Privacy Policy

According to Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "Regulation") in accordance with § 19 of Act No. 18/2018 Coll. on the protection of personal data (of the Slovak Republic, hereinafter the "Act").

CONTROLLER:

Business Name: HomeSystem s.r.o.
Registered Office: Školská 329/85, 972 01 Bojnice, Slovakia
Company ID (IČO): 50 376 608

Contact details of the Controller:
Contact person: Ing. Miloš Buček
milos.bucek@homesystem.sk
Družby 1866/16, 974 04 Banská Bystrica, Slovakia

A data subject is a natural person whose personal data we process, particularly, but not exclusively, employees and clients. Such data subjects, whose personal data is processed in our information systems for specifically defined purposes, have rights that they can exercise in writing or electronically with the controller's contact person. The data subject is YOU.

Right of access to personal data

i.e., the right to obtain from the competent person confirmation as to whether or not personal data concerning the data subject who has exercised their right are being processed, as well as the right to access such data. As a data subject, you are entitled to access information about: the purposes of the processing, the categories of personal data concerned, the recipients, the envisaged period for which the personal data will be stored, the logic involved in any automatic processing, and the envisaged consequences of such processing, etc. (Art. 15 of the Regulation). As a controller, we have the right to use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. Upon the data subject's request, the controller shall issue a confirmation of whether personal data concerning them are being processed. If the controller processes such data, they will issue a copy of the personal data of the data subject upon request. The issue of the first copy is free of charge. For any further copies requested by the person, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic form, usually via e-mail, unless otherwise requested by the data subject.

Right to restriction of processing

can be exercised if you, as the data subject, contest the accuracy of the personal data and other conditions under Article 18, Recital 67 of the Regulation, in the form of temporarily moving the selected personal data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website.

Right to rectification

if the controller registers incorrect personal data about the data subject. At the same time, the data subject has the right to have incomplete personal data completed. The controller shall rectify or complete the personal data without undue delay upon the data subject's request.

Right to erasure

"to be forgotten" with respect to the personal data concerning them (the data subject). However, given its nature and seriousness, this right is limited by other conditions; i.e., the controller shall erase personal data without undue delay when this right is exercised, provided one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on which the processing is based; c) the data subject objects to the processing of personal data; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services to a person under 16 years of age.

The data subject shall not have the right to erasure if the processing is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the area of public health; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or e) for the establishment, exercise or defense of legal claims.

The controller shall erase the personal data of data subjects based on a request without undue delay after assessing that the data subject's request is justified.

Right to initiate proceedings

The data subject has the right to file a motion to initiate proceedings with the Office for Personal Data Protection of the Slovak Republic if they believe that their rights in the field of personal data protection have been violated.

Right to object

The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them. They may object to the processing of their personal data based on: a) the legal ground of the performance of a task carried out in the public interest or in the exercise of official authority, or the legal ground of the legitimate interests pursued by the controller; b) processing for direct marketing purposes; c) processing for scientific or historical research purposes or statistical purposes. We will assess the received objection within a reasonable time. In this case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Right to data portability

As a data subject, you have the right to have the personal data you have provided to a controller transmitted to another controller in a structured, commonly used and machine-readable format, provided that the personal data were collected based on the data subject's consent or a contract, and the processing is carried out by automated means.

Further Information:

  • The purpose of personal data processing is the reason for which the controller processes the personal data of data subjects in information systems based on specifically determined legal grounds. Every processing of personal data is based on a specific legal ground and for a specifically determined, legitimate, and explicitly stated purpose.
  • To maximize the protection of your personal data, we, as the Controller, have adopted appropriate personnel, organizational, and technical measures. Our goal is to prevent, or reduce as much as possible, the risk of leakage, misuse, disclosure, or other use of your personal data. In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, you, as the data subject, will be contacted without undue delay (Art. 34 of the Regulation).
  • In order to maintain the principles of personal data processing established by the Regulation and the Act, especially the principle of data minimization, we require from you as the data subject only those personal data that are a necessary legal or contractual requirement to fulfill the purpose of their processing. Please note that failure to provide these mandatory data necessary for the conclusion of the contract may result in the non-conclusion of the contractual relationship.

Purposes of processing, legal basis, categories of recipients, retention period, and further information categorized by information systems:

ECONOMIC & ACCOUNTING AGENDA
Purpose of processing: Processing orders, received invoices, and billing customers, communicating with the bank, managing the cash register, securing cash incomes and outcomes, inventory management, recording fixed and minor assets, keeping company accounting.
Legal basis: Act No. 431/2002 Coll. on Accounting, Act No. 222/2004 Coll. on VAT, Act No. 18/2018 Coll. on Personal Data Protection, Act No. 145/1995 Coll. on Administrative Fees, Act No. 40/1964 Coll. Civil Code, Act No. 152/1994 Coll. on Social Fund, Act No. 311/2001 Coll. Labor Code, Act No. 513/1991 Coll. Commercial Code, and other related regulations (of the Slovak Republic).
Categories of recipients: Tax authorities, Financial Directorate and other public authorities, processor for accounting, authorized employees, processor for administrative tasks, external cooperators.
Retention periods: Invoices, internal documents, cash register, bank statements, financial statements: 10 years. Debt recovery: 5 years.
Categories of data subjects: Employees of the controller, suppliers and customers (individuals, self-employed), employees and representatives of suppliers and customers.
Categories of personal data: Name, surname, title, permanent/temporary address, date of birth, type and number of ID document, phone number, e-mail address, signature, bank account number.
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out

