rights and freedoms of others whenever it is prohibited by law or would threaten ES Operator's duty of confidentiality resulting from the Law on Attorneys. This will always be the case if access is requested by someone other than a client without the client's consent.

6.3.4 The mere fact that ES Operator processes personal data about a particular natural person other than the customer may have adverse consequences for the customer, as it may hinder the legal preparations of ES Operator and the customer, for example to bring an action. The mere fact that ES Operator processes personal data about a particular natural person may also violate ES Operator's duty of confidentiality because, in the context of the situation, it may become clear to that natural person that the processing relates to a particular customer. If, for example, ES Operator also confirmed the source from which it obtained the personal data about the other natural person, it would probably have to confirm the identity of the customer and thereby breach the duty of confidentiality.

        Example: ES Operator protects the interests of the customer and maintains confidentiality also by not confirming to natural persons other than the customer, under Art. 15 (1) of GDPR, that it processes personal data about them, unless the customer consents.

6.3.4 A particular feature of ES Operator's confidentiality under the applicable legislation is that ES Operator is required to maintain confidentiality even if the customer or all of his/her attorneys release it from this obligation, where ES Operator considers that disregarding the confidentiality obligation would be to the detriment of the customer. The assessment of what is to the detriment of the customer lies with ES Operator.

Example: If a natural person other than the customer asks ES Operator for access under Art. 15 of GDPR with the consent of the customer, and ES Operator considers that such access would not be in the customer's interest, ES Operator is obliged not to allow that person access under Art. 15 of GDPR despite the customer's consent.

6.3.5 The right to obtain a copy of the personal data pursuant to Article 15 (3) of GDPR is a supplementary right of the data subject under the right of access. When the right to information under Article 15 (1) of GDPR is exercised, ES Operator provides the data subject only with the categories of personal data that are processed about him/her. By exercising the right to obtain a copy of the personal data pursuant to Article 15 (3) of GDPR, the data subject obtains the specific "values" of this personal data (e.g.: Jozef, 41). Copies of personal data need not be provided in any particular structured format. The right to obtain a copy does not imply an obligation on ES Operator to provide copies of documents or files. The right of access under Art. 15 of GDPR does not mean access to the entire client file (the client may have such a right, but not under GDPR).

        Example: If ES Operator provides the customer with access to his/her personal data at the premises of ES Operator, it must not breach its duty of confidentiality towards other customers (e.g. through files or other information that are visible or accessible). If ES Operator provides access to personal data to another natural person with the consent of the customer, it does not provide that person with the entire customer file, but only the information and documents containing the personal data of the data subject. ES Operator is entitled to remove (e.g. redact) information from these documents in order to maintain confidentiality towards the customer.

6.3.6 Given that ES Operator may have more extensive information and documentation obligations towards the customer under applicable legislation, ES Operator in principle answers all of the customer's requests for information or documents, regardless of whether they are requests under Art. 15 of GDPR or not.

6.3.5 ES Operators are obliged to use the same answer in both of the following situations:

with the recommended answer being:  

Example: ES Operators are not authorized to confirm to any natural person that they do not process personal data about him/her. If they did so, their answers would be compromised in those cases where they do process the natural person's personal data but are obliged, in order to maintain confidentiality and protect the customer's interests, not to confirm this fact. Consequently, in accordance with the Code of Conduct, ES Operators use the following unified response for both situations: "We either do not process personal data about you, or we process them but are not permitted to confirm this. For legitimate reasons, we cannot provide you with any further information, even within the meaning of GDPR. For more information, refer to Section 6.3 of the TURBADO Group Code of Conduct at wwwturbado.eu/kodexgdpr."

6.3.6 The response in par. 6.3.5 above does not apply to situations where ES Operator complies with the right of access. As a result of the response under par. 6.3.5, ES Operator is not obliged to respond to or handle further requests under GDPR and proceeds in the same way as if no personal data about the data subject were processed.

6.3.7 If a natural person other than the customer already knows that ES Operator processes personal data in relation to the particular customer, ES Operator proceeds as follows:

        Example:

6.4 Right to Correct, Erase (Forget)

6.4.1 The data subject has the right to require ES Operator to correct any inaccurate personal data concerning him/her and has the right to have incomplete personal data completed, including by providing a supplementary statement. However, ES Operator decides whether the personal data is incomplete from the point of view of the processing. The right to correction under Article 16 of GDPR must be interpreted in accordance with the principle of correctness under this Code.

6.4.2 The right to delete personal data is mistakenly perceived by the public as an absolute right allowing the data subject to have all personal data erased by the operator at any time. The right to delete applies only in the cases defined in Article 17 of GDPR, which are not general or absolute in nature. The data subject should explain these reasons, and ES Operator is entitled to request clarification if the data subject has not done so.

Example: If the data subject requests ES Operator to delete personal data without stating the grounds for deletion under Art. 17 of GDPR, ES Operator has the right to respond (within the time limit running from the submission of the incomplete request) by requiring the data subject to supplement the grounds on which he/she requests the deletion.

If the data subject supplements these grounds, the one-month time limit for handling the request begins to run from the date of that supplementation.

6.4.3 Without prejudice to the foregoing, ES Operator is entitled to refuse to act on a request for the deletion of personal data if one of the grounds referred to in Article 17 (3) of GDPR applies. ES Operators may apply the grounds for refusal resulting from Art. 17 (3) (b), (d) and (e) of GDPR, i.e.: (i) the processing of the personal data is necessary to fulfil a statutory duty of ES Operator; (ii) the processing of the personal data is necessary for the purpose of archiving in the public interest; and (iii) the processing of the personal data is necessary for the purposes of establishing, exercising or defending legal claims (primarily claims of the customer, but possibly also claims of ES Operator).

        Example: ES Operator will not delete the personal data at the request of the data subject if:

6.4.3 Without prejudice to the foregoing, ES Operator is entitled to refuse to act on a request for the deletion of personal data if the request is manifestly unfounded (Section 6.1.5 above).

