PPA CONTROLL, a.s. (Inc.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 17 055 164, Registered in: Companies Register of the Bratislava I District Court, Section: Sa, Insert No. 159/B
PPA ENERGO s.r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 368 484, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 6646/B
PPA INŽINIERING (Engineering), s.r.o. (Ltd.), Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 31 376 045, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 7314/B
PPA TRADE, spol. s r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 409 776, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 7917/B
PPA POWER, s.r.o. (Ltd.), Registered office: Sládkovičova 47, 974 05 Banská Bystrica, Comp. Reg. No.: 31 618 103, Registered in: Companies Register of the Banská Bystrica District Court, Section: Sro, Insert No. 2302/S
PPA Power DS s.r.o. (Ltd.), Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 31 368 514, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 6649/B
PPA SPRÁVA BUDOV (PPA Building Management), s.r.o. (Ltd.), Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 35 751 983, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 17810/B
LiV ELEKTRA, a.s. (Inc.), Registered office: Priemyselná 10, 821 09 Bratislava, Slovakia, Comp. Reg. No.: 35 769 840, Registered in: Companies Register of the Bratislava I District Court, Section: Sa, Insert No. 2170/B
(Hereinafter collectively referred to as “PPA” or “we”). Due to the fact that the PPA CONTROLL Group consists of several closely interconnected and cooperating companies with their own legal personality, we process your personal data mainly as a joint controller on the basis of an agreement concluded in accordance with Art. 26 (1) of the General EU Data Protection Regulation (“GDPR”).
Phone: +421 2 49237123
Correspondence address: Data Protection Officer (DPO), PPA CONTROLL, a.s., Vajnorská 137, 830 00 Bratislava
The PPA Group also includes several “ready-made” companies that have no employees and do not perform any activities related to personal data processing.
Our commitment to protection of privacy: “Personal data under control”
Protecting your privacy is important to us. We do not protect personal data only because it is our legal duty. We also see efficient protection of personal data in the broader context of our business activity, which is the delivery of secure technologies. It is therefore our aim and intention to provide our services in a way that at all times ensures compliance with the fundamental rules and principles of privacy protection, in particular the protection of personal data. When reviewing our practices on personal data processing before 25 May 2018, we decided to introduce advanced, efficient and easy measures to ensure GDPR compliance. If you are our business partner and you are interested in our approach to the new rules on personal data protection, please contact our DPO.
Why do we process personal data?
Processing of personal data is necessary on our part, especially so that we can:
- provide our services and products, and for this purpose process personal data of our clients, suppliers, business partners, employees and other persons;
- effectively manage our human resources;
- fulfil various legal and contractual obligations and
- protect our legitimate interests.
 D1 PARK Infra, s.r.o., Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 47 256 061, Registered in: Companies register of the Bratislava I District Court, Section: Sro, Insert No.: 101495/B; FTVE 3, s.r.o., Registered office: Vajnorská 137, 830 00 Bratislava, Comp. Reg. No.: 45 879 249, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No.: 78769/B; Power SP, s.r.o., Registered office: Vajnorská 137, 831 04 Bratislava, Comp. Reg. No.: 52 068 650, Registered in: Companies Register of the Bratislava I District Court, Section: Sro, Insert No. 132879/B; PPA 1, s.r.o., Registered office: Radlinského 297/7, 010 01 Žilina, Comp. Reg. No.: 52 798 801, Registered in: Companies Register of the Žilina District Court, Section: Sro, Insert No.: 73652/L; PPA 2, s.r.o., Registered office: Radlinského 297/7, 010 01 Žilina, Comp. Reg. No.: 52 799 212, Registered in: Companies Register of the Žilina District Court, Section: Sro, Insert No.: 73685/L;
The overview below explains the purposes of personal data processing within the individual companies belonging to the PPA Group. For the avoidance of doubt, YES means that the company belonging to the PPA Group processes personal data for the given purpose as a data controller.
|Purpose category||Personal data processing||Primary legal basis||PPA CONTROLL,|
|PPA POWER DS|
s. r. o.
spol. s r.o.
|PPA CONTROLL Magyarország Kft|
|Human Resources Management||1.||Personnel and payroll purposes||Fulfilment of legal obligations and legitimate interests||YES||YES||YES||YES||YES||YES||NO||YES|
|2.||Photos of employees||Consent||YES||YES||YES||YES||YES||YES||NO||YES|
|3.||Employer’s control mechanisms||Legitimate interest||YES||YES||YES||YES||YES||NO||NO||YES|
|4.||Employee benefits agenda||Contract fulfilment||YES||YES||YES||YES||YES||YES||NO||YES|
|5.||Retention of data about unsuccessful applicants||Consent||YES||YES||YES||YES||YES||NO||NO||YES|
|6.||Purchased performances agenda||Contract fulfilment and consent||YES||YES||YES||YES||YES||NO||NO||NO|
|7.||Anti-radiation protection agenda||Fulfilment of legal obligations||NO||YES||NO||NO||NO||YES||NO||NO|
|8.||Sharing employees’ data within the Group for administrative purposes||Legitimate interest||YES||YES||YES||YES||YES||YES||NO||YES|
|Protection of Rights and Legitimate|
|9.||Reporting and recording of anti-social|
|Fulfilment of statutory|
|10.||Proving, exercising or defending of legal claims (legal agenda)||Legitimate interest||YES||YES||YES||YES||YES||YES||NO||NO|
|11.||Data subjects’ rights agenda||Fulfilment of legal obligations||YES||YES||YES||YES||YES||YES||NO||NO|
|12.||Registration of shareholders – natural persons/individuals||Fulfilment of legal obligations||YES||NO||NO||NO||NO||NO||NO||NO|
|13.||Software development, improvement and testing||Legitimate interest||YES||YES||YES||YES||NO||NO||NO||NO|
|B2C Contracts||14.||Performance of contractual relationships with natural persons (individuals)||Contract fulfilment||YES||YES||YES||YES||NO||YES||NO||NO|
|15.||Asset protection and security||Legitimate interest||YES||YES||YES||YES||YES||YES||YES||YES|
|Marketing and PR||16.||Operation of profiles on social networks||Legitimate interest||YES||NO||YES||YES||YES||NO||NO||NO|
|17.||Marketing and PR purposes||Consent and/or|
|18.||Accounting and tax purposes||Fulfilment of legal obligations||YES||YES||YES||YES||YES||YES||YES||YES|
|19.||Archival and registry management||Art. 89 of the GDPR||YES||YES||YES||YES||YES||YES||YES||YES|
|20.||Statistical purposes||Art. 89 of the GDPR||YES||YES||YES||YES||YES||YES||NO||YES|
|Accommodation||21.||Book of guests and registration of foreign nationals to the Slovak Ministry of Interior authorities||Fulfilment of legal obligations||YES||NO||NO||NO||NO||NO||NO||NO|
For what purposes and on what legal bases, including legitimate interests, do we process personal data?
