Terms and Conditions

Delivery, payment and complaint conditions

A confirmed order from us to your e-mail is binding. We will deliver the goods within 5 working days, in exceptional cases within 14 days for cash on delivery, after agreement it is possible to pay for the order by bank transfer or via the tatrapay+ service. Shipments are usually shipped within 2 working days after receipt of payment.

You can return the goods without giving a reason within 14 days in the original packaging, undamaged, unused. After a telephone agreement, the goods can be exchanged. The color shades of the products may actually differ from the shades in the online store, which may be caused by the settings of your monitor. Therefore, consider the color scales as indicative and cannot be taken into account when making a complaint.

  • Slovak Post: Slovak Republic - €6.77 incl. VAT
  • Slovak Post (Package Insurance): Czech Republic - €12.92 incl. VAT
  • Slovak Post (Package Insurance): EU - €20.00 excluding VAT
  • Slovak Post: Outside the EU - €21.00 excluding VAT
  • Slovak Post: USA, Japan - €26.00 excluding VAT
  • We do not charge postage over 70 Euros in Slovakia.

The information will only be used for this transaction and will never be shared with other entities or used in any other form.

ORGANIZATIONAL GUIDELINE FOR THE PROCESSING AND PROTECTION OF PERSONAL DATA IN THE ORGANIZATION

According to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR) and according to the provisions of Act 18/2018 Coll., of 29 November 2017 on the protection of personal data and on amending and supplementing certain acts (hereinafter referred to as ZoOOÚ)

It contains the technical and organizational measures that our company has undertaken to comply with, as it is responsible under Article 24 of the GDPR, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR.

Company:

DOHIKU, s.r.o.
Rudlovská cesta 47
974 01 Banská Bystrica
IČO: 44875118

Supervisory authority:

Úradu na ochranu osobných údajov Slovenskej republiky
Hraničná 12, 820 07 Bratislava 27
Tel: 02/ 32 31 3214
E-mail: statny.dozor@pdp.gov.sk
(hereinafter referred to as the "supervisory authority")

1. Definition of basic terms

data subject means any natural person whose personal data are processed,

operator means anyone who, alone or jointly with others, determines the purpose and means of processing personal data and processes personal data on his own behalf; the operator or specific requirements for his determination may be laid down in a special regulation or an international treaty by which the Slovak Republic is bound, if such regulation or this treaty lays down the purpose and means of processing personal data,

a processor is anyone who processes personal data on behalf of the controller,

processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, in particular collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, whether or not by automated means,

consent of the data subject means any meaningful and freely given, specific, informed and unambiguous indication of the data subject's wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data.

information system means any structured set of personal data that is accessible according to specified criteria, regardless of whether it is a centralized, decentralized or distributed system on a functional or geographical basis,

biometric data means personal data resulting from specific technical processing of personal data relating to the physical characteristics of a natural person, the physiological characteristics of a natural person or the behavioural characteristics of a natural person and which allow for the unique identification or confirm the unique identification of that natural person, such as in particular a facial image or dactyloscopic data,

by restricting the processing of personal data

marking of stored personal data in order to limit their processing in the future,

profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics or features relating to a natural person, in particular to analyse or predict the data subject's characteristics or features relating to his or her performance at work, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements,

pseudonymisation means the processing of personal data in such a way that they cannot be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified natural person or an identifiable natural person,

encryption, the transformation of personal data in a way that makes reprocessing possible only after entering a selected parameter, such as a key or password,

online identifier means an identifier provided by an application, tool or protocol, in particular IP address, cookies, login details for online services, radio frequency identification, which may leave traces which, in particular in combination with unique identifiers or other information, may be used to create a profile of the data subject and to identify him/her,

Personal data breach means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, transmitted, stored personal data or otherwise processed personal data,

recipient means anyone to whom personal data are provided, regardless of whether they are a third party; a public authority that processes personal data on the basis of a special regulation or an international treaty by which the Slovak Republic is bound, in accordance with the personal data protection rules applicable to the given purpose of processing personal data, is not considered a recipient,

third party means anyone who is not the data subject, the controller, the intermediary or another natural person who processes personal data on the basis of the authorization of the controller or the intermediary.

