GTC – General Terms and Conditions

 

I. Introductory Provisions

1. The Contactportal.com portal is operated by Contact Portal S.R.O., based at Mlynské nivy 48, 821 09 Bratislava, Slovakia, ID nr.: 50 971 565, TAX ID/VAT ID: SK2120542402, registered in the Commercial Register controlled by the District Court of Bratislava I, section “S.R.O”, entry no. 120759/B (hereinafter referred to as “Contact Portal”). E-mail address info@contactportal.com, tel. +421 905 818 437. The Supervisory Authority is the Slovak Trade Inspection, the STI Inspectorate for the Bratislava Region, Prievozská 32, P.O. Box 5, 820 07 Bratislava 27.

2. Contactportal.com portal is marked as a second level domain of contactportal.com and the second level domain of adressportal.eu and the second level national domains contactportal.sk/cz/at/be/cn/co.uk/de/dk/es/fr/hu/it/pl/ru/si/net/org, partner-level domains that provide their services in cooperation with Contact Portal and third or higher-level domains in the form xxx.contactportal.xx / xxx.adressportal.xx

3. The provision and use of the services at Contactportal.com is governed by these terms of contactportal.com (also hereinafter referred to as “Terms”) and, in the case of some services provided by the Independent Contact Portal or in cooperation with a third party, the particular service is governed simultaneously by separate terms of use. The specific terms and conditions that apply to the use of a particular service are listed on the relevant website.

4. Services on contactportal.com include mainly transfer, processing, storage, search and collection of data and commercial communications provided free of charge unless specifically stated otherwise (hereinafter referred to as “service” or “services”).

5. Contactportal.com Terms and Conditions are binding for all visitors to contactportal.com.

II. Registration on Contactportal.com and Protection of User's Privacy

1. Registration on contactportal.com is voluntary and registered users have the option of using extended services upon creation of a personal account (hereinafter referred to as “Account”). Unregistered visitors of contactportal.com will not have full access to some offers and services. Some sites of contactportal.com may use cookies or other tracking technologies to store information previously entered by the user/visitor. Tracking technologies can record, for example, information about internet domains, versions of web browsers and computer names, IP addresses, and date and time of contactportal.com website visit. Information which does not contain personal information of the user/visitor can be used for statistical purposes.

2. Users can create their Account on the contactportal.com website by filling out the registration form and agreeing to these Terms of Use. A condition of registration on Contactportal.com is verifying the user through a verification email sent to the email address which the user entered when registering.

3. Upon registration, Contact Portal collects and further processes information that will allow the user to be identified, directly or indirectly, by first name, surname, address, telephone number, e-mail address and other information to the extent that the user voluntarily provides Contact Portal at registration or at any time during the use of services.

4. By registering on contactportal.com, the user voluntarily grants consent to the processing of his or her personal data that he or she filled in at the registration or which he or she enters during the time of use of the Services at contactportal.com, in order for contactportal.com to provide services including the addition to the customer database, valid during the entire duration of the User Account. Contact Portal is authorized to process the personal information in the information system manually as well as through Information Technology throughout the entire service delivery period. The user is entitled to withdraw his consent at any time, taking note of the Contact Portal's authority to immediately terminate the user's services for which registration is required.

5. Contact Portal, as an Information System Operator, is entitled to entrust the processing of personal data to third parties, intermediaries, on the basis of a written contract agreement, and the list of authorized persons will be posted on contactportal.com upon authorization. The publication of an updated list of intermediaries is considered as a notice defined by § 8 Section 6 Act No. 122/2013 Coll. on Protection of Personal Data and on Changing and Amending of other Acts, resulting from amendments and additions executed by the Act No. 84/2014 Coll. (hereinafter the “Act”). In connection to the provision of services to a registered user, personal data may be part of a cross-border flow of personal data to countries within the European Union, third countries which guarantee an adequate level of protection of personal data as well as to third countries which do not guarantee an adequate level of protection of personal data in accordance with the relevant respective Act. The list of recipients to whom the data will be provided, including the countries to which the transfer is made, will be made available by Contact Portal to registered users just as the list of intermediaries.

6. Contact Portal provides data about a registered user upon request for information from a legitimate state authority or in cases where the law so requires. Furthermore, Contact Portal may provide personal data of registered users to a third party that is a successor of Contact Portal in relation to the sale, transmission or other transfer of business connected to the contactportal.com websites or services on contactportal.com.

7. User's rights are listed in § 28 et seq. Act and the user is also entitled to receive the following from Contact Portal upon written request:

  1. confirmation whether personal data had been processed,

  2. in laic form, information about the processing of personal data in the scope of the operator's, intermediary's data, the purpose of the processing of personal data, list or scope of data as well as supplementary information regarding the processing of data,

  3. in laic form, exact information about the source from which Contact Portal obtained personal data for processing,

  4. in laic form, list of personal data processed,

  5. repair or deletion of any incorrect, incomplete or out-of-date personal data that is being processed,

  6. deletion of personal data whose purpose of processing has ended; if they are the subject of the processing of official documents containing personal data, they may request their remittance,

  7. deletion of personal data which is being processed because of a violation of the law,

  8. blocking of his or her personal data for revocation of consent prior to the expiration of its validity if the operator processes data based on the consent of the person concerned.