The overview below explains what the purposes of personal data processing within the PPA Group are. These purposes are known as the Common Purposes of Personal Data Processing, and all PPA companies, which entered into the joint controller agreement, are authorized to process personal data to the extent necessary to achieve these purposes. This overview also clearly identifies all legitimate interests pursued in the processing of your personal data, which you have the right to object to. Processing based on legitimate interest is highlighted by underlining in the section of the table “Detailed explanation of the purposes and legitimate interests”.
|Purpose||Legal basis||Detailed explanation of the purposes and legitimate interests|
|1. Personnel and payroll purposes||Fulfilment of legal obligations and consent||Fulfilment of employer’s legal obligations: It includes the processing of personal data necessary for: (i) employee registration and deregistration in the registers of health insurance companies and the Social Insurance Agency, (ii) employee payroll management (payroll calculation, payroll processing) and payroll accounting, (iii) tax returns and annual tax processing, if requested by employees, (iv) records of occupational accidents and occupational safety and health agenda (e.g., training), (v) sharing data with the occupational health service and processing of assessments of medical fitness to perform work, (vi) records of using the working time fund, including holidays, sick leaves, obstacles at work, (vii) processing necessary to fulfil any obligation of the employer under the Labour Code (e.g., creating appropriate working conditions by setting up a work email and assigning a phone extension, etc.), (ix) processing necessary to fulfil any legal obligation of the employer under the relevant legislation, in particular Act No. 595/2003 Coll. on income tax, as amended, Act No. 563/2009 Coll. on tax administration (Tax Code) and on the amendment of certain laws, Act No. 580/2004 Coll. on health insurance and on the amendment of Act No. 95/2002 Coll. on insurance and on the amendment of certain laws, as amended by Act No. 718/2004 Coll., Act No. 5/2004 Coll. on employment services, Act No. 576/2004 Coll. on health care and health care-related services, Act No. 577/2004 Coll. on the scope of health care reimbursed by public health insurance and on payments for services related to the provision of health care, (x) management and administration of employees’ personal files, (xi) processing of personal data necessary for the reimbursement of partial costs of recreational vouchers pursuant to Act No. 91/2010 Coll. on tourism promotion, as amended, (xii) fulfilment of the employer’s obligations established in the field of public health by the state authorities in the application of epidemiological measures during a pandemic.|
Photos of employees: Based on the consent of the data subjects, it includes the processing of personal data necessary for: i) processing of images capturing the employees on the intranet, user accounts of certain software applications, personal questionnaire, etc., ii) sharing photos of employees within the PPA CONTROLL Group, iii) taking and disclosing photos of employees from company events on the intranet, iv) publishing stylized photos of employees on the corporate website and social networks.
Retaining data on unsuccessful job applicants: It includes the processing of personal data necessary for: i) obtaining and retaining CVs of job applicants within the PPA CONTROLL Group, ii) retaining CVs of unsuccessful applicants for the purpose of contacting them with a suitable job offer in the future.
|2. Human resources management, evaluation and development||Agreement and legitimate interest||Benefits: It includes the processing of personal data necessary in particular for: (i) providing accommodation in a recreational company cottage in Štrba at discounted prices, (ii) subsidizing the Multisport card with a contribution from the employer and sharing basic personal data of employees with the provider of this benefit (Benefit Systems, s.r.o.), (iii) provision of an allowance for children’s recreation, (iv) providing an allowance at the birth of a child, (v) providing an allowance of EUR 100 for employee weddings, (vi) providing a package of school supplies for a school-compulsory child, (vii) providing St. Nicholas hampers for minor children of employees. Personal data of employees’ minor children is processed only with the consent of their legal guardians.|
Identity verification via electronic access control system: It includes the processing of personal data necessary in particular to verify compliance with employees’ work discipline and proper compliance with their employment obligations under employment contracts and/or internal PPA regulations during the employment relationship, in particular: (i) electronic checking of compliance with the established working hours via attendance systems; (ii) checking of compliance with health and safety on construction sites; (iii) checking the presence of alcohol in the employee’s breath during working hours; (iv) checking the use of corporate motor vehicle via GPS monitoring; (v) monitoring of electronic communications; (vi) verifying the legitimacy of excess use of mobile flat-rate packages and data services; (vii) checking expenses paid by corporate credit cards;
Verifying attendance via electronic attendance system: The system includes the processing of personal data necessary for verifying an employee’s attendance by taking their photo in order to assess the right to be paid and prevent misuse of the assigned access cards, as well as for verifying the identity of persons engaged as external human resources in order to meet the safety and technical requirements of the work. The electronic attendance system does not have any functionality of automated personal data processing, does not use any biometric technology for identification or authentication of the data subject, or any other processing activity. The captured image of the employee’s or external contractor’s face is an ordinary digital photograph and is used as an authenticator to verify the actual use of the assigned access card, so that the system procedures cannot be avoided, for instance, by lending the allocated cards to other persons. Such verification of identity may be performed via a static terminal or a mobile device, in which case, apart from a photograph of the employee or of the person providing purchased performance, the location of that person at the moment of identification is also processed, based on the record of GPS coordinates.
