I. Introductory Provisions:
The information below governs the conditions for personal data protection in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”), which repeals Directive 95/46/EC, and with Act No. 18/2018 Coll. on the Protection of Personal Data and on the amendment of certain acts (the “Personal Data Protection Act”), effective from 25 May 2018, in connection with the personal data provided by data subjects to the controller on its website.
Controller: MIJA corp. s. r. o., registered office: Svätoplukova 4, 040 01 Košice – Staré Mesto, ID No. (IČO): 52 516 547, registered in the Commercial Register of the District Court Košice I, 46719/V
Phone: +421 948 600 058, +421 904 553 886
Email: info@beautylabstudio.sk
Website: www.beautylabstudio.sk
II. Definitions:
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data subject means any natural person whose personal data are processed.
Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data and processes personal data in its own name.
Processor means a natural or legal person which processes personal data on behalf of the controller.
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future, based on the data subject’s request under the conditions stated herein.
III. Principles of Personal Data Processing:
Personal data are processed by the controller lawfully in accordance with the GDPR and the Personal Data Protection Act so that the fundamental rights of the data subject are not infringed.
The controller collects personal data for specified, legitimate and explicitly stated purposes and does not further process them in a manner that is incompatible with those purposes.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is deemed compatible with the initial purposes under special legislation, with appropriate safeguards for the rights of the data subject.
Processed personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Processed personal data must be accurate and, where necessary, kept up to date. The controller shall erase or rectify without undue delay personal data that are inaccurate with regard to the purposes for which they are processed.
The controller stores personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes under special legislation and provided that appropriate safeguards are in place to protect the rights of the data subject.
Personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
IV. Information for Data Subjects:
The data subject has the following rights in relation to the processing of personal data:
Right of access:
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed.
The controller is obliged to provide the data subject with their personal data that it processes. For any repeated provision of personal data requested by the data subject, the controller may charge a fee corresponding to the administrative costs related to handling the request.
The controller shall provide personal data to the data subject in the manner requested by the data subject.
In addition to providing the personal data of the data subject that it processes, the controller shall provide the data subject with information about the purpose of processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed (if any), the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period, the right to request rectification, erasure or restriction of processing, or to object to processing, the right to lodge a complaint with the supervisory authority pursuant to Section 100 of the Personal Data Protection Act, the source of the personal data if not obtained from the data subject, and the existence of automated decision-making, including profiling.
Right to rectification:
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them.
The data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement, if required by the purpose of processing; otherwise, the controller may refuse to complete the data.
Right to erasure (“right to be forgotten”):
The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay under the conditions set out below.
The controller shall erase personal data without undue delay where:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing,
- the data subject objects to the processing of personal data concerning them for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing,
- the personal data have been unlawfully processed,
- erasure is necessary to comply with a legal obligation under the Personal Data Protection Act, a special regulation, or an international treaty by which the Slovak Republic is bound.
The above does not apply where processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation under the Personal Data Protection Act, a special regulation or an international treaty by which the Slovak Republic is bound, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Section 78(8) of the Personal Data Protection Act where the right to erasure would likely render impossible or seriously impair the achievement of the objectives of that processing, or for the establishment, exercise or defence of legal claims.
Right to restriction of processing:
The data subject has the right to obtain from the controller restriction of processing where:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims, for the protection of persons, or for reasons of important public interest.
The controller shall inform the data subject who has obtained restriction of processing before the restriction of processing is lifted.
Right to data portability:
The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where technically feasible.
Exercising the right to data portability shall not adversely affect the right to erasure under the conditions mentioned above.
Right to object to processing
The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
The data subject has the right to object at any time to the processing of personal data concerning them for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to lodge a complaint with the Office for Personal Data Protection under Section 100 of the Personal Data Protection Act
The data subject has the right to lodge a complaint with the Office for Personal Data Protection under Section 100 of the Personal Data Protection Act.
The data subject was expressly informed that where processing is based on consent for a specific purpose, the data subject has the right to withdraw consent at any time.
V. Procedure for Handling Requests for Access, Rectification, Erasure, Restriction of Processing, and Data Portability:
The controller shall respond to the data subject’s request without undue delay and in any event within one month of receipt of the request. In justified cases, taking into account the complexity and number of requests, the controller may extend this period by two further months, repeatedly if necessary.
The controller shall inform the data subject of any such extension within one month of receipt of the request together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means unless otherwise requested by the data subject.
If the controller does not take action on the data subject’s request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the supervisory authority under Section 100 of the Personal Data Protection Act.
If the controller lacks sufficient information to unambiguously identify the applicant or the lack of information prevents processing of the request, the controller shall invite the applicant to supplement the request or to sufficiently prove their identity. If the applicant fails to comply within 7 days of delivery of the invitation, the controller is entitled to refuse to act on the request.
Information, communications and actions are provided free of charge when requested by the data subject for the first time and where the request is not manifestly unfounded or excessive. Whether a request is manifestly unfounded or excessive is assessed by the controller.
Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or
- refuse to act on the request.
VI. Basic Information on Personal Data Processing:
The controller processes personal data only to the extent necessary and for a specific purpose in accordance with the relevant legal basis.
The controller has adopted appropriate technical, security and organisational measures to ensure enhanced protection of the personal data processed and handles the data sensitively in accordance with the principles of security of personal data processing.
The personal data processed by the controller originate directly from the data subject or from publicly available sources.
The controller declares that, within the context of personal data processing, personal data are not transferred to third countries outside the European Union or to international organisations, and processed personal data are not made public.
