(INFORMATION ON THE PROCESSING OF PERSONAL DATA)

For Parking House a.s. (hereinafter referred to as "PARKING HOUSE"), it is extremely important to transparently provide you, as a user of the web portal services of the project "Underground Parking House and City Park Kollárovo námestie Bratislava" (hereinafter referred to as the "Project"), with all relevant information regarding the processing of your personal data. For this purpose, we have prepared an overview of the most important data that you have the right to be informed about. 

1. DATA CONTROLLER

The data controller is the entity to which you provide your personal data when using the web portal of the PROJECT (Project.eu, Project.sk and Project.com) and related services. The controller determines the purposes and means of processing personal data, which in practice means that it decides how your personal data will be processed within the frameworks outlined below. 

Contact Details: 

Parking House a.s., Company ID (IČO): 35 833 459, registered office at Digital Park III, Einsteinova 19, 851 01 Bratislava – Petržalka, registered in the Commercial Register of the District Court Bratislava 1, Section: Sa, File No.: 4937/B.

Company Name: Parking House a.s.

Company ID (IČO): 35 833 459

Registration: Commercial Register of the District Court Bratislava 1, Section: Sa, File No.: 4937/B

Registered Office: Digital Park III, Einsteinova 19, 851 01 Bratislava – Petržalka

Legal Representation: Dr. Milan Maštena – Chairman of the Board 

Email Address: info@parkinghouse.sk

2. DATA PROTECTION OFFICE

The role of the Data Protection Office (DPO) is, based on a contractual relationship with the controller, to provide expert advice to the data subject as well as the controller in monitoring compliance with the provisions of Act No. 18/2018 Coll. on the processing of personal data, as amended, and the GDPR regulation.

Contact Details:

Company Name: Capitol Legal Group, law firm s.r.o.

Company ID (IČO): 47 257 211

Registered Office: Digital Park III, Einsteinova 19, 851 01 Bratislava – Petržalka, Slovak Republic

Registration Court: District Court Bratislava I, Section: Sro, File No.: 103064/B

Email Address: gdpr@clg.sk

3. PERSONAL DATA PROCESSED BY THE CONTROLLER

PARKING HOUSE processes your personal data as a data subject in the context of using the services on the Project's web portal, taking into account our legal obligations and the protection of related legitimate interests. We obtain personal data exclusively from you, and in justified cases, we verify its accuracy using publicly available sources (e.g., Finstat.sk, the commercial register, the register of financial statements, etc.) to protect the rights of the data subjects.

3A. Personal Data Collected During Registration on the Project’s Web Portal

If you choose to contact us through the Project's web portal, you provide us with the following personal data as an individual:

3B. Personal Data Collected During Purchases on the Project’s Web Portal

If you decide to purchase a product or service on the web portal and/or express interest in such products or services, you provide us with the following personal data:

3C. Personal Data Collected During Communication with You

We also collect your personal data during email or telephone communication, where you primarily provide us with your name and surname (or username), email address, or mobile number, along with any other data necessary for concluding a relevant contract in the case of your binding interest.

3D. Other Personal Data Collected During the Use of the Project's Web Portal Services

When using the services offered by the Project's web portal, additional personal data may be collected that you have not directly provided to us but are obtained and processed passively. This primarily includes your IP address, type of internet browser, or small data files known as Cookies, which serve to further improve our services according to your individual settings.

4. LEGITIMATE (JUSTIFIED) PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA 

4A. Providing Services on the Project’s Web Portal

PARKING HOUSE processes your personal data to create optimal conditions for browsing the web interface and potentially carrying out the acquisition of the product or service you have selected on the Project’s website. Without providing personal data, it is not possible to complete the transaction you have chosen.

4B. Legal Basis for Processing

The legal basis for processing is:

  • Article 6(1)(b) of the GDPR, i.e., processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
  • Article 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
  • Act No. 431/2002 Coll. on Accounting
  • Act No. 595/2003 Coll. on Income Tax
  • Act No. 222/2004 Coll. on Value Added Tax
  • Act No. 395/2002 Coll. on Archives and Registries
  • General Terms and Conditions for the Use of the Project’s Portal and Services

4C. Marketing Purposes

We also process your personal data to send you offers that may interest you, especially if you have chosen this option through the Project’s web portal. We will inform you about offers mainly via email or other messages. You have the right to decide whether you want to receive marketing messages, either through your user account, by clicking on the "unsubscribe" link (or a similar link) at the end of our emails, or by sending us an email at the above-mentioned address.

4D. Legal Basis for Processing

The legal basis for processing is Article 6(1)(a) of the GDPR, i.e., as the data subject, you have given consent for the processing of your personal data for one or more specific purposes.

4E. Fraud Prevention

Personal data provided when ordering a product may be used to verify whether the registration or ordering process is being carried out in an unusual or malicious manner (e.g., ordering a large quantity of the same product or service under the same personal details using multiple accounts). There is a legitimate interest in conducting such a review to prevent abusive practices and criminal activities.

