GDPR MAX INN Hotel Bratislava

The fundamental rights of natural persons include their protection in connection with the processing of their personal data. The purpose of this Directive is to harmonize the protection of the fundamental rights and freedoms of natural persons in MAXIN s.r.o. in connection with the processing of personal data and to ensure the free flow of personal data in accordance with the rules of the GDPR and the implementing regulations. By adopting this Directive, we are creating a space for the harmonization of the functioning of our information systems in the processing of personal data of natural persons with the GDPR. 

Article 1

Definition of basic terms

'personal data' means any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

'processing' means an operation or set of operations concerning personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, whether or not carried out by automated or non-automated means;

'restriction of processing' means the marking of personal data stored in order to restrict their processing in the future;

'profiling' means any form of automated processing of personal data which consists of using those personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of the natural person concerned relating to job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements;

'pseudonymisation' means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

'information system' means any organised collection of personal data which is accessible according to specified criteria, whether the system is centralised, decentralised or distributed on a functional or geographical basis;

'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are laid down in Union law or in the law of a Member State, the controller or the specific criteria for determining him or her may be determined in Union law or in the law of a Member State;

'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

'recipient' means the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the context of a specific survey in accordance with Union or Member State law shall not be considered as recipients; the processing of those data by those public authorities shall be carried out in accordance with the applicable data protection rules, depending on the purposes of the processing;

'third party' means a natural or legal person, a public authority, an agency or an entity other than the data subject, the controller, the processor and persons who are entrusted with the processing of personal data on the direct authority of the controller or processor;

'data subject consent' means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she consents, by means of a statement or an unambiguous affirmative act, to the processing of personal data concerning him or her;

'personal data breach' means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;

'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which result, in particular, from the analysis of a biological sample of that natural person;

'biometric data' means personal data which are the result of specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person and which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

'health-related data' means personal data relating to the physical or mental health of a natural person, including data relating to the provision of healthcare services, which reveal information about his or her state of health.

Other terms are defined in Article 4 of the GDPR.

Article 2

Personal data processing principles

The controller must comply with the following principles when processing personal data:

LAWFULNESS - At least one of the following conditions must be met:

the data subject has consented to the processing of his or her personal data;

the processing is necessary for the performance of a contract to which the data subject is a party;

the processing is necessary for compliance with a legal obligation of the controller; 

processing is necessary to protect the vital interests of the data subject or another natural person;

the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

FAIRNESS and TRANSPARENCY - The data subject must be informed, in the required form, that his or her personal data are collected and processed, pursuant to Articles 13 and 14 of the GDPR. The controller shall inform the data subject of the measures taken following a request pursuant to Articles 15 to 22 of the GDPR without undue delay (at most within one month of receipt of the request); point out the risks, rules, safeguards and rights relating to the processing of personal data, as well as how those rights can be exercised; where profiling is used, apply appropriate mathematical or statistical procedures and measures to minimise the risk of errors; and inform the data subject if the data are to be used for a purpose other than that for which they were originally collected.

PURPOSE LIMITATION - Personal data is collected for specified, explicit and legitimate purposes and may not be processed in a way that is incompatible with those purposes;

DATA MINIMISATION - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

STORAGE LIMITATION - Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

CORRECTNESS and UPDATING - Data that is incorrect in relation to the purposes for which it is processed shall be deleted or rectified without delay;

INTEGRITY, CONFIDENTIALITY, ACCESSIBILITY, AVAILABILITY - Personal data must be processed in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures;

INTEGRITY: preventing undetected modification of data, excluding unauthorised interference with data during processing;

CONFIDENTIALITY: only authorised persons have access to the data;

AVAILABILITY: data is available to authorised persons whenever they need it;

RESPONSIBILITY - The controller is responsible for the compliance of the measures taken with the GDPR and must be able to demonstrate such compliance;

DATA PROTECTION BY DESIGN AND BY DEFAULT - the controller shall, both at the time of determining the means of processing and at the time of the processing itself, incorporate the necessary safeguards into the processing in order to comply with the requirements of the GDPR and to protect the rights of data subjects.

