Privacy Policy of msg life Slovakia s.r.o. and msg life ag

Thank you for visiting this site and for your interest in msg life Slovakia s.r.o. The protection of your personal data is just as important to us as providing the best comprehensive services to our customers.

The domain www.msg-qatester-com.rucolabs.sk is owned by msg life Slovakia s.r.o., a subsidiary of msg life central europe gmbh, which in turn is owned by msg life ag (hereinafter referred to as “msg life”). This privacy policy outlines in detail what activities msg life undertakes during your visit to the website, what information may be collected in accordance with applicable data protection laws, and how such information is processed.

Your personal data is processed in accordance with the EU General Data Protection Regulation (“GDPR”), which also governs your rights as a data subject, as well as the applicable provisions of the Data Protection Act (in particular §§ 78 and 79), the Advocacy Act (§ 18), and other relevant legislation.

Your data is also shared with msg life in accordance with Article 6(1)(b) of the GDPR, if processing is necessary for the performance of a contract to which you, as the data subject, are a party. This also applies to data processing necessary prior to entering into a contract. The data shared with msg life complies with Act No. 18/2018 Coll. on Personal Data Protection and is also in line with the Federal Data Protection Act of the Federal Republic of Germany (“BDSG”) and the Slovak Republic (“SR”).

Any changes or amendments to this privacy policy will be published on this site in order to inform you about the data that msg life processes. The main categories of data protection information are listed below.

according to Articles 13 and 14 of the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR Regulation”) and §§ 19 and 20 of Act No. 18/2018 Coll. on Personal Data Protection and on amendments and supplements to certain laws (hereinafter referred to as “Personal Data Protection Act”).

The purpose of this information is to provide you with details about what personal data we process, how we handle it, for what purposes we use it, to whom we may disclose it, where you can obtain information about your personal data, and how to exercise your rights regarding personal data processing.

Identification and contact data

The controller processing your personal data is msg life Slovakia, s.r.o., Hraničná 18, 821 05 Bratislava, Company ID: (hereinafter referred to as the “controller”).

Contact details of the person responsible for supervising personal data processing: email: dpo3@proenergy.sk.

General description

If you send us a message via the web contact form, we may process your personal data to handle your electronic correspondence. Depending on the subject and content of your message, processing may be performed within the fulfillment of a contractual or pre-contractual relationship with you (providing information about our products/services, contract negotiations, contract performance, complaint handling, etc.), fulfillment of a legal obligation (e.g., reporting illegal activities, handling data subject requests, records management), or within legitimate interest (e.g., complaint handling, managing business partner records, processing unexpected/unrequested communication).

Details of personal data processing

1 Purpose of personal data processing and legal basis for processing

The purpose of personal data processing is:

processing electronic correspondence received through the web contact form.

Personal data are processed based on:

(1) Article 6(1)(c) GDPR: fulfillment of a legal obligation,
(2) Article 6(1)(b) GDPR: contractual and pre-contractual relationships with the data subject,
(3) Article 6(1)(f) GDPR: legitimate interest.

2 Identification of personal data processed of data subjects

Data subjects whose personal data we process:

natural persons – senders of electronic correspondence.

Scope of personal data we process:

personal data – identification and contact data, e.g., title, first name, last name, email address, job offer, notes, attachments.

3 Identification of recipients or other parties who may have access to personal data

4 Transfer of personal data to a third country/international organization

No transfer to a third country or international organization occurs.

5 Identification of the source from which personal data were obtained

Directly from the data subject.

6 Duration of personal data retention

Correspondence retention: 3 years.

7 Profiling

Profiling is not performed.

8 Obligation to provide personal data

Providing personal data is voluntary and initiated by the data subject. Depending on the subject and content of the handled correspondence, provision of personal data may be required (fulfillment of legal obligations or requirements within contractual or pre-contractual relationships with the data subject). If personal data are not provided, the controller may not be able to handle the electronic correspondence.

Data subject rights

The data subject has the right to request access from the controller to the personal data processed about them, the right to rectify personal data, the right to erase or restrict processing of personal data, the right to object to the processing of personal data, the right to not be subject to automated individual decision-making including profiling, the right to data portability, and the right to file a proposal to initiate proceedings with the supervisory authority. The data subject can exercise their rights by sending an email to: jobs.sk.life@msg.group, or in writing to the controller’s address.

according to the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR Regulation”) and Act No. 18/2018 Coll. on Personal Data Protection and on amendments and supplements to certain laws (hereinafter referred to as “Personal Data Protection Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data if you perform agreed work with us as an employee of a temporary employment agency.

Complete information is available upon request at the HR department and on the internal website.

Identification data

The controller processing your personal data is the company msg life Slovakia, s.r.o., Hraničná 18, 821 05 Bratislava, Company ID: (hereinafter referred to as the “controller”).

Contact details

If you have any uncertainties, questions concerning the processing of your personal data, suggestions, or complaints, or if you believe that your personal data are processed unlawfully or unfairly, or if you wish to exercise any of your rights, you can contact us at any time by sending an email to: jobs.sk.life@msg.group, or in writing to the address of the controller. The contact details of the person responsible for supervising personal data processing: email: dpo3@proenergy.sk.

Basic overview of processing activities

We may process your personal data within the following processing activities (IS):

Reporting of illegal activities

We may process your personal data if you have made a non-anonymous report of a possible illegal activity or if you are the subject or participant in an investigation of a possible illegal activity under a special legal regulation.

• Categories of data subjects – natural persons who submitted a report of illegal activity or a request for protection when reporting a serious illegal activity (or their close persons for whom protection is requested) and natural persons investigated based on the report.
• Categories of personal data – personal data contained in the report and data necessary for its review (mainly ordinary identification data about the reporter, persons involved in the violation, details of the report which may include data of various sensitivities).
• Retention period of personal data – 3 years (from the date of receipt of the report).
• Category of recipients (external) – (1) Office for the Protection of Whistleblowers of Illegal Activities, participants in the proceedings, other competent administrative authorities, Police Corps of the Slovak Republic, Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, other authorized subjects.

Promotion

We may process your photographs, video recordings, your reviews about us, and other information about you only to the extent and in the manner you have consented to the processing of personal data. If we have determined that consent is not necessary (redundant, requiring disproportionate effort, etc.) for the given purpose—for example, if you have participated or will participate in events organized by the controller for a wide audience—we may create and process photographs or other recordings within our legitimate interest. These obtained data can be used for positive promotion, documentation, and presentation purposes of the controller’s activities. It is in our interest to document the activities of the controller and present/promote them to build good internal relations as well as external relations towards the controller and maintain our good reputation. If you do not want your photographs, video recordings, or other related data to be used for documentation, presentation/promotion purposes, you can exercise your rights (object to processing or withdraw consent) through the contacts provided at the beginning of this information.

• Categories of data subjects – employees (including persons in similar employment relationships), other natural persons.
• Categories of personal data – personal data (common – mainly identification data, captured in photographs, video/audio recordings, other data related to personal expressions).
• Retention period of personal data – duration of the employment relationship or after the purpose ends (5 years), does not apply to documents/records with permanent documentary value under the Archives and Registries Act.
• Category of recipients (external) – (1) other authorized subject.

Temporary Employment Agency

If you are an employee of a temporary employment agency, we may process your personal data in connection with the fulfillment of your employment contract with your employer and within the fulfillment of our legal obligations, mainly maintaining records about you to ensure access to our premises, attendance records, safety and health protection at work, training, social services, ensuring suitable working conditions, and employment conditions.

