Personal data protection

Towercom, a.s., with its registered office at Cesta na Kamzík 14, 831 01 Bratislava, Corporate ID: 36 364 568, registered with the Commercial Register of the Bratislava I District Court, section Sa, entry no. 3885/B implements personal data protection in relation to the provided Services as follows:

Unless otherwise stipulated in this document, the terms used herein shall have the same meanings as in the General Terms of Service of Towercom, a.s. (hereinafter referred to as the “Terms”).

Legal regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation”).

Act no. 18/2018 Coll. on personal data protection as amended, replacing the Act no. 122/2013 Coll. on personal data protection as amended (hereinafter referred to as the “PDP Act”).

Identification data and contact information of the Provider as a data controller:

Towercom, a.s.
Cesta na Kamzík 14
83101 Bratislava
Registration: Commercial Register of the Bratislava I District Court, section Sa, entry No.: 3885/B
Phone number: 0650 444 400
Email: ochrana.osobnych.udajov@towercom.sk

Minimum scope of personal data:

Phone number, email or other user identifier, outstanding payables, name, surname, academic degree, permanent residence address, personal identification number, date of birth, number of ID card or other identification document, and nationality.

The Provider is also entitled to process other personal data of the User as long as it is necessary for the due and timely performance of the Agreement.

Purpose of personal data processing:

The Provider is processing personal data of Users, as data subjects, for the following purposes:

  1. fulfillment of pre-contractual relationships, Registrations, conclusion of Agreements and their performance, changes or terminations, User Account management, billing, receipt and registration of payments, receivables and assignment of receivables and maintenance of a User list, exercising of rights, resolution of complaints, as well as other purposes arising out of or in connection with the due performance of the Agreement;
  2. providing of information about our own products and services;
  3. creation of the User’s personal and user profile (profiling).

Legal Basis of Personal Data Processing:

The legal basis for the processing of personal data for the purposes specified in Clause 1 above are pre-contractual relations, Agreement and special legislation, including, without limitation, the Electronic Communication (EC) Act.

The legal basis for the processing of personal data for the purposes specified in Clause 2 above is the legitimate interest of the Provider, namely the promotion of own products and services and special legislation, including, without limitation, the EC Act.

The legal basis for the processing of personal data for the purposes specified in Clause 3 above is the User’s consent.

Where required by the Regulation or the PDP Act, the Data Subject’s Consent may also be used as the legal basis for personal data processing.

Categories of recipients:

The Provider is entitled to make the processed personal data available within the necessary scope in compliance with the Regulation, the PDP Act or other applicable legal regulations to the following categories of recipients:

  1. individuals authorised to process personal data, who will process personal data on behalf of the Provider (data processors),
  2. third parties authorised by the Provider to collect receivables or exercise other legitimate rights of the Provider against the User, for the purpose of claiming receivables and exercising other rights of the Provider, including cases where the Provider’s receivables are assigned to a third party, even after the termination of the contractual relationship with the User,
  3. a court of law, other public administration body and other state administration body, if it is necessary to exercise the Provider’s rights against the User or to fulfil a legal obligation of the Provider,
  4. contractual partners of the Provider providing Services and/or Service related performance to the Provider,
  5. the Provider’s sales representatives or other parties, which, by virtue of the Provider’s authorisation, act on its behalf as intermediaries in the provision of Services (including their ordering, activation and handling of claims),
  6. postal and messenger services and/or other entities providing postal services or carrying out delivery

Personal data retention period:

In accordance with the personal data minimisation principle, the Provider, as a controller, keeps personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, as a minimum for the period of validity of the Registration or the Agreement, as well as after its termination, when this is necessary for the settlement of charges or their deposit, for registration and collection of the Provider’s receivables for the Services provided, for processing of the User’s requests, or in order to meet the legal conditions for exercising rights or fulfilling other obligations imposed by the respective legal regulations. In the case of profiling and in cases where the legal basis for processing of personal data is the User’s consent, the Provider, as a controller, retains personal data for the duration of the User’s consent.