Agenda of purchased services: It includes the processing of personal data necessary in particular for: i) cooperation and coordination of external human resources involved in the delivery of services for larger orders of the PPA CONTROLL Group, ii) recording of necessary personal data and documents of professional competence and completed work training of particular contractors and their staff, iii) processing permits to enter nuclear power plant facilities, ii) central records and sharing of basic data on external self-employed persons, iv) retaining of data after the end of cooperation for the purpose of new contracts in the future on the basis of a consent.
Training and education: It includes the processing of personal data necessary in particular for: (i) improving the knowledge of personal data protection, internal PPA rules and security measures, including via e-learning, (ii) providing language courses and various training to improve staff qualification and soft skills.
Sharing of employee data for internal administrative purposes: It includes the processing of personal data necessary in particular for: i) cooperation of PPA personnel departments in the development, management, evaluation and remuneration of employees, ii) use of information on professional qualifications in order to share human resources between several PPA Group companies, iii) sharing of basic contact and work data on employees within the PPA Group for internal business communication purposes, iv) sharing of data related to payroll accounting in order to optimize the use of personnel capacity for the administration and processing of this agenda and the preparation of statistics and reports for the needs of the PPA.
|3. Fulfilment of legal obligations||Fulfilment of legal obligations||Anti-radiation protection agenda: It includes the processing of personal data necessary for the fulfilment of the Controller’s obligations under Act No. 87/2018 Coll. on radiation protection and on the amendment of certain laws and Decree No. 99/2018 Coll. on ensuring radiation protection, in particular for: (i) processing applications for the issuance of employee exposure certificates (replacement for the “personal radiation cards”) in relation to the relevant Public Health Office of the Slovak Republic; (ii) division and registration of the Controller’s employees into A and B categories in accordance with Art. 17 (3) of the Radiation Protection Decree; (iii) processing and reporting the personal radiation exposure results from the radiation exposure records, which should be reported to the Controller by the controlled zone operator; (iii) fulfilment of notification obligations on the scheduled performance of work activities leading to radiation pursuant to Art. 23 (5) of the Radiation Protection Act or on urgent one-time performance pursuant to Art. 23 (6) of the Radiation Protection Act, or also fulfilment of other notification obligations stipulated in Art. 23 of the Radiation Protection Act; (iv) ensuring dosimetric measurement of the Controller’s employees when working in the controlled zone through the dosimetric service, including through a sub-processor, and processing the results of such personal monitoring through data reported from the radiation exposure records kept by the controlled zone operator; (v) fulfilling all the obligations of the external staff employer in relation to the controlled zone operator (e.g., presenting the results of personal monitoring if they have been monitored in the past and the results of the preventive medical examination and lists of staff to enter the controlled zone); (vi) providing co-operation and information and personal data on behalf of the Controller to an authorized public authority competent to supervise the fulfilment of these legal obligations stipulated by the Radiation Protection Act and the Radiation Protection Decree; (viii) any other fulfilment of the Controller’s legal obligation stipulated by the Radiation Protection Act or the Radiation Protection Decree, based on an agreement of the parties and, at the same time, will be the subject of personal data processing under this agreement; (ix) assistance in the fulfilment of various obligations associated with entry into the controlled zone of a nuclear power plant (e.g., processing of applications for long-term entry into KP SE for the staff of external service suppliers, etc.)|
Agenda of the economic mobilisation entity: It includes the processing of personal data by LiV ELEKTRA, a.s., necessary for the fulfilment of obligations under Act No. 179/2011 Coll. on economic mobilisation and on amendments to Act No. 387/2002 Coll. on the management of state in the situations of crisis outside the wartime, as amended, in particular for: i) processing and storage of personal data of employees of the subject of economic mobilisation or natural persons pursuant to Article 7 Paragraph 10 of the Act on Economic Mobilisation, ii) processing of data on the person responsible for the maintenance of the user’s account in the information system of economic mobilisation, iii) any other performance of a legal obligation provided for by the Act on Economic Mobilisation, or by another legal regulation, for this purpose of data processing.
Reporting and recording of anti-social activities (whistleblowing): It includes the processing of personal data necessary in particular for: (i) performing actions related to the protection of persons reporting anti-social activities by the employer pursuant to Art. 7 of Act No. 54/2019 Coll., (ii) receiving, evaluating and recording anti-social activity reports within the internal report verification system, including keeping records of such reports received for a period of 3 years.
Data subjects’ rights agenda: It includes the processing of personal data for: (i) the processing of data subjects’ requests under the GDPR and related communication; (ii) records of consents, objections or withdrawals of consents; (iii) obtaining the views of data subjects, e.g., in the impact assessment; (iv) reporting and documenting violations of personal data protection; (v) keeping records of instructions or informing authorized recipients of personal data.
Accounting and tax purposes: It includes the processing of personal data necessary in particular for: (i) registration and use of accounting documents under Art. 35 of Act No. 431/2002 Coll. on accounting and on the amendment of certain laws; (ii) retaining of invoices pursuant to Art. 76 (1) of Act No. 422/2004 Coll. on value added tax; (iii) any
Registration of shareholders – natural persons: It includes the processing of personal data of shareholders in the lists of shareholders of registered shares, which the joint-stock company is obliged to keep in accordance with the Commercial Code and the Securities Act.
