Purpose of this Privacy Notice
This Privacy Notice is crafted to fulfill the responsibilities of the Data Controller in handling personal data. As part of our operational activities, we process personal data for various purposes, ensuring adherence to data subjects' rights and compliance with legal obligations. We believe it is crucial to transparently communicate to data subjects about the nature of personal data handling, providing insights into the key aspects of the data that has come under the purview of the Data Controller during the course of data processing activities. This notice serves to inform and empower data subjects, promoting transparency, accountability, and a clear understanding of how their personal data is managed.
Legal Basis of Personal Data Processing
The processing of personal data is conducted solely for well-defined purposes and is grounded in appropriate legal bases. Each purpose of data processing is explicitly linked to its corresponding legal basis, ensuring transparency and compliance with relevant regulations. This approach is designed to provide a clear understanding of why and how personal data is processed, fostering accountability and aligning with the principles of lawful data processing.
External Assistance in Personal Data Processing
While a significant portion of personal data processing is carried out by the Data Controller within its own premises, certain operations necessitate external assistance from data processors. The specific data processor engaged may vary depending on the nature and requirements of each data processing activity. This ensures that external assistance is enlisted only when essential, promoting efficient and secure data handling practices.
Identity of Data Processors
Detailed information about the data processors engaged by the Data Controller, along with their contact details, is available in Section II of this privacy notice. The data subject is encouraged to review this section to gain insights into the entities involved in the processing of personal data.
SECTION I.
NAME OF THE DATA CONTROLLER
The issuer of this privacy notice and the Data Controller:
COMPANY NAME: TutiTours s.r.o.
REGISTERED SEAT: Senny trh 3116/7 945 01 Komarno, Slovakia
COMPANY REGISTRATION NUMBER: 53242122
TAX NUMBER: SK2121324788
EUID IDENTIFIER: SKORSR.53242122
SECTION II
NAME OF THE DATA PROCESSORS
Role of Data Processor:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Regulation 2016/679, Article 4(8)).
To use a data processor, prior consent from the data subject is not required, but he or she must be notified. Accordingly, the following information is provided:
Hosting Provider:
COMPANY NAME: Tárhely.Eu Kft.
REGISTERED SEAT: 1144 Budapest, Ormánság street 4. X. floor 241.
CONTACT: https://mail.tarhely.eu/
Website development:
IT and marketing service provider company.
Data processor performing invoicing and payroll tasks:
COMPANY NAME: Shark kzm s.r.o.
REGISTERED SEAT: Senný trh 3116/7, 945 01 Komárno, Slovakia
COMPANY REGISTRATION NUMBER: 52 363 813
CONTACT: https://shark-kzm.sk/hu/
Recipients:
COMPANY NAME: Google LLC
REGISTERED SEAT: Mountain View, California, USA
CONTACT: https://mail.google.com/
COMPANY NAME: Facebook, Inc.
REGISTERED SEAT: Menlo Park, California, USA
CONTACT: https://www.facebook.com/
COMPANY NAME: Stripe, Inc.
REGISTERED SEAT: 1 Grand Canal Street Lower, Dublin, County Dublin, IE
CONTACT: https://stripe.com/en-hu
COMPANY NAME: Zendesk, Inc.
REGISTERED SEAT: 1019 Market Street, San Francisco, CA 94103, US
CONTACT: https://www.zendesk.com/
COMPANY NAME: Tatra banka, a.s.
REGISTERED SEAT: Hodžovo námestie 3, 811 06 Bratislava 1
CONTACT: https://moja.tatrabanka.sk/html-tb/
COMPANY NAME: PayPal (Európa) S.à r.l. et Cie, S.C.A.
REGISTERED SEAT: 283, route d'Arlon, L-1150 Luxembourg.
CONTACT: https://www.paypal.com/
When the Privacy Notice makes general references to transfers to the Company's data processors, it is to be comprehended as including transfers to the specified recipients mentioned above. This ensures a unified understanding of the disclosure of personal data to both data processors and the identified recipients.
