This privacy policy (hereinafter as “Privacy policy“) contain information on processing of personal data of data subjects by the company upvision. s.r.o. regarding the execution of its business activities, including the processing which takes place via website www.upvision.digital or profile of the company upvision. s.r.o. on social networks Facebook, ISTAGRAM, LinkedIn (hereinafter as “website”). Your personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “Regulation“), Act No. 18/2018 Coll. On protection of personal data as (hereinafter as “Act“) and other respective legislation in relation to personal data protection (Regulation, Act and other personal data protection legislation hereinafter as “Personal data protection legislation“).
The aim of this Privacy policy is to provide you with the information mainly on why your personal data are processed, how they are processed and on what your rights regarding the processing of your personal data are. This Privacy policy provides you also with other relevant information on the processing of your personal data and therefore, via this Privacy policy, the controller is fulfilling its information obligation according to the Art. 13 and also Art. 14 of the Regulation. Information on processing of personal data, which occurs outside the website or during the normal performance of the business activities of the controller, are specified in the general privacy policy of the controller and in other internal regulations of the controller on the protection of personal data.
- Identification of the controller and contact addresses
The controller processing your personal data is the company upvision. s.r.o., with its registered seat at Hviezdoslavova 309/1, 905 01 Senica, Slovak Republic, company ID: 48 067 989, registered with the Commercial Register of the District Court Trnava, section: Sro, insert No. 35623/T (hereinafter as the “Controller”).
In matters related to personal data processing and protection, you may contact the Controller at the address upvision. s.r.o., Hviezdoslavova 309/1, 905 01 Senica, Slovak Republic or via e-mail address dpo@upvision.sk. The Controller has not appointed a data protection officer.
- Purposes, legal basis, categories of processed personal data and retention period
The Controller processes your personal data always in accordance with the principle of minimization only for justified purposes, for a limited time, stipulated in accordance with the respective legislation and with the use of the maximum possible level of security. The Controller processes personal data only if there is a legal basis for its processing, e. g. in accordance with the principle of legality. Specific information on the purposes of the processing, the legal bases for their processing, the categories of personal data processed and the specified retention period can be found in the table below.
The Controller will provide you with the more information on the retention period of your personal data also in case of you request.
Purposes | Legal Basis | Categories of data subjects | Categories of personal data | Retention period or criteria for its determination |
Acceptance and registration of service orders and execution of pre-contractual relations | Art. 6 (1) b) of the Regulation – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract | Natural persons – customers and business partners | Ordinary personal data (name, surname, residence address / registered business address, contact details – phone No, e-mail address, bank connection details) | Until the contract is concluded or 1 year after the do delivery of the request of the data subject or the preparation of quotation |
Execution of the contractual obligations of the controller (based on the contracts concluded with the suppliers and customers – natural persons) including the distance concluded contracts (especially via online form) | Art. 6 (1) b) of the Regulation – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract | Natural persons – service suppliers and their representatives and natural persons – processors and customers and their representatives | Ordinary personal data (name, surname, residence address / registered business address, contact details – phone No, e-mail address, bank connection details) | During the duration of the contract and after its termination until the full settlement of the legal claims arising from the contract or until the expiry of the respective limitation period, whichever occurs first |
Keeping an evidence (list) of the suppliers, other business partners and customers and their representatives (in case of suppliers, customers and business partners – legal entities) and concluded contracts and fulfilment of legal obligations towards the legal entities – contract parties | Art. 6 (1) f) of the Regulation – processing is necessary for the purposes of the legitimate interests pursued by the controller, which lays in the need to keep an evidence list on its suppliers, business partners and clients and their representatives (in case of legal entities) fort the correct fulfilment of the contractual relationship and proving of legal claims | Natural persons – representatives and contact persons of the suppliers, customers and business partners | Ordinary personal data (name, surname, residence address / registered business address, contact details – phone No, e-mail address, bank connection details, function in a legal person, other personal data stated in the contract | During the duration of the contract concluded with the legal person and after its termination until the full settlement of the legal claims arising from the contract or until the expiry of the respective limitation period, whichever occurs first |
Evidence and management of court and administrative proceedings | Art. 6 (1) b) of the Regulation – processing is necessary for compliance with a legal obligation to which the controller is subject | Natural persons – participants of the proceeding and their representatives | Ordinary personal data and special categories of personal data necessary for the compliance with legal obligations | 10 years following the year which they relate to |
Processing of service delivery complaints and keeping of respective evidence | Art. 6 (1) b) of the Regulation -processing is necessary for compliance with a legal obligation to which the controller is subject | Natural persons – customers and their employees and representatives, natural persons – representatives of the legal entities (customers and business partners) | Ordinary personal data necessary for the compliance with legal obligations | 3 years following the handling of the complaint, if the complaint is submitted by the customer – natural person and 4 years following the handling of the complaint, if the complaint is submitted by the customer – legal entity |