Book of guests and registration of foreign nationals to the Slovak Ministry of Interior authorities: It includes the processing of personal data necessary to meet the legal obligations of an accommodation provider under Art. 24 (1) and (2) of Act No. 253/1998 Coll. on the registration of residence of citizens of the Slovak Republic and the register of inhabitants of the Slovak Republic.
|4. Proving, exercising or defending legal claims||Agreement and legitimate interest||Legal agenda: It includes the processing of personal data in particular for: (i) ensuring the typical agenda of the internal legal department, (ii) legal control and internal legal advice, (iii) reporting various facts to public authorities (including reports of various offenses and crimes) or to insurance companies (e.g., insurance events), (iv) use of legal representation and legal advice by law firms; (v) performing audit/due diligence, including providing data to potential buyers and their advisors, e.g., in the sale of a business, shares or portfolio of assets owned by PPA CONTROLL; (vi) managing the corporate agenda and fulfilling all obligations under the Commercial Code (e.g., general meetings and invitations, annual reports), (vii) preparing, securing and storing various legal submissions and evidence containing personal data, (viii) recovering receivables, (ix) sending notices and reminders of outstanding payments, (x) conducting various administrative proceedings, litigation and other legal proceedings (e.g., concluding conciliations, settlement agreements, repayment schedules), (xi) notarization and official translations, (xii) processing of visas for staff posted to third countries.|
Contractual agenda: It includes the processing of personal data necessary in particular for: (i) making changes to and performing any contracts concluded between the Controller and data subjects, (ii) approving and revising contracts by the legal department, (iii) communication between contracting parties, including processing of data on contact persons and statutory bodies of the contracting parties and other processing necessary for the proper conclusion, performance and modification of contractual relationships in which data subjects do not act as parties to the legal relationship; (iv) records of internal and external powers of attorney; (v) records of supplier-customer contractual relations between the Controller and its customers, partners and suppliers.
Client care: It includes the processing of personal data necessary in particular for: (i) handling and resolving various complaints and claims about the course of contracts beyond the scope of consumer rights with B2B customers, (ii) sending and evaluating customer satisfaction questionnaires after the completion of a business transaction.
|5. Asset protection and security||Fulfilment of legal obligations and legitimate interest.||CCTV systems: It includes the processing of personal data necessary in particular for: i) operation of CCTV systems monitoring clearly marked defined areas and facilities used in the business activities of the PPA CONTROLL Group.|
Physical access control: It includes the processing of personal data necessary in particular for: i) recording personal data of external visitors entering protected areas and facilities of PPA CONTROLL, ii) providing personal data to nuclear power plant operators to allow entry to specific persons.
IT security: It includes the processing of personal data necessary in particular for: i) control, collection and management of access rights, ii) monitoring and evaluation of suspicious events based on log analysis through specific software applications using SIEM, iii) creating security logs capturing user behaviour in important applications and systems, iv) creating security backups, including special backups on LTO tapes. During this processing, we make and store special data backups, including any personal data originally processed by PPA for purposes other than IT security backups. As part of this backup, LTO tapes are stored in a secure location other than the physical storage location of operating data under the “out-of-use” conditions of data usage; (v) vulnerability and anti-malware activity scanning; (vi) management of security incidents and violations of personal data protection; (vi) information security management in the PPA CONTROLL Group, vii) penetration testing and performance of security audits with the possibility of access to protected data.
Software development, improvement and testing: It includes the processing of personal data necessary in particular for: i) development, improvement and testing of applications created by PPA CONTROLL employees for our needs, ii) integration and configuration tests of corporate information systems by processors during migration from old systems, iii) service interventions and ongoing software modifications performed remotely by our processors based on our requirements and instructions, iv) system recovery tests based on backed up data.
|6. Marketing and PR purposes||Consent and legitimate interest||Direct marketing communication: It includes the processing of personal data necessary in particular for: (i) adapting and sending marketing electronic mail (e-mail, text messages) to existing customers, subject to the restrictions of the unsolicited electronic communication regulation or to other interested parties who have granted their prior consent; (ii) creating, customizing and sending flyers or printed addressable forms of marketing;|
PPA CONTROLL awareness raising: It includes the processing of personal data necessary in particular for: (i) managing and administering content on official profiles set up on social networks (e.g., FB, LinkedIn) and broadcast channels (YouTube), (ii) organizing events, including sending invitations to events even without consent and making photos and videos capturing the participants of such events and publishing them during promotion (usually based on a consent), (iii) publishing content and posts containing personal data within various PR content (PR articles, press releases, posts published on social networks).
|7. Statistical purposes||The legal bases of the original purposes mentioned above in connection with Recital No. 50 and Art. 89 of the GDPR.||It includes the processing of personal data necessary in particular for: (i) compiling statistical outputs, statements, reports, analyses and various working and analytical documents necessary for the internal statistical purposes of the PPA CONTROLL Group, public authorities and other legal entities; (ii) producing anonymized and aggregated statistical data from personal data processed for other legitimate purposes of personal data processing based on the legal basis and of which data subjects have been informed in due manner in accordance with Recital 50 and Art. 89 of the GDPR.|
|8. Archival purposes||The legal bases of the original purposes mentioned above in connection with Recital No. 50 and Art. 89 of the GDPR.||It includes the processing of personal data necessary in particular for: (i) keeping registry records according to the deadlines specified in the bank’s registry plan (registry administration); (ii) keeping records of incoming mail; (iii) liquidation of registry records after the expiry of their retention periods; (iv) forwarding of archival documents to the state archives; (v) discarding procedures; (vi) re-disclosure and use of registry or archival documents under the compatibility test conditions (e.g., for the purposes of proving, asserting and defending legal claims).|
To whom do we provide your personal data?
