Data protection information obligation of the controller
1. Principles of personal data processing
CreditCall, s.r.o. with registered office at Račianska 66, 831 02 Bratislava, ID No. 36 677 922 (hereinafter referred to as the “Controller”) in accordance with Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation”) and Act No. 18/2018 Coll. on the protection of personal data and on amendment and supplementation of certain laws (hereinafter referred to as the “Act”) has developed security measures that are regularly updated. They define the scope and method of security measures necessary to eliminate and minimize threats and risks acting on the information system in order to ensure:
- the availability, integrity and reliability of management systems using state-of-the-art information technology,
- protect personal data against loss, damage, theft, modification, destruction
and keep them confidential, - identify and prevent potential problems and sources of disruption.
Contact the Data Protection Officer (DPO): dpo@creditcall.sk
2. Privacy Policy
Your personal data will be stored securely, in accordance with the security policy of the controller
and only for as long as necessary to fulfil the purpose of the processing. Access to your personal data will only be granted to persons authorised by the controller to process your personal data, who process it on the basis of the controller’s instructions, in accordance with the controller’s security policy. Your personal data will be backed up, in accordance with the retention policy of the controller. Your personal data will be completely deleted from the backup storage as soon as possible in accordance with the backup rules. Personal data stored on backup storage is used to prevent security incidents, in particular a data availability breach as a result of a security incident.
3. Definitions
3.1. ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
3.2. ‘processing’ means an operation or set of operations concerning personal data or sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, whether or not carried out by automated or non-automated means
3.3. ‘restriction of processing’ means the marking of personal data stored in order to restrict their processing in the future;
3.4. ‘profiling’ means any form of automated processing of personal data which consists of using those personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects of the natural person concerned relating to job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements;
3.5. ‘pseudonymisation’ means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical
and organisational measures to ensure that personal data are not attributed to an identified or identifiable natural person;
3.6. ‘information system’ means any organised collection of personal data which is accessible according to specified criteria, whether the system is centralised, decentralised or distributed on a functional or geographical basis;
3.7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are laid down in Union law or
in the law of a Member State, the operator or the specific criteria for determining him may be determined by Union or Member State law;
3.8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
3.9. ‘recipient’ means the natural or legal person, public authority, agency or other body to whom the personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the context of a specific survey in accordance with Union or Member State law shall not be considered as recipients; the processing of those data by those public authorities shall be carried out in accordance with the applicable data protection rules, depending on the purposes of the processing;
3.10. ‘third party’ means a natural or legal person, a public authority, an agency or an entity other than the data subject, the controller, the processor and persons who are entrusted with the processing of personal data on the direct authority of the controller or processor;
3.11. ‘data subject consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she consents, by means of a statement or an unambiguous affirmative act, to the processing of personal data concerning him or her;
3.12. ‘personal data breach’ means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;
3.13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and which result, in particular, from the analysis of a biological sample of that natural person;
3.14. ‘biometric data’ means personal data which are the result of specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person and which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
3.15. ‘health-related data’ means personal data relating to the physical or mental health of a natural person, including data relating to the provision of healthcare services, which reveals information about his or her state of health;
3.16. ‘representative’ means a natural or legal person established in the Union who has been appointed in writing by the controller or processor pursuant to Article 27 and who represents the controller or processor in respect of its obligations under this Regulation;
3.17. ‘undertaking’ means a natural or legal person carrying on an economic activity, whatever its legal form, including partnerships or associations which regularly carry on an economic activity;
3.18. ‘supervisory authority’ means an independent public authority established by a Member State pursuant to Article;
3.19. ‘supervisory authority concerned’ means the supervisory authority to which the processing of personal data relates because:
(a) the controller or processor is established in the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by the processing; or
(c) the complaint has been lodged with that supervisory authority;
3.20. “cross-border processing” means either:
(a) the processing of personal data which takes place in the Union in the context of the activities of establishments of the controller or processor in more than one Member State, where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the Union in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
3.21. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there has been
infringement of this Regulation or whether the envisaged measure in relation to the controller or processor is in accordance with this Regulation, which must clearly demonstrate the seriousness of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;
3.22. ‘information society service’ means a service as defined in Article 1(1)(a)(i) of Regulation (EC) No …/… (b) Directive (EU) 2015/1535 of the European Parliament and of the Council;
3.23. “international organisation” means an organisation and its subordinate entities governed by public international law, or any other entity established by or under an agreement between two or more countries.
4. Purposes of the processing of personal data
4.1. Provision of call centre services via the information system
We process personal data of natural persons within the meaning of Article 6 para. 1 lit. (a) and (c) of Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The scope of the personal data we may process under:
- Article 6, para. 1 lit. c) of the 2016/679 GDPR: Title. First Name, Last Name, Address, Date of Birth, Birth Number, Account Number, Telephone, E-mail. The personal data is kept for 5 years after the termination of the contract.
- Article 6, para. 1 lit. a) of Regulation 2016/679 GDPR: Title. Name, Surname, Address, Phone, E-mail. Personal data is not transferred to a third country. Personal data will not be used for automated individual decision-making, including profiling. Personal data is stored for a period of 5 years from the date of consent. You have the right to withdraw your consent to the processing of your personal data at any time before the expiry of the aforementioned period by sending a request to the address of the Data Controller. The controller declares that in the event of a written request from the data subject to terminate the processing of personal data before the aforementioned period, the personal data will be deleted within 30 days of receipt of the withdrawal of consent.
