Personal Data Protection Policy governing the registration in the Neseda, j.s.a. e-mail database

 

The following Neseda j.s.a Personal Data Protection Policy applies to the persons wishing to be included in the e-mail database.

This Policy is divided into two sections, the wording of which is identical:

    1. Section 1 details the Policy in plain English.
    2. Section 2 presents the Policy in legal English.

In Section 1, our intention is to make the Policy easier to understand for the interested parties. In the event of a conflict of meaning between the two Sections, the wording of Section 2 shall apply.

  1. Policy in plain English (legal wording can be found here)

We need your personal data to include you in the e-mail database and contact you accordingly. The security of your personal data and its legal processing is of primary importance to us.  Below you will learn how we process your personal data and make it secure.

Who does this Policy apply to?

This notice applies to you if you have subscribed to our company’s e-mail distribution list because you want to receive the news. If you are our existing customer and have already provided your personal data to us as part of an order, the notification under Article XI.of the General Terms and Conditions applies to you.

Who are we?

Your personal data is processed by our company Neseda j.s.a.,  with registered office: Staré Grunty 12, 841 04 Bratislava – Karlova Ves City District, Slovak Republic, ID no.: 51 118 327, registered in the Commercial Register of the District Court Bratislava I, Section: Sja, Item no.: 25/B (hereinafter referred to as the “Data Controller”).

What personal data do we process?

We process your first name, last name, e-mail address, IP address when signing up, and IP address when opening the e-mail.

For what purpose do we process your personal data?

We process your personal data to include you in the database and send you information, news and marketing information.

How can you give us your consent?

You can give us your consent to the processing of your personal data by checking the “I agree to the processing of my personal data” checkbox when filling out the e-mail database sign-up form.

You can give us your consent to e-mail newsletters and marketing information by checking the “I agree to the marketing communication” checkbox when filling out the e-mail database sign-up form.

How can you withdraw your consent?

You can withdraw your consent to the processing of your personal data at any time. You can withdraw your consent by clicking the “Unsubscribe from the newsletter” link, which is located in the footer of each e-mail, or by sending us a withdrawal notice to info@neseda.com.

How long do we keep your personal data?

The personal data you have provided to us is archived until you withdraw your consent, and for a maximum period of 2 years from the latest consent. We will contact you with the possibility to extend your consent for another two-year period before the expiration of said 2-year period.

Where do we transfer your personal data?

We process your personal data through the MailChimp online application and through the applications in the Google Suite (e.g. Google Sheets). These applications have their data stored on the servers located in the USA. According to the decision of the European Commission, this country guarantees an adequate level of personal data protection. In addition, the operators of online applications provide adequate guarantees for the security of your data and have guaranteed to process personal data in accordance with the GDPR.

Not satisfied or have questions?

If you are not satisfied with how we process your personal data, you can let us know by e-mail at info@neseda.com. You can ask us to:

  1. Provide information about whether we still process your personal data,
  2. Provide information about how we process your personal data,
  3. Provide information about how we collected/obtained your data,
  4. Provide information about which personal data we process about you,
  5. Erase or correct your personal data if they are incomplete, outdated or incorrect,
  6. Erase your personal data that we no longer have a reason to process (the purpose has ended),
  7. Return any documents containing your personal data,
  8. Erase your personal data in the case of breach of law,
  9. Block your personal data due to the withdrawal of consent before the expiry of its validity period.

If you believe that we are processing your personal data illegally and unlawfully, you have the option to file a complaint with the Office for Personal Data Protection.

How do we process your personal data?

We process your personal data in electronic form through the Mailchimp online application and through the applications in the Google Suite (such as Google Spreadsheets).

Who can access your personal data?

Authorized employees or associates of Neseda, j.s.a., who are in charge of marketing communication, have access to your personal data.

How do we ensure the protection of your personal data?

The security of your personal data is of primary importance to us. In order to ensure the protection of your personal data, we have adopted the necessary technical and organizational measures. The data stored on the hard drives are encrypted, and the operators of online applications provide adequate guarantees for the security of your personal data.

Final provisions

This Personal Data Protection Policy takes effect on the date of its publication, i.e. on 21/05/2018, and becomes effective on 25/05/2018.

We will notify you about any changes to this Policy in a timely manner on our website (www.neseda.com) and by e-mail. If any of the changes require you to reissue you consent, we will ask you to do so.