4F. Legal Basis for Processing

The legal basis for processing is Article 6(1)(f) of the GDPR, i.e., processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.

5. DATA RETENTION PERIOD 

We process and store your personal data only for as long as necessary for the purposes stated above or to fulfill legal requirements. After this period, personal data will be deleted or anonymized.

If we process your personal data based on a legitimate interest, processing lasts for as long as the legitimate interest persists. You may object to the processing of your personal data based on legitimate interest at any time.

6. RECIPIENTS OF PERSONAL DATA 

PARKING HOUSE provides your personal data to the following categories of recipients:

6A. Sales Representatives

Due to significant interest in products and services within the Project, PARKING HOUSE may use the services of sales representatives who are provided with your data to the necessary extent for the purpose of contacting you, specifying your requirements and interests, and preparing transaction documents in their final form.

6B. Online Marketing Platform Provider – Mailchimp

For the continuous improvement of services related to the operation of the Project’s web portal, as well as for informing relevant clients and interested parties, we process your personal data electronically through the online application Mailchimp, which stores it on a server located in the USA. This company, The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA, acts as a data processor, with PARKING HOUSE determining the purposes and method of processing your personal data.

Since this data is transferred to a third country, Mailchimp guarantees an adequate level of data protection under the European Commission’s decision, as it is part of the so-called Privacy Shield framework.

6C. Web Hosting

As part of web hosting, personal data processed in connection with the operation of the Project’s web portal is stored to ensure its functionality. We process data based on our legitimate interests under Article 6(1)(f) of the GDPR. The web hosting provider processes your personal data in the form of digital data for the proper operation of the Project’s web portal and implements encryption measures to enhance the protection of your personal data.

7. AUTOMATED DECISION-MAKING INCLUDING PROFILING

As part of processing your personal data, automated decision-making, including profiling, takes place solely based on your given consent.

8. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

In the course of processing your personal data, the transfer of personal data to a third country or international organization occurs to the necessary extent on the server of the online marketing platform provider Mailchimp in the USA. HOWEVER, THIS COMPANY GUARANTEES AN ADEQUATE LEVEL OF DATA PROTECTION ACCORDING TO THE DECISION OF THE EUROPEAN COMMISSION, AS IT IS PART OF THE PRIVACY SHIELD FRAMEWORK. 

9. RIGHTS OF THE DATA SUBJECT

9A. Right of Access to Personal Data

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning them is being processed, and if so, they have the right to access this personal data and the following information:

  • The purposes of the processing of personal data.
  • The categories of personal data being processed, including whether it involves special categories of personal data, data concerning children, and/or data related to criminal convictions and offenses.
  • The recipients or categories of recipients of personal data, particularly regarding recipients in non-EU countries and/or international organizations.
  • The expected period for which personal data will be stored, or if not possible, the criteria used to determine that period.
  • The existence and scope of the right to rectify personal data, erase personal data, restrict the processing of personal data, as well as the right to object.
  • The right to lodge a complaint with a supervisory authority.
  • The existence of automated decision-making, including profiling, and in such cases, meaningful information about the logic involved and the significance and anticipated consequences of such processing for the data subject.
  • Appropriate safeguards in place if personal data is transferred outside the European Union and/or to an international organization.

The controller shall provide the data subject with a copy of the personal data being processed. For any additional copies requested, the controller may charge a reasonable fee based on administrative costs. If the request is made electronically, the information will be provided in a commonly used electronic format unless the data subject requests otherwise. If providing such information entails material costs for the controller, the controller may charge a reasonable fee corresponding to those necessary expenses.

9B. Right to Rectification of Personal Data

Every data subject has the right to have inaccurate personal data concerning them rectified without undue delay. Considering the purposes of processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.

Upon request, the controller will inform the data subject of the rectification of personal data through a Confirmation of Personal Data Rectification and, if necessary, notify the relevant recipients of the corrected personal data, unless it proves impossible or requires disproportionate effort.

9C. Right to Erasure of Personal Data ("Right to Be Forgotten")

The data subject has the right to request the controller to erase personal data concerning them without undue delay, and the controller is obliged to carry out such erasure without undue delay if any of the following conditions are met:

  • The relevant personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject withdraws their consent for the processing of such personal data, and there is no other legal basis for the processing.
  • The data subject exercises the right to object below in accordance with the provisions of the GDPR, Act No. 18/2018 Coll. on the Protection of Personal Data, and the Data Protection Policy as amended, and no legitimate grounds for processing prevail.
  • The personal data has been processed unlawfully.
  • The personal data must be erased to comply with a legal obligation under applicable laws that the controller is subject to.
  • The personal data was collected in connection with the offer of information society services to a child.

If the controller has made the personal data public and is required to erase it, considering available technology and the cost of implementation, the controller shall take reasonable steps, including technical measures, to inform controllers processing such personal data that the data subject has requested the erasure of all links to this personal data as well as its copies and/or replications.

