Privacy Policy

1. Introduction

This personal data processing notice (hereinafter referred to as the “Notice”) defines the conditions and rules under which the processing of personal data of data subjects is carried out by Remediata s.r.o. (hereinafter referred to as the “Controller” or the “Company”).

The purpose of this Notice is to inform the persons whose personal data are processed by the Company (hereinafter referred to as “Data Subjects”) of all the facts and rules applicable to the processing of their personal data in the Company’s terms and conditions. 

Remediata s.r.o. provides services in the field of prevention of cyber-attacks and in the field of protection of its clients against cyber-threats. In the performance and implementation of the Company’s business activities, the processing of Personal Data of Data Subjects inevitably occurs for various processing purposes (described in the following text of the Principles) and the Company places maximum emphasis on the security of the processed data and the protection of the privacy of Data Subjects. All processing operations with personal data are carried out exclusively in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR Regulation”) and in accordance with Act No. 18/2018 on the protection of personal data and on amending and supplementing certain acts (hereinafter referred to as the “Act”) to the extent and for the time necessary to achieve the stated purpose of processing.

1.2 Explanation of terms

In order to clarify the terms used in connection with the personal data protection and privacy agenda, please refer to this section of the Principles for an explanation of the basic terminology used in the following text of the Principles.

1. Personal Data: any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by reference to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Processing: an operation or set of operations concerning personal data or sets of personal data, such as obtaining, recording, organizing, structuring, storing, processing or altering, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, rearranging or combining, restricting, erasing or disposing of, whether or not by automated or non-automated means.
3. Data subject: Any natural person whose personal data are processed.
4. Filing system: Any organised collection of personal data which is accessible according to specified criteria, whether the system is centralised, decentralised or distributed on a functional or geographical basis.
5. Profiling: Any form of automated processing of personal data which consists of using that personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of the natural person concerned relating to job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements.
6. Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
7. Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
8. Recipient: The natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not it is a third party. 
9. Third party: A natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who are entrusted with the processing of personal data on the basis of a direct mandate from the controller or processor.
10. Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by means of a statement or an unambiguous affirmative act, consents to the processing of personal data concerning him or her.
11. Special category of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as genetic data, biometric data for the individual identification of a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.

1.3 Contact details of the Data Controller

In this section of the Notice, you will find the identification of the Controller as well as contact details for communication on privacy matters in order to facilitate and expedite your communication with us as much as possible.

Identification of the Controller (Company):

Business name:                    Remediata s. r. o
Registered seat:                   Vysokoškolákov 8556/33B, 010 08 Žilina, Slovaki
Identification number:       55 866 743

Contact details:

In connection with the processing of personal data you can contact us:

– by mail sent to the address of the company’s registered seat,

– by e-mail sent to the following e-mail address: [email protected]

1.4 Further information

In the following sections of this Notice, you will find more detailed information about the processing of Personal Data of Data Subjects in the following parts:

• Rights of the data subject and how to exercise them,
• Information on the processing of personal data pursuant to Articles 13 and 14 of the GDPR (divided according to the individual purposes for which the personal data is processed)
• Processing of personal data on behalf of other controllers
• Current list of processors under Article 28 of the GDPR
• Final provisions

2.1 Rights of the Data Subject in general

Each Data Subject has rights under the relevant provisions of the GDPR Regulation in relation to the personal data protection agenda, and in this section of the Notice we inform you in more detail about the content of the individual rights.

It is essential to note that the individual rights of the Data Subject may be linked to a specific purpose of processing and for this reason we recommend that you also familiarize yourself with the information obligations for each purpose of processing personal data, where the specific rights of the Data Subject are listed for each purpose.

If the Data Subject decides to exercise his or her rights under the GDPR, he or she may do so by using the contact details provided in this Notice, or by any other means if defined for the specific purpose of the processing of personal data.

In accordance with Article 12(3) of the GDPR Regulation, the Company shall provide the Data Subject with information on the measures taken in response to his or her request without undue delay and, in any event, within one month of receipt of the request. That period may be extended by a further two months if necessary, taking into account the complexity of the request and the number of requests. In the event of an extension of the time limit, the Company shall inform the Data Subject thereof within one month of receipt of the request, together with the reasons for missing the time limit. If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the Data Subject has requested otherwise.

If the Company does not take action on the basis of the Data Subject’s request, it shall inform the Data Subject of the reasons for its failure to act without delay and at the latest within one month of receipt of the request, in which case the Data Subject shall have the possibility to lodge a complaint with the supervisory authority and to seek judicial redress.

