The Terms of Privacy Policy

This Privacy Policy explains how we process personal data in the provision of our company’s services within the PPA CONTROLL Group:

PPA CONTROLL, a.s. (Inc.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 17 055 164, Registered in: Companies Register of the Bratislava I District Court, Section: Sa, Insert No. 159/B

PPA ENERGO s.r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 368 484, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 6646/B

PPA INŽINIERING (Engineering), s.r.o. (Ltd.), Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 31 376 045, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 7314/B

PPA TRADE, spol. s r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 409 776, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 7917/B

PPA POWER, s.r.o. (Ltd.), Registered office: Sládkovičova 47, 974 05 Banská Bystrica, Comp. Reg. No.: 31 618 103, Registered in: Companies Register of the Banská Bystrica District Court, Section: Sro, Insert No. 2302/S

PPA Power DS s.r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 368 514, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 6649/B

PPA SPRÁVA BUDOV (PPA Building Management), s.r.o. (Ltd.), Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 35 751 983, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 17810/B

LiV ELEKTRA, a.s. (Inc.), Registered office: Priemyselná 10, 821 09 Bratislava, Slovakia, Comp. Reg. No.: 35 769 840, Registered in: Companies Register of the Bratislava I District Court, Section: Sa, Insert No. 2170/B

(Hereinafter collectively referred to as “PPA” or “we”). Due to the fact that the PPA CONTROLL Group consists of several closely interconnected and cooperating companies with their own legal personality, we process your personal data mainly as a joint controller on the basis of an agreement concluded in accordance with Art. 26 (1) of the General EU Data Protection Regulation (“GDPR”).

It follows from the basic parts of the above agreement that the PPA designates one (joint) responsible person (hereinafter the “Data Protection Officer” or “DPO”), who serves as your contact point for applying any GDPR-related requests while, at the same time, we fulfil our information obligation according to Art. 13 and Art. 14 of the GDPR together through this Privacy Policy. To make it simple, this policy specifies all common processing purposes for which your personal data may be processed within our group. If you have any questions regarding the protection of your personal data, please contact our DPO:

E-mail: dpo@ppa.sk

Phone: +421 2 49237123

Correspondence address: Data Protection Officer (DPO), PPA CONTROLL, a.s., Vajnorská 137, 830 00 Bratislava

The PPA Group also includes several “ready-made” companies that have no employees and do not perform any activities related to personal data processing.[1]

Our commitment to protection of privacy: “Personal data under control”

Protecting your privacy is important to us. We do not protect personal data only because it is our legal duty. We also see efficient protection of personal data in the broader context of our business activity, which is the delivery of secure technologies. It is therefore our aim and intention to provide our services in a way that at all times ensures compliance with the fundamental rules and principles of privacy protection, in particular the protection of personal data. When reviewing our practices on personal data processing before 25 May 2018, we decided to introduce advanced, efficient and easy measures to ensure GDPR compliance. If you are our business partner and you are interested in our approach to the new rules on personal data protection, please contact our DPO.

Why do we process personal data?

Processing of personal data is necessary on our part, especially so that we can:

  • provide our services and products, and for this purpose process personal data of our clients, suppliers, business partners, employees and other persons;
  • effectively manage our human resources;
  • fulfil various legal and contractual obligations and
  • protect our legitimate interests.

[1] D1 PARK Infra, s.r.o., Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 47 256 061, Registered in: Companies register of the Bratislava I District Court, Section: Sro, Insert No.: 101495/B; FTVE 3, s.r.o., Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 45 879 249, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No.: 78769/B; Power SP, s.r.o., Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 52 068 650, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 132879/B; PPA 1, s.r.o., Registered office: Radlinského 297/7, 010 01 Žilina, Comp. Reg. No.: 52 798 801, Registered in: Companies Register of the Žilina District Court, Section: Sro, Insert No.: 73652/L; PPA 2, s.r.o., Registered office: Radlinského 297/7, 010 01 Žilina, Comp. Reg. No.: 52 799 212, Registered in: Companies Register of the Žilina District Court, Section: Sro, Insert No.: 73685/L;

The overview below explains the purposes of personal data processing within the individual companies belonging to the PPA Group. For the avoidance of doubt, YES means that the company belonging to the PPA Group processes personal data for the given purpose as a data controller.

| Purpose category | Personal data processing | Primary legal basis | PPA CONTROLL, a.s. | PPA ENERGO s.r.o. | PPA INŽINIERING, s.r.o. | PPA POWER DS s. r. o. | PPA POWER s.r.o. | PPA TRADE, spol. s r.o. | PPA Správa budov, s.r.o. | PPA CONTROLL Magyarország Kft |
|---|---|---|---|---|---|---|---|---|---|---|
| Human Resources Management | 1. Personnel and payroll purposes | Fulfilment of legal obligations and legitimate interests | YES | YES | YES | YES | YES | YES | NO | YES |
| | 2. Photos of employees | Consent | YES | YES | YES | YES | YES | YES | NO | YES |
| | 3. Employer’s control mechanisms | Legitimate interest | YES | YES | YES | YES | YES | NO | NO | YES |
| | 4. Employee benefits agenda | Contract fulfilment | YES | YES | YES | YES | YES | YES | NO | YES |
| | 5. Retention of data about unsuccessful applicants | Consent | YES | YES | YES | YES | YES | NO | NO | YES |
| | 6. Purchased performances agenda | Contract fulfilment and consent | YES | YES | YES | YES | YES | NO | NO | NO |
| | 7. Anti-radiation protection agenda | Fulfilment of legal obligations | NO | YES | NO | NO | NO | YES | NO | NO |
| | 8. Sharing employees’ data within the Group for administrative purposes | Legitimate interest | YES | YES | YES | YES | YES | YES | NO | YES |
| Protection of Rights and Legitimate Interests | 9. Reporting and recording of anti-social activities (Whistleblowing) | Fulfilment of statutory duties | YES | YES | NO | NO | NO | NO | NO | NO |
| | 10. Proving, exercising or defending of legal claims (legal agenda) | Legitimate interest | YES | YES | YES | YES | YES | YES | NO | NO |
| | 11. Data subjects’ rights agenda | Fulfilment of legal obligations | YES | YES | YES | YES | YES | YES | NO | NO |
| | 12. Registration of shareholders – natural persons/individuals | Fulfilment of legal obligations | YES | NO | NO | NO | NO | NO | NO | NO |
| | 13. Software development, improvement and testing | Legitimate interest | YES | YES | YES | YES | NO | NO | NO | NO |
| B2C Contracts | 14. Performance of contractual relationships with natural persons (individuals) | Contract fulfilment | YES | YES | YES | YES | NO | YES | NO | NO |
| Asset Protection and Security | 15. Asset protection and security | Legitimate interest | YES | YES | YES | YES | YES | YES | YES | YES |
| Marketing and PR | 16. Operation of profiles on social networks | Legitimate interest | YES | NO | YES | YES | YES | NO | NO | NO |
| | 17. Marketing and PR purposes | Consent and/or legitimate interest | YES | YES | YES | YES | YES | YES | NO | NO |
| Accounting and Taxes | 18. Accounting and tax purposes | Fulfilment of legal obligations | YES | YES | YES | YES | YES | YES | YES | YES |
| Archival and Statistics | 19. Archival and registry management | Art. 89 of the GDPR | YES | YES | YES | YES | YES | YES | YES | YES |
| | 20. Statistical purposes | Art. 89 of the GDPR | YES | YES | YES | YES | YES | YES | NO | YES |
| Accommodation | 21. Book of guests and registration of foreign nationals to the Slovak Ministry of Interior authorities | Fulfilment of legal obligations | YES | NO | NO | NO | NO | NO | NO | NO |

