Privacy Policy - Marketing

1. Controller

A Controller is a person who processes the personal data of the person concerned (you). The Controller is KREA SK s.r.o., with its registered office at Štúrova 71/a, 949 01 Nitra, Registration No.: 36 553 433, registered in the Commercial Register of the District Court of Nitra, Section: Sro, Insert No.: 13970/N (hereinafter referred to as "KREA SK").

If you have any questions, you can contact us (i) via e-mail at pomoc@krea.sk or (iii) by regular mail to our address KREA SK s.r.o., Štúrova 71/a, 949 01 Nitra.

2. Person concerned

You are the person concerned, because your personal data is processed by KREA SK.

3. Personal Data

Personal data is any data that the person concerned is identified or identifiable by. The extent of your personal data processed by KREA SK depends on the purpose for which this personal data is processed.

In the case your personal data is processed for marketing purposes, company KREA SK processes your name, surname, email, and phone number. At times, we may also ask you for your gender, age and address to compile statistical marketing data, in which case the data will be completely anonymous and separated from your identification data.

4. Sources of personal data

KREA SK collects your personal data directly from you. Personal data (i) is provided in particular on the contracts we have concluded with you, or (ii) you have filled in the form on the website, or (iii) you have sent or provided it to us in the context of mutual correspondence or communication, or (iv) we deduced them from the other data you provided us.

5. The purpose of personal data processing

Company KREA SK processes your personal data for the following marketing purposes:

(a) sending newsletters of a commercial and non-commercial nature via e-mail that may contain promotional and other offers, links to interesting articles from periodicals and KREA SK websites, or other information

(b) sending of documentary evidences, information, tenders and catalogues

(c) contacting by phone with commercial or other offers or non-trade information or questions

(d) contacting via SMS

(e) consumer competitions

(f) satisfaction surveys and other customer surveys

(g) recording of personal data in KREA SK's information systems

6. Legal basis for personal data processing

We process your personal data based on your consent, which you provided either directly in the contract or through a form on our website, by telephone or other credible way (e.g. by letter or e-mail). The consent you gave us for marketing purposes is voluntary and is not a contractual or statutory requirement. Company KREA SK can not make contractual performance conditional on granting this consent.

7. Withdrawal of the consent

You may withdraw consent by e-mail to pomoc@krea.sk, or (ii) in writing to KREA SK s.r.o., Štúrova 71/a, 949 01 Nitra, (iii) in person, (iv) through a link in the message, or (v) through the interface of the online service that you use and which enables that functionality. Withdrawal of the consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal. In case of withdrawal of the consent, your personal data will stop being processed without delay and will be erased.

8. The right to object and the right to file a claim for the opening of proceedings for the protection of personal data

You have the right to object to the processing of personal data directly to KREA SK (point 13 (a) and point 14 of this Policy) (i) by e-mail at pomoc@krea.sk

In addition to the right to object, you have the right to file a claim for the opening of proceedings for the protection of personal data to Office for Personal Data Protection of the Slovak Republic (https://dataprotection.gov.sk).

9. Personal data recipients

Company KREA SK processes your personal data primarily for its own purposes. In addition, we may provide your personal data to our business partners through which we process your personal data. These are trusted persons (so-called recipients and processors) who provide for us the development, maintenance and operation of software solutions and other services through which we process your personal data.

Your personal data is processed by MailChimp, which serves to process and send e-mail to your address. This service is operated by The Rocket Science Group, LLC, with its registered office at 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, Georgia 30308, United States of America (https://mailchimp.com/contact/).

In addition, your personal data may also be processed through cloud services provided within G Suite application when used internally. CCloud Services G Suite is operated by Google LLC, with its registered office at 1600

Amphitheater Parkway, Mountain View, CA 94043, United States of America (https://www.google.com/intl/cs/contact/).

Additionally, our employees are recipients of your personal data. We may also, with your consent, provide your personal data to third parties who will process your personal data for their marketing needs.

10. Transfer of personal data to third countries

We process your personal data primarily within the European Union and the European Economic Area. However, as noted above, your personal data is also transferred to the United States of America when processed through MailChimp and G Suite, and the United States of America which has a third-country status does not provide an adequate level of protection of personal data.