6.5 Right to Limit Processing

The right to restrict processing does not serve to protect the legal rights of other natural persons against ES Operator's customer or against ES Operator, and it must be interpreted in this way. The conditions for exercising the right to restrict processing are assessed in a similar way as the grounds for deletion of personal data explained above. A restriction of the processing of personal data processed by ES Operator for business purposes should only be available on request by the customer, or by another natural person with the consent of the customer.

6.6 Right of Portability

6.6.1 The data subject has the right to request the provision of personal data pursuant to Article 20 (1) of GDPR only in relation to personal data that is: processed by automated means (i.e. electronically); processed on the legal basis of consent or performance of a contract (Article 6 (1) (a) or (b) of GDPR); and actively provided by the data subject to ES Operator. These conditions will in most cases not be met in relation to the personal data of other individuals, as ES Operator in most such cases processes personal data obtained from the customer.

6.6.2 The right to portability does not apply to personal data that ES Operators process on legal bases other than consent or performance of a contract.[10] Data categories that do not fall under the right to portability include, in particular, all personal data processed on a legal basis resulting from the specific rules or the legitimate interests explained above. By default, personal data about other individuals also falls under this category, since ES Operators do not process such personal data on the basis of a contract or consent.

6.6.3 As specific rules may use the term “consent” in a different sense than GDPR, consent under Article 20 (1) of GDPR is considered to be only consent to the processing of personal data under Article 6 (1) (a) of GDPR and not any other type or sense of consent.

6.6.4 The right to portability must not adversely affect the rights and freedoms of others. Compliance with a request for portability could have adverse consequences if it meant that ES Operator would breach the duty of confidentiality.

6.6.5 Such data is most often provided in .doc, .docx, .rtf, .xls, .pdf, .jpg, .jpeg, .png or .gif format, or in the text of an e-mail. If ES Operator is required under the right to portability to provide personal data in a structured, commonly used and machine-readable format, it may provide the personal data in the same format in which the customer provided it.

6.6.6 The right to portability is without prejudice to the obligations of ES Operators to the clients regarding the provision of information or the provision of documents.

6.7 Right to Object

6.7.1 The data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data by ES Operators on the legal basis of public interest or legitimate interest. Upon receipt of the data subject's request, ES Operator must, within the time limit under Article 12 of GDPR, demonstrate to the data subject compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for establishing, exercising or defending legal claims. If ES Operator is unable to demonstrate such grounds within the given time limit, the personal data must no longer be processed from the expiry of that period.

        Example: If ES Operators use a camera system to protect their legitimate interests (e.g. property protection), they must be able to demonstrate, in the case of an objection by the data subject under Art. 21 of GDPR, that their legitimate interest prevails. The recommended procedure is to have a written statement of legitimate interest in relation to these purposes.

6.7.2 The data subjects have the right to object to the processing of personal data for the purposes of direct marketing, in which case ES Operators are obliged to cease the processing of the personal data within the time limit under Article 12 of GDPR.

6.8 Automated Individual Decision Making Including Profiling

6.8.1 Although it is apparent from the nature of the e-shop business that it may also have adverse legal effects for other natural persons, automated individual decision-making under Art. 22 of GDPR does not occur in the ordinary course of business. However, ES Operators should consider the possibility of automated individual decision-making whenever they use modern data processing technologies.

7 Impact Assessment and Prior Consultation

7.1 Impact Assessment

7.1.1 Impact Assessment is a specific obligation for ES Operators in relation to certain types of processing of personal data likely to present a high risk to the rights and freedoms of natural persons. The obligation to conduct an Impact Assessment does not apply to all ES Operators.

7.1.2 Impact Assessments can most often be relevant to ES Operators who:

  1. are not Small ES Operators within the meaning of point 12.1 below (i.e. ES Operator has more than 5 employees and a turnover of more than EUR 500,000);

7.1.3 Impact Assessment can be relevant for ES Operators, if they decide to deviate from the recommendations on the use of software or cloud services with a repository located in the countries of the European Economic Area (EU + Iceland, Norway and Liechtenstein).

7.1.4 However, the list of situations that may be covered by Impact Assessment may also be derived from the Personal Data Protection Office's statutes or opinions and may not only concern the business activities of ES Operators.

7.1.5 ES Operators may make one Impact Assessment for similar or recurring situations and thus use the measures resulting from the conclusions of one Impact Assessment on all similar situations. ES Operators are authorized to prepare an assessment in any way that meets the requirements of Article 35 (7) of GDPR.

7.2 Previous Consultations with the Personal Data Protection Office

        If an Impact Assessment results in a high risk, ES Operators are required to request prior consultation with the Personal Data Protection Office. In such a case, the Office is empowered to adopt measures within the time limits referred to in Article 36 (2) of GDPR. If, within eight weeks of receipt of a request for prior consultation, the Office does not inform ES Operator that it considers the ES Operator's Impact Assessment to be contrary to GDPR, ES Operator may, after the expiry of that period, continue the intended processing of the personal data. This is without prejudice to the power of the Personal Data Protection Office to notify an extension of that period within one month of receipt of the request for prior consultation. If, even during this extended period, the Office does not inform ES Operator that it considers the ES Operator's Impact Assessment to be contrary to GDPR, ES Operator may continue the intended processing of the personal data after this period.

8 Personal Data Security  

8.1 Adequacy of Security Measures

8.1.1 In assessing whether ES Operator provides a reasonable level of protection of personal data in accordance with GDPR, the key consideration is the adequacy of the security measures taken in the light of the state of the art, the cost of implementing the measures, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons.

8.1.2 GDPR gives the following examples of security measures that can be used to demonstrate an adequate level of security of personal data:

  1. pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (e.g. backup, archiving);
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

8.1.3 However, the above adequacy considerations and the examples of security measures do not mean that every ES Operator must take the same security measures. The application of these GDPR rules allows the security measures taken by individual ES Operators to differ according to their specific circumstances.

8.1.4 Certain security measures are ES Operator's duty within reasonable limits of the cost of implementation. Every device used by ES Operator to process personal data is required to:

8.1.5 ES Operators are required to verify whether the software they use for data processing supports pseudonymization or encryption and, if so, to use this functionality. ES Operators must also take reasonable precautions to physically protect their office premises and, in particular, those premises where client files or ES Operator's servers are kept.