The overview below explains what the purposes of personal data processing within the PPA Group are. These purposes are known as the Common Purposes of Personal Data Processing, and all PPA companies, which entered into the joint controller agreement, are authorized to process personal data to the extent necessary to achieve these purposes. This overview also clearly identifies all legitimate interests pursued in the processing of your personal data, which you have the right to object to. Processing based on legitimate interest is highlighted by underlining in the section of the table “Detailed explanation of the purposes and legitimate interests”.

Purpose | Legal basis | Detailed explanation of the purposes and legitimate interests

1. Personnel and payroll purposes
Legal basis: Fulfilment of legal obligations and consent

Fulfilment of employer’s legal obligations: It includes the processing of personal data necessary for: (i) employee registration and deregistration in the registers of health insurance companies and the Social Insurance Agency, (ii) employee payroll management (payroll calculation, payroll processing) and payroll accounting, (iii) tax returns and annual tax processing, if requested by employees, (iv) records of occupational accidents and occupational safety and health agenda (e.g., training), (v) sharing data with the occupational health service and processing of assessments of medical fitness to perform work, (vi) records of using the working time fund, including holidays, sick leaves, obstacles at work, (vii) processing necessary to fulfil any obligation of the employer under the Labour Code (e.g., creating appropriate working conditions by setting up a work email and assigning a phone extension, etc.), (ix) processing necessary to fulfil any legal obligation of the employer under the relevant legislation, in particular Act No. 595/2003 Coll. on income tax, as amended, Act No. 563/2009 Coll. on tax administration (Tax Code) and on the amendment of certain laws, Act No. 580/2004 Coll. on health insurance and on the amendment of Act No. 95/2002 Coll. on insurance and on the amendment of certain laws, as amended by Act No. 718/2004 Coll., Act No. 5/2004 Coll. on employment services, Act No. 576/2004 Coll. on health care and health care-related services, Act No. 577/2004 Coll. on the scope of health care reimbursed by public health insurance and on payments for services related to the provision of health care, (x) management and administration of employees’ personal files, (xi) processing of personal data necessary for the reimbursement of partial costs of recreational vouchers pursuant to Act No. 91/2010 Coll. on tourism promotion, as amended, (xii) fulfilment of the employer’s obligations established in the field of public health by the state authorities in the application of epidemiological measures during a pandemic.

Photos of employees: Based on the consent of the data subjects, it includes the processing of personal data necessary for: i) processing of images capturing the employees on the intranet, user accounts of certain software applications, personal questionnaire, etc., ii) sharing photos of employees within the PPA CONTROLL Group, iii) taking and disclosing photos of employees from company events on the intranet, iv) publishing stylized photos of employees on the corporate website and social networks.

Retaining data on unsuccessful job applicants: It includes the processing of personal data necessary for: i) obtaining and retaining CVs of job applicants within the PPA CONTROLL Group, ii) retaining CVs of unsuccessful applicants for the purpose of contacting them with a suitable job offer in the future.

2. Human resources management, evaluation and development
Legal basis: Agreement and legitimate interest

Benefits: It includes the processing of personal data necessary in particular for: (i) providing accommodation in a recreational company cottage in Štrba at discounted prices, (ii) subsidizing the Multisport card with a contribution from the employer and sharing basic personal data of employees to the provider of this benefit, Benefit Systems, s.r.o., (iii) provision of an allowance for children’s recreation, (iv) providing an allowance at the birth of a child, (v) providing an allowance of EUR 100 for employee weddings, (vi) providing a package of school supplies for a school-compulsory child, (vii) providing St. Nicholas hampers for minor children of employees. Personal data of employees’ minor children is processed only with the consent of their legal guardians.

Identity verification via electronic access control system: It includes the processing of personal data necessary in particular to verify compliance with employees’ work discipline and proper compliance with their employment obligations under employment contracts and/or internal PPA regulations during the employment relationship, in particular: (i) electronic checking of compliance with the established working hours via attendance systems; (ii) checking of compliance with health and safety on construction sites; (iii) checking the presence of alcohol in the employee’s breath during working hours; (iv) checking the use of corporate motor vehicle via GPS monitoring; (v) monitoring of electronic communications; (vi) verifying the legitimacy of excess use of mobile flat-rate packages and data services; (vii) checking expenses paid by corporate credit cards;

Verifying attendance via electronic attendance system: The system includes processing of the personal data necessary for verifying an employee’s attendance by taking their photo in order to assess the right to be paid and prevent misuse of the assigned access cards, as well as verification of the identity of persons as external human resources in order to meet the safety and technical requirements of the work. The electronic attendance system does not have any functionality of automated personal data processing, does not use any biometric technology for identification or authentication of the subject, or any other processing activity. The captured image of the employee’s or external contractor’s face is an ordinary digital photograph and is used as an authenticator to verify the actual use of the assigned access card, so that it is not possible to avoid the system procedures, for instance, by lending the allocated cards to other persons. Such verification of identity may be executed via a static terminal or a mobile device, in which case, apart from a photograph of the employee or of the persons providing purchased performance, the location of the person concerned at the moment of identification is also processed, based on the record of GPS coordinates.

Agenda of purchased services: It includes the processing of personal data necessary in particular for: i) cooperation and coordination of external human resources involved in the delivery of services for larger orders of the PPA CONTROLL Group, ii) recording of necessary personal data and documents of professional competence and completed work training of particular contractors and their staff, iii) processing permits to enter nuclear power plant facilities, ii) central records and sharing of basic data on external self-employed persons, iv) retaining of data after the end of cooperation for the purpose of new contracts in the future on the basis of a consent.

