APPENDIX NO. 2 TO THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE BICYCLE AND USE OF THE Slovnaft BAjk SERVICE

Personal Data Protection

Spoločnosť Slovnaft Mobility Services, s. r. o., with registered office at Vlčie hrdlo 1, 824 12 Bratislava, ID: 51 632 187, registered in the Commercial Register of the District Court of Bratislava I, Section Sro, File No. 127285/B, e-mail: [email protected] (hereinafter referred to as the “Company”) for the purpose of providing services related to the automated rental of bicycles, under which the Company allows users to temporarily use bicycles for short periods under the conditions set out in the relevant documents, in particular the General Terms and Conditions (hereinafter only as "Bikesharing") processing the following personally identifiable information about the Data Subject who is or intends to use the Bikesharing services (hereinafter only as "the Customer"):

  • a) name and surname,
  • b) address of permanent residence,
  • c) date of birth,
  • d) nationality,
  • e) e-mail address:
  • f) telephone number,
  • g) GPS location of customer while riding a bicycle,

In case of not providing personal data required for registration and the provision of the Bikesharing Service in the scope of name and surname, permanent address, date of birth, nationality, e-mail address, phone number and GPS location of the customer while riding a bicycle, it is not possible to provide a Bikesharing service to the Customer.

I. SCOPE, PURPOSE, METHOD AND TIME OF PROCESSING OF PERSONAL DATA PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF PROVIDING THE BIKESHARING SERVICE

1.1. The Company processes personal data in the scope of name and surname, permanent address, date of birth, nationality, e-mail address and telephone number, for the purpose of providing the Bikesharing service,

  • (i) customer registration to provide the Bikesharing service,
  • (ii) providing the Bikesharing service,
  • (iii) issuing an invoice for the provision of the Bikesharing service and fulfilling the remaining accounting, payment and tax obligations in relation to the Customer’s payment for the service,
  • (iv) processing, and handling of complaints submitted by Customers as part of the provision of the Bikesharing service or processing withdrawal from the agreement with the relevant Customer.

The Customer acknowledges that personal data may be provided to the extent necessary to the Subcontractor of the Operator for the purpose of providing the Bikesharing Service or handling of a Customer complaint and relating to the part of the Bikesharing service provided by that subcontractor. The specified data shall be processed and retained for at least the duration of the Customer’s registration, but for a maximum period of time determined by applicable legislation necessary for retaining the data for the proper handling of a complaint and for the purposes of meeting the accounting and tax obligations or for the period necessary to enforce the legal claims resulting from Bikesharing services, for at least 3 years. After the Customer’s valid registration has expired and the aforementioned period expires, the Customer’s personal information is deleted. The Company processes the abovementioned personal data for the abovementioned purpose on the legal basis of the processing of personal data necessary for the performance of the contract - a contract concluded under the General Terms and Conditions for Bicycle Use and Use of the Bikesharing Service, which is Appendix No. 2 of this document Personal Data Protection (hereinafter referred to as "General Conditions") and to which the Customer is a Contracting Party. The Customer acknowledges that in the event of failure to provide the personal data referred to in Point 1.1 of this document, it is no longer possible to provide the Bikesharing service and therefore, in such a case, the Company is entitled to withdraw from the contract under which the Bikesharing service is provided.

1.2. Personal data within the scope of the GPS localization of the bicycle (and hence the Customer) when cycling (tracking and recording of the bicycle’ position), which the Company processes for the purpose of safeguarding the Company’s property (bicycle) and preventing its loss or theft as well as tracking of the route of Customers, the number of kilometers traveled and the number of calories burned for the purposes specified in Point 1.3 of this document. At the same time, in order to provide the Customer with information about the length of his/her bicycle trip per km and a visual representation of the route being taken.

The Company processes the abovementioned personal data for the purposes of securing the Company’s property (bicycle) on the legal basis of the processing of personal data necessary for the legitimate interests of the Company.

Personal data processed for this purpose shall be erased immediately from the end of the valid customer registration or for as long as the abovementioned revoking of consent to the processing of personal data does not arise. Personal data will be retained for the longest time necessary to enforce the legal claims arising from the bikesharing service, i.e. at least 3 years. During the registration period, the personal data is also displayed in the Customer’s user account as a history of his or her rides.

The Company processes the abovementioned personal data for the purpose of securing the Company’s property - in particular the bicycle and the provision of information to the Customer about the length of his/her route traveled on the bicycle in km and a visual representation of the route traveled on the legal basis of the Customer’s consent with the processing of his/her personal data for this purpose.