Article 3

Consent of the data subject to the processing of personal data

If the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.

Where the data subject gives consent in the context of a written declaration which also covers other facts, the request for consent must be presented in a way that is clearly distinguishable from those other facts, in a comprehensible and easily accessible form, and formulated in a clear and simple manner. Any part of such a statement which constitutes a breach of this Regulation shall not be binding.

The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject must be informed of this fact before consent is given. Withdrawal of consent must be as simple as providing it.

In assessing whether consent has been freely given, account shall be taken, as far as possible, inter alia, of whether the performance of the contract, including the provision of the service, is conditional on consent to the processing of personal data which is not necessary for the performance of the contract.

Article 4

Information systems and personal data

Information systems

For each information system in the company that contains personal data, a so-called "Information System Record Sheet" is drawn up, containing the following data:

Name and location of the Personal Data Information System

Personal data processed

Circle of persons concerned

Source of obtaining personal data

Retention period of personal data

Purposes of the processing of personal data

Legal basis for the processing of personal data

To whom the personal data is provided, for what purposes and the legal basis for the provision

To whom the data are made available, for what purpose and the legal basis for making them available

Where personal data are published, for what purposes and the legal basis for publication

Who processes the personal data (controller/processor)

Method of handling the data after the purpose of processing has been fulfilled and ended

A list of information systems is attached as Annex 1 to this Directive;

A specimen of the "Information System Record Sheet" is attached as Annex 2 to this Directive;

The list of persons authorised to process personal data is in Annex 3 of this Directive.

Article 5

Information and access to personal data

1. Information to be provided when obtaining personal data from the data subject

1.1 Where personal data relating to the data subject are obtained directly from the data subject, the controller is obliged to provide the data subject with information in accordance with Article 13 GDPR when obtaining the personal data, in particular:

Identity and contact details of the controller

Contact details of the responsible person (if appointed)

Purposes for which the personal data are processed and the legal basis for the processing

Legitimate interests pursued by the controller or a third party (if the processing is based on Article 6(1)(f) GDPR, the processing is necessary for the purposes of the legitimate interests pursued by the controller)

Recipients or categories of recipients of personal data (if any)

Information that the controller intends to transfer the personal data to a third country or an international organisation (Article 13(1)(f) GDPR)

Period of retention of personal data (or criteria for determining it)

The existence of the right to request access to personal data from the controller and the right to rectification or erasure or restriction of processing, or the right to object to processing, as well as the right to data portability

The existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent given prior to its withdrawal (where the processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR)

The right to lodge a complaint with the supervisory authority;

Information on whether the provision of personal data is a legal or contractual requirement or a requirement necessary for entering into a contract, whether the data subject is obliged to provide personal data, as well as the possible consequences of not providing such data

The existence of automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the procedure used as well as the significance and foreseeable consequences of such processing for the data subject.

The source from which the personal data originate

2. Information to be provided where personal data have not been collected from the data subject

2.1 If the personal data have not been obtained by the controller from the data subject, the following information must be provided to the data subject pursuant to Article 14 of the GDPR:

the identity and contact details of the controller and, where applicable, the controller's representative;

the contact details of the responsible person, if any; 

the purposes for which the personal data are processed, as well as the legal basis for the processing;

categories of personal data concerned;

the recipients or categories of recipients of the personal data, if any;

where applicable, information that the controller intends to transfer the personal data to a recipient in a third country or an international organisation and information on the existence or non-existence of a Commission adequacy decision or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1) of the GDPR, a reference to adequate or appropriate safeguards and the means of obtaining a copy thereof or where they have been provided.