Training and education: It includes the processing of personal data necessary in particular for: (i) improving the knowledge of personal data protection, internal PPA rules and security measures, including via e-learning, (ii) providing language courses and various training to improve staff qualification and soft skills.

Sharing of employee data for internal administrative purposes: It includes the processing of personal data necessary in particular for: i) cooperation of PPA personnel departments in the development, management, evaluation and remuneration of employees, ii) use of information on professional qualifications in order to share human resources between several PPA Group companies, iii) sharing of basic contact and work data on employees within the PPA Group for internal business communication purposes, iv) sharing of data related to payroll accounting in order to optimize the use of personnel capacity for the administration and processing of this agenda and the preparation of statistics and reports for the needs of the PPA.

3. Fulfilment of legal obligations
Legal basis: Fulfilment of legal obligations

Anti-radiation protection agenda: It includes the processing of personal data necessary for the fulfilment of the Controller’s obligations under Act No. 87/2018 Coll. on radiation protection and on the amendment of certain laws and Decree No. 99/2018 Coll. on ensuring radiation protection, in particular for: (i) processing applications for the issuance of employee exposure certificates (replacement for the “personal radiation cards”) in relation to the relevant Public Health Office of the Slovak Republic; (ii) division and registration of the Controller’s employees into A and B categories in accordance with Art. 17 (3) of the Radiation Protection Decree; (iii) processing and reporting the personal radiation exposure results from the radiation exposure records, which should be reported to the Controller by the controlled zone operator; (iii) fulfilment of notification obligations on the scheduled performance of work activities leading to radiation pursuant to Art. 23 (5) of the Radiation Protection Act or on urgent one-time performance pursuant to Art. 23 (6) of the Radiation Protection Act, or also fulfilment of other notification obligations stipulated in Art. 23 of the Radiation Protection Act; (iv) ensuring dosimetric measurement of the Controller’s employees when working in the controlled zone through the dosimetric service, including through a sub-processor, and processing the results of such personal monitoring through data reported from the radiation exposure records kept by the controlled zone operator; (v) fulfilling all the obligations of the external staff employer in relation to the controlled zone operator (e.g., presenting the results of personal monitoring if they have been monitored in the past and the results of the preventive medical examination and lists of staff to enter the controlled zone); (vi) providing co-operation and information and personal data on behalf of the Controller to an authorized public authority competent to supervise the fulfilment of these legal obligations stipulated by the Radiation Protection Act and the Radiation Protection Decree; (viii) any other fulfilment of the Controller’s legal obligation stipulated by the Radiation Protection Act or the Radiation Protection Decree, based on an agreement of the parties and, at the same time, will be the subject of personal data processing under this agreement; (ix) assistance in the fulfilment of various obligations associated with entry into the controlled zone of a nuclear power plant (e.g., processing of applications for long-term entry into KP SE for the staff of external service suppliers, etc.)

Agenda of the economic mobilisation entity: It includes the processing of personal data by LiV ELEKTRA, a.s., necessary for the fulfilment of obligations under Act No. 179/2011 Coll. on economic mobilisation and on amendments to Act No. 387/2002 Coll. on the management of state in the situations of crisis outside the wartime, as amended, in particular for: i) processing and storage of personal data of employees of the subject of economic mobilisation or natural persons pursuant to Article 7 Paragraph 10 of the Act on Economic Mobilisation, ii) processing of data on the person responsible for the maintenance of the user’s account in the information system of economic mobilisation, iii) any other performance of a legal obligation provided for by the Act on Economic Mobilisation, or other legal regulation to this purpose of data processing.

Reporting and recording of anti-social activities (whistleblowing): It includes the processing of personal data necessary in particular for: (i) performing actions related to the protection of persons reporting anti-social activities by the employer pursuant to Art. 7 of Act No. 54/2019 Coll., (ii) receiving, evaluating and recording anti-social activity report within the internal report verification system, including keeping records of such reports received for a period of 3 years.

Data subjects’ rights agenda: It includes the processing of personal data for: (i) the processing of data subjects’ requests under the GDPR and related communication; (ii) records of consents, objections or withdrawals of consents; (iii) obtaining the views of data subjects, e.g., in the impact assessment; (iv) reporting and documenting violations of personal data protection; (v) keeping records of instructions or informing authorized recipients of personal data.

Accounting and tax purposes: It includes the processing of personal data necessary in particular for: (i) registration and use of accounting documents under Art. 35 of Act No. 431/2002 Coll. on accounting and on the amendment of certain laws; (ii) retaining of invoices pursuant to Art. 76 (1) of Act No. 422/2004 Coll. on value added tax; (iii) any processing of personal data necessary for the fulfilment of the taxpayer’s obligations under Act No. 595/2003 Coll. on income tax, as amended, (iv) any processing of personal data necessary to fulfil the obligations of a tax entity under Act No. 563/2009 Coll. on tax administration (Tax Code) and on the amendment of certain laws.

 

Registration of shareholders – natural persons: It includes the processing of personal data of shareholders in the lists of shareholders of registered shares, which the joint-stock company is obliged to keep in accordance with the Commercial Code and the Securities Act.

Book of guests and registration of foreign nationals to the Slovak Ministry of Interior authorities: It includes the processing of personal data necessary to meet the legal obligations of an accommodation provider under Art. 24 (1) and (2) of Act No. 253/1998 Coll. on the registration of residence of citizens of the Slovak Republic and the register of inhabitants of the Slovak Republic.

4. Proving, exercising or defending legal claims
Legal basis: Agreement and legitimate interest

Legal agenda: It includes the processing of personal data in particular for: (i) ensuring the typical agenda of the internal legal department, (ii) legal control and internal legal advice, (iii) reporting various facts to public authorities (including reports of various offenses and crimes) or to insurance companies (e.g., insurance events), (iv) use of legal representation and legal advice by law firms; (v) performing audit/due diligence, including providing data to potential buyers and their advisors, e.g., in the sale of a business, shares or portfolio of assets owned by PPA CONTROLL; (vi) managing the corporate agenda and fulfilling all obligations under the Commercial Code (e.g., general meetings and invitations, annual reports), (vii) preparing, securing and storing various legal submissions and evidence containing personal data, (viii) recovering receivables, (ix) sending notices and reminders of outstanding payments, (x) conducting various administrative proceedings, litigation and other legal proceedings (e.g., concluding conciliations, settlement agreements, repayment schedules), (xi) notarization and official translations, (xii) processing of visas for staff posted to third countries.

