PPA CONTROLL, a.s. (Inc.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 17 055 164, Registration: Companies Register of the Bratislava I District Court, Section: Sa, Insert No. 159/B
PPA ENERGO s.r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 368 484, Registration: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 6646/B
PPA INŽINIERING (Engineering), s.r.o. (Ltd.), Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 31 376 045, Registration: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 7314/B
PPA TRADE, spol. s r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 409 776, Registration: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 7917/B
PPA POWER, s.r.o. (Ltd.), Registered office: Sládkovičova 47, 974 05 Banská Bystrica, Comp. Reg. No. 31 618 103, Registration: Companies Register of the Banská Bystrica District Court, Section: Sro, Insert No. 2302/S
PPA Power DS s.r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 368 514, Registration: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 6649/B
PPA SPRÁVA BUDOV (Facility Management), s.r.o. (Ltd.), Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 35 751 983, Registration: Companies Register of the Bratislava I District Court, Section: Sa, Insert No. 17810/B
(Hereinafter referred to as “PPA” or “we”). In the PPA Group, there is a person responsible for personal data protection, the Data Protection Officer (DPO), who is your contact point for answering any questions concerning the protection of personal data and for receiving and handling requests made by data subjects. DPO’s contact data:
Telephone number: +421 2 49237123
Correspondence address: Data Protection Officer (DPO), PPA CONTROLL, a.s., Vajnorská 137, 830 00 Bratislava
These privacy terms are primarily intended to ensure the fulfilment of the obligation to provide information pursuant to Art. 13 and 14 of the GDPR to data subjects whose personal data we process. Typically, it mainly concerns our employees or the employees of our business partners, clients or suppliers. In the processing of personal data, we primarily follow the EU General Data Protection Regulation (“GDPR”), which also governs your rights as a data subject,1 the provisions of the law on personal data protection that apply to us as well as other legislation. If you do not understand any of the information and/or the summary of the information contained herein, do not hesitate to contact our DPO.
Our commitment to protection of privacy: “Personal data under control”
Protecting your privacy is important to us. We do not protect personal data only because it is a legal obligation. We also see efficient protection of personal data in the broader context of our business activity, being the delivery of secure technologies. It is therefore our aim and intention to provide our services in a way that at all times ensures compliance with the fundamental rules and principles of privacy and in particular the protection of personal data. When reviewing our practices on personal data processing before 25 May 2018, we decided to introduce advanced, efficient and easy measures to ensure compliance with the GDPR. If you are our business partner and you are interested in our approach to the new rules on data protection, please contact our DPO.
Why do we process personal data?
Processing of personal data is necessary on our part, especially so that we can:
- provide our services and products, and for this purpose process personal data of our clients, suppliers, business partners, employees and other persons;
- effectively manage our human resources;
- fulfill various legal and contractual obligations and protect our legitimate interests.
|Category of purposes||No.||Purpose of personal data processing||Primary legal basis||PPA CONTROLL, a.s.||PPA ENERGO s.r.o.||PPA INŽINIERING, s.r.o.||PPA POWER DS s. r. o.||PPA POWER s.r.o.||PPA TRADE, spol. s r.o.||PPA Správa budov, s.r.o.|
|Human Resources Management||1.||Personnel and payroll purposes||Fulfilment of legal obligations||YES||YES||YES||YES||YES||YES||YES|
|Human Resources Management||2.||Photos of employees||Consent||YES||YES||YES||YES||YES||YES||NO|
|Human Resources Management||3.||Employer’s control mechanisms||Legitimate interest||YES||YES||YES||YES||YES||NO||NO|
|Human Resources Management||4.||Employee benefits agenda||Contract fulfilment||YES||YES||YES||YES||YES||YES||NO|
|Human Resources Management||5.||Retaining data on unsuccessful applicants||Consent||YES||YES||YES||YES||YES||NO||NO|
|Human Resources Management||6.||Purchased performances agenda||Contract fulfilment||YES||YES||YES||YES||YES||NO||NO|
|Human Resources Management||7.||Anti-radiation protection agenda||Fulfilment of legal obligations||NO||YES||NO||NO||NO||YES||NO|
|Human Resources Management||8.||Sharing employees’ data within the Group for administrative purposes||Legitimate interest||YES||YES||YES||YES||YES||YES||YES|
|Protection of rights and legitimate interests||9.||Reporting and recording of anti-social activities (Whistleblowing)||Fulfilment of legal obligations||YES||YES||NO||NO||NO||NO||NO|
|Protection of rights and legitimate interests||10.||Proving, exercise or defense of legal claims (legal agenda)||Legitimate interest||YES||YES||YES||YES||YES||YES||YES|
|Protection of rights and legitimate interests||11.||Data subjects’ rights agenda||Fulfilment of legal obligations||YES||YES||YES||YES||YES||YES||NO|
