INFORMATION ON THE PROCESSING OF PERSONAL DATA OF THE DATA SUBJECT WHO IS NOT AN EMPLOYEE OF IN BOX AGENCY, S.R.O.
According to Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
Company In Box Agency, s.r.o. considers compliance with the legal conditions for the processing of personal data of data subjects to be one of the priorities. All actions carried out at individual stages of the personal data processing process are carried out with maximum emphasis on the protection of the fundamental rights of data subjects, in particular the protection of personality and privacy and compliance with the principles of lawful processing of personal data.
In Box Agency, s.r.o. (hereinafter referred to as the “Controller”) processes all personal data in accordance with applicable legislation, with particular emphasis on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (GDPR) (hereinafter referred to as the “Regulation” or “GDPR”) and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter referred to as the “Act” or “Act No. 18/2018”).
This document mainly concerns data subjects who are not employees of In Box Agency, s.r.o. The information contained in this document is information within the meaning of Article 13 of the Regulation.
DETAILS OF THE CONTROLLER
Business name: In Box Agency, s.r.o.
Residence: Palackého 8/1423 040 01 Kosice
Company ID: 36600865
TIN: 2022094976
The proper processing of personal data is supervised by an authorized person, contact details:
Email: robert.jopek@inboxagency.sk
Correspondence address: address of the registered office of the company
This information is effective from 1.1.2023, and the operator is entitled to update it.
DEFINITIONS
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data of 27 April 2016.
Data subject – any person whose personal data are processed.
Personal data – any information relating to an identified natural person or an identifiable natural person.
Controller – is a natural or legal person who has determined the method and defined the purpose of personal data processing.
WE COLLECT YOUR PERSONAL DATA
Most often, you provide us with your personal data:
- We obtain them primarily directly from you, for example from communicating with you through the contact form on our website, or you send them to us directly by email or post.
- In connection with job searching for the purpose of providing assistance in finding a suitable employer through internet portals, e.g. profesia.sk, www.bazos.sk strike.
- In the selection process to fill a vacancy of the controller, or registration of personal data of job seekers without the intention to fill a specific job position.
INFORMATION ON THE PROCESSING OF PERSONAL DATA WHEN RECRUITING FOR A JOB
When you visit our website, we want you to feel safe and comfortable. Therefore, below we inform you about how we handle the collection, processing and use of your personal data that you provide to us.
Scope of personal data processing: in the above sense, it means, in particular, personal data (including a photo inserted in a CV) and information relating to a person in the scope of: name and surname, title, date and place of birth, citizenship, contact details /phone number, e-mail, residence/, data on achieved education and experience, data on other knowledge and other data that the candidate provides in the form of a CV, Form, questionnaire, including electronic form, or during a personal or telephone interview.
Processing period: personal data is 5 years from the provision of data. During this period, you can consent to the processing of your personal data at any time. After the processing period, your personal data will be automatically deleted from our CV database.
Provision of personal data: personal data you provide to In Box Agency, s.r.o. They will be provided to business partners for the purpose of recording them in the selection process to fill the contract for the contracting authority.
Legal basis: pursuant to Article 6(1)(a), the data subject has given consent to the processing of his or her personal data for one or more specific purposes, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
ON WHAT BASIS WE MAY PROCESS YOUR PERSONAL DATA
1 PERSONNEL AND PAYROLL AGENDA OF EMPLOYEES
| Purpose of personal data processing | Fulfilment of the employer’s obligations related to the employment relationship or professional relationship (e.g. on the basis of agreements on work performed outside the employment relationship), including pre-contractual relations |
| Name of information system | IS Personnel and payroll agenda of employees |
| Legal basis | Act No. 311/2001 Coll. Labour Code, as amended. Act No. 461/2003 Coll. on Social Insurance, as amended. Act No. 43/2004 Coll. on old-age pension savings, as amended. Act No. 650/2004 Coll. on Supplementary Pension Savings and on Amendments to Certain Acts, as amended.