We take the confidentiality of personal data very seriously, and therefore we have adopted internal policies, thanks to which your personal data is shared only with authorized employees of the PPA Group or verified third parties. Our employees and workers may have access to your personal information solely on the “need-to-know” basis, which means that only authorized employees of a particular department to which the processing of personal data relates may have the right to access this data, where this access is typically limited by the position, function and job description of a particular employee. We only provide personal data of our clients, employees, business partners and other natural persons to the necessary extent to the following categories of personal data beneficiaries:
- other companies belonging to the PPA Group under the joint controller agreement;
- social network operators;
- software development, improvement and testing service providers;
- our professional advisers (e.g., lawyers, auditors);
- payroll and accounting firms;
- software equipment and cloud service providers (e.g., Microsoft One Drive and Sharepoint);
- web hosting service providers;
- technical (IT), organizational (event agency) and marketing support providers of our company;
- our verified and properly legally bound processors;
- institutions in fulfilling our legal obligations as an employer, e.g., Social Insurance Agency, pension management companies, supplementary pension savings banks, health insurance companies;
- The Ministry of Economy of the Slovak Republic as the administrator of the Unified Information System of Economic Mobilisation;
- banks and payment service providers;
- notaries, executors, experts, administrators of bankruptcy estates, official translators, interpreters, if necessary for proving, asserting or defending our legal claims;
- mail carriers and courier services;
- employees of the aforementioned entities.
If we use a processor for the processing of personal data, we always check in advance whether the processor meets the requirements of organizational and technical nature in terms of ensuring the security when processing your personal data. If we use our own beneficiaries (internal personnel of the PPA Group) to process personal data, your personal data is always processed on the basis of mandates and instructions by which we instruct our beneficiaries not only about internal privacy policies, but also about their legal liability for their violation. If we are asked by public authorities for access to your personal data, we examine the legislatively set conditions for making it available, so we do not provide your personal data before we check that the necessary terms are met. If you would like information regarding our current processors, please contact us through our DPO.
To which countries do we transfer your personal data?
By default, we do not transfer personal data to third countries outside the European Economic Area (EU, Iceland, Norway and Liechtenstein), if it is not necessary. In some cases, however, the cross-border transfer of personal data to third countries may be necessary. For example, if you are our employee and/or contractor who we need to send to a third country to fulfil our commitments to our clients in Cuba, Venezuela, Ukraine and/or the Russian Federation and we need your personal data to carry out the visa process, we need to provide your personal data to the authorities in that third country through consulates or embassies. Although we have never seen any problem with the misuse of any personal data in these countries, in line with the decisions of the European Commission, these countries are considered to be countries which do not ensure an adequate level of protection (of personal data), and therefore we must proceed on the basis of appropriate safeguards pursuant to Art. 47 of the GDPR or on the basis of exceptions for specific situations according to Art. 49 of the GDPR. By default, therefore we strive to conclude the so-called standard contractual clauses approved by the European Commission with the data importer in a third country – and if that is not possible – you will be asked in advance for granting specific informed consent to the performance of such processing transaction in accordance with Article 49 (1) (a) of the GDPR, if you are not in the range of employees with whom we have entered into special labour contracts for the fulfilment of which it is necessary to carry out the cross-border transfer of personal data to a third country.
Furthermore, we can also carry out cross-border transfers to third countries, which guarantee an adequate level of personal data protection on the basis of the European Commission’s decision on adequacy in accordance with Art. 45 of the GDPR, namely the United Kingdom due to the use of a processor, Chancellors LLP.
In addition, we use the secure cloud services of a trusted provider with servers located in EU jurisdictions, which may also include cross-border transfers of data to the United States by our cloud services provider, Microsoft Inc., who is our processor. This can also happen when using other services of different companies. These service providers are located in the United States, which is considered a third country not providing an adequate level of protection. Personal data is transferred outside the EU and/or European Economic Area solely in strict compliance with the protection of personal data as required by the GDPR. This is based on the judgment issued by the Court of Justice of the EU in the Schrems II case on 16 July 2020, which abolished the EU-US Privacy Shield mechanism. As regards the use of services from these companies, the cross-border transfer of personal data to the United States takes place on the basis of (new) standard contractual clauses approved by the European Commission. According to the above judgment, controllers should also accept additional safeguards if necessary. You can find a link below to reasonable and appropriate safeguards for transferring data to the United States, which we can apply when using some services:
|Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on an analysis, they are sufficient. More information is available at https://www.crowdstrike.com/data-protection-agreement/|
|https://policies.google.com/privacy?hl=en-US||Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on an analysis, they are sufficient. More information is available at https://services.google.com/fh/files/misc/workspace_and_workspace_edu_safeguards_for_international_data_transfers.pdf|
|Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on an analysis, they are sufficient. More information is available at https://about.fb.com/news/2021/03/steps-we-take-to-transfer-data-securely/|
|https://www.linkedin.com/legal/privacy-policy||Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on a specific analysis, they are sufficient. More information is available at https://www.linkedin.com/legal/l/dpa|
|Microsoft Corporation||https://privacy.microsoft.com/en-us/privacystatement||Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on a specific analysis, they are sufficient. More information is available at:|
|Proofpoint||https://www.proofpoint.com/us/legal/privacy-policy||Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on a specific analysis, they are sufficient. More information is available at:|