8. Contact Portal will accommodate the requests of the registered user and will inform him/her in writing that action was taken no later than 30 days after receipt of the request. The requests of registered users will be met free of charge with the exception of requests, according to Article II. Section 7 point (iv) of these Terms, when Contact Portal is entitled to claim the amount related to cost of material for making copies, uploading technical media and sending information to the user.

9. The user agrees to receive commercial communication, such as advertising and other information about Contact Portal, its business partners and other third parties, if the user shows interest in such communication at the time of registration or later by stating that he/she is interested in receiving messages containing information about services of news offered by the operator as well as reports containing third party commercial information at the time of registration. The user's statement is considered to be a consent to the receipt of advertising material and the use of personal data for the purposes of direct marketing. Contact Portal can attach current short links, including link urls, to the end of the sent and/or received messages. The user is authorized at any time to withdraw his consent to receive commercial communication by sending an e-mail notification to the address listed on contactportal.com under Contacts or contact details provided in Article I, section (1) of these Terms or in the manner specified in a specific commercial communication e-mail (e.g., a hyperlink, etc.). If the user revokes the interest in receiving commercial communication, this has the duration of the entire user's usage of Contact Portal.

10. The user is required to provide truthful information at the time of registration in accordance with the reality. If the information presented later proves to be false or a reasonable doubt arises as to its validity, Contact Portal is entitled to terminate the user's account or temporarily restrict its use. Contact Portal is not responsible for any damage or harm to a user resulting from the cancellation or limitation of the Account.

11. Some services on contactportal.com can be used on the basis of registration of third party websites. These third parties will provide Contact Portal sign-in technology or technology to view third-party content at contactportal.com. Linking or connecting to a third-party website is only available to a user if a user on this website has logged onto a connection to a contactportal.com service. Contact Portal does not administer or control third-party websites nor is it responsible for the content of any link contained on third-party websites, nor for any changes or updates to linked sites. A user who has registered on a linked website has done so voluntarily and is responsible for reading and agreeing to the privacy and data protection policies of that site. Through the “Friends on Facebook” app (hereinafter referred to as “Application” in this section of this article), the user has the option of linking his Facebook account to the Contact Portal homepage at https://www.contactportal.com and following on this page the current status of people in the Facebook Friends category. Contact Portal uses the acquired user data solely to link the Facebook Application and in accordance with the personal settings made by the user on his/her Facebook account. The user is authorized to disconnect the Application at any time from the https://www.contactportal.com page displayed on his/her computer.

III. Rights and Obligations of Contact Portal

1. Contact Portal provides services on contactportal.com as they are, i.e. with any possible defects and does not provide a guarantee when it comes to the suitability of a particular utilization. Contact Portal does not provide users the guarantee of continuous functionality, faultless operation and server security. Contact Portal is not responsible for any damage that a user may incur in connection to the use of services on contactportal.com.

2. Contact Portal has the right to:

  1. terminate the user's registration at any time without warning without giving any reason

  2. suspend the provision of services temporarily or permanently, in whole or in part

  3. shut contactportal.com and its services down for technical reasons without any prior notice at any time

  4. exercise any other rights arising from these Terms or any other general binding legal regulations

3. Contact Portal undertakes to provide cooperation in regards to legitimate requests from state authorities and other authorized natural or legal persons. In the event that a fine or other financial or non-financial penalty is imposed on Contact Portal resulting from the user's activities on Contactportal.com, the user is liable to compensate for the damage or injury suffered in its entirety.

IV. The Rights and Obligations of the User

1. The user is required to comply with these Terms and Conditions as well as the specific terms and conditions applicable to any of these services on contactportal.com as well as the provisions of general binding legal regulations.

2. Service users on contactportal.com are forbidden to:

  1. use vulgarism, phrases or other verbal or sign language expressions whose direct or indirect meaning is contrary to generally accepted social morality and ethics,

  2. use threats and personal attacks against other service users and/or third-parties,

  3. assert untrue, unverified, misleading, insulting or false information about another person,

  4. promote violence and to incite, in a direct or implicit form, hatred on the grounds of sex, race, skin color, language, religion, political or other opinions, national or social origin, nationality or ethnic group,

  5. promote war or to describe cruel or otherwise inhumane behavior in a manner which mitigates, excuses or approves of such behavior,

  6. directly or implicitly promote alcohol, smoking, the use of narcotics, poisons and precursors or to mitigate the consequences of the use of these substances,

  7. threaten the physical, mental, or moral development of minors or to disrupt their mental health and emotional state,

  8. directly or implicitly promote the products or services of another natural or legal person,

  9. directly or implicitly promote a political party or its members,

  10. repeatedly post the same submissions, meaningless or incomprehensible texts as well as performing any activities that may lead to a reduction or decrease in the quality of the services provided,

  11. disclose personal information about others, in particular their address or telephone number, unless the person has given their consent,

  12. distribute obscene, vulgar, offensive and unlawful materials, opinions and ideas and it is forbidden to post any reference to any website with such content,

  13. abet other users and persons to behave in a way which is in violation of the general binding legal regulations established in the Slovak Republic or of moral principles,

  14. post any content which is in violation of general binding regulations established in the Slovak Republic or with good morals.