Fulfilment of the duties when performing care for the client obligations and when detecting an unusual business operation, including copying and scanning of official documents and storage of all written documents and data related to the execution of the business relationship when performing following business activities: “Activities of the business, organizational and economic advisors” | Art. 6 (1) b) of the Regulation -processing is necessary for compliance with a legal obligation to which the controller is subject | Natural persons – customers, their employees and representatives, natural persons – employees and representatives of the customers – legal entities, ultimate beneficial owners of the customers | Name, surnames, date of birth, social insurance number, residence or permanent residence address, citizenship, type and number of the ID, other personal data proving the UBO statute or function of the data subject in the organisation of the client, other personal data stated in the documentation of the business activity | 5 years following the year termination of the contractual relationship with the customer, Financial intelligence unit does not request in written form further retention of the documents (maximum for another 5 years) in accordance with the § 19 of the Act No. 297/2008 Coll. (anti money laundering Act) |
Handling with the rights exercised by data subjects | Art. 6 (1) b) of the Regulation -processing is necessary for compliance with a legal obligation to which the controller is subject | Natural person, who submitted request or executed their right of the data subjects towards the controller | Ordinary personal data, which are part of the request | Until the handling of with the exercised rights and submitted request |
Keeping records of the executed rights of data subjects | Art. 6 (1) letter f) of the Regulation – legitimate interest of the Controller which lays in keeping records of the rights exercised by the data subjects for proving fulfilment of the obligations arising out of legal regulations | Natural person, who submitted request or executed their right of the data subjects towards the controller | Ordinary personal data, which are part of the request | 5 years following the day when exercised right of submitted request is handled with |
Providing a response to the messages and handling with inquiries / requests from the messages delivered via contact form on the website or via profiles of the Controller on social networks | Art. 6 (1) letter f) of the Regulation – legitimate interest of the Controller, which lays in the interest of the Controller on responding to the messages in order to deal with the messages and inquiries for proper business communication with customers and quality of the provided services
|
Natural persons sending the message | Name, surname, phone No. E-makl address, other personal data stated in the message | 30 days following the receipt of the request or until the handling with the request (fulfilment of the purpose), depends on which of the conditions stated above occurs earlier |
Direct marketing – customers and former customers (newsletter) | Art. 6 (1) letter f) of the Regulation – legitimate interest of the Controller in informing customers about new offers and other information regarding the customers | Natural persons – customers and representatives of the customers (legal entities) | E-mail address, name, surname, company of the client identification | 3 years following the year of the service delivery or until the data subject unsubscribes |
Direct marketing – newsletters sending | Art. 6 (1) letter a) of the Regulation – the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | Natural persons – subscribers to the newsletter, who granted consent | E-mail address | 3 years following consent granting or until its withdrawal, whichever occurs first |
Taking of photographs audio-visual recordings of the data subjects and their publication on the website of the controller and other communication channels (social networks, Facebook, Instagram, LinkedIn and Youtube service channel) | Art. 6 (1) letter a) of the Regulation – the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | Natural persons, who granted consent – employees, members of the bodies, business partners, customers | Photograph, audio-visual recording | 5 years following consent granting or until its withdrawal, whichever occurs first |
Publication of name, surname, phone No., a-mail address and function of the data subjects on the website of the controller and on other communication channels (social networks, Youtube platform channel) | Art. 6 (1) letter a) of the Regulation – the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | Natural persons, who granted consent – employees, members of the bodies, business partners, customers (business partners, other data subjects) | Name, surname, phone No, e-mail address, function in the company of the controller | 5 years following consent granting or until its withdrawal, whichever occurs first |
Organization of competitions and publications of the winners | Art. 6 (1) letter a) of the Regulation – the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | Natural persons who participate in the competition (out of public) | Ordinary personal data (title, name, surname, residence address, photograph) | 2 years following consent granting or until its withdrawal, whichever occurs first |
Publication of the references on the services of the controller (on website, other communication channels and in presentation and business materials of the controller) | Art. 6 (1) letter a) of the Regulation – the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | Natural persons, who granted consent with the reference publication | Name, surname, function in the company of the customer | 3 years following consent granting or until its withdrawal, whichever occurs first |
Processing of personal data in order to measure traffic on the website and online advert targeting (via cookies) | Art. 6 (1) letter a) of the Regulation – the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | Natural persons, who visited the website and granted consent | IP address and other data on the activity on the website of the controller and online preferences | 2 years following consent granting or until its withdrawal, whichever occurs first (depends on the type of cookie) |
Processing of accounting documents | Art. 6 (1) c) of the Regulation processing is necessary for compliance with a legal obligation to which the controller is subject | Natural persons – suppliers, customers and business partners and their employees and representatives | Ordinary personal data necessary for the compliance with the legal obligations (name, surname, residence address / registered business address, service delivery address, contact details – phone No and e-mail address, bank connection details) | 10 years following the year, which they relate to |
In relation to securing the personal data, the Controller has adopted internal documentation, in which adequate security measures are further specified. Security measures have been adopted in order to secure the processing of your personal data.