 

Contractual agenda: It includes the processing of personal data necessary in particular for: (i) making changes to and performing any contracts concluded between the Controller and data subjects, (ii) approving and revising contracts by the legal department, (iii) communication between contracting parties, including processing of data on contact persons and statutory bodies of the contracting parties and other processing necessary for the proper conclusion, performance and modification of contractual relationships in which data subjects do not act as parties to the legal relationship; (iv) records of internal and external powers of attorney; (v) records of supplier-customer contractual relations between the Controller and its customers, partners and suppliers.

 

Client care: It includes the processing of personal data necessary in particular for: (i) handling and resolving various complaints and claims about the course of contracts beyond the scope of consumer rights with B2B customers, (ii) sending and evaluating customer satisfaction questionnaires after the completion of a business transaction.

 

5. Asset protection and security
Legal basis: Fulfilment of legal obligations and legitimate interest.

CCTV systems: It includes the processing of personal data necessary in particular for: i) operation of CCTV systems monitoring clearly marked defined areas and facilities used in the business activities of the PPA CONTROLL Group.

 

Physical access control: It includes the processing of personal data necessary in particular for: i) recording personal data of external visitors entering protected areas and facilities of PPA CONTROLL, ii) providing personal data to nuclear power plant operators to allow entry to specific persons.

 

IT security: It includes the processing of personal data necessary in particular for: i) control, collection and management of access rights, ii) monitoring and evaluation of suspicious events based on log analysis through specific software applications using SIEM, iii) creating security logs capturing user behaviour in important applications and systems, iv) creating security backups, including special backups on LTO tapes. During this processing, we make and store special data backups, including any personal data originally processed by PPA for purposes other than IT security backups. As part of this backup, LTO tapes are stored in a secure location other than the physical storage location of operating data under the “out-of-use” conditions of data usage; (v) vulnerability and anti-malware activity scanning; (vi) management of security incidents and violations of personal data protection; (vi) information security management in the PPA CONTROLL Group, vii) penetration testing and performance of security audits with the possibility of access to protected data.

 

Software development, improvement and testing: It includes the processing of personal data necessary in particular for: i) development, improvement and testing of applications created by PPA CONTROLL employees for our needs, ii) integration and configuration tests of corporate information systems by processors during migration from old systems, iii) service interventions and ongoing software modifications performed remotely by our processors based on our requirements and instructions, iv) system recovery tests based on backed up data.

 

6. Marketing and PR purposes
Legal basis: Consent and legitimate interest

Direct marketing communication: It includes the processing of personal data necessary in particular for: (i) adapting and sending marketing electronic mail (e-mail, text messages) to existing customers, subject to the restrictions of the unsolicited electronic communication regulation or to other interested parties who have granted their prior consent; (ii) creating, customizing and sending flyers or printed addressable forms of marketing.

 

Ad content targeting and personalization: It includes the processing of personal data necessary in particular for: (i) tailoring and displaying ads on social networks and YouTube; (iv) customizing and displaying banner ads and sponsored links when using the Internet. Where the law requires us to request consent to the use of cookies, we use GDPR-compliant consent as the legal basis, while we consider any further processing of personal data to be in our legitimate interest.

 

PPA CONTROLL awareness raising: It includes the processing of personal data necessary in particular for: (i) managing and administering content on official profiles set up on social networks (e.g., FB, LinkedIn) and broadcast channels (YouTube), (ii) organizing events, including sending invitations to events even without consent and making photos and videos capturing the participants of such events and publishing them during promotion (usually based on a consent), (iii) publishing content and posts containing personal data within various PR content (PR articles, press releases, posts published on social networks).

7. Statistical purposes
Legal basis: The legal bases of the original purposes mentioned above in connection with Recital No. 50 and Art. 89 of the GDPR.

It includes the processing of personal data necessary in particular for: (i) compiling statistical outputs, statements, reports, analyses and various working and analytical documents necessary for the internal statistical purposes of the PPA CONTROLL Group, public authorities and other legal entities; (ii) producing anonymized and aggregated statistical data from personal data processed for other legitimate purposes of personal data processing based on the legal basis and of which data subjects have been informed in due manner in accordance with Recital 50 and Art. 89 of the GDPR.

8. Archival purposes
Legal basis: The legal bases of the original purposes mentioned above in connection with Recital No. 50 and Art. 89 of the GDPR.

It includes the processing of personal data necessary in particular for: (i) keeping registry records according to the deadlines specified in the bank’s registry plan (registry administration); (ii) keeping records of incoming mail; (iii) liquidation of registry records after the expiry of their retention periods; (iv) forwarding of archival documents to the state archives; (v) discarding procedures; (vi) re-disclosure and use of registry or archival documents under the compatibility test conditions (e.g., for the purposes of proving, asserting and defending legal claims).

To whom do we provide your personal data?

We take the confidentiality of personal data very seriously, and therefore we have adopted internal policies, thanks to which your personal data is shared only with authorized employees of the PPA Group or verified third parties. Our employees and workers may have access to your personal information solely on the “need-to-know” basis, which means that only authorized employees of a particular department to which the processing of personal data relates may have the right to access this data, where this access is typically limited by the position, function and job description of a particular employee. We only provide personal data of our clients, employees, business partners and other natural persons to the necessary extent to the following categories of personal data beneficiaries:

  • other companies belonging to the PPA Group under the joint controller agreement;
  • social network operators;
  • software development, improvement and testing service providers;
  • our professional advisers (e.g., lawyers, auditors);
  • payroll and accounting firms;
  • software equipment and cloud service providers (e.g., Microsoft OneDrive and SharePoint);
  • web hosting service providers;
  • technical (IT), organizational (event agency) and marketing support providers of our company;
  • our verified and properly legally bound processors;
  • institutions in fulfilling our legal obligations as an employer, e.g., Social Insurance Agency, pension management companies, supplementary pension savings banks, health insurance companies;
  • The Ministry of Economy of the Slovak Republic as the administrator of the Unified Information System of Economic Mobilisation;
  • banks and payment service providers;
  • notaries, executors, experts, administrators of bankruptcy estates, official translators, interpreters, if necessary for proving, asserting or defending our legal claims;
  • mail carriers and courier services;
  • employees of the aforementioned entities.

If we use a processor for the processing of personal data, we always check in advance whether the processor meets the requirements of organizational and technical nature in terms of ensuring the security when processing your personal data. If we use our own beneficiaries (internal personnel of the PPA Group) to process personal data, your personal data is always processed on the basis of mandates and instructions by which we instruct our beneficiaries not only about internal privacy policies, but also about their legal liability for their violation. If we are asked by public authorities for access to your personal data, we examine the legislatively set conditions for making it available, so we do not provide your personal data before we check that the necessary terms are met. If you would like information regarding our current processors, please contact us through our DPO.