8.1.6 When adopting GDPR security measures, ES Operators should proceed in accordance with the business group's standards and recommendations when purchasing software and/or cloud services. The Group's recommendations include, among other things:

        Example: The business group strictly advises ES Operators against using e-mail or storage services that are offered as free cloud services, are not secure, store data at locations that do not guarantee the required protection of personal data (outside the EEA) and are targets of hackers and malware (for example Gmail, Google Drive, Hotmail, OneDrive, iCloud or Dropbox); by contrast, paid cloud services such as OUTLOOK.COM and GSUITE may be used. Employees must be properly instructed that they are prohibited from using their own e-mail or storage services of the kind described in the previous sentence when performing work tasks.

8.1.7 The business group's recommendations include, among other things, a cloud checklist containing privacy guidelines.

This Code adds the following to GDPR's recommendations:

        Example: When deciding whether to use a cloud solution and when selecting a cloud provider, ES Operators should assess whether the cloud provider complies with a Code of Conduct on Privacy (if one has been adopted). When choosing a provider, ES Operators must bear in mind that they may entrust the processing of personal data to another intermediary only if it provides sufficient guarantees that GDPR will be respected. If the cloud provider rejects its intermediary status, for example by refusing to conclude a contract with ES Operator under Art. 28 of GDPR, this should be a signal to ES Operator that the provider does not provide sufficient guarantees.

8.1.8 When adopting GDPR security measures, ES Operators may also follow the recommendations of other organizations, e.g. the Open Web Application Security Project (OWASP).

8.2 Notification of Personal Data Protection Breach to the Personal Data Protection Office

8.2.1 ES Operators are required to report a personal data breach within 72 hours (i.e. 3 days), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The decisive moment for the start of this period is when ES Operator has verified that a personal data breach has occurred and what risks it may pose to the rights and freedoms of individuals, rather than the discovery that a personal data breach may have occurred. ES Operators are required to perform this verification immediately upon detecting any possible personal data breach. If the notification cannot be submitted within the given time limit, a justification for the delay must be attached to the notification, and the information may be provided in several stages without further undue delay.

        Example: ES Operator loses a work laptop, a file or a portable storage medium and, considering its contents, believes that the leak of that information is likely to lead to risks to the rights and freedoms of natural persons.

8.2.2 Under Art. 33 (5) of GDPR, ES Operator shall document every personal data breach, including the facts relating to the breach, its effects and the remedial action taken.

8.3 Restricting the Reporting Personal Data Protection Breach to Some Natural Persons under Articles 34 and 23 of GDPR

8.3.1 In the case of a personal data breach within the meaning of Art. 34 of GDPR, the operator must notify the breach to the data subjects affected by it.

9 Data Protection Officer  

9.1 Responsible Person of ES Operator

        ES Operators have an obligation to appoint a responsible person only if the conditions in Art. 37 (1) of GDPR are met. The conditions under Art. 37 (1) (a) and (b) of GDPR are not met in the ordinary course of business. For ES Operators, the obligation to appoint a responsible person will apply in particular under Art. 37 (1) (c) of GDPR, when the main activity of ES Operator consists of large-scale processing of personal data. In order to determine whether ES Operator has the obligation to appoint a responsible person within the meaning of the preceding sentence, ES Operator proceeds appropriately according to point 7.1.2 above.

        Example: If ES Operator considers that it should carry out an Impact Assessment within the meaning of par. 7.1.2 of this Code, it also has the obligation to appoint a responsible person. This is without prejudice to other circumstances requiring the appointment of a responsible person.

9.2 ES Operator as Responsible Person

9.2.1 ES Operator is authorized to perform the function of the responsible person for its clients in the course of business, either individually or together with other persons (where the responsible person is a group or team of persons). However, ES Operator may not be able to carry out all the tasks of the responsible person under Art. 39 of GDPR in the context of providing legal services.

9.2.2 Under this Code, whenever ES Operator performs the function of the responsible person, the recommended procedure is to regulate all details of the performance of that function in a separate agreement.

10 Rules of Ethics and GDPR

10.1 ES Operator proceeds in business activities in such a way as to respect the basic ethical principles.

10.2 GDPR should not serve as a tool in competition among ES Operators. If it is shown that ES Operator, its employees or other persons authorized by ES Operator have exercised the rights of data subjects under GDPR against another ES Operator in order to cause that ES Operator damage, to hinder or prevent its proper business activity, or to obtain an advantage for themselves, such conduct may constitute a violation of the rules of ethics by ES Operator.

11 Monitoring Mechanisms

This Code has been approved without the existence of a compliance monitoring body under Article 41 of GDPR.

12 Appropriate Documentation of ES Operators according to GDPR

12.1 The Code should, in accordance with Art. 40 (1) of GDPR, contribute to the correct application of GDPR, taking into account the specific features of different processing sectors and the specific needs of micro-enterprises and SMEs. For this reason, the Code distinguishes between ES Operators according to the EU Commission's methodology and adds a further definition for the ES Operator sector (hereinafter referred to as the "Small ES Operator"):[11]

Category of business   Number of employees   Annual turnover         Total annual balance amount

Medium enterprise      Less than 250         Less than EUR 50 mil.   Less than EUR 43 mil.

Small business         Less than 50          Less than EUR 10 mil.   Less than EUR 10 mil.

Micro-enterprise       Less than 10          Less than EUR 2 mil.    Less than EUR 2 mil.

Small ES Operator      Less than 5           Less than EUR 500,000   Less than EUR 500,000

12.2 If ES Operator is a small or medium-sized enterprise, it is obliged to adopt adequate internal policies on the protection of personal data under Art. 24 (2) of GDPR, regardless of other circumstances.

12.3 If ES Operator is a micro-enterprise, it is not automatically obliged to adopt internal policies on the protection of personal data under Art. 24 (2) of GDPR. However, a micro-enterprise ES Operator has an obligation to assess whether it would be appropriate to adopt internal policies in its case. In assessing whether an internal privacy policy is appropriate, the micro-enterprise ES Operator may be guided by the following:

        Example: Adoption of the internal policy for the protection of the personal data is appropriate if at least half of the following statements are true for ES Operator:

12.3 A Small ES Operator is under no obligation to adopt an internal policy on the protection of personal data; its compliance is demonstrated in particular by observing this Code.

