loader image

Privacy policy

1. Who processes your personal data in connection with provision of Huglo, Foaf, Verejnedata.sk and Softygon application services?

Personal data is processed by Foaf, s.r.o., with registered office at Pribinova 30, 821 09 Bratislava – Ružinov city borough, company ID No: 36 774 421, registered in the Commercial Register of the Municipal Court Bratislava III, Section Sro, File No. 45838/B, which is a provider of information society services via the Trovi and Huglo applications (hereinafter also referred to as „Huglo“ or „Trovi“ or „Foaf“ or „Softygon“ or „Verejnedata.sk“ depending on which application it is, or also „we“).

2. What is our position under the GDPR when processing your personal data?

We process personal data uploaded to Trovi, Huglo, Foaf, or Softygon application as the Controller for our own personal data processing purposes, but also as the Processor for our corporate customers who use some of the functionalities and services of these applications as controllers in pursuit of their own personal data processing purposes, while our Trovi and Huglo applications also work on the basis of technical integration with publicly available data and the reports generated therefrom, which are also generated by www.verejnedata.sk with help of our integration and synchronisation tool Softygon. If our customers use directly the services provided via the Softygon platform (www.softygon.com) to connect and synchronise data of their own systems with external systems, we will process personal data as the Processor.

Where Trovi, Huglo, Softygon or Foaf processes data on behalf of our customers, we are obliged to comply with the data processing contract concluded pursuant to Article 28 (3) of the GDPR, which determines the scope and conditions of such processing, and as the Processor we are not obliged to inform the data subjects of processing of their personal data. This should be done by our customers as controllers, and we want to help them to do this with the content of this document.

In fulfilling our information obligations, we therefore clearly distinguish between these situations and place emphasis on the proper fulfilment of our own information obligations to data subjects under Articles 13 and 14 of the GDPR whose personal data we process as the Controller.

V prípade, keď v Trovi, Huglo, Softygon alebo Foaf spracúvame dáta v mene našich zákazníkov sme zaviazaní dodržiavať zmluvu o spracúvaní osobných údajov uzatvorenú podľa čl. 28 ods. 3 GDPR, ktorá nám určuje rozsah a podmienky takéhoto spracúvania, pričom ako sprostredkovateľ nie sme povinný informovať dotknuté osoby o spracúvaní ich osobných údajov. Toto by mali vykonať naši zákazníci ako prevádzkovatelia, pričom my im k tomu obsahom tohto dokumentu chceme pomáhať.

Pri plnení našich informačných povinností preto zreteľne odlišujeme tieto situácie a kladieme dôraz na riadne splnenie našich vlastných informačných povinností, ktoré nám vznikajú voči dotknutým osobám podľa čl. 13 a čl. 14 GDPR, ktorých osobné údaje spracúvame ako prevádzkovateľ.

3. When do we process personal data as the Processor?

If you, as our customer, use the following services and functionalities when using our applications, we will be in the position of the Processor. Specifically, these are the following services:

  • use of invoicing tools to analyse documents, issue and manage invoices

  • displaying accounting documents and reports in Huglo reports that have been imported from source accounting systems;

  • integrating and facilitating data transfers between various invoicing and accounting systems used by third parties (e.g. personal accountants) and our applications;

  • use of the Softygon platform for data integration and synchronisation between customer and external systems;

  • provision of analytical and consulting BI (Business Intelligence) services due to creation of various reports, dashboards, relationship diagrams, links between persons and companies, economic results of entrepreneurs, debts, profit and loss statements, data conversions from public sources (open data) for needs and support of decision-making and planning processes of our customers in various areas of their business management, including use of AI technology, mainly through paid services provided through Foaf and Verejnedata.sk;

  • use of the “Payroll” module for payroll and HR services or consultancy;

  • use of the “Personalization of Documents” module allowing you to create your company documents in the selected design and with a personalized logo and signature;

  • filling out and submitting forms for qualified electronic signature service providers, which will allow you to easily request and obtain the necessary certified means of the highest level of trust for creation of electronic signatures for your company’s needs;

  • filling out and submitting forms to reach specific professional business advisors, consultants, attorneys, tax advisors and accountants based on their profiles and services displayed in the application;

  • use of the “Accounting” module for provision of accounting services;

  • use of the “Invoicing” module, which enables the issuance of invoices with QR codes for payment;

  • use of the “Register of Companies” module, which enables automatic completion of data relating to companies on the basis of entering their business name or company ID number;

  • use of the “Orders and Quotations” module, which enables registration and overview of incoming orders and prepared quotations;

  • use of the “Costs” module, which allows you to keep track of your company’s costs;

  • use the “Projects and Hours Reporting” module to track the hours worked by your team members on specific tasks and projects.