• Categories of data subjects – agency employees, former agency employees.
• Categories of personal data – personal data (common – identification data, data within the scope of fulfilling the temporary assignment contract – may include data concerning personal, professional life, health data (e.g., work fitness, injury, pregnancy, etc.).
• Retention period of personal data – 5 years.
• Category of recipients (external) – 1a) Temporary Employment Agency, (1b) Foreign Police of the Slovak Republic, (1c) other authorized subjects, (2) Occupational Health and Safety service providers, trainers.

Technical and organizational measures

For the purpose of protecting your and our security (including your personal data), demonstrating compliance with our legal obligations, and demonstrating, asserting, or defending our legal claims or the claims of third parties, we may process records containing your personal data. This may include, for example:

1. records of your consent to data processing,
2. records of fulfillment of our information obligation towards you,
3. records of handling your requests,
4. records of permitted/assigned accesses and assets and their use if we have permitted/assigned them to you,
5. records necessary for investigating security incidents and breaches of personal data protection,
6. records (certificates) if we have trained you,
7. records if you have committed to confidentiality,
8. records if you have been part of our control activities, audits,
9. other records related to the implementation of adopted technical and organizational measures.

Processing is based on the legitimate interest of the controller and also a duty arising from the GDPR Regulation. Records may be used to hold you accountable and as evidence for asserting, enforcing, or defending legal claims of the controller or third parties (especially regarding threats/violations of security, including protection of human life and health, property, financial or property damage, interruption of activities, damage to reputation, leakage of know-how, etc.).

• Categories of data subjects – employees, responsible person, applicants exercising rights, persons to whom the controller fulfills obligations under the GDPR Regulation, persons involved or handled in the context of a security incident, intermediaries, other external subjects (e.g., consultants, auditors, lawyers called in regarding the matter), employees of authorities based on special legal regulations (e.g., supervisory authority employees within consulting, control activities), etc.
• Categories of personal data – personal data (common – identification, contact, which may be supplemented depending on the nature of the case by other necessary data of various kinds – e.g., login data, data on user/offender behavior (e.g., login/logout logs, activities), data necessary to verify the identity of the person requesting the exercise of rights, data indicating violations of internal regulations (e.g., circumventing security settings, etc.)).
• Retention period of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and Personal Data Security Policy (most records are kept for 3 years or less, records about deletions or containing contracts for 5 years, some records permanently – e.g., related to security incident handling, impact assessments, informing data subjects, etc.).
• Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, (1c) other authorized subject.

Data from some of the above processing operations may be used, where applicable and to the necessary extent, for proving, asserting, or defending our legal claims or the legal claims of third parties (for example, providing data to criminal authorities, bailiffs, lawyers, etc.), in court or out-of-court proceedings, debt collection, etc.

Some obtained personal data (e.g., certificates, records, other documents confirming the given fact, etc.) may be stored and used as “evidence” for audit purposes, control activities by third parties, verifying proper fulfillment of the controller’s obligations under legislative requirements or other requirements (contractual, sectoral, etc.).

Your rights

As a data subject whose personal data we process, you have, under the GDPR Regulation and the Personal Data Protection Act, rights related to the processing of personal data, namely the right to request access from the controller to personal data processed about you, the right to rectification (or completion) of personal data, the right to erasure or restriction of processing of personal data, the right to object to the processing of personal data, the right to not be subject to automated individual decision-making including profiling, the right to data portability, and the right to withdraw consent to the processing of personal data.

If you decide to exercise any of your rights, you can use our request form, which is available in the complete information about the processing of your personal data. If you are not satisfied with our response, or believe that we have violated your rights or process your personal data unfairly, unlawfully, etc., you have the right to file a complaint – a proposal to initiate proceedings with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

podľa Nariadenia Európskeho parlamentu a rady (EU) 2016/679 o ochrane fyzických osôb pri spracúvaní osobných údajov a o voľnom pohybe takýchto údajov (ďalej len „nariadenie GDPR“) a Zákona č. 18/2018 Z. z. o ochrane osobných údajov a o zmene a doplnení niektorých zákonov (ďalej len „zákon o OOÚ“).

Cieľom tohto prehľadu je poskytnúť Vám základné informácie o spracúvaní vašich osobných údajov, pokiaľ ste prejavili záujem o naše služby, alebo využívate naše služby.

Kompletné informácie sú dostupné na vyžiadanie na e-mailových adresách nižšie.

Identifikačné údaje

Prevádzkovateľom spracúvajúcim Vaše osobné údaje je spoločnosť msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, IČO: (ďalej len „prevádzkovateľ“).

Kontaktné údaje

V prípade nejasností, otázok týkajúcich sa spracúvania vašich osobných údajov, podnetov, alebo sťažností, ak sa domnievate, že vaše osobné údaje spracúvame nezákonne, alebo nespravodlivo, alebo v prípade uplatnenia niektorého z vašich práv sa na nás môžete kedykoľvek obrátiť zaslaním emailu: jobs.sk.life@msg.group, alebo písomne na adresu prevádzkovateľa. Kontaktné údaje zodpovednej osoby pre dohľad nad spracúvaním osobných údajov: email: dpo3@proenergy.sk.

Základný prehľad spracovateľských činností

Vaše osobné údaje môžeme spracúvať v rámci nasledovných spracovateľských činností (IS):

Účtovné doklady

Môžeme spracúvať vaše osobné údaje v súvislosti s plnením zmluvy s vami s cieľom plnenia účtovných a daňových povinností v zmysle osobitných právnych predpisov.

• Kategórie dotknutých osôb  – klienti/zmluvní partneri prevádzkovateľa, daňovníci prevádzkovateľa.
• Kategórie osobných údajov – osobné údaje identifikačné, kontaktné, finančné/platobné, iné údaje-podobnosti týkajúce plnenia zmluvy, účtovných a daňových povinností.
• Lehota na výmaz OÚ – 10 rokov.
• Kategória príjemcov (externí) – (1a) správca dane, (1b) audítory, (1c) iný oprávnený subjekt.

Oznamovanie protispoločenskej činnosti

Vaše osobné údaje môžeme spracúvať pokiaľ ste neanonymne podali oznámenie o možnej protispoločenskej činnosti, alebo pokiaľ ste predmetom, alebo účastníkom prešetrovania možnej protispoločenskej činnosti podľa osobitného právneho predpisu.

• Kategórie dotknutých osôb – fyzické osoby, ktoré podali oznámenie o protispoločenskej činnosti alebo žiadosť o poskytnutie ochrany pri oznámení závažnej protispoločenskej činnosti (prípadne ich blízke osoby o ktoré žiadajú ochranu) a fyzické osoby ktoré sú na základe oznámenia prešetrované.
• Kategórie osobných údajov – osobné údaje – uvedené v oznámení a údaje nevyhnutné na jeho preskúmanie (najmä bežné identifikačné osobné údaje o oznamovateľovi, osobách zapojených do porušenia, podrobnosti oznámenia (môžu obsahovať údaje rôznej citlivosti).
• Lehota na výmaz OÚ – 3 roky (odo dňa doručenia oznámenia).
• Kategória príjemcov (externí) – (1) Úrad na ochranu oznamovateľov protispoločenskej činnosti, účastníci konania, iný príslušný správny orgán, policajný zbor SR, prokuratúra SR, súdy SR, iný oprávnený subjekt.

Cookies

V prípade ak si prehliadate obsah našej webovej stránky, môžeme spracúvať vaše osobné údaje s cieľom poskytovania a zlepšovania služieb, vývoja nových služieb, ochrany používateľov a zabezpečovania efektívneho vyhľadávania a reklamy. V prípade údajov, ktoré nie sú výlučne technické, potrebujeme na takéto spracúvanie váš dobrovoľný súhlas s používaním cookies.