All information shall be provided free of charge to the Data Subject. If the Data Subject’s requests are manifestly unfounded or unreasonable, in particular because of their repetitive nature, the Company shall be entitled to:

– charge a reasonable fee, taking into account the administrative costs of providing the information or giving the notice or taking the action requested; or

– refuse to act on the request. 

If the Company has reasonable doubt as to the identity of the natural person who has exercised the rights of the Data Subject (within the meaning of Articles 15 to 22 of the GDPR), the Company shall be entitled to request the provision of additional information necessary to confirm the identity of the Data Subject.

2.2 Individual rights of Data Subjects

The Data Subject is entitled to the following rights under the GDPR:

1. The right of access (Article 15 of the GDPR Regulation)
   The Data Subject has the right to confirm whether the Controller processes his/her personal data, to obtain access to such data, to obtain information about such processing, to obtain copies of the personal data held by the Controller from the Data Subject.  If the Data Subject has made a request by electronic means, the information shall be provided in a commonly used electronic form, unless the Data Subject has requested otherwise.
2. Right to rectification (Article 16 of the GDPR)
   The Data Subject shall have the right to have inaccurate personal data concerning him or her rectified by the Data Controller without undue delay. With regard to the purposes of the processing, the Data Subject has the right to have incomplete personal data completed, including by providing a supplementary declaration. 
3. Right to erasure (Art. 17 GDPR)
   The Data Subject has the right to have the Data Controller erase the personal data concerning him or her without undue delay if one of the grounds set out in Article 17 of the GDPR Regulation is fulfilled, namely:
   • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
   • The data subject withdraws the consent on the basis of which the processing is carried out, unless there is no other legal basis for processing the personal data,
   • The data subject objects to the processing of the personal data on the legal basis of the legitimate interest of the Controller and no legitimate grounds for processing prevail,
   • the personal data have been unlawfully processed,
   • the personal data must be erased in order to comply with a legal obligation under European Union or Slovak law,
   • the personal data were collected in connection with the offer of information society services to a person under the age of 16.
     
     The controller is not obliged to delete the personal data of the Data Subject if the processing is necessary:
   • to exercise the right to freedom of expression and information,
   • to fulfil an obligation under a law, a special regulation or an international treaty by which the Slovak Republic is bound or to perform a task carried out in the public interest or in the exercise of official authority vested in the Controller,
   • for reasons of public interest in the field of public health,
   • for reasons of processing for so-called privileged purposes, namely for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, unless the right to erasure is likely to make it impossible or seriously impede the achievement of the purposes of such processing,
   • for the establishment, exercise or defence of legal claims.
4. The right to restriction of processing of personal data (Article 18 of the GDPR):
   
   The data subject has the right to have the Controller restrict the processing of personal data in certain circumstances for the following reasons:ovných dôvodov:
   • The data subject has contested the accuracy of the personal data ( the restriction of processing applies for the period during which the accuracy of the personal data is verified),
   • the processing is unlawful and the Data Subject requests a restriction on the use of the Personal Data instead of erasure,
   • The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to establish, exercise or defend legal claims,
   • The data subject has objected to the processing of the personal data on the basis of the legitimate interest of the Data Controller, pending verification whether the legitimate grounds on the part of the Data Controller outweigh the legitimate grounds of the data subject.
     
     If the processing of personal data has been restricted, such personal data shall, with the exception of storage, be processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims. 
     
     The controller shall inform the data subject who has obtained the restriction of the processing of personal data if the restriction of processing should be lifted.
5. Right to data portability (Article 20 of the GDPR)
   Where the processing of personal data is carried out by automated means and such processing is carried out on the legal basis of the data subject’s consent or on the basis of a contract, the data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and shall have the right to transfer such data to another controller without being prevented from doing so by the original Controller.
6. Right to object (Art. 21 GDPR)
   The data subject has the right to object to the processing of personal data if the legal basis for the processing is the legitimate interest of the Controller. In the event of such an objection, the Controller may no longer process the personal data unless it demonstrates  
   • compelling legitimate grounds for processing which override the interests of the rights and freedoms of the Data Subject,
   • the grounds for establishing, exercising or defending legal claims.
     
     If the Data Subject objects to the processing of personal data for direct marketing purposes, the Controller may no longer process his or her personal data.
7. Right to ineffectiveness of automated individual decision-making, including profiling (Art. 22 GDPR)
   The data subject has the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects concerning him or her or similarly significantly affects him or her.
   