SECTION III. LAWFULNESS OF PROCESSING
- Data Processing Based on Data Subject's Consent
When the Company intends to engage in data processing based on the data subject's consent, such consent shall be obtained through the data request form and information provided in the Data Processing Consent. Additionally, consent is considered given if the data subject actively interacts with the Company's website, configures relevant technical settings during the use of information society services, or takes any action clearly indicating consent.
Consent shall also be deemed to be given if the data subject ticks a box when viewing the Company's website, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action which clearly indicates the data subject's consent to the intended processing of his or her personal data in the relevant Silence, ticking a box or inaction therefore does not constitute consent. The continuation of a telephone call after having been duly informed shall constitute consent.
Silence, checkbox ticking, or inactivity are not deemed as consent. Continuing a telephone call post-appropriate information constitutes consent. This consent encompasses all processing activities for the same purpose. In cases of multiple purposes, consent must cover all intended processing.
If the data subject grants consent within a written statement covering other matters (e.g., sales or service contract), the consent request must be presented distinctly, in a clear, easily accessible form, and in plain language, separated from other matters.
Any part of a statement containing the data subject's consent that contravenes the provisions of the Regulation shall not be legally binding.
The Company shall not condition the conclusion or performance of a contract on the data subject's consent to the processing of personal data that are not necessary for the execution of the contract.
The data subject has the right to withdraw their consent at any time by sending an email to the address specified in Chapter
Upon withdrawal of consent, the controller must cease processing the data. The controller is obligated to ensure the erasure of data unless another legal basis permits the continued processing of such data, such as legal storage requirements or the necessity to fulfill a contractual obligation. If processing has occurred for multiple purposes, the controller cannot utilize the personal data for the purpose from which the data subject has withdrawn consent.
- Data processing based on performing legal obligations
In the case of data processing based on performing legal obligations, the Company adheres to the provisions stipulated by relevant laws and regulations. The scope of the data that can be processed, the purpose of the data processing, the duration of data storage, and the recipients are all determined by the specific requirements outlined in the applicable legal framework.
It is important to note that the processing of personal data for compliance with a legal obligation is conducted in accordance with the regulatory standards, and such processing is not contingent on the data subject's consent. The Company ensures that it meets its legal obligations while respecting the privacy and rights of the data subjects.
In situations where data processing is obligatory due to legal obligations, the data subject will be provided with clear and detailed information before the commencement of data processing. The information will cover essential details related to the processing. If data processing is mandatory, the information may be conveyed by referencing the specific legislative provisions that contain the outlined details. This approach ensures transparency and informs the data subject about the processing requirements and their rights in accordance with the applicable legal obligations.
- Data processing based on legitimate interests
Data processing based on legitimate interests of the Company or a third party can serve as a legal basis, as long as it doesn't override the interests, fundamental rights, and freedoms of the data subject. This legal framework considers the reasonable expectations of the data subject, taking into account the context of the data processing. The Company will ensure that the legitimate interests pursued are balanced with the protection of the data subject's rights and privacy. This approach aligns with privacy principles and ensures that data processing activities are conducted ethically and in compliance with relevant regulations.
The assessment of whether personal data processing for contact purposes, including direct marketing, is based on legitimate interests should take into account the relationship between the data subject and the controller. In cases where there is a relevant and appropriate relationship, the processing may be considered as having a legitimate interest. However, this determination should always consider the expectations of the data subject and ensure that their rights and freedoms are adequately protected. This approach aligns with privacy principles that emphasize fairness, transparency, and respect for individual rights in data processing activities.
The processing of personal data based on legitimate interests involves a balancing of interest test, taking into account the current circumstances and the specific situation of both the data controller and the data subject. In the case of processing in the interest of the Company, the balance of interest test has been conducted separately, and it has been concluded that the processing is justified, considering the conditions described for the processing in question.
The Company has determined that the processing is necessary for its competitive operation and has implemented appropriate safeguards, as outlined in this Policy, to mitigate any potential emotional impact on data subjects and to uphold their right to privacy. This approach ensures that the processing is proportionate and respects the rights and interests of the data subjects.