In cases where Huglo or Trovi enables you to obtain a discounted financial product (e.g. insurance, leasing, etc.) and possibly other services (accounting, legal) by being able to offer it to you as a bound financial agent of a financial institution with which we will cooperate, we will also act as the Processor within the meaning of the GDPR of such financial institution for the related processing of personal data, providing you with more detailed information on the personal data protection that has been adopted in the terms and conditions of the respective financial institution.

4. When do we process personal data as the Controller?

If you use the following services and functionalities of our applications as a registered user, we will process your personal data as the Controller:

  • filling out and submitting forms for financial intermediation service providers, or independent financial agents, factoring, leasing, and banking service providers to provide their providers with a qualified tip that you are seriously interested in the specific financial services you need for your company;

  • filling out and submitting forms for qualified electronic signature service providers, which will allow you to easily request and obtain the necessary certified means of the highest level of trust for creation of electronic signatures for your company’s needs;

  • filling out and submitting forms to reach out to specific professional business advisors, consultants, attorneys, tax advisors and accountants based on their profiles and service overviews displayed in Huglo application;

  • when using the crowdfunding platform integrated into the Huglo application;

  • use of the “Open Banking” module, which allows you to connect your corporate account held at the bank Tatra banka with the Trovi application via Tatrabanka’s API, through which you can subsequently perform payment services and have an overview of transactions on your corporate account also in Trovi, while we provide you with payment services as a TPP (Third Party Payment Provider), also as an Account Information Service Provider (AISP) and as a Payment Initiation Service Provider (PISP);

  • use of other banking API integrations that allow our applications to provide payment services in cooperation with other commercial banks;

  • by providing completed registration forms sent from Trovi application,use of the “Legal Services” module which allows you to request cooperating law firms to provide a targeted and fixed-price legal service or to prepare a quotation for more complex cases;

  • use of the “Financing the Purchase of Equipment” module will allow you to apply for advantageous financing of your business needs through provision of filled-in registration forms sent to the leasing service provider.

5. For what purposes and on what legal basis do we process personal data in our applications as the Controller ?

Purpose of the personal data processing

Legal Basis


Further explanation of the purpose of the personal data
processing1

1.


Provision of Information Society Services

Legitimate interest under Article 6(1)(f) of the GDPR and, in support
thereof, a
contract under Article 6(1)(b) of the GDPR in relation to self-employed
persons who
pay for a subscription to Trovi, Huglo or Foaf.

The Controller will provide its paying customers using the information
society
services provided via Huglo, Trovi or Foaf with a number of separate modular
services at their request, which will inevitably also involve the processing
of a
variety of personal data of a common category, which will come primarily
from the
so-called “open data” and publicly accessible registries that provide public
licenses and APIs allowing digital service providers, such as the
Controller, to use
this data also for commercial purposes, subject to creation of added value,
digital
innovation and compliance with the relevant legal restrictions. The
processing of
personal data may also include the trial (unpaid) use of our applications in
the
context of pre-contractual relationships with potential customers.

In particular, personal data will be processed, for example, in

1) Provision of payment services within the framework of open banking API
integration built into the Trovi or Huglo application, which will be linked
to the
customer’s business account established in commercial banks and will allow
to enter
transactions and record reports of transactions made from the business
account in
the bank directly in the Huglo and Trovi application, thus the Controller
will be in
the position of the so-called Third Party Payment Provider, both as an
Account
Information Service Provider (AISP) and as a Payment Initiation Service
Provider
(PISP).

2) Provision of analytical and statistical business intelligence (BI)
services that
are able to prepare reports on social connections and other important
statistical
indicators related to specific businesses, which we make available and
create on the
basis of publicly available data (open data),

3) Provision of crowdfunding funding for specific projects and business
plans.

4) Provision of quick and convenient links to various third parties, which
is
directly related to providing tips to our business partners for establishing
new
business relationships between the third party and the user of Huglo, Trovi
and
Foaf, Softygon or more efficient data exchange with the customer’s
accountants. The
contact details and other additional information filled in by the
application user
can be subsequently provided in tips to e.g. law firms, factoring companies,
leasing
companies, financial agents, business advisors, tax advisors and auditors,
accounting service providers, or providers of qualified trusted electronic
signature
services. These third parties then process the personal data as separate
controllers
independent of us for their own purposes, for which we are not responsible.

2.

Fulfilment of Legal Obligations

Compliance with the legal obligations under Article 6(1)(c) of the GDPR

As the Controller, we often have to process personal data also in connection
with
fulfilment of our legal obligations under the GDPR (e.g. when notifying
personal
data breaches, dealing with rights of a data subject, deleting and
anonymising
unnecessary data after the end of the purposes of their processing, etc.),
when
creating and storing tax and accounting documents, when fulfilling the
employer’s
tax and labour law obligations, when maintaining our company’s corporate
agenda, as
well as in any other situations where it is necessary to carry out certain
processing operations with personal data in order to fulfil our obligations
set out
in the relevant laws.

