GDPR | Sunny Real Properties

I. INTRODUCTORY PROVISIONS

The provided information regulates the conditions of personal data protection in accordance with the Regulation of the European Parliament and of the Council of the European Union No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive No. 95/46/EC (hereinafter referred to as the "Personal Data Protection Regulation") and Act No. 18/2018 Coll. on the protection of personal data and on the amendment and supplementation of certain laws (hereinafter referred to as the "Personal Data Protection Act"), valid from 25.05.2018, in connection with personal data provided by the data subjects to the operator on its website.

Operator: Sunny Real Properties s.r.o., with registered office at Hečkova 4 Košice, 040 17 Košice - Barca, Company ID: 99 999 999, registered in the Commercial Register of the District Court Košice I, 6531/V.

Statutory body:
Phone: +421 000 000 000

Email: info@sunnyrealproperties.com
Web: http://c1sunnyreal.host/

II. DEFINITION OF TERMS

Personal data means data relating to an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, location data, or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject means any natural person whose personal data are processed.

Controller means the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data and processes personal data on their own behalf.

Processor means a natural or legal person who processes personal data on behalf of the controller.

Restriction of processing of personal data means the marking of stored personal data with the aim of limiting their processing in the future based on the request of the data subject under the conditions set out in this information.

III. PRINCIPLES OF PERSONAL DATA PROCESSING

Personal data are processed by the controller lawfully in accordance with the Personal Data Protection Regulation and the Personal Data Protection Act so as not to infringe the fundamental rights of the data subject.

Personal data are collected by the controller for a specific, legitimate and explicitly stated purpose and are not further processed in a manner incompatible with that purpose.

Processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is in accordance with a special regulation and appropriate safeguards for the rights of the data subject are respected.

The personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The personal data processed must be accurate and, where necessary, kept up to date. The controller shall erase or rectify without delay personal data that are inaccurate with regard to the purposes for which they are processed.

The controller shall keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with a special regulation and subject to the implementation of the appropriate technical and organizational measures required by the regulation to safeguard the rights and freedoms of the data subject.

Personal data are processed by the controller in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

IV. INFORMATION FOR DATA SUBJECTS

The data subject has the following rights in connection with the processing of their personal data:

Right to request access to personal data from the controller

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed.

The controller is obliged to provide the data subject with the personal data processed. For repeated provision of personal data requested by the data subject, the controller may charge a fee corresponding to the administrative costs related to handling the request.

The controller is obliged to provide the personal data to the data subject in the manner requested.

In addition to providing the personal data processed, the controller shall provide the data subject with information on the purpose of the processing, the categories of personal data concerned, the identity of the recipients or categories of recipients to whom the personal data have been or will be disclosed, the period for which the personal data will be stored or the criteria used to determine that period, the right to request rectification or erasure of personal data or restriction of processing, the right to object to processing, the right to lodge a complaint with the supervisory authority pursuant to Section 100 of the Personal Data Protection Act, the source of the personal data if not obtained from the data subject, and the existence of automated decision-making including profiling.

Right to rectification of personal data

The data subject has the right to request the controller to rectify inaccurate personal data concerning them without undue delay.

The data subject has the right to request the controller to complete incomplete personal data, taking into account the purposes of the processing. Otherwise, the controller may refuse to complete the personal data.

Right to erasure of personal data

The data subject has the right to request the controller to erase personal data concerning them without undue delay under the conditions set out in these paragraphs.

The controller is obliged to erase personal data without undue delay upon request of the data subject if:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed,
the data subject withdraws consent on which the processing is based and there is no other legal ground for processing,
the data subject objects to the processing of personal data concerning them for direct marketing purposes including profiling to the extent that it is related to direct marketing,
the personal data have been unlawfully processed,
fulfilment of a legal obligation under the Personal Data Protection Act, a special regulation or an international agreement binding on the Slovak Republic requires erasure.

The above does not apply if processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation, performance of a task carried out in the public interest or in the exercise of official authority, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Section 78(8) of the Personal Data Protection Act, if it is likely that the right to erasure would render impossible or seriously impair the achievement of the objectives of such processing or for the establishment, exercise or defence of legal claims.