• Kategórie dotknutých osôb – používatelia webovej stránky prevádzkovateľa.
• Kategórie osobných údajov – osobné údaje (bežné – umožňujúce priamu, alebo nepriamu identifikáciu, lokalizačné údaje).
• Lehota na výmaz OÚ – po uplynutí doby súhlasu (ak súhlas dotknutá osoba neobnoví).
• Kategória príjemcov (externí) – (1) iný oprávnený subjekt.

Technické a organizačné opatrenia

S cieľom zachovávania vašej ako aj našej bezpečnosti (vrátane vašich osobných údajov), preukazovania plnenia našej zákonnej povinnosti a preukazovania, uplatňovania, obhajovania našich právnych nárokov, alebo nárokov tretích strán, môžeme spracúvať záznamy s vašimi osobnými údajmi. Podľa potreby sa môže jednať napríklad o:

1. záznamy o udelení vášho súhlasu so spracovaním údajov,
2. záznamy o splnení našej informačnej povinnosti voči vám,
3. záznamy o vybavení vašej žiadosti,
4. záznamy o povolených/pridelených prístupoch a aktívach a ich používaní, ak sme vám také povolili/pridelili,
5. záznamy, ktoré sú potrebné v rámci vyšetrovania bezpečnostných incidentov a porušení ochrany osobných údajov,
6. záznamy (potvrdenia), ak sme vás školili,
7. záznamy, ak ste sa zaviazali zachovávať mlčanlivosť,
8. záznamy, ak ste boli súčasťou našej kontrolnej činnosti, auditu,
9. iné záznamy súvisiace s výkonom prijatých technických a organizačných opatrení.

Spracúvanie je v oprávnenom záujme prevádzkovateľa a zároveň povinnosťou vyplývajúcou z nariadenia GDPR. Záznamy sa môžu použiť na vyvodenie zodpovednosti voči vám a ako dôkaz na preukazovanie, uplatňovanie, alebo obhajovanie právnych nárokov prevádzkovateľa, alebo tretej strany (najmä v súvislosti s ohrozením/narušením bezpečnosti vrátane ochrany ľudského života a zdravia, majetku, finančnej, alebo majetkovej ujmy, prerušením činnosti, poškodením dobrého mena, únikom know how a pod.).

• Kategórie dotknutých osôb – zamestnanci, zodpovedná osoba, žiadatelia o uplatnenie práv, osoby, voči ktorým si prevádzkovateľ plní povinnosti vyplývajúce z nariadenia GDPR, osoby zapojené, alebo riešené v rámci bezpečnostného incidentu, sprostredkovatelia, iné externé subjekty (ako napr. ak by boli prizvané osoby k riešenej problematike – konzultanti, audítori, právnici,) zamestnanci orgánov na základe osobitných právnych predpisov (napr. zamestnanci dozorného orgánu v rámci konzultačnej, kontrolnej činnosti) a pod.
• Kategórie osobných údajov – osobné údaje (bežné -identifikačné, kontaktné, ktoré však môžu byť podľa charakteru riešenej veci doplnené o ďalšie nevyhnutné údaje rôznej povahy- napr. o prihlasovacie údaje, údaje týkajúce sa správania používateľa/páchateľa (napr. logy prihlásenia, odhlásenia, činnosti), údaje nevyhnutné na overenie totožnosti osoby, ktorá požiadala o uplatnenie práva, údaje z ktorých vyplýva porušovanie interných predpisov (napr. obchádzane bezpečnostných nastavení a i.) a pod.
• Lehota na výmaz OÚ – podľa kapitoly “vedenie záznamov, archivácia” Politiky ochrany osobných údajov a Politiky bezpečnosti osobných údajov ( väčšina evidencií sa uchováva 3 roky a menej, evidencie o výmaze, alebo obsahujúce zmluvy 5 rokov, niektoré evidencie permanentne-napr. týkajúce sa riešenia bezpečnostných incidentov, posúdenia vplyvu, informovaní dotknutých osôb a pod.).
• Kategória príjemcov (externí) – (1a,5) zodpovedná osoba, Úrad na ochranu osobných údajov SR, (1b,5) Polícia, Prokuratúra SR, súdy SR, (1c) iný oprávnený subjekt.

Údaje z niektorých vyššie uvedených spracovateľských operácií sa v aplikovateľnom prípade a v nevyhnutnom rozsahu môžu použiť v rámci preukazovania, uplatňovania alebo obhajovania našich právnych nárokov, alebo právnych nárokov tretej strany (napríklad poskytnutie údajov orgánom činným v trestnom konaní, exekútorovi, advokátom, a pod.), v rámci súdnych, alebo mimosúdnych konaní, vymáhania pohľadávok a pod.

Niektoré získané osobné údaje (napr. potvrdenia, záznamy, iné doklady potvrdzujúce danú skutočnosť a pod.) sa môžu uchovávať a používať ako „dôkaz“ pre účely auditov, kontrolnej činnosti zo strany tretích strán, v rámci overovania riadneho plnenia povinností prevádzkovateľa v zmysle legislatívnych požiadaviek, alebo iných požiadaviek (zmluvných, sektorových a pod.).

Vaše práva

Ako dotknutá osoba, o ktorej spracúvame osobné údaje, máte v zmysle nariadenia GDPR a zákona o OOÚ práva v súvislosti so spracúvaním osobných údajov, a to právo požadovať od prevádzkovateľa prístup k osobným údajom, ktoré sú o vás spracúvané, právo na opravu (príp. doplnenie) osobných údajov, právo na vymazanie, alebo obmedzenie spracúvania osobných údajov, právo namietať voči spracúvaniu osobných údajov, právo na neúčinnosť automatizovaného individuálneho rozhodovania vrátane profilovania, právo na prenosnosť osobných údajov, právo odvolať súhlas so spracúvaním osobných údajov.

V prípade, ak sa rozhodnete využiť niektoré zo svojich práv, môžete na to využiť náš formulár žiadosti, ktorý je dostupný v kompletnej informácii o spracúvaní vašich osobných údajov. V prípade, ak nie ste spokojný s našou odpoveďou, alebo sa domnievate, že sme porušili vaše práva, alebo spracúvame vaše osobné údaje nespravodlivo, nezákonne a pod. máte možnosť podať sťažnosť – návrh na začatie konania dozornému orgánu, ktorým je Úrad na ochranu osobných údajov Slovenskej republiky.

According to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”) and Act No. 18/2018 Coll. on personal data protection and on the amendment and supplementation of certain laws (hereinafter referred to as the “Personal Data Protection Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data when you enter and move within our premises.

Complete information is available upon request at the Human Resources Department.

Identification and Contact Details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, Company ID (hereinafter referred to as the “controller”).

If you have any doubts, questions regarding the processing of your personal data, suggestions, or complaints, if you believe your personal data are processed unlawfully or unfairly, or in case of exercising any of your rights, you may contact us anytime by sending an email to: jobs.sk.life@msg.group, or in writing to the controller’s address.

Contact details of the person responsible for supervising personal data processing: email: dpo3@proenergy.sk.

Basic Overview of Processing Activities

We may process your personal data within the following processing activities (IS):

Technical and Organizational Measures

We may process records with your personal data as part of the implementation of technical and organizational measures adopted by the controller to ensure an adequate level of security, compliance with GDPR requirements, and prevention or elimination of adverse effects on data subjects and the controller. This may include, for example, records of employee training, confidentiality commitments of persons who come into contact with personal data, records of your consent given for data processing, records related to handling your requests to exercise rights, records related to security incidents and data protection breaches, records from control activities and audits you were part of, records of assignment/removal of assets and access rights, records related to the use of assigned assets, etc.

