address: Kulíškova 1015/19, 82108 Bratislava-Ružinov, Slovenská republika
identification number: 50760611
phone: 0948 113 947
(hereinafter referred to as “the Data Controller”)
Contact details of the person authorised by the Data Controller
The Data Subject may, if necessary, at any time contact the person authorised by the Data Controller (“the Data Processor”) in relation to the protection of personal data, namely:
name and surname: Michaela Pobudová
phone.: 0948 113 947
I. General information
1. The Data Controller is a civic association aimed at helping foreigners (asylum seekers, economic migrants or other persons who wish to settle in the territory of the Slovak Republic) to integrate them into society. As part of its activities, the Data Controller also performs various activities aimed at fulfilling its objectives, such as various cultural, educational, sport and other events for the public, especially various leisure time activities, courses, film screenings, presentations, lectures, workshops, tournaments and other similar activities.
2. The Data Controller also operates the www.mareena.sk website, which includes an e-shop (https://mareena.sk/eshop) and a photo bank (https://mareena.sk/nasi). When visiting, using and working on the website, the user (i.e. you as the Data Subject) may voluntarily submit information to the Data Controller, including personal data identifying the user as a specific person, in particular by e-mail, filling in the form, filling in the order and concluding the relevant contract (sales contract, subliferation contract) or other means that the functionality of the website allows.
3. You may also voluntarily provide your personal data to the Data Controller by other means than using www.mareena.sk website, e.g. in relation to events organized by the Data Controller or within the legal relations in which you enter with the Data Controller, such as by concluding a professional, civil, commercial or other contract.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal data – means any information relating to an identified or identifiable natural person (or "Data Subject") which means a person who can be identified directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier, or by reference to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing – means an operation or set of operations with personal data or sets of personal data, such as collection, recording, organizing, structuring, storage, reprocessing or modification, retrieval, browsing, using, disclosure by transmission, dissemination or their provision by other means, regrouping or combination, restriction, erasure or destruction, whether or not carried out by automated or non-automated means.
Information system – means any organised set of personal data that is accessible according to specified criteria, regardless of whether the system is centralised, decentralised or distributed on a functional or geographical basis.
Data Controller – means a natural or legal person, public authority, agency or other entity that determines, alone or jointly with others, the purposes and means of the processing of personal data.
Data Processor – means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the Data Controller.
Consent of the Data Subject – is any freely given, specific, informed and unambiguous expression of the Data Subject's will, by which, by means of a statement or unambiguous affirmative action, he/she consents to the processing of his/her personal data.
Cookies - is a small file that is stored from the website on a hard drive (including mobile devices) of the user/visitor. This file identifies specific information from previous visits to the website from the respective device. For example, information may include the IP address of the connecting computer, the date and time of the visit, the referring URL (the page from which the visitor came), the pages/products visited on our website, the type of browser used and the pages that were visited, etc. The validity/functionality of the cookies either expires at the end of the Internet session (after disconnecting the device from the site/internet) or expires after a limited period of time.
III. Method, purpose and legal basis of the processing of personal data
1. The Data Controller processes your personal data, both automatically and manually, but only to the extent strictly necessary to fulfil the purpose of the data processing and for the necessary time (i.e. in case of provision of personal data beyond this framework, or if the purpose or legal basis of data processing is not fulfilled, the Data Controller does not further process such data and removes them from its information systems).
2. The purpose and legal basis for the processing of personal data (i.e. the reason for the processing) of the Data Subjects shall be in particular:
- conclusion of contractual and other similar legal relations with the Data Controller (including orders in the e-shop and use of photobank) and things related thereto, e.g. fulfilling a contractual obligation towards the members of the association, employees of the association, contractors, customers of the e-shop and photobank, etc. within the meaning of Article 6 paragraph 1(b) of GDPR;
- the exercise of the legitimate interests of the Data Controller within the meaning of Article 6 paragraph 1(f) of GDPR, in particular the sending of news and newsletters to persons who have previously provided their data or are members of the Data Controller, in order to improve the services provided and to provide appropriate information; the processing of personal data in connection with the activities of the Data Controller in accordance with the purpose for which it was established, i.e. in particular the processing of personal data at events organised by the Data controller, where such processing does not require the separate consent of the Data Subject;
- compliance with the legal obligations of the Data Controller within the meaning of Article 6 paragraph 1(c) of GDPR, in particular in relation to the fulfillment of the legal obligations of the Data Controller as an employer towards its employees, fulfillment of the obligations of the Data Controller arising from the Law on Accounting, etc.;
- carrying out direct marketing on the basis of the consent of the Data Subject within the meaning of Article 6 paragraph 1(a) of GDPR, e.g. sending news and newsletters, to persons who have not yet provided their data to the Data Controller;
- processing of personal data on the basis of the consent of the Data Subject within the meaning of Article 6 paragraph 1(a) of GDPR in connection with the activities of the Data Controller, in accordance with the purpose for which the consent was given, i.e. in particular the processing of personal data at events organized by the Data Controller, unless there is a legitimate interest of the Data Controller;
- the processing of personal data for the purpose of protecting the vital interests of the Data Subject within the meaning of Article 6 paragraph 1 (d) of GDPR, e.g. in cases where it is necessary to obtain and subsequently process personal data in order to call for urgent medical assistance.