3.


Personal Data Security and IT Systems

Compliance with the legal obligations under Article 6(1)(c) of the GDPR

As the Controller, we have an obligation under the GDPR to ensure an
adequate level
of protection for the personal data we process. When ensuring our internal
IT
security, we may process personal data not only of some users of our IT
systems and
visitors to our premises, e.g. for logging, backups, managing of access
rights to
systems and protected areas, conducting security audits or penetration
tests, but
also of website visitors (e.g. Blocking of IP addresses from which a
cyber-attack
takes place).

4.


Application Development, Improvement and Testing

Legitimate interest pursuant to Article 6(1)(b) of the GDPR

As the Controller, we may also process personal data in the context of
development,
improvement and testing of Trovi, Huglo and Foaf applications or our
software tool
Softigon, which use these applications, regardless of whether we are
fulfilling
requests for third-party developers or whether we are implementing our own
security
measures or implementing our own specifications. In case that we carry out
such
processing operations on behalf of our customers in performance of their
orders, we
will only process personal data as the Processor, if any.

5.


Provision of Technical Support and Customer Care

Legitimate interest pursuant to Article 6(1)(b) of the GDPR

When we provide service and technical support to customers by phone, email
or remote
access via the Internet, we may also process the necessary personal data of
the
persons involved to resolve the customer request, or we may see our
customers’ data,
but they are responsible for this as separate controllers.

6.

Marketing and PR Purposes

Consent pursuant to Article 6(1)(a) of the GDPR or legitimate interest
pursuant to
Article 6(1)(f) of the GDPR

As the Controller, we will process personal data for this purpose if we
operate our
own social media profiles (Facebook, YouTube, Instagram, Twitter, X,
Threads) or
publish blogs containing personal data on our websites, while we rely on our
legitimate interest in raising awareness of our applications and business
activities
in the online environment. There may also be some data processing when
interacting
with icons and plug-ins of social networks such as Facebook, Twitter,
YouTube that
are integrated into our websites.

Personal data will also be processed if we send you our marketing
communications by
email, text message or correspondence, or if you agree to the storage of
cookies on
your internet browser when you visit our websites, which may result in
personalisation and targeting of the content of our advertising to you.

7.

Legal and Contractual Purposes

Legitimate interest pursuant to Article 6(1)(b) of the GDPR

Depending on nature of the transaction and the terms of the business
relationship
with a particular partner, we may be entitled to a commission for a
successful tip.
When determining, calculating, proving and applying the commission for
providing a
tip, information may be exchanged and data may be processed about our
customers who
have started using third party services thanks to Trovi or Huglo functions,
for
which we are responsible as the data Controller.

As the Controller, we also process personal data that is necessary for
conclusion,
modification and performance of various contracts concluded with legal
entities and
natural persons. In some cases, we have to prove, assert or defend our legal
claims
in or out of court or report certain facts to public authorities (e.g.
Distrainor,
law enforcement authorities). Such processing includes the typical agenda of
the
legal department, including, communication or interaction with public
authorities,
exercising rights in administrative and other proceedings, preparation,
control and
storage of contracts, etc.

8.

Statistical Purposes

Legal bases for the above compatible purposes based on Recital 50 and
Article 89 of
the GDPR

In accordance with the terms of Article 89 of the GDPR, we process personal
data
collected for the above purposes and, on the basis of the above legal bases,
also
for statistical purposes. Personal data is never the result of such
processing, but
aggregated/anonymous information (such as how many customers we have or
economic
statistics).

6. What legitimate interests do we pursue in processing your personal data?

In order to achieve the above purposes of processing personal data, we as the Controller rely on the following legitimate interests in terms of the legal basis:

  • provision of information society services through Huglo, Trovi and Foaf application, consisting mainly of:

  • Provision of payment services within the open banking API integration built into Trovi or Huglo application;

  • Provision of analytical and statistical business intelligence (BI) services that are able to prepare reports on social links and other important statistical indicators related to specific entrepreneurs in Huglo, Trovi and Foaf applications, which we make available and create on the basis of publicly available data (so called open data);

  • Provision of crowdfunding funding for specific projects and business plans, enabling our customers to get involved through Trovi or Huglo applications;

  • Provision of quick and convenient links to various third parties, which is directly related to providing tips to our business partners for establishing new business relationships between the third party and the user of Huglo, Trovi and Foaf, or more efficient data exchange with the customer’s accountants;

  • obtaining, calculating, proving and claiming commissions for providing tips to business partners;

  • proving, exercising and defending the rights and legal claims of the Controller;

  • conclusion and performance of a variety of contractual relationships where the data subject is not a party to the contract, but his/her personal data is necessary for proper conclusion, adjustment or performance of such contract;

  • direct marketing communication of similar goods and services to existing customers;

  • raising awareness of Huglo, Trovi, Softygon and Foaf applications on social networks in the public space;

  • development, improvement and testing of applications;

  • provision of technical support and customer care.