Processing is based on the legitimate interest of the controller and also an obligation arising from the GDPR Regulation. Records may be used to hold you accountable and as evidence for proving, enforcing, or defending legal claims of the controller or a third party (especially concerning threats or breaches of security including protection of human life and health, property, financial or asset damage, business interruption, damage to reputation, leakage of know-how, etc.).

• Categories of data subjects – employees, responsible person, applicants exercising rights, persons towards whom the controller fulfills obligations arising from GDPR, persons involved or addressed in security incidents, processors, other external subjects (e.g., consultants, auditors, lawyers), employees of authorities based on special legal regulations (e.g., employees of supervisory authorities in consultancy, control activities), etc.
• Categories of personal data – personal data (common – identification, contact data, which depending on the nature of the case may be supplemented with other necessary data of various kinds, e.g., login data, data related to user/offender behavior (e.g., login/logout logs, activity), data necessary to verify identity of the person who requested rights exercise, data indicating breaches of internal regulations (e.g., circumventing security settings), etc.
• Data retention period – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and the Data Security Policy (most records are kept for 3 years or less, records related to erasure or containing contracts 5 years, some records permanently – e.g., relating to security incident handling, impact assessments, notification of data subjects, etc.).
• Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Prosecutor’s Office, courts of the Slovak Republic, (1c) other authorized entities.

Data from some of the above processing operations may be used, where applicable and to the necessary extent, to prove, enforce or defend our legal claims or legal claims of third parties (e.g., providing data to law enforcement authorities, bailiffs, lawyers, etc.) within court or out-of-court proceedings, debt recovery, etc.

Some obtained personal data (e.g., confirmations, records, other documents confirming facts, etc.) may be kept and used as “evidence” for audits, control activities by third parties, for verifying the proper fulfillment of the controller’s obligations under legislative or other requirements (contractual, sectoral, etc.).

Your Rights

As a data subject whose personal data we process, you have rights under the GDPR Regulation and the Personal Data Protection Act related to personal data processing, namely the right to request from the controller access to your personal data processed about you, the right to rectify (or supplement) personal data, the right to erase or restrict the processing of personal data, the right to object to personal data processing, the right not to be subject to automated individual decision-making including profiling, the right to data portability, and the right to withdraw consent to personal data processing.

If you decide to exercise any of your rights, you may use our request form, which is available in the complete information on the processing of your personal data. If you are not satisfied with our response or believe that we have violated your rights or are processing your personal data unfairly or unlawfully, you may file a complaint – a proposal to initiate proceedings with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

According to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”) and Act No. 18/2018 Coll. on personal data protection and on the amendment and supplementation of certain laws (hereinafter referred to as the “Personal Data Protection Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data, if you are our business partner.

Complete information is available upon request at the Human Resources Department.

Identification and Contact Details

The controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, Company ID (hereinafter referred to as the “controller”).

If you have any doubts, questions regarding the processing of your personal data, suggestions, or complaints, if you believe that your personal data are processed unlawfully or unfairly, or in case of exercising any of your rights, you can contact us anytime by sending an email to: jobs.sk.life@msg.group, or in writing to the controller’s address.

Contact details of the person responsible for supervising personal data processing: email: dpo3@proenergy.sk.

Basic Overview of Processing Activities

We may process your personal data within the following processing activities (IS):

Accounting Documents

We may process your personal data in connection with fulfilling the contract with you for the purpose of meeting accounting and tax obligations under specific legal regulations.

• Categories of data subjects – clients/contractual partners of the controller, taxpayers of the controller.
• Categories of personal data – identification data, contact data, financial/payment data, other data related to contract fulfillment, accounting and tax obligations.
• Data retention period – 10 years.
• Category of recipients (external) – (1a) tax authorities, (1b) auditors, (1c) other authorized entities.

Reporting of Unlawful Conduct

We may process your personal data if you have submitted a non-anonymous report of possible unlawful conduct, or if you are the subject or participant in the investigation of possible unlawful conduct under a special legal regulation.

• Categories of data subjects – natural persons who submitted the report of unlawful conduct or request for protection when reporting serious unlawful conduct (or their close persons for whom protection is requested) and natural persons investigated based on the report.
• Categories of personal data – personal data included in the report and data necessary for its review (mainly usual identification personal data about the reporter, persons involved in the violation, details of the report (may include data of various sensitivity).
• Data retention period – 3 years (from the day the report was received).
• Category of recipients (external) – (1) Office for the Protection of Whistleblowers of Unlawful Conduct, participants in proceedings, other competent administrative authorities, Police Corps of the Slovak Republic, Prosecutor’s Office of the Slovak Republic, courts of the Slovak Republic, other authorized entities.

Business Partner Records

We may process your identification and contact data if you are our business partner (or a designated contact person of the partner), and we need these data for the fulfillment of our business relationships. The legal basis is legitimate interest.

• Categories of data subjects – business partners of the controller and employees of the business partner.
• Categories of personal data – personal data (common – identification and contact data in the scope of a business card).
• Data retention period – 10 years.
• Category of recipients (external) – (1) other authorized entities.

Technical and Organizational Measures

For the purpose of maintaining your and our security (including your personal data), proving the fulfillment of our legal obligations and demonstrating, enforcing, defending our legal claims or claims of third parties, we may process records with your personal data. These may include, for example:

1. records of your consent given for data processing,
2. records of fulfilling our information obligation towards you,
3. records about handling your requests,
4. records about authorized/assigned accesses and assets and their use if granted/assigned to you,
5. records necessary for investigating security incidents and data protection breaches,
6. records (confirmations) if we have trained you,
7. records if you have committed to confidentiality,
8. records if you were part of our control activities, audit,
9. other records related to the implementation of adopted technical and organizational measures.

Processing is in the legitimate interest of the controller and also an obligation arising from the GDPR Regulation. Records may be used to hold you accountable and as evidence for proving, enforcing, or defending legal claims of the controller or a third party (especially concerning threats or breaches of security including protection of human life and health, property, financial or asset damage, business interruption, damage to good reputation, leakage of know-how, etc.).

• Categories of data subjects – employees, responsible person, applicants for rights exercise, persons to whom the controller fulfills obligations arising from the GDPR Regulation, persons involved or addressed in security incidents, processors, other external subjects (e.g., consultants, auditors, lawyers), employees of authorities based on special legal regulations (e.g., employees of supervisory authorities within consultancy and control activities), etc.
• Categories of personal data – personal data (common – identification, contact, which may be supplemented according to the nature of the case by other necessary data of various types, e.g., login data, data related to user/culprit behavior (e.g., login/logout logs, activities), data necessary to verify identity of the person who requested the exercise of a right, data indicating breaches of internal regulations (e.g., circumventing security settings), etc.
• Data retention period – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and Data Security Policy (most records are kept for 3 years or less, records about erasure or containing contracts 5 years, some records permanently – e.g., relating to security incident handling, impact assessments, notification of data subjects, etc.).
• Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection of the Slovak Republic, (1b,5) Police, Prosecutor’s Office, courts of the Slovak Republic, (1c) other authorized entities.

Data from some of the above processing operations may be used where applicable and to the necessary extent to prove, enforce, or defend our legal claims or legal claims of third parties (e.g., providing data to law enforcement agencies, bailiffs, lawyers, etc.) within court or out-of-court proceedings, debt collection, etc.

Some obtained personal data (e.g., confirmations, records, other documents confirming the fact, etc.) may be kept and used as “evidence” for audits, control activities by third parties, for verifying proper fulfillment of the controller’s obligations under legislative or other requirements (contractual, sectoral, etc.).