|Rapid7||https://www.rapid7.com/privacy-policy/||Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on a specific analysis, they are sufficient. More information is available at:|
|Tenable||https://www.tenable.com/gdpr-alignment||Standard contractual clauses approved by the European Commission pursuant to Art. 46 (2) (c) of the GDPR.||Based on a specific analysis, they are sufficient. More information is available at:|
 Recommendations of the European Data Protection Board No. 1/2020 on measures complementary to transfer instruments to ensure compliance with the level of personal data protection in the EU
General periods for retaining personal data for our specified personal data processing purposes are as follows:
|Purpose of personal data processing||Maximum retention periods for personal data|
|1. Personnel and payroll purposes||Fulfilment of legal obligations of the employer||In general, during the employment relationship and until the expiry of the legal deadlines for the retention of certain types of documents, e.g., the employee payslips and personal files are kept for 70 years from the employee’s birth. Unnecessary data is deleted from the personal file and personnel systems at the latest when the employment relationship is terminated.|
|Photos of employees||Until the consent to the processing of personal data is withdrawn or the employment relationship is terminated, whichever occurs first.|
|Retaining data on unsuccessful job applicants||Until the consent is withdrawn or 2 years from the start of processing, whichever occurs first.|
|2. Human resources management, evaluation and development|
|Benefits||Until an objection to the processing of personal data is settled, if the rights and freedoms of the data subject prevail in a specific case, otherwise until the employment relationship or the provision of benefits is terminated. The data of employees’ minor children may be deleted sooner even if the legal representative’s consent to their processing is revoked.|
|Identity verification via electronic access control system||Until an objection to processing is settled, if the rights and freedoms of the data subject prevail in a specific case, otherwise until the employment relationship is terminated. If personal data is used to infer legal liability to the employee, the data obtained in this way may be processed for longer for the compatible purposes of proving, asserting and defending legal claims.|
|Training and education||Until an objection to processing is settled, if the rights and freedoms of the data subject prevail in a specific case, otherwise until the employment relationship is terminated.|
|Agenda of purchased services||Until the termination of the contractual relationship with the data subject or the withdrawal of consent, if the data subject has agreed to the retention of his/her contact details even after the cooperation is terminated.|
|Sharing of employee data for internal administrative purposes||During the course of employment.|
|3. Fulfilment of legal obligations||Anti-radiation protection agenda||5 years following the termination of employment|
|Agenda of the economic mobilisation entity||For a maximum period of time that complies with Act No. 179/2011 Coll. on economic mobilisation and on amendments to Act No. 387/2002 Coll. on the management of the state in crisis situations outside wartime, as amended.|
|Reporting and recording of anti-social activities (whistleblowing)||3 years from the date of delivery of the complaint.|
|Data subjects’ rights agenda (GDPR)||3 years from the processing of the data subject’s request.|
|Registration of shareholders – natural persons||During the legal relationship of the shareholder and 12 months after the loss of the shareholder’s position, where this does not affect the longer retention of data for archival purposes.|
|Book of guests and registration of foreign nationals to the Slovak Ministry of Interior authorities||At most during the period in accordance with Art. 43 of Act No. 582/2004 Coll. on local taxes determined by the relevant general binding regulation of the municipality and in relation to personal data of foreigners, which we report to the relevant public authorities according to Art. 24 (2) of Act No. 253/1998 Coll., for 2 years.|
|Accounting and tax purposes||During a period of ten years following the fiscal year to which the accounting documents, accounting books, lists of the books, lists of codes or other symbols and abbreviations used in accounting, depreciation plan, inventories, inventory records, chart of accounts refer.|
|4. Proving, exercising or defending legal claims||Legal agenda||Until the legal claim expires, the right is properly exercised, and the legal claim is satisfied or the legal matter is substantively terminated and available remedies are exhausted.|
|Contractual agenda||Until the contractual relationship is terminated or an objection to the processing is filed, if in a specific case the rights and freedoms of the data subject prevail.|
|Client care||Until the assessment of customer satisfaction questionnaires after completion of an order – no longer than 1 year from the end of the order.|
|5. Asset protection and security||CCTV systems||Max. 72 hours|
|Physical access control||Max. 1 year.|
|IT security||Max. 1 year. Data stored on LTO tapes can be stored in a limited mode until they have been deleted by new backed up data – e.g., once every 6 months.|
|Software development, improvement and testing||Until software development, enhancement, and testing is complete. Unnecessary data is regularly deleted at least once a year.|
|6. Marketing and PR purposes||Direct marketing communication||Until an objection to direct marketing is received or the consent to the processing of personal data is withdrawn, if the consent is the legal basis for the processing.|
|Ad content targeting and personalization||Until the consent is withdrawn, if the consent is the legal basis for processing or until the time for using cookies expires – whichever comes first. Until an objection to the processing of personal data is properly settled, if the legal basis is a legitimate interest.|
|PPA CONTROLL awareness raising||Until an objection to processing is settled, if the rights and freedoms of the data subject prevail in a specific case – otherwise until the employment relationship is terminated. Unnecessary data is deleted at least once a year.|
|7. Statistical purposes||During the course/existence of other processing purposes, while minimizing their retention until the necessary statistical output is generated; this is without prejudice to the possibility of retaining personal data used for the original processing purposes.|
|8. Archival purposes||For the original processing purposes, during the statutory or retention period specified in the registry plan. The Bank’s registry plan is available to the data subject upon request.|
The above-mentioned retention periods are only general periods during which personal data is processed for the stated purposes. In practice, however, we proceed with the liquidation or anonymization of personal data before the end of these general periods if we consider the personal data unnecessary in view of the aforementioned processing purposes. Conversely, in some specific situations, your personal data can be kept for longer, as mentioned above, if it is required by law or our legitimate interest. If you would like more information on a specific retention period for your personal data, please do not hesitate to contact us through our DPO.
