Slovnaft Mobility Services, s. r. o.
(hereinafter referred to as the "Privacy Notice")
Slovnaft Mobility Services, s. r. o., with registered seat at Vlčie hrdlo 1, 821 07 Bratislava – mestská časť Ružinov, Company registry number: 51 632 187, registered in the Commercial Register of the Municipal Court of Bratislava III, Section: Sro, Insert No.: 127285/B, e-mail: slovnaft.mobility@slovnaft.sk , website: https://slovnaftbajk.sk , (hereinafter referred to as the "Company" or the "Data Controller")
for the purposes of providing services related to automated bicycle rental, on the basis of which the Company allows users to temporarily use bicycles for a short period of time under the terms and conditions set out in the relevant documents, in particular the GENERAL TERMS AND CONDITIONS (hereinafter also referred to as "Bikesharing"), the Company processes personal data about the data subject who uses or intends to use the Bikesharing services (hereinafter also referred to as the "customer"):
|
Description and the purpose of data processing |
Registration of the customer on the website https://slovnaftbajk.sk/, in the Slovnaft Bajk App1 or in any other available way for the purpose of providing the Bikesharing service, making payments, etc.), performance and execution of the contract. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (b) GDPR2 - the processing is necessary to comply with the provisions of the GENERAL TERMS AND CONDITIONS, which are available at https://slovnaftbajk.sk/ or in the Slovnaft Bajk App and which the customer has agreed to. |
|
Scope of the processed data and their cource
|
Minimum registration requirements: first name, last name, permanent address, telephone number, email address and payment details. Data related to customer registration: Information on acceptance of the GENERAL TERMS AND CONDITIONS, information on payments, password to the customer account (in encrypted form), date of registration, in case of use of the relevant card - also the ISIC, ITIC, EURO 26 card number and information on the existence of the customer's ticket and the serial number of the contactless chip card BID3 , information on the order history. Data source: data provided by customer. |
|
Period of data processing |
Company deletes all personal data and all information about the customer within 30 (thirty) days from the customer’s request or from the date defined by the GENERAL TERMS AND CONDITIONS and/or the Privacy Notice. The Company will keep the personal data for 1 year period, because claims against the Company can be made, if: (i) The Company terminates the customer’s participation in the Bikesharing, or terminate the Bikesharing itself (data retention begins on the termination date). (ii) The Company deactivates the Customer's account in the Slovnaft Bajk application (1 year data retention period begins after 30 days from the deactivation). |
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity).
|
|
Data processor and its activity |
T-systems Magyarország Zrt. Könyves Kálmán Körút 36, 1097 Budapest, Hungary. Tasks: implementation of procedural steps related to customer registration, provision of Bikesharing service. Global Payments s.r.o. V olšinách 626/80, Prague 10 - Strašnice 100 00, Czech Republic Acting in the territory of the Slovak Republic through an organisational unit: Global Payments s.r.o., organizational unit Tomášikova 48 Bratislava - New Town 831 04, Slovak republic Tasks: processing customer payments. LINK Mobility Poland sp. z o. o. Toszecka 101, 44-100 Gliwice, Poland Tasks: sending SMS messages with a PIN to unlock the bike. |
|
Description and the purpose of data processing |
Navigating customers to bikes and docking stations. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (a) GDPR (voluntarily consent of the customer). The customer can give consent on the website https://slovnaftbajk.sk/ or in the Slovnaft Bajk App to disclose his/her GPS location data. |
|
Scope of the processed data and their cource
|
GPS location data of the customer's location. Data source: location data obtained through the customer's device. |
|
Period of data processing |
For this purpose, the Company processes personal data until the consent is withdrawn. The customer can change his/her consent in the following ways:
The Data Controller does not record data about the GPS location of the customer. It is only used by the website https://slovnaftbajk.sk/ and the Slovnaft Bajk App directly in time. |
|