12.4 When developing the internal privacy policy, ES Operator proceeds appropriately in accordance with the content requirements of the internal privacy policy set out in Annex 3 below. The internal policy must correspond to the real situation.

12.5 The recommended procedure in GDPR compliance documentation for ES Operators is to collect all documentation related to the privacy policy agenda in the same file or storage as "GDPR Compliance Documentation".

Example: Depending on the preferences and circumstances of the particular case, GDPR compliance documentation may include, among other things:

13 Authorities of the Personal Data Protection Office in relation to ES Operators

13.1 Article 90 of GDPR allows the member states to adopt specific rules on the powers of the supervisory authorities laid down in Article 58 (1) (e) and (f) with regard to operators or intermediaries who, under the Union law or the law of a member state or the rules laid down by the competent national authorities, are subject to the obligation of professional secrecy or other equivalent obligation to maintain confidentiality where this is necessary and proportionate to harmonize the right to the protection of personal data with the obligation to maintain confidentiality.

13.2 Investigation Powers of the Personal Data Protection Office:

14 Final Provisions

14.1 The Code has been drafted in accordance with GDPR and, to the extent necessary, with specific legislation.

14.2 An integral part of this Code is its annexes. Each reference to this Code also includes its annexes.

14.3 This Code and all relationships arising therefrom are governed by the laws of the Slovak Republic. The calculation of time limits under this Code is governed by the Civil Code. For the purposes of this Code, capitalized terms and abbreviations have the meanings given in Annex 1. All terms defined in GDPR and used in this Code have the same meaning as in GDPR unless expressly provided otherwise in this Code. In case of conflict, this Code takes precedence. Unless the context requires otherwise, words in the singular also include the plural and vice versa.

Annex 1

List of Definitions

For the purpose of this Code, terms with a capital letter or abbreviations have the following meanings:

"GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);

"Code" means the Code of Conduct for the Processing of Personal Data by the Slovak Chamber of ES Operators;

"Civil Code" means Act no. 40/1964 Coll., the Civil Code, as amended;

"Commercial Code" means Act no. 513/1991 Coll., the Commercial Code, as amended;

"Personal Data Protection Office" means the Personal Data Protection Office of the Slovak Republic;

"Archives Act" means Act No. 395/2002 Coll., on Archives and Registers, as amended;

"Personal Data Protection Act" means Act no. 18/2018 Coll., on Protection of Personal Data;

"Protection Against Legalization Act" means Act no. 297/2008 Coll., on Protection against the Legalization of Income from Crime and on the Protection against Terrorist Financing and on amendments to certain acts, as amended;

"Accounting Act" means Act No. 431/2002 Coll., on Accounting, as amended;

"Labour Code" means Act no. 311/2001 Coll., the Labour Code, as amended;

"Public Sector Partners Register Act" means Act No. 315/2016 Coll., on the Registry of Public Sector Partners, as amended.


Annex 2

Privacy Policy

The privacy of our customers and other natural persons is important to us. These terms and conditions explain how we process personal data in the course of the business operation of the Internet shop [business name / designation], registered office: [X], ID: [X] (hereinafter "We"). If you have any questions, you can contact us by phone at [X], by e-mail at ahoj@obchod.xx or by mail at our registered office address.

[If ES Operator appoints the responsible person:] In our company, Data Protection Officer is your contact point for addressing any questions concerning the protection of personal data or the reception and handling of requests by the data subjects.

Contact details of the responsible person: [X].

When processing personal data, we are primarily governed by the EU General Data Protection Regulation ("GDPR"), which also governs your rights as a data subject[12], by the provisions of the Personal Data Protection Act applicable to us, and by other regulations. We abide by the Code of Conduct adopted by the TURBADO Business Group, which explains the processing of personal data by E-Shop Operators. More about the Code of Conduct at www.stranka.xx/gdpr.

Why do we process the personal data?

The processing of the personal data is necessary for us, especially in order to:

For what purposes and on what legal bases do we process the personal data?

Purpose              Legal basis under GDPR   Related regulations

[To be completed]    [To be completed]        [To be completed]

What are the legitimate interests we follow when processing the personal data?

[Only if ES Operator relies on legitimate interests (e.g. property protection by cameras).]

Who do we make your personal data available to?

The personal data of our customers and other natural persons is made available, only to the extent necessary and always subject to the recipient's duty of confidentiality, to our employees, the persons we entrust with the execution of individual acts of legal services, the cooperating ES Operators, [other companies belonging to our group], our accounting adviser, [our professional consultants (e.g. auditors)], including the employees of these persons. It is also made available to carriers, to providers of standard software (e.g. Microsoft) or technical support to our company, and to our cloud or hosting provider (e.g. Google).

While we have only a limited obligation to provide your personal data to public authorities[13], we have a duty to prevent the commission of a crime, and we also have a duty to report information on money laundering and terrorist financing.

If we use subcontractors for the processing of the personal data, we verify that they meet the requirements of organizational and technical nature in order to ensure the security of the processing of your personal data under GDPR.

If we are requested by the public authorities to make your personal data available, we will examine the conditions laid down in the legislation for making it available, and without such verification your personal data is not disclosed.

[In the case of the joint operators, ES Operators should, in this section, explain at least the essential parts of the joint operator agreement referred to in Art. 26 of GDPR]

Which countries do we transfer your personal information to?

The cross-border transfer of your personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein) is not intended. [We use secure cloud services from a verified provider with servers located in EU jurisdictions.]

However, some of our subcontractors and the above-mentioned recipients of the personal data may be established, or their servers may be located, in the United States of America, which as such is a third country that does not guarantee a level of protection of personal data adequate to that in the EU. However, companies certified under the so-called EU-US Privacy Shield mechanism are, according to the EU Commission's decision, considered to provide protection of personal data adequate to that in the EU. If we do transfer personal data to third countries, we do so only on the basis of an EU Commission decision (such as the EU-US Privacy Shield) or we require other safeguards to protect personal data (e.g. the so-called contractual clauses).

What automated individual decision-making do we carry out?

[Only if ES Operator performs processing under Art. 22 of GDPR.]