4.2. Provision of insurance services as an independent financial agent
The personal data we process about our customers is processed on the basis of Act no. 186/2009 Coll. on financial intermediation and financial counselling, as amended in the meaning of Article 6 par. 1 lit. c) Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The scope of the personal data we may process: Title. First Name, Last Name, Address, Birth Number, Date of Birth, Signature, Spouse’s Name and Last Name, Child’s Name and Last Name, Health Information, Phone, Email. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.3. Customer screening
The personal data we process about our customers is processed on the basis of Act no. 297/2008 Coll. on the protection against money laundering and the financing of terrorism and on amending certain laws within the meaning of Article 6(1) of the Treaty on the Functioning of the European Union, as amended by Article 6(1) of the Treaty on the Functioning of the European Union. 1 lit. c) Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Scope of personal data processed: Title. First Name, Last Name, Address, Birth Number, Account Number, Telephone, E-mail. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.4. Marketing
The processing of personal data for marketing purposes is carried out on the basis of “Consent” to the processing of personal data within the meaning of Article 6(1)(a) of the Act. a) of Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, provided to us by the data subject. Personal data is not transferred to a third country. Personal data will not be used for automated individual decision-making, including profiling. Personal data is kept for 5 years after consent is given. You have the right to withdraw your consent to the processing of your personal data at any time before the expiry of the aforementioned period by sending a request to the address of the Data Controller. The controller declares that in the event of a written request from the data subject to terminate the processing of personal data before the aforementioned period, the personal data will be deleted within 30 days of receipt of the withdrawal of consent.
4.5. Processing of accounting documents
The processing is necessary for compliance with a legal obligation of the controller within the meaning of Article 6 para. 1 lit. c) Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Scope of processed personal data: title, first name, last name, address, signature. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.6. Complaints
In the case of complaints, personal data is processed in accordance with Article 6 para. 1 lit. c) Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Scope of processed personal data: title, first name, surname, address, telephone, e-mail. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.7. Debt recovery
In the case of debt recovery, personal data are processed within the meaning of Article 6(1)(a) of Directive 95/46/EC. 1 lit. c) Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Scope of processed personal data: title, first name, surname, address, telephone, e-mail. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.8. Foreclosures
The processing of personal data is necessary for the fulfilment of the legal obligation of the controller within the meaning of Article 6 para. 1 lit. c) Regulation 2016/679 GDPR on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Scope of processed personal data: title, first name, surname, birth number, address,. They are subsequently stored in accordance with Act No. 395/2002 Coll. on archives and registers.
4.9. Register of jobseekers
The processing of personal data of job applicants in the company is carried out on the basis of “Consent” to the processing of personal data within the meaning of Article 6(1)(a) of the Act. (a) the regulations to be provided by the tenderer.
Only successful applicants will be contacted by the operator.
Personal data is not transferred to a third country.
Personal data will not be used for automated individual decision-making, including profiling.
Personal data is retained for a period of 12 months from the date of consent. You have the right to withdraw your consent to the processing of your personal data at any time before the expiry of the aforementioned period by sending a request to the address of the Data Controller. The controller declares that in the event of a written request from the data subject to terminate the processing of personal data before the aforementioned period, the personal data will be deleted within 30 days of receipt of the withdrawal of consent.
5. Rights of the data subject
5.1. Right to withdraw consent – where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. You can withdraw your consent electronically, at the address of the responsible person, in writing, by notice of withdrawal of consent or in person at our registered office. Withdrawal of consent does not affect the lawfulness of the processing of personal data we have processed about you on the basis of that consent.
5.2. Right of access – you have the right to be provided with a copy of the personal data we hold about you
available to you, as well as information about how we use your personal data. In most cases, your personal data will be provided to you in written paper form, unless you request a different method of provision. If you have requested this information by electronic means, it will be provided to you electronically where technically possible.
5.3. Right to repair – we take reasonable steps to ensure the accuracy, completeness
and the timeliness of the information we have about you. If you believe that the information we hold is inaccurate, incomplete or out of date, please do not hesitate to ask us to amend, update or supplement this information.
5.4. Right to erasure (to be forgotten) – you have the right to ask us to erase your personal data, for example, if the personal data we have collected about you is no longer necessary for the fulfilment of the original purpose of the processing. However, your right must be assessed in the light of all the relevant circumstances. For example, we may have certain legal and regulatory obligations, which means that we may not be able to comply with your request.
5.5. Right to restriction of processing – in certain circumstances, you are entitled to ask us to stop using your personal data. For example, if you think that the personal data we hold about you may be inaccurate or if you think that we no longer need to use your personal data.
5.6. Right to data portability – in certain circumstances, you have the right to ask us to transfer the personal data you have provided to us to another third party of your choice. However, the right of portability only applies to personal data that we have obtained from you on the basis of consent or on the basis of a contract to which you are a party.
5.7. Right to object – you have the right to object to processing based on our legitimate interests. If we do not have a compelling legitimate ground for processing and you object, we will no longer process your personal data.
If you believe that any personal information we hold about you is incorrect or incomplete, please contact us.
If you wish to object to the way in which we process your personal data, please contact the person in charge by email or in writing to the Controller. Our designated person will review your objection and work with you to resolve the matter.
If you believe that your personal data is being processed unfairly or unlawfully, you may file a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27; tel. Number: +421 /2/ 3231 3214; mail: statny.dozor@pdp.gov.sk, https://dataprotection.gov.sk.