- Source of the personal data
The Controller obtains your personal data directly from you as a data subject, in case you provide the Controller with your personal data (for example by submitting your request to the Controller via the contact form on the website, when you subscribe to the newsletter, when you order a service from the Controller, or when you join a public competition organized by the Controller) or directly via your visit of the website of the Controller (online identifiers), when you grant your consent to this kind of processing.
In some cases, especially if a service is ordered from the Controller by a business company or other entity of which you are a representative or contact person, the source of your personal data is this entity.
- To whom the Controller provides your personal data?
Your personal data may be in some cases provided to public authorities or to other recipients, which are entitled to process your personal data. These types of recipients include courts, law enforcement authorities, tax administrator, supervisory authorities (Slovak Trade Inspection) or Úrad na ochranu osobných údajov (personal data supervisory authority).
Other recipients of your personal data also include companies operating social networks and the Youtube platform if you contact the Controller via a message on a social network, enter a competition organized by the Controller on a social network or website or if you grant the Controller a consent to publish your reference about its services or your photo (companies Meta Platforms Ireland and LinkedIn Ireland Unlimited Company). If you visit the Controller´s website and grant it with your consent to the use of analytical and marketing online tools (cookies), the recipients of your personal data are also companies providing online advertising and analysis tools (companies Meta Platforms Ireland, Google Ireland Limited).
Data processors
In some cases, the Controller also provides your personal data to its processors, i.e. external entities that process your personal data on behalf of the Controller. Processors process personal data on the basis of a contract concluded with the Controller, in which they have undertaken to take appropriate technical and security measures in order to securely process your personal data. The processors of the Controller are the following companies:
- commercial companies and natural persons – entrepreneurs with which the Controller cooperates and which supply its services to the Controller (provision of marketing services, IT services, web hosting services and services in the field of personal data protection and information security),
- a company providing online accounting and invoicing software (application),
- companies providing software (application) services for recording time worked, orders placed and client records,
- a company providing an online cloud storage service,
- a company providing newsletter services, and
- companies providing hosting services.
- Are your personal data transferred to third countries and international organisations?
When processing your personal data by the Controller, in some cases your personal data is transferred to third countries:
- if you subscribe to the newsletter or if a client newsletter is sent to you, your personal data is transferred to the USA, to the company The Rocket Science Group, LLC, which is the operator of the Mailchimp service, which the Controller uses to distribute newsletters,
- if you give your consent to the storage of analytical and marketing cookies, your personal data may be transferred to the USA, to companies Google LLC, Meta Platforms and LinkedIn Corporation, as the parent companies of European providers of the above stated services, which the Controller uses for the purpose of measuring traffic and activity on the Controller´s website, on the basis of the legal regulations applicable therein,
- if you contact the Controller via a message on social networks, your personal data may be transferred to the USA, to the company Meta Platforms and LinkedIn Corporation, as the parent companies of the European operators of social networks Facebook, INSTAGRAM and LinkedIn, on the basis of the legal regulations applicable therein,
- when using online cloud storage, your personal data may be transferred to the USA, to the company Google, LLC, which is the operator of the aforementioned service,
- when using online software (applications) to record time worked, orders placed and client records, your personal data may be transferred to the USA, to companies operating CLOCIFY and ASANA applications,
- when using online accounting software, your personal data is transferred to the UK, to company Bindu LTD.
In all the above stated cases, the transfer of your personal data is ensured via standard contractual clauses, which, in accordance with the terms of use of the above services, are part of the agreements on the commissioned processing of personal data concluded with the above-specified entities.
- Does the Controller use profiling or automated decision-making when processing your personal data?
The Controller does not use profiling when processing your personal data and does not process personal data in any form of automated individual decision-making, in which your personal aspects would be evaluated.
- Controller as a processor processing personal data on behalf of another controller
When providing marketing services, hosting services and IT services for the Controller’s clients (hereinafter referred to as “clients“), the Controller may process personal data of data subjects on behalf of its clients (clients’ customers, client employees and other data subjects). When processing personal data of data subjects on behalf of clients, the Controller acts in the position of a processor of personal data processing pursuant to Art. 4 (8) of the Regulation, whereas the controller who determines the purposes and means of the processing of personal data is always the client when processing personal data by the Controller in the position of a processor. The Controller concludes an agreement on commissioned data processing with its clients, which sets out the conditions for the processing of personal data of data subjects by the Controller as a processor on behalf of its clients, and obligations related to ensuring an adequate level of protection of the processed personal data. In the event that it is not agreed otherwise in an individual case, the above-mentioned contract shall be governed by the text of the contract of entrustment with the processing of personal data, the online version of which was provided by the Controller to the client when concluding their contractual relationship.