How long do we keep your personal data?

We keep the personal data as long as necessary for the purposes for which the personal data is processed. When keeping the personal data, we follow the recommended storage times within the Group's internal guidelines:

The general storage periods for personal data set up for the purpose of the processing personal data are as follows:

Purpose: General personal data storage time

Provision of goods and services: during the contractual relationship with the customer.

Sending marketing messages (newsletter): until an objection to the processing is submitted or "unsubscribe" from the newsletter is selected.

Accounting and tax purposes (accounting agenda): ten years following the accounting year to which the accounting records, accounting books, lists of figures or other symbols and abbreviations used in accounting, depreciation plan, inventory and accounting schedule relate.

Proving, asserting or defending legal claims (legal agenda): until the legal claim is time-barred.

Performance of a contract with natural persons: during the contractual relationship with the natural person.

Keeping social network profiles: until the post is removed by the data subject, the post is deleted by us, our profile is deleted, or the person requests deletion of the personal data.

Archival purposes and registry administration: storage times according to the registry plan.

Statistical purposes: for as long as the other processing purposes exist.

The above storage times only specify the general periods during which the personal data is processed for the stated purposes. In practice, however, we proceed to dispose of or anonymize personal data before the expiry of these general periods if we consider the personal data unnecessary in view of the above-mentioned processing purposes. For example:

Business communication (e-mail) is kept for 2 years;

Received business offers are kept for 2 years;

Issued business offers are kept for 5 years;

Received business orders are kept for 5 years;

Issued business orders are kept for 5 years;

Phone records are kept for 1 year;

Customer or other contracts are kept for 5 years after expiry.

If you are interested in knowing whether we are currently processing your personal data for specific purposes, please contact us to confirm whether we process personal information about you.

How do we acquire the personal data about you?

Your personal data is most often obtained directly from you. In such a case, obtaining personal data is voluntary and does not constitute a contractual or statutory obligation. You can provide us with personal information in a variety of ways:

However, we may also obtain your personal data from your employer or from the company in relation to which we process your personal information. The most common cases are when we sign or negotiate a contractual relationship, or its terms, with that company. If the acquisition of the personal data relates to a contractual relationship, it is most often a contractual requirement or a requirement needed to conclude a contract. Failure to provide personal data (whether yours or your colleagues') may have negative consequences for the organization you represent, as the contractual relationship may not be entered into or performed. If you are a member of a statutory body of an organization that is our contracting party or with whom we are negotiating a contractual relationship, we may obtain your personal data from publicly available sources and registers. In any case, we do not systematically repurpose incidentally obtained personal data for any of the purposes for which we process personal data.

What rights do you have as the data subject?

If we process your personal data based on your consent, you have the right to revoke your consent at any time. You also have the right at any time to effectively object to the processing of your personal data for the purposes of direct marketing, including profiling. In our case, direct marketing consists only of the marketing newsletter. You can object either by selecting "unsubscribe" in the text of each marketing e-mail or by submitting an objection to the contact details listed above.

You have the right to object to the processing of your personal data on the basis of the legitimate interests we pursue. In our case, these processing purposes are:

In exercising this right, we will be happy to show you how we have assessed these legitimate interests as prevailing over the rights and freedoms of the individual data subjects.

GDPR lays down general conditions for the exercise of your individual rights. However, the existence of a right does not automatically mean that every request to exercise it will be granted, because in a particular case exceptions may apply, or some rights are linked to specific conditions that are not met in every case. Your request to exercise a specific right will always be dealt with and examined in the light of the legal regulations and the applicable exemptions.

As the data subject, you have in particular:

You also have the right to file a complaint at any time with the Personal Data Protection Office of the Slovak Republic or to refer the case to the appropriate court. In any case, we recommend that any disputes, questions or objections be dealt with primarily by communicating with us.

Cookies processing [Only if ES Operator uses cookies on their website]

Cookies are small text files that improve the use of a website, for example by allowing previous visitors to be recognized when they log in to a user environment, remembering a visitor's choice when a new window is opened, measuring website traffic, or analysing how the website is used in order to improve it.

Our websites use cookies primarily for the purposes of basic/general traffic measurement. In addition, these technologies help us to better understand user behaviour. Although the information collected through cookies and other similar technologies is of a non-personal nature, to the extent that Internet Protocol (IP) addresses and similar identifiers are considered to be personal data, we treat these identifiers as personal data.

Our website stores a cookie recording that the visitor has given consent and that the cookie bar is to be permanently hidden. The website [Only if ES Operator uses cookies on their website] stores a session ID in a cookie so that it can remember and display the contents of the visitor's shopping cart and other order settings without the visitor having to register or sign in. The session remains active until the purchase is completed by payment, for a maximum of 14 days.

How do you disable or restrict the use of cookies? Use your browser to manage your cookies. You always have the option to delete previously saved cookies. Additionally, depending on your browser, it is possible to restrict the use of cookies for a particular website, restrict their storage, or set the forced deletion of all cookies after the browser is closed.

Learn more about each browser here:

Google Chrome

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=sk

Mozilla Firefox

https://support.mozilla.org/cs/kb/vymazani-cookies

Microsoft Edge

https://support.microsoft.com/sk-SK/help/17442/windows-internet-explorer-delete-manage-cookies

Safari

https://support.apple.com/kb/ph21411?locale=sk_SK

Opera

http://help.opera.com/Mac/8.5/cs/cookies.html

In addition, cookies are used by third-party tools implemented on our websites:

Google Analytics - an analytical tool that allows statistics on website traffic to be generated by storing information in cookies. This functionality is not essential for browsing and serves us to monitor and improve the site's performance. Persistent cookies are used, and the tool is provided by a third party.

Information stored in cookies will not be used to identify you personally. Cookies are not used for purposes other than those described herein. The implemented third-party tools may use cookies beyond our reach, whose storage and processing we have no possibility to influence.

How to control cookies? You can check and/or delete cookies at your discretion. Use the tools that are part of your internet browser or third-party add-ins. You can clear all cookies stored on your computer and set most browsers to prevent them from being stored. In this case, however, you may have to manually modify some settings for each website visit, and some services and features will not work.