3. The user is responsible for his/her contributions and activities on contactportal.com and agrees not to use contactportal.com for purposes that are inconsistent with the generally binding legal regulations of the Slovak Republic and in violation of these Terms or conditions of a specific service.

4. The registered user may at any time ask Contact Portal to cancel his registration on contactportal.com in the manner and procedure defined by Article II of these Terms and Contact Portal will accommodate their request.

V. Content Publishing and Communication Rules

1. The content on contactportal.com is protected by copyright. The transcription, dissemination or any other type of disclosure of this content or portion thereof to the public in any way is prohibited unless prior consent is given by Contact Portal. Copyrights are reserved and operated by Contact Portal. Any use of the parts or whole, in particular reproduction and dissemination of texts, photographs or graphs in any mechanical or electronic manner, of text in all languages including Slovak, without written permission from Contact Portal is prohibited. Contact Portal, as an authorized representative of the authors of articles and other material published on contactportal.com reserves the right to grant permission to transmit articles as defined by § 33 section 1, point (a) and (d) of Act no. 618/2003 Coll. of the Copyright Act and Copyright Related Rights (Copyright Act), as amended.

2. Users are authorized, within some services, to disclose their opinions and other information on contactportal.com while Contact Portal will not initiate the transfer of this information, select the recipient of this information and will not compile or modify the information. Contact Portal is not responsible for the information transmitted on contactportal.com. User contributions to discussions and other information and content posted by users express user opinions, and Contact Portal does not assume any responsibility and does not endorse the views, contributions, and discussions in communications between users.

3. The user is required to comply with the restrictions under Article IV, part 2 of these Terms.

4. Contact Portal reserves the right to delete the content of the postings or to limit the ability of individual users to participate in the discussion and to publish content on contactportal.com if the articles violate the Terms or a previous user’s submission are suspected of violating these Terms.

5. A user who publishes his / her word, sound, image or sound-image submissions on contactportal.com, in particular articles, videos, recordings, or photographs, publishes his / her contributions without remuneration and agrees to their public dissemination and use on the Internet. The user declares that he is entitled to publish such content and has obtained all necessary permissions and rights required under applicable law to use the content on contactportal.com, also when using smart device applications.

6. Contact Portal is not responsible for any information, data, and any other content provided or disclosed by users stored on contactportal.com. If Contact Portal becomes aware of the unlawfulness of the information or content posted on contactportal.com, it will immediately prevent access or remove it.

7. If any visitor to contactportal.com believes that the content posted on contactportal.com violates these Terms and Conditions, please let us know at info@contactportal.com.

VI. Complaints and Online Customer Dispute Resolution

1. The user is entitled to submit a complaint about services in accordance with Act no. 250/2007 Coll. on Consumer Protection as amended, in writing, at the address of the operator’s headquarters or by e-mail to info@contactportal.com. In a complaint, the user is required to provide his / her name and surname, contact details, what service the complaint relates to and in a clear and comprehensible manner describe the subject matter of the claim and what the expected outcome of the claim is.

2. If the complaint does not contain details which are necessary for the dispute resolution, the operator has the right to request the user to supplement them. The period for claim settlement begins to run from the day when the missing information is provided by the user to the operator.

3. The operator will issue a confirmation to the user once the complaint has been opened. The complaint resolution will not take longer than 30 days from the date of the claim. The operator will issue the user a confirmation once the complaint has been closed and the duration of the complaint in the same form as the complaint was received.

4. The consumer has the right to contact the operator – the service provider, to request a correction if he/she is not satisfied with the manner in which the complaint was resolved or if he/she believes that his/her rights were breached. The consumer has the right to suggest an alternative dispute solution to an ADR subject if the service provider rejects the request referred to in the previous sentence or does not reply to it within 30 days of the date of receipt. The proposal is submitted by the consumer to the competent body for an alternative dispute resolution, without prejudice to the possibility of applying to the courts in the future. The conditions for alternative dispute resolution of consumer disputes are laid down in Act No. 391/2015 Coll. on Alternative Dispute Resolution of Consumer Disputes and on Amendments to Certain Laws. The consumer can also use the online dispute resolution platform established by the European Commission at its web site https://webgate.ec.europa.eu/odr/.

VII. Concluding Provisions

1. Contact Portal is authorized at any time at its sole discretion to alter the Terms and scope of services provided on contactportal.com. The change is valid and effective on the date specified in the Terms. Contact Portal reserves the right to change or completely replace these Terms with new wording of the Terms (hereinafter referred to as “change of terms”). The change of terms will be published at https://www.contactportal.com at the latest on the effective date.

