PRINCIPLES OF PERSONAL DATA PROCESSING
Controller: Mstein s.r.o., Račí potok 27, Košice 04001
Registered office: Račí potok 27, Košice 04001
ID No.: 50 876 821
Registration: Business Register of District Court Košice I., Section: Sro, File No.: 41382/V
Operator of the website: www.mstein.sk, www.mstein.eu
- by post to the registered office address,
- electronically: firstname.lastname@example.org
The protection of our customers’ personal data is a matter of course for us. All personal data that have been and are collected during your visit to the websites of the company M-stein s.r.o. until 24 May 2018 are processed in accordance with Act No. 122/2013 Coll. (hereinafter referred to as the “Personal Data Protection Act”) as well as in accordance with the applicable European legislation.
From and including 25 May 2018, your personal data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”) and in accordance with Act No. 18/2018 Coll. on the Protection of Personal Data and on amendments of and supplements to certain acts, as in force and effect from 25 May 2018. In connection with the processing of personal data, we provide you with the following information in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
Within performance of the obligations towards data subjects and pursuance of purposes of the controller, we only process routine personal data. When your personal data are processed by the controller, you are the data subject, i.e. the person whose personal data are processed by us. The data subjects are understood to be the website users and the buyers.
Our company is committed to processing personal data in accordance with the applicable Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. We undertake to process them in a secure manner and on the basis of appropriate technical and organisational measures that we have applied in internal documents and processes. We process personal data in a lawful manner and to the minimum extent, within the limits set by the purpose of processing and for a defined period of time. Access to personal data will only be permitted to authorised persons or processors who will comply with our data protection policy. We obtain personal data directly from the data subjects, from public sources or from sources that have consent for such processing.
Your personal data mean any information that relates to you and on the basis of which you are identifiable to us as a natural person. This is where we can identify you, directly or indirectly, in particular by reference to a commonly used identifier or other identifier such as a name, surname, identification number, location data or an online identifier, or to one or more factors or features that constitute your physical, physiological, genetic, psychological, mental, economic, cultural or social identity. This is, for example, the identification of you as a person based on a number, a code or one or more elements specific to you. Thus, personal data include in particular the contact details of a natural person, his or her IP address, and may include information about the use of services or about the activities and preferences of the natural person.
Legal bases and purposes of processing
The following are the grounds on which we are entitled to process personal data. Processing may be based on the legitimate interest of the controller, a legal obligation, a contractual basis or consent.
In order to process your order correctly and to keep you informed of its progress, we need to know the name of the ordering party (or the name of the company, company ID number and contact person), the address (billing and shipping address, if applicable), telephone number and e-mail address. Furthermore, we keep a record of all orders you have placed with us.
For the purpose of processing your order, we need to know under what conditions and where you have ordered the goods to be delivered.
If you are a registered customer with us, you can save time when entering your details in subsequent orders, keep track of your purchase history, or use the service to manage your favourite products and get information about availability.
Other product information, access to the catalogue, reviews, etc. are not subject to registration.
Personal data of persons under the age of 16
Our E-shop is not intended for children under the age of 16. A person under the age of 16 may only use our E-shop if his/her legal representative (parent or guardian) gives consent.
Consent to the processing of personal data
The scope of personal data we process is minimized to the extent necessary to provide the high-quality services to you, to fully perform our legal obligations, and to protect our legitimate interests. We process both the personal data of our customers and the personal data of our potential customers who have given us consent to do so.
The provision of personal data is based on the free will and voluntary action of the data subject. The data subject has the right to withdraw the consent given at any time. On this basis, we process personal data as follows:
| Purpose | Description | Recipients/ Processors | Period of processing |
| --- | --- | --- | --- |
| Marketing communication – remarketing | cookies that are used for remarketing purposes to retarget data subjects based on their past online behaviour | Google Ireland Limited https://policies.google.com/privacy?hl=sk#enforcement, Hotjar Limited https://www.hotjar.com/legal/policies/privacy | until fulfilment of the purpose and expiry of the period for exercising any claims, until withdrawal of the consent |
| Marketing communication – emails | Sending information about news and special offers (newsletter) | Provider of newsletter service – Rocket Science Group LLC https://mailchimp.com/legal/privacy/ , business partners | until withdrawal of the consent |
Contractual and pre-contractual relations (Article 6(1)(b) of GDPR)
- mean any processing that is necessary before, during and, in certain cases, after the contractual relation with the controller.
