GDPR – REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA
Article 13 of the European Parliament and of the Council (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “Decree”), Article 19 of Act No. 18/2018 Coll. on personal data protection (hereinafter “the Act”).
WHO WE ARE?
Company name: Marek Janíček – Marcraft
Address: Meštianska 16/18, Komárno 94501
Company identification number: 45612510
Registered at the District Office Komárno, under business registration number: 410-23453
HOW TO GET IN TOUCH WITH US?
Contact person: Marek Janicek
Phone number: +421 907 395 665
Address: Ul. Práce č.8, Komárno
WHAT RIGHTS DO YOU HAVE?
RIGHTS OF INDIVIDUALS UNDER THE GDPR
The person concerned is a natural person – not limited to employees or customers – affected by the processing of personal data. Those individuals, whose personal data are processed for specific reasons in our information system, have rights and these can be exercised in writing or electronically with the Data Controller. The person concerned is you.
RIGHT OF ACCESS TO PERSONAL DATA
Confirmation from the competent person that the personal data of the person concerned, exercising its rights, will be processed and have the right to access such data. As a person concerned, you have the right to access the following information: purpose of data processing, categories of personal data, recipients, duration of the processing and retention, the process of automatic data processing or its consequences, etc. (Article 15 of the Regulation). As a Data Controller, we will take all reasonable measures to verify the identity of those who request access to the data, particularly regarding online services and identifiers. At the request of the person concerned the Data Controller will issue a certificate with regard to the processing of personal data. If the Data Controller processes these data, at request he will provide a copy of the processed personal data. The first copy is free. The Data Controller will charge an administrative fee for the additional copies requested by the person concerned, in accordance with the costs incurred. If the person concerned requests information electronically, he will receive it electronically by e-mail, unless he chooses another way.
RIGHT TO RECTIFICATION OF DATA
If the Data Controller records inaccurate personal data, the person concerned has the right to complete them. The Data Controller shall rectify or complete such data without undue delay, at the request of the person concerned.
RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)
The person concerned shall have the right the erasure of personal data. However, this right of the person concerned is limited by its nature and importance to further prerequisites.
The Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the person concerned withdraws consent on which the processing is based
- the person concerned protests against the data processing
- the personal data have been unlawfully processed
- the reason for the erasure is the fulfillment of an obligation under a law, special regulation or by an international treaty binding on the Slovak Republic
- personal data was collected for individuals over 16 years in connection with the provisions of information society services
The right to erasure of the person concerned does not apply, if processing is necessary for one the following purposes:
- to exercise the right of freedom of expression and information
- fulfilment of an obligation imposed on the Slovak Republic by a law, special regulation or international contract, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller
- if the processing is necessary for public health purposes of public interest
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
- for the establishment, exercise or defence of legal claims
The Data Controller shall have the obligation to erase personal data, requested by the person concerned, without undue delay, if this request is justified.
RIGHT TO DATA PORTABILITY
As a person concerned you shall have the right to transmit your personal data, provided to us, in a structured, commonly used and machine-readable format to another controller, under the condition that these personal data have been obtained with the data subject’s consent or contract and are processed automatically.
PROPOSAL FOR INITIATING A LEGISLATIVE PROCEDURE
The data subject has the right to contact The Office for Personal Data Protection of the Slovak Republic, if he or she considers that his or her rights to the protection of personal data have been breached.
RIGHT TO OBJECT
The data subject shall have the right to object at any time to processing of personal data concerning him or her, on grounds relating to his or her particular situation. You can object to processing of your personal data based on the following:
- tasks carried out in the public interest or in the exercise of official authority
- direct marketing purposes,
- scientific or historical research purposes or statistical purposes
We will review the objection received within a reasonable time. In this case, we may only continue to process personal data if we have demonstrated the legitimate interests necessary to process the personal data, which override the rights or interests of the data subject or the grounds for the legal claim.
