Personal Data Protection Information

Data Controller: Civic Association Sauna Bobor; Address: HradnΓ© ΓΊdolie 1994/1, 811 01 Bratislava; Company ID: 55282270; Email: brunovsky.jan@gmail.com

Introductory Provisions:
The Civic Association Sauna Bobor (hereinafter referred to as "Data Controller") hereby informs members and employees of the private sauna club about the processing of their personal data and their rights in accordance with Article 12 of the Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) on the protection of individuals with regard to the processing of personal data and the free movement of such data.

Scope of Personal Data Processing:
Personal data is processed to the extent provided by the relevant data subject, in connection with the conclusion of a contractual or other legal relationship with the Data Controller, or which the Data Controller has collected otherwise and processes in accordance with applicable laws or to fulfill the legal obligations of the Data Controller.

Sources of Personal Data:

  • Directly from data subjects (e.g., emails, phone numbers, websites, contact forms on the website, business cards, etc.)

  • Publicly accessible registers, lists, and records (e.g., commercial register, trade register, real estate register, etc.) for the purpose of creating accounting documents and verifying the correctness of information.

Categories of Personal Data Being Processed:

  • Address and identification data for the unique and unmistakable identification of the data subject (e.g., first name, last name, title, birth number, date of birth, permanent address, company ID, tax ID) and contact data (e.g., contact address, phone number, email address, and other similar information).

  • Descriptive data (e.g., bank account details).

  • Other data necessary for fulfilling the contract.

  • Data provided beyond the legal requirements, processed based on the consent of the data subject (e.g., processing of photographs, use of personal data for personnel procedures, sending business or informational notices, etc.).

Categories of Data Subjects:

  • Member of the Data Controller

  • Employee of the Data Controller

  • Service provider

  • Other individuals in a contractual relationship with the Data Controller

  • Job applicant

Categories of Recipients of Personal Data:
The Data Controller does not intend to transfer personal data to third countries outside the EU. The Data Controller has the right to assign personal data processing to a processor who has entered into a processing agreement with the Data Controller and provides adequate guarantees for the protection of your personal data. Otherwise, data subjects will be fully informed about such transfers. The categories of recipients are:

  • Financial institutions

  • Public institutions

  • State and other authorities in the fulfillment of legal obligations established by relevant laws

Purpose of Personal Data Processing:

  • Purposes contained within the consent of the data subject

  • Negotiating a contractual relationship

  • Fulfilling a contract

  • Protection of the Data Controller's rights, recipients' rights, or other affected persons

  • Archiving based on legal requirements

  • Job selection for advertised positions

  • Fulfilling legal obligations of the Data Controller

  • Protection of vital interests of the data subject

  • Sending business notices or other information in the case of legitimate interests of the Data Controller

Method of Processing and Protection of Personal Data:
Personal data is processed by the Data Controller. Processing is carried out at the premises and headquarters of the Data Controller by authorized employees. The processing is done in accordance with all security principles for the management and processing of personal data. To this end, the Data Controller has adopted technical, organizational, and legal measures to ensure the protection of personal data, especially measures to prevent unauthorized or accidental access to, alteration, destruction, or loss of personal data, unauthorized transfers, unauthorized processing, and other misuse of personal data. All entities who may have access to personal data respect the data subjects' right to privacy and freedoms and are obligated to comply with applicable data protection laws.

Retention Period for Personal Data:
In accordance with the periods set forth in the relevant contracts and consents, the periods prescribed for handling in the case of legitimate interests of the Data Controller or a third party, and in relevant legal provisions, the retention period is for the time necessary to ensure the rights and obligations arising from both contractual relationships and relevant legal provisions.

Notice:
The Data Controller processes data with the consent of the data subject, except for cases where processing does not require consent under the law, meaning when there is another legal basis for processing. In accordance with Article 6(1) of the GDPR, the Data Controller can process data without the data subject’s consent if:

  • The processing is necessary to fulfill a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract,

  • The processing is necessary for compliance with a legal obligation to which the Data Controller is subject,

  • The processing is necessary to protect the vital interests of the data subject or another natural person,

  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,

  • The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the data subject's rights and freedoms that require the protection of personal data.

Rights of Data Subjects:
A. In accordance with Article 12 of the GDPR, the Data Controller will, upon request from the data subject, inform the data subject about the right of access to personal data and the following information:

  • The purpose of processing,

  • The category of personal data concerned,

  • The recipients or categories of recipients to whom the personal data have been or will be disclosed,

  • The planned duration for which the personal data will be stored,

  • All available information about the source of the personal data, if not obtained from the data subject,

  • Whether automated decision-making occurs, including profiling.

The Data Controller may charge a reasonable fee for providing the information, which will not exceed the cost of providing the information, for the second and each subsequent copy associated with the administrative costs.

B. Any data subject who believes or becomes aware that the Data Controller or a processor is processing their personal data in violation of their privacy rights or the law, especially if the personal data is inaccurate concerning the purpose of processing, may:

  • Request the Data Controller to explain,

  • Request the Data Controller to rectify the situation. This may involve blocking, rectifying, supplementing, or deleting the personal data.

If the request is found to be valid, the Data Controller will immediately rectify the situation. If the Data Controller refuses the request, the data subject has the right to contact the supervisory authority (the Office for Personal Data Protection).

C. The data subject has the right to withdraw their consent to the processing of personal data given earlier.

D. The rights of data subjects include the right to rectification, erasure, the right to be forgotten, the right to restrict processing, and further the right to data portability, if technically or organizationally feasible.