1. Controller, declarations and guarantees
- STEINIGER | law firm, s.r.o., registered seat: Jasovská 17, 851 07 Bratislava, Slovak Republic, ID No.: 47 238 135, registered in the Commercial Registry of the Municipal Court Bratislava III, section: Sro, insert no.: 80481/B (hereinafter referred to as "Controller") processes personal data of the data subjects in its systems of personal data. Controller is responsible for the protection of personal data processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as "GDPR").
- In the event the data subject requests the legal services to be provided in the Czech Republic, the identification of Controller acting in this territory is STEINIGER law firm, s.r.o., registered seat: Národní 416/37, Staré Město, 110 00 Prague 1, Czech Republic, ID No.: 060 96 476 registered in the Municipal Court in Prague under file no.: C 276050 (hereinafter referred to as the "Czech Controller"). The terms and conditions of the data processing as mentioned below apply to the Czech Controller appropriately.
- As Controller cares about the protection of personal data and privacy of the data subject, he provides the data subjects not only with this comprehensive information about their data protection rights, but also with other information and explanations in order to provide a full transparency to the data processing and deepening mutual trust. Controller is taking regard to the provisions of Article 14 of GDPR.
- Controller assures the data subject that he never sells or otherwise commercially uses the personal data obtained from the data subject within a business cooperation with any third party and will never disclose personal data without an express, individual written consent or any similar authorization provided by the data subject.
- Controller ensures the data subject that he will never provide any personal data that is subject to processing in the Third Party's personal data information system without granting Controller with any specific written consent or sufficient written authorization; this shall not apply if Controller is obliged to provide personal data to the authorized state authorities in the exercise of their legal powers even without the consent of the data subject to applicable special laws, such as Money Laundering Act and other respectable laws, that may be subject to the lawful processing of the personal data.
- Controller declares, that he processes the minimum personal data needed to achieve the purpose of processing, which is defined primarily by the need to provide the legal services, taking a special regard on the time lapse of the processing and the extent of the data that is processed. Controller guarantees data subject safe and irreversible erasure of the personal data without delay after the end of the purpose of processing.
- Controller declares that in relation to the processing of personal data, there will be no decisions applied which are based solely on automated means of processing personal data, nor any kind of profiling in regards of the Article 22 (1) and Article 22 (4) of GDPR.
- Controller as a legal entity providing legal services also proceeds in accordance to the Slovak Act no. 586/2003 Coll. on advocacy and Czech Act no. 85/1996 Coll. on advocacy (hereinafter both referred to as "Act on advocacy"), which regulates the performance of the advocacy and the provision of individual legal services. Therefore, Controller warrants the data subject with an increased discretion and protection of their privacy by providing a special contractual liability of his employees and other co-workers for breach of confidentiality and unlawful disclosure of information related to the provision of legal services, including the personal data of clients or other physical persons involved in the legal affairs.
- Controller declares that he has taken reasonable technical, organizational and personnel measures to ensure the security of the processing of personal data, which are documented in GDPR Compliance project, with both standard and specific protection of personal data under Article 25 of GDPR ("privacy by default and privacy by design" measures).
- Controller declares that any personal data breach that might lead to a high risk for the rights and freedoms of the data subject shall be communicated to the data subject affected by this data breach, if any occurs.
2. Purpose of processing, scale of the data collected and the legal basis for the processing of personal data
- Controller processes personal data under the purposes of providing legal services under Act on advocacy, as individual Controller.
- The purpose of processing the personal data is the provision of legal services.
- Data subject for the purposes of the Document is any physical person whose personal data are processed for the purpose of providing legal services to a lawyer acting under the Act on advocacy irrespective of its procedural or contractual status in relation to Controller.
- The legal basis for the processing of personal data for the purpose of Section 2. - Point 2. of this Document is Act on advocacy.
- If you have given Controller consent to process your personal data, then the legal basis for their processing is this consent. It is our interest to stay in touch with each other. Therefore, we could let you know about news and references of our law firm, as well as the professional articles we publish. For this purpose, we hereby give you the opportunity to express your consent to the processing of your personal data for marketing purposes in the form of providing you with marketing information via Newsletter.
