Consent to the sending of advertising material
1. I, as the Data Subject, hereby give my consent to the company ZUTOM s.r.o., with registered office at Záhradnícka 74, 821 08 Bratislava, Slovak Republic, ID No. 35 740 019, registered with the Business Register kept by the District Court Bratislava I, Section: Sro, Insert No.: 16672/B, contact data: gdpr@zutom.com, +421 2 2063 3333 (the “Controller”) to send me general advertising (marketing) messagesabout the Controller’s products and services and newsletters about the Controller’s business, to the e-mail address I have provided.
2. By entering and sending the e-mail address on the Controller’s website (www.zaip.one), the Data Subject gives to the Controller the consent to the processing of his/her personal data:
a. in the following scope: e-mail address,
b. for the purposes of sending general advertising (marketing) messages about the Controller’s products and services and newsletters about the Controller’s business, to the e-mail address I have provided.
3. Data Subject has the right to withdraw his or her consent to the processing of personal data concerning him or her. The withdrawal of consent shall not affect the lawfulness of personal data processing based on the consent before its withdrawal.
Instruction:
1. In relation to Data Subject, the Controller has a legal status of the Controller under GDPR and the Act, i.e. the person who alone or together with other persons determines the purpose and means of personal data processing and processes the personal data in its own name.
2. The legitimate interests pursued by the Controller or by a third party, if the processing is based on point (f) of Article 6(1) of the GDPR and point (f) of Section 13 (1) of the Act (Article 13(1)(d) of GDPR and Section 19(1)(d) of the Act):
Personal data shall not be processed on the basis of such a legal basis.
3. Identification of recipient or categories of recipients, if any (Article 13(1)(e) of GDPR and Section 19(1)(e) of the Act):
a. an external provider of data repository and external software services,
b. external co-worker.
4. Information whether the Controller intends to transfer personal data to a third party or international organization, the identification of third country or international organization (Article 13(1)(f) of GDPR and Section 19(1)(f) of the Act): The Controller contemplates such transfer, especially in the case of an external data storage provider with external software or an external marketing services provider, but always with an emphasis on measures taken to ensure the protection of personal data. The transfer is done to the following countries: USA, Great Britain, Australia, Colombia, Singapore, Japan.
5. Defining, whether the provision of personal data is a statutory or contractual requirement,
or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data (Article 13(2)(e) of GDPR and Section 19(2)(e) of the Act):
Provision of personal data on a voluntary basis. Possible consequences of a failure to provide personal data: failure to provide personal data will cause that the Data Subject will not be sent the defined materials and information.
6. Period of personal data processing (Article 13(2)(a) of GDPR and Section 19(2)(a) of the Act):
For the period of 3 (three) years or until withdrawal of the consent.
7. The existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability:
Right of access by the Data Subject
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a. The purposes of the processing;
b. The categories of personal data concerned;
c. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
f. The right to lodge a complaint with a supervisory authority;
g. Where the personal data are not collected from the Data Subject, any available information as to their source;
h. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR or in Section 28 (1) and (4) Act and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject
The Controller will provide a copy of the personal data that is being processed. Any additional copies requested by the User may be charged by the Controller for an appropriate fee corresponding to the administrative costs. Where an application is submitted by electronic means, the information shall be provided in the commonly used electronic form, unless a different mean is requested.
Information must be provided immediately, not later than within 1 month. The Controller has the right to prolong the processing time of the application for another 2 months if the request is complex or frequent. However, the notification must be made within one month of the reason for the extension of the processing period.
In the case of an unjustified or too frequent request, the Controller has the right to charge a reasonable charge or to reject the application. It must explain the reason for the refusal and the right to refer the complaint to the supervisory authority.
Right to rectification
The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Information must be provided immediately, not later than within 1 month. The Controller has the right to prolong the processing time of the application for another 2 months if the request is complex or frequent. However, the notification must be made within one month of the reason for the extension of the processing period.
In the case of an unjustified or too frequent request, the Controller has the right to charge a reasonable charge or to reject the application. It must explain the reason for the refusal and the right to refer the complaint to the supervisory authority.
Right to erasure (‘right to be forgotten’) or right to restriction of processing
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. The Data Subject withdraws consent on which the processing is based according, and where there is no other legal ground for the processing;
c. The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing;
d. The personal data have been unlawfully processed;
e. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
f. The personal data have been collected in relation to the offer of information society services referred.
Previous two sentences shall not apply to the extent that processing is necessary:
a. For exercising the right of freedom of expression and information;
b. For compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c. For reasons of public interest in the area of public health
d. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e. For the establishment, exercise or defence of legal claims.
The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
a. The accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
b. The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
c. The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d. The Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Right to object
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
a. The processing is based on consent or on a contract; and
b. The processing is carried out by automated means.
The Controller has a data portability period of time of 1 month; it can be extended by 2 months if the portability is complicated. They must provide information about this and explain why the extension has occurred. In the event that the Controller does not take the steps required for data portability, they must inform the Data Subject about the reasons and on their right to file a complaint with the supervisory authority
8. Right to withdraw consent to processing of personal data at any time (Article 13(2)(c) of GDPR and Section 19(2)(c) of the Act):
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. The right to file an application under Section 100 of the Act or a complaint to the supervisory authority pursuant to Article 77 GDPR:
Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him or her infringes GDPR.
The User has the right to file a petition for personal data protection with the Personal Data Protection Office. The purpose of the procedure is to determine whether the rights of natural persons have been violated in the processing of their personal data or that a law or a specific privacy policy has been breached and, if it is found to be inappropriate, to impose remedies or a fine for violation of the Act or a special regulation for the protection of the personal data. The petition must include:
a. Name, surname, correspondence address and signature of the petitioner,
b. Identification of the subject against which the proposal is directed, including the name, surname, permanent address or name, registered office and identification number, if assigned,
c. The subject of the proposal, indicating the rights to be violated in the processing of personal data,
d. Evidence to support the claims made in the proposal,
e. A copy of the document or other evidence of the exercise of the right under the law or a special regulation, if such a right is invoked by the User, or a statement of reasons worthy of special consideration for the non-application of the right in question, if the application was filed by the User.
A petition´s template will be published at the Personal Data Protection Office´s website (https://dataprotection.gov.sk/uoou/en).
10. The existence of automated decision-making, including profiling (Article 13(2)(f) of GDPR and Section 19(2)(f) of the Act):
The Controller does not use automated decision-making or profiling.