2. The user is required to acquaint him/herself with changes to the Terms. If the user continues to use services after changes to these Contact Portal Terms are made, it is assumed that the user agrees with the change without reservation. If a registered user does not agree with the change, he/she may request the cancellation of his/her registration in accordance with the procedure in Section VI of the Terms.

3. The user and the Contact Portal have agreed that relationships arising from any use of contactportal.com and its services are governed by the effective wording of the Terms and Conditions of the Commercial Code No. 533/1991 Coll. as amended.

These Terms come into force on 01.06.2020.

IMPACT ASSESSMENT

FOR THE PROTECTION OF PERSONAL DATA ACCORDING TO ACT 18/2018 COLL.

Contents

  1. Basic terms
  2. A systematic description of the planned processing operations and processing purposes, including any legitimate interest pursued by the controller;
  3. Assessment of the necessity and adequacy of processing operations in relation to the purpose;
  4. An assessment of the risk to the rights and freedoms of data subjects arising from the very nature of the intended processing of personal data;
  5. Risk management measures, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation;
  6. Taking into account the rights and legitimate interests of the persons concerned and of other persons concerned by the intended processing.

Meaning of abbreviations used in the document:

Personal information

IS Information System

ID Identification data; Identifier

AIS Automated information system

DIS Documentary information system

BP Security Project

TP Technical means used to process personal data

IT Information technologies

VT Information technology

PC Personal computer 

OS Operating software

HW Hardware 

SW Software 

LAN Local computer network

ASW Application SW / functional program unit for data manipulation /

AV Antivirus software 

BOZP Health and safety at work

PO Fire protection

CO Civil defence

EPS Fire alarm

HaZZ Fire and Rescue Service

SHZ Stable fire extinguishing system

GDPR General Data Protection Regulation

  1. BASIC TERMS

Personal data are data relating to an identified or identifiable natural person, such person being a person who can be identified directly or indirectly, in particular by a generally applicable identifier or by one or more of the characteristics or features which make up his physical, physiological, mental, economic, cultural or social identity.

the data subject shall be any natural person to whom personal data relate,

the controller means anyone who alone or jointly with others defines the purpose of the processing of personal data, determines the conditions of their processing and processes personal data in his own name; if the purpose or conditions of personal data processing are stipulated by law, a directly enforceable legally binding act of the European Union or an international agreement by which the Slovak Republic is bound, the controller is the one who is established to fulfill the purpose of processing or who fulfills the conditions laid down by the law, directly enforceable legally binding act of the European Union or international agreement by which the Slovak Republic is bound,

a representative of the controller means anyone who represents a controller in the territory of the Slovak Republic with a registered office, organizational unit, establishment or permanent residence in a third country,

an intermediary is anyone who processes personal data on behalf of the controller, to the extent and under the conditions agreed with the controller in a written contract and in accordance with the law,

authorized person means any natural person who comes into contact with personal data in the course of his employment, civil service, employment, membership relationship, by delegation, election or appointment, or in the exercise of a public function, and who processes personal data to the extent and in the manner specified in the instruction,

a third party is anyone who is not the data subject, the controller providing the personal data, his representative, intermediary or authorized person,

the recipient is anyone to whom personal data are provided or made available, and the recipient may also be a third party; the controller processing the personal data and the authority carrying out the tasks provided for by law shall not be considered as recipients.

processing of personal data, the execution of operations or a set of operations on personal data, in particular their acquisition, collection, dissemination, recording, organization, processing or modification, retrieval, browsing, regrouping, combining, moving, exploiting, storing, blocking, disposing of, providing, making available or publishing; certain operations with personal data are understood according to the first sentence

by providing personal data, the transfer of personal data to a third party who further processes them,

by making personal data available, notification of personal data or allowing access to them to a recipient who does not further process them,

publishing personal data, publishing or displaying personal data to the public through the media, publicly accessible computer networks, public performance or exhibition of work, public statement, public listing, register or opera, placing them on an official notice board or other public accessible place,

cross-border transfer of personal data, transfer of personal data outside the territory of the Slovak Republic and to the territory of the Slovak Republic,

liquidation of personal data, cancellation of personal data by decomposition, erasure or physical destruction of material media so that personal data cannot be reproduced from them,

blocking of personal data temporarily or permanently suspends the processing of personal data, during which only those operations with personal data which are necessary for the fulfillment of the obligation imposed by law may be performed,

information system of personal data, an information system in which any ordered set of personal data accessible according to specified criteria is systematically processed or is to be processed for a pre-defined or established purpose, whether the information system is centralized, decentralized or distributed on a functional or geographical basis (hereinafter referred to as the “Information System”); for the purposes of the law, an information system also means a set of personal data that are processed or prepared for processing by partially automated or non-automated means of processing,

the purpose of the processing of personal data is a clearly defined or established intention to process personal data, which is linked to a certain activity,

with the consent of the data subject, any freely given express and comprehensible expression of will by which the data subject consents to the processing of his or her personal data on the basis of the information provided,