- If you give us your consent, it will be in full force and effect until it is revoked, and your personal data will be processed in the following scope: email address.
3. Processing period of personal data
- Controller processes the personal data during the duration of the legal services provided by the law firm. Upon termination of the provision of legal services, the entire related agenda, in particular all documents which have been entrusted to Controller by the client or which were given to Controller during the legal representation in the client's name, as well as personal data whose processing has been terminated, are handed to the new legal representative acting in the name of the client on the basis of the transmission protocol.
- In the case of the processing of personal data on the basis of consent, personal data will be processed for the entire period from the date of such consent until the moment of its withdrawal.
4. Identification of processors, subcontractors and third parties
- Controller when processing personal data of data subject for the purposes of Section 2. of this Document, uses the following sufficiently well-trusted and professionally competent business partners capable of guaranteeing the security of personal data processing of data subject, who have, within the meaning of Article 28 of the GDPR, the status of processor:
- accounting firm for the purpose of providing accounting, billing and payroll accounting services;
- business IT management company, for the management and maintenance of IT systems and IT security;
- a web hosting company to manage the web site and web components of Controller.
- Controller may involve other partners to process the personal data only according to a written authorization. These partners are considered as independent controllers, respectively third parties, which are considered as recipients of personal data of data subjects, in particular:
- a company authorized to carry out auctions and commission sales.
- According to the nature of the matter, factual state or the legal obligation, Controller might be obliged to provide the personal data without a consent of data subject to third parties, mainly:
- to the respective state authorities acting under the “Anti-money laundering Act”;
- to the Attorney Association under the conditions established by the Act on advocacy;
- to the General Courts regarding to cases regulated by the specific acts (for instance the Criminal Code, the Civil Procedure Code, the Administrative Procedure Code);
- to the Constitutional Court and its proceeding and on position of its judges;
- to the state authorities acting under the Criminal Procedure Code as amended and under the Criminal Code as amended;
- to the European Court of Justice and to the European Court of Human Rights;
- to the respective bailiffs and enforcement activities (Enforcement Code) as amended;
- to the insolvency administrators;
- to the notaries under the Notary Code as amended;
- to the Ministry of Justice under the Public sector registers Act as amended;
- to the courts’ interpreters and translators in the extent necessary for the proper performance of their activities;
- to the courts’ experts in the extent necessary for the proper performance of their activities;
- to the banks under the Act on banks as amended;
- to the other state authorities under the certain specific acts.
5. Transmission of personal data to a partner law firm
- In case the data subject requests Controller to provide legal services in the Czech Republic, the data subject grants Controller a power of attorney to represent the data subject in proceedings conducted before public authorities or other authorities acting in the Czech Republic, Controller shall provide the personal data of the data subject to his partner law firm - STEINIGER | law firm, s.r.o., registered seat: Národní 416/37, Staré Město, 110 00 Prague 1, ID No.: 060 96 476, registered in the Municipal Court in Prague under file no.: C 276050 (hereinafter referred to as the "Czech Controller") as the recipient of personal data.
- In case the data subject requests Controller to provide legal services in the Slovak Republic, the data subject grants Controller a power of attorney to represent the data subject in proceedings conducted before public authorities or other authorities acting in the Slovak Republic, the Czech Controller shall provide the personal data of the data subject to his partner law firm - STEINIGER | law firm, s. r. o., registered seat: Jasovská 17, 851 07 Bratislava, Slovak Republic, ID No.: 47 238 135, registered in the Commercial Register of the District Court Bratislava I, section: Sro, insert no.: 80481/B (hereinafter referred to as the "Controller") as the recipient of personal data.
6. Scope of the processed personal data
- Controller processes personal data of data subjects in accordance to the Act on advocacy to the extent that is necessary to achieve the purpose of personal data processing of data subject; as a rule, it is with regard to all personal data that are necessary and are an integral part of documents constituting the file of a particular legal matter, including related electronic documents, and electronic mail.