7. Do you have a Data Protection Officer (DPO) and how can we contact him/her?

Yes, for Trovi and Huglo applications we have a designated responsible person, or DPO, whose current contact details are always communicated to the Office for Protection of Personal Data. Data subjects or any person can contact our DPO directly using these contact details:

E-mail: dpo@foaf.sk

Correspondence address: Responsible person (DPO), Pribinova 30 Bratislava – Ružinov 821 09 Bratislava.

8. Who do we provide your personal data to?

We take the confidentiality of your personal data very seriously and have put policies in place to ensure that your data is only shared with authorized individuals working with Trovi and Huglo or with a verified third party. Our employees and internal users may have access to your personal data on a need-to-know basis, which is usually limited by function, role and user role. We also use subcontractors to help us provide our services and these subcontractors may process your personal data for us. We ensure that selection of our subcontractors and the processing of personal data by our subcontractors comply with the GDPR. Depending on the purpose of processing, recipients of your personal data are divided in the following categories:

  • providers of accounting and invoicing services;

  • shipping, courier and postage companies;

  • professional business advisors;

  • factoring companies;

  • leasing companies;

  • collection companies;

  • public registers of creditors;

  • qualified trusted electronic signature service providers;

  • auditors and tax advisers;

  • independent and bound financial agents or financial intermediaries;

  • distrainors, notaries public, courts, lawyers, translators;

  • providers of standard software;

  • providers of technical support, development and administration of IT systems and applications;

  • providers of data analysis, processing and storage tools;

  • cloud or web hosting providers;

  • web analytics providers, including preparation of statistical data, fraud detection, advertising targeting, segmentation and profiling of web visitors;

  • IT security service providers;

  • entities to whom you consent to the storage of cookies by using a cookie bar when you visit our website, which may result in tracking of your behaviour and personalised advertising targeting;

  • marketing and PR agencies;

  • health insurance companies, pension management companies and social insurance companies in case of our employees, including those working under agreements on performance of work outside the employment relationship;

  • service providers for sending the newsletter;

  • social network operators;

  • banks and recipients of payments made through our applications;

  • text message payment service providers;

  • external contractors of Foaf, Huglo and Trovi applications.

9. To which third countries (outside the EU) do we transfer your personal data?

As a standard, we try to limit any cross-border transfers of personal data to third countries outside the EU or the European Economic Area, so if it is not necessary for us to do so, we do not do it. However, some of our sub-suppliers or recipients of personal data listed above may be established or may be under the jurisdiction of the authorities and laws of a third country which does not provide an adequate level of protection or their servers may be located in such third country.

As a result of using the services of certain recipients of personal data, cross-border transfers of personal data may be carried out to the United States of America (U.S.), which is not considered by the European Commission to be a third country that ensures an adequate level of personal data protection.

Specifically, we have a cross-border transfer of personal data to the United States of America (U.S.) in the context of use of the services of various recipients of personal data, mainly from the category of: i) social network operators (Meta Platforms.), ii) security services (Cloudflare), iv) web analytics and SDK implementation in websites (Meta, Google), v) statistical analysis providers (Google), vi) cloud service and software (SaaS) providers (e.g., AWS, Attlassian, Dropbox, Slack ), vii) platform providers for development and testing of our applications (Gitlab).

The European Commission adopted a new implementing decision, on 10 July 2023 approving the „EU-US Data Privacy Framework“, which constitutes an adequacy decision under Article 45 of the GDPR. It allows transfers of personal data to certified organisations (data importers) in the U.S. without the need for further authorisation or the need to take additional safeguards and measures. If we cannot rely on the European Commission’s decision on the adequacy of a third country pursuant to Article 45 of the GDPR, we require adoption of specific safeguards pursuant to Article 46 of the GDPR (most often so-called standard contractual clauses) or Article 47 (so-called binding corporate rules) and, if necessary, the adoption of other additional measures to protect the rights and freedoms of data subjects.

For an overview of such importers and safeguards operating on transfers of personal data to the U.S., please see the overview table below:

 

Supplier

Privacy policy adopted by importers of personal data

Appropriate specific legal safeguards within the meaning of Article
46 of
the GDPR or Article 47 of the GDPR

Decision on proportionality pursuant to Article 45 of the
GDPR

Amazon Web Services

https://aws.amazon.com/privacy/?nc1=f_pr

New type of the
standard
contractual clauses
adopted
by the European Commission in Decision 2021/914/EC of 4 June 2021 (“SCC”),
which a
supplier has undertaken to comply with under
DPA
contract
and supplementary measures:

Yes, it applies to Amazon Web Services.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TOWQAA4&status=Active

Atlassian Inc.

https://www.atlassian.com/legal/privacy-policy

New type of standard contractual clauses approved by European Commission
Decision
(Module 2) incorporated into
data
processing
addendum
,
as well as other additional safeguards described in the documents for
data
transfer impact assessment
.