Your Rights

As a data subject whose personal data we process, you have rights under the GDPR Regulation and the Personal Data Protection Act related to personal data processing, namely the right to request from the controller access to your personal data processed about you, the right to rectify (or supplement) personal data, the right to erase or restrict the processing of personal data, the right to object to personal data processing, the right to not be subject to automated individual decision-making including profiling, the right to data portability, and the right to withdraw consent to personal data processing.

If you decide to exercise any of your rights, you may use our request form, which is available in the complete information on the processing of your personal data. If you are not satisfied with our response, or you believe that we have violated your rights or are processing your personal data unfairly or unlawfully, you have the option to file a complaint – a proposal to initiate proceedings with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

According to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”) and §§ 19 and 20 of Act No. 18/2018 Coll. on personal data protection and on the amendment and supplementation of certain laws (hereinafter referred to as the “Personal Data Protection Act”).

The purpose of this information is to provide you with details on what personal data we process, how we handle it, for what purposes we use it, to whom we may disclose it, where you can obtain information about your personal data, and how to exercise your rights regarding personal data processing.

Identification and Contact Details

The data controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, (hereinafter referred to as the “controller”).

Contact details of the responsible person for supervision over personal data processing: email: dpo3@proenergy.sk.

If you have expressed interest in working with us (e.g., by submitting a job application, sending a CV, etc.), we will process your personal data as follows:

1 Purpose of personal data processing and legal basis

The purpose of personal data processing is:

selection of suitable employees.

Personal data are processed on the basis of:

• (1) Article 6(1)(b) of the GDPR Regulation: contractual and pre-contractual relationship with the data subject,
• (2) Article 6(1)(c) of the GDPR Regulation: Act No. 311/2001 Coll. Labour Code as amended, Act No. 5/2004 Coll. on Employment Services and on the Amendment and Supplementation of Certain Acts,
• (3) Article 6(1)(a) of the GDPR Regulation: consent of the data subject (in case of data provided through a referring employee, retention of the CV for future recruitment processes),

2 Identification of personal data processed concerning data subjects

Data subjects whose personal data we process:

job applicants.

Scope of personal data we process:

personal data contained in the CV and accompanying documents and resulting from the assessment of the suitability of the job applicant.

These are mainly identification and contact data, data concerning habits, preferences indicated in the CV or directly during the job interview, financial data – e.g., requested or offered salary.

3 Identification of recipients or other parties who may have access to personal data

4 Transfer of personal data to a third country/international organization

No transfer to a third country takes place. Transfer within the international organization only occurs within the msg group.

5 Identification of the source from which personal data were obtained

Directly from the data subject, or with consent, from another person (referring employee).

6 Retention period of personal data

3 years.

7 Profiling

Profiling involving automated individual decision-making including profiling is not performed.

8 Obligation to provide personal data

Failure to provide personal data necessary for selecting a suitable candidate may result in non-selection and inability to assess the candidate’s abilities and qualities.

Providing personal data from the referring employee is only possible with your voluntary consent. If you do not provide consent, CV, or other data through the referring employee, you may provide personal data directly to us.

If you wish to participate in future selection procedures, you need to give us your voluntary consent. Without such consent, the controller will not process personal data longer than necessary to assess the candidate’s suitability for the specific job position.

Providing personal data processed under the Labour Code and special laws is a legal/contractual requirement, or a requirement necessary to conclude a contract. The data subject is obliged to provide personal data, and if not provided, the controller will not conclude or fulfill the contract with the data subject.

Rights of the data subject

The data subject has the right to request access from the controller to the personal data processed about them, the right to rectify personal data, the right to erase or restrict the processing of personal data, the right to object to the processing of personal data, the right not to be subject to automated individual decision-making including profiling, the right to data portability, as well as the right to file a proposal to initiate proceedings with the supervisory authority.

If the controller processes personal data based on the consent of the data subject, the data subject has the right to withdraw consent to personal data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject may exercise their rights by sending an email to: jobs.sk.life@msg.group, or in writing to the controller’s address.

If you voluntarily provide us with consent to the processing of personal data, we will, as part of our legitimate interest and also in fulfillment of a legal obligation, keep evidence of the consent provided (in the scope of the wording of the given consent) for 3 years after its expiration.

We may store it as “evidence” for audits, control activities by third parties, verifying proper fulfillment of the controller’s obligations under legislative or other requirements (contractual, sectoral, etc.), or use it to demonstrate, assert, or defend our legal claims (e.g., providing data to law enforcement authorities, lawyers, etc.) in judicial or extrajudicial proceedings, and so forth.

According to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”) and Act No. 18/2018 Coll. on personal data protection and on the amendment and supplementation of certain laws (hereinafter referred to as the “Personal Data Protection Act”).

The purpose of this overview is to provide you with basic information about the processing of your personal data when you perform work for us based on an employment relationship or a similar employment-law relationship.

Complete information is available from the HR department upon request.

Identification and Contact Details

The data controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava, Company ID: (hereinafter referred to as the “controller”).

In case of uncertainties, questions regarding the processing of your personal data, suggestions, or complaints, if you believe that we process your personal data unlawfully or unfairly, or if you wish to exercise any of your rights, you can contact us at any time by sending an email to: jobs.sk.life@msg.group, or in writing to the controller’s address.

Contact details of the responsible person for supervision over personal data processing: email: dpo3@proenergy.sk.

Basic Overview of Processing Activities

Personnel and Payroll (PAM)

We process your personal data for the purpose of managing personnel and payroll agendas, fulfilling the employer’s statutory obligations and obligations related to the employment relationship or similar employment relationship, including pre-contractual relations, contract amendment negotiations, or based on your voluntary consent, or within the scope of the legitimate interest of the controller or a third party in connection with:

1. processing contact data within the fulfillment of work duties and ensuring crisis management and continuity management (IS 1.10, 1.11),
2. sharing data within the corporate group for internal administrative purposes (mainly maintaining internal records, contacting, cooperation, training, approval of remuneration/benefits) (IS 1.22).

• Categories of data subjects – job applicants, employees, former employees (including persons in a similar employment-law relationship), depending on the nature of the processing operation, personal data may also concern spouses of employees, dependent children of employees, parents of dependent children of employees, close persons.
• Categories of personal data – individual PAM agendas contain personal data (including sensitive personal data – especially concerning health) that are significant regarding the work the employee is to perform, is performing, or has performed.
• Retention period of personal data – for the time necessary to fulfill the purpose, according to the Archives and Registries Act (maximum 70 years in the case of employee personal files, counted from birth).
• Category of recipients (external) – (1) institutions and organizations, contractual partners permitted by special legal regulations, including state administration and public authorities for control and supervision, (2) processors, (4) contractual partners to whom provision is required for fulfilling the contract between data subjects and the controller, (5) personal data may in certain cases be shared within the scope of legitimate interest, (3) if you have given voluntary consent or instructed us to provide data, your personal data may also be shared with other recipients.

Registry Management (and correspondence)

We may process your personal data based on legal obligation for registry management and mail records. Processing of correspondence data may be performed as part of contractual or pre-contractual relations (contract negotiation, contract fulfillment, accounting, complaints handling, etc.), legal obligation fulfillment (e.g., reporting unlawful activity, handling data subject requests, registry management), or legitimate interest (e.g., handling complaints, maintaining business partner records, processing unsolicited communications).