- Controller also processes particularly sensitive personal data belonging to a specific category of personal data within the meaning of Article 9 of GDPR to the extent necessary to prove, apply or defend legal claims before competent public authorities. Controller, within the internal processes and measures adopted in order to ensure the security of personal data processing, places increased emphasis on the protection of the specific personal data category.
- Controller currently on website www.steinigers.com (or on all relevant national domains, such as www.steinigers.sk and www.steinigers.cz, which only function as its language mutation with relevant content in an appropriate language) uses file type cookies. A cookie file is a small text file that the web site saves on your computer or mobile device while being browsed. Thanks to this file, the web site retains information about your steps and preferences (such as your login name, language, font size, and other delivery settings) for a certain time, so you do not have to retype it for the next time you visit the web site or browse its individual sub-pages.
- Controller uses its own cookies (i.e. first party cookies) in order to optimize the functions of the website and better user comfort of website’s visitors, as well as foreign cookies (i.e. third party cookies) to display so called behavioural advertising.
- The website also uses so-called short-term cookies, which are automatically erased from the computer system of the data subjects or of other end users of program applications once the use of the internet browser is finished. However, in some cases the processing of so-called long-term cookies may also occur. Long-term cookies remain in the end user’s equipment and allow Controller to recognize that the web site is being re-visited by the end-user device, which may, depending on the settings made by the user of the program application, be associated with e.g. remembering the default password for the program application.
- Controller informs data subjects and all visitors of the website about the fact that all the cookies files which the website can store in the terminal equipment of any visitor of the website can be controlled and deleted. Appropriate setting of the internet browser may ensure effective and complete prevention of cookies file usage. Concrete information and instructions on setting of certain type of internet browsers are available here: About Cookies - How to control cookies and information on erasing cookies from the user’s technical device user can be found here: About Cookies – How to delete cookies. Generally stated, it may be needed to turn on a feature that is commonly referred to as "tracking protection" in an internet browser.
- Controller informs Data subjects that in case of so-called third-party cookies that are used to display a behavioural advertisement, the website will require an explicit consent from data subject before installing these cookies on the device of end-user of the website.
- Controller of the website also uses web analytics service from company Google Inc., however, Controller does not process any personal data, neither any other identifiers usable for indirect identification (e.g., IP address) of data subjects. This does not mean that personal data are not processed by the company Google Inc., which is a provider of services - Google Analytics and Google AdWords.
- Controller can use Google Analytics and Google AdWords to generate online advertising through remarketing, i.e. outputs from Controller’s marketing communication may be displayed by different providers of digital service and of internet content including Google Inc., on various internet web sites which in the future, after the end of the Website visit, will be displayed on the device of end-user or data subject.
- Controller also uses Google Analytics reports to ensure more effective marketing communication, while it may lead to processing of demographic characteristics and interests concerning data subject (e.g., age, gender, interests) acquired by company Google Inc., which may also be used by Controller. However, Controller will not process personal data of data subject during the data processing by using Google Analytics because Controller will not dispose with adequate identifier, which would enable direct and indirect identification of data subject.
- Display of personalized advertisement banners by Google may be rejected by data subjects who use website via the following Google - Ads control.
- Any other information on the use of data by company Google Inc. in the context of website usage may be found by the data subject here: Google - Privacy - Partners.
- Controller informs data subjects that if the data subject is signed in to internet services provided by company Google Inc. during the visit or the usage of the website, Google Inc. may process personal data of the data subject. Controller does not affect, have impact on or participate in such data processing provided by Google Inc.