Social Networks

We recommend that you familiarize yourself with the privacy conditions of the providers of the social media platforms through which we communicate. Our privacy policy explains only the basic questions about managing our profiles or our clients' profiles. We only have typical administrator privileges when processing your personal data through our or our clients' profiles. We assume that by using social networks you understand that your personal data is primarily processed by the social network providers (such as Facebook, LinkedIn and YouTube), and that we have no control over, and assume no responsibility for, that processing, including the further provision of your personal data to third parties and its transfer to third countries by the social network providers.

Our Commitment to Privacy

Privacy is of the utmost importance to us. It is our aim and intent to provide our services in such a way that the basic principles of privacy protection, and in particular the protection of personal data, are respected in all circumstances. It is our priority to collect and store personal data only to the extent necessary and for the necessary time.

Changes to Privacy Policy

Privacy is not a one-off matter for us. The information we are obliged to provide you with in connection with our personal data processing may change or cease to be up to date. For this reason, we reserve the right to modify and change these terms at any time. If we change these terms in a material way, we will notify you, for example, by a general announcement on this website or by a specific e-mail notification.


Annex no. 3

Content Requirements of Internal Privacy Policy

Introduction

The intent of the internal personal data protection policy is to ensure, in an organizational and practical manner, that ES Operator, in fulfilling its obligations under GDPR, is prepared and able to assess and implement a data subject's request within the time frame and in accordance with GDPR. The internal privacy policy is also a tool for managing the organization's data protection agenda; it is used to separate tasks and responsibilities in this area, and to set out other procedures, policies and rules relating to the protection of personal data. ES Operator's internal policy must correspond to the actual state of affairs and its observance must be regularly evaluated. The content of the internal policy must be appropriate to the processing operations performed by ES Operator. The recommended procedure is to adopt the internal policy as part of the working rules in accordance with the Labour Code.

Basic Content Requirements of Internal Policy

The internal policy of ES Operator can address the following areas:

  1. Division of Tasks and Responsibilities in the Area of Personal Data Protection
     1. Who is entitled to make a decision (e.g. responding to a data subject's request, deciding to report a security incident, etc.)?
     2. Who is responsible for preparing the documents for the decision and evaluating the request?
     3. Who is to be informed internally about the course and outcome of a particular task?
     4. What are the alternative roles in case of unavailability of a particular person?
     5. Who has the right to intervene in this process?
     6. Is it possible for ES Operator to pre-categorize and define different processes and tasks in the area of personal data protection, or can there only be a general setting of responsibilities?
     7. Who is responsible for information security issues in the organization?
     8. Who is responsible for supervising and coordinating the data protection security agenda?

  2. Procedure for Dealing with the Requests of the Data Subjects
     1. Who receives the request and evaluates its content under GDPR?
     2. What is the next step after the evaluation?
     3. Who is informed that the request has arrived?
     4. How is each request registered and marked (does ES Operator use a ticket allocation system)?
     5. Who oversees this process (responsible person)?
     6. What is the time limit for each step?
     7. Who prepares the draft final answer?
     8. Who is obliged to provide co-operation to whom?
     9. Who takes the final decision on the answer?
     10. Who sends the answers?
     11. Is it possible to prepare sample answers? (note: some already result from the Code)

  3. Reporting Personal Data Protection Breach Procedure
     1. What techniques does ES Operator use to detect security incidents that constitute personal data breaches?
     2. Who will assess the detected personal data breach? On what basis?
     3. Who will ensure the processes related to reporting the security incident to the Office and to the data subjects, and how?
     4. How are the processes for learning lessons from a security incident and improving the effectiveness of the internal personal data protection system (e.g. by supplementing and/or enhancing appropriate technical and organizational security measures) set up?

  4. Appointment, Position and Roles of the Responsible Person
     1. Who will act as the responsible person?
     2. Is this person guaranteed sufficient independence to fulfil his/her statutory tasks?
     3. Will the responsible person, due to his/her position and possibly cumulative functions, be in a conflict of interest?
     4. Are the roles and responsibilities of the responsible person adequately defined internally?
     5. Does the responsible person prepare annual reports on the status of personal data protection?

  5. General Principles of Care for Information Assets
     1. Does ES Operator classify the information assets that are important for the processing of personal data?
     2. Has ES Operator classified information according to the degree of its sensitivity for ES Operator, and also for the client, in case of its compromise by an unauthorized person?
     3. Are stronger organizational and technical security measures applied to the most sensitive information and personal data?
     4. Is the backing up of important information and personal data secure enough?
     5. How are the cases and situations in which outsiders access our assets secured?

  6. Access and Password Management Policy
     1. Is it the case that "everyone has access to everything"? How can ES Operator efficiently minimize the scope of personal data processed by specific employees?
     2. Are there different roles with different access privileges?
     3. Who decides on the allocation of roles and access permissions? On what basis?
     4. Can these decisions on granting access rights be formally proven (e.g. by issuing credentials and instructions to the data recipient)?
     5. Is it possible to effectively remove access rights and user permissions, and to verify their proper removal, when the need for access in the given scope ceases (for example on a change or termination of employment)?
     6. What are the password requirements and how often are passwords changed?
     7. What is the password change procedure?

  7. Terms of Use
     1. Internet, WiFi, mobile devices, computers, files, notes, specific programs, e-mail, social networks, etc.;
     2. Is it allowed to use one's own devices for work purposes?
     3. Is work equipment allowed to be used for private purposes?
     4. Are there rules for the use of easily portable media, i.e. physical carriers of electronically writable data (e.g. USB, external HDD, CD/DVD), such as the obligation to encrypt data, the obligation not to store sensitive information and personal data on such media, rules on inserting foreign media into one's own devices, etc.?

  8. Communication Principles
     1. Are encrypted or password-protected documents sent to clients, with the password/key sent by a different communication channel (e.g. SMS)?
     2. Is e-mail communication encrypted?
     3. What facts may employees not disclose outside the office, with respect to the obligation of confidentiality and the protection of personal data?
     4. What means may employees use to communicate with each other and with clients (can they use WhatsApp, Facebook Messenger, social media, etc.)?
     5. What facts are the employees of ES Operator obliged to notify, and to whom (a suspected security incident or a personal data breach)?