 Art. 11 (1) of Act No. 54/2019 Coll. on the protection of whistleblowers
 Art. 107o (15) of Act No. 566/2001 Coll. on securities and investment services and on the amendment of certain laws (Securities Act)
How do we obtain personal data?
Most often, we obtain your personal data directly from you. In this case, personal data is obtained on a voluntary basis. You can provide personal data to our company in different ways, for example:
- by registering on our website (as a job applicant);
- by concluding a contract with our company;
- in our mutual communication;
- by participating in events organized by our company;
- by participating in the activities of our company on the social network and our website in the event of your consent to cookies;
- by using Facebook and LinkedIn social networks in accordance with the terms of their use;
- by sending the contact form with your comments, questions or enquiries.
We may also obtain your personal data from your employer or from the company in relation to which we process your personal data. Most often, this concerns cases where we enter into or negotiate a contractual relationship or the terms thereof with the particular company. If the obtaining of personal data relates to a contractual relationship, the provision of the data is most often a contractual requirement or a requirement that is necessary to conclude a contract. Failure to provide personal data (whether yours or your colleague’s) can have negative consequences for the organization that you represent, as the contractual relationship may not be concluded or implemented. If you are a member of the statutory body in an organization which is our contracted party or with which we are negotiating the conclusion of a contractual relationship, we can obtain your personal data from publicly available sources and registers. We do not systematically process any accidentally collected personal data in any way for any of the purposes of personal data processing defined by us.
What are your rights under the GDPR if you are a data subject?
The GDPR lays down the general conditions governing the exercise of your individual rights. The existence of these rights does not automatically mean that we will grant every request to exercise them, because exceptions may apply in specific cases and some rights are linked to specific conditions that may not be met in every case. We will always handle and examine your request regarding a particular right in terms of legislation and our internal policy for handling complaints of data subjects. As a data subject you have in particular:
- The right to request access to your personal data we process in accordance with Art. 15 of the GDPR. This right includes the right to confirmation whether we process your personal data, the right to obtain access to such data and the right to obtain a copy of your personal data that we process, if technically feasible;
- The right of rectification and completion of your personal data in accordance with Art. 16 of the GDPR if we process incorrect or incomplete personal data;
- The right to erasure of your personal data in accordance with Art. 17 of the GDPR;
- The right to restrict the processing of your personal data in accordance with Art. 18 of the GDPR;
- The right to data portability in accordance with Art. 20 of the GDPR.
|“If we process personal data based on your consent to the processing of personal data, you have the right to withdraw your consent. However, such withdrawal does not affect the lawfulness of the processing of personal data before the consent is withdrawn. You have the right to effectively object to the processing of personal data for direct marketing purposes, including profiling, at any time.” |
“You have the right to object to the processing of your personal data based on legitimate interests pursued by us, as explained above. You also have this right in relation to the processing of personal data on the legal basis of public interest. In the event of an objection or upon request, we will be happy to show you the conclusions of our balance test showing the predominance of the legitimate interest pursued.”
If you believe that we process incorrect personal data concerning you with regard to the purpose and circumstances and you are unable to change such personal data through features of the application, account or website, you can request the rectification of incorrect or completion of incomplete personal data by filling in a supplementary statement (all information is optional) and/or by contacting us via our contact details:
|Supplementary statement of rectification of personal data|
|Name and surname:|
|Relevant purpose of processing by the PPA Group:||Please specify which PPA Group processing purpose your request concerns.|
|Context or relationship between you and the PPA Group:||Please indicate whether you are our employee, business partner, job applicant and the like.|
|Nature of your rectification:||Please explain whether you request rectification of incorrect personal data or completion of incomplete personal data.|
|Context of your request for rectification:||Please explain why you believe we process your inaccurate or incomplete personal data.|
|Rectification:||Please indicate which specific personal data you request to rectify or complete.|
|Please send this supplementary statement of rectification to firstname.lastname@example.org|
You also have the right to file a complaint with the Office for Personal Data Protection of the Slovak Republic or bring an action before the competent court. In any case, we recommend that you first try to resolve any disputes, questions or objections by communicating with us.
Is there an automated individual decision-making used?
No, currently we do not perform such processing transactions, based on which decisions are taken having legal effect or other major impact on your person that would be based solely on the fully automated processing of your personal data in accordance with Art. 22 of the GDPR.
How do we protect your personal data?
It is our duty to protect your personal data in an appropriate manner and therefore we pay adequate attention to its protection. Our company has implemented generally accepted technical and organizational standards to maintain the security of personal data, in particular to protect the data against loss, misuse, unauthorized modification, destruction, or other impact on the rights and freedoms of data subjects. In situations where sensitive data is transferred, we use encryption technology, for example, in communication with a payment gateway. Your personal data is stored on our secure servers or servers of our website operators that are located in data centres in the Slovak Republic and the Czech Republic. When third-party analytic tools are used, data is stored on the servers of those third parties (see cookies).