• Categories of data subjects – natural persons – senders and recipients of correspondence.
• Categories of personal data – personal data (common identification data such as title, name, surname, signature, address, email address, telephone number, other data of varying sensitivity within communication under Act No. 305/2013 Coll. or voluntarily provided within communication).
• Retention period of personal data – maximum 10 years (registry log), 5 years for regular and official correspondence.
• Category of recipients (external) – (1) Ministry of Interior of the Slovak Republic, other authorized entity.

Reporting Unlawful Activity

We may process your personal data if you have submitted a non-anonymous report of possible unlawful activity, or if you are the subject or participant in the investigation of possible unlawful activity under special legal regulation.

• Categories of data subjects – natural persons who submitted the report of unlawful activity or a request for protection when reporting serious unlawful activity (or their close persons for whom protection is requested) and natural persons investigated based on the report.
• Categories of personal data – personal data stated in the report and data necessary for its review (especially common identification data about the reporter, persons involved in the violation, details of the report (may include data of varying sensitivity)).
• Retention period of personal data – 3 years (from the date the report was received).
• Category of recipients (external) – (1) Office for the Protection of Whistleblowers, participants in the proceedings, other competent administrative authority, Police of the Slovak Republic, Prosecution of the Slovak Republic, Courts of the Slovak Republic, other authorized entity.

Promotion

We may process your photographs, videos, your reviews about us, and other information about you only to the extent and manner you have consented to the processing of personal data. In cases where we determine that consent is not necessary (redundant, requiring disproportionate effort, etc.) within the given purpose, for example, if you have participated or will participate in events organized by the controller for a wide audience, we may produce and process photographs or other records within our legitimate interest. These obtained data may be used for positive promotion, documentation, and presentation purposes of the controller’s activities. It is in our interest to document and present/promote the controller’s activities to build good internal and external relationships and maintain our good reputation. If you do not want your photographs, videos, or other related data to be used for documentation, presentation, or promotional purposes, you can exercise your rights (object to processing or withdraw consent) via the contacts provided at the beginning of this information.

• Categories of data subjects – employees (including persons in similar employment-law relationships), other natural persons.
• Categories of personal data – personal data (common – mainly identification data captured in photographs, video/audio recordings, other personal expressions).
• Retention period of personal data – duration of employment or after the end of the purpose (5 years), does not apply to documents/records with permanent documentary value under the Archives and Registries Act.
• Category of recipients (external) – (1) other authorized entity.

Technical and Organizational Measures

To ensure your and our security (including your personal data), to demonstrate fulfillment of our legal obligation and to assert, exercise, defend our legal claims or those of third parties, we may process records with your personal data. This may include, for example:

1. records of your consent to data processing,
2. records of fulfilling our information obligation towards you,
3. records of handling your requests,
4. records of permitted/assigned accesses and assets and their use if granted/assigned to you,
5. records necessary for investigating security incidents and personal data protection breaches,
6. records (confirmations) of training provided to you,
7. records if you committed to confidentiality,
8. records if you were part of our control activities, audits,
9. other records related to the implementation of accepted technical and organizational measures.

Processing is based on the legitimate interest of the controller and also on a duty arising from the GDPR Regulation. Records may be used to establish responsibility towards you and as evidence for asserting or defending legal claims of the controller or third parties (especially regarding threats/breaches of security including protection of human life and health, property, financial or material damage, disruption of activities, reputational damage, know-how leaks, etc.).

• Categories of data subjects – employees, responsible persons, applicants exercising rights, persons against whom the controller fulfills GDPR obligations, persons involved or handled within security incidents, intermediaries, other external subjects (e.g., consultants, auditors, lawyers called to address issues), employees of authorities under special laws (e.g., supervisory authority employees during consulting and control activities), etc.
• Categories of personal data – personal data (common – identification, contact data, which may be supplemented depending on the case with other necessary data of various types, e.g., login credentials, user/perpetrator behavior data (login/logout logs, activity), data needed to verify identity of person exercising rights, data revealing internal rules violations (e.g., circumventing security settings), etc.).
• Retention period of personal data – according to the chapter “record keeping, archiving” of the Personal Data Protection Policy and Security Policy (most records are kept 3 years or less, deletion records or those containing contracts 5 years, some permanently – e.g., related to security incident resolution, impact assessments, notifications to data subjects, etc.).
• Category of recipients (external) – (1a,5) responsible person, Office for Personal Data Protection SR, (1b,5) Police, Prosecution, Courts of the Slovak Republic, (1c) other authorized entity.

Some data from the above processing operations may be used, if applicable and to the necessary extent, to demonstrate, assert, or defend our or third parties’ legal claims (e.g., providing data to law enforcement, executors, lawyers, etc.) in judicial or extrajudicial proceedings, debt collection, etc.

Some personal data (e.g., confirmations, records, other documents confirming facts) may be stored and used as “evidence” for audits or control activities by third parties, verifying compliance with legal or other obligations (contractual, sectoral, etc.).

Your Rights

As a data subject whose personal data we process, you have rights under the GDPR Regulation and the Personal Data Protection Act related to personal data processing, including the right to request access to your personal data processed by the controller, the right to rectification (or completion), the right to erasure, or restriction of processing, the right to object to personal data processing, the right not to be subject to automated individual decision-making including profiling, the right to data portability, and the right to withdraw consent to personal data processing.

If you decide to exercise any of your rights, you may use our request form available in the complete information on personal data processing. If you are dissatisfied with our response or believe we violated your rights or process your personal data unlawfully or unfairly, you may file a complaint – a proposal to initiate proceedings with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic.

According to Articles 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”) and §§ 19 and 20 of Act No. 18/2018 Coll. on personal data protection and on the amendment and supplementation of certain laws (hereinafter referred to as the “Personal Data Protection Act”).

The purpose of this information is to provide you with details about what personal data we process, how we handle it, for what purposes we use it, to whom we may provide it, where you can obtain information about your personal data, and how to exercise your rights related to personal data processing.

Identification and Contact Details

The data controller processing your personal data is msg life Slovakia, s. r. o., Hraničná 18, 821 05 Bratislava (hereinafter referred to as the “controller”).

If you have any uncertainties, questions regarding the processing of your personal data, suggestions, or complaints, or if you believe that your personal data are processed unlawfully or unfairly, or if you wish to exercise any of your rights, you can contact us at any time by sending an email to: jobs.sk.life@msg.group, or in writing to the address of the controller. We will try to respond as soon as possible, but at the latest within 1 month from receipt. In certain cases, we may need additional information to identify and verify your identity to process your request.

Received questions, suggestions, requests for exercising your rights, etc. may be provided to our external responsible person, who ensures independent supervision of proper and secure processing of your personal data. If interested, you can also contact the responsible person directly at: email: dpo3@proenergy.sk.

If you have knowledge or suspicion of a security breach affecting personal data, i.e., a personal data breach, please inform us immediately by sending an email to: jobs.sk.life@msg.group.