2. Mapping of personal data

Our company has decided to define what personal data it processes in order to be able to analyze the processing of personal data and ensure compliance with the GDPR. We define individual categories of personal data as individual information systems.

  1. IS Customers
    name, surname, title, street and number, zip code, city, email, telephone contact, title, age purpose of processing: issuing a tax document, contact with the customer, performance of the contract
  2. IS Marketing
    Email addresses, telephone contacts
    Purpose: sending marketing and advertising emails

3. Principles of personal data processing (Article 5 GDPR)

Our company will adhere to the following principles of personal data processing:

3.1. Lawfulness, fairness and transparency (Article 5(1)(a) GDPR)

Personal data will be processed lawfully, fairly and transparently in relation to the data subject (“lawfulness, fairness and transparency”);

3.1.1. Lawfulness of processing (Article 6 GDPR)

Our company is committed to processing data only in a lawful manner so as not to infringe the fundamental rights of the data subject. The processing of personal data by our company will be lawful by ensuring that it is carried out on the basis of at least one of the following legal bases:

  1. the data subject has consented to the processing of his or her personal data for one or more specific purposes;
  2. the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  3. the processing of personal data is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound (Section 13(1)(c) of the Personal Data Protection Act)
  4. processing is necessary to protect the vital interests of the data subject or another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The legal basis for individual information systems (IS) is as follows:

  1. IS customers

    Legal basis – Article 6(1) 1. letter c) GDPR - processing of personal data (name, surname, title, street and number, postal code, city) is necessary according to a special regulation or an international treaty by which the Slovak Republic is bound. In particular, according to Act No. 222/2004 Coll. on Value Added Tax

    Právny základ – článok 6, ods. 1. písmeno b) GDPR - spracúvanie osobných údajov (email, telefónny kontakt) je nevyhnutné na plnenie zmluvy.

    Legal basis – Article 6(1) 1. letter a) GDPR - the data subject has consented to the processing of their personal data for at least one specific purpose,

  2. IS Marketing

    Legal basis – Article 6(1) 1. letter a) GDPR - the data subject has consented to the processing of their personal data for at least one specific purpose.

3.2. Purpose limitation principle (Article 5(1)(b) GDPR)

Our company will collect personal data only for specified, explicit and legitimate purposes and shall not further process it in a manner incompatible with those purposes. Our company will inform the data subject of the purpose of processing personal data before processing it.

In the personal data mapping section, we have set the purposes of processing individual ISs and we will process personal data only for the purposes specified in this section.

3.3. Principle of personal data minimization (Article 5(1)(c) GDPR)

Our company will process personal data in a way that is adequate, relevant and limited to the necessary extent given the purpose for which it is processed.

In order to ensure the minimization of personal data, our company has decided to analyze whether the processed data is adequate, relevant and limited to the extent necessary in relation to the purposes for which it is processed.

The following categories are analyzed, the specific types of personal data are listed in the "personal data mapping" section.

  1. IS Customers

    All processed data is necessary. It is processed for the purposes of issuing a tax document, contacting the customer and fulfilling the contract.

  2. IS Marketing

    All processed data is necessary

3.4. Principle of accuracy (Article 5(1)(d) GDPR)

Our company will process personal data in a way that is accurate and, where necessary, kept up to date; and will take appropriate and effective measures to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay.

To ensure the principle of accuracy, our company has the following wording in its written consent to the processing of personal data:

"The data subject is obliged to provide true and up-to-date personal data. In the event of a change in personal data, the data subject is obliged to notify the controller of the change without delay."

3.5. Principle of retention minimization (Article 5(1)(e) GDPR)

Our company will store personal data in a form that allows identification of the data subject for no longer than is necessary for the purpose for which the personal data are processed.

3.6. Principle of integrity and confidentiality (Article 5(1)(f) GDPR)

Personal data will be processed in our company in a manner that guarantees adequate security of personal data, including protection against unauthorized processing of personal data, unlawful processing of personal data, accidental loss of personal data, deletion of personal data or damage to personal data, through appropriate technical or organizational measures.

3.6.1. Personal data stored in electronic documents

Our company uses ESET antivirus and firewall. We back up electronic documents to an external drive. Our corporate network is password protected, known only to authorized persons, and we use the WPA protocol.