 

II. CUSTOMER INFORMATION RELATED TO THE PROCESSING OF PERSONAL DATA

Each Customer may exercise the following rights to the processing of his/her personal data:

2.1. The right to revoke consent to processing

The Customer has the right at any time to revoke the processing of personal data concerning him/her, to which he/she has granted his/her consent. If the Customer revokes his/her consent, this does not affect the lawfulness of the processing of personal data processed before the revoking of consent. The Customer may revoke the consent in the same manner as its granting or by sending a notification of revoking of consent to the e-mail address [email protected]

2.2. Right of Access to Personal Data

The Customer has the right to obtain from the Company a confirmation that personal data concerning him/her is being processed. In this case, the Customer has the right to access his or her personal data and information about

  • the purpose of processing the personal data
  • the category of processed personal data
  • the expected retention period of personal data; if this is not possible, information on the criteria for its determination
  • the source from which the personal data originates if it was not provided by the Customer
  • to require the Operator to correct the personal data relating to the Data Subject, to erase or restrict their processing, or to oppose the processing of personal data
  • just to file a proposal for the initiation of proceedings with the Office for the Protection of Personal Data of the Slovak Republic and if his/her rights provided for by Act No. 18/2018 Coll. on the protection of personal data are directly affected
  • The Company is obliged to provide the Customer with his/her personal data that it is processing. For the repeated provision of personal data the Customer requests, the Company may charge an appropriate fee corresponding to the administrative cost. The Company is required to provide personal data to the Customer in the manner required by the Customer (e.g. by e-mail)
  • a circle of people who, in addition to the Operator, in accordance with this agreement, work with the Customer’s personal data,
  • the right to obtain personal data under the above paragraph must not adversely affect the rights of other natural persons.

2.3. The Right to Adjust Personal Data

The Customer has the right so that the Company, without undue delay, corrects inaccurate personal data without undue delay. If a Customer considers that a larger scope of personal data is required to meet the specific purpose of the processing of personal data, the Data Subject has the right to supplement incomplete personal data.

2.4. The Right to Deletion of Personal Data

The Customer has the right so that the Company deletes the Customer’s personal data without undue delay, if:

  • personal data are no longer required for the purpose for which they were acquired or otherwise processed
  • the Customer revokes the consent he/she has granted to the processing of personal data and there is no other legal basis for the processing of personal data i.e. the Company processes personal data only on the basis of the Customer’s consent
  • if the Customer objects to the processing of personal data, in particular the GPS localization of the Customer, which is processed due to the legitimate interest of the Company in the protection of property, and it is shown that the Customer’s legitimate reasons for the protection of personal data prevail over the legitimate interests of the Company.
  • if it is demonstrated that the Customer’s personal data is being processed illegally
  • is a reason for the meeting of the deletion obligation according to Act No. 18/2018 Coll. on the protection of personal data, a special regulation or an international agreement to which the Slovak Republic is bound

2.5. The Right to Restrict the Processing of Personal Data

The Customer has the right to restrict the processing of personal data by the Company if:

  • the Customer attacks/protests the accuracy of personal data during a period allowing the Company to verify the accuracy of personal data
  • the processing of personal data is illegal and the Customer requests the deletion of personal data and requests instead to limit their use
  • The Company no longer needs personal data for the purpose of processing personal data but needs its Customer to exercise the legal entitlement
  • the Customer complains about the processing of personal data through the GPS localization of the Customer during cycling processed for purposes of legitimate interest in securing the Company’s property or name and surname, e-mail address processed for the purpose of sending newsletters until the verification or legitimate reasons on the side of the Operator prevail over the Customer’s legitimate reasons, until it has been verified that legitimate reasons on the part of the Company outweigh the Customer’s legitimate reasons.

If the processing of personal data has been limited on the basis of the above, in addition to retention, the personal data may be processed by the Company only with the consent of the Customer or for the purpose of exercising a legal claim, for the protection of people or for reasons of public interest. A Customer whose processing of personal data is limited on the basis of the abovementioned is obliged to inform the Company before the limitation of the processing of personal data is cancelled.

2.6. The Right to the Portability of Personal Data

The Data Subject has the right to obtain personal data relating to him/her, which he/she has provided to the Operator in a structured, commonly used and machine-readable format and has the right to transfer such personal data to another Operator if this is technically possible and does not require the exercising of inappropriate effort while the exercising of this right must not have an adverse effect on the rights of others.

2.7. Right to File a Complaint with the Supervisory Authority

If a Customer claims that his/her rights are directly affected, established by Act No. 18/2018 Coll. on the Protection of Personal Data, he/she has the right to file a proposal for the initiation of a procedure on the protection of personal data with the Office for Personal Data Protection of the Slovak Republic.

2.8. The Right to Object to the Processing of Personal Data

The Customer has the right to object to the processing of his/her personal data in cases of processing of his/her personal data by the Company, in particular when processing the GPS localization of the Customer when riding a Bicycle due to the legitimate interest of the Company in protecting its property and processing his/her personal data for the purpose of sending newsletters. The Company may not further process personal data unless it demonstrates the necessary legitimate interests for the processing of personal data that prevail over the rights or interests of the Customer or the grounds for exercising a legal claim.