Overview of Processing Activities

We may process your personal data within the following processing activities (IS):

• Registry Management (and correspondence) – your personal data may be processed under legal obligation for registry management and mail records. Processing of correspondence data may be performed as part of contractual or pre-contractual relations (contract negotiation, contract fulfillment, accounting, complaints handling, etc.), legal obligation fulfillment (e.g., reporting unlawful activity, handling data subject requests, registry management), or legitimate interest (e.g., handling complaints, maintaining business partner records, processing unsolicited communications).
• Reporting Unlawful Activity – your personal data may be processed if you have submitted a non-anonymous report of possible unlawful activity or if you are the subject or participant of an investigation of possible unlawful activity under specific legal regulations.
• Corporate Agenda – we may process your personal data if you are a shareholder of the controller for the purpose of fulfilling corporate obligations. The legal basis is legal obligation.
• Promotion – we may process your photographs, videos, reviews, and other information about you only to the extent and manner for which you have given consent. If we determine consent is not necessary (e.g., for events open to a wide audience), we may process photos or other records under our legitimate interest for positive promotion, documentation, and presentation purposes. If you do not want your photos or videos to be used for such purposes, you can exercise your rights (object to processing or withdraw consent) via the contacts at the beginning of this information.
• Cookies – when browsing our website, we may process your personal data to provide and improve services, develop new services, protect users, and ensure effective search and advertising. For data beyond technical, your voluntary consent to cookies is required.
• Technical and Organizational Measures – to ensure your and our security (including your personal data), compliance with legal obligations, and assertion of rights, we may process records with your personal data, such as:
• records of your consent to data processing,
• records of fulfilling our information obligations to you,
• records of handling your requests,
• records of permitted/assigned access and assets usage, if
• we have granted/assigned them to you,
• records necessary for investigating security incidents and
• personal data protection breaches,
• records (confirmations) of training provided to you,
• records if you have committed to confidentiality,
• records if you were part of audits or control activities,
• other records related to implementing technical and organizational measures.

Processing is based on the legitimate interest of the controller and also a duty arising from the GDPR Regulation.

Records may be used to establish liability towards you and as evidence for asserting or defending legal claims of the controller or third parties (especially concerning threats/violations of security including protection of life, health, property, financial or material damage, business interruptions, reputational harm, know-how leaks, etc.).

Data from some of the above processing operations may, where applicable and necessary, be used to demonstrate, assert, or defend our or third parties’ legal claims (e.g., providing data to law enforcement authorities, bailiffs, lawyers, etc.) within judicial or extrajudicial proceedings, debt collection, etc.

Some personal data (e.g., confirmations, records, other documents confirming facts) may be stored and used as “evidence” for audits, control activities by third parties, or compliance verification with legislative or other requirements (contractual, sectoral, etc.).

Some data may be used for internal statistical purposes, process and service improvement, but only to the necessary extent and, where possible, using security measures like anonymization, pseudonymization, or encryption.

Additional General Information

We process your personal data within the above processing activities in accordance with data processing principles to ensure we only process personal data to the necessary extent to achieve the specified legal purpose and keep them only as long as necessary under current laws (especially the archives and registries act). Retention periods are stated in the “Details of Processing Activities” section. These periods may be extended in exceptional cases, especially for asserting or defending legal claims.

We primarily collect your personal data directly from you as the data subject (or your legal representative). If we obtain data from other sources, we will transparently inform you and ensure such data was obtained lawfully (e.g., with your consent) and is accurate and up to date. Please report any changes to your personal data promptly.

Access to your personal data is granted only to authorized persons who are properly trained about data protection rules and responsibilities and committed to confidentiality.

Access may also be granted to external recipients or other parties where permitted or required by law or public authority, including organizations and institutions (such as state administration and public authorities for supervision and control), contractual partners acting as independent controllers, or other legally regulated persons/entities. We may also share data with processors contractually obligated to maintain adequate data protection guarantees.

Personal data may be shared within the msg life group for internal administrative purposes or with another party under legitimate interest. If you have given voluntary consent or instructed us, your personal data may also be shared with additional recipients. Data may also be shared with contractual partners for contract fulfillment between you and the controller. Specific recipient lists per processing activity are in the “Details of Processing Activities” section.

We inform you about any transfers of personal data to third countries or international organizations. Details and safeguards for such transfers are included in the relevant “Details of Processing Activities” section, e.g., (i) Commission adequacy decisions, (ii) standard contractual clauses, (iii) binding corporate rules, or (iv) exceptions like explicit consent.

These and other detailed processing information are provided separately for each processing activity in the “Details of Processing Activities” section.

Your Rights

As a data subject whose personal data we process, you have rights under GDPR and the Personal Data Protection Act related to data processing. Below is an overview. To exercise your rights, you may use our attached request form and send it to the contact listed at the beginning of this information. If unsure or needing assistance filling the request, contact our external responsible person (contact info above).

Right of Access

You can request information from us about how we process your personal data, including details on:

• the purpose of processing,
• categories of personal data processed,
• data recipients,
• retention period or criteria,
• your rights,
• data source if not obtained directly from you,
• automated decision-making (profiling),
• data transfers outside the EU/EEA or to international organizations and protection measures.

All this information is available here. Upon your request, we will provide a copy of your personal data we process. Additional copies may incur reasonable administrative fees.

This right must not adversely affect others’ rights. We will inform you about the procedure, possible costs, and details after receiving your request. Electronic requests will be answered electronically unless you request otherwise.

Note: You can exercise this right simply via request form section “D” (Attachment 1).

Right to Data Portability

You have the right to receive your personal data provided to us based on consent or contract in a structured, commonly used, machine-readable format and request transfer to another controller.

Note: Exercise via request form section “E” (Attachment 1).

Right to Rectification

It is important we hold accurate and complete data to avoid errors or issues. You have the right to immediate correction or completion of inaccurate or incomplete personal data. Please notify changes promptly.

Note: Exercise via request form sections “A” or “B” (Attachment 1).

Right to Erasure (“Right to be Forgotten”)

You may request deletion of your personal data if:

• data is no longer necessary,
• you withdraw consent and no other legal basis exists,
• you object to processing and no overriding legitimate interest exists,
• data was unlawfully processed,
• deletion is required by law,
• data was collected in relation to information society services to a child.

For example, you may request deletion if we process your data unlawfully or longer than necessary.

However, deletion may be denied if processing is needed for freedom of expression, legal obligation, public interest, archiving, or legal claims.

Note: Exercise via request form section “C” (Attachment 1).

Right to Restrict Processing

You have the right to restrict processing in cases such as:

• disputing accuracy during verification,
• unlawful processing but objection to deletion,
• data no longer needed by us but needed by you for legal claims,
• objecting to processing while assessing legitimate interests.

Restricted data may be processed only with consent or for legal claims or public interest.

We will inform you before lifting restrictions.

If you exercise rectification, erasure, or restriction rights, we will notify data recipients unless impossible or requires disproportionate effort.

Note: Exercise via request form section “F” (Attachment 1).

Right to Object

If you believe we have no right to process your data, you may object. This applies when processing is based on legitimate interests or public interest, including profiling. We will stop unless we demonstrate overriding legitimate reasons or for legal claims. You may always object to processing for direct marketing.

Note: Exercise via request form section “G” (Attachment 1).

Right not to be Subject to Automated Decision-making Including Profiling

If profiling is performed, we inform you in specific processing sections. Otherwise, your data is not used for evaluating or predicting personal aspects like work performance, finances, health, preferences, reliability, behavior, location, or movement.

You may request exemption from profiling unless essential for contract conclusion, legally permitted with safeguards, or based on explicit consent.

Note: Exercise via request form section “H” (Attachment 1).

Right to Withdraw Consent

If you previously consented to data processing, you may withdraw at any time. Withdrawal does not affect lawfulness before withdrawal (e.g., already distributed promotional materials will not be recalled).

If consent was given electronically, withdrawal may be done the same way or simply by contacting us.

Right to Lodge a Complaint with Supervisory Authority

If dissatisfied with our response or if you believe your rights are violated, you can file a complaint with the Slovak Data Protection Authority. More info at www.dataprotection.gov.sk.

Security of Your Personal Data Processing

We take your personal data security and privacy seriously and provide basic info about our practices here.

We ensure information security (including personal data) by applying suitable technical and organizational measures based on international standards (ISO/IEC 27001:2013, ISO/IEC 27002:2013).

We secure premises where personal data is processed with physical protection, technical safeguards, and organizational measures.