In these cases, however, cross-border transfers and processing of your personal data are secured by the Privacy Shield certification scheme created by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide European Economic Area and United States entities with the means to meet privacy requirements in their transfer from a Member State of the European Economic Area to the United States of America, and to promote transatlantic trade. This system ensures, under the European Commission's decision, the adequate protection of personal data. For more information on this system, please visit https://www.privacyshield.gov.

In addition, MailChimp and G Suite have updated their business terms and contracts to ensure the protection of processed and transmitted personal data in accordance with European regulations. Standard contractual terms of Google LCC are in line with the relevant European Commission decisions.

11. The duration of personal data processing

We will process your personal data for 24 months from your consent of until its withdrawal. After this period, or upon the withdrawal of your consent, we will delete your personal data (unless we process your personal data on a legal basis other than consent). Before the expiry of the period, we may ask you to extend your consent for the next 24 months.

12. Method of processing of personal data

Company KREA SK processes your personal data primarily electronically through automated information systems that operates itself or through its business partners (e.g.The Rocket Science Group, LLC and Google LLC).

13. Rights of the person concerned

(a) THE RIGHT TO OBJECT: You have the right to object to the processing of your personal data. You may object in the case that your personal data is processed for the purpose of performing a KREA SK public interest or legitimate interest or for the purposes of direct marketing. Your objection will be reasoned and successful if your legitimate reasons prevail over the legitimate reasons of KREA SK or when processing your personal data for direct marketing purposes (in which case the objection is considered as a withdrawal of your consent). You can not object if the processing is necessary (i) to accomplish the task on grounds of public interest or (ii) for scientific or statistical purposes or for historical research purposes. If your objection is reasoned and successful, we will stop further processing of your personal data.

(b) THE RIGHT TO BE INFORMED: You have the right to be provided with information as to whether we process your personal data, the extent to which we process it, and information about breaches of the security of your personal data.

(c) RIGHT TO ACCESS TO THE PERSONAL DATA: You have the right to issue a certificate that we process your personal data, what personal data we process and a copy of this personal data. We will provide this certificate by e-mail if you do not request another form. We may refuse to provide you with this certificate if it would have adverse consequences for the rights of other natural persons.

(d) RIGHT TO RECTIFICATION: If your personal data which we process is incorrect or incomplete, you have the right to request a correction or addition of personal data. In the case that you use any of the online services under which you manage your personal data (e.g.Sortio), you can directly apply the right to rectification by performing a rectification at the interface of the online service.

(e) THE RIGHT TO ERASURE / RIGHT TO BE FORGOTTEN: Once you have processed your personal data (withdrawal of consent, successful objection, expiry of the period, etc.) or when we process it in breach of law, you have the right to erase it and in this case company KREA SK will delete your personal data without any delay. You can also request erasure of your personal information. Erasure is always final. The right to erasure can not be applied if personal data is needed, e.g. for the exercising of the right of freedom of expression and the right to be informed, the fulfilment of a legal obligation, the fulfilment of a public service task, public service, archiving, scientific or statistical purposes or the purpose of historical research or the exercise of legal rights.

(f) RIGHT TO RESTRICT PROCESSING: In the case that you object to the correctness of your personal data, company KREA SK will restrict its processing for the period of verification of its correctness. If your personal data is processed unlawfully and you do not require erase of it, we will restrict its processing to the extent you require it or otherwise only archive it. If your personal data is processed for the performance of a public interest task or company KREA SK´s legitimate interest, the processing will be restricted for the period of review whether the legitimate reasons for processing prevail over the legitimate reasons of the person concerned. You may also ask us to restrict the processing of your personal data. We will inform you by e-mail about the beginning and ending of the restriction of the processing of your personal data.

(g) THE RIGHT TO DATA PORTABILITY: In the case that (i) it is technically possible, (ii) the processing of your personal data is subject to your consent or performance of the contract, (iii) and not for the performance of a public service task, (iv) processing is carried out by automated means (v) the transfer of personal data does not have adverse consequences for the rights of others, you have the right to have your personal data processed in a structured, commonly used and machine-readable format (e.g., .xml). With personal data processed in such manner, you have the right to request their transfer to another controller.