3.6.2. Personal data stored in paper (printed) form

Paper documents are stored in a lockable office, thus protecting them from access by unauthorized persons.

3.7. Principle of accountability (Article 5(2) GDPR)

Our company is responsible for adhering to the basic principles of personal data processing, for the compliance of personal data processing with the principles of personal data processing, and is obliged to demonstrate this compliance with the principles of personal data processing upon request by the authority.

4. Conditions for providing consent to the processing of personal data (Article 7 GDPR)

The company will ensure that the following conditions are met when the data subject expresses consent:

  1. Consent to the processing of personal data must be expressed freely, specifically, informedly and by an unambiguous expression of will.
  2. The request for consent must be presented in a way that is clearly distinguishable from these other facts, in an intelligible and easily accessible form and formulated in a clear and simple manner.
  3. The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject must be informed of this fact before consent is given. The withdrawal of consent must be as easy as giving it.

Our company has revised written consents for the processing of personal data to meet GDPR requirements.

5. Conditions applicable to the consent of a child in relation to information society services (Article 8 GDPR)

Where Article 6(1)(a) applies, in relation to the offering of information society services addressed directly to a child, the processing of a child's personal data shall be lawful only if the child is at least 16 years of age. Where the child is under 16 years of age, such processing shall be lawful only on the condition that and to the extent that such consent has been given or approved by the holder of parental responsibility.

Our company will make reasonable efforts to verify in such cases that the holder of parental rights and responsibilities has expressed consent or approved it, taking into account available technology.

6. Processing of special categories of personal data (Article 9 GDPR)

The GDPR prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the individual identification of a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

However, this prohibition does not apply if any of the conditions of Article 9(2)(a) – (j) of the GDPR apply.

7. RIGHTS OF THE DATA SUBJECT (Chapter 3 GDPR)

The rights of the data subject are regulated by Chapter 3 of the GDPR and our company undertakes to comply with them. These include, for example, the following rights:

7.1. Information to be provided when collecting personal data from the data subject (Article 13 GDPR)

Our company will provide the data subject with the following information when processing personal data:

  1. data about our company,
  2. contact details of any responsible person,
  3. purposes of processing,/li>
  4. the legal basis for processing,
  5. if the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or a third party,
  6. recipients or categories of recipients of personal data, if any,
  7. where relevant, information that our company intends to transfer personal data to a third country or international organization,
  8. the period of retention of personal data or, if this is not possible, the criteria for determining it,
  9. the existence of the right to request from the controller access to personal data concerning the data subject and the right to rectify or erase them or to restrict processing, or the right to object to processing, as well as the right to data portability,
  10. where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent given before its withdrawal,
  11. the right to lodge a complaint with a supervisory authority,
  12. information on whether the provision of personal data is a legal or contractual requirement, or a requirement that is necessary for the conclusion of a contract, whether the data subject is obliged to provide personal data, as well as the possible consequences of failure to provide such data,
  13. the existence of automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR, and at least in these cases, meaningful information about the process involved, as well as the significance and envisaged consequences of such processing for the data subject.

7.2. Information to be provided where personal data have not been obtained from the data subject (Article 14 GDPR)

Our company will provide the data subject, if these personal data were not obtained from them, with all the information specified in point 7.1 of this organizational guideline, as well as the source from which the personal data originates, or information on whether the data originates from publicly accessible sources.

Our company will provide this information to the data subject within a reasonable period of time after obtaining the personal data, but no later than one month, taking into account the specific circumstances under which the personal data are processed as referred to in Article 14(3) of the GDPR.

Our company will not provide this information to the data subject in the cases referred to in Article 14(5) of the GDPR, in particular if:

  1. the data subject already has the information,
  2. the provision of such information proves impossible or would require a disproportionate effort,
  3. the acquisition or provision is expressly provided for in Union law or in the law of a Member State to which the controller is subject and which lays down suitable measures to safeguard the legitimate interests of the data subject.

7.3. The data subject's right to access data (Article 15 GDPR)

The data subject has the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed and, if so, the right to access those personal data.

7.4. Right to rectification (Article 16 GDPR)

The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by providing a supplementary statement.

