Information Obligation of the Company Prepared in Accordance with the Act on the Protection of Personal Data

Identification details of the Controller:

Snowflake Academy s. r. o., Company ID: 56787871, M. Pišúta 937/14, 031 01 Liptovský Mikuláš (hereinafter referred to as the “Company”) acts, in the processing of personal data of its employees, clients, customers or business partners (hereinafter referred to as the “data subject”), as the controller of information systems (hereinafter referred to as the “IS”).

Legal basis for processing the personal data of data subjects:

In the processing of personal data, the Company acts in accordance with Act No. 18/2018 Coll. on the Protection of Personal Data and on the amendment and supplementation of certain regulations (hereinafter referred to as the “Personal Data Protection Act”). The legal basis for the processing of personal data is the Personal Data Protection Act, special legal regulations, and consent to the processing of personal data, depending on the purpose of such processing.

If the purpose of the processing of personal data, the group of data subjects and the list of personal data is established directly by an enforceable act of the European Union, by an international treaty binding upon the Slovak Republic, by the Personal Data Protection Act or by a special act, the Company is, under the Personal Data Protection Act, authorized to process personal data without the consent of the data subject.

The Company processes personal data without the consent of the data subject if the purpose of the processing of personal data, the group of data subjects and the list of personal data or their scope is laid down by a directly enforceable legally binding act of the European Union, by an international treaty binding upon the Slovak Republic, or by this Act. If the list or scope of personal data is not determined, the Company may process personal data only to the extent and in the manner necessary to achieve the established purpose of processing, while observing the fundamental obligations under the Personal Data Protection Act.

The Company further processes personal data without the consent of the data subject if the purpose of processing personal data, the group of data subjects, and the list of personal data is determined by a special act, and only to the extent and in the manner established by such act. Personal data processed may be provided, made accessible, or disclosed from the information system only if the special act stipulates the purpose of provision, accessibility, or disclosure, the list of personal data which may be provided, made accessible, or disclosed, as well as the third parties to whom the personal data is provided, or the group of recipients to whom the personal data is made accessible, unless otherwise provided by the Personal Data Protection Act.

The Company processes personal data without the consent of the data subject also if:

a) the processing of personal data is necessary for the performance of a contract in which the data subject is one of the contracting parties, or in pre-contractual relations with the data subject, or in negotiations for the amendment of a contract carried out at the request of the data subject,

b) the processing of personal data is necessary to protect the life, health, or property of the data subject,

c) the subject of processing consists exclusively of the title, first name, surname, and address of the data subject without the possibility of assigning further personal data to them, and their use is intended solely for the needs of the controller in postal communication with the data subject and for the record-keeping of such data,

d) personal data already disclosed in accordance with the law is processed and the controller has duly marked it as disclosed; whoever claims to process disclosed personal data shall, upon request, prove to the authority that the processed personal data has already been lawfully disclosed,

e) the processing of personal data is necessary to protect the rights and legally protected interests of the controller or of a third party, except where such processing is overridden by the fundamental rights and freedoms of the data subject that are subject to protection under this Act.

If, with respect to the purpose of processing personal data established in a directly enforceable legally binding act of the European Union, in an international treaty binding upon the Slovak Republic, in the Personal Data Protection Act, or in a special act, the specific personal data to be processed cannot be determined in advance, the list of personal data may be replaced by the scope of personal data.

The Company is obliged, in such processing of personal data, to act in accordance with the Personal Data Protection Act, except for those controllers who process personal data for the purposes of judicial proceedings and in connection therewith.

If the Personal Data Protection Act does not apply to the processing of personal data, the Company, as controller, is authorized to process personal data only with the consent of the data subject.

The Company obtains the consent of the data subject without coercion and enforcement, and also without conditioning it by threat of refusal of contractual relations, services provided, or obligations arising for the controller from legally binding acts of the European Union, international treaties binding upon the Slovak Republic, or the law.

In case of refusal to provide personal data to the Company for purposes necessary for the provision of services or fulfillment of legal obligations, the Company is authorized to notify the data subject of the possible consequences of not providing personal data.

The data subjects agree that the Company, in the processing of personal data, may entrust such processing to a processor who processes personal data on behalf of the Company. After the termination of the purpose of personal data processing, the Company shall destroy such lawfully obtained personal data of data subjects within the period established by applicable legal regulations and in accordance with the Company’s internal regulation.

Purpose of processing personal data of data subjects:

The Company respects your privacy and considers the personal data provided as confidential.