|Protection of rights and legitimate interests||12.||Registration of shareholders – natural persons||Fulfilment of legal obligations||YES||NO||NO||NO||NO||NO||NO|
|B2C contracts||13.||Performance of contractual relationships with individuals||Contract fulfilment||YES||YES||YES||YES||NO||YES||YES|
|Asset protection and security||14.||Asset protection and security||Legitimate interest||YES||YES||YES||YES||YES||NO||NO|
|Marketing and PR||15.||Operation of profiles on social networks||Legitimate interest||YES||NO||YES||YES||YES||NO||NO|
|Marketing and PR||16.||Marketing and PR purposes||Consent and/or legitimate interest||YES||YES||YES||YES||YES||YES||NO|
|Accounting and taxes||17.||Accounting and tax purposes||Fulfilment of legal obligations||YES||YES||YES||YES||YES||YES||YES|
|Archival purposes and statistics||18.||Archival purposes and registry management||Art. 89 of the GDPR.||YES||YES||YES||YES||YES||YES||YES|
|Archival purposes and statistics||19.||Statistical purposes||Art. 89 of the GDPR.||YES||YES||YES||YES||YES||YES||NO|
|Accommodation||20.||Book of guests and alien registration to the Slovak Ministry of Interior authorities||Fulfilment of legal obligations||YES||NO||NO||NO||NO||NO||NO|
|Employer’s control mechanisms||In particular, it concerns attendance and similar systems designed to monitor employees’ compliance with work discipline. We consider the monitoring of compliance with work discipline to be our legitimate interest, which indirectly also results from Art. 13 (4) of the Labor Code.|
|Sharing employees’ data within the Group for administrative purposes||Pursuant to Recital 48 of the GDPR: “Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.” When sharing employee data within the PPA Group, we consider administrative purposes related thereto to be our legitimate interest.|
|Proving, exercise or defense of legal claims (legal agenda)||In rare cases, we must prove, exercise or defend our legal claims in court or out of court or we have to notify certain facts to the public authorities, which we consider our legitimate interest.|
|Asset protection and security||We consider the asset protection and security in the companies belonging to the PPA Group, but also the asset protection and security of our employees and visitors, to be our legitimate interest. We rely on it in ensuring the security of our information assets and IT systems or in the physical protection of premises, for example, by using camera systems and gatehouse access control system.|
|Operation and management of profiles on social networks, including discussion forums||If we operate our own profiles on social networks (Facebook, LinkedIn), we rely on our legitimate interest of raising awareness about the PPA Group in the online environment.|
|Marketing and PR purposes||If we organize various events to which we invite our business partners, we rely on our legitimate interest of maintaining a sound relationship with our business partners.|
For what marketing and PR purposes do we process your personal data?
In the PPA Group, we do not distribute any email newsletter and thus we do not send any unsolicited communication within the meaning of Art. 62 of the Electronic Communications Act, because we do not consider it necessary in view of our B2B business model. Our customers are exclusively legal persons, which are, however, necessarily represented by natural persons (in particular the members of governing bodies) (hereinafter “business partners”). We obtain the contact data of our business partners within standard business communications related to the fulfilment of our business commitments. We consider maintaining a sound relationship with our business partners to be our legitimate interest, and therefore if you are our business partner, we are pleased to send you from time to time an invitation to corporate events or events organized by the PPA Group, based on this legitimate interest. The content of this communication is not an offer of our products or services addressed to you as a natural person, but only an invitation to a social event whose purpose is to maintain a sound relationship with you.
Notwithstanding the above, we consider it necessary in some cases to obtain your consent or permission in connection with our marketing and PR purposes, usually at the venue of the event. This could include the production of photo or video recordings of our corporate events that we can then send to you as a memento of the event. We can obtain consent or permission explicitly in writing or by reference to certain organizational instructions applicable to a particular area (e.g. photo-wall) in which the records are made.
- other companies belonging to the PPA Group, if there is a legal basis or contractual relationship for it;
- our verified and properly legally bound intermediaries;
- our professional advisers (e.g. lawyers, auditors);
- payroll and accounting firms;
- software equipment and cloud service providers (e.g. Microsoft One Drive and Sharepoint);
- technical (IT) and organizational (event agency) support providers of our company;
- institutions in meeting our legal obligations for the above purposes of personal data processing, e.g. social insurance company, pension fund management companies, supplementary pension saving banks, health insurance companies, the Office of Social and Family Affairs and tax office;
- mail carriers and courier services;
- employees of the aforementioned entities.