   The above shall not apply where the decision is:
   • Necessary for the conclusion of a contract between the Data Subject and the Controller,
   • permitted by Union law or by the law of a Member State to which the Controller is subject and which also provides for appropriate measures guaranteeing the protection of the rights and freedoms and legitimate interests of the Data Subject,
   • based on the Data Subject’s explicit consent.

2.3 Right to withdraw consent 

The Data Subject shall have the right to withdraw his or her consent to the processing of personal data at any time insofar as the processing of personal data was based on this legal basis. The data subject shall withdraw his or her consent in the manner specified in the consent itself, or in the information obligation for the purpose of the processing, or by contacting the controller with his or her request using the contact details provided in this Policy. 

The lawfulness of the processing of personal data prior to the withdrawal of consent on the basis of validly given consent is not affected by its withdrawal.

2.4 Right to lodge a complaint

If the data subject considers that the processing of his or her personal data is unlawful or that any of his or her rights have been violated, he or she may lodge a complaint or institute proceedings in the Supervisory Authority – Office for the Protection of Personal Data of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovakia tel.: +421/2/3231 3214, e-mail: [email protected].

3.1 Introductory information

In this section of the Notice, you will find detailed information on the processing of personal data with respect to the individual purposes of processing, with the scope of the individual information obligations defined in Article 13 (for the case of obtaining personal data directly from the data subject) and Article 14 (for the case of obtaining personal data from a source other than the data subject) of the GDPR Regulation.

All personal data is processed with an emphasis on its security, in accordance with the established security rules of the Company. Within the Company, personal data may be accessed only by persons who have been authorised to do so and who are bound by the confidentiality obligation arising from the content of the authorisation.

3.2 Purposes of the processing of personal data

1. Pre-contractual relations (commercial offers)
   
   If you are interested in using the Company’s services performed within the scope of its business activities, or if you are interested in drawing up a quotation or negotiating a contract with the Company, you have the status of a Data Subject, as personal data is processed in connection with the implementation of pre-contractual relations. 
   
   Information obligation for the purpose of processing:

2. Contractual agenda
   
   If you are a party to a contract concluded with the Company in connection with the performance of its business activities, you have the status of a Data Subject, since the processing of personal data occurs in connection with the performance of contractual relations. 
   
   Information obligation for the purpose of processing:

3. Accounting and tax agenda
   
   The Company continuously issues and records accounting and tax documents related to the implementation of its business activities. These documents may contain personal data of the Data Subjects. 
   
   Information obligation for the purpose of processing:

4. Contact details of contractors / business partners
   
   In carrying out contractual and business relations, the Company communicates with a certain range of persons who may represent contractual and business partners, or act in their change, or are their employees. Typical examples are statutory bodies, employees of contractual partners who are listed in the contract as contact persons, etc.
   
   Information obligation for the purpose of processing:

5. Suggestions, enquiries, contact form on the website www.remediata.sk
   
   In the performance and implementation of the Company’s business activities, it is inevitable to deliver messages that are in the nature of inquiries, suggestions, or complaints, while their processing inevitably involves the processing of personal data of the Data Subjects, i.e. the senders.  The Company also has a contact form published on the website www.remediata.sk, which can be used to send a request or a complaint. 
   
   Information obligation for the purpose of processing:

6. Privacy Agenda
   
   The Company is obliged to record and handle requests from Data Subjects in connection with the processing of their personal data, and additional personal data may be processed in this context.  
   
   Information obligation for the purpose of processing:

7. Marketing activities
   
   The Company carries out marketing activities to the necessary extent in relation to its customers and potential customers.
   
   Information obligation for the purpose of processing:

4.1 The Company’s position when processing personal data on behalf of a controller

In some cases, we process personal data on the instructions of another controller, on the basis of their authorization within the meaning of Article 28 of the GDPR. In this case, we have the status of Processor and always act in accordance with the instructions of that controller, which are defined in the contract concluded between the controller and our Company.

In this section of the Notice, you will find information about which companies we, as the Controller, have entrusted to process personal data on our behalf, in accordance with the provisions of Article 28 of the GDPR.

In selecting the processor, we have considered, to the extent possible, the extent of the technical and organisational measures taken so as to ensure the protection of the rights of Data Subjects.

Designation of processors / categories of processors for individual activities:

1.         Entities providing tax and accounting services

2.        Entities providing IT services and IT security services

3.        Cloud service providers

We regularly review and update the conditions and rules for processing personal data defined in the Notice. For this reason, we reserve the right to modify and change this Notice to any extent at any time. In the event of a change to the Notice, the updated version will be posted on this website without delay.