Addressee of data transfer |
The recipient of the data is the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
T-systems Magyarország Zrt. Könyves Kálmán Körút 36, 1097 Budapest, Hungary. Tasks: operation of the website https://slovnaftbajk.sk/ and the Slovnaft Bajk App, which includes customer navigation to bicycles and docking stations. |
|
Description and the purpose of data processing |
Operation of the information centre and hotline in connection with the provision of Bikesharing services, handling of reclamations, suggestions and complaints from customers. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (b) GDPR - (processing is necessary for the performance of the terms of the contract) and Art. 6 (1) (c) GDPR - (processing is necessary for the performance of legal obligations), e.g. for the processing of reclamations. |
|
Scope of the processed data and their cource
|
Name, surname, ticket PIN, phone number and email address, starting location of the bicycle at the start of the ride, partial location of the bicycle during the ride - to a limited extent, final location of the bicycle at the end of the ride. Data source: data provided by the customer and location data collected by the GPS locator on the bicycle. |
|
Period of data processing |
For this purpose, personal data may be processed for a period of three (3) years from the moment the rental claim is settled (i.e. after the end of the ride). Where the data are necessary for the establishment of legal claims or for the defence of any civil claim, the period of processing of the data shall be the time necessary for the conduct of the proceeding(s) and until the final conclusion of such proceeding(s). |
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
Capital City of the Slovak Republic Bratislava Primaciálne námestie č. 1, 814 99 Bratislava, Slovak Republic. Tasks: operation of the helpline and information centre on the following telephone number: +421 2 5950 5950 and e-mail address: info@slovnaftbajk.sk . For example, dealing with customer questions and complaints. |
|
Description and the purpose of data processing |
Performance of the Company's obligations in the field of invoicing and accounting, and taxes. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (c) GDPR - processing is necessary for compliance with legal obligations (e.g. Accounting Act or Act on Value Added Tax). |
|
Scope of the processed data and their cource
|
First name, last name, permanent address, customer's payment details, order and payment history information. Data source: data provided by customer and supplier. |
|
Period of data processing |
Tax obligations: data retention period is 10 years from the last day of the calendar year in which the relevant tax should have been declared or reported or, in the absence of such declaration or report, the tax should have been paid. Accounting documents: the data retention period is 10 years according to the relevant tax and accounting regulations. In practice, this means only when the data are included in documents which support the accountancy records such as an order or on an invoice. Other data retention periods may also apply, as described at the relevant data processing purposes below.. |
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
T-systems Magyarország Zrt. Könyves Kálmán Körút 36, 1097 Budapest, Hungary. Tasks: carrying out tasks related to accounting and taxes. SuperFaktura, s.r.o. Pri Suchom mlyne 6, 811 04 Bratislava – Staré mesto, Slovak Republic.
Tasks: managing the administrative and economic agenda of the Data Controller, which includes, for example, creating and sending invoices. |
|
Description and the purpose of data processing |
Sending newsletters via e-mail containing information related to the provision of the Bikesharing service. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (a) GDPR (voluntarily consent of the customer). |
|
Scope of the processed data and their cource
|
Customer's e-mail address. Data source: data provided by customer. |
|
Period of data processing |
For this purpose, the Company processes personal data until the consent is withdrawn. The customer can change his/her consent in the following ways:
|
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
T-systems Magyarország Zrt. Könyves Kálmán Körút 36, 1097 Budapest, Hungary. Crystal Call, a. s. Hálkova 1/A, 831 03 Bratislava, Slovak Republic Tasks: defining and implementing campaigns, e.g. sending marketing messages.