7.5. Right to erasure (right to be forgotten, Article 17 GDPR)

The data subject also has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
  2. the data subject withdraws consent on the basis of which the processing is carried out, pursuant to Article 6(1)(a) or Article 9(2)(a), and where there is no other legal basis for the processing,
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21(1) 2,
  4. personal data was processed unlawfully,
  5. the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject,
  6. the personal data were collected in connection with the offer of information society services pursuant to Article 8(1) 1..

7.6. Right to restriction of processing (Article 18 GDPR)

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

  1. the data subject contests the accuracy of the personal data, during a period allowing the controller to verify the accuracy of the personal data,
  2. the processing is unlawful and the data subject objects to the erasure of the personal data and requests the restriction of their use instead,
  3. the controller no longer needs the personal data for the purposes of processing, but the data subject needs them to establish, exercise or defend legal claims,
  4. the data subject has objected to processing pursuant to Article 21(1), pending verification whether the legitimate grounds of the controller override those of the data subject.

Notification obligation in connection with the rectification or erasure of personal data or restriction of processing (Article 19 GDPR)

The controller shall communicate to each recipient to whom the personal data have been disclosed any rectification or erasure of personal data or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject of these recipients if the data subject so requests.

7.7. Right to data portability (Article 20 GDPR)

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:

  1. the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a), or on a contract pursuant to Article 6(1)(b), and
  2. if the processing is carried out by automated means.

When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible.

7.8. Right to object (Article 21 GDPR)

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is carried out on the basis of point (e) or (f) of Article 6(1), including profiling based on those provisions.

7.9. Automated individual decision-making, including profiling (Article 22 GDPR)

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

8. Responsibility of the CONTROLLER (Article 24 GDPR)

Our company, as the operator, undertakes to comply with the following general obligations:

  1. Taking into account the nature, scope and purpose of the processing of personal data and the risks of varying likelihood and severity for the rights of natural persons, we undertake to take appropriate technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR.
  2. We will update the above measures as necessary.
  3. We will regularly review the duration of the purpose of processing personal data and, after its fulfillment, ensure the deletion of personal data without undue delay.
  4. Our company will maintain confidentiality regarding the personal data it processes. The obligation of confidentiality continues even after the processing of personal data has ended.

9. Data protection by design and by default (Article 25 GDPR)

Our company undertakes to implement and maintain a specifically designed personal data protection policy before processing personal data, which consists of adopting appropriate technical and organizational measures, for example in the form of pseudonymization, to effectively implement adequate safeguards for the protection of personal data and comply with the GDPR.

Our company undertakes to take into account the latest knowledge of personal data protection, the costs of implementing the measures, the nature, scope, context and purpose of the processing of personal data, and the risks of personal data processing of varying likelihood and severity that the processing of personal data poses to the rights of the data subject when specifically designed for personal data protection.

Our company is committed to implementing standard personal data protection, which consists of adopting appropriate technical and organizational measures to ensure that personal data is processed only for a specific purpose, minimizing the amount of personal data obtained and the scope of its processing, the retention period and availability of personal data. Our company will ensure that personal data are not accessible to an unlimited number of natural persons without the intervention of the natural person by default.

10. Processor (Article 28 GDPR)

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Our company, as the controller, uses processors who process personal data on its behalf. These include, for example, accounting and law firms.

The following intermediaries process data for our company:

  • Vladimíra Áčová, Továrenská 50, 975 31 Vlkanová, ID number: 40963314

Our company will only use processors providing sufficient guarantees that appropriate technical and organizational measures will be taken to ensure that the processing meets the requirements of the GDPR and that the rights of the data subject are protected.

Processing by the processor for our company is governed by a "personal data processing agreement", a template of which is attached to this document. It binds the processor to the controller and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller and the processor.

Our company will sign amendments to the contracts with the aforementioned intermediaries so that the contracts meet all GDPR requirements.

11. Records of processing activities (Article 30 GDPR)

11.1. Records of the controller's processing activities

Our company, as the controller, keeps records of processing activities and will make them available to the supervisory authority upon request. These records contain the following data:

  1. name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the responsible person,
  2. purposes of processing,
  3. description of the categories of data subjects and categories of personal data,
  4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations,
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation in question and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards,
  6. where possible, the expected deadlines for erasing different categories of data,
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1). 1. GDPR.