For the quality provision of its services, the Company needs to know certain personal data of data subjects and needs to provide them to other recipients for the purpose of fulfilling legal obligations and ensuring the highest quality of services.

The Company processes the provided personal data for several purposes.

These include the personal data of job applicants and the personal data of its employees for the purposes of personnel and payroll administration, and related legal obligations arising from special legal regulations.

The Company further processes the personal data of its clients, customers, and business partners for the purpose of securing its business activities, taking into account the interests of its clients, customers, and business partners.

No processing of personal data for any other purpose takes place in the Company, which means that the Company collects, stores, and processes only the personal data of data subjects necessary for the fulfillment of the services it provides. The personal data provided is strictly protected against misuse by unauthorized third parties, by means documented in the adopted security project and the security directive in accordance with the Personal Data Protection Act.

In the processing of personal data of data subjects, the Company observes the fundamental obligations of the controller arising from the Personal Data Protection Act, which include, among others, the following obligations:

The Company always uses the personal data provided for a pre-determined purpose of processing, which is clear, precisely and specifically defined, and in compliance with the Constitution of the Slovak Republic, constitutional acts, laws, and international treaties binding upon the Slovak Republic.

The Company always defines the conditions of personal data processing in such a way that there is no restriction of the rights of the data subject established by law.

The Company acquires only such personal data of data subjects which, by their scope and content, correspond to the purpose of processing and are necessary to achieve it.

The Company ensures that the personal data of data subjects are processed exclusively in a manner corresponding to the purpose for which they were previously collected.

As controller, the Company is obliged to process only correct, complete, and, where necessary, updated personal data in relation to the purpose of processing. Incorrect and incomplete personal data must be blocked by the controller and, without undue delay, corrected or supplemented; if they cannot be corrected or supplemented so as to be correct, the Company shall clearly mark such personal data and, without undue delay, destroy them.

The Company ensures that the personal data of data subjects are processed in a form permitting the identification of individual data subjects for no longer than is necessary to achieve the purpose of processing.

The Company shall destroy in the prescribed manner those personal data whose purpose of processing has ended. After the termination of the defined purpose, the Company is authorized to process personal data to the necessary extent for research or statistical purposes in anonymized form. Personal data processed in this way may not be used by the controller to support measures or decisions taken against the data subject to restrict their fundamental rights and freedoms.

Processors:

The Company does not provide your personal data to third parties in violation of the Personal Data Protection Act or for the purpose of their collection, in conflict with your interests or instructions, and personal data is provided to a third party only within the scope of the purpose specified above.

In its business activities, the Company cooperates with several processors whose aim is to provide quality services, while these entities, in the performance of their contractual activities for the Company, process personal data of data subjects.

The Company hereby solemnly declares that in the selection of individual processors, it has taken into account their professional, technical, organizational, and personnel competence, as well as their ability to guarantee the security of the processed personal data through adopted security measures in accordance with the Personal Data Protection Act.

At the same time, in selecting a suitable processor, the Company has proceeded in such a way as to avoid endangering the rights and legally protected interests of the data subjects.

As controller, the Company has concluded with the processors, pursuant to the Personal Data Protection Act, written contracts on the protection of personal data processed by the processors, whom it has authorized to process personal data of data subjects only to the extent, under the conditions and for the purpose agreed in the contract, and in the manner in accordance with the Personal Data Protection Act.

Scope and list of processed personal data:

The Company processes in its information systems the personal data of data subjects to the extent necessary to achieve the defined purpose. This refers to the scope of personal data established by special legal regulations or to the extent of the consent of the data subject for the processing of their personal data.

The Company processes only personal data that has been provided voluntarily and to the necessary extent by the data subject themselves. The provision of personal data to the Company beyond the scope of special laws is voluntary.

Conditions and method of processing personal data of data subjects:

The Company processes in its information systems the personal data of data subjects by automated as well as non-automated means of processing.

The Company does not disclose the processed personal data, except in cases where this is required by a special legal regulation or by a decision of a court or another state authority.

The Company shall not process your personal data without your explicit consent or other legal basis for another purpose, nor to a greater extent than specified in this information and in the record sheets of the individual information systems of the controller.