We follow regularly updated policies and procedures with defined responsibilities.

All processes related to personal data processing are documented and regularly updated. New processes are assessed and approved.

We assess risks related to confidentiality, availability, and integrity; high-risk processing has additional protections.

We perform regular audits and controls to ensure compliance and address issues diligently.

An independent external responsible person oversees lawful and secure personal data processing.

Authorized persons accessing your data are bound by confidentiality, trained before and during processing.

We use verified suppliers/processors contractually bound to maintain security measures.

Access to data is controlled by “need to know” and “need to use” principles. We have incident management and continuity plans.

We maintain up-to-date registers of assets with appropriate security measures, including secure deletion, backup, encryption, malware protection, authentication, pseudonymization, anonymization, and transfer rules.

Details of Processing Activities (IS)

IS Registry Management

1 Purpose and Legal Basis

Purpose:

Registry management, processing electronic and written correspondence.

Legal basis:

(1) Article 6(1)(c) GDPR:
• Act No. 395/2002 Coll. on archives and registries,
• Act No. 305/2013 Coll. on electronic form of public authority acts,
(2) Article 6(1)(f) GDPR: legitimate interest.

2 Data Subjects and Data Scope

Data subjects:

Individuals – controllers and intermediaries, authorized persons, data subjects, other persons involved in proceedings.

Data processed:

Identification data (title, name, surname, signature, address, email, phone, other data per communication scope under Act No. 305/2013).

3 Recipients

4 Transfers to Third Countries/International Organizations

No transfers occur.

5 Data Source

Directly from the data subject.

6 Retention Period

• Max 10 years (registry log),
• 5 years for regular and official correspondence.

7 Profiling

Not performed.

8 Obligation to Provide Data

If provision is legally required (registry management, mail records, communication with authorities), data provision is mandatory. Otherwise voluntary, but refusal may affect communication processing.

IS Reporting Unlawful Activity

1 Purpose and Legal Basis

Purpose:

Investigation of reports under Act No. 54/2019 Coll. on protection of whistleblowers.

Legal basis:

(1) Art.6(1)(c) GDPR:
• Act No. 54/2019 Coll. on whistleblower protection,
(2) Art.9(2)(g) GDPR: substantial public interest.

2 Data Subjects and Scope

Data subjects:

Persons reporting unlawful activity or requesting protection and those investigated based on reports.

Data:

Data in the report and necessary data for review (identification data, report details).

3 Recipients

4 Transfers

No transfers.

5 Source

Directly from data subject (in person, mailbox, email, phone).

6 Retention

3 years from report receipt.

7 Profiling

Not performed.

8 Obligation

Data provided voluntarily; refusal limits investigation feedback or contact.

IS Corporate Agenda

1 Purpose and Legal Basis

Purpose:

Shareholder records for corporate obligations.

Legal basis:

(1) Art.6(1)(c) GDPR, including relevant commercial and tax laws,
(2) Art.10 GDPR: processing related to criminal convictions allowed by law.

2 Data Subjects and Scope

Shareholders.

Data including name, birth data, nationality, residence, contact, legal capacity, dividends, bank details, integrity documents, other relevant data.

3 Recipients

4 Transfers

No transfers.

5 Source

Directly from data subject.

6 Retention

According to archives and registries law.

7 Profiling

Not performed.

8 Obligation

Mandatory for contract/legal obligations; refusal prevents fulfilling corporate duties.

IS Promotion

1 Purpose and Legal Basis

Purpose:

Positive promotion and documentation of controller activities (photos, videos, reviews).

Legal basis:

Consent (Art.6(1)(a)) and legitimate interest (Art.6(1)(f)).

2 Data Subjects and Scope

Employees and other individuals.

Data: names, job positions, photos, audio/video recordings.

3 Recipients

4 Transfers

No transfers.

5 Source

Directly from data subject or legal representative during participation or posting reviews.

6 Retention

Duration of employment or 5 years after, except for permanent records.

7 Profiling

Not performed.

8 Obligation

Voluntary provision; refusal means no processing; withdrawal respected but does not affect prior lawful processing.

IS Cookies

1 Purpose and Legal Basis

Purpose:

Service provision and improvement, user protection, effective search and advertising.

Legal basis:

Consent and legitimate interest.

2 Data Subjects and Scope

Website users.

Data: personal and technical data enabling identification and location.

3 Recipients

4 Transfers

Data may be transferred to the USA (Google Ireland Limited) under adequate safeguards (standard contractual clauses).

5 Source

Directly from data subject via website use.

6 Retention

Until consent expires or is withdrawn.

7 Profiling

Not performed.

8 Obligation

Voluntary; refusal means no tracking or personalized services.

IS Technical and Organizational Measures

1 Purpose and Legal Basis

Purpose:

Implementing technical and organizational measures for security and GDPR compliance.

Legal basis:

Legitimate interest and legal obligation under GDPR and Act No.18/2018 Coll.

2 Data Subjects and Scope

Employees, responsible persons, applicants, persons involved in security incidents, intermediaries, external experts, regulatory employees.

Data: identification, contact, login, behavioral logs, identity verification, breach evidence, etc.

3 Recipients

4 Transfers

No transfers.

5 Source

Directly from data subject or legal representative.

6 Retention

According to internal policies (usually 3-5 years, some permanent).

7 Profiling

Not performed.

8 Obligation

Voluntary provision for rights exercise; mandatory for security measures, with consequences if not provided.

Attachments

Attachment No.1

[] (header – title, name, surname, address of applicant)

[] (name of controller)
[] (address)
[] (Company ID)

In [], date []

Request related to exercising rights in personal data processing

Dear [] (responsible person, company, controller),

In accordance with applicable data protection laws, I as a data subject hereby

request

[] (state one or more of options A-H below depending on your request, delete unnecessary)

(A) – correction of personal data you process related to [] (specify relationship or other details to identify your data)

Request details:

Due to processing incorrect personal data, please correct as follows:

Incorrect data:
[]

Correct data:
[]

———————————————————————————————————————

(B) – completion of personal data you process related to []

Request details:

Due to incomplete personal data, please complete as follows:

Incomplete data:
[]

Completed data:
[]

———————————————————————————————————————

(C) – deletion of personal data you process related to []

Request details:

I request deletion of personal data for the following reason(s):

(please check applicable)
☐ data no longer necessary
☐ withdrawal of consent
☐ objection upheld
☐ objection to marketing
☐ unlawful processing
☐ legal obligation
☐ data related to info society services to child

Reason:
[]

———————————————————————————————————————

(D) – access to a copy of personal data you process related to []

Request details:

If confirmed you hold personal data about me, please provide a copy [] (specify format and delivery).

———————————————————————————————————————

(E) – transfer of personal data to another controller related to []

Request details:
Controller to transfer data to: []

Format and delivery: []

———————————————————————————————————————

(F) – restriction of processing personal data related to []

Request details:

I request restriction for the following reason(s):

(please check applicable)
☐ data inaccurate – pending verification
☐ unlawful processing – object to deletion
☐ needed for legal claims
☐ objection pending verification

Reason:
[]

Requested restriction type:
[]

Requested restriction duration:
[]

———————————————————————————————————————

(G) – objection to processing personal data related to []

Request details:

I object to processing based on:

(please check applicable)
☐ public interest or official authority
☐ legitimate interest of controller or third party

Reason:
[]

———————————————————————————————————————

(H) – no automated decision-making including profiling related to []

Request details:
[]

———————————————————————————————————————

For questions or clarifications, please contact me at [].

Thank you in advance.

Sincerely,

___________________________
[] (name, surname, signature of data subject)