|
|
Description and the purpose of data processing |
Bicycle location and route tracking for the purpose of locating the bicycle in cases such as loss or theft, suspected loss or theft, or bicycle malfunction. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (f) GDPR (processing is necessary for the purposes of fulfilling a legitimate interest of the Company). |
|
Scope of the processed data and their cource
|
We process location of the bicycle outside the rental period and possibly also during the rental period. Data source: location data are obtained via GPS locator on the bicycle. |
|
Period of data processing |
If the data are needed to exercise legal claims or for defence of any civil law claim, the period of data processing is the time necessary to the conduct of the proceeding(s) and until the definitive conclusion of such proceeding(s). If the record of the route of the bicycle during the rental until the moment of docking is not necessary to exercise legal claims or for defence against any civil law claim, the Data Controller shall anonymise the personal data immediately after the bicycle has been duly docked. |
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
T-systems Magyarország Zrt. Könyves Kálmán Körút 36, 1097 Budapest, Hungary. Tasks: processing GPS location data of the bicycle outside the rental period and possibly also during the rental period. |
|
Description and the purpose of data processing |
Tracking the location of bicycle for the purpose of bicycle park management and the initiation and termination of rental contracts and handling customers complaints. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (b) GDPR - (processing is necessary for the performance of the terms of the contract) and Art. 6 (1) (c) GDPR - (processing is necessary for the performance of legal obligations), e.g. for the processing of complaints. |
|
Scope of the processed data and their cource
|
For this purpose, the Company does not process the entire route of the customer's ride, but only records certain (partial) locations of the bicycle, namely: (a) the starting location of the bicycle at the time of the start of the ride, (b) the partial location of the bicycle during the ride, to a limited extent, and (c) the final location of the bicycle at the time of the end of the ride. As customers are also charged according to the length of time they use the Bikesharing service, the Data Controller needs to know the time and place of the start and end of the ride and the approximate location of the bicycle for the duration of the ride, to a limited extent (the Company does not track the entire route). In order to determine this, the Company needs to know exactly when the bicycle was docked and undocked. In addition, the Company needs always to know how many bicycles are in a particular docking station, so that there are a sufficient number of available free places at each station as well as a sufficient number of free bicycles. Data source: location data obtained via a GPS locator on the bicycle. |
|
Period of data processing |
For this purpose, personal data may be processed within the general limitation period of three (3) years at the end of the rental relationship (i.e. at the end of the ride). Where the data is necessary for the purposes of a complaint procedure or for the exercise of legal claims or for the defence of any civil law claim, the period of processing of the data is the time necessary for the procedure(s) to be carried out and until the final conclusion of such procedure. |
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
T-systems Magyarország Zrt. Könyves Kálmán Körút 36, 1097 Budapest, Hungary. Tasks: processing of GPS location data of the bicycle at the start and end of the ride and to a limited extent during the duration of the ride. |
|
Description and the purpose of data processing |
Marketing activities (organisation of competitions on social media such as the Company's Facebook/Instagram profile, etc.). |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (a) GDPR (voluntarily consent of the customer). By entering the competition, the customer gives consent to the processing of personal data. |
|
Scope of the processed data and their cource
|
Customer's personal data in the scope of: name, surname, pseudonym and e-mail address, necessary for the evaluation of compliance with the conditions for participation in the competition. Data source: data provided by customer. |
|
Period of data processing |
For this purpose, the Company processes personal data until the consent is withdrawn. The customer has the right to consent at any time to the processing of personal data (relating to them) withdraw. The customer may withdraw his/her consent in writing at the address of the competition organiser and/or at e-mail address: info@slovnaftbajk.sk . |
|
Addressee of data transfer |
Company. The data recipient is also the data processor (see column Data processor and its activity). |
|
Data processor and its activity |
SLOVNAFT, a.s. Vlčie hrdlo 1, 824 12 Bratislava, Slovak Republic. Tasks: publication of data on the organised competition/campaign and its evaluation. Capital City of the Slovak Republic Bratislava Primaciálne námestie č. 1, 814 99 Bratislava, Slovak Republic. Tasks: contacting the winners. |