3. As a Data Subject, you provide personal data to the Data Controller on the basis of your voluntary decision (i.e. that you have no obligation to do so). However, the Data Controller states that in some cases it is not possible to perform the required actions without providing specific personal data (e.g. when organizing a competition, you cannot be included in the competition without entering the data). Similarly, it is also not possible to conclude an employment contract with the Data Controller without providing some of your personal data or to place an order or fulfill a contract.
4. If your consent as a Data Subject is required for the processing of the personal data provided, the Data Controller is obliged to request it from you in advance. When processing personal data on the basis of the consent with processing, you may withdraw your consent at any time, in the same simple way as it was granted (e.g. in the case of electronically granted consent, consent may be revoked by sending an e-mail to the Data Processor or directly to the Data Controller), without prejudice to the lawfulness of the processing of personal data prior to the withdrawal of consent.
IV. Scope of processing of personal data
1. The Data Controller processes your personal data only to the extent necessary to fulfill the purpose of the data processing. For example, for the purpose of concluding a contract, the Data Controller does not usually need to obtain and process your photo and thus processes only personal data that are necessary for the fulfillment of the rights and obligations arising from the contract. However, as the Data Controller’s activities are relatively diverse, due to the wide range of events organised, it is not possible to define precisely the scope of the data processed in advance. However, in the case of the provision of personal data beyond what is necessary, the Data controller does not further process such data and removes them from its information systems.
V. Security of personal data and retention period
1. The personal data you voluntarily provided are stored in a safe environment and will be used by the Data Controller only during fulfilment of obligations and/or commitments to the users of the portal or obligations towards persons who have provided the Data Controller personal data in other ways, and only to the extent that the submitted information provided, for the period necessary for the exercise of the rights and fulfilment of the obligations of the Data Controller arising from the concluded contract, or for a period of time that you have consented to (unless otherwise provided by law or agreement, this period is no more than 10 years from the provision of personal data).
2. In relation to the retention period of personal data, the Data Controller refers in particular to the fact that the storage of personal data also has its basis in certain legal acts, such as the Accounting Act, which directly imposes their storage for a certain period of time and at the same time their longer retention is necessary also due to the possibility of exercising the rights of the Data Controller, in particular with reference to statutory limitation periods. However, it is binding that the Data Controller only stores the data for which storage is necessary.
3. The Data Controller declares that he has provided adequate technical and organizational measures to ensure the processing of your personal data, while at the same time declaring that after the expiry of their processing and storage period he will ensure their destruction, in a way that provides sufficient guarantees against their possible misuse.
VI. Processing of personal data by an entity other than the Data Controller
1. The Data Controller declares that it will not rent, sell or exchange personal data of the Data Subject with a third party (i.e. data such as name, address, telephone number, e-mail, etc., which identify the user as a specific person), without the express consent of you as the Data Subject, without prejudice to the possibility for the Data Controller to designate a Data Processor for the processing of personal data in accordance with this Policy and the GPDR Regulation. The conditions of the Data Controller may include in particular:
- persons involved in the transport of the goods, if sent by the Data Controller,
- persons involved in the execution of payment and other services on the basis of the order, contract, etc.,
- persons ensuring the operation of the website, operation of the e-shop and related services,
- marketing service persons,
- persons performing accounting services, lawyer in case of exercise of the rights of the Data Controller, etc.,
- Google LLC company,
- MailChimp company.
2. It is also without prejudice to the fact that your voluntarily provided data may also be accessed by other, strictly Data Controller-mandated and duly instructed persons (e.g. persons in employment with the Data Controller), but solely for the purposes strictly necessary for the processing of your personal data in accordance with the purpose for which they were provided. Based on the applicable legislation, the Data Controller is also entitled or obliged to transfer certain personal data, for example to law enforcement authorities or other public authorities.
VII. Profiling and automated decisions
1. The Controller declares that the personal data you provide are not used for profiling purposes. Likewise, your personal data are not subject to automated decision-making.
VIII. Transfer of data to a third country
VIII. Transfer of data to a third country
IX. Cookies Files
X. Declaration of the Data Subject
1. Before you voluntarily provide information to the Data Controller, you declare (or conclude to confirm) that all personal data provided by you are true, accurate, up-to-date and complete and you give (where applicable) your voluntary consent to their processing.
XI. Links to third-party servers
XII. Rights of the Data Subject
1. As the Data Subject, you have certain rights regulated by the GDPR, such as:
- the right to file a complaint to a supervisory authority (i.e. the Office for Personal Data Protection of the Slovak Republic),
- the right to request access to personal data,
- the right to modification and erasure of personal data,
- the right to restriction of processing, the right to object to the processing of personal data
- or the right to data portability.
2. Full instructions of the Data Subject on all rights that the GDPR applies to him/her in connection with the protection of personal data can be found in the same section of the www.mareena.sk site (or directly here) as this Policy.
XIII. Final provisions
1. This Policy enters into force on 25.05.2018.
2. The Data Controller is entitled to change this Policy. The Data Controller shall publish the new version of the Policy immediately once it is approved on its website.