11.2. Records of the processor's processing activities

Our company, as a processor, keeps records of processing activities and will make them available to the supervisory authority upon request. These records contain the following data:

  1. the name and contact details of the processor or processors and of each controller on whose behalf the processor acts and, where applicable, of the controller's or processor's representative and the responsible person,
  2. the categories of processing carried out on behalf of each controller,
  3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation in question and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
  4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1). 1. GDPR.

12. Security of processing (Article 32 GDPR)

Taking into account the latest knowledge, the costs of implementing the measures and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, our company will adopt appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

Authorization to process personal data (Article 32(4) GDPR)

Our company will take steps to ensure that any natural person acting on behalf of the controller or processor who has access to personal data processes such data only on our instructions, except where required to do so by Union or Member State law.

13. Notification of a personal data breach to the supervisory authority (Articles 33 and 34 GDPR)

In the event of a personal data breach, our company shall notify the personal data breach to the supervisory authority without undue delay and, where possible, no later than 72 hours after having become aware of it. If the notification has not been submitted to the supervisory authority within 72 hours, it shall be accompanied by a justification for the delay.

The personal data breach notification will include at least:

  1. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and approximate number of personal data records affected,
  2. contact details of the responsible person in our company, where more information about the personal data breach can be obtained,
  3. a description of the likely consequences of a personal data breach,
  4. a description of the measures taken or proposed by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its potential adverse consequences.

Our company documents each case of a personal data breach, including the facts associated with the personal data breach, its consequences, and the remedial measures taken.

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, our company will notify the data subject of the personal data breach without undue delay.

14. Data protection impact assessment (Article 35)

If the type of processing, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the impact of the planned processing operations on the protection of personal data prior to processing.

A data protection impact assessment is required in particular in cases of:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and which results in decisions having legal effects concerning the natural person or having a similarly significant effect on him/her,
  2. processing on a large scale of special categories of data pursuant to Article 9(1) or personal data relating to the conviction of criminal offences and misdemeanours pursuant to Article 10, or,
  3. systematic monitoring of publicly accessible places on a large scale.

Our company's processing activities do not include the cases listed above, therefore it is not necessary to conduct a personal data protection impact assessment.

15. Designation of the responsible person (Chapter 4 Section 4 GDPR)

The operator is obliged to designate a responsible person if:

  1. the processing of personal data is carried out by a public authority or a public institution, except for courts in the exercise of their judicial powers,
  2. the core activities of the controller or processor are processing operations which, by virtue of their nature, scope or purpose, require regular and systematic monitoring of the data subject on a large scale or,
  3. the main activities of the controller or processor are the processing of special categories of personal data pursuant to Article 9 of the GDPR on a large scale or the processing of personal data relating to the admission of guilt for a criminal offence or misdemeanour pursuant to Article 10 of the GDPR on a large scale.

Since our company does not meet any of the aforementioned conditions, it does not designate a responsible person.

16. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

The transfer of personal data that are being processed or are intended to be processed after transfer to a third country or an international organisation may only take place if the controller and the processor comply with the conditions, including the conditions for the onward transfer of personal data from the third country or international organisation in question to another third country or another international organisation.

The Personal Data Protection Office publishes on its website a list of third countries, territories and designated sectors within a given third country and international organisations for which the European Commission has decided that an adequate level of protection is guaranteed or that an adequate level of protection is no longer guaranteed.

The list is available on the website https://dataprotection.gov.sk/uoou/sk/content/prenos-do-krajin-zarucujucich-primeranu-uroven-ochrany

Our company will regularly monitor this list and, if it transfers personal data to countries outside the list of the Personal Data Protection Authority, it will proceed in accordance with Chapter 4 of the GDPR.

17. Confidentiality (Section 79 of the Privacy Act)

Our company is obliged to maintain confidentiality regarding the personal data it processes. The obligation of confidentiality continues even after the processing of personal data has ended.

Our company is also obliged to maintain confidentiality regarding the personal data of individuals who come into contact with personal data at the controller or intermediary. The confidentiality obligation according to the first sentence must continue even after the termination of the employment, civil service, service relationship or similar employment relationship of this individual.