These safeguards also apply to data transfers not only to the U.S. but also
to
Australia.

Yes, it refers to Attlassian, Inc.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008RdQAAU&status=Active

European
Commission Decision on the EU-U.S. Data Privacy Framework_en.pdf
(europa.eu)

Cloudflare, Inc.

https://www.cloudflare.com/privacypolicy/

New type of the
the
standard contractual clauses
approved by European Commission
Decision
(Module 2) and supplementary measures:

After 10 July 2023:

Adequacy
decision EU-US Data Privacy Framework_en.pdf (europa.eu)

Yes refers to Cloudflare, Inc.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnZKAA0&status=Active

European
Commission Decision on the EU-U.S. Data Privacy Framework_en.pdf
(europa.eu)

Dropbox, Inc.

https://www.dropbox.com/privacy

https://sign.dropbox.com/about/privacy

New type of standard contractual clauses (Module 3) approved by European
Commission
Decision incorporated into

contract
on the processing of personal data and appropriate additional ones
precautions.

Yes, it applies to Dropbox, Inc.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/list

European
Commission Decision on the EU-U.S. Data Privacy Framework_en.pdf
(europa.eu)

Google LLC

(Google Analytics)

https://policies.google.com/privacy?hl=en-US

New type of the
standard
contractual clauses
approved by European Commission Decision (Module
1 and
Module 2); and
appropriate
additional measures
together with explanation of
the
appropriate settings
for Google Analytics.

Yes, it applies to Google, LLC and all of its U.S. subsidiaries.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active

European
Commission Decision on the EU-U.S. Data Privacy Framework_en.pdf
(europa.eu)

Gitlab, Inc.

https://about.gitlab.com/privacy/

New type of the
standard
contractual clauses

(Module 2) approved by European Commission Decision incorporated into
personal
data processing contract

N/A – not listed in the Data Privacy Framework list.

Meta Platforms , Inc.

https://www.facebook.com/policy.php

Standard contractual clauses approved by European Commission Decision
(2010/87/EC of
5 February 2010) and new standard contractual clauses (Module 3)
incorporated in
Facebook’s
European Addendum on Data Transfers
as well as the additional
measures
explained here:

Yes, it refers to Meta Platforms, Inc.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active

European
Commission Decision on the EU-U.S. Data Privacy Framework_en.pdf
(europa.eu)

Slack Technologies LLC

(Slack)

https://slack.com/trust/privacy/privacy-policy

New type of standard contractual clauses (Module 2 and 3) approved by
European
Commission Decision incorporated into
contract
on the processing of personal data
.

Yes, it applies to Saleforce, Inc. including its subsidiary Slack
Technologies LLC.

The data importer’s registration in the EU-U.S. Data Privacy Framework can
be
verified here:

https://www.dataprivacyframework.gov/list

European
Commission Decision on the EU-U.S. Data Privacy Framework_en.pdf
(europa.eu)

10. How long do we retain your personal data?

We retain personal data for no longer than is necessary for the purposes for which the personal data is processed. In general, the retention period follows from the legislation. Unless otherwise required by law, the retention period of your personal data is always determined by us in relation to specific purposes through an internal policy where we seek to minimise the retention period.

The general retention periods of personal data for the purposes of processing personal data as defined by us are as follows:

Purpose

General retention period of personal data

  1. Provision of information society services

Until subscription to the paid services in the Huglo, Foaf, Softygon or Trovi application is terminated or until the data subject’s objection to the processing of personal data is resolved, which in the particular case would outweigh our legitimate interest during the subscription period of the paid services in our applications.

  1. Fulfilling legal obligations

Until expiry of the relevant statutory period, if explicitly provided for by law (e.g. 10 years for the retention of accounts), or until the expiry of 4 years from occurrence of the relevant legal fact, if no such period is provided for by law.

  1. Security of personal data and IT systems

Maximum 1 year.

  1. Application development, improvement and testing

In general, until the related activity has been completed, or until the data subject’s objection to the related processing has been dealt with, if it would prevail over our legitimate interest in a particular case.

  1. Provision of technical support and customer care

During use of our applications, or until the data subject’s objection to the related processing has been dealt with, if it would prevail over our legitimate interest in a particular case.

  1. Marketing and PR purposes

Until the consent is withdrawn in case of cookies or until an objection to direct marketing is lodged.