|
Description and the purpose of data processing |
Ensuring the fulfilment of contractual relations in the framework of supply contracts. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (b) GDPR if one of the contracting parties is a natural person - entrepreneur and also a legitimate interest under Art. 6 (1) (f) GDPR in the case of a person authorised to act on behalf of the company with which the Company enters into a contractual relationship, or its contact person. |
|
Scope of the processed data and their cource
|
The Company processes personal data necessary to ensure contact in connection with the performance of the subject of the contract. Data source: data provided by suppliers as well as from public registers (e.g. trade register, commercial register, etc.). |
|
Period of data processing |
For this purpose, the Company processes personal data for the duration of the contractual relationship and subsequently for archiving purposes for a maximum period of 10 years from the expiry of the contract. |
|
Addressee of data transfer |
Company. |
|
Data processor and its activity |
|
Description and the purpose of data processing |
The exercise of legal claims by the Company. This includes, for example, defending legal disputes and proceedings with authorities initiated by customers in connection with the provision of Bikesharing services or pursuant to Article 17 (3) (e) of the GDPR. Source of data: listed under each point. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (f) GDPR (data processing is necessary for the purposes of fulfilling the legitimate interests of the Company: to exercise of legal claims and the successful defence of any legal or official proceedings (e.g. legal proceedings initiated by the customer, administrative or out-of-court proceedings, etc.). |
|
Scope of the processed data and their cource
|
Name, e-mail, telephone number (only if the dispute concerns the lawfulness of its processing), data on the use of the Bikesharing services, if necessary to exercise rights or resolution of the legal disputes related to Bikesharing. |
|
Period of data processing |
The general period of data processing is defined in case of each data processing operation. If the data are needed to exercise legal claims or for defence against any civil law claims, the period of data processing is the time necessary to conduct the proceeding(s) and until the definitive conclusion of such proceedings or achievement of the legitimate interest by other means (e.g. conclusion of an out-of-court settlement). |
|
Addressee of data transfer |
Company. |
|
Data processor and its activity |
The Company is a sole Data Controller whereby it determines the purpose and the scope of the data processing individually and it is liable only for its own data processing activity.
In addition to the above, under Article 6 (1) (f) of GDPR (based on the legitimate interest of the Company), the Company uses the services of its lawyer partners to manage and successfully exercise its claims and transfers the required personal data to such lawyers for this purpose. Such lawyers act as independent controllers in accordance with the provisions of their own privacy notices. In case of engagement of lawyer partners for their specific case, and at the request of the individual, the Company shall provide information on the lawyer partner involved in a particular data processing operation, as well as the contact details and activities of that lawyer partner and the data processed in connection therewith.
Name and contact details of the Data Controller
Address for correspondence: Slovnaft Mobility Services, s. r. o., with registered seat at Vlčie hrdlo 1, 821 07 Bratislava – mestská časť Ružinov
Name and registered seat of data processors and other entities receiving data from the Data Controller
Data processors:
T-systems Magyarország Zrt.
Könyves Kálmán Körút 36, 1097 Budapest, Hungary
Global Payments s.r.o.
V olšinách 626/80, 100 00 Prague 10 - Strašnice, Czech Republic
LINK Mobility Poland sp. z o. o.
Toszecka 101, 44-100 Gliwice, Poland
SuperFaktura, s.r.o.
Pri Suchom mlyne 6, 811 04 Bratislava – Staré mesto, Slovak Republic
Capital City of the Slovak Republic Bratislava
Primaciálne námestie č. 1, 814 99 Bratislava, Slovak Republic
SLOVNAFT, a.s.,
Vlčie hrdlo 1, 824 12 Bratislava, Slovak Republic
Crystal Call , Inc.
Hálkova 1/A, 831 03 Bratislava, Slovak Republic
Where the Company uses service providers as data processors, it must ensure that appropriate personal data contracts/agreements are in place in accordance with Article 28 GDPR. The purpose of these contracts is, inter alia, to ensure that the processing of personal data is carried out by the data processor on behalf of the Company, solely on the basis of instructions provided by the Company.
Processing special personal data for the purpose defined in this Privacy Notice
The Company does not process any special categories of personal data.
Transfer of personal data to third countries
The Company does not transfer personal data to third countries.
The existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual:
The Company will not make any decision based on automated data processing concerning you (Article 22(1) GDPR).