2.2 In addition to the information referred to in point 2.1 of this Article, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing with regard to the data subject:

the period of retention of the personal data or, if this is not possible, the criteria for determining it;

where the processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or the third party;

the existence of the right to require the controller to have access to personal data relating to the data subject and the right to rectification or erasure or restriction of processing and the right to object to processing, as well as the right to data portability;

where the processing is based on Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent given prior to its withdrawal;

the right to lodge a complaint with the supervisory authority;

the source of the personal data or whether the data come from publicly available sources;

the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the procedure used as well as the significance and foreseeable consequences of such processing for the data subject.

2.3 The controller shall provide the information referred to in points 2.1 and 2.2 of this Article:

within a reasonable period after receipt of the personal data, but at the latest within one month, taking into account the specific circumstances in which the personal data are processed;

if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication with that data subject; or

where the personal data are intended to be disclosed to a further recipient, at the latest when the personal data are first disclosed.

2.4 If the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall, before such further processing, provide the data subject with information about that other purpose and any other relevant information referred to in point 2.1 of this Article.

2.5 Points 2.1 - 2.4 do not apply in the cases set out in Article 14(5) GDPR.

3. Right of access to personal data of the data subject

3.1 The data subject shall have the right to obtain from the controller, upon request pursuant to Article 15 GDPR, confirmation as to whether personal data relating to him or her are being processed and, if so, the right to obtain access to such personal data and to the following information, free of charge:

processing purposes;

categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

if possible, the expected period of retention of the personal data or, if this is not possible, the criteria for determining it;

the existence of the right to require the controller to rectify personal data relating to the data subject or to erase or restrict processing or to object to such processing;

the right to lodge a complaint with the supervisory authority;

if the personal data were not obtained from the data subject, any available information as to their source;

the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, and in these cases at least meaningful information about the procedure used as well as the significance and envisaged consequences of such processing for the data subject.

3.2 Where personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate safeguards under Article 46 of the GDPR relating to the transfer. 

3.3 The controller shall provide the data subject with information on the measures taken following a request pursuant to Articles 15 to 22 of the GDPR.

3.4 The controller shall provide a copy of the personal data being processed no later than 1 month after receipt of the data subject's request. For any further copies requested by the data subject, the controller may charge a reasonable fee corresponding to the administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic form, unless the data subject has requested otherwise.

3.5 The right to obtain a copy referred to in point 3.4 must not adversely affect the rights and freedoms of others.

3.6 The controller has the right under Article 12 GDPR:

a)    to extend the one-month time limit referred to in this point 3 by a further two months, taking into account the complexity of the request and the number of requests (from the same person, not in total),

b)    request additional information from the data subject in case of doubt as to his or her identity in order to verify the identity of the data subject. If the controller is not able to identify the data subject even then, the data subject's rights shall not apply,

c)    refuse the request, or require payment of a reasonable fee, taking into account its administrative costs, if the requests of the person concerned are manifestly unfounded or repetitive.  

4. Right to rectification

The data subject shall have the right to have inaccurate data relating to him or her rectified by the controller without undue delay. With regard to the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by providing a supplementary declaration.

5. Right to erasure ("to be forgotten")

5.1 The data subject shall have the right to have the personal data erased if the purpose of the processing has ceased, consent has been withdrawn, the legitimate interests of the controller do not prevail, or the processing was unlawful, or in other specific situations referred to in Article 17 GDPR.

5.2 Where a controller has disclosed personal data and is required to erase the personal data pursuant to 5.1, the controller shall, taking into account the technology available and the cost of implementing the measures, take reasonable steps, including technical measures, to inform controllers that process personal data that the data subject requests them to erase all references to that personal data, or a copy or replica of it.

6. Right to restriction of processing 

6.1 If one or more of the following applies, the data subject shall have the right to have the controller restrict the processing of his or her personal data pursuant to Article 18 GDPR:

the data subject contests the accuracy of the personal data, during a period allowing the controller to verify the accuracy of the personal data,

the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use,

the controller no longer needs the personal data for the purposes of their processing but the data subject needs them to establish, exercise or defend legal claims,

the data subject has objected to processing pursuant to Article 21(1) of the GDPR, pending verification whether the legitimate grounds on the part of the controller outweigh the legitimate grounds of the data subject.