Right to restriction of processing of personal data

The data subject has the right to request the controller to restrict processing of their personal data if:

the accuracy of the personal data is contested by the data subject during the period enabling the controller to verify the accuracy,
the processing is unlawful and the data subject opposes erasure and requests restriction of use instead,
the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

If processing has been restricted, personal data may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

The controller shall inform the data subject before the restriction of processing is lifted.

Right to data portability

The data subject has the right to receive the personal data concerning them which they have provided to the controller in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where technically feasible.

Exercising the right to data portability does not affect the right to erasure under the above conditions.

Right to notification of personal data breach where the breach is likely to result in a high risk to the rights and freedoms of natural persons

The controller shall without undue delay notify the data subject of a personal data breach, describing in clear and plain language the nature of the breach, contact details of the responsible person or other contact point where more information can be obtained, likely consequences of the breach, and measures taken or proposed to address the breach including measures to mitigate its possible adverse effects, if necessary.

Notification is not required if:

the controller has implemented appropriate technical and organizational protection measures and applied them to the personal data affected by the breach, in particular encryption or other measures making the personal data unintelligible to unauthorized persons,
the controller has taken subsequent measures to ensure a high risk to the rights of the data subject is no longer likely,
it would involve disproportionate effort; in such case the controller shall inform the public or take similar measures to inform the data subject effectively.

Right to object to processing of personal data

The data subject has the right to object to processing of their personal data on grounds relating to their particular situation where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or for the purposes of the legitimate interests pursued by the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially if the data subject is a child, including profiling based on these grounds. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The data subject has the right to object to processing of personal data concerning them for direct marketing purposes including profiling to the extent that it is related to direct marketing. If the data subject objects to such processing, the controller shall no longer process the personal data for such purposes.

Right to lodge a complaint with the Office for Personal Data Protection pursuant to Section 100 of the Personal Data Protection Act

The data subject has the right to lodge a complaint with the Office for Personal Data Protection pursuant to Section 100 of the Personal Data Protection Act.

The data subject has been expressly informed that where the legal basis for processing personal data is the consent of the data subject for a specific purpose, the data subject has the right to withdraw their consent at any time.

VI. BASIC INFORMATION ON PERSONAL DATA PROCESSING

The controller processes personal data only to the extent necessary and for a specific purpose in accordance with the legal basis.

The controller has taken appropriate technical, security and personnel measures to ensure increased protection of the personal data of data subjects and handles the processed personal data sensitively in accordance with the principles of personal data protection.

The personal data processed by the controller come directly from the data subject or from publicly available sources.

The controller declares that personal data are not transferred to third countries outside the territory of the European Union or to international organizations and that the processed personal data are not published.

The controller may carry out automated decision-making including profiling for the purposes of direct marketing according to criteria determined by the controller. If the controller carries out automated decision-making including profiling, the controller shall specify the basic criteria on which the automated decision-making including profiling is based.

VII. PURPOSE AND LEGAL BASIS FOR PERSONAL DATA PROCESSING:

A) Received and sent correspondence

For the purpose of fulfilling statutory registry obligations, the controller records received and sent mail, processing the following personal data:

identification data to the extent of name, surname, title,
contact data to the extent of delivery address,
data included in the communication of recipients and senders of correspondence.

These personal data are processed on the basis of Act No. 395/2002 Coll. on archives and registries and on the amendment of certain laws as amended. Providing personal data is a legal obligation and failure to provide them would make it impossible to fulfill the statutory obligations of the controller.

The controller stores these personal data for 5 years from the first day of the relevant calendar year in which the personal data for correspondence were obtained and for 3 years for the books of received and sent correspondence records.

B) "Contact Form"

For the purpose of feedback and handling any request or order within the opening hours of the website visitor as a data subject, the controller processes the following personal data:

identification data to the extent of name
contact data to the extent of email and phone,
data included in the message text.

These data are processed by the controller based on its legitimate interests. Providing personal data in this case is neither a legal nor contractual obligation. Failure to provide personal data would make it impossible to contact back and handle the request or order by the controller.

The controller stores these personal data until the request or order specified in the form is handled, but no longer than 5 years from obtaining the personal data.