The purposes, legal bases, scope and range of recipients of processed personal data by the Controller as processor on behalf of clients is determined by the clients, whereas the Controller, in cases when it processes personal data of data subjects on behalf of its clients, proceeds exclusively according to the instructions of its clients and the relevant legal regulations, fulfills the obligations of the processor under the provisions of the Personal data protection legislation and does not carry out any other processing operations with personal data except those resulting from the concluded agreement on commissioned data processing and the purposes of the processing specified by the Client.
- What are our rights in relation to personal data processing?
As the data subject, your rights regarding the processing of your personal data are as follows:
Your rights
|
|
Right of access – You have the right to obtain a copy of the personal data which we hold about you, as well as the information on how we use your personal data. In most cases, your personal data will be provided to you by electronic means of communication, unless otherwise requested by you. | Right to rectification – We take reasonable measures in order to ensure that the data which we hold about you are accurate, complete and up-to-date. In case the personal data we hold are inaccurate, incomplete or outdated, we will modify, update or complete such personal data on basis of your request.
|
Right to erasure – Under certain circumstances, you have the right to ask us to erase your personal data, for example, if the personal data we have obtained about you, are no longer necessary to fulfil the original purpose of processing or if you withdraw your consent to the personal data processing. We assess exercising your right to erasure (right to be forgotten) on the basis of individual circumstances of each particular case of processing.
However, your right has to be assessed in the light of all relevant circumstances. For example, there may be certain circumstances or cases arising for us from applicable legislation when your personal data cannot be erased. In such case, we will not be able to accept your request. |
Right to restriction of processing – You have also the right to ask us not to process your personal data. If you believe that the personal data we process about you are not accurate, that the processing is unlawful and you request the restriction of their processing, that we no longer need your personal data, but they are required by you as the Data subject for the exercise of legal claims or if you believe that we as the controller are not entitled to further process your personal data, we will not further process your personal data on the basis of your request.
|
Right to data portability – Under certain circumstances, you have right to transmit the personal data to another subject according to your choice. However, the right to portability applies only to personal data that we process under the contract to which you are one of the parties or on the basis of the consent which you have granted us. | Right to lodge a complaint or request – If you believe that we breach Personal data protection legislation when processing your personal data or that we have not handled your request in accordance with such legislation, you can lodge a complaint with the supervisory authority which is Úrad na ochranu osobných údajov SR, Hraničná 12, 820 07 Bratislava 27, Slovak republic, website: dataprotection.gov.sk, tel. No.: 02 3231 3214; e-mail: statny.dozor@pdp.gov.sk. |
RIGHT TO OBJECT
You have the right to object to processing of your personal data, for example if we process your personal data based on the legitimate interest or to processing in which profiling occurs. If you object to such personal data processing, we will not further process your personal data unless we demonstrate compelling legitimate grounds for such processing.
|
|
RIGHT TO WITHDRAW CONSENT
If we process your personal data on the basis of your consent, you have the right to withdraw such consent for further processing of your personal data. You may withdraw your consent at any time in writing, by e-mail or orally (in person).
|
You may exercise your rights specified in the table above at the contact addresses of the Controller listed at the beginning of this document. The Controller will provide you with the answer to the exercise of your rights free of charge.
In the event of a repeated, unreasonable or inappropriate request for the exercise of your rights, the Controller is entitled to charge a reasonable fee for the provision of information. The Controller will provide you with an answer within 1 month from the day when you exercised your rights. In certain cases, the Controller is entitled to extend this period, in the case of a high number and complexity of applications of the data subjects, maximally by 2 months. The Controller will always inform you about the extension of the deadline in advance.
- Social media and links to other websites
As a part of the support of marketing and advertising you can find on the Controller´s website links to various social networks, such as Facebook. The Controller hereby wishes to inform you that after clicking on the plugin on the website and visiting the social network, the personal data protection rules of the social network operator will apply, except if you contact the Controller via a message on the social network (in which case the processing of your personal data is also governed by this Privacy Policy and your personal data shall be processed by the Controller in accordance with the information provided above).
For more information on the processing of your personal data by social media operators, please visit the following links:
- Facebook: https://sk-sk.facebook.com/policy.php,
- Instagram: https://sk-sk.facebook.com/help/instagram/155833707900388/
- Youtube: https://policies.google.com/technologies/product-privacy?hl=sk.
- Validity
An updated version of this Privacy policy is valid and effective as of 15th December 2022. As it is possible that an update of the information on personal data processing contained in this Privacy policy may be necessary in the future, the Controller is entitled to update this Privacy policy at any time. In such case, the Controller will inform you about it in an adequate manner in advance.