6.2 Where processing has been restricted pursuant to point 6.1, such personal data shall, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important interest of the Union or of a Member State.

6.3 The controller is obliged to inform a data subject who has obtained restriction of processing pursuant to point 6.1 before the restriction of processing is lifted.

7. Notification obligation

The controller is obliged to notify each recipient to whom personal data have been provided of any rectification, erasure of personal data or restriction of processing carried out pursuant to Articles 16, 17(1) and 18 of the GDPR, unless this proves impossible or requires disproportionate effort. The controller shall inform the data subject of these recipients if the data subject so requests.

8. Right to data portability

8.1 The controller is obliged to provide the data subject with the personal data concerning him or her which he or she has provided, in a structured, commonly used and machine-readable format, and to transfer them to another controller without restriction, if the processing is based on consent or on the performance of a contract with the data subject and if the processing is carried out by automated means.

8.2 When exercising his or her right to data portability pursuant to point 8.1, the data subject shall have the right to have the data transmitted directly from one controller to another controller, insofar as this is technically feasible. This right shall not adversely affect the rights and freedoms of others.

8.3 Any transfer of personal data that is processed or intended to be processed after the transfer to a third country or an international organisation may only take place after the controller has carried out a data protection impact assessment pursuant to Article 7 of this Directive and has drawn up an internal directive to fulfil the tasks under the GDPR for such a transfer.

9. Right to object to processing for legitimate interest purposes

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on Article 6(1)(e) or (f) of the GDPR, including objections to profiling based on those provisions, or where the processing is for direct marketing purposes, in which case the controller is obliged to terminate that processing immediately. The controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for establishing, exercising or defending legal claims.

10. Right to object to automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects concerning him or her or similarly significantly affects him or her. This is possible in particular on the basis of consent, the performance of a contract or a specific law. Other exceptions are listed in Article 22(3), (4) GDPR.

11. Right to be informed of appropriate safeguards

The data subject has the right to be informed of the appropriate safeguards under Article 46 GDPR relating to the transfer if his or her personal data are transferred to a third country or an international organisation. Exceptions for specific situations are set out in Article 49 GDPR.

12. Right to human intervention by the controller

In cases of automated individual decision-making, including profiling pursuant to Article 22(2)(a) and (c) of the GDPR, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, the right to express his or her point of view and the right to contest the decision.

13. Right to compensation

Any person (including the data subject) who has suffered pecuniary or non-pecuniary damage as a result of a breach of this Regulation shall have the right to compensation from the controller or processor.

14. The right to lodge a complaint with the supervisory authority and the right to an effective judicial remedy against a decision of the supervisory authority

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint under Article 77 of the GDPR, any data subject shall have the right to an effective judicial remedy if he or she considers that, as a result of the processing of his or her personal data in breach of the GDPR, his or her rights under the GDPR have been infringed.

Article 6

Controller and processor

1. Controller

Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity posed by the processing to the rights and freedoms of natural persons, the controller shall, at the time of the designation of the means as well as at the time of the processing itself, take appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. This Directive is part of the organisational measures to ensure compliance with the GDPR. The measures taken shall be reviewed and updated by the controller as necessary. In particular, Articles 24 to 27 GDPR set out more detailed provisions on the obligations of the controller.

2. Relationship between the controller and the processor

The controller shall only use processors providing sufficient guarantees that appropriate technical and organisational measures are taken to ensure that the processing complies with the requirements of the GDPR and to ensure the protection of the data subject's rights. 

3. Processor

3.1 The processor shall not engage another processor without the prior specific or general written permission of the controller.

3.2 The processor shall inform the controller of any intended changes in relation to the addition or replacement of additional processors, thereby giving the controller the opportunity to object to such changes.