| Purpose | Description | Recipients/ Processors | Period of processing |
| --- | --- | --- | --- |
| Performance of contractual relations (contractual and pre-contractual relations) | Communication in any form, registration of contractual relations and the resulting formalities | authorised public authorities, IT provider (e-mail service, web hosting), accounting firm, suppliers and contractors and business partners (Zoidberg project, s.r.o. ID No.: 45 577 056) | until fulfilment of the purpose and expiry of the period for exercising any claims |
| Delivery of goods /services/ Making payments under a contract Assurance services Running of e-shop | | Pošta.sk, Zásielkovňa.sk, DHL.sk, GoPay.com | until fulfilment of the purpose and expiry of the period for exercising any claims |
Legal obligation (Article 6(1)(c) of GDPR)
– obliges us to process the personal data, and the provision of personal data is obligatory. Refusal to provide personal data may result in damage for which we can claim compensation from data subjects (for example, if a sanction is imposed on us in causal connection with our failure to comply with our obligation). On this basis, we process personal data as follows:
| Purpose | Description | Recipients/ Processor | Period of processing |
| --- | --- | --- | --- |
| Bookkeeping, processing of accounting and economic documents | Act No. 431/2002 Coll. on Accounting, as amended, Act No. 222/2004 Coll. on Value Added Tax, as amended, Act No. 145/1995 Coll. on Administrative Fees, as amended, Act No. 40/1964 Coll., the Civil Code, as amended, Act No. 152/1994 Coll. on Social Fund and on amendments of and supplements to Act No. 286/1992 Coll. on Income Taxes, as amended, Act No. 311/2001 Coll. the Labour Code, as amended, Act No 513/1991 Coll., the Commercial Code, as amended | Revenue Office, other authorised public authorities, accounting firm, business partners | 10 years |
| Handling complaints | Act No. 250/2007 Coll. on Consumer Protection, Act No. 40/1964 Coll. Civil Code | Authorised public authorities, accounting firm, business partners | pursuant to the Act referred to in the legal basis |
Legitimate interest of the controller (Article 6(1)(f) of GDPR)
– we apply it if we have reasons for processing which are essential to our activity and do not override the interests and rights of data subjects which require the protection of personal data. For such processing, the data subject is obliged to accept such processing but has the right to object to it or to exercise the other rights set out below. On this basis, we process personal data as follows:
| Purpose | Description | Recipients/ Processors | Period of processing |
| --- | --- | --- | --- |
| Analysing the behaviour of our website users (cookies) | cookies that evaluate statistical and analytical information about our customers. Thanks to this information, we evaluate whether and how our website is visited and how understandable it is. | Google Ireland Limited https://policies.google.com/privacy?hl=sk#enforcement | until fulfilment of the purpose and expiry of the period for exercising any claims |
| Direct marketing communication | Sending information about news and special offers of the controller to data subjects in a contractual relationship | email service provider, administrator of our domain’s email service | until withdrawal of the consent |
| Creating a database of business partners and intermediaries | Communication in any form, registration of contractual relations and resulting formalities | authorised public authorities, IT provider (e-mail service, web hosting), accounting firm, suppliers and contractors and business partners | until fulfilment of the purpose and expiry of the period for exercising any claims |
First party cookies
These cookies are created and used by the operator of the websites www.mstein.sk, www.mstein.eu.
These cookies are created by companies whose services are used by the website operator. Some of our websites may contain content from other websites, such as Youtube, Facebook, etc., which may create their own cookies stored by your browser. Third party cookies are created and used by service providers, such as Google Analytics. These services are integrated into our websites, because we consider them to be useful and fully secure.
They are only stored by your browser until you leave the website. Once you close your browser, they are deleted from your computer or mobile device.
They remain stored on your device even after you close your browser. Such cookies help us remember your preferences on your next visit.
Strictly necessary cookies
They serve us to display the website safely and optimally. These cookies do not collect any information about you that can be used in marketing, nor do they remember where you have been on the Internet.
These cookies are used to analyse visitor behaviour on the website and subsequently improve its functionality and appearance.
These are used to help us remember your settings, in order to ensure maximum comfort during your visit.
They are used to serve targeted advertising based on your behaviour. These cookies do not identify a specific person, only the preferences of an anonymous computer. For example, they will prevent you from being shown unnecessarily frequent advertising from an area in which you are not interested.
However, if IP anonymisation is activated on this website, the data subject’s IP address will first be truncated by Google in the Member States of the European Union or other states of the Agreement on the European Economic Area. On behalf of the operator of this website, Google will use this information for the purpose of evaluating the use of the website by the data subject, compiling reports on website activity and providing other services relating to website use.
