Consent to the processing of personal data for the purpose of the contact form

in accordance with Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the „GDPR”) and in accordance with Section 13 (1) (a) of Slovak Act No. 18/2018 Coll. on Protection of Personal Data, as amended (hereinafter the „Act”)

(hereinafter referred to as the „Consent“)

Controller:

Business name:  ZUTOM s.r.o.
Registered seat: Záhradnícka 74, 821 08 Bratislava, Slovak Republic
Company ID no: 35 740 019
Registration: with the Commercial Register maintained by Bratislava I, Section Sro Insert 16672/B
Representation: Tomáš Kurtha, executive
Contact: gdpr@zutom.com, +421 2 20633 3333

(hereinafter referred to as the „Company“ or „Controller“)

The sender of the contact form as the Data Subject (the “Data Subjects”) grants the Controller consent to the processing of his personal data (the “PD”):

· to the extent of the information provided in the contact form, in particular name, surname, e-mail address, telephone number, the company represented by the Data Subject and his position in the company and other information provided in the text of the message sent,

· for the purpose of storing the inquiry and preparing the answer thereto.

The given personal data shall be stored for a period of 1 (one) year from the date of sending the contact form. The personal data obtained shall not be subject to automated decision-making. Upon receipt of a message from the Data Subject, the system evaluates the information obtained and includes the Data Subject in the CRM system, especially in connection with the Data Subject's request, but the system does not make decisions that could affect the Data Subject's rights without human intervention.

The Data Subject confirms that he has been instructed by the Controller as follows:

1. In relation to the Data Subject, the Controller has the legal status of the Controller under GDPR and the Act, i.e. the person who alone or together with other persons determines the purpose and means of personal data processing and processes the personal data in its own name.

2. Legitimate interests of the Controller or of a third party if personal data are processed under Article 6(1)(f) of GDPR and Section 13(1)(f) of the Act (Article 13(1)(b) of GDPR and Section 19(1)(d) of the Act):

The Controller does not process personal data on such basis.

3. Identification of recipient or category of recipient, if any (Article 13(1)(e) of GDPR and Section 19(1)(e) of the Act):

a. an external provider of data repository and external software services,

b. external co-worker.

4. Information whether the Controller intends to transfer personal data to a third country or international organization, identification of third country or international organization (Article 13(1)(f) of GDPR and Section 19(1)(f) of the Act):

The Controller contemplates such transfer, especially in the case of an external data storage provider with external software or an external marketing services provider, but always with an emphasis on measures taken to ensure the protection of personal data. The transfer is done to the following countries: USA, Great Britain, Australia, Colombia, Singapore, Japan.

5. Period of storage of personal data; if that is not possible, information on the criteria for determination of that period (Article 13(2)(a) of GDPR and Section 19(2)(a) of the Act):

For the period of 1 (one) year from the date of sending the contact form.

6. The purpose of personal data processing for which the personal data are intended as well as the legal basis for the personal data processing (Article 13(1)(c) of GDPR and Section 19(1)(c) of the Act):

a. Purpose of personal data processing: Processing of personal data for the purpose of storing the query and processing the answer on the basis of a request from the Data Subjects sent in the form of a contact form. The Data Subject grants the consent to the processing of personal data by sending a contact form.

b. Legal basis of personal data processing: Data Subject’s consent to the processing of his/her personal data for at least one specific purpose (Article 6(1)(a) of GDPR and Section 13(1)(a) of the Act).

7. The existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability (Article 13(1)(e) of GDPR and Section 19(1)(e) of the Act):

Right of access by the Data Subject

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a. The purposes of the processing;

b. The categories of personal data concerned;

c. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;

f. The right to lodge a complaint with a supervisory authority;

g. Where the personal data are not collected from the Data Subject, any available information as to their source;

h. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR or in Section 28 (1) and (4) Act and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

The Controller will provide a copy of the personal data that is being processed. For any additional copies requested by the User, the Controller may charge an appropriate fee corresponding to the administrative costs. Where an application is submitted by electronic means, the information shall be provided in the commonly used electronic form, unless a different means is requested.

Information must be provided immediately, not later than within 1 month. The Controller has the right to prolong the processing time of the application for another 2 months if the request is complex or frequent. However, the notification must be made within one month of the reason for the extension of the processing period.

In the case of an unjustified or too frequent request, the Controller has the right to charge a reasonable fee or to reject the application. It must explain the reason for the refusal and the right to refer the complaint to the supervisory authority.

Right to rectification

The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Information must be provided immediately, not later than within 1 month. The Controller has the right to prolong the processing time of the application for another 2 months if the request is complex or frequent. However, the notification must be made within one month of the reason for the extension of the processing period.

In the case of an unjustified or too frequent request, the Controller has the right to charge a reasonable fee or to reject the application. It must explain the reason for the refusal and the right to refer the complaint to the supervisory authority.

Right to erasure (‘right to be forgotten’) or right to restriction of processing

The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b. The Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

c. The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing;

d. The personal data have been unlawfully processed;

e. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

f. The personal data have been collected in relation to the offer of information society services referred.

Previous two sentences shall not apply to the extent that processing is necessary:

a. For exercising the right of freedom of expression and information;

b. For compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c. For reasons of public interest in the area of public health;

d. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e. For the establishment, exercise or defence of legal claims.

The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a. The accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;

b. The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

c. The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d. The Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Right to object

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:

a. The processing is based on consent or on a contract; and

b. The processing is carried out by automated means.

The Controller has a period of 1 month to carry out data portability; it can be extended by 2 months if the portability is complicated. The Controller must provide information about this and explain why the extension has occurred. In the event that the Controller does not take the steps required for data portability, it must inform the Data Subject about the reasons and about the right to file a complaint with the supervisory authority.

8. Right to withdraw consent to processing of personal data at any time (Article 13(2)(c) of GDPR and Section 19(2)(c) of the Act):

The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. The right to file an application under Section 100 of the Act or a complaint to the supervisory authority pursuant to Article 77 GDPR:

Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him or her infringes GDPR.

The User has the right to file a petition for personal data protection with the Personal Data Protection Office. The purpose of the procedure is to determine whether the rights of natural persons have been violated in the processing of their personal data or that a law or a specific privacy policy has been breached and, if it is found to be inappropriate, to impose remedies or a fine for violation of the Act or a special regulation for the protection of the personal data. The petition must include:

a. Name, surname, correspondence address and signature of the petitioner,

b. Identification of the subject against which the proposal is directed, including the name, surname, permanent address or name, registered office and identification number, if assigned,

c. The subject of the proposal, indicating the rights to be violated in the processing of personal data,

d. Evidence to support the claims made in the proposal,

e. A copy of the document or other evidence of the exercise of the right under the law or a special regulation, if such a right is invoked by the User, or a statement of reasons worthy of special consideration for the non-application of the right in question, if the application was filed by the User.

A petition template will be published at the Personal Data Protection Office's website (https://dataprotection.gov.sk/uoou/en).

10. Defining whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data (Article 13(2)(e) of GDPR and Section 19(2)(e) of the Act):

The consent to the processing of personal data for the purpose of the contact form is provided by submitting the form. Granting consent is voluntary. The Data Subject shall have the right to withdraw his or her consent at any time. In case of non-provision of personal data, the Controller may have a problem with the identification of the Data Subject and the processing of the answer to the question of the Data Subject.

11. The existence of automated decision-making, including profiling (Article 13(2)(f) of GDPR and Section 19(2)(f) of the Act):

The Controller does not use automated decision-making.