Notification of the Data Subject of Personal Data Processing
within the meaning of Article 19 et seq. of Act No. 18/2018 Coll. on Personal Data Protection and on Amendments and Supplements to Certain Acts, as amended, in accordance with Articles 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR")
Pursuant to the provisions of Article 19 et seq. of Act No. 18/2018 Coll. on Personal Data Protection as amended (hereinafter referred to as the "Personal Data Protection Act"), we hereby provide you as the data subject with the following information about the processing of your personal data.
1. PERSONAL DATA CONTROLLER
The controller is the company Zurich Insurance Company Ltd, established and existing under the Swiss law, with its registered office at Mythenquai 2, 8022 Zürich, Switzerland, entered in the Commercial Register of the Canton of Zurich under the number CH-020.3.929.583-0, acting in the territory of the Slovak Republic through its branch office: Zurich Insurance Company Ltd, organizačná zložka, with its registered office at Mýtna 48, 811 06 Bratislava, company ID (IČO) 47 559 101, entered in the Business Register of the District Court of Bratislava I, Section Po, Insert No. 2345/B, represented by: Wolfgang H. Fischer, Head of the Branch Office (hereinafter referred to as the "Controller").
Phone: +421 2 3215 5208
2. ACCESS TO PERSONAL DATA AND PERSONAL DATA RECEIVERS
In the processing of personal data, in addition to the Controller and the companies related to the Zurich Insurance Group and their employees, other persons processing personal data as processors may have access to personal data. A specific, continuously updated list of processors, i.e. recipients of personal data processed on behalf of the Controller, in following categories:
- Companies providing services related to the social policy of the Controller
- Educational institutions
- Companies providing payroll and accounting services
- Companies providing internal and external audit services
- A company providing a health service
- Transport companies
- Companies providing catering services
- Law firms
A specific, up-to-date list of intermediaries, recipients of personal data processed on behalf of the Controller, will be provided on request.
3. LEGAL BASIS
The legal basis for the processing of personal data is, as a rule, the fulfilment of the statutory obligation (in particular Act No. 18/2018 Coll. on Personal Data Protection), the conclusion, administration and fulfilment of contractual obligations arising out of employment and commercial contracts, the legitimate interest, which is the protection of rights and interests of the Controller and his employees protected by right, as well as the consent of the data subject (mainly for the purposes of marketing, competitions, social events, etc.).
The consent to the processing of personal data must be granted voluntarily, and the data subject may withdraw the consent at any time. However, the consent is necessary for the Controller to ensure, for example, corporate events, and the like, and without such consent, the Controller is not entitled to provide the services in question.
If the data subject refuses to provide the Controller with the personal data required for the purpose of fulfilling the contractual obligations of the Controller or complying with the law, the Controller is not obliged to conclude a contract or provide any other services
4. PURPOSE OF PROCESSING
If the personal data are processed in connection with the fulfilment of the contractual obligations of the Controller, the legitimate interests of the Controller, or according to a special regulation or an international agreement to which the Slovak Republic is bound, the purpose of the processing shall relate in particular to the following activities:
- fulfilling the obligations of the Controller as the employer related to employment relationships, including pre-contractual relationships;
- establishing pre-contractual relationships at the request of the data subject in connection with the selection of job applicants for a suitable job;
- processing of incoming and outgoing mails;
- processing of personal data in accounting;
- registration and archiving;
- performance of internal and external audits, verification of compliance of internal processes with legislation, etc.;
- active and passive litigations.
If personal data are processed on the basis of the consent, the purpose of processing is mainly related to the marketing activities of the Controller, such as organization of competitions, social events, presentation of the Controller as an employer, etc., or to the organization of internal corporate events, etc.
5. SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA
The scope and/or the list of processed personal data is determined by the applicable legal regulations, or it may be inferred either directly or indirectly from a concluded contract as well as other contractual documentation, or is stated in the consent to the personal data processing. Personal data shall be processed by the Controller to the extent necessary for the purpose of their processing.
a) For the purposes of fulfilling the obligations arising out of the employment relationships, the Controller shall process the following personal data of the data subjects which have been provided to him, including a specific category of personal data, in particular:
the name, surname, family name, title, date and place of birth, marital status, permanent residence, temporary residence, birth number, nationality, citizenship, education, bank account number, monthly wage, remunerations, attendance, job classification, amounts affected by the execution of a decision ordered by a court or administrative authority, penalties and fines as well as compensation imposed on the employee by an enforceable decision of the competent authorities, wrongly received amounts of social security benefits and old age pension benefits or advance payments related thereto, the State social benefits, benefits in material need and allowances to material need benefits, and benefits to compensate social consequences of severe disability, which the employee is obliged to return based on an enforceable decision under a special regulation, data from the employment certificate, data included in the job seekers register, data on maternity or parental leaves, data on granting pension, the type of pension, name of the health insurance company with which the employee is insured, the name of a supplementary pension insurance company, processed personal data processed included in certificates, confirmations of passed examinations and educational activities, and any other data necessary for the proper fulfilment of the obligations of the Controller as the employer of the data subject in accordance with the relevant legislation of the Slovak Republic.