The IP address transmitted from the data subject’s browser within the scope of Google Analytics is not combined with other Google data. The transmission of data generated by cookies relating to the use of the website (including IP addresses) to Google and the incorporation of this data by Google can also be prevented by installing the browser plug-in available at this link (http://tools.google.com/dlpage/gaoptout?hl=sk).
Transfer outside the EU
As part of the processing of personal data by the controller, we process personal data within the EU. In the case of the processing of personal data by our processors, in some cases the personal data may be transferred within the EU or to countries outside the European Union with a guaranteed and adequate level of protection, within the meaning of Article 45 of the Regulation. These processors include, for example:
Google, Int. (analyses)
Host4Life (hosting services)
Websupport (domain management)
GoPay (payment gateway)
Slovenská Pošta (parcel system)
DHL (shipping system)
Use of automated decision making
Personal data will not be used for automated individual decision-making, including profiling.
Period of personal data processing
Personal data are stored for the periods set out above, which are determined by the legal basis for their processing or by the controller; after the primary purpose of the processing is fulfilled, they are either destroyed or archived according to the records retention rules.
In general, we process personal data:
a) on the basis of consent – for the period expressly stated in the consent or until its withdrawal;
b) for the performance of our legal obligations or options – for the period required by the relevant law;
c) for the performance of a contract – for the duration of the performance of the contract or the duration of pre-contractual negotiations;
d) for legitimate interests – for the duration of performance of the contract or until the processing is objected to.
Ensuring the protection of personal data
We have applied appropriate technical and organisational measures to secure personal data to prevent unauthorised access to or loss of such data, which we define in internal documentation only. When designing the level of protection, we assess the impact on potential risks and the impact on the rights and freedoms of the individuals concerned and adopt the best possible solutions according to the available science, technology and financial means.
Rights of the data subjects
As a data subject – i.e. the person whose personal data are processed – you have the right to be informed about the data of the controller – i.e. the person who processes your data.
For the purpose of personal data processing, the controller is: Mstein s.r.o., Račí potok 27, Košice 04001, ID No.: 50 876 821, Registration: Business Register of District Court Košice I., Section: Sro, File No.: 41382/V
You can exercise your rights by calling the telephone number listed in the Contact section of our website, or in writing to the correspondence address, registered office of M-Stein s.r.o. or by email.
Contact person: Pavol Mészáros, email@example.com, +421 948 904 432
Right to withdraw consent
Where we process personal data on the basis of consent, this right allows you to withdraw consent at any time. Consent may be withdrawn electronically, in writing, by notice of withdrawal of consent or in person. Withdrawal of consent does not affect the lawfulness of the processing of personal data that we have processed on the basis of that consent.
Right of access
The right to be provided with a copy of the personal data we hold about the data subject, as well as information about how we use his or her personal data. In most cases, personal data will be provided in written paper form, unless another method of provision is required. Where this information has been requested by electronic means, it will be provided electronically where technically feasible.
Right to rectification
We take reasonable steps to ensure the accuracy, completeness and timeliness of the personal data we hold. If the information we hold is not accurate, complete or up-to-date, we ask to be notified so that we can correct, update or complete the information.
Right to erasure (to be forgotten)
This right applies, for example, if the personal data we have collected is no longer necessary to fulfil the original purpose of the processing. However, the right must be assessed in the light of all relevant circumstances. For example, we may have certain legal and regulatory obligations which means that we may not be able to comply with every request.
Right to restriction of processing
In certain circumstances, you may ask us to stop using personal data. These include, for example, the cases where the data subject thinks that the personal data we hold about them may be inaccurate or where they think we no longer need to use his/her personal data.
Right to data portability
In certain circumstances, you may ask us to transfer your personal data to a third party of your choice. However, the right to portability only applies to personal data that we have obtained by consent or under a contract to which the data subject is a party.
Right to object
The right to object applies to the processing of data that is based on our legitimate interests. If we do not have a compelling legitimate ground for processing and an objection is lodged, we will no longer process the personal data. Any objection can be raised electronically, or by post to the controller’s registered office.
Right to bring a data protection action
If there is a concern that personal data are being processed unfairly or unlawfully, it is possible to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27; tel. +421 /2/ 3231 3214; email: firstname.lastname@example.org , https://dataprotection.gov.sk . In the case of electronic submission of the application, it must comply with the requirements of Section 19(1) of Act No 71/1967 Coll. on Administrative Proceedings (Administrative Procedure Code).