Act No. 580/2004 Coll. on Health Insurance on Amendments to Act No. 95/2002 Coll. on Insurance and on Amendments to Certain Acts, as amended. Act No. 595/2003 Coll. on Income Tax, as amended. Act No. 5/2004 Coll. on Employment Services and on Amendments to Certain Acts, as amended. Act No. 462/2003 Coll. on Income Compensation for Temporary Incapacity of an Employee and on Amendments and Supplements to Certain Acts, as amended. |
| Categories of recipients | Intermediary for processing human resources, intermediary for processing payroll agenda, public authorities, state and public administration under relevant legislation, health insurance companies, supplementary pension savings banks, supplementary management companies. |
| Time limits for deletion of personal data | 5 -10 years, personal files – up to 70 years of age of the employee |
| Categories of data subjects | Jobseekers, employees, spouses of employees, employees’ dependent children, parents of employees’ dependent children, close persons, former employees |
| Personal data category | Common personal data |
2 JOB APPLICATIONS
| Purpose of personal data processing | It processes personal data of job seekers for the purpose of their registration in the selection process to fill the controller’s vacancy, or records personal data of job seekers without the intention to fill a specific job position or job offers on a permanent profesia.sk |
| Name of information system | IS Job Applications |
| Legal basis | Pursuant to Article 6(1)(a) of the General Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data |
| Categories of recipients | Not taking place |
| Cross-border transmission of personal data | Not taking place |
| Time limits for deletion of personal data | For a period of 5 years from the date of receipt of the CV and subsequently they will be liquidated |
| Information on the existence of automated decision-making, including profiling | Not taking place |
| Categories of data subjects | Job seekers |
3 ECONOMIC AND ACCOUNTING AGENDA
| Purpose of personal data processing | Processing of personal data of natural persons who come into payment transactions with the controller. The information system also includes processing of orders, incoming invoices and invoicing to customers, contact with the bank, cash management, securing cash receipts and expenses, warehouse management, records of fixed assets (including automatic depreciation) and small assets, keeping single/double-entry accounting of the organization, performing audits. |
| Name of information system | IS Economic-accounting |
| Legal basis | Act No. 460/1992 Coll. Constitution of the Slovak Republic, as amended, Act No. 513/1991 Coll. Commercial Code, as amended, Act of the National Council of the Slovak Republic No. 431/2002 Coll. on Accounting, as amended, Act No. 222/2004 Coll. on Value Added Tax, as amended, Personal Data Protection Act and related legislation, as amended, Act No. 145/1995 Coll. on Administrative Fees, as amended, Act of the National Council of the Slovak Republic No. 595/2003 Coll. on Income Tax, as amended, Act of the National Council of the Slovak Republic No. 461/2003 Coll. on Social Insurance, as amended, Act of the National Council of the Slovak Republic No. 563/2009 Coll. on Tax Administration (Tax Code), as amended, Act No. 40/1964 Coll. Civil Code, as amended, Act No. 152/1994 Coll. on Social Fund and on Amendments to Act No. 286/1992 Coll. on Income Taxes, as amended, Act No. 311/2001 Coll., Act of the National Council of the Slovak Republic No. 461/2003 Coll. on Social Insurance, as amended, Act of the National Council of the Slovak Republic No. 43/2004 Coll. on old-age pension savings and on amendments to certain acts, as amended regulations, Act of the National Council of the Slovak Republic No. 580/2004 Coll. on Health Insurance on Amendments and Supplements to the Act of the National Council of the Slovak Republic No. 95/2002 Coll. on Insurance and on Amendments to Certain Acts, as amended, Act No. 311/2001 Coll. Labour Code, as amended, Act no. 283/2002 Coll. on travel allowances, as amended, Act no. 106/2004 on excise duty on tobacco products, Act no. 530/2011 on excise duty on alcoholic beverages. |
| Categories of recipients | State administration bodies, public authorities and public administration according to relevant legislation, intermediary. |
| Cross-border transmission of personal data | Not taking place |
| Time limits for deletion of personal data | 10 years |
| Information on the existence of automated decision-making, including profiling | Not taking place |
| Categories of data subjects | Natural persons – employees of the operator, suppliers and customers – natural persons, employees of suppliers and customers, representatives of suppliers and customers, tenants, employees of tenants |
3 REGISTRY MANAGEMENT, RECORDS OF RECEIVED AND OUTGOING MAIL