(h) RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING: You have the right to refuse a decision that is based on automated processing of personal data and profiling if it has legal effects or if the person concerned is significantly affected. The right can not be invoked if such a decision is necessary for the conclusion or performance of the contract or is performed by law or by the consent of the person concerned. Any decision based on automated processing of personal data and profiling must be manually inspectable. The person concerned is entitled to challenge that decision or give opinion in writing. Company KREA SK does not currently use automated individual decision making and profiling. However, they may submit bids specifically designed for you based on the information and personal data we have received from you.

14. How to apply rights and instructions

You may apply for your rights and requirements via e-mail at pomoc@krea.sk, or in written to our address KREA SK s.r.o., Štúrova 71/a, 949 01 Nitra, in person or in the above manner. If you submit your request, objection, opinion, or withdrawal of the consent in other way than by letter with your signature, e-mail with a qualified electronic signature or in person, we may require additional trusted verification of your identity, otherwise we will not have to comply with your request. We are not obliged to meet your request even in the cases governed by law.

Your requests will be delivered within one month of delivery. We can extend this deadline by another two months, even repeatedly, if this is a justified case and with regard to the complexity and the number of requests. We will inform you about the time extension.

We will provide you with information, confirmations and notices free of charge. In the case of repeated requests or requests that are manifestly unfounded or inappropriate, we may require you to pay the administrative costs incurred for its handling, or we may refuse to handle such a request.

In the case we contact you by phone or contact you directly, these phone conversations will be recorded. Learn about this fact at the beginning of the phone conversation. If you do not want the conversation to be recorded, please contact us in a different way, or ask for a phone call from an unmonitored line.

15. Principles relating to personal data processing

(a) THE LEGALITY PRINCIPLE: We process the personal data fairly, transparently and only for a legitimate reason (consent of the person concerned, fulfilment of the contract, performance of the statutory duty, protection of the vital interests of the person concerned or other natural person, fulfilment of the public service task or the exercise of public authority, company KREA SK's legitimate interest). We will not violate the rights of the person concerned in processing.

(b) THE PRINCIPLE OF PURPOSE LIMITATION: Personal data may only be processed for a specific, well-defined, explicitly and legitimately intended purpose, for archival, scientific or statistical purposes or historical research purposes only.

(c) THE PRINCIPLE OF PERSONAL DATA MINIMISATION: We can only process the personal data we absolutely need or this that is allowed for us to process by the law. We will not process or require unnecessary personal information. It is also up to you to provide us only with the personal data that is necessary for the purpose for which we will process it and do not provide us with excessive data (e.g., when communicating with each other, etc.).

(d) THE PRINCIPLE OF ACCURACY: We only process correct and up-to-date personal data. If personal data is processed incorrectly or incompletely, we will correct or complete it. We will erase incorrect personal information. The accuracy of personal data also depends on you, so it is essential that you always provide us with correct and complete personal information.

(e) THE PRINCIPLE OF STORAGE LIMITATION: Personal data will only be processed for the duration required to meet the purpose or set by law. We will process it longer only for archival, scientific or statistical purposes or for historical research purposes.

(f) THE PRINCIPLE OF INTEGRITY AND CONFIDENTIALITY: We protect personal data against loss, accidental erasure, damage, theft or destruction. We will ensure that personal data is not processed unlawfully. Personal data security is important and we ensure it through standardized technical and other appropriate measures.

(g) THE PRINCIPLE OF ACCOUNTABILITY: We are responsible for the security and protection of your personal data and the Office for Personal Data Protection of the Slovak Republic, which is entitled to review the processing of personal data in the framework of the procedure for the protection of personal data.

16. Processing of children’s personal data

If you are under 16 years and you have given us permission to process your personal data, it is necessary that this consent is granted and confirmed by your legal representative. In this regard, we may ask you for the date of birth as one of your personal data to verify your age.

17. Other information

This Policy has been developed to explain the protection of personal data and to enhance transparency in its processing. This Policy will be regularly updated and posted on KREA SK's web sites. The Policy will take effect on May 25, 2018.