8. Social networks
- The official web site of Controller is: www.steinigers.com (i.e. all relevant national domains, such as www.steinigers.sk and www.steinigers.cz, which only function as its language mutation with relevant content in appropriate language). Controller’s official web site contains a number of additional modules (plugins) referring to the official Controller profiles set up on social networks websites operated by independent operators in position of a third party. These modules (plugins) can be activated via interaction initiated by the data subject (click on a pictogram belonging to social network Facebook, Twitter, LinkedIn, Google+). If the data subject does not interact by clicking on the pictogram, the plugins will not be activated and no data will be processed. In case of initiating any of the listed plugins referring to Controller’s profiles created on the social networks, the data of the data subject may be processed by the relevant controller of the social network. Controller does not affect or have impact on such data processing except the part within which Controller is capable of processing the content of Controller’s site created on the relevant social network under the terms of usage of the certain social network. Information about processing the personal and other data of data subjects by social network operators may be found here:
- Controller respects and complies with privacy policies adopted by the social network controllers specified in Section 8. - Point 1. of this Document. Controller manages its official profiles on the social networks specified in Section 8. - Point 1. of this Document and ensures the prompt and immediate removal of any offensive, abusive, hateful, vulgar, sexual, or extremist manifestations of other social network users that cannot be considered compatible with the exercise of the constitutionally enshrined freedom of expression in democratic society.
- Controller does not use social networks to obtain any other information and personal data on registered members of social network, as information and personal data provided or published by the data subject itself on the official Controller’s social network profile specified in Section 8. - Point 1. of this Document. Controller does not use (mainly does not acquire, notify, store, share, disclose) any information and personal data that were provided on the data subject’s private profile created on any of the social networks specified in Section 8. - Point 1. of this Document by the Data subject itself.
- Controller does not use social networks specified in Section 8. - Point 1. of this Document to ensure marketing communication, but exclusively for informational and educational purposes of his activities, the daily functioning of its team and professional focus.
9. Monitoring office space with the camera system
- Controller monitors premises located in the interior of Controller's office located at Ružinovská 42, 821 03 Bratislava, Slovak Republic (hereinafter referred to as "Office") under the provisions of Article 6 (1) letter (f) of GDPR for the purposes of asset protection, crime prevention as well as support for the internal security measures of Controller.
- Controller monitors premises located in the interior of Czech Controller's office located at Národní 416/37, Staré Město, 110 00 Prague 1, Czech Republic (hereinafter referred to as "Czech Office") under the provisions of Article 6 (1) letter (f) of GDPR for the purposes of asset protection, crime prevention as well as support for the internal security measures of Controller.
10. The access of Controller to cloud services
- Controller currently uses services of cloud computing services providers, primarily regarding cloud infrastructure as a service (IaaS), cloud-based software as a service (SaaS), while data storage, including personal data on remote virtual servers of cloud services provider or other processing operations of personal data of data subjects are being carried out. When using cloud computing services, Controller eliminates risks associated with potential leak of personal and confidential information to the greatest possible extent. For this purpose, Controller uses only verified providers of such services, who use advanced security solutions and comply with the strictest safety standards.
- Controller currently also uses its own data storage and own modern IT infrastructure, which provides clients with sufficient user comfort and the security of their data, including personal data.
- Controller is in the case of cloud services usage committed to:
- use cloud computing services only in justified cases, which with regard to the purpose of achieving the work objectives, costs, competitiveness and innovation cannot be equally effectively achieved by other means;
- use only well-verified cloud services providers capable of providing real and legal guarantees in order to achieve a sufficient level of security;
- review cloud services providers under the internal rules set by the internal safety directive;
- conclude an agreement on guarantees of services availability (i.e. SLA - Service Level Agreement) and on confidentiality compliance with the cloud services providers and contracts which are in compliance with the requirements of personal data protection under Article 28 (3) of GDPR;
- not use cloud computing services that may lead to the cross-border transmission of personal data to third countries not guaranteeing an adequate level of personal data protection except for the entities with their registered seat in the USA, which are certified in the system "Privacy Shield".
11. Cross-border transmission of personal data
- Controller will not perform any cross-border transmission of personal data obtained from the data subjects to a third country which does not provide an adequate level of personal data protection.
- None of the personal data that will be processed by Controller's business partners listed in Section 4. of this Document shall be transmitted from the territory of the Member States of the European Union to third countries.
12. Source of personal data
- The source of personal data, which are the subject of Controller’s data processing for the purpose of Section 2. - Point 2. of this Document, is primarily always data subject or other natural or legal person authorized to act on behalf of data subject based on written power of attorney, who is in position of a client of legal services in relation to Controller.