The controller may carry out automated decision-making, including profiling, for the purposes of direct marketing according to criteria determined by the controller. If the controller performs automated decision-making, including profiling, it shall determine the basic criteria on which such automated decision-making, including profiling, will be based.
VII. Purpose and Legal Basis of Personal Data Processing:
A/ Incoming and Outgoing Correspondence
For the purpose of fulfilling statutory record-keeping obligations, the controller records incoming and outgoing mail and processes the following personal data:
- identification data in the scope of name, surname, title,
- contact data in the scope of mailing address,
- data included in the communications of recipients and senders of correspondence.
These personal data are processed on the basis of Act No. 395/2002 Coll. on Archives and Registries and on the amendment of certain acts as amended. Provision of personal data is a legal obligation and failure to provide them would prevent the controller from fulfilling its statutory obligations.
The controller stores these personal data for 5 years from the first day of the calendar year in which the personal data for correspondence were obtained and for 3 years for the registers of incoming and outgoing correspondence.
B/ “Contact Form”
For the purpose of returning contact and handling any request or booking submitted during the business hours of the website visitor in the position of data subject, the controller processes the following personal data:
- identification data in the scope of first name,
- contact data in the scope of email and phone number,
- data contained in the text of the message.
These data are processed by the controller on the basis of its legitimate interests. Providing personal data in this case is neither a legal nor a contractual obligation. Failure to provide personal data would make it impossible to return contact and handle the request or booking by the controller.
The controller stores these personal data until the request or booking stated in the form is handled, but for no longer than 5 years from obtaining the personal data.
Third-party plugins (applications) such as Facebook, Google Plus, YouTube, Twitter, AddThis, Pinterest, Tumblr, etc., are connected to the controller’s website. These applications are stored and run on the servers of third parties. The controller has no influence over personal data protection when using third‑party applications.
The controller’s websites use third‑party add-ons that allow users to share, comment on and rate website content on social networks or register via a third‑party account. In such cases, the web browser creates a direct connection between the user and the third party, during which cookies are used and user data are transmitted between the websites, the user’s browser and the third party’s server. The data are generally not associated with the user’s personal data. The controller uses reliable sources of plugins and add‑ons on its pages but cannot guarantee their functionality or reliability.
If a user acts on these websites via social plugins, those actions may be displayed on third‑party websites depending on the user account settings (e.g., Facebook Like, Google Plus, Social sharing, etc.).
VIII. Recipients of Personal Data:
The controller provides personal data to third parties exclusively on the basis of a data processing agreement, in accordance with the purposes and legal bases stated above and in accordance with the Personal Data Protection Act and the GDPR.
Recipients of personal data are in particular processors providing the controller with accounting and HR services, recruitment services, delivery services, servicing, legal services, services related to debt collection, provision of technical and IT services, other advisory and consulting activities, etc.
Recipients of personal data are also the controller’s employees, provided that they have been instructed in accordance with the law and are bound by confidentiality, and only if making the personal data available to the controller’s employees is necessary to achieve one of the purposes of processing.
The controller shall provide or make available personal data to state administration authorities, public administration authorities or other state authorities and institutions if such provision or disclosure is in accordance with generally binding legal regulations of the Slovak Republic and where necessary to comply with the relevant legal regulation or an enforceable request from a public authority, to enforce contractual terms including monitoring compliance, to prevent or address fraud, technical and security incidents, and to exercise rights and claims in accordance with generally binding legal regulations of the Slovak Republic.
IX. Use of Cookies:
To facilitate user behaviour tracking on our website, we use log files known as cookies (i.e., identifiers that the web server sends to the browser on your end device). Cookies are temporary files; after you finish browsing, cookies are automatically deleted from your device.
When visiting this website, log files are generated with the following content:
- IP address
- page address
- information about the browser and operating system used
- the website from which you access our site
- date, time of access and location
The above information about on‑site behaviour is anonymised for maximum protection and therefore cannot be attributed to a specific user.
Cookies do not damage the end device, do not contain viruses, trojans or other harmful software, and do not permanently store data on the data subject’s device.
All cookies used are technical, functional or analytical cookies that serve to improve the functionality of the controller’s website.
Each data subject can configure their web browser to refuse the use of cookies or to allow only certain cookies. However, if cookies are not allowed, some functions may not work properly.
Cookie settings in the most common browsers:
- Chrome – support.google.com
- Firefox – support.mozilla.org
- Internet Explorer – support.microsoft.com
Details about the cookies used:
_projectlang – language retention for the system – approx. 12 years
ci_session – user session for the system – 11 days
_gid – Google Analytics – 1 day
_ga – Google Analytics – 2 years
_gat – Google Analytics – until the end of the session
X. Supervisory Authority
The Office for Personal Data Protection is a state administration authority with nationwide competence that participates in protecting the fundamental rights of natural persons in the processing of personal data and supervises personal data protection. Any data subject may contact the Office if they believe that their rights have been violated or are at risk.
Address of the Office for Personal Data Protection:
Hraničná 12
820 07 Bratislava 27
Slovak Republic
ID No.: 36064220
https://dataprotection.gov.sk
email: statny.dozor@pdp.gov.sk
Phone consultations in the area of personal data protection only on Tuesday from 8:00 to 12:00: +421/2/3231 3220
Requests
- Data subject’s request for access to personal data
- Data subject’s request for rectification/supplementation of personal data
- Data subject’s request for erasure of personal data