Rights of the data subject related to the processing of their personal data:

The data subject has the right, on the basis of a written request to the Company, to require:

a) confirmation as to whether or not personal data concerning them is being processed,

b) in a generally comprehensible form, information about the processing of personal data in the information system to the extent defined by the Personal Data Protection Act; when a decision is issued under the Personal Data Protection Act, the data subject is entitled to become acquainted with the procedure of processing and evaluation of operations,

c) in a generally comprehensible form, precise information about the source from which their personal data was obtained for processing,

d) in a generally comprehensible form, a list of their personal data that are subject to processing,

e) the correction or destruction of their incorrect, incomplete, or outdated personal data that are subject to processing,

f) the destruction of their personal data whose purpose of processing has ended; if official documents containing personal data are subject to processing, they may request their return,

g) the destruction of their personal data that are subject to processing if the law has been violated,

h) the blocking of their personal data due to withdrawal of consent prior to the expiry of its validity period, if the Company processes personal data on the basis of the consent of the data subject.

The above rights of the data subject under letters e) and f) may be restricted only if such restriction arises from a special act, or if by their application the protection of the data subject would be violated, or the rights and freedoms of other persons would be infringed.

According to the Personal Data Protection Act, the data subject has the right, on the basis of a written request addressed to the Company, to object to:

a) the processing of their personal data which they assume are or will be processed for the purposes of direct marketing without their consent, and to request their destruction,

b) the use of personal data specified in the Personal Data Protection Act for the purposes of direct marketing in postal communication, or

c) the provision of personal data specified in the Personal Data Protection Act for the purposes of direct marketing.

According to the Personal Data Protection Act, the data subject has the right, on the basis of a written request addressed to the Company or personally, if the matter cannot be delayed, to object at any time to the processing of personal data in cases under the Personal Data Protection Act by stating legitimate reasons or by submitting evidence of unauthorized interference with their rights and legally protected interests, which are or may be harmed in a specific case by such processing of personal data; if there are no legal obstacles and it is proven that the objection of the data subject is justified, the Company is obliged to block the personal data the processing of which the data subject objected to, and destroy them without undue delay as soon as circumstances allow.

According to the Personal Data Protection Act, the data subject has the right, on the basis of a written request addressed to the Company or personally, if the matter cannot be delayed, to object at any time and not be subject to a decision of the Company which would have legal effects or significant impact on them, if such decision is issued exclusively on the basis of acts of automated processing of their personal data. The data subject further has the right to request the Company to review the issued decision by a method other than an automated form of processing, whereby the Company is obliged to comply with the request of the data subject, ensuring that the decisive role in reviewing the decision will be carried out by an authorized person; the controller shall inform the data subject of the method of review and the outcome of the findings within the period specified by the Personal Data Protection Act. The data subject does not have this right only if provided by a special act which regulates measures ensuring the legitimate interests of the data subject, or if, within pre-contractual relations or during the existence of contractual relations, the controller has issued a decision granting the request of the data subject, or if the controller has taken other appropriate measures under the contract to ensure the legitimate interests of the data subject.

If the data subject exercises their right:

a) in writing and it is clear from the content of the request that they are exercising their right, the request shall be deemed submitted under the Personal Data Protection Act; a request submitted by e-mail or fax shall be delivered in writing by the data subject no later than three days from the date of its dispatch,

b) personally in oral form into the record, which must clearly show who exercised the right, what they seek, when, and who drew up the record, including their signature and the signature of the data subject; the Company is obliged to provide a copy of the record to the data subject,

c) through the processor pursuant to letter a) or b), the processor is obliged to deliver such request or record to the Company without undue delay.

The data subject, in case of suspicion that their personal data is being unlawfully processed, may file a petition to initiate proceedings on the protection of personal data with the Office for Personal Data Protection of the Slovak Republic, with its seat at Hraničná 12, 820 07 Bratislava 27, Slovak Republic, or contact the Office through its website http://www.dataprotection.gov.sk.

If the data subject does not have full legal capacity, their rights may be exercised by their legal representative.

If the data subject is deceased, their rights under this Act may be exercised by a close person.

The Company shall handle the request of the data subject under the Personal Data Protection Act free of charge.

The Company shall handle the request of the data subject under the Personal Data Protection Act free of charge, except for reimbursement not exceeding the amount of purposefully incurred material costs associated with the making of copies, obtaining of technical carriers, and sending of information to the data subject, unless otherwise provided by a special act.

The Company is obliged to handle in writing the request of the data subject under the Personal Data Protection Act no later than 30 days from the date of receipt of the request.

The restriction of the rights of the data subject under the Personal Data Protection Act shall be notified by the Company without undue delay in writing to the data subject and to the Office for Personal Data Protection of the Slovak Republic.

The restriction of the rights of the data subject under the Personal Data Protection Act shall be notified by the Company without undue delay in writing to the data subject and to the Office for Personal Data Protection of the Slovak Republic.