conditions of personal data processing means and form of processing personal data, as well as other requirements, criteria or instructions related to the processing of personal data or the performance of acts that serve to achieve the purpose of processing, either before or during personal data processing,

biometric data means a personal data of a natural person indicating his or her biological or physiological property or characteristic, on the basis of which he or she is unambiguously and indistinguishably identifiable; biometric data are mainly fingerprint, palmprint, DNA analysis,

a universally applicable identifier is the permanent personal identification data of the person concerned, which ensures his or her uniqueness in information systems,

address a set of data on the stay of a natural person, which includes the name of the street, indicative or census number of the house, the name of the municipality, or the name of a part of the municipality, postal code, name of the district, name of the state,

anonymised data means personal data modified in such a way that they cannot be attributed to the data subject to whom they relate,

a space accessible to the public which is open to the public and of which it is free to stay without a time limit or within a limited time, other restrictions, if any, and fulfilled by the person do not affect the entry and free movement of the person in that area, or the space thus designated by a special law,

a Member State is a Member State of the European Union or a Contracting Party to the Agreement on the European Economic Area,

a third country is a country which is not a Member State of the European Union or a Contracting Party to the Agreement on the European Economic Area,

public interest, an important interest of the state realized in the exercise of public power, which prevails over the legitimate interest of a natural person or several natural persons, and without its implementation, extensive or irreparable damage could occur.

2. SYSTEMATIC DESCRIPTION OF PLANNED PROCESSING OPERATIONS AND PROCESSING PURPOSES, INCLUDING ANY LEGAL INTEREST OBSERVED BY THE CONTROLLER

Controller profile:

Contact portal s.r.o.
Mlynské nivy 48
821 09 Bratislava
Slovakia

ID no.: 50971565
VAT ID: SK2120542402

1 / Information system: IS Wages and Human Resources

List of personal data processed in payroll and human resources information systems

Also special categories of personal data, mainly due to the registration of birth numbers.

  • name, surname and title, nationality, nationality, date and place of birth, birth number,
  • contacts / telephone, e-mail, etc. /, contact addresses,
  • insurance information and bank account numbers,
  • information on work performed and salary,
  • selected information on health status – register of accidents, confirmation of medical fitness for work, notifications of medical treatments and PN, personal questionnaire
  • the photo

Data on family members of employees are processed:

  • name, surname and title, nationality, date and place of birth, contacts / telephone, e-mail, etc … /, contact addresses, birth number, income information (for social benefits)

The controller processes this data in documents for the purpose of:

  • managing the personnel and payroll of employees
  • job seekers
  • book of visitors
  • attendance

List of personal data for application software:

  • name, surname and title, ID card number or passport,
  • business name, if it is a legal person or a natural person – entrepreneur,
  • bank account number, contacts / telephone, e-mail, etc. … /, contact addresses

2 / Information system: IS Accounting and accounting documents

The controller processes this data in the application software and in documents in order to:

  • bookkeeping

List of personal data for application software:

  • name, surname and title, number of ID card or passport, ID number, if it is a natural person – entrepreneur,
  • account number, contacts / telephone, e-mail, etc. … /, contact addresses

3 / Information system: IS Registry

There are also special categories of personal data in the IS Administration of the Registry, mainly due to the registration of birth numbers.

  • name, surname and title, nationality, nationality, date and place of birth, birth number,
  • contacts / telephone, e-mail, etc. … /, contact addresses

The controller processes this data in the application software and in documents in order to:

  • records of incoming and outgoing mail

4 / Information system: IS Clients

There are no special categories of personal data in IS Clients.

  • name, surname and title,
  • contacts / telephone, e-mail, etc. … /, contact addresses

The controller processes this data in the application software and in documents for the purpose of:

  • client records
  • invoicing

5 / Information system: IS Marketing

There are no special categories of personal data in IS Marketing Report.

  • name, surname and title,
  • contacts / telephone, e-mail, etc. … /, contact addresses

The controller processes this data in the application software and in documents for the purpose of:

  • sending offers and news to clients

3. ASSESSMENT OF THE NECESSITY AND APPROPRIATENESS OF PROCESSING OPERATIONS IN RELATION TO THE PURPOSE

The controller shall implement appropriate technical and organizational measures to ensure that, by default, its systems process only personal data that are strictly necessary (and no other) for each specific processing purpose. Likewise, these systems must ensure that the data are not processed indefinitely, but only for the time necessary. Likewise, such measures must ensure that personal data are not normally accessible to an unlimited number of employees of the controller, but only to employees who strictly need access to such personal data.

4. ASSESSMENT OF THE RISK TO THE RIGHTS AND FREEDOMS OF THE PERSONS CONCERNED BY THE PURPOSE OF THE INTENDED PROCESSING OF PERSONAL DATA

The controller is aware of the importance of protecting information that is important for the activities of the organization and the fulfillment of the business plan, and is determined to protect its reputation and the quality of the services provided. For this reason, it has adopted an IT Security Policy, which describes how to ensure the overall security of the IS. Furthermore, it undertakes to meet all the requirements of the legislation in force in the Slovak Republic, the contractual requirements, and the financial and organizational conditions necessary for the implementation of security measures, and to educate and train all employees in order to raise safety awareness.