The controller is not obliged to erase personal data if its processing is necessary:

  • For exercising the right to freedom of expression and information.
  • To comply with a legal obligation requiring its processing under applicable laws and/or to fulfill a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • For reasons of public interest in the area of public health, if the processing of such personal data is conducted under applicable laws and/or under a relevant contract with a healthcare professional, who processes such personal data personally and/or within their responsibility and/or through a qualified third party, under an existing confidentiality obligation, where necessary for purposes such as:
    • Preventive or occupational medicine,
    • Assessment of an employee’s work capacity,
    • Medical diagnosis, provision of healthcare or social care, or treatment, and/or
    • Management of healthcare or social care systems and services.
  • Where necessary for reasons of public interest in public health, such as protection against serious cross-border health threats or ensuring high standards of quality and safety in healthcare, medicines, or medical devices, based on applicable laws that establish appropriate and specific measures to protect the rights and freedoms of the data subject, particularly confidentiality obligations.
  • For scientific, historical, or statistical purposes, provided that adequate safeguards are in place, for archival purposes in the public interest, or if providing such information is likely to render impossible or seriously impair the achievement of the objectives of personal data processing for such purposes.
  • For the establishment, exercise, or defense of legal claims.

The controller shall notify the data subject without undue delay of the erasure of relevant personal data by issuing a Confirmation of Erasure of Personal Data.

9D. Right to Restriction of Personal Data Processing

The data subject has the right to have the controller restrict the processing of personal data in any of the following cases:

  • The data subject contests the accuracy of personal data, for a period enabling the controller to verify its accuracy.
  • The processing of personal data is unlawful, and the data subject opposes the erasure of personal data and requests the restriction of its processing instead.
  • The controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims.
  • The data subject exercises the right to object below, until it is verified whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data, except for storage, shall only be processed with the consent of the data subject or for the establishment, exercise, or defense of legal claims, or for the protection of another natural or legal person, and/or for important reasons of public interest of the European Union or a Member State.

The controller shall notify the data subject of the restriction of processing before the restriction is lifted, by issuing a Confirmation of Restriction of Personal Data Processing.

9E. Right to Data Portability

The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and has the right to transmit such data to another controller without hindrance from the controller to whom the data was provided, if:

  • The processing of personal data is based on the data subject’s consent or is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual steps at their request, and/or
  • The processing is carried out by automated means.

The data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right to data portability does not affect the right to erasure ("right to be forgotten"). The right to data portability must not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.

The controller shall notify the data subject of the data transfer by issuing a Confirmation of Data Transfer

9F. Right to Withdraw Consent to Data Processing

The data subject has the right to withdraw their consent to data processing at any time, and such withdrawal shall not affect the lawfulness of processing carried out based on consent before its withdrawal.

9G. Right to Object

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them, which is carried out for:

  • The performance of a task carried out in the public interest and/or the exercise of official authority vested in the controller under applicable laws.
  • The purposes of legitimate interests pursued by the controller and/or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child. 

This includes objecting to profiling based on the above cases.

The controller may no longer process personal data unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

If personal data is processed for direct marketing purposes, the data subject has the right to object at any time, including profiling related to direct marketing.

If the data subject objects to processing for direct marketing purposes, personal data must no longer be processed for such purposes.

9H. Rights Related to Automated Decision-Making

The data subject has the right not to be subject to automated decision-making, except in the following cases:

  • Automated decision-making is demonstrably necessary for the conclusion or performance of a contract between the data subject and the controller.
  • Automated decision-making is explicitly permitted by generally binding legal regulations to which the controller is subject, and such regulations also establish appropriate measures to guarantee the protection of the rights, freedoms, and legitimate interests of the data subject.
  • Automated decision-making is demonstrably based on the explicit consent of the data subject.

In cases where automated decision-making is demonstrably necessary for the conclusion or performance of a contract between the data subject and the controller and/or is based on the explicit consent of the data subject, the controller shall implement appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, including at least: 

  • The right to human intervention by the controller,
  • The right to express their opinion, and
  • The right to challenge the decision resulting from automated decision-making.

Automated decision-making based on special categories of personal data is prohibited, even in cases where it is demonstrably necessary for the conclusion or performance of a contract between the data subject and the controller and/or is based on the explicit consent of the data subject (related to automated decision-making), except in cases where:

  • The data subject has given explicit consent for automated decision-making related to any special category of personal data, and/or
  • Automated decision-making regarding the relevant special category of personal data is necessary for reasons of significant public interest under generally binding legal regulations, provided that these reasons are proportionate to the intended objective, respect all principles and the essence of data protection, and establish appropriate and specific measures to ensure the fundamental rights and interests of the data subject.

9I. Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement of data protection, if they believe that the processing of personal data concerning them is in violation of the GDPR.

The data subject also has the right to an effective judicial remedy under the applicable general legal regulations if they believe that their rights have been violated as a result of the processing of personal data concerning them in breach of the GDPR and/or Act No. 18/2018 Coll. on the Protection of Personal Data, as amended.

The supervisory authority for the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic (www.dataprotection.gov.sk), and the procedure for data protection proceedings is regulated by Section 99 et seq. of Act No. 18/2018 Coll. on the Protection of Personal Data, as amended.