RIGHT TO RESTRICT THE PROCESSING OF PERSONAL DATA
This right can be exercised if the person concerned objects to personal data and other data as defined in Article 18 (67) of the Regulation, requests the temporary transfer of selected personal data to another processing system, restricting users’ access to selected personal data, or temporarily removing them.
For the purposes of data processing, the Data Controller collects the personal data of the subjects in the information systems, on a specific legal basis. All processing of personal data takes place within a legal framework, with a specific, legitimate and express purpose. In order to maintain transparency and clarity of the above information, the different legal basis and purposes of the processing of personal data are listed separately, at the end of the principles of personal data protection, classified according to information systems.
In order to protect your personal data to the maximum, as Data Controller we have taken the necessary personal, organizational and technical measures. Our goal is to prevent and reduce the risk of personal information being leaked, misused, disclosed or otherwise exploited. In the event of a circumstance which is likely to constitute a serious risk to the rights and freedoms of natural persons, you will be contacted immediately (Article 34 of the Regulation).
In order to preserve the principles governing the processing of personal data contained in the Regulation and the law, in particular the principles of personal data, we only ask you, as a data subject, for personal data that are legally or contractually necessary to fulfill the purpose of the processing. Please note that failure to provide the mandatory information required to conclude the contract will result not being concluded in the contract.
PHOTOS – PHOTOBOX
- Provides services within the framework of the Operator/Data Controller: photos obtained from the SelfieCam “photobox”. The “photobox” is managed by the subordinates of the Operator/Data Controller at social personal events (for private purposes) and at social events of public-entrepreneurs and legal entities, which are business, marketing, charitable and other events. The Operator/Data Controller processes the personal data of participants ordering the services of the Operator in order to ensure the performance of the ordered services. The Operator/Data Controller handles the personal data of the customer within the framework of a Contractual Relationship – customer.
- The Operator/Data Controller shall process as necessary, the personal data (photographs) of participants, which have been voluntarily photographed using the “photobox” in order to make a copy of them, collect them, and prepare them for sending to the customer.
- The legal basis for such processing shall be the consent of the data subject, according to Article 6 (1) (a) – EU General Data Protection Regulation. The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing prior to the withdrawal.
Photography is completely voluntary. A “photobox” is a device that is incapable of operating on its own, meaning that it can only take pictures if the individual is voluntarily in front of the device (the background and the photographic lens – i.e. the “photobox”). Implied consent for the Operator/Data Controller is that the individual voluntarily stands in front of the “photobox” device and the photo is taken and then printed or forwarded to the email address provided on the device.
- The Operator/Data Controller shall transmit the photos taken at the event in a protected form, via USB drives or other digital media, or by electronic communication to the organizer of the social event, thus fulfilling the subject of the order. According to Article 6 (1) (f), the processing is the legitimate interest of a third party. The main legitimate interest is to obtain and preserve the media (photographs) collected during the social event organized, paid for and provided by the organizer (to the beneficiary/third party who has a legitimate interest in handing over the photographs he has ordered).
- In order to promote their services, the Operator/Data Controller may publish the photos taken by the “photobox” on the Operator’s website, social networks and in promotional materials. It will be necessary to obtain permission to post photos, which is the sole condition/legal basis for such posting.
CATEGORY OF RECIPIENTS
- Authorized employees
- The organizer of the corporate event, the customer of the “PHOTOBOX” service
DEADLINE FOR DELETION OF PERSONAL DATA
- After completing the goal
- Five years after the consent has been given, or within 30 days of its withdrawal.
CATEGORY OF PERSONS CONCERNED
Private Individuals, public persons-entrepreneurs, representatives or employees of the customer who have ordered the services of the Operator for an event organized by them or for an event in which they are present as a co-organizer.
Individuals (participants of the event with the “photobox”) who volunteered to photograph themselves through the “photobox”. Information about automated decision making, including profiling – Not profiled. Cross-border transfers of personal data to third countries – Not applicable.