Following the application of the principles and measures set out in the documentation, the following risks will remain uncovered: 

  • theft or destruction of personal data in the event of the forcible intrusion of strangers into the premises of the operator,
  • destruction or damage to documents and computers due to network failure,
  • destruction of the operator’s facility and the AIS and DIS stored in it by fire, flood or other natural disaster. 

5. MEASURES TO ADDRESS THE RISKS INCLUDING (LEGAL) GUARANTEES, SECURITY MEASURES AND MECHANISMS TO ENSURE THE PROTECTION OF PERSONAL DATA AND TO DEMONSTRATE COMPLIANCE WITH THIS REGULATION

Technical measures

Personal data must be stored in the so-called secured premises of the operator and protected from access by unauthorized persons. All areas of the operator must be secured against unauthorized entry using appropriate means of restraint (safety nets, etc.), as well as protection mechanisms (alarms, locks, etc.).

Place monitors in individual offices in such a way that an unauthorized person cannot become acquainted with the processed personal data when entering the room. If this is not possible, use privacy filters to restrict the view of unauthorized persons.

Assets whose activities do not require the frequent presence of the operator are to be locked and inspected at regular intervals.

From the point of view of fire safety, the law on fire protection is complied with – the place of operation is equipped with fire extinguishing technology.

Protection against unauthorized access

Ensure data encryption so that the web host’s message does not access the access data. Ensure, as far as possible, that when an external consultant is connected to the company via remote access, he or she cannot become acquainted with any personal data – close the document containing the personal data.

Controlling the access of authorized persons

The aim of this type of measure is to allow access to information systems only to authorized users and authorized persons.

The establishment of access is performed by the operator of the company, taking care to comply with the requirement that the user should have access only to those parts of the information system that he urgently needs.

The granting of access rights is performed by the company’s controller, whereby:

– each user has a unique ID to ensure responsibility for, or provability of, activities performed within the information system.

The user ID must be checked regularly, at least once every 6 months.

Malware protection and network security

The operator implements the measures taken against malicious code at the level of:

– malicious code detection

– repair software and change management as part of security measures for change management

– adequate access for workers to information systems.

The use of unauthorized software is prohibited in the controller’s conditions. Software can only be procured from trusted sources so as not to infringe copyright. All workstations must be equipped with anti-virus detection software as well as correction software for the automatic scanning of all files and media (archival, backup, etc.), of e-mail and of the controller’s website.

Malicious code definition files and antivirus scanning processes must be updated regularly, at least once a day.

In order to filter traffic and block unauthorized access to operator assets, workstations need to be secured by a firewall.

Backup

Backing up the databases of a computer system is a process in which a copy of all the database files of the program or its most important part is created, necessary to restore the functionality of all databases in the event of a crash, malfunction or theft of the computer.

Standard compression formats, such as ZIP or RAR, are most often used to create backup files.

Backup frequency:

1. Daily backup (operational) – performing daily backups on the same hard disk on which the program is located, every day after finishing work in the application program, through the function of the application program.

2. Weekly / Monthly backup (archiving) – performing backups on external media – server. Backups used for data archiving are created at regular intervals. Backing up to external media is a more secure way to eliminate the risk of technical or other hard drive failure. On the other hand, there is a higher risk of data breach, as the data is on multiple media.

Disposal of personal data

The authorized person is entitled to process personal data only during the time necessary to achieve the given purpose. After the end of the purpose of processing, it is necessary to ensure the disposal of documents containing personal data kept in writing on paper, unless a special law provides otherwise!

The controller is obliged to destroy personal data when the purpose of processing is fulfilled!

Methods of disposal of personal data:

1. paper form: physically destroy in a shredder; if we dispose of only part of the data (text on paper), this information must be blacked out in such a way that its contents cannot be disclosed

2. electronic form: permanent deletion from the server or hard disk, or overwriting of personal data with blank characters or other text.

OS and software application update

Regular updating of the OS, application programs and the antivirus system from the Internet is ensured.

Regular updates allow the user to use the latest versions of software applications and antivirus protection. The user is notified of the automatic update and the possibility of installing it by restarting the system immediately or when it is shut down.

Organizational arrangements – Personnel arrangements

The aim of personnel measures to ensure the protection of personal data is to reduce the risk of human failure to protect personal data, in particular such manifestations as theft, loss, damage, alteration, dissemination, unauthorized disclosure of personal data or their provision to unauthorized persons.