- Data Processing for the Protection of Vital Interests:
The processing of personal data for the protection of the vital interests of the data subject or another natural person serves as a legal basis when such processing is necessary to safeguard someone's life. This legal provision recognizes that in certain situations, the right to data protection must yield to the paramount right to life, particularly in emergencies or life-threatening circumstances.
- Data Processing Based on Contractual Interests:
Processing personal data based on contractual interests is a legitimate and necessary activity when it is essential for the performance of a contract to which the data subject is a party. Additionally, if data processing is required at the request of the data subject to facilitate contract preparation, it falls under this legal basis.
- Promoting Data Subject Rights:
The Company is committed to facilitating and promoting the exercise of data subject rights throughout all stages of the data processing lifecycle.
SECTION IV.
INFORMATION ABOUT DATA PROCESSING BY THE COMPANY
Processing of Customer Data:
The Company engages in the processing of customer data in accordance with legal requirements and for specific business purposes. The following outlines the key aspects of customer data processing:
The Company processes various types of personal data related to natural persons in contractual relationships, including but not limited to:
Name, name at birth, date of birth, mother's name, address
Tax identification number, tax number, entrepreneur's or self-employed person's identity card number
Personal identity card number, address of registered office, address of premises
Telephone number, e-mail address, website address, bank account number
Customer number, order number, online identifier
Medical fitness documents (if applicable)
The processing is conducted for purposes such as preparing, concluding, performing, terminating, or granting contractual benefits, supporting economic processes, and fulfilling legal obligations.
The legal basis for processing customer data includes the performance of a contract, fulfillment of legal obligations (e.g., accounting and taxation purposes), and legitimate interests.
Personal data is stored for a duration of 8 years after the termination of the contract, considering the long-term business relationship of the Company.
Recipients include Company employees involved in customer service, accounting, tax, business, and data processors appointed by the Company.
Personal data may be transferred to entities such as accounting offices, postal services, courier services, and security agents for lawful data processing purposes.
The processing is considered lawful when necessary for contract-related activities or the intention to conclude a contract. The Company ensures transparency by informing parties involved in offers about data processing.
Annex 5 of the privacy policy outlines the data processing clauses and information to be included in contracts. It is the responsibility of Company employees to ensure the inclusion of these clauses in contract texts.
This framework ensures compliance with data protection regulations, outlines the purposes of data processing, and emphasizes the importance of transparency and legal adherence in the Company's interactions with customers.
Personal Data for Sending Messages on the Company's Website:
The Company engages in the processing of personal data for the purpose of sending messages on its website. The following outlines key aspects of this data processing:
The user, a natural person using the website, provides consent for the processing of their personal data by actively ticking the relevant consent box. It is expressly prohibited to pre-tick the box.
Personal data processed includes the name of the natural person (surname, first name), e-mail address, and phone number.
The processing is carried out to enable the personalized and optimal functioning of the website.
The legal basis for processing is the explicit consent of the data subject.
Recipients include the Company's IT data controllers and data processors.
Personal data is stored for a period of 5 years or until the data subject withdraws consent (requests erasure).
The data subject acknowledges that providing data is not a prerequisite for contract conclusion, and there is no obligation to provide personal information.
This data processing framework ensures that the Company adheres to legal requirements, obtains explicit consent, and clearly communicates the purpose, duration, and recipients of the personal data processed for sending messages on the website. Additionally, it emphasizes the voluntary nature of providing personal data in this context.
Data Management in the Company's Webshop:
The Company engages in data processing related to purchases made in its webshop, and the following outlines key aspects of this data management:
Purchases made in the webshop constitute a contract as per Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services. The legal basis for data processing in this context is the contract.
The Company may process the following personal data of the customer registering in the webshop:
Natural personal identification data and address.
Telephone number, e-mail address, bank account number, and online identifier.
Data related to the use of information society services, address, delivery address, and details of service usage.