  9. Principles of Handling Printed Documents
     1. Is removing files from the protected office premises allowed and specifically regulated (e.g. for home study, attendance at a hearing, personal submission to authorities, etc.)?
     2. Is a so-called clean desk policy applied to employees?
     3. Are unnecessary and/or damaged documents containing sensitive information and personal data shredded without delay?

  10. Policy for Selecting Suppliers with Access to Data
     1. Is the differentiation of suppliers properly set in terms of their substantive status in the area of personal data protection (operator / intermediary)?
     2. Depending on the nature of the supplier, have we concluded proper contracts with intermediaries, or issued appropriate credentials and instructions for each type of data recipient, where possible and appropriate?
     3. Do we adequately bind our internal staff to contractual confidentiality?
     4. Do we have proven processes and rules for evaluating suppliers, to verify their ability to provide sufficient security for the processing of personal data and to comply with the mandatory obligations in the field of personal data protection (e.g. audits, defined requirements for basic standards, etc.)?
     5. Are the main contractual relationships with suppliers drafted in such a way that we can easily end cooperation in cases of inadequate protection of personal data?
     6. Does the internal policy address cleaning service providers? Do they have access to all documentation, and is that risk treated?

  11. Internal Processes of Control, Training and Education
     1. Does ES Operator perform internal checks on compliance with the adopted organizational and technical security measures?
     2. Does ES Operator perform follow-up internal controls when a personal data breach is identified?
     3. Are ES Operator's control mechanisms put in place in a transparent and proportionate manner, and are modern IT information protection tools available as lawful employer control mechanisms (e.g. DLP - Data Loss Prevention software solutions) used?
     4. Does ES Operator perform regular staff training on internal policies, the security measures taken, and real threats of compromise of sensitive information, with emphasis on specific circumstances?
     5. Does ES Operator in particular provide initial training for new employees who have not previously worked in advocacy?

  12. Retention of Personal Data and Processes of Disposal
     1. Is file agenda management aligned with the business group's recommendations?
     2. Does ES Operator know which documents cannot be disposed of? Are these documents labelled?
     3. Does ES Operator know at any time when and which personal data must be deleted?
     4. Are the different stages of personal data storage, from acquisition to disposal, defined?
     5. Is it defined in what technically reliable (irreversible) way disposal will be carried out in practice?

  13. Confidentiality
     1. Formal instruction of all employees of ES Operator and their commitment to confidentiality under the Personal Data Protection Act;
     2. Employees' obligation to notify ES Operator of breaches or suspected breaches of confidentiality.


Annex 4

Sample Form for Documenting Personal Data Protection Breach

This personal data protection breach record has been prepared in accordance with Art. 33 (5) of GDPR[14] and serves to document the breach and to record the security measures and risk mitigation practices adopted with regard to the rights and freedoms of natural persons (hereinafter referred to as the "Record").

Company / ES Operator:

Registered office:

Reg. No.:

Registration:

Contact information:

(hereinafter referred to as the "Operator")

Whereas:

  1. In the sense of Art. 4(12) of GDPR, a "Personal Data Protection Breach" is a breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorized provision of personal data that is transmitted, stored or otherwise processed, or to unauthorized access to it (hereinafter referred to as the "Breach").

  2. In the sense of Art. 33(5) of GDPR: "Operator shall document each case of personal data breach, including the facts related to the violation of personal data protection, its consequences and the corrective actions taken. That documentation must enable the supervisory authorities to verify compliance with this Article."

Operator decided to document the Breach as follows:

1. Date, location and time of detecting the Breach and its internal designation:

/indicate the date, location and exact time of the Breach; it is advisable to number the records of the Breach or otherwise mark them/

2. Contact details of the responsible person, if appointed:

/indicate the title, first name, surname, e-mail and telephone number of the responsible person, if appointed/

3. Contact details of the IT consultant or IT department:

/indicate the title, first name, surname, e-mail and telephone number of the contact person, i.e. the head of the IT department or the IT consultant/

4. Contact details of others with important knowledge of the Breach:

/e.g. an internal employee who discovered or reported the Breach to ES Operator/

5. Basic description of the Breach:

/ES Operator describes in their own words what happened/

6. How the Breach was detected:

/e.g. missing documents or files, receiving an automatic notification from security software, noticing unusual network activity, analysis of logging data, employee reporting, IT consultant reporting, notification from the intermediary, activity of the responsible person, mediation, receiving suspicious e-mails, receiving a cyber criminal's demand in the case of a ransomware attack, an outage of on-line services due to a DDoS attack, knowledge gained through the application of the employer's control mechanisms toward employees, etc./

7. Description of the nature of the Breach:

/the specific event that has been identified and that has the potential to jeopardize or violate the integrity, confidentiality or availability of data containing personal data is characterized. An event that has led to the accidental or unlawful destruction, loss, alteration or unauthorized provision of personal data, or to unauthorized access to data containing personal data, is always accurately characterized. At the same time, the list of potentially compromised personal data being processed, a quantification of the threatened or infringed data (e.g. number of records and data size in MB, GB, TB), and the data subjects affected by the Breach together with their (approximate) number are recorded/

8. Identification of the security measures taken to prevent the occurrence of the Breach:

/specify the security measures and procedures that were intended to protect against the emergence of the identified Breach/

9. Possible causes of the Breach:

/in the case of a Breach with a real risk and/or high risk for the rights and freedoms of the data subjects, the internal investigation and control activity of the Company will also focus on identifying the causes of the Breach, describing all relevant facts that had an impact on the origin and impacts of the identified Breach/

/it is also advisable to provide a chronological description of the course of the incident, a description of the threats that materialized, an identification of the vulnerabilities that were exploited and how, a list of the assets affected by the Breach, and an identification of the security measures that were overcome, if the Breach occurred despite the adoption of an adequate security measure, together with the presumed reason that measure was overcome/

/it is also advisable to record which specific security measures or practices were violated, if there is a causal link between that violation and the occurrence of the Breach, and to attempt to identify the person or persons responsible for the violation of the obligation or the internal rules and the related occurrence of the Breach/