CONTRACTUAL RELATIONSHIPS – CLIENTS (INDIVIDUALS)
Purpose of processing: This information system processes personal data of individuals – clients when ordering services or goods provided by the controller based on an order (by phone, e-mail, or via the web order form).
Legal basis: Contractual relationship between the controller and the customer. Processing is necessary for the performance of a contract (Art. 6(1)(b) GDPR).
Categories of recipients: State administration authorities, authorized employees, processors for administrative tasks, suppliers.
Retention periods: Client records (invoices, orders, complaints): 5 - 10 years.
Categories of data subjects: Individuals - clients.
Categories of personal data: Name, surname, address, phone number, e-mail, bank account details.
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out outside the EU

SOCIAL MEDIA CONTESTS
Purpose of processing: Organizing and evaluating contests on the Facebook profile. The main purpose is maintaining the register of contestants and communicating with them.
Legal basis: Consent of the data subject under Art. 6(1)(a) GDPR. Consent can be withdrawn at any time.
Categories of recipients: Authorized employees, processors for administrative tasks.
Retention periods: 3 months after contest evaluation, or upon consent withdrawal.
Categories of data subjects: Individuals - contest participants.
Categories of personal data: Title, name, surname.
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out

E-SHOP CUSTOMERS
Purpose of processing: The delivery of goods purchased at obchod.homesystem.sk and the execution of purchase-related actions (securing delivery, issuing accounting documents).
Legal basis: Processing is necessary for the performance of a contract (distance purchase agreement concluded by submitting an order).
Categories of recipients: Shipping companies (DPD, TNT, Zásielkovňa/Packeta), processor for economic-accounting agenda and administrative tasks.
Retention periods: Invoices, orders, complaints: 5 to 10 years.
Categories of data subjects: E-shop customers.
Categories of personal data: Title, name, surname, address.
Automated decision-making and profiling: Carried out via COOKIES.
Cross-border data transfer: Not carried out

REGISTERED E-SHOP CUSTOMERS
Purpose of processing: Simplifying future shopping by creating a customer account (registration). Maintaining a register of registered customers.
Legal basis: Consent of the data subject under Art. 6(1)(a) GDPR.
Categories of recipients: Public authorities, processors for administrative tasks.
Retention periods: 5 years, or up to 30 days from the withdrawal of consent.
Categories of data subjects: Registered customer.
Categories of personal data: Name, surname, address, date of birth.
Automated decision-making and profiling: Carried out via COOKIES.
Cross-border data transfer: Not carried out

CLAIMS AND COMPLAINTS REGISTRY
Purpose of processing: Registering complaints for the purpose of their application and resolution.
Legal basis: Fulfilling legal obligations under Act No. 40/1964 Coll. (Civil Code), No. 513/1991 Coll. (Commercial Code), and No. 250/2007 Coll. on Consumer Protection (of the Slovak Republic).
Categories of recipients: Economist, parent company, controller's employees, state authorities, manufacturer.
Retention periods: 5 years.
Categories of data subjects: Customer of the controller exercising their right to file a claim.
Categories of personal data: Name, surname, permanent address, contact details, bank account number.
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out

MARKETING
Purpose of processing: Conducting marketing surveys, sending information about special offers, products, and other activities via e-mail/phone. Issuing certificates.
Legal basis: Consent of the data subject under Art. 6(1)(a) GDPR.
Categories of recipients: Authorized employees, processor for administrative tasks.
Retention periods: 5 years.
Categories of data subjects: An individual who has expressed an interest in marketing information.
Categories of personal data: Title, name, surname, phone number, e-mail, company name.
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out

"VERIFIED BY CUSTOMERS" PROGRAM (Heureka)
Purpose of processing: Determining customer satisfaction with purchases via e-mail questionnaires within the Heureka "Verified by Customers" program. Emails are sent if you do not opt-out of direct marketing. Processing is based on our legitimate interest.
Legal basis: Consent of the data subject under Art. 6(1)(a) GDPR. You can object to receiving e-mail questionnaires at any time.
Categories of recipients: Operator of Heureka.sk, NAJNAKUP, PRICEMANIA portals, processor for administrative tasks.
Retention periods: If filled out, the processor retains pseudonymized personal data for 4 years. If left unfilled, the data is retained for 6 months.
Categories of data subjects: An e-shop customer who gave consent to receive the questionnaire.
Categories of personal data: Customer's e-mail address and order details.
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out

CONTROLLER PROMOTION – Custom-made product photos
Purpose of processing: Recording and publishing photos of completed products (references) with the intention of showcasing the controller's quality of work on the website and social media.
Legal basis: Legitimate interest within the meaning of Art. 6(1)(f) GDPR.
Categories of recipients: Authorized employees, processor for administrative tasks.
Retention periods: Photographic materials: 3 years after fulfilling the processing purpose.
Categories of data subjects: Employees of the controller, the general public.
Categories of personal data: Name and surname (internal records only, not published online), photograph (color or black-and-white).
Automated decision-making and profiling: Not carried out
Cross-border data transfer: Not carried out