To which countries do we transfer your personal data?

By default, we do not transfer personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein) unless it is necessary. In some cases, however, the cross-border transfer of personal data to third countries may be necessary. For example, if you are our employee and/or contractor whom we need to send to a third country to fulfil our commitments to our clients in Cuba, Venezuela, Ukraine and/or the Russian Federation and we need your personal data to carry out the visa process, we need to provide your personal data to the authorities in that third country through consulates or embassies. Although we have never seen any problem with the misuse of any personal data in these countries, in line with the decisions of the European Commission, these countries are considered to be countries which do not ensure an adequate level of protection (of personal data), and therefore we must proceed on the basis of appropriate safeguards pursuant to Art. 47 of the GDPR or on the basis of exceptions for specific situations according to Art. 49 of the GDPR. By default, therefore, we strive to conclude the so-called standard contractual clauses approved by the European Commission with the data importer in a third country. If that is not possible, you will be asked in advance to grant specific informed consent to such a processing transaction in accordance with Article 49 (1) (a) of the GDPR, unless you are among the employees with whom we have entered into special labour contracts whose fulfilment requires the cross-border transfer of personal data to a third country.

Furthermore, we can also carry out cross-border transfers to third countries, which guarantee an adequate level of personal data protection on the basis of the European Commission’s decision on adequacy in accordance with Art. 45 of the GDPR, namely the United Kingdom due to the use of a processor, Chancellors LLP.

In addition, we use the secure cloud services of a trusted provider with servers located in EU jurisdictions, which may also include cross-border transfers of data to the United States by our cloud services provider, Microsoft Inc., who is our processor. This can also happen when using other services of different companies. These service providers are located in the United States, which is considered a third country not providing an adequate level of protection. Personal data is transferred outside the EU and/or European Economic Area solely in strict compliance with the protection of personal data as required by the GDPR. This is based on the judgment issued by the Court of Justice of the EU in the Schrems II case on 16 July 2020, which abolished the EU-US Privacy Shield mechanism. As regards the use of services from these companies, the cross-border transfer of personal data to the United States takes place on the basis of (new) standard contractual clauses approved by the European Commission. According to the above judgment, controllers should also accept additional safeguards if necessary. You can find a link below to reasonable and appropriate safeguards for transferring data to the United States, which we can apply when using some services:

| Supplier | Privacy Policy | Adequate safeguards under Art. 46 of the GDPR | Additional safeguards under the EDPB[1] |
| --- | --- | --- | --- |
| Crowdstrike | https://www.crowdstrike.com/privacy-notice/ | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://www.crowdstrike.com/data-protection-agreement/ | Based on an analysis, they are sufficient. More information is available at https://www.crowdstrike.com/data-protection-agreement/ ; https://www.crowdstrike.com/why-crowdstrike/crowdstrike-compliance-certification/ ; https://www.crowdstrike.com/resources/white-papers/ebook-crowdstrike-cloud-security-on-aws/ |
| Google | https://policies.google.com/privacy?hl=en-US | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://privacy.google.com/businesses/controllerterms/mccs/ ; https://cloud.google.com/terms/data-processing-terms ; https://cloud.google.com/terms/eu-model-contract-clause | Based on an analysis, they are sufficient. More information is available at https://services.google.com/fh/files/misc/workspace_and_workspace_edu_safeguards_for_international_data_transfers.pdf |
| Facebook | https://www.facebook.com/policy.php ; https://www.whatsapp.com/legal/#privacy-policy-our-global-operations | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://www.facebook.com/help/566994660333381 ; https://www.facebook.com/legal/terms/dataprocessing ; https://www.facebook.com/legal/EU_data_transfer_addendum/update | Based on an analysis, they are sufficient. More information is available at https://about.fb.com/news/2021/03/steps-we-take-to-transfer-data-securely/ |
| LinkedIn | https://www.linkedin.com/legal/privacy-policy | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://www.linkedin.com/legal/l/dpa ; https://www.linkedin.com/help/linkedin/answer/62533/eu-eea-and-swiss-data-transfers?lang=en | Based on a specific analysis, they are sufficient. More information is available at https://www.linkedin.com/legal/l/dpa |
| Microsoft Corporation | https://privacy.microsoft.com/en-us/privacystatement | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://docs.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses ; https://docs.microsoft.com/en-us/legal/gdpr ; https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA | Based on a specific analysis, they are sufficient. More information is available at: https://www.microsoft.com/licensing/docs/view/Microsoft-supplemental-terms-and-conditions ; https://microsoft365compliance.de/microsoft-with-new-strong-commitment-to-privacy-in-europe-and-new-measures-and-addendum |
| Proofpoint | https://www.proofpoint.com/us/legal/privacy-policy | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://www.proofpoint.com/us/legal/trust/dpa | Based on a specific analysis, they are sufficient. More information is available at: https://www.proofpoint.com/us/legal/trust ; https://www.proofpoint.com/sites/default/files/misc/pfpt-us-data-transfer-assessment-20201028.pdf |
| Rapid7 | https://www.rapid7.com/privacy-policy/ | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://www.rapid7.com/legal/dpa/ | Based on a specific analysis, they are sufficient. More information is available at: https://www.rapid7.com/blog/post/2020/07/29/rapid7-statement-on-privacy-and-status-of-eu-us-data-transfers-post-schrems-ii/ ; https://www.rapid7.com/legal/dpa/ |
| Tenable | https://www.tenable.com/gdpr-alignment | Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR. https://static.tenable.com/prod_docs/Tenable-Master-Agreement-Data-Processing-Addendum-9-24-2021.pdf ; https://www.tenable.com/gdpr-alignment | Based on a specific analysis, they are sufficient. More information is available at: https://www.tenable.com/trust-and-assurance |

[1] Recommendations of the European Data Protection Board No. 1/2020 on measures complementary to transfer instruments to ensure compliance with the level of personal data protection in the EU

We retain personal data for as long as necessary for the purposes for which personal data is processed. In general, the period for retaining personal data follows the applicable legislation. If the legislation does not provide otherwise, we always determine the period for retaining your personal data in relation to the specific purpose through our group’s internal policies and/or our registry plan. If we process your personal data based on your consent, after its withdrawal, we are obliged not to process your personal data for the given purpose. This does not preclude that your personal data can be further processed on a different legal basis, especially if concerning the fulfilment of statutory obligations.