What type of cookies do we process?
|Cookies name||Purpose of use||Provider||Period of use||Type|
|_grecaptcha||Used to distinguish between people and robots. It is beneficial for a website to be able to make valid reports about its usage.||www.ppa.sk||Permanently until deleted||HTTP|
|_GRECAPTCHA||Used to distinguish between people and robots. It is beneficial for a website to be able to make correct reports about its usage.||google.com||179 days||HTTP|
|rc::a||Used to distinguish between people and robots. It is beneficial for a website to be able to make valid reports about its usage.||google.com||Permanently until deleted||HTTP|
|rc::b||Used to distinguish between people and robots.||google.com||During connection time||HTTP|
|rc::c||Used to distinguish between people and robots.||google.com||During connection time||HTTP|
|_ga||Registers a unique ID to generate statistics on how the website is used. It serves solely to anonymously aggregate statistical data to help us understand how visitors use our website.||ppa.sk||2 years||HTTP|
|_ga_#||Used by Google Analytics to collect data about the number of visits by website users and the dates of their first and following visits.||ppa.sk||2 years||HTTP|
|_gat||It is used to speed up calculations by Google Analytics. It processes statistics about our website’s usage.||ppa.sk||1 day||HTTP|
|_gid||Registers a unique ID to generate statistics on how the website is used. It serves solely to anonymously aggregate statistical data to help us understand how visitors use our website.||ppa.sk||1 day||HTTP|
|ads/ga-audiences||Used by Google AdWords to retarget visitors likely to become customers based on their online behaviour on our website.||During connection time||Pixel|
|_fbp||Used by Facebook to display third-party advertising and marketing offers.||ppa.sk||3 months||HTTP|
|VISITOR_INFO1_LIVE||Analyses user behaviour on websites with embedded videos from Youtube||Youtube.com||179 days||HTTP|
|YSC||Registers a unique ID to store statistics on how many YouTube videos a particular user has seen.||Youtube.com||During connection time||HTTP|
|Registers a unique ID to store statistics on how many YouTube videos a particular user has seen.||Youtube.com||Permanently until deleted||HTML|
|Stores the user’s video player settings when watching videos embedded from Youtube on the website.||Youtube.com||During the connection time||HTML|
|Stores the user’s video player settings when watching videos embedded from Youtube on the website.||Youtube.com||Permanently until deleted||HTML|
How to check cookies?
You can check and/or delete cookies at your own discretion – for details, please visit www.aboutcookies.org. You can delete all cookies that are already saved in your computer and also set most browsers to prevent them from being stored. Alternatively, you can use self-regulatory tools in order to identify and remove cookies, which will allow you to significantly reduce the impact of direct marketing in an online environment (e.g., http://www.youronlinechoices.eu/). In this case, deterioration of the user experience on our websites for an individual user cannot be excluded.
Social media add-ons are integrated on our website, e.g., Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA (“Facebook”). You can recognize them by the Facebook logo or by the “like” button on the website. When you visit our website, Facebook receives information that you have visited the website with your IP address. If you click the “like” button or the Facebook icon available on our website while you are signed in and/or registered to your Facebook account at the same time, the content of the website is redirected to your Facebook profile. Consequently, Facebook may associate your visit to the website with your user account. Data is transferred regardless of whether you have a Facebook account or not. When using our websites, please note that the PPA Group has no influence on the data collected and processed and is not aware of the overall scope of the data collected, the purpose of the processing or the retention time of such data. Facebook stores your information in the form of a user profile and uses it for its own advertising and market research purposes and/or to customize its services and tools of registered users. Such an assessment is mainly carried out to inform other Facebook users about your activities on our website. You are entitled to object to the creation of such user profiles, in which case you must contact Facebook. We always recommend that you sign out of your Facebook account, especially to avoid associating your online activity with your profile. For more information about the purpose and scope of your data collection and processing by Facebook, please visit the Facebook Privacy Statement at: https://www.facebook.com/policy.php.
We would also like to inform you that we can use the services provided by Facebook Ireland Limited, which are labeled as “data file custom audiences” and mean the audience management for advertising campaigns, and we may associate the data that we process with personal data processed in Facebook databases and “measurement and analytics”, within which Facebook processes personal information on our behalf to measure the performance and reach of our advertising campaigns and provide us with reports of users who have seen and responded to our advertising content. Therefore, this processing of your personal data may occur if you interact with our advertising content or our websites when using your user profile on Facebook. In such cases, we use Facebook as a processor, using the following legal safeguards to process your personal data: https://www.facebook.com/legal/terms/businesstools, https://www.facebook.com/legal/terms/dataprocessing.
Whenever the “page insights” service or site statistics related to our Facebook established profile is used, we have the status of a joint controller together with Facebook. The joint controller agreement, referred to in Art. 26 of the GDPR, is available at https://www.facebook.com/legal/terms/page_controller_addendum
If the above-described processing of personal data bothers you, you can object to it or use the self-regulatory tools developed for the online marketing sector available at http://www.aboutads.info/choices and http://www.youronlinechoices.eu/. These online tools allow you to automatically identify third-party digital identifiers (including those from Facebook) in your browser and delete them, thus preventing the possible processing of your personal data.
The use of this social network is primarily important to us because through our professionally managed account we build awareness of the PPA Group in the online environment (e.g., by adding PR content) and secondly we establish internal communication with experts and professionals whom we might be interested in employing or developing another form of professional cooperation with. Through our account, our HR specialists can communicate with our prospective business partners or eligible candidates to fill job vacancies. In addition, we can also use LinkedIn Ireland Unlimited to support our marketing and PPC (Pay Per Click) campaigns, which aim to increase the traffic to our websites or microsites. We can also use LinkedIn Campaign Manager and personalized internal mail to send our content to raise our PR and PPA awareness, or to inform you of a vacant job suitable for your profile. If we use these services, LinkedIn will act as our processor, using the following legal safeguards to process your personal data: https://legal.linkedin.com/dpa
For more information about your personal data processing by LinkedIn social network operator for its own purposes, please visit the following URL: https://www.linkedin.com/legal/privacy-policy
Personal data protection is not a one-off matter for us. The information that we are obliged to provide to you with regard to our personal data processing, can change or become out-of-date. For this reason, we reserve the right to modify or change these terms at any time and to any extent. If we change these terms significantly, we will advise you of such change, for example, by a general notice on this website or a separate notification by e-mail.
The Management of PPA CONTROLL, a.s.
Bratislava, 6th February 2023