C) Online form

For the purpose of feedback and handling any request of the website visitor as a data subject, the controller processes the following personal data:

identification data to the extent of name
contact data to the extent of email and phone
data included in the message text

These data are processed by the controller based on its legitimate interests, which are the proper handling of the website visitor's request. Providing personal data in this case is neither a legal nor contractual obligation. Failure to provide personal data would make it impossible to contact back and handle the website visitor's request by the controller.

The controller stores these personal data until the request specified in the form is handled, but no longer than 5 years from obtaining the personal data.

D) Order form

For the purpose of feedback and handling any request of the website visitor as a data subject, the controller processes the following personal data:

identification data to the extent of name
contact data to the extent of email and phone
data included in the message text

E) Online delivery

For the purpose of proper handling and delivery of the order of the website visitor as a data subject, the controller processes the following personal data:

identification data of the orderer to the extent of name and surname,
contact data of the orderer to the extent of email and phone, residence address, city, postal code, country,
data included in the message text – note,
identification data of the recipient to the extent of name and surname, possibly also gender,
contact data of the recipient to the extent of phone, residence address, city
data included in the message text – text for the recipient,
data about purchased goods,
data related to payment for goods (account number, amount paid, date of crediting payment to the operator's account),
data related to delivery of goods.

These data are processed by the controller for the purpose and in connection with the conclusion of a purchase or other contract and its performance. Providing personal data in this case is a legal and especially contractual obligation. Failure to provide personal data would make it impossible to conclude the purchase contract and thus deliver the ordered goods.

The controller stores these personal data until the order is fulfilled or for the duration of the limitation period.

F) Customer complaints and claims

For the purpose of proper handling of customer complaints and claims, the controller processes the following personal data:

identification data to the extent of name, surname, data stated in the complaint or claim
contact data to the extent of address, phone number or email address
data related to the delivered goods (especially type of goods, delivery address, price paid for goods, etc.)

These data are processed by the controller in connection with the conclusion of a purchase or other contract and its performance. Providing personal data in this case is a legal and especially contractual obligation. Failure to provide personal data would make it impossible to handle the complaint or claim related to the concluded purchase contract.

G) Enforcement of claims by the controller

For the purpose of enforcing claims, the controller processes the following data:

data stated in contracts with customers and suppliers to the extent necessary to enforce claims of the controller,
data stated in complaints, data necessary to file a proposal to initiate proceedings, data stated in proposals to initiate proceedings against the controller,
data kept in accounting and other data necessary in connection with possible enforcement of claims or defence of the controller's interests.

These data are processed by the controller based on its legitimate interest, which is the effective protection of its property and other rights and enforcement of claims by the controller. Processing of personal data is necessary for the purposes of the legitimate interests of the controller.

Personal data are processed during the court proceedings and during the limitation period during which claims may be asserted against the controller or during which the controller may assert its own claims.

H) Fulfillment of statutory obligations by the controller

For the purpose of fulfilling statutory obligations, the controller processes all personal data stated in Article VII, especially for fulfilling statutory obligations arising, for example, from the Accounting Act, Value Added Tax Act, Income Tax Act, Consumer Protection Act, Archives and Registries Act.

Processing of personal data by the controller is necessary for the purposes of fulfilling statutory obligations.

The controller processes these data for the period specified in the relevant legal regulations valid in the Slovak Republic.

I) Career

For the purpose of proper registration of a website visitor as a data subject interested in a job position, the controller processes the following personal data:

identification data of the applicant to the extent of name, surname, date of birth, nationality,
contact data of the applicant to the extent of email and phone, permanent residence address, correspondence address,
data on employment or field of study,
data on IT knowledge,
data on knowledge of English language,
data included in the note text

These data are processed by the controller based on its legitimate interests, which are the proper registration of a website visitor interested in an educational course and also for the purpose and in connection with the conclusion of a contract and its performance. Providing personal data in this case is a legal and especially contractual obligation. Failure to provide personal data would make it impossible to conclude the contract and thus ensure the educational course for the applicant.

The controller stores these personal data until the end of the educational course or for the duration of the limitation period.