General periods for retaining personal data for our specified personal data processing purposes are as follows:

| Purpose of personal data processing | | Maximum retention periods for personal data |
| --- | --- | --- |
| 1. Personnel and payroll purposes | Fulfilment of legal obligations of the employer | In general, during the employment relationship and the expiry of the legal deadlines for the retention of certain types of documents, e.g., the employee payslips and personal files are kept for 70 years from the employee’s birth. Unnecessary data is deleted from the personal file and personnel systems at the latest when the employment relationship is terminated. |
| | Photos of employees | Until the consent to the processing of personal data is withdrawn or the employment relationship is terminated, whichever occurs first. |
| | Retaining data on unsuccessful job applicants | Until the consent is withdrawn or 2 years from the start of processing, whichever occurs first. |
| 2. Human resources management, evaluation and development | Benefits | Until an objection to the processing of personal data is settled, if the rights and freedoms of the data subject prevail in a specific case, otherwise until the employment relationship or the provision of benefits is terminated. The data of employees’ minor children may be deleted sooner even if the legal representative’s consent to their processing is revoked. |
| | Identity verification via electronic access control system | Until an objection to processing is settled, if the rights and freedoms of the data subject prevail in a specific case, otherwise until the employment relationship is terminated. If personal data is used to infer legal liability to the employee, the data obtained in this way may be processed for longer for the compatible purposes of proving, asserting and defending legal claims. |
| | Training and education | Until an objection to processing is settled, if the rights and freedoms of the data subject prevail in a specific case, otherwise until the employment relationship is terminated. |
| | Agenda of purchased services | Until the termination of the contractual relationship with the data subject or the withdrawal of consent, if the data subject has agreed to the retention of his/her contact details even after the cooperation is terminated. |
| | Sharing of employee data for internal administrative purposes | During the course of employment. |
| 3. Fulfilment of legal obligations | Anti-radiation protection agenda | 5 years following the termination of employment |
| | Agenda of the economic mobilisation entity | For a maximum period of time that complies with Act No. 179/2011 Coll. on economic mobilisation and on amendments to Act No. 387/2002 Coll. on the management of state in the situations of crisis outside the wartime, as amended. |
| | Reporting and recording of anti-social activities (whistleblowing) | 3 years from the date of delivery of the complaint.[1] |
| | Data subjects’ rights agenda (GDPR) | 3 years from the processing of the data subject’s request. |
| | Registration of shareholders – natural persons | During the legal relationship of the shareholder and 12 months after the loss of the shareholder’s position[2], where this does not affect the longer retention of data for archival purposes. |
| | Book of guests and registration of foreign nationals to the Slovak Ministry of Interior authorities | At most during the period in accordance with Art. 43 of Act No. 582/2004 Coll. on local taxes determined by the relevant general binding regulation of the municipality and in relation to personal data of foreigners, which we report to the relevant public authorities according to Art. 24 (2) of Act No. 253/1998 Coll., for 2 years. |
| | Accounting and tax purposes | During a period of ten years following the fiscal year to which the accounting documents, accounting books, lists of the books, lists of codes or other symbols and abbreviations used in accounting, depreciation plan, inventories, inventory records, chart of accounts refer. |
| 4. Proving, exercising or defending legal claims | Legal agenda | Until the legal claim expires, the right is properly exercised, and the legal claim is satisfied or the legal matter is substantively terminated and available remedies are exhausted. |
| | Contractual agenda | Until the contractual relationship is terminated or an objection to the processing is filed, if in a specific case the rights and freedoms of the data subject prevail. |
| | Client care | Until the assessment of customer satisfaction questionnaires after completion of an order – no longer than 1 year from the end of the order. |
| 5. Asset protection and security | CCTV systems | Max. 72 hours |
| | Physical access control | Max. 1 year. |
| | IT security | Max. 1 year. Data stored on LTO tapes can be stored in a limited mode until they have been deleted by new backed up data – e.g., once every 6 months. |
| | Software development, improvement and testing | Until software development, enhancement, and testing is complete. Unnecessary data is regularly deleted at least once a year. |
| 6. Marketing and PR purposes | Direct marketing communication | Until an objection to direct marketing is received or the consent to the processing of personal data is withdrawn, if the consent is the legal basis for the processing. |
| | Ad content targeting and personalization | Until the consent is withdrawn, if the consent is the legal basis for processing or until the time for using cookies expires – whichever comes first. Until an objection to the processing of personal data is properly settled, if the legal basis is a legitimate interest. |
| | PPA CONTROLL awareness raising | Until an objection to processing is settled, if the rights and freedoms of the data subject prevail in a specific case – otherwise until the employment relationship is terminated. Unnecessary data is deleted at least once a year. |
| 7. Statistical purposes | | During the course/existence of other processing purposes, while minimizing their retention until the necessary statistical output is generated; this is without prejudice to the possibility of retaining personal data used for the original processing purposes. |
| 8. Archival purposes | | For the original processing purposes, during the statutory or retention period specified in the registry plan. The Bank’s registry plan is available to the data subject upon request. |

The above-mentioned retention periods are only general periods during which personal data is processed for those purposes. In practice, however, we proceed to liquidate or anonymize personal data before the end of these general periods if we consider the personal data unnecessary in view of the aforementioned processing purposes. Conversely, in some specific situations, your personal data can be kept for longer, as mentioned above, if it is required by law or our legitimate interest. If you would like more information on a specific retention period for your personal data, please do not hesitate to contact us through our DPO.

[1] Art. 11 (1) of Act No. 54/2019 Coll. on the protection of whistleblowers

[2] Art. 107o (15) of Act No. 566/2001 Coll. on securities and investment services and on the amendment of certain laws (Securities Act)

How do we obtain personal data?

Most often, we obtain your personal data directly from you. In this case, personal data is obtained on a voluntary basis. You can provide personal data to our company in different ways, for example:

  • by registering on our website (as a job applicant);
  • by concluding a contract with our company;
  • in our mutual communication;
  • by participating in events organized by our company;
  • by participating in the activities of our company on the social network and our website in the event of your consent to cookies;
  • by using Facebook and LinkedIn social networks in accordance with the terms of their use;
  • by sending the contact form with your comments, questions or enquiries.

We may also obtain your personal data from your employer or from the company in relation to which we process your personal data. Most often, this concerns cases where we enter into or negotiate a contractual relationship or its terms with the particular company. If the obtaining of personal data relates to a contractual relationship, it is most commonly a contractual requirement or a requirement that is necessary to conclude a contract. Failure to provide personal data (whether yours or your colleague’s) can have negative consequences for the organization that you represent, as the contractual relationship may then not be concluded or implemented. If you are a member of the statutory body in an organization which is our contracted party or with which we are negotiating the conclusion of a contractual relationship, we can obtain your personal data from publicly available sources and registers. We do not systematically process any accidentally collected personal data in any way for any of the purposes of personal data processing defined by us.