Data security measures:
The Company stores your personal data in a protected electronic data repository in order to ensure the secrecy, integrity and availability of your personal data in accordance with the IT security norms and standards. Within the framework of risk-proportionate protection and measuring the classification of personal and business data, the Company ensures the protection of data on a network, an infrastructural and an application level (with firewalls, antivirus programs, encryption mechanisms for storage and communication, content filtering and other technical and process solutions). The personal data breaches are constantly monitored and managed. In case of encryption, the encrypted data flow is not retrievable without the knowledge of the decryption code due to the asymmetric coding, in addition with content filtering and other technical and process solutions). Data breaches are constantly monitored.
Data security measures:
|
Information Security Management System |
To ensure the confidentiality, integrity and availability of organizational information by implementing policies, processes, process descriptions, organizational structures, software and hardware functions. |
|
Physical access |
To ensure physical asset protection containing information. |
|
Logical access |
To ensure that only approved and authorized users have access to data. |
|
Data access |
To ensure that only authorized users of the systems have access to data. |
|
Data transfer/ storage/ erasure |
To ensure that Company's corporate information is not transmitted, read, modified or erased by an unauthorized person while it is being transferred or stored. In addition, company data must be deleted promptly when the purpose of processing ceases. |
|
Confidentiality and integrity |
To ensure that corporate data is kept confidential and up-to-date, also preserves integrity. |
|
Availability |
To ensure that data is protected against accidental destruction or loss and, in the event of such an event, access to, and recovery of, relevant data is on time. |
|
Separation of data |
To ensure that data is handled separately from other client data. |
|
Incident management |
In the event of any breach of the information, the effect of the breach will be minimized and the owners of the Information will be notified immediately. |
|
Audit |
To ensure that the data processor periodically tests, examines and evaluates the effectiveness of the technical and organizational measures outlined above. |
Your rights concerning data processing:
The GDPR contains in detail your data protection rights, your possibilities of seeking a legal remedy and the restrictions thereof (especially Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). You can at any time request information about your personal data processed, you can request the rectification and erasure of your personal data or the restriction of their processing, furthermore you can object to the data processing based on a legitimate interest and direct marketing and you have the right to data portability. We summarize the most important provisions below. You may exercise rights and seek legal remedies by contacting any of the Company.
Right to information:
If the Company processes your personal data, it must provide you information – even without your special request thereof – concerning the main characteristics of the data processing including the purpose, legal basis and period of processing, the identity and contact details of the Company and its representative, the contact details of the data protection officer (if appointed), the recipients of the personal data (in case of data transfer to third countries indicating also the adequate and appropriate guarantees), the legitimate interests of the Company and/or third parties in case of a data processing based on a legitimate interest, furthermore your data protection rights and your possibilities of seeking a legal remedy (including the right of lodging a complaint with the supervisory authority), the source of personal data – if you are not the source – as well as the categories of personal data, in the case you have not had yet all this information. In case of automated decision-making and profiling you must be informed by the Company in an understandable way about the logic involved, as well as the significance and the envisaged consequences of such processing for you. The Company provides the abovementioned information by making this Privacy Notice available to you.
Right of access to data:
You have the right to obtain from the Company confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information related to the data processing such as the purpose of the data processing, the categories of the personal data processed, the recipients of the personal data, the (envisaged) period of data processing, the individual’s data protection rights and possibilities of seeking a legal remedy (including the right of lodging a complaint with the supervisory authority), furthermore information on the source of the data where they are not collected from you.
Upon your request the Company shall provide a copy of your personal data undergoing processing. For any further copies requested by you, the Company may charge a reasonable fee based on administrative costs. Where you made the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
The Company gives you information on the possibility, the procedure, the potential costs and other details of providing the copy after receiving your request.
In case of automated decision-making and profiling the individual has access to the following information: the logic involved, as well as the significance and the envisaged consequences of such processing for you.
Right to rectification:
You have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary privacy notice.
Right to erasure:
You have the right to obtain from the Company the erasure of personal data concerning you without undue delay and the Company has the obligation to erase personal data without undue delay where certain grounds or conditions are given. Among other grounds the Company is obliged to erase your personal data upon your request for example if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing; if the personal data have been unlawfully processed; or if you object to the processing and there are no overriding legitimate grounds for the processing; if the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject; or if the personal data have been collected in relation to the offer of information society services.