Creating, defining content, amending, and monitoring the performance of the contract.
Invoicing fees, enforcing claims related to the contract.
Billing purposes, including data related to service usage.
Recipients include employees of the Company performing tasks related to customer service, money management, transport, marketing activities, and data processors. This may also include employees of the company handling tax and accounting tasks, and employees of the IT service provider for hosting services.
Personal data is processed until the registration/service is completed or until the data subject's consent is withdrawn (request for deletion). In the case of a purchase, data is retained until the end of the 5th year following the year of purchase.
When shopping in the online shop, the Privacy Policy must be made available through a link, and the customer must explicitly accept it.
Data Management in Relation to Social Media (Facebook, Instagram):
Our Company engages in data processing related to its presence on social media platforms such as Facebook and Instagram. The following outlines key aspects of this data management:
The Company has limited influence on the data processing activities of social media platforms. However, it strives to facilitate data processing in a manner that aligns with data protection principles whenever possible.
The Company manages its own page on Facebook. Users can subscribe to news feeds by clicking the "like" or similar buttons. Interaction on the Facebook page involves the processing of personal data by Facebook. The Controller processes the personal data of followers on Facebook pages based on the voluntary consent of followers. Consent is implied when individuals like, follow, or comment on the page or posts. Users declare that they are over 16 years of age when interacting on the Facebook page. Individuals under 16 require the consent of a legal representative for their consent to be valid. The processing serves the purpose of providing information on current updates, news related to the Data Controller, advertising on social media, and promoting services. The legal basis for processing is the voluntary consent of the data subject, in accordance with the policies of Facebook and Instagram.
Facebook's privacy policy can be found at: https://www.facebook.com/privacy/explanation/. Instagram's privacy policy can be found at: https://help.instagram.com/519522125107875. Data subjects are users of the social media platform, including individuals who interact with the Data Controller's Facebook page. Data subjects can unsubscribe from the Facebook page by clicking the "dislike" or similar buttons. The active status of the service and the duration of data processing are subject to the user's preferences and settings.
IT Recipients include employees of the data controller involved in customer service and marketing, as well as the Company's data processors, particularly the IT service provider.
Data subjects acknowledge that providing data is not a contractual prerequisite. However, non-provision may result in the inability to receive current news and updates from the Data Controller. This data management framework emphasizes transparency, consent-based processing, and the acknowledgment of users' control over their preferences on social media platforms. It also highlights the voluntary nature of data provision and its impact on receiving information from the Data Controller.
Management of Recruitment Data, Applications, CVs:
The Company engages in the processing of personal data related to recruitment, applications, and CVs. The following outlines key aspects of this data management:
The personal data that may be processed include the applicant's name, date and place of birth, mother's name, address, qualifications, photograph, telephone number, and email address. Additionally, the employer's record of the applicant (if any) may be considered.
The processing serves the purpose of managing applications, assessing suitability, and potentially concluding an employment contract with the selected candidate. Applicants not selected for the position must be informed accordingly.
The legal basis for processing is the data subject's consent, which is deemed to have been given at the time of sending the application. Withdrawal of consent has the legal consequence of non-recruitment.
Recipients include managers and employees performing labor-related tasks who are entitled to exercise employer rights at the Company.
Personal data is stored until the application or tender is assessed, with a maximum storage duration of 2 years. Data of unsuccessful applicants will be deleted. Withdrawn applications or candidatures must also result in the deletion of related data.
Data Processing for Tax and Accounting Obligations:
The Company engages in the processing of personal data for tax and accounting obligations. Here are the key details of this data processing activity:
The processing serves the purpose of fulfilling legal obligations related to tax and accounting (bookkeeping, taxation) as mandated by applicable laws.
Data processed includes, but is not limited to, the following:
For accounting purposes (per Act of 2000 on Accounting): name, address, designation of the person or organization ordering the transaction, signature of the person ordering the transaction and the person certifying the execution of the order.
For stock movement vouchers, cash management vouchers, and counterfoils: signature of the recipient or payer.