- Personal data which are the subject of data processing for the purposes of Section 2. - Point 2. of this Document may also come from:
- publicly available resources or from information sources of third parties if Controller has legal entitlement to obtain them when providing legal services under the Act on advocacy;
- procedural acts and documents of third parties that are being executed within various legal proceedings in which Controller participates as an advocate of any of the parties;
- procedural acts and documents of another advocate presuming that the advocate was in certain legal matter entitled by Controller by a substitute power of attorney, to execute legal services acts.
13. Information and guidance on rights of a data subject
- Controller cares for protection of your personal data, therefore, Controller seeks to ensure strong security through individual, modern, technical and organizational security measures, as well as through the ability to apply rights of data subject under GDPR, any time through a written, self-signed application from which your identity and the right you are applying for will be clear. The application for the exercise of the data subject’s rights may be addressed to Controller’s address of its registered seat. In case of any questions relating to the exercise of your rights as a Data subject, please do not hesitate to contact us. The contact details are listed in Section 1. - Point 1. of this Document.
- Since May 25, 2018, you are entitled to new rights that should provide you with more effective control and overview on your personal data processed by our company in a position of Controller. Specifically, it is the right to data access (GDPR, Article 15), the right to rectification (GDPR, Article 16), the right of deletion (GDPR, Article 17), the right to limit the processing (GDPR, Article 18), the right for accuracy of data (GDPR, Article 20). As a data subject you also have the right to file a complaint at any time to the supervisory authority - more information can be found at www.dataprotection.gov.sk.
- With regard to the terms of personal data processing adopted by Controller, we would like to inform you that you are not entitled to object to individual decisions based on automated processing (GDPR, Article 21 and Article 22) whereas we do not execute any processing operations with your personal data without human factor involvement exclusively through technologies and software tools used for personal data processing. The purpose of the information mentioned above is not to deter you from exercising your rights, but to provide you with some guidance for the purpose of a more efficient handling of this agenda.
- Every application for the exercise of right of the data subject under GDPR may be claimed on the basis of a written and self-signed application sent on the address of Controller’s registered seat. Please note that when processing your request, we may ask you for a trusted verification of your identity in case you request us to exercise your right in any other way than by a written letter with your own signature (e.g. by e-mail application) or personally at Controller's headquarters.
- Applying your rights as a data subject stated in Section 12. of this Document may also be pre-agreed at Controller's premises, however, personal verification of your identity by submitting your Identification Card is always required.
- In case we process your personal data based on your consent as a data subject to personal data processing, you always have the option to withdraw this consent at any time, even by e-mail sent from the e-mail address which is being processed with your other personal data and information.
- Every application for the exercise of the data subject’s rights delivered to us will be individually and competently assessed, while we will inform you on results of your application within one month of receipt of your application at the latest. Processing your application associated with the exercise of your data subject’s rights under GDPR is free of charge. If the response to your application is not in compliance with your opinion, you are pursuant to GDPR entitled to file a complaint to the supervisory authority (www.dataprotection.gov.sk) or reach for judicial protection directly at the adequate court.
- In case you have any questions regarding your personal data protection and exercise of your rights, please do not hesitate to contact us through the contact details posted at our website www.steinigers.com.
- Controller is entitled to limit the exercise of the data subject's right under certain legally set conditions, mainly if requested personal data (information) must remain confidential under the obligation of professional secrecy pursuant to Act on advocacy.
14. Contact information of a responsible person
- Controller has entrusted the supervision of the personal data protection to its employee, who is Controller’s contact person for the personal data protection.
- Contact information of the supervisory authorities is as follows:
For Slovak Controller:
Úrad na ochranu osobných údajov Slovenskej republiky
820 07 Bratislava
+421 /2/ 3231 3214
For Czech Controller:
Úřad pro ochranu osobních údajů
Pplk. Sochora 27
170 00 Praha 7
+420 234 665 111
Approved in Bratislava, Slovak Republic, on May 25, 2018
STEINIGER | law firm, s. r. o.
JUDr. Ondrej Steiniger, attorney at law and managing director