1. The operator's website is connected to third-party plugins (applications) such as Facebook, Google Plus, YouTube, Twitter, AddThis, Pinterest, Tumblr, etc. These applications are stored and run on third-party servers. The controller has no influence on the protection of personal data when using third-party applications.

2. The operator's website uses third-party add-ons that allow users to share, comment, rate website content on social networks or register via a third-party account. In such cases, the web browser creates a direct connection between the user and the third party, during which cookies are used and user data is transferred between the website, the user's browser and the third-party server. The data are usually not linked to the user's personal data. The controller uses only reliable sources of plugins and add-ons but cannot guarantee the functionality or reliability of third-party plugins.

3. In case of user activity on these websites via social plugins, these activities may be displayed on third-party websites depending on the user's account settings (e.g., Facebook Like, Google Plus, Sharing on social networks, etc.).

VIII. RECIPIENTS OF PERSONAL DATA

The controller provides personal data to third parties exclusively on the basis of a mediation contract in accordance with the purpose and legal basis stated above, as well as in accordance with the Personal Data Protection Act and the Personal Data Protection Regulation.

Recipients of personal data are mainly intermediaries who provide the controller with accounting and personnel services, recruitment services, delivery-related services, maintenance services, legal services, debt collection services, technical and IT services, other consulting and advisory activities, etc.

Recipients of personal data also include employees of the controller if they have been instructed in accordance with the law and are bound by confidentiality obligations, and only if the provision of personal data to the employees is necessary to achieve one of the purposes of personal data processing.

The controller will provide or make personal data accessible to state administration bodies, public administration bodies or other state authorities and institutions if such provision or access is in accordance with generally binding legal regulations valid in the Slovak Republic and if it is necessary to comply with the relevant legal regulation or enforceable request of a state administration body, enforce contractual terms including their compliance control, prevent or address fraud, technical and security incidents, enforce rights and claims in accordance with generally binding legal regulations valid in the Slovak Republic.

IX. USE OF COOKIES

To facilitate tracking users on our website, we use protocol files, so-called cookies (i.e., identifiers that the web server sends to the browser on your end device). Cookies are temporary files, meaning that after you finish browsing, cookies are automatically deleted from your end device.

When visiting this website, protocol files with the following content are generated:

IP address,
page address,
information about the browser and operating system used,
website from which you open our page,
date, time of access and location.

The above information about web behavior is anonymized for maximum protection and therefore cannot be assigned to a specific user.

Cookies do not harm the end device, do not contain viruses, trojans or other malicious software, and do not permanently store data on the data subject's end device.

All used cookies are technical, functional or analytical cookies that serve to improve the functionality of the operator's website.

Each data subject can set their web browser so that in the browser settings they can refuse the use of cookies or set the use of only some cookies. However, if the data subject does not allow the use of cookies, some functions may not work properly.

Cookie settings in the most commonly used browsers:

Chrome - https://support.google.com/accounts/answer/61416?hl=cs
Firefox - https://support.mozilla.org/cs/kb/vymazani-cookies
Internet Explorer - https://support.microsoft.com/cs-cz/products/security.

Details of used cookies:

Type of cookies:	Storage duration:	Tracking codes:
_ga - Google Analytics - from connecto.io	2 years	UA-93359328-1
_gid - Google Analytics - from connecto.io	1 day
_gat - Google Analytics - from connecto.io	10 minutes
ci_session - session storage – user identification	2 weeks
c1sunnyreal_lang - storage of language used on the site	11 years

X. SUPERVISORY AUTHORITY

The Office for Personal Data Protection is a state administration authority with nationwide competence, which participates in the protection of fundamental rights of natural persons in the processing of personal data and supervises the protection of personal data. Any data subject may contact the Office for Personal Data Protection if they believe their rights have been violated or are threatened.

Address of the Office for Personal Data Protection:

Hraničná 12
820 07 Bratislava 27
Slovak Republic

Company ID: 36064220

Web: https://dataprotection.gov.sk
Email: statny.dozor@pdp.gov.sk

Telephone consultations on personal data protection only on Tuesdays from 8:00 to 12:00: +421/2/3231 3220.

ATTACHMENTS FOR DOWNLOAD

Request of the data subject for access to personal data
Request of the data subject for correction/completion of personal data
Request of the data subject for erasure of personal data