  1. Legal and contractual purposes

Until the legal case has been concluded on the merits, which is associated with limitation of claims or exhaustion of all available remedies, or until processing of the data subject’s objection to the related processing has been dealt with, if it would prevail over our legitimate interest in a particular case.

  1. Statistical purposes

For duration of the aforementioned retention periods for other purposes. Unnecessary data is deleted continuously after the statistical outputs are compiled, unless we use the automatic settings of the service provider. In such cases, we retain the data processed within “Google Analytics” for a maximum of 26 months and the data processed within “Facebook Page Insights” for a maximum of 90 days. The data may also be erased earlier in case of an objection by the data subject.

The above retention periods only set out the general periods during which personal data are processed for the purposes in question. However, we do in fact proceed to the destruction or anonymisation of personal data before the expiry of these general periods if we consider the personal data concerned to be no longer necessary for the above-mentioned processing purposes. On the contrary, in some specific situations, we may retain your personal data for longer than the above if required to do so by law or in our legitimate interest, or if your personal data is also processed for another compatible processing purpose for which the retention period has not yet expired. If you would like information regarding the specific retention period for storage of your personal data, please do not hesitate to contact us through our authorised person.

11. From what sources do we obtain personal data about you?

Under Article 14 of the GDPR, we are obliged to inform you about the sources and categories of data we obtain indirectly. Given the fact that we use diverse and very extensive data from public sources, in order to be able to provide advanced analytical and statistical value-added services to our clients, we consider it objectively impossible to inform all data subjects that we collect their personal data in this way. If we were forced to inform every data subject whose personal data we obtain and process from public sources by address, it is quite certain that we would not be able to objectively provide our information society services to paying customers, which would make it impossible for us to conduct our business. We believe that this is the reason for application of the exemption from the information obligation under Article 14(5)(b) of the GDPR, but this still requires us to take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the following information available to the public:


Source of personal data


Categories of personal data collected


Groups of persons concerned

Trade Journal

Exclusively common categories of personal data

Individuals whose personal data are involved in bankruptcy, restructuring, liquidation, auctions – e.g. bankrupts, debtors, trustees, creditors

Register of Financial Statements

Common categories of personal data included in the accounts, in particular the
identification data of the entrepreneur and its economic results for a specific
period.

Self-employed persons and natural persons exercising the functions of a statutory body in legal persons.

Register of Legal Entities / Statistical Office of the Slovak Republic and
Statistical Office of the Czech Republic

Exclusively common categories of personal data within the scope of their processing in the Register of Legal Entities, e.g. business name, company ID number, registered office, date of establishment, date of termination, registered office address, main activity SK NACE Rev. 2, institutional sector ESA 2010, type of ownership, category of size of the organisation according to number of employees, legal form, region, district, municipality

Although the data relates exclusively to legal entities, we consider that in case of single-person LLCs, it could theoretically be of a personal data nature in specific cases, and therefore we mention this source and category of data out of legal caution.

Commercial Register

Exclusively common categories of personal data to the extent to which they are entered in the public part of the Commercial Register with a focus on monitoring changes in the entered data (e.g. changes in the registered office, changes in occupation of statutory bodies), typically e.g. academic degree, first name, surname, address of permanent residence of the member and executive officer in limited liability companies, etc.

Natural persons acting in relation to a legal person, in particular partners, executive officer, proxy holders, shareholders in name

Register of Bankrupts

Exclusively common categories of personal data e.g. first name, surname, permanent address and date of birth of bankrupts who are natural persons.

Exclusively common categories of personal data identifying the bankruptcy trustee – e.g. academic degree, first name, surname, office address, contact details

Data relating to claims, the bankrupt’s assets, creditors’ meetings, documents with the list of claims and other documents published in the Register of Bankrupts – e.g. the bankruptcy petition, the file number of the bankruptcy, date and time of publication of the prescribed acts of the bankruptcy proceedings, together with a brief description of them (e.g. the end of the survey of claims, the end of filing of claims).

Individuals whose personal data are included in bankruptcy, restructuring in the Register of Bankrupts.

Bankruptcy trustees in case of natural persons and judges ruling on bankruptcy.

Insolvency Register of the Czech Republic

Exclusively common categories of personal data e.g. first name, surname, address of permanent residency and date of birth, birth ID number for bankrupts who are natural persons

Information concerning a status of the proceedings, file reference number, Senate reference number, reference number of the proceedings in the case.

Data relating to the history of the insolvency proceedings – e.g. date of the last published event, end of the deadline for filing claims, date of the end of the insolvency proceedings, international jurisdiction of the court.

Individuals whose personal data are included in bankruptcy or restructuring in
the Register of Bankrupts.

Trade Licensing Register

Exclusively common categories of personal data within the scope published in the Trade Licensing Register – e.g. business name, company ID number, place of business, addresses of establishments, subject of business.