The basic measures include in particular:

a) Only authorized persons of a specific workplace may handle personal data. Data processing must be in accordance with the law on personal data protection, as amended.

b) Ensure that only authorized persons and the operator have access to personal data in the IS.

c) The use of technical means for the processing of personal information is permitted only to persons authorized to acquaint themselves with personal information. Employees who have allocated technical resources are responsible for their proper operation and must follow all principles of working with them.

d) Every authorized person is obliged to maintain the confidentiality of the personal data they process. The duty of confidentiality continues even after the end of processing. They shall not be bound by the obligation of professional secrecy if, in accordance with a special law, this is necessary for the performance of the tasks of bodies active in criminal proceedings. The duty of confidentiality also applies to other natural persons who come into contact with personal data in the course of their activities, for example an IT technician. The duty of confidentiality continues even after the termination of the function of the entitled person or after the termination of his employment or similar employment relationship.

In the event of a breach of information security in the area of the information system and the local network, the activities are coordinated by the authorized IT employee. In the event of a breach of information security in the area of documents, telephone and mobile networks, the activities are coordinated by an authorized employee.

Management of access of authorized persons to IS

Protection of the computer against unauthorized access by setting rules for the IS operator using passwords to the LAN / WIFI network, PC system as well as application programs.

In particular use:

  • a password to log in to the computer’s operating system
  • computer key security
  • a password when entering the application program
  • in the future, access to a PC using some of the modern hardware means (chip cards, hardware key)
  • other passwords for different levels of access to the information system, which change regularly.

The aim of this type of measure is to allow access to the operator’s network resources and information systems only to authorized users and authorized persons.

Login and login passwords

The authorized person is obliged to secure the computer on which he processes personal data with a password in accordance with the provisions of the relevant security documentation, i.e. the password must have at least 6 characters and must consist of a combination of letters and numbers, lowercase and uppercase letters, or special characters (+, *, @, &, # …).

Organization of personal data processing

Paper documentation handling

Personal data are also processed in a non-automated manner in the information system in written form on paper stored in paper envelopes. The authorized person stores these documents in lockable containers or other lockable devices and in a lockable room. Documents containing personal data must be inaccessible during the absence of the authorized person, either by locking the room or the cabinet in which the personal data is stored. In no case may documents containing personal data be accessible to anyone entering the room where the personal data are processed during the absence of the authorized person. When leaving the workplace, if there is no longer any authorized person at the workplace, the authorized person is obliged to lock the doors and close the windows of the room where the PC and information systems containing personal data are located.

Transmission of documents containing personal data

a) Documents with personal data in the form of orders, invoices, receipts of payment may be transferred outside the workplace only in a sealed envelope or sealed package, with an opening sealed with adhesive tape and cross-stamped with the operation stamp and the signature of the authorized person.

b) Documents prepared in this way are transmitted only by the operator’s authorized personnel for this activity.

c) Documents containing personal data shall, if necessary, be sent exclusively by registered first-class postal item or courier.

d) In the event that the operator receives a consignment containing personal data in damaged packaging, it shall check the reason for the damage with the delivering person and confirm the contents of the consignment with the sender.

Reproduction of documents containing personal data

a) Reproduction means the repeated printing of documents from an automated system, making photocopies, copies and extracts of documents with sensitive personal data.

b) Documents may be reproduced by the responsible person or a person authorized by him, who is authorized to work with personal data in the IS. This person is required to print and copy documents so that an unauthorized person cannot become familiar with them – the authorized person must not leave the output from the printer freely in the printer tray. Any output from the printer that is not and will not be subject to further processing must be disposed of by an authorized person by shredding.

Roles and responsibilities of the controller when working with automated IS

a) The authorized person uses only those assets that have been approved by the controller for the processing of personal data. It is inadmissible to use private laptops, mobile phones for processing without the designated employee of the operator – an authorized IT employee approving such use.

b) While working with the IS, the authorized person continuously monitors its activities and consults any incorrect behavior with the superior or the IT employee.

c) The authorized person is obliged to immediately inform his / her responsible IT employee in case of suspicion of the occurrence of a technical failure on electronic technical equipment, which could result in a breach of the security of personal data.

d) When working with a PC, the authorized person must not ignore the so-called warning messages or signs of errors, or other incorrect or unusual operation of the PC, but must immediately report such “deviation” to the person responsible for maintenance and service of computers in which personal data is located, i.e. IT staff.

e) When processing personal data via a PC, the authorized person is obliged to ensure that the monitor screens do not make the personal data of the data subjects accessible to other natural persons (e.g. anyone who enters the room where personal data is processed).

f) The authorized person must avoid actions that would result in infecting the computer with malicious code, downloading socially unacceptable content and installing software, unless it has been approved in advance by the operator.

g) The authorized person is obliged to use technical means in such a way as not to allow the sharing of copyrighted data as well as personal data by other users of the Internet.

h) The authorized person may not use the assets of the operator for any unauthorized attack, attempted attack or intrusion into other information systems and similar activities not approved by the operator or illegal.

i) The authorized person may use the technical means of the operator for private purposes only with his consent. Auxiliary service personnel must not have access to the information system. In the absence of authorized persons, the space with the IS must be locked and access to the computer must be password protected.

j) The authorized person is obliged to ensure that his behavior does not cause other, non-material damage, damage to the good name and reputation of the operator.

k) The stay of persons, including authorized persons, in premises where information systems containing personal data are located, after working hours is possible only with the consent of the statutory body of the operator.

