General Data Protection
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the “GDPR”) and Act No 18/2018 on personal data protection and amending certain acts entered effect on 25/05/2018.
Slovenské elektrárne, a.s. (hereinafter “SE”) is a data controller, who in the performance of his / her business activities and the fulfillment of the tasks arising from applicable legislation and contractual relations processes the personal data of the data subjects. SE has adopted proportionate technical and organisational measures to protect the personal data and prevent their accidental or illegal destruction, loss, alteration, unauthorised disclosure or accessing, having regard for the latest knowledge, the costs of measures, the nature, context and purpose of processing and the risks that data processing represents for the rights and freedoms of individuals.
Definition of basic terms
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data subject means any natural person whose personal data are processed. Data subjects whose data are processed in SE include the company’s own employees and their family members, persons working on agreement, jobseekers, contractors’ employees, visitors and others.
A data controller is anybody that alone or jointly with others, determines the purposes and means of the processing of personal data and processes data on their own behalf; Slovenské elektrárne is a data controller.
A data processor is anybody who processes personal data on behalf of a controller under a written contract or agreement.
Compliance with personal data processing rules
As a data controller, Slovenské elektrárne defines the purpose, conditions and means of personal data processing and complies with the personal data processing rules laid down by the GDPR. Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
- accurate and, where necessary, kept up to date (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
Lawfulness of personal data processing
Personal data processing in SE is carried out on at least one of the following legal bases:
- contract with the data subject – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
- compliance with the controller’s legal duties – processing is necessary for compliance with a legal obligation to which the controller is subject (under Slovak or EU law),
- legitimate interests of the data controller – processing is necessary for the purposes of legitimate interests pursued by the data controller,
- the data subject’s consent – if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Personal data processing via a data processor
As a data controller, Slovenské elektrárne can have personal data processed by a data processor, who will process the personal data on behalf of the controller in accordance with a written contract. As a data controller, SE uses only data processors providing sufficient guarantees to implement technical and organisational measures which will meet legislative requirements and ensure protection of data subjects’ rights.
Data subjects’ rights execution
Data subjects have the following rights in relation to the processing of their personal data:
Right of access to data – provision of information on whether personal data concerning the data subject is processed, including information on the purpose of processing, the categories of personal data concerned, their recipients or categories of recipient, the envisaged period for which the personal data will be stored, and the source from which the personal data were obtained.
Right to rectification – the rectification of inaccurate personal data or the completion of incomplete personal data concerning the data subject.
Right to erasure (“right to be forgotten”) – the erasure of personal data that are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or that the controller is no longer entitled to process for other reasons (if the data subject has withdrawn the consent under which the processing was carried out and there is no other legal ground for the processing; or personal data have to be erased for compliance with a legal obligation etc.).
Right to restriction of processing – restriction of personal data processing if the data subject contests the accuracy of the personal data or opposes the erasure of the personal data and requests the restriction of their use instead, or if the controller no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise or defence of legal claims or if the data subject has objected to processing based on a legitimate interest of the controller pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability – provision of personal data in a format that can be transmitted to another controller; this right can only be exercised if personal data is processed based on consent or a contract and is processed by automated means (the personal data are acquired and processed in electronic format).
Right to object (to personal data processing) – a data subject has the right at any time to object to the processing of personal data based on legitimate interests of the controller, including profiling; personal data processing will be restricted until the demonstration of compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
If personal data processing is based on consent, the data subject has the right at any time to withdraw his or her consent; further processing of such personal data shall cease without undue delay.
The contact point for handling requests and representing the SE in relation to the data subject and to all questions concerning the processing of their personal data and the exercise of their rights is the data protection officer who can be reached at firstname.lastname@example.org.
In addition to the rights listed above, you have the right to submit complaints concerning the processing and protection of personal data to the supervisory authority which is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, Slovak Republic.
Handling of data subjects’ requests
Contact us electronically by email to the data protection officer: email@example.com; or apply in a letter sent to:
Slovenské elektrárne, a.s.
Zodpovedná osoba / Data Protection Officer
Mlynské nivy 47
821 09 Bratislava
Requesters may be asked to provide additional information as proof of identity to prevent unauthorised disclosure or provision of information to unauthorised persons.
To speed-up handling of requests to exercise the rights of data subjects, please use this form and follow the instructions included therein.
Requests are usually handled in written form and delivered to the requester in person no later than one month from the request’s submission date. Where complex requests require a longer time or more difficult technical procedures, or where additional information is needed for the assessment and processing of the request, this period may be extended by a further two months; In this case, you will be informed of the extension with an indication of the reasons.
Violation or suspected violation of personal data protection you may report to the data protection officer using the online form on this page or by sending an email to firstname.lastname@example.org.