Self-employed natural persons who are registered in the Trade Licensing Register

Register of Public Sector Partners

Exclusively common categories of personal data, in particular business name, legal form, company ID number, address of registered office or place of business, date of registration, date of deletion, insertion number in relation to the public sector partner.

Exclusively common categories of personal data, in particular business name, company ID number, address of the registered office / place of business or residence in relation to the authorised person.

Exclusively common categories of personal data, in particular academic degree, first name, surname, date of birth, nationality, address of permanent residence, data on exercise of a public function in relation to the beneficial owners.

Exclusively common categories of personal data included in the verification document – e.g. identification of the exponents of the management, supervisory and ownership structure of the public sector partner, how profits are
shared, voting rights, public functions of the beneficial owners.

Natural persons in their capacity as beneficial owners.

Natural persons in their capacity as public sector partner.

Natural persons in their capacity as authorised person (e.g. lawyers,
notaries)

Financial Administration

Exclusively common categories of personal data, financial information, and tax information.

Natural persons who exercise their rights in performance of the tasks of the financial administration, natural persons who are obliged to the financial administration by special legal regulations

Social Insurance Company

Common categories of personal data, information relating to debts and arrears of social contributions of a particular entrepreneur.

Entrepreneurs who are in arrears with their contributions to the Social Insurance Company.

Health Insurance Company – Všeobecná zdravotná poisťovňa, a.s.

Common categories of personal data, information relating to debts and arrears of health insurance of a particular entrepreneur.

Entrepreneurs who are in arrears with their health insurance.

Health Insurance Company – Union zdravotná poisťovňa, a.s.

Common categories of personal data, information relating to debts and arrears of health insurance of a particular entrepreneur.

Entrepreneurs who are in arrears with their health insurance.

Health Insurance Company – Dôvera zdravotná poisťovňa, a.s.

Common categories of personal data, information relating to debts and arrears of health insurance of a particular entrepreneur.

Entrepreneurs who are in arrears with their health insurance.

Court decisions

It is envisaged that final and published court decisions will be anonymised in terms of personal data. Exclusively common categories of personal data included in final and published court decisions to a minimum extent (data of judges, legal representatives) and contextual data on the content of litigation.

Natural persons whose personal data was not anonymised in the decision due to an administrative error on the part of the courts.

Natural persons who heard the case as judges.

Legal representatives.

Contact database of companies

Contact details (phone number, email) and the entrepreneur’s website.

Natural persons acting in relation to a legal person as authorised representatives or designated as contact persons.

Central Register of State Claims

Exclusively common categories of personal data relating to claims for which the creditors are public authorities and from which the identification of the debtor and the amount of the debt is always
apparent.

Natural persons on the list of debtors to the State

COFACE

(Creditors’ Register)

Exclusively common categories of personal data relating to commercial debts arising out of a commercial relationship, from which the identification of a debtor and the amount of a debt is always apparent.

Natural persons appearing on the list of debtors

Business Lease Slovakia

(Creditors’ Register)

Exclusively common categories of personal data relating to commercial debts arising out of a commercial relationship, from which the identification of a debtor and the amount of a debt is always apparent.

Natural persons appearing on the list of debtors

Central Register of Distraint Proceedings

Exclusively common categories of personal data relating to distraint proceedings pending against entrepreneurs to the extent of a statement or certificate of distraint proceedings.

Natural persons whose personal data appear in the Register of Distraint Proceedings, in particular debtors, creditors and bailiffs.

Register of Mandates for Distraint Proceedings

Exclusively common categories of personal data relating to the distraint proceedings file ECLI, company ID number of the debtor, fist name, surname and date of birth of the debtor in the distraint proceedings, if he/she is a natural person.

The natural persons whose personal data appear in the Register of Distraint Orders, in particular the debtors, creditors, executors and the statutory judge.

However, we may also obtain your personal data from the company in connection with which we process your personal data. This is most often the case when we enter into or negotiate a contractual relationship or its terms with a company. If you are a member of the statutory body of an organisation that is a party to our contract or with which we are negotiating a contractual relationship. From such sources, we obtain only common (basic) identification and contact categories of personal data.

We do not further systematically process any personal data collected incidentally for any personal data processing purpose defined by us.

12. Is provision of your personal data a legal or contractual requirement in specific cases?
If you provide us with your personal data for the purposes of which the legal basis is performance of a contract, provision of such data is generally to be regarded as a contractual requirement or a requirement necessary for the proper conclusion or performance of the contractual relationship in question. Failure to provide personal data in these cases may have negative consequences for the party interested in entering into a contractual relationship with us, as it may not be possible to enter into such a relationship or may cause various practical complications and difficulties in cooperating with us in the performance of such a contract during its term.

