Personal Data Processing Information
Information pursuant to Article 13 of Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”) and pursuant to the provisions of Section 19 of Act No. 18/2018 Coll. on the protection of personal data as amended (hereinafter referred to as the “Act on Personal Data Protection”).
The controller of personal data is CRYSTAL SKI, spol. s r.o., Company ID: 00 614360, with its registered office at: Hlavná 171/209, 032 02 Závažná Poruba, registered in the Commercial Register of the Žilina District Court, Section: Sro, File No.: 91/L (hereinafter referred to as the “Controller”).
Purpose of Data Processing
The processing of personal data is necessary to the following:
- the performance of a contract to which the Data Subject is a contracting party
- The personal data of the Data Subject will be processed for the duration of negotiations on the conclusion of the contract between the Controller and the Data Subject, for the purpose of concluding a contract for the lease of sports equipment (creation of a reservation for the service “Rental of Ski, Snowboarding and Ski Mountaineering Equipment”), as well as for the duration of the contractual relationship based on the contract for the lease of sports equipment.
- purposes of legitimate interests pursued by the Controller
- The personal data of the Data Subject shall be processed even after the termination of the contractual relationship based on the contract for the lease of sports equipment in order to assert the Controller’s claims against the Data Subject.
- fulfillment of the Controller’s legal obligation
- In order to fulfill the legal obligation to archive accounting documents pursuant to Act No. 563/1991 Coll. on Accounting, as amended, the personal data of the data subject will be further processed and stored for 10 years from the year following the year in which the contract between the Controller and the data subject was concluded.
In all the above cases, the Controller does not need the consent of the Data Subject for the processing of personal data.
Scope of Data Processing
The Data Subjects whose personal data the Controller processes are the Controller’s customers.
Personal data are processed to the extent that the Data Subject has provided them to the Controller in connection with the conclusion of a contractual relationship with the Controller. The Controller receives personal data directly from the Data Subjects.
Personal data processed by the Controller include the identification data of the Data Subject serving for the unambiguous and unmistakable identification of the Data Subject.
The Controller processes the personal data of the Data Subject to the following extent:
- - title, first name, surname, date of birth, permanent residence address, personal ID card number/passport number, telephone number, e-mail address
Data Retention Period
When handling personal data, the Controller observes the principle of minimization, and thus stores personal data only for the period of full settlement of the Data Subject’s obligations towards the Controller. In some cases, the retention period of personal data results from specific regulations (for example, keeping accounting documents for 10 years).
In the event of enforcement of the Controller’s rights, the personal data of the Data Subject may be transferred to a third party (e.g. a lawyer). Pursuant to legal regulations, the Controller is obliged to make personal data available to courts and law enforcement authorities, tax authorities or other entities provided for by law in the event of a legitimate and legal request.
Data Subject’s Rights with Regard to the Processing of Personal Data
Pursuant to Articles 15 to 22 of the GDPR and Sections 21 to 29 of the Privacy Act, the Data Subject has the right, upon written request, to require the Controller the following:
Right of Access to Personal Data
The Data Subject has the right to confirm whether personal data concerning him or her are processed by the Controller. The Controller is obliged to provide copies of personal data it processes about the data subject and at the same time inform the data subject about the purpose of processing, the category of personal data processed, recipients or recipients to whom personal data have been provided or are to be provided, the retention period of personal data, the right to request the Controller to correct personal data, delete them or limit their processing, or the right to object to the processing of personal data, the right to lodge a complaint with the Office for Personal Data Protection.
Right of Correction
When changing the personal data of the Data Subject, the Controller is obliged to correct them so that only current, complete and correct personal data of the Data Subject are processed. In the event of notification of changes by the Data Subject or finding that any personal data of the Data Subject is not up-to-date or correct, the Controller is obliged to make a correction.
Right of Deletion
The Controller is obliged, at the request of the Data Subject, to delete his or her personal data, where such data is no longer necessary for the purposes for which it was processed. This obligation is not absolute and therefore any request for deletion of data is subject to review. If the Controller needs the personal data of the Data Subject to assert its legal claims, the Data Subject’s request may be rejected (e.g. when registering an outstanding claim against the Data Subject).
Right of Restriction of Processing
If the Data Subject objects to the accuracy of personal data or considers the processing of personal data to be unlawful, or if the Data Subject needs personal data to assert legal claims or objects to a legitimate interest in the processing of personal data without consent, he/she has the right to restrict the processing of personal data until the reasons for objecting to the processing have been verified. During the restriction, personal data may not be handled except by statutory exceptions.
Right to Lodge a Complaint or Appeal to the Office for Personal Data Protection
If the Data Subject is not satisfied with the manner in which the Controller processes his or her personal data, he or she may contact the Controller at the following e-mail address: email@example.com.
If the response of the Controller is not satisfactory, the Data Subject may submit a complaint to the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.
Exercise of Data Subject’s Rights
The Data Subject may exercise his or her rights at any time in writing at the address of the Controller’s registered office or at firstname.lastname@example.org.