  1. Policy in legal English (plain wording can be found here)

Following the provisions of Act no. 18/2018 Coll. on the protection of personal data, as amended by later legislation (hereinafter referred to as the “Act” or “Act No. 18/2018 Coll.”) we hereby provide the following information about the processing of your personal data as a Data Subject in connection with your subscription to the Neseda, j.s.a e-mail list:

  1. Definitions:
    1. Data Subject – a natural person who, by completing, sending and confirming the registration to the e-mail list, expresses their interest in being included in the Neseda, j.s.a. e-mail database.
    2. Data ControllerNeseda j.s.a., with registered office: Staré Grunty 12, 841 04 Bratislava – Karlova Ves City District, Slovak Republic, ID no.: 51 118 327, registered in the Commercial Register of the District Court Bratislava I, Section: Sja, Item no.: 25/B (hereinafter referred to as the “Data Controller”).
  2. In accordance with the provisions of Art. 13 GDPR, the Data Controller shall inform the Data Subject of the following:
    1. Data Controller’s identification data: Neseda j.s.a., with registered office: Staré Grunty 12, 841 04 Bratislava – Karlova Ves City District, Slovak Republic, ID no.: 51 118 327, registered in the Commercial Register of the District Court Bratislava I, Section: Sja, Item no.: 25/B
    2. The Data Controller can be contacted at the following e-mail address: info@neseda.com.
    3. The personal data dataset includes the first name, last name, e-mail address, IP address when signing up, and IP address when opening the e-mail.
    4. The purpose of personal data processing is the collection, storage and processing of personal data by the Data Controller and their use for marketing purposes – sending newsletters and marketing offers via bulk e-mail.
    5. The processing of personal data is carried out on the basis of consent issued by the Data Subject pursuant to the Regulation of the European Parliament and of the Council (EU) No. 2016/679 of April 27. 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”).
    6. The Data Controller stores and processes personal data for a maximum period of 2 years from the last consent to their storage, or for a legally established period.
    7. The Data Controller transfers the personal data to the United States of America due to the use of MailChimp and Google Suite tools, the servers of which are located in the USA. We process personal data through the Mailchimp online application, which has its data stored on the servers located in the USA. According to the decision of the European Commission, this country guarantees an adequate level of personal data protection. In addition, the operators of online applications provide adequate guarantees for the security of Consumer data and have guaranteed to process personal data in accordance with the GDPR.
    8. The Data Controller shall make it possible for the Data Subject to exercise their right of access to personal data pertaining to the Data Subject, right to rectification, erasure and restriction of processing of personal data, right to object to the processing of personal data and right to data portability.
    9. If the Data Subject suspects that their personal data are being processed unlawfully, they can file a complaint with the Office for Personal Data Protection of the Slovak Republic to initiate a procedure for the protection of personal data according to Article 100 of the Personal Data Protection Act.
    10. The provision of personal data referred to in point 2.3. by the Data Subject is voluntary.
  3. Information about the rights of the Data Subject: 
    The person providing personal data (the Data Subject) has the following rights in accordance with the provisions of Art. 15 to 22 and Art. 34 GDPR:

 