What are your rights under the GDPR if you are a data subject?

The GDPR lays down the general conditions governing the exercise of your individual rights. The existence of these rights does not automatically mean that we will accommodate every request to exercise them, as exceptions can apply in specific cases and some rights are linked to specific conditions which may not be met in every case. We will always handle and examine your request regarding a particular right in terms of legislation and our internal policy for handling complaints of data subjects. As a data subject you have in particular:

  • The right to request access to your personal data we process in accordance with Art. 15 of the GDPR. This right includes the right to confirmation whether we process your personal data, the right to obtain access to such data and the right to obtain a copy of your personal data that we process, if technically feasible;
  • The right of rectification and completion of your personal data in accordance with Art. 16 of the GDPR if we process incorrect or incomplete personal data;
  • The right to erasure of your personal data in accordance with Art. 17 of the GDPR;
  • The right to restrict the processing of your personal data in accordance with Art. 18 of the GDPR;
  • The right to data portability in accordance with Art. 20 of the GDPR.

If we process personal data based on your consent to the processing of personal data, you have the right to withdraw your consent. However, such withdrawal does not affect the lawfulness of the processing of personal data before the consent is withdrawn. You have the right to effectively object to the processing of personal data for direct marketing purposes, including profiling, at any time.

You have the right to object to the processing of your personal data based on legitimate interests pursued by us, as explained above. You also have this right with respect to the processing of personal data on the legal basis of public interest. In the event of an objection or upon request, we will be happy to show you the conclusions of our balance test showing the predominance of the legitimate interest pursued.

If you believe that we process incorrect personal data concerning you with regard to the purpose and circumstances and you are unable to change such personal data through features of the application, account or website, you can request the rectification of incorrect or completion of incomplete personal data by filling in a supplementary statement (all information is optional) and/or by contacting us via our contact details:

Supplementary statement of rectification of personal data

Name and surname:
Contact details:
Relevant purpose of processing by the PPA Group: Please specify which PPA Group purpose of processing your request concerns.
Context or relationship between you and the PPA Group: Please indicate whether you are our employee, business partner, job applicant and the like.
Nature of your rectification: Please explain whether you request rectification of incorrect personal data or completion of incomplete personal data.
Context of your request for rectification: Please explain why you believe we process your inaccurate or incomplete personal data.
Rectification: Please indicate which specific personal data you request to rectify or complete.

Please send this supplementary statement of rectification to dpo@ppa.sk

You also have the right to file a complaint with the Office for Personal Data Protection of the Slovak Republic or bring an action before the competent court. In any case, we recommend that you first try to resolve any disputes, questions or objections by communicating with us.

Is automated individual decision-making used?

No, we currently do not perform any processing transactions that would result in decisions having legal effect or other major impact on you and that would be based solely on fully automated processing of your personal data in accordance with Art. 22 of the GDPR.

External websites

Our websites may contain links to other websites and/or services of other providers (e.g., the so-called reCAPTCHA by Google Inc.). We are not responsible for the content and administration of the websites or services of other providers to whom we provide links. This privacy policy does not apply to the processing of personal data associated with your browsing on other websites.

How do we protect your personal data?

It is our duty to protect your personal data in an appropriate manner and therefore we pay adequate attention to its protection. Our company has implemented generally accepted technical and organizational standards to maintain the security of personal data, in particular to protect the data against loss, misuse, unauthorized modification, destruction, or other impact on the rights and freedoms of data subjects. In situations where sensitive data is transferred, we use encryption technology (see, for example, communication with a payment gateway). Your personal data is stored on our secure servers or servers of our website operators that are located in data centres in the Slovak Republic and the Czech Republic. When third-party analytical tools are used, data is stored on the servers of those third parties (see cookies).

What type of cookies do we process?

Cookies are small text files that improve the use of websites, for example, by making it possible to recognize previous visitors when they log into the user interface, remembering a visitor’s choices when opening a new window, or measuring traffic on a website or the way it is used in order to improve it for users. Our website uses cookies especially for measuring the traffic. You can prevent these files from being saved to your device at any time by setting up your web browser (or through the support tools available on the web, which we refer to below). According to Art. 55 (5) of the Electronic Communications Act, setting up your browser is considered to be your consent to the use of cookies on our website.

How do we use cookies?

After the visitor’s consent to the use of cookies, our websites store in cookies the information that the cookie bar with the message about using cookies is to remain permanently hidden. On www.ppa.sk, we also use “session cookies” which only contain non-personal visitor information and are automatically deleted after the browser is closed. These provide us with a lot of useful information, such as how many visitors were on the website or what browsers they use, allowing us to optimize and improve our website. We also use “functional cookies” to remember our website visitor’s credentials and guarantee their security after login. In addition, cookies are also used by third-party tools implemented on the PPA Group websites, mainly to support the marketing, statistical and analytical activities that enable us to operate a modern website. Our cookies can be categorised as i) necessary, ii) statistical and iii) marketing cookies. Necessary cookies help make our website usable by enabling basic functions such as website navigation and access to secure web areas. Without them, the website cannot function properly. Statistical cookies collect and report information anonymously to help us understand how visitors interact with the website. Marketing cookies are used to track visitors on the website. The intention is to display ads that are relevant and engaging for individual users and thereby more valuable for publishers and third party advertisers. We use the following cookies in particular:

| Cookie name | Purpose of use | Provider | Period of use | Type |
| --- | --- | --- | --- | --- |
| _grecaptcha | Used to distinguish between people and robots. It is beneficial for a website to be able to make valid reports about its usage. | www.ppa.sk | Permanently until deleted | HTTP |
| _GRECAPTCHA | Used to distinguish between people and robots. It is beneficial for a website to be able to make correct reports about its usage. | google.com | 179 days | HTTP |
| rc::a | Used to distinguish between people and robots. It is beneficial for a website to be able to make valid reports about its usage. | google.com | Permanently until deleted | HTTP |
| rc::b | Used to distinguish between people and robots. | google.com | During connection time | HTTP |
| rc::c | Used to distinguish between people and robots. | google.com | During connection time | HTTP |
| _ga | Registers a unique ID to generate statistics on how the website is used. It serves solely to anonymously aggregate statistical data to help us understand how visitors use our website. | ppa.sk | 2 years | HTTP |
| _ga_# | Used by Google Analytics to collect data about the number of visits by website users and the dates of their first and following visits. | ppa.sk | 2 years | HTTP |
| _gat | It is used to speed up calculations by Google Analytics. It processes statistics about our website’s usage. | ppa.sk | 1 day | HTTP |
| _gid | Registers a unique ID to generate statistics on how the website is used. It serves solely to anonymously aggregate statistical data to help us understand how visitors use our website. | ppa.sk | 1 day | HTTP |
| ads/ga-audiences | Used by Google AdWords to retarget visitors likely to become customers based on their online behaviour on our website. | Google | During connection time | Pixel |
| _fbp | Used by Facebook to display third-party advertising and marketing offers. | ppa.sk | 3 months | HTTP |
| VISITOR_INFO1_LIVE | Analyses user behaviour on websites with embedded videos from Youtube | Youtube.com | 179 days | HTTP |
| YSC | Registers a unique ID to store statistics on how many YouTube videos a particular user has seen. | Youtube.com | During connection time | HTTP |
| yt.innertube::nextId, yt.innertube::requests | Registers a unique ID to store statistics on how many YouTube videos a particular user has seen. | Youtube.com | Permanently until deleted | HTML |
| yt-remote-cast-available, yt-remote-cast-installed, yt-remote-fast-check-period, yt-remote-session-app | Stores the user’s video player settings when watching videos embedded from Youtube on the website. | Youtube.com | During the connection time | HTML |
| yt-remote-connected-devices | Stores the user’s video player settings when watching videos embedded from Youtube on the website. | Youtube.com | Permanently until deleted | HTML |