If we use an intermediary for the processing of personal data, we always check in advance whether the intermediary meets the requirements of organizational and technical nature in terms of ensuring the security of the processing of your personal data. If we use our own beneficiaries (internal personnel of the PPA Group), your personal data are always processed on the basis of mandates and guidelines by which we instruct our beneficiaries not only about internal privacy policies, but also about their legal liability for their violation. If we are asked by public authorities for access to your personal data, we examine the legislatively set conditions for making them available so we do not provide your personal data before we check that the necessary terms are met. If you would like information regarding our current intermediaries, please contact us through our DPO.
To which countries do we transmit your personal information?
By default, we do not transmit personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein), if it is not necessary. In some cases, however, the cross-border transmission of personal data to third countries may be necessary. For example, if you are our employee and/or contractor who we need to send to a third country in the fulfillment of our commitments to our clients in Cuba, Venezuela, Ukraine and/or the Russian Federation and we need your personal data to carry out the visa process, we need to provide your personal information to the authorities in that third country through consulates or embassies. Although we have never seen any problem with the misuse of any personal data in these countries, in line with the decisions of the European Commission, these countries are considered to be countries which do not ensure an adequate level of protection (of personal data), and therefore we must proceed on the basis of appropriate safeguards pursuant to Art. 47 of the GDPR or on the basis of exceptions for specific situations according to Art. 49 of the GDPR. By default, therefore we strive to conclude the so-called standard contractual clauses approved by the European Commission with the data importer in a third country – and if that is not possible – you will be asked in advance for granting specific informed consent to the performance of such processing operation in accordance with Article 49 (1) (a) of the GDPR, if you are not in such a range of employees with whom we have entered into special labor contracts for the fulfilment of which it is necessary to carry out the cross-border transmission of personal data to a third country.
In addition, we use secure cloud services of a verified provider of servers located in the jurisdiction of the EU, while the cross-border transmission of data to the USA can take place on the part of the cloud services provider, who is our intermediary. This intermediary is Microsoft Inc., a company certified by the system of legal safeguards known as the Privacy Shield (URL: https://www.privacyshield.gov/welcome). Such transmissions have then the character of cross-border transmission of personal data to a third country which ensures an adequate level of protection on the basis of a decision of the European Commission. You can learn more information on specific legal safeguards for these potential cross-border data transmissions which also contain your personal data in the Microsoft statement with regard to personal data protection (URL: https://privacy.microsoft.com/sk-sk/privacystatement) as well as in the answers to specific legal safeguards for cross-border transmissions (URL: https://products.office.com/sk-sk/business/office-365-trust-center-eu-model-clauses-faq).
General retention periods for personal data for our specified purposes of personal data processing are as follows:
|Purpose||General retention period for personal data:|
|Personnel and payroll purposes||During the course of employment and expiry of statutory periods for retaining certain types of documents (usually 10 years after termination of employment).|
|Photos of employees||During the course of employment.|
|Employer’s control mechanisms||4 years.|
|Employee benefits agenda||During the term of contractual relationship.|
|Retaining data on unsuccessful applicants||2 years.|
|Purchased performances agenda||During the term of contractual relationship.|
|Anti-radiation protection agenda||5 years after termination of employment.|
|Sharing employees’ data within the Group for administrative purposes||Usually during the course of employment.|
|Reporting and recording of anti-social activities (Whistleblowing)||3 years of receipt of the complaint.|
|Proving, exercise or defense of legal claims (legal agenda)||Until the limitation of rights.|
|Data subjects’ rights agenda||Until the limitation of rights.|
|Registration of shareholders – natural persons||During the course of shareholding relationship.|
|Performance of contractual relationships with individuals||During the term of contractual relationship with a natural person.|
|Asset protection and security||3 years.|
|Operation of profiles on social networks||Until removal of text by the data subject himself/herself, until the removal of text from our profile or at the request of the data subject for erasure of personal data. Messages through social networking are normally erased once a year.|
|Marketing and PR purposes||2 months after the event. We retain photos and videos from our events for the period specified in the notice or consent to make photos or videos at the venue of the event. Typically, this may be a period of 3 years.|
|Accounting and tax purposes||During the ten years following the financial year to which the accounting documents, accounting books, lists of the books, lists of codes or other symbols and abbreviations used in accounting, depreciation plan, inventories, inventory records, chart of accounts refer.|
|Archival purposes and registry management||During the retention period according to records schedule.|
|Statistical purposes||During the term/existence of other processing purposes.|
|Book of guests and alien registration to the Slovak Ministry of Interior authorities||Maximum for a period of time in accordance with Art. 43 of Act No. 582/2004 Coll. on local taxes determined by the relevant generally binding regulation of a municipality and in relation to alien personal data, which we report to the competent public authorities according to Art. 24 (2) of Act No. 253/1998 Coll., for 2 years.|
The above-mentioned retention periods are only general periods during which the processing of personal data takes place for those purposes. In reality, however, we proceed to the liquidation or anonymization of personal data before the end of these general periods if we consider the personal data unnecessary in view of the aforementioned purposes of processing. Conversely, in some specific situations, your personal data can be kept for longer, as mentioned above, if it is required by law or our legitimate interest. If you would like information on a specific retention period for retaining your personal data, please do not hesitate to contact us through our DPO.