    1. Right of access by the Data Subject according to Art. 15 GDPR: The Data Subject has the right to know whether the Data Controller processes personal data about the Data Subject. The Data Subject has the right to access these personal data and the right to information specified in point 13.8.
    2. Right to rectification of personal data according to Art. 16 GDPR: The Data Subject has the right to make the Data Controller rectify incorrect personal data relating to the Data Subject without undue delay. Taking into account the purpose of personal data processing, the Data Subject has the right to supplement incomplete personal data.
    3. Right to erasure of personal data according to Art. 17 GDPR: The Data Subject has the right to have the Data Controller erase the personal data relating to the Data Subject without undue delay if the Data Subject exercised its right to erasure and:
      1. the personal data are no longer necessary for the purpose for which they were obtained or otherwise processed,
      2. the Data Subject revokes the consent on the basis of which the processing of personal data is carried out, and there is no other legal basis for the processing of personal data,
      3. the Data Subject objects to the processing of personal data and there are no valid reasons for the processing of personal data, or the Data Subject objects to the processing of personal data for the purpose of direct marketing,
      4. The personal data are processed illegally,
      5. The erasure is necessary due to the fulfillment of obligations according to the GDPR, Personal Data Protection Act, special regulations or international treaties by which the Slovak Republic is bound,
      6. The personal data were obtained in connection with offers of information society services.
    4. Right to restriction of processing of personal data according to Art. 18 GDPR: The Data Subject has the right for the Data Controller to restrict the processing of personal data if:
      1. The Data Subject objects to the correctness of personal data during the period allowing the Data Controller to verify the correctness of personal data,
      2. The processing of personal data is unlawful and the Data Subject objects to the erasure of personal data and instead requests the restriction of their use,
      3. The Data Controller no longer needs the personal data for the purpose of processing, but the Data Subject needs them to assert a legal claim,
      4. The Data Subject objects to the processing of personal data until it is verified whether the legitimate reasons on the part of the Data Controller prevail over the legitimate reasons on the part of the Data Subject.
        The Data Subject whose processing of personal data is to be restricted shall be informed by the Data Controller before the restriction of personal data processing is canceled.
    5. On the basis of Art. 19 GDPR, the Data Controller  is obliged, if the Data Subject so requests, to inform the Data Subject about the recipients who the Data Controller has notified regarding the correction, erasure or restriction of processing of personal data.
    6. Right to data portability according to Art. 20 GDPR: The Data Subject has the right to receive their personal data, which they provided to the Data Controller, in a structured, commonly used and machine-readable format, and has the right to transfer these personal data to another Data Controller.
    7. Right to object to the processing of personal data according to Art. 21 GDPR: The Data Subject has the right to object to the processing of their personal data for reasons related to their specific situation on a legal basis when the processing of personal data is necessary to fulfill a task carried out in the public interest or on the grounds that the processing is necessary for the purpose of legitimate interests of the Data Controller or a third party, including profiling based on these provisions. The Data Controller shall not continue to process the personal data if it cannot justify the legitimate interests of processing that override the interests of the Data Subject or the rights or reasons for the application of a legal claim. The Data Subject has the right to object to the processing of their personal data on the grounds relating to direct marketing, including profiling, in the extent related to direct marketing.
    8. On the basis of Art. 22 GDPR, the Data Subject has the right not to be subject to decisions based solely on the automated processing of personal data, including profiling, and having legal effects that concern or significantly affect the Data Subject.
    9. On the basis of Art. 34 GDPR, the Data Subject has the right to be notified by the Data Controller of any personal data protection violation without undue delay if such a personal data protection violation may lead to a high risk for the rights of natural persons.
    10. Provision of information to the Data Subject
      1. The Data Controller is obliged to provide the Data Subject with all information according to Art. 13 of GDPR and notices pursuant to Art. 15 to 22 and Art. 34 GDPR, which relate to the processing of their personal data. The information shall be provided in print or electronic form, and as a rule, in the same format in which the application was made. If so requested by the Data Subject, the Data Controller shall provide the information orally if the Data Subject verifies their identity by other means. When exercising the rights under Art. 15 to 22 GDPR, the Data Controller is obliged to provide cooperation to the Data Subject.
      2. The Data Controller is obliged to provide the Data Subject with all information according to point 1 within one month from the delivery of the request. This period can be extended by the Data Controller in substantiated cases, taking into account the complexity and number of requests, by additional two months, and even repeatedly. The Data Controller is obliged to inform the Data Subject about any such extension within one month from the receipt of the application together with the justification thereof.
      3. Information under point 1 shall be provided by the Data Controller free of charge.
      4. If the request of the Data Subject is clearly unsubstantiated or inappropriate, in particular due to its recurring nature, the Data Controller may demand a reasonable fee taking into account the administrative costs to provide the information, or a reasonable fee taking into account the administrative costs of issuing a notice, or a reasonable fee taking into account the administrative costs of the implementation of the required measures, or refuse to act upon the request.
    11. Restriction of the rights of the Data Subject
      The Data Controller shall inform the Data Subject on the restriction of the rights of the Data Subject in accordance with Art. 23 GDPR and Article 30 of the Personal Data Protection Act if the purpose of the restriction is not thereby jeopardized.
  2. The Data Controller is authorized to process personal data beyond the scope specified in Article XI, point 1 of these GTC, the processing of which is not compatible with the legal basis specified in Article XI, point 1 of these GTC, only on the basis of prior consent provided by the Consumer voluntarily and for a predetermined purpose, scope and time. The Consumer has the right to revoke the consent in writing at any time. The withdrawal of consent is effective on the day of delivery to the Data Controller.
  3. The Data Controller undertakes not to use or provide personal data beyond the scope necessary to provide the agreed e-mail marketing communication to which the granted consent applies.
  4. All personal data are protected in accordance with the applicable legal regulations, in particular the Personal Data Protection Act.
  5. The Data Controller undertakes to take all steps to ensure the highest level of protection of personal data of the Data Subject against loss, damage or destruction.
  6. Final provisions
    1. The wording dated May 21, 2018 represents the full version of this Privacy Policy and the Privacy Policy becomes effective on May 25, 2018.
    2. The Data Controller shall inform the Data Subjects about any changes to this Policy in a reasonable period before the effective date of such changes by publishing them in the Data Controller’s premises and on the Data Controller’s website (www.neseda.com).