| Purpose of personal data processing | Ensuring registry administration such as proper records of records (keeping complete and accurate records in the registry log, keeping registers and indexes of records), proper disposal of files (records), ensuring planned disposal of files (records) that are not necessary for further activities and have expired storage periods, records of incoming and outgoing mail, records of electronic mail. |
| Name of information system | IS Registry management, records of received and sent mail |
| Legal basis | Act of the National Council of the Slovak Republic No. 395/2002 Coll. on archives and registries, 305/2013 Coll. on the electronic form of the exercise of the powers of public authorities and on amendments to certain acts (e-Government Act). |
| Categories of recipients | State administration bodies, public authorities and public administration according to relevant legislation |
| Cross-border transmission of personal data | Not taking place |
| Time limits for deletion of personal data | The register shall be kept for 10 years after the end of the registration |
| Information on the existence of automated decision-making, including profiling | Not taking place |
| Categories of data subjects | Data subjects within all purposes of personal data processing defined by the controller |
4 EXERCISING THE RIGHTS OF DATA SUBJECTS
| Purpose of personal data processing | Handling requests of natural persons aimed at exercising their rights as data subjects under Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. |
| Name of information system | IS Exercising the rights of data subjects |
| Legal basis | Art. 6(1)(c), in accordance with Articles 15 to 22 and 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data |
| Categories of recipients | State administration bodies, public authorities and public administration according to relevant legislation |
| Cross-border transmission of personal data | Not taking place |
| Time limits for deletion of personal data | 1 year from the date of processing the application |
| Information on the existence of automated decision-making, including profiling | It does not take place. |
| Categories of data subjects | A natural person who, as the data subject, turns to the controller with a request to exercise his/her rights within the purposes defined by the controller |
5 HANDLING OF COMPLAINTS BY DATA SUBJECTS
| Purpose of personal data processing | The purpose of processing is the submission of a natural or legal person seeking protection of his or her rights or legally protected interests which he considers to have been infringed |
| Name of information system | IS Handling complaints of data subjects |
| Legal basis | Article 6 (1)(c) and (e) of the General Data Protection Regulation Act No. 9/2010 Coll. on Complaints, as amended |
| Categories of recipients | State administration bodies, public authorities and public administration according to relevant legislation |
| Cross-border transmission of personal data | Not taking place |
| Time limits for deletion of personal data | 1 year from the date of processing the application |
| Information on the existence of automated decision-making, including profiling | It does not take place. |
| Categories of data subjects | A natural person who, as the data subject, turns to the controller with a request to exercise his/her rights within the purposes defined by the controller |
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND AUTOMATED INDIVIDUAL DECISION-MAKING
No transfer of personal data to a third country or to an international organisation shall take place. Personal data will not be used for automated individual decision-making, including profiling.
SECRECY
We would like to assure you that our employees and co-workers who will process your personal data are obliged to maintain the confidentiality of personal data. This confidentiality continues even after the termination of the contractual relationship with us.
SECURITY OF PERSONAL DATA
In accordance with Articles 24 and 32 of the GDPR, we take appropriate technical and organizational measures to ensure a level of protection of personal data that is proportionate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of processing, as well as risks of varying probability of occurrence and severity for the rights and freedoms of natural persons. Such measures shall include, in particular, protecting the confidentiality, integrity and availability of data by controlling physical access to, entry, disclosure, ensuring availability and separation. In addition, we have put in place procedures to ensure the exercise of data subject rights, the erasure of personal data and the response to personal data breaches. In addition, we already take into account the protection of personal data when developing and selecting hardware, software and procedures in accordance with the principle of personal data protection, using technological design and presets suitable for data protection (Art. 25 GDPR).