Special Categories of Personal Data:
Data on health status of employees, such as data on incapacity for work, data on important personal obstacles at work, data on disability, pregnancy data, etc.
b) For marketing purposes, the Controller shall, in particular, process the following categories of personal data:
Basic identification data – title, name, surname and address of residence;
Contact details – e-mail address and phone number;
c) For the purposes of fulfilment of contractual obligations arising out of other than employment contracts, the Controller shall, in particular, process the following categories of personal data:
Basic identification data – title, name, surname and address of residence;
Contact details – e-mail address and phone number.
6. DURATION OF PROCESSING AND STORAGE OF PERSONAL DATA
The Controller is authorized to process personal data of data subjects for a period of time determined in accordance with the relevant legislation. Processing of personal data upon a consent shall only be possible for the period for which the consent was granted.
The consent is granted to the Controller for the duration of the contractual relationship and for the following five (5) years from the termination of the contractual relationship or until the moment of withdrawal of the consent.
Upon expiry of the relevant period, personal data will be erased if their storage is not required under the relevant Slovak legislation.
7. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
The Controller transfers personal data to the processor in a third country – the company American Zurich Insurance Company belonging to the Zurich Insurance Group, based in the 1299 Zurich Way, Schaumburg, IL 60196, US, Zurich Shared Services Sdn Bhd Level 23 A, Mercu 3 , No. 3, Jalan Bangsa, KL Eco CityKuala Lumpur 59200, Malaysia and the company GENPACT India Private Limited, based in Raheja Mind Space, Pocharam, Hyderabad, Telangana, 500088 India. The European Commission has not decided that a third country, territory or one or more designated industries guarantee an adequate level of protection of personal data. In the absence of a European Commission decision, the transfer of personal data to a third country can only take place if adequate safeguards of personal data protection are provided. Adequate safeguards of the protection of personal data shall be provided, pursuant to Article 48 paragraph 3 letter c) of Personal Data Protection Act, upon the contractual relationship between the Controller and the concerned processors, which include the standard data protection clause adopted by the European Commission.
8. RIGHTS OF DATA SUBJECTS RELATED TO THE PROCESSING OF PERSONAL DATA
As regards the processing of personal data, data subjects may exercise the following rights:
- the right to access and be provided information about their personal data;
- the right to the rectification of personal data;
- the right to the erasure of personal data;
- the right to the restriction of personal data processing;
- the right to personal data portability;
- the right to object to the processing of personal data;
- the right to the ineffectiveness of automated individual decision-making, including profiling;
- the right to withdraw consent at any time (if consent is the legal basis of processing);
- the right to file a motion to initiate proceedings under Article 100 et seq. of the Personal Data Protection Act with the supervisory authority, i.e. the Office for Personal Data Protection of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava 27, Slovak Republic, contact details: +421 2 3231 3214, e-mail: email@example.com
Data subjects may exercise the above rights, which are further specified in the provisions of Article 21 et seq. of the Personal Data Protection Act, in accordance with the Personal Data Protection Act and the GDPR as well as other relevant legislation.
Data subjects may exercise their rights against the Controller by means of a written request sent or delivered to the Controller's registered office: Námestie 1. mája 18, 811 06 Bratislava, or by electronic mail sent to the address: firstname.lastname@example.org.
The request must contain the following information: name, surname, date of birth and permanent address so that the Controller is able to identify the data subject. The Controller may request the provision of additional information necessary to verify the identity of the data subject if he has reasonable doubts as to the identity of the natural person. The Controller is required to provide the data subject with information on the measures taken at his/her request within one (1) month of receipt of the request. In justified cases, with regard to the complexity and the number of requests, the Controller may extend the above period by further two (2) months, even repeatedly. The Controller shall be obliged to inform the data subject about any such extension within one (1) month of receipt of the request, stating the reasons for the extension of the time limit. If the data subject has submitted the request in electronic form, the Controller shall provide the information in electronic form, unless the data subject requested information in any other way.
If the Controller fails to take measures at the request of the data subject, he is required to inform the data subject about the reasons for the failure to act within one (1) month of receipt of the request as well as about the possibility to file a motion to initiate proceedings under Article 100 of the Personal Data Protection Act with the Office for Personal Data Protection. Notifications of the measures taken shall be provided free of charge. If the request of the data subject is manifestly unfounded or inappropriate, in particular for its recurrent nature, the Controller may require a reasonable fee taking into account the administrative costs of providing the information, or a reasonable fee taking into account the administrative costs of the notification, or a reasonable fee taking account the administrative costs of implementing the requested measure, or refuse to act upon the request. The Controller shall prove that the request is unfounded or inappropriate.
In Bratislava, on 24 May 2018