3.3 If the processor engages another processor, the same data protection obligations as those set out in the contract between the controller and the processor shall be imposed on that other processor by way of a contract, in accordance with the principles set out in Article 28 of the GDPR.

3.4 Processing by the processor is governed by a contract which binds the processor to the controller and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, pursuant to Article 28 GDPR.

3.5 The contract binds the processor to the controller and is drawn up in writing, including in electronic form, and provides in particular:

the subject matter of the processing,

processing time,

the nature and purpose of the processing,

type of personal data,

categories of data subjects,

the obligations and rights of the controller.

3.6 In particular, the Contract provides that:

The processor shall only process personal data on the basis of documented instructions from the controller, including with regard to the transfer of personal data to a third country or an international organisation;

Where the transfer to a third country is required by Union or Member State law, the processor shall notify the controller of that legal requirement before processing;

The processor shall ensure that the persons authorised to process personal data undertake to maintain the confidentiality of the information or are bound by an appropriate statutory obligation of confidentiality;

The processor shall take all measures required under Article 32 of the GDPR;

The processor complies with the conditions for engaging an additional processor (it does not engage an additional processor without the prior specific or general written authorisation of the controller and, if it engages one through a contract, the same data protection obligations are imposed on that additional processor, in particular the provision of sufficient guarantees to implement appropriate technical and organisational measures);

If that additional processor fails to fulfil its data protection obligations, the original processor shall remain fully liable to the controller for the fulfilment of that additional processor's obligations;

The processor shall assist the controller as far as possible by appropriate technical and organisational measures in fulfilling its obligation to respond to requests to exercise the data subject's rights;

The processor shall assist the controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security of processing, personal data breaches, data protection impact assessments);

Upon termination of the provision of processing services, the processor shall, at the controller's discretion, erase all personal data or return them to the controller and erase existing copies, unless the retention of such personal data is required by law;

The processor shall provide the controller with all the information necessary to demonstrate compliance with the obligations laid down in this Article and shall facilitate and contribute to audits as well as to controls carried out by the controller or by another auditor mandated by the controller;

The processor shall immediately inform the controller if, in its opinion, the instruction infringes this Directive, the GDPR or other Union or Member State legislation on data protection. 

Article 7

Technical and organisational measures to ensure adequate security of personal data

The controller and the processor shall, taking into account the state of the art, the cost of implementing the measures and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, take appropriate technical and organisational measures to ensure a level of security appropriate to that risk, which shall be governed by a separate internal directive.

Article 8

Breach of data protection

1. Notification of a personal data breach to the supervisory authority

In the event of a personal data breach, the controller shall notify the personal data breach to the competent supervisory authority without undue delay and, where possible, no later than 72 hours after becoming aware of the personal data breach, except where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification has not been submitted to the supervisory authority within 72 hours, it shall be accompanied by a justification for the delay.

The processor shall notify the controller without undue delay after becoming aware of the personal data breach.

The notification referred to in point 8.1.1 shall include at least:

a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;

the name and contact details of the responsible person or other point of contact where more information can be obtained;

a description of the likely consequences of a personal data breach;

a description of the measures taken or proposed by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

To the extent that the information cannot be provided at the same time, the information may be provided in stages without further undue delay.

The controller shall document each personal data breach, including the facts associated with the personal data breach, its consequences and the remedial measures taken. That documentation shall enable the supervisory authorities to verify compliance with this Article.

2. Notification of a personal data breach to the data subject

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the personal data breach to the data subject without undue delay.

The notification to the data subject referred to in point 8.2.1 of this Article shall contain a clear and plainly worded description of the nature of the personal data breach and at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the GDPR.