RIGHTS OF DATA SUBJECTS UNDER THE REGULATION AND THE PERSONAL DATA PROTECTION ACT
We consider it important that you understand that the personal data we process is your data and that rights are associated with its processing. In addition to the right to withdraw consent to the processing of personal data , you also have other rights that arise from the Regulation and the Personal Data Protection Act, namely:
Right of access – you have the right to be provided with a copy of the personal data we have about you, as well as information about how we use your personal data. In most cases, your personal data will be provided to you in written paper form, unless otherwise required by you. If you have requested this information by electronic means, it will be provided to you electronically, if technically feasible.
Right to rectification – we take reasonable measures to ensure the accuracy, completeness and timeliness of the information we have about you. If you believe that the data we hold is inaccurate, incomplete or out of date, please do not hesitate to ask us to modify, update or supplement this information.
Right to erasure – under certain circumstances, you have the right to ask us to erase your personal data, for example if the personal data we have collected about you are no longer necessary to fulfill the original purpose of processing or if you withdraw your consent to processing. However, your right must be assessed in the light of all relevant circumstances. For example, we may have certain legal and regulatory obligations, which means that we will not be able to comply with your request.
Right to restriction of processing – under certain circumstances, you are entitled to ask us to stop using your personal data. For example, if you think that the personal data we hold about you may be inaccurate or if you think that we no longer need to use your personal data.
Right to data portability – under certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice. However, the right to portability applies only to personal data that we have obtained from you on the basis of consent or under a contract to which you are one of the parties.
Right to object – you have the right to object to data processing that is based on our legitimate interests (for example, we process personal data for the purpose of network and infrastructure security). If we do not have a convincing legitimate reason for processing and you object, we will no longer process your personal data.
Rights related to automated decision-making – you have the right to refuse automated decision-making, including profiling, which results in a legal or similar significant consequence for you. The controller usually does not use automated decision-making or profiling in the context of employment.
Right to withdraw consent – in most cases, we do not process your personal data based on your consent. However, we may ask for your consent in specific cases. Where we do so, you have the right to withdraw your consent to further use of your personal data. (e.g. photography)
Right to lodge a complaint – if you wish to lodge a complaint about the way your personal data is processed, including the exercise of the above rights, you can contact our Data Protection Officer (contact details are provided above). We will properly investigate all your suggestions and complaints.
If you are not satisfied with our response or you believe that we process your personal data unfairly or illegally, you may file a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, https://dataprotection.gov.sk, Hraničná 12, 820 07 Bratislava 27; E-mail: statny.dozor@pdp.gov.sk. However, we will be glad if you resolve your objections with us first.
HOW TO EXERCISE YOUR RIGHTS
You always exercise your rights with the person who processes your personal data, i.e. with a specific controller. If the controller has a data protection officer, you can also address your request to this person.The request can be oral, written, electronic or submitted by other means (the General Data Protection Regulation does not prescribe a specific form). We recommend using mainly written or electronic form.
Prepare identification data such as contract number, your ID at the controller, username or password, etc. i.e. an identifier on the basis of which the operator will be able to identify you in its environment and provide you with data concerning you.
We will respond to your request free of charge within 30 days. In case of complexity or a large number of requests, we are entitled to extend this period by another 60 days. If this happens, we will inform you about it and the reasons. In the event of a repeated request, we are entitled to charge a reasonable administrative fee to cover the costs associated with the provision of this service.
The data subject’s right to object to automated decision-making cannot be exercised because the described processing activity does not contain automated decision-making.
The right of the data subject to request from the controller information from which source the personal data originate is irrelevant, because the controller processes personal data obtained from the data subject.
CONCLUSION
If you have any questions about personal data protection, you can contact us at any time via e-mail or by post at the registered office of the controller. In the event that you exercise any of the rights of a data subject under data protection legislation with us and it is not possible to verify the identity of the applicant from your request, or if we have reasonable doubts regarding the identity of the person making the request, we reserve the right to ask that person to provide additional information necessary to confirm the identity of the person making the request.