- by registering on our website (as a job seeker);
- in the process of concluding a contract with our company;
- in communication with you;
- by participating in events organized by our company;
- by participating in the activities of our company on social network;
- by sending the contact form with your comments, questions or issues.
We may also obtain your personal data from your employer or from the company in relation to which your personal data are processed. Most often these are the cases where we enter into or negotiate a contractual relationship or the terms thereof with the particular company. If the obtaining of personal data relates to the contractual relationship, it is most commonly a contractual requirement or a requirement that is necessary to conclude a contract. Failure to provide personal data (whether yours or your colleague’s) can have negative consequences for the organization that you represent, as it may prevent the conclusion or implementation of the contract. If you are a member of the statutory body of the organization which is our contracted party or with which we are negotiating the conclusion of a contractual relationship, we can obtain your personal data from publicly available sources and registers. We do not further systematically process any accidentally collected personal data in any way for any of the purposes of personal data processing defined by us.
“You have the right to object to the processing of your personal data based on legitimate interests pursued by us, as explained above. You also have this right to the processing of personal data on the legal basis of public interest, which we do not perform.”
If you exercise this right, we will be happy to show you the way by which we have evaluated these legitimate interests as outweighing the rights and freedoms of data subjects.
The GDPR lays down the general conditions governing the exercise of your individual rights. Their existence does not automatically mean that a request to exercise an individual right will be accommodated on our side, as exceptions can apply in specific cases and some rights are linked to specific conditions which may not be met in every case. We will always address and examine your request regarding a particular right in terms of legislation and our internal policy for handling complaints of data subjects. As a data subject you have in particular:
- The right to request access to your personal data that we process, in accordance with Article 15 of the GDPR. This right includes the right to confirmation whether we process your personal data, the right to obtain access to this data and the right to obtain a copy of your personal data that we process, if technically feasible;
- The right of rectification and completion of your personal data in accordance with Article 16 of the GDPR if we process incorrect or incomplete personal data;
- The right to erasure of your personal data in accordance with Article 17 of the GDPR;
- The right to restriction of processing your personal data in accordance with Article 18 of the GDPR;
- The right to data portability in accordance with Article 20 of the GDPR.
If you believe that we process incorrect personal data concerning you with regard to the purpose and circumstances and you are unable to change such personal data through features of the application, account or website, you can request the rectification of incorrect or completion of incomplete personal data by filling in a supplementary statement (all information is optional) and/or by contacting us via our contact details:
|Supplementary statement of rectification of personal data|
|Your name and surname:|
|Relevant purpose of processing by the PPA Group:||Please specify which PPA Group purpose of processing your request concerns.|
|Context or relationship between you and the PPA Group:||Please indicate whether you are our employee, business partner, a person interested in employment and the like.|
|Nature of your rectification:||Please explain whether you request rectification of incorrect personal data or completion of incomplete personal data.|
|Context of your request for rectification:||Please explain why you believe we process inaccurate or incomplete personal data about you.|
|Rectification:||Please indicate which specific personal data you request to rectify or complete.|
Please send this supplementary statement of rectification to firstname.lastname@example.org
You also have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic or bring an action before the competent court. In any case, we recommend resolving any disputes, questions or objections primarily by communicating with us.
Is there automated individual decision-making?
No, we currently do not perform any processing operations on the basis of which decisions having legal effect or other major impact on your person would be taken solely by fully automated processing of your personal data within the meaning of Art. 22 of the GDPR.
How do we use your personal data?
It is our duty to protect your personal data in an appropriate manner and therefore we pay adequate attention to their protection. Our company has implemented generally accepted technical and organizational standards to maintain the security of personal data, in particular against loss, misuse, unauthorized modification, destruction, or other impact on the rights and freedoms of data subjects. In situations where sensitive data is transmitted, we use encryption technology; see e.g. communication with the payment gateway. Your personal information is stored on our secure servers or servers of our website operators that are located in data centers in the Slovak Republic and the Czech Republic. When we use third-party analytic tools, data are stored on the servers of those third parties (see cookies).
Personal data protection is not a one-off exercise for us. The information that we are obliged to provide to you with regard to our personal data processing can change or become out-of-date. For this reason, we reserve the right to modify and change these terms at any time and to any extent. If we change these conditions significantly, we will advise you of such change, for example, by a general notice on this website or a special notification by e-mail.
The management of PPA CONTROLL, a.s.
Bratislava, 25 May 2018
1 See Art. 12 to 22 of the GDPR: http://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=CELEX%3A32016R0679&from=EN