10. Relationship of the Breach to the residual risk for the rights and freedoms of natural persons:

/the nature of the Breach in relation to the residual and uncovered risks that ES Operator documented, for example, in their security project under the previous legislation will be specifically assessed/

11. Description of the likely consequences of the Breach:

/the identified and likely negative impacts of the Breach are described, not only on ES Operator and their assets but also on the obligation to maintain confidentiality, on the persons whose personal data was concerned and on the legitimate interests of the client/

12. Description of the measures taken or proposed to remedy the Breach:

/ES Operator shall indicate all acts performed, or proposed to be executed within specific deadlines by specific officers, in order to remedy the Breach/

13. Description of the measures intended to mitigate the adverse effects of the Breach:

/ES Operator shall indicate all acts performed, or proposed to be executed within specific deadlines by specific officers, in order to mitigate the adverse impacts of the Breach/

14. Proposed additions to the security measures:

/ES Operator documents what measures have been taken to prevent incidents similar to the Breach in the future/

15. Assessment of the obligation to report the Breach to the Personal Data Protection Office under Article 33 of GDPR:

/ES Operator answers the question: is the Breach likely to lead to a risk for the rights and freedoms of natural persons? ES Operator shall state the reasoning for the response/

16. Assessment of the obligation to report the Breach to the data subject under Article 34 of GDPR:

/ES Operator answers the question: is the Breach likely to lead to a high risk for the rights and freedoms of natural persons, together with the reasoning? See point 8.3 of the Code - ES Operator should notify the Breach under Art. 34 of GDPR only to customers and employees but not to other natural persons/

17. Date and time of notification of the Breach to the Personal Data Protection Office:

/the exact date and time of the notification is provided; attach documentary evidence of the action executed - to be filled in only if the conclusion on notification is positive/

18. Reasons for missing the deadline for notification of the Breach to the Personal Data Protection Office:

/reasoning for failure to comply with the relevant deadline of 72 hours (3 days) - to be filled in only if the conclusion on notification is positive and the deadline was missed/

19. Date, time and method of notification of the Breach to the data subjects:

/specify the exact date and time of the notification as well as the method of notification of the Breach to the data subjects - see point 8.3 of the Code - ES Operator should notify the Breach under Art. 34 of GDPR only to customers and employees but not to other natural persons/

20. Statement of the Statutory Body of the Operator on the Breach and follow-up:

/the statutory body expresses its views on the above content and approves the next procedure (in particular, the decision on the notification / non-notification of the Breach)/

Based on the above documentation, the Operator took the decision:

not to disclose the Breach to the Personal Data Protection Office of the Slovak Republic pursuant to Art. 33 of GDPR (in which case the Breach is only documented by this record);

"since the breach is unlikely to lead to risks to the rights and freedoms of the natural persons"

to disclose the Breach to the Personal Data Protection Office of the Slovak Republic pursuant to Art. 33 of GDPR (in which case the notification of the Breach is attached to this record).

"since the breach is likely to lead to risks to the rights and freedoms of the natural persons"

to notify the Breach to the data subject referred to in Art. 34 of GDPR and in accordance with point 8.3 of the Business Group Code

"since the breach is likely to lead to high risks to the rights and freedoms of the natural persons"

not to notify the Breach to the data subject referred to in Art. 34 of GDPR and in accordance with point 8.3 of the Business Group Code

"since the breach is unlikely to lead to high risks to the rights and freedoms of the natural persons"

Prepared by:

Approved by:

On:

Annexes (if applicable):


[1] The Code should apply to such persons whenever Slovak law applies to the processing of personal data which the data subject performs in accordance with GDPR.

[2] Methodological guidance of the Personal Data Protection Office no. 1/2013 on the concept of personal data, 1.7.2013, p. 2

[3] Judgement of the Court of Justice of the European Union in Case C-582/14 (Breyer v. Germany) of October 19, 2016, 46

[4] In these cases, ES Operator cannot determine whether or not the perpetrator will be identified. By reporting the crime and providing co-operation, however, ES Operator increases the probability of identifying the perpetrator. The recommended practice is therefore to treat such information as the personal data in similar situations, and this Code helps ES Operators to ensure that the additional processing obligations of the personal data of the data subjects interfere as little as possible with its normal course of action.

[5] For example, Claim proceeding file, Terms of the contract file, Dispute file etc.

[6] For the term "filing system", refer to the judgement of the Court of Justice of the European Union in Case C-25/17.

[7] GDPR in the Introductory Provision 14 expressly provides: "This Regulation shall not apply to the processing of the personal data concerning legal persons and, in particular, undertakings established as legal persons, including the name, form and contact details of a legal person."

[8] Article 29 Working Party (Committee) in its Opinion No. 15/2001 on the definition of consent, p. 8: "Several legal bases could apply at the same time to some transactions. In other words, every processing of data must always be consistent with one or more legal bases. This does not preclude the concurrent use of different bases, provided they are used in the correct context."

[9] These are in particular the identifiers that Google and Facebook use to identify their users. Although ES Operator may not be able to associate the identifier with a particular person, for the data to qualify as personal data it is sufficient that there is a reasonable likelihood of identification by a third party (Google or Facebook). Based on information obtained, for example, from the website of ES Operator, these companies can then display similar content to their visitors on their own or other platforms, as they know that a particular user viewed a website offering products and services at a specific location and time.

[10] Introductory Provision no. 68 of GDPR: "It should not apply if the processing is based on a legal basis other than the consent or the contract. It follows from the very nature of that law that it should not apply to the operators who process personal data in the performance of their public tasks. It should therefore not be applied where the processing of the personal data is necessary for the fulfilment of the statutory obligation to which the operator is subject, or for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the operator."

[11] Commission User Guide to the SME Definition, available at https://ec.europa.eu/docsroom/documents/15582/attachments/1/translations/sk/renditions/native

[12] See Art. 12 to 22 of GDPR: http://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=CELEX:32016R0679&from=EN

[13] Within the meaning of Art. 4 (9) of GDPR, they are not considered recipients.

[14] Art. 33 (5) of GDPR: "ES Operator shall document each case of a personal data breach, including the facts related to the violation of personal data protection, its consequences and the corrective actions taken. That documentation must enable the supervisory authorities to verify compliance with this Article."