How to check cookies?

You can check and/or delete cookies at your own discretion – for details, please visit www.aboutcookies.org. You can delete all cookies that are already saved in your computer and also set most browsers to prevent them from being stored. Alternatively, you can use self-regulatory tools in order to identify and remove cookies, which will allow you to significantly reduce the impact of direct marketing in an online environment (e.g., http://www.youronlinechoices.eu/). In this case, deterioration of the user experience on our websites for an individual user cannot be excluded.

Social networks

We recommend you familiarize yourself with the privacy policy of social media platform providers through which we communicate. Our privacy policy explains only basic questions regarding the management of our profiles or profiles of our clients. We only have typical administrator privileges in the processing of your personal data via our or client profiles. We assume that by using social networks you understand that your personal data is primarily processed by social network platform providers (like Facebook and LinkedIn) and that we have no control over such processing, further provision of your personal data to third countries and its cross-border transfer to third countries carried out by these social network platform providers and that we are not liable for their actions. PPA is not interested in processing any personal data from a special category of personal data on any social network profiles. Any possible provision of additional information by you, which would reveal such sensitive data, will be considered as an accidental acquisition of the so-called observed data, which will not be further processed in any way other than by their deletion or anonymization.

Facebook

Social media add-ons are integrated on our website, e.g., Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA (“Facebook”). You can recognize them by the Facebook logo or by the “like” button on the website. When you visit our website, Facebook receives information that you have visited the website with your IP address. If you click the “like” button or the Facebook icon available on our website while you are signed in and/or registered to your Facebook account at the same time, the content of the website is redirected to your Facebook profile. Consequently, Facebook may associate your visit to the website with your user account. Data is transferred regardless of whether you have a Facebook account or not. When using our websites, please note that the PPA Group has no influence on the data collected and processed and is not aware of the overall scope of the data collected, the purpose of the processing or the retention time of such data. Facebook stores your information in the form of a user profile and uses it for its own advertising and market research purposes and/or to customize its services and tools of registered users. Such an assessment is mainly carried out to inform other Facebook users about your activities on our website. You are entitled to object to the creation of such user profiles, in which case you must contact Facebook. We always recommend that you sign out of your Facebook account, especially to avoid associating your online activity with your profile. For more information about the purpose and scope of your data collection and processing by Facebook, please visit the Facebook Privacy Statement at: https://www.facebook.com/policy.php.

We would also like to inform you that we can use the services provided by Facebook Ireland Limited, which are labeled as “data file custom audiences” and mean the audience management for advertising campaigns, and we may associate the data that we process with personal data processed in Facebook databases and “measurement and analytics”, within which Facebook processes personal information on our behalf to measure the performance and reach of our advertising campaigns and provide us with reports of users who have seen and responded to our advertising content. Therefore, this processing of your personal data may occur if you interact with our advertising content or our websites when using your user profile on Facebook. In such cases, we use Facebook as a processor, using the following legal safeguards to process your personal data: https://www.facebook.com/legal/terms/businesstools, https://www.facebook.com/legal/terms/dataprocessing.

Whenever the “page insights” service or site statistics related to our Facebook established profile is used, we have the status of a joint controller together with Facebook. The joint controller agreement, referred to in Art. 26 of the GDPR, is available at https://www.facebook.com/legal/terms/page_controller_addendum

If the above-described processing of personal data bothers you, you can object to it or use the self-regulatory tools developed for the online marketing sector, available at http://www.aboutads.info/choices and http://www.youronlinechoices.eu/. These online tools allow you to automatically identify third-party digital identifiers (including those from Facebook) in your browser and delete them, thus preventing the possible processing of your personal data.

LinkedIn

If you visit and use our profile set up on this social network, we may process your personal data together with LinkedIn Corporation, based at 1000 W Maude Ave Sunnyvale (HQ), California, USA, which is part of the Microsoft Group, for statistical purposes when using the “page insights” service. More information can be found in the LinkedIn Privacy Policy as well as in the basic parts of the joint controller agreement, which are available at https://legal.linkedin.com/pages-joint-controller-addendum

The use of this social network is primarily important to us because through our professionally managed account we build awareness of the PPA Group in the online environment (e.g., by adding PR content) and secondly we establish internal communication with experts and professionals whom we might be interested in employing or developing another form of professional cooperation with. Through our account, our HR specialists can communicate with our prospective business partners or eligible candidates to fill job vacancies. In addition, we can also use LinkedIn Ireland Unlimited to support our marketing and PPC (Pay Per Click) campaigns, which aim to increase the traffic to our websites or microsites. We can also use LinkedIn Campaign Manager and personalized internal mail to send our content to raise our PR and PPA awareness, or to inform you of a vacant job suitable for your profile. If we use these services, LinkedIn will act as our processor, using the following legal safeguards to process your personal data: https://legal.linkedin.com/dpa

For more information about your personal data processing by LinkedIn social network operator for its own purposes, please visit the following URL: https://www.linkedin.com/legal/privacy-policy

Changing the terms of privacy policy

Personal data protection is not a one-off matter for us. The information that we are obliged to provide to you with regard to our personal data processing can change or become out-of-date. For this reason, we reserve the right to modify or change these terms at any time and to any extent. If we change these terms significantly, we will advise you of such change, for example, by a general notice on this website or a separate notification by e-mail.

The Management of PPA CONTROLL, a.s.

Bratislava, 6th February 2023

Version 1.7