If the data processing is based on your consent the consequence of the withdrawal of the consent: we do not send or offer tailored, personalised marketing (advertising) messages, promotional offers, coupons.
We inform you that the withdrawal of your consent does not affect the legality of the data processing carried out before the withdrawal, based on your consent.
Right to restriction of processing:
You have the right to obtain from the Company restriction of processing where one of the following applies:
|
(a) |
the accuracy of the personal data is contested by you, for a period enabling the Company to verify the accuracy of the personal data; |
|
(b) |
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; |
|
(c) |
the Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; |
|
(d) |
you have objected to processing, pending the verification whether the legitimate grounds of the Company override your legitimate grounds. |
Where processing has been restricted according to the abovementioned reasons, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
You shall be informed by the Company before the restriction of processing is lifted.
Right to data portability:
You have the right to receive the personal data concerning you, which you provided to the Company in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where:
|
(a) |
the processing is based on your consent or on the performance of a contract (to which you are a party); and |
|
(b) |
the processing is carried out by automated means. |
In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to data portability shall be without prejudice to the provisions governing the right to erasure; furthermore, it shall not adversely affect the rights and freedoms of others.
Right to object:
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on the legitimate interests of the Company or where the Company processes personal data in the public interest, including profiling based on those provisions. The Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where you object to processing, the personal data shall no longer be processed for such purposes.
Framework for the exercise of rights:
The Company shall provide information on action taken on a request based on your abovementioned rights without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you.
If the Company does not take action on your request, the Company shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent data protection supervisory authority in Slovak republic: The Office for Personal Data Protection of the Slovak Republic and seeking a judicial remedy. Contact details of The Office for Personal Data Protection of the Slovak Republic: Hraničná 12, 820 07 Bratislava 27, tel.: +421 /2/ 3231 3214, e-mail: statny.dozor@pdp.gov.sk, web: https://dataprotection.gov.sk .
This information must be provided by the Company in writing or by other means, including electronic means, where appropriate. If you so request, the information may be provided to you orally, as long as your identity is established by other means.
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. You can read about how to contact supervisory authorities within the EU here: https://edpb.europa.eu/about-edpb/board/members_en. You shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you. You shall further have the right to an effective judicial remedy where the competent supervisory authority does not handle your complaint or does not inform you within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you shall have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in non-compliance with the GDPR. Proceedings against the Company or its partner company or processor partner shall be brought before the courts of the Member State where the Company, the partner´s company controller or the processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.
Such litigation falls within the competence of the general courts of the Slovak Republic.
The court may order the controller (the Company) to provide the relevant information, to rectify, block or erase it, to annul the decision taken by means of automated data processing or to respect your right to object. The court may order the publication of its decision, specifying the identity of the Data Controller or any other data controllers and the breach committed.
The data controller concerned is liable for any damage you suffer as a result of unlawful processing or any breach of data protection requirements. If any data controller infringes the data subject's personality rights as a result of unlawful processing or any breach of data protection requirements, the data subject has the right to claim compensation from the data controller concerned.
The Data Controller may be exempted from liability for damages or compensation if it proves that the damage was caused or the violation of the data subject's personal data protection rights was due to unavoidable causes beyond its reasonable control.
No compensation shall be paid and no restitution may be demanded where the damage was caused by or the violation of rights relating to personality is attributable to intentional or negligent conduct on the part of the data subject.
1 For the definition of the Slovnaft Bajk App, see 1.1 (i) of the GENERAL TERMS AND CONDITIONS
2 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR")
3 Bratislavská integrovaná doprava, a.s., with registered seat: Jankolova 6, 851 04 Bratislava, Company registry number.: 35 949 473, registered in the Commercial Register of the Municipal Court of Bratislava III, Section: Sa, Insert No.: 4799/B
You can read and download the privacy policy here