The notification to the data subject referred to in point 8.2.1 shall not be required if any of the following conditions are met:

the controller has taken appropriate technical and organisational protection measures and has applied those measures to the personal data affected by the personal data breach, in particular those measures which render the personal data unreadable to any person not authorised to have access to them, such as encryption;

the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects referred to in point 1 is no longer likely to have consequences;

it would require a disproportionate effort. In such a case, public information or a similar measure shall be taken instead, thereby ensuring that the persons concerned are informed in an equally effective manner.

If the controller has not yet notified the personal data breach to the data subject, the supervisory authority may, after considering the likelihood of a personal data breach giving rise to a high risk, require the controller to do so or may decide that one of the conditions set out in point 8.2.3 is met.

Article 9

Common and final provisions

1. The provisions of this Directive shall be complied with by all employees who, within the scope of their employment or function, are acquainted with personal data processed in our information systems.

2. The statutory representative of the controller shall demonstrably acquaint all employees with the contents of this Directive within 10 days of its issue and shall oblige them to confidentiality of personal data with which they have come into contact during the processing of such data. The obligation of confidentiality shall continue even after the processing of personal data has ceased and after the end of their relationship with the controller.

3. This Directive is drawn up pursuant to Article 24(1) of the GDPR.

4. This Directive shall enter into force and effect on the date of its issue.

 

This Directive was issued on ................ 2018

 

The following Annexes form an integral part of this Directive:

Annex:

No 1 List of information systems

No 2 Information system record sheet

No 3 List of persons authorised to process personal data

LIST OF INFORMATION SYSTEMS 

INFORMATION SYSTEM

DESCRIPTION

ACCOMMODATION

BUILDING

LOCATION

TECH

INFORMATION SYSTEM RECORD SHEET

 

1. Name and location of the Personal Data Information System

2. Personal data processed

3. Circle (category) of persons concerned

4. Source of personal data

5. Retention period of personal data

6. Purposes of the processing of personal data

7. Legal basis for the processing of personal data

8. To whom the personal data are disclosed, for what purposes and the legal basis for disclosure

9. To whom the data are disclosed, for what purposes and the legal basis for disclosure

10. Where personal data are disclosed, for what purposes and the legal basis for disclosure

11. Who processes this personal data

12. Where the data is stored and how it is secured

13. Archiving and disposal of personal data

CONTENTS OF THE INTERNAL DIRECTIVE on data protection

Article 1. Definition of basic terms .......... p. 2

Article 2. Personal Data Processing Policy .......... p. 4

Article 3. Consent of the data subject to the processing of personal data .......... p. 5

Article 4. Information systems and personal data .......... p. 5

Article 5. Information and access to personal data

    1. Information to be provided when obtaining personal data from the data subject .......... p. 6

    2. Information to be provided where personal data have not been obtained from the data subject .......... p. 6

    3. The right of the data subject to access to personal data .......... p. 8

    4. Right to rectification .......... p. 9

    5. Right to erasure ("right to be forgotten") .......... p. 9

    6. Right to restriction of processing .......... p. 9

    7. Notification obligation .......... p. 9

    8. Right to data portability .......... p. 10

    9. Right to object to processing for legitimate interest purposes .......... p. 10

    10. The right to object to automated individual decision-making, including profiling .......... p. 10

    11. Right to be informed of reasonable safeguards .......... p. 10

    12. Right to human intervention on the part of the controller .......... p. 10

    13. Right to compensation .......... p. 11

    14. The right to lodge a complaint with the supervisory authority and the right to an effective judicial remedy against a decision of the supervisory authority .......... p. 11

Article 6. Controller and processor .......... p. 11

    1. Controller .......... p. 11

    2. The relationship between the controller and the processor .......... p. 11

    3. Processor .......... p. 11

Article 7. Technical and organisational measures to ensure adequate security of personal data .......... p. 13

Article 8. Breach of data protection

    1. Notification of a personal data breach to the supervisory authority .......... p. 13

    2. Notification of a personal data breach to the data subject .......... p. 14

Article 9. Common and final provisions .......... p. 14

Attachments:

List of information systems

Information system record sheet

List of persons authorised to process personal data