Principles for the use of laptops

a) When working with a laptop, store files with personal data, confidential information only when necessary. The user is responsible for the physical protection of the portable device against theft, misuse, damage.

b) It is forbidden to work with confidential information and personal data in publicly accessible places (cafes, waiting rooms, etc.).

c) Files with personal data and confidential information stored on the physical medium during the transfer must be stored in encrypted form, encrypted by specialized software using a sufficiently strong cryptographic algorithm, or executable only by a special application.

d) In the event that the authorized person works with the personal data of the operator in the home environment, he may not use private e-mail boxes on freely available e-mail servers for this purpose, but only work e-mail boxes. He must also take measures to ensure that personal data processed in the home environment are not made available, provided or published without authorization, and to avoid any inadmissible forms of processing in which personal data may be disclosed to unauthorized persons.

Principles of working with electronic mail

a) It is forbidden to disseminate confidential information of the IS operator via email, telephone calls or other means of communication.

b) When sending personal data via e-mail, the authorized person always thoroughly verifies the correctness of the e-mail address. The authorized person is obliged to use the anti-virus protection of incoming and outgoing mail and never turn it off.

c) When sending e-mail, the authorized person uses security. The authorized person must not respond to “send this email to all your friends” messages. Doing so is a violation of Internet ethics, bothers other users and overwhelms communication lines.

d) It is forbidden to send and open attachments – attached files in e-mail, which may in some way endanger or damage the operation of the information system, permanently or temporarily reduce its performance or endanger its security.

Security incidents

Data recording is necessary both for taking appropriate ongoing measures and for the subsequent analysis of the course of the security incident in order to prevent recurrence. If necessary, the responsible employee of the operator implements measures to prevent further consequences of the incident, as well as the possibility of its recurrence. Subsequently, if personal data have been leaked, the incident must be reported to the Personal Data Protection Authority within 72 hours at the latest. The control activity is provided by a designated employee.

6. TAKING INTO ACCOUNT THE RIGHTS AND LEGAL INTERESTS OF THE PERSONS CONCERNED AND OTHER PERSONS CONCERNED BY THE INTENDED PROCESSING

The basic security purpose of this document is the protection of personal data of all concerned persons – employees of the operator (also potential), who provided their personal data for the purpose of establishing an employment relationship. This fact also includes the protection of personal data of external collaborators with whom the operator may come into contact within the scope of its business. The personal data of the persons concerned, clients – customers of the operator will also be protected. Furthermore, all persons who are allowed to enter the operator’s premises may be affected persons within the meaning of this security plan.

The operator shall provide the persons concerned with the following:

  • clearly and specifically define the purpose of the processing before the start of the processing,
  • the obligation to report the incident to the person concerned in serious cases,
  • the right to the portability of the data of the persons concerned,
  • the right of the data subject to deletion (if the data is processed illegally),
  • the possibility to withdraw the consent of the person concerned at any time,
  • to collect personal data separately for different purposes,
  • not to combine personal data obtained for different purposes,
  • process only correct, complete and up-to-date personal data,
  • block, correct or supplement incorrect and incomplete personal data,
  • destroy incorrect data that cannot be corrected or supplemented,
  • ensure that personal data are processed in a form which permits identification of data subjects for no longer than is necessary to achieve the purpose of the processing,
  • destroy personal data whose purpose of processing has ended,
  • process personal data in accordance with good morals,
  • not enforce the consent of the person concerned by threatening to refuse a contractual relationship, supply of services or goods,
  • provide information in a generally comprehensible form on the status of the processing of personal data to the extent: name, registered office or permanent residence, legal form and identification number of the controller; name and surname of the statutory body of the operator; identification system of the information system; the purpose of the processing, the list of personal data and the circle of data subjects; the range of recipients to whom the data are or will be made available, third parties to whom the personal data are or will be provided; third countries to which personal data are transferred; the legal basis of the information system; the form of disclosure, if the disclosure of personal data is carried out; a general description of the measures to ensure the protection of personal data and the date of commencement and time of processing,
  • accurate information in a generally comprehensible form about the source from which the personal data were obtained,
  • a copy of personal data in a generally comprehensible form,
  • correct incorrect, incomplete or outdated personal data,
  • dispose of personal data after fulfilling the purpose of processing; return official documents if they have been processed,
  • liquidation of personal data if the law has been violated,
  • immediate written notification to the data subject and to the Office for Personal Data Protection of the Slovak Republic that, on the basis of a written request of the authorized person whose rights were restricted, his / her incorrect, incomplete or outdated personal data were corrected or possibly disposed of and, if official documents containing personal data have been processed, that they have been returned,
  • implementation of technical, personnel and organizational measures and oversight of their application in practice,
  • supervising the selection of the intermediary and preparing a written contract or mandate for the intermediary; verification of compliance with the agreed conditions,
  • supervision of the cross-border flow of personal data.

Created by: Peter Jurák

Approved by: Mgr. Michal Miklós, executive manager Contact portal s.r.o.