If you provide us with your personal data for purposes which are legally based on performance of legal obligations, the provision of such data is generally directly related to the need to perform our legal obligations and therefore we require it from you to the extent necessary. Depending on the specific situation, failure to provide the requested personal data may have various negative consequences for you as a data subject (e.g. you will not be registered as an employee paying taxes or health insurance, we will not be able to process your data subject request, we will not be able to establish access rights to internal systems, etc.).

If you provide us with your personal data for purposes for which consent is the legal basis, this is always a voluntary provision of personal data, which is not a legal or contractual requirement and any failure to provide personal data should not have any material consequences for you.

13. Does the processing of your personal data involve automated individual decision-making, including profiling, with legal effect or other substantial impact on you?

Yeah, based on the explicit consent of a person authorised to act on behalf of a specific company or the consent of a self-employed person, an automated individual decision-making function may be initiated in the Huglo or Trovi application in relation to the assessment of creditworthiness, trustworthiness and business reliability in such cases where such business entity would choose to apply for “crowdfunding” investments for its business through our applications. Our application could automatically generate an index of the entrepreneur’s business reliability based on an analysis of the publicly available data about the entrepreneur, which would be displayed to potential investors. The consequence of such processing could be that, if an investment candidate is poorly evaluated, it could lead to the opportunity to obtain investment for their business being lost.

14. Under the General Data Protection Regulation (GDPR), what are the rights of a data subject whose personal data we process as the Controller?

If we process personal data about you on the basis of your consent to the processing of your personal data, you have the right to withdraw your consent at any time. You have the right to object effectively at any time to the processing of personal data for direct marketing purposes, including profiling.

You also have the right to object to the processing of your personal data on the basis of the legitimate interests pursued by us as explained above. You also have this right against the processing of personal data on a legal basis of public interest, which we do not carry out.

If you exercise this right, we will be happy to demonstrate the manner in which we have assessed the following legitimate interests as overriding the rights and freedoms of the data subjects

The GDPR sets out the general conditions for exercising your individual rights. However, their existence does not automatically mean that they will be granted in application of individual rights, as exceptions may apply in a particular case, or some rights are linked to specific conditions that may not be met in every case. We will always deal with your request concerning a specific right and examine it in the light of the legal provisions and applicable exceptions.

In particular, as a data subject, you have:

  • The right to request access to personal data under Article 15 of the GDPR that we process about you. This right includes the right to confirm whether we are processing personal data about you, the right to obtain access to that data and the right to obtain a copy of the personal data we are processing about you, where technically feasible;

  • The right to rectification and completion of personal data pursuant to Article 16 of the GDPR if we process incorrect or incomplete personal data about you;

  • The right to erasure of your personal data pursuant to Article 17 of the GDPR;

  • The right to restriction of processing of personal data pursuant to Article 18 of the GDPR;

  • The right to data portability pursuant to Article 20 of the GDPR if the processing of personal data is based on the legal basis of consent pursuant to performance of a contract;

  • The right to object under Article 21 of the GDPR if the processing is based on a legitimate interest, public interest or for direct marketing purposes, including profiling;

  • The right to object to automated individual decision-making under Article 22 of the GDPR.

You also have the right to file a complaint at any time with the Office for Protection of the Personal Data of the Slovak Republic (URL: www.dataprotection.gov.sk) or to file a lawsuit with the competent court. In any case, we recommend that any disputes, questions or objections be resolved primarily by communicating with us.

 
15. How do you use cookies when I visit your website?

The law says that we may store cookies on your device if they are strictly necessary for operation and proper functioning of our website that you request to view. For all other types of cookies, we need your consent, which you can freely give or just as easily withdraw at any time via the cookie dialogue window, which should appear whenever you first visit our website or whenever you use the “Cookie settings” function, which you can also activate via a single click on the Cookieyes widget (the blue ball in the bottom right-hand corner of the screen). Our website uses different types of cookies. For more information on how we process cookies in accordance with GDPR and e-Privacy regulations, please view the Cookie Policy.

16. How do I know that the information you give me about the processing of personal data is up to date?

Data protection is not a one-off issue for us. The information that we are required to provide you with with respect to our processing of your personal data may change over time or may no longer be up-to-date. For this reason, we reserve the right to change or amend the text of the answers to the above questions or the questions themselves at any time. We also reserve the right to change the full version of the Privacy Policy and replace it with a new, more up-to-date version.

If we change the Privacy Policy in a material way, we will bring the change to your attention, for example, by a general notice on this website or by a separate notice via email or other similarly effective means. In case that a specific notification of a change to the Privacy Policy is not necessary for the proper observance of the principle of lawful, fair and transparent processing of personal data (e.g. in case of minor content changes and language corrections), we do not proceed in this way. The text of the Privacy Policy published on the website is always considered up-to-date www.trovi.skwww.foaf.skwww.huglo.skwww.softygon.com www.verejnedata.sk