Under Act CXVII of 1995 on Personal Income Tax: tax identification number.
The Company processes data related to the driver's logbook, including the name of the driver, type of vehicle, registration number, date and purpose of the journey, route taken, and name of the business partner visited. This processing is carried out for legal obligations, cost accounting, supporting documents, tax assessment, and fuel saving. The relevant legislation is Act No. CXVII of 1995 (Tax Act), § 27/2/, Annex 3, item 6 and Annex 5, item
Recipients include employees and data processors of the Company performing tax, accounting, payroll, and social security-related tasks.
Payer Authentication Processing
The Company shall process the personal data of the data subjects (employees, their family members, workers, recipients of other benefits) with whom it has a relationship as a paying agent (Act 2017: on the Order of Taxation (Art.), § 7.31.) for the purposes of fulfilling its legal obligations, tax and contribution obligations (tax, advance tax, contributions, payroll, social security, pension administration). The scope of the data processed is defined in Article 50 of the Art., specifically highlighting: the natural person's identification data (including previous name and title), gender, nationality, tax identification number, and social security number. If the tax laws impose a legal consequence, the Company may process data relating to employees' membership of health (Section 40 of the Social Security Act) and trade unions (Section 47(2) b) of the Social Security Act) for the purposes of meeting tax and contribution obligations (payroll accounting, social security administration).
The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal
Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payroll)
Processing of documents of lasting value under the Archives Act
The Company shall, in the performance of its legal obligation, process documents of permanent value pursuant to Act LXVI of 1995 on public records, public archives and the protection of private archival material (Archives Act), in order to ensure that the permanent value of the Company's archival material is preserved intact and in a usable condition for future
Duration of storage: until the transfer to the public archives.
Recipients of the personal data: the head of the Company, employees of the Company who are responsible for the management and archiving of the records, employees of the public
SECTION V.
COOKIE POLICY ON THE COMPANY'S WEBSITE
Cookies are text files containing small data pieces stored on the user's computer or phone (HDD, SSD) until their expiration date. Upon the user's return to the site, the web browser retrieves this data. These files aim to store information about website visits and personal preferences, yet they do not constitute personal user data. Cookies play a crucial role in creating a user-friendly website and enhancing the overall user experience. If the user chooses not to consent to the use of cookies, access to the website may be interrupted.
Purpose of Personal Data Processing: Enhancing the user's internet experience and storing personal preferences
Legal Basis of Data Processing: Freely given consent of the data subject
Categories of Processed Personal Data: The Data Controller retains analytical information devoid of any names or other personal identifiers.
Storage Period for Personal Data: The data subject has the option to delete cookies at any time from their computer or phone.
SECTION VI.
INFORMATION ABOUT THE RIGHTS OF DATA SUBJECT
You can find further information about the rights of the data subject in the General Data Protection Regulation (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN)
Information and access to personal data (Article 13 and 14)
Right of access by the data subject (Article 15)
Right to rectification (Article 16)
Right to erasure (‘right to be forgotten’ – Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)
Right to not be subject to automated individual decision-making, including profiling (Article 22)
Right for remedies (Article 77-82)
Right to Lodge a Complaint with a Supervisory Authority:
Every data subject possesses the right to lodge a complaint with a supervisory authority.
The complaint can be filed, especially in the Member State of the data subject's habitual residence, place of work, or the place of the alleged infringement.
The right to complain arises when the data subject believes that the processing of personal data concerning them violates the provisions of the General Data Protection Regulation (GDPR).
Further information regarding available remedies and procedures for lodging a complaint can be found under Article 77 of the GDPR.
Contact of the supervisory authority:
Office for Personal Data Protection of the Slovak Republic
(Úrad Na Ochranu Osobných Údajov)
Hraničná 12
820 07 Bratislava 27
Tel. + 421 2 32 31 32 14
Fax + 421 2 32 31 32 34
Email: statny.dozor@pdp.gov.sk
Website: http://www.dataprotection.gov.sk/
Place and date: Slovakia, 10th November 2022