Security of personal data processing

When processing data, the Provider, as a controller, takes appropriate technical and organisational measures to ensure security of personal data protection, taking into account the sate of the art, the costs of implementing the measures, the nature, scope, context and purpose of personal data processing, the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Other information with regard to personal data processing:

Provision of personal data is voluntary. Regardless of the above, the User acknowledges that by not providing personal data at least within the extent required by applicable legal regulations, in particular the EC Act, it will not possible to conclude an Agreement.

When providing Services which are considered Public Services, the Provider is obliged, in accordance with the EC Act, for the purpose of providing cooperation to law enforcement authorities, courts of law and other state authorities, to retain operational data, location data and data of communicating parties within the scope and under the terms of the EC Act and special regulations. The Provider also retains the operational data if this is necessary for billing of services and payments for network connection, until the expiry of the time period during which the invoice can be legally contested or a claim for payment can be made.

The Provider may process the User’s personal data, which it is authorised to process on the legal bases established by the Regulation and the PDP Act, using fully or partially automated and non-automated means of processing.

The Provider undertakes to ensure appropriate measures to protect the identification and other personal data, as well as information about the User in accordance with applicable legal regulations.

The Provider does not intend to transfer personal data to a third country or an international organisation.

Neither the Provider nor the User are authorised to provide third parties with data designated as a trade secret or confidential information, except in the cases established by the applicable legal regulations of the Slovak Republic or in the event that both the Provider and the User agree to do this.

In accordance with the provisions of Section 44 para. 2 c) of the EC Act, the User has the option to add or not to add his or her personal data in the phone book and subscriber number information services and the possibility to choose which personal data to add according to Section 59 para. 2 of the EC Act. The User may request disclosure by delivering to the Provider a filled-in written request for disclosure of data in the phone book and information services. Relevant data of a natural person to be published in a phone book shall be the phone number, first name, surname and the permanent residence address. There is no charge for including the User’s personal data in the phone book, verifying, correcting or removing them. However, with regard to the nature of the Service provided, the Provider does not create a phone book.

Location data, if processed, are processed by the Provider and made available to the User within the scope and under the terms stipulated by the EC Act.

Special information in relation to profiling, including the significance and the envisaged consequences of creating a personal and user profile:

The Provider, as a controller, creates a personal and user profile of the User, as a data subject, if such person has granted their consent to the Provider as a controller. The User, as a data subject, has the right to withdraw the consent to create a personal and user profile at any time and to demand from the Provider, as a controller, to delete the personal data processed in this way.

The Provider has every interest to provide the User with a Service that meets the User’s needs and preferences as much as possible so that the User can make efficient use of the Service. In order for the Provider to be able to provide the Service in such quality to the User, the Provider must have the opportunity to create his or her personal and user profile. The Provider is entitled to create such personal and user profile of the User exclusively based on the express consent of the User as a data subject. By giving the consent to create a personal and a user profile, the User gives the Provider the opportunity to collect both simple as well as comprehensive information about the User, which the Provider may evaluate and, based on it, create a profile of the User’s interests, preferences, and other information, which are described in more detail below.

Using the procedures set out below the Provider, as a controller, collects the following information about the User, as a data subject, in order to create a personal and a user profile:

  • information that the User himself/herself provided to the Provider (data from the Agreement and/or registration form),
  • location information,
  • operating system version and Application version,
  • unique identifiers of the User’s terminal,
  • details on how the Service is used (searched for information and offers, time of search, time of logging in and out of the User account, filter settings, click-throughs from individual sub-pages of the website and/or application to other sub-pages),
  • cookies.

The data collected by the Provider about the User do not include special categories of personal data, i.e. the so-called data subject’s sensitive data. Such data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic and biometric data as well as data concerning the data subject’s health or sex life or sexual orientation.

In creating the user and personal profile, the Provider, as a controller, uses cookies and Google Analytics, and subsequently evaluates the information obtained by monitoring the User’s behaviour together with other data obtained directly from the User through the aforementioned systems and compares it with the data obtained from other Users to predict their future behaviour and create a user profile based on the obtained results.

The information collected by the Provider, as a controller, in creating the user and personal profile, is used by the Provider to adapt the Service provided to the User to his/her needs, and to create the average Service User’s profile, in order to constantly improve the quality of the Service and the user environment, the possibilities of its use, and development of new applications and optimisation of the technical options and settings of the Service. As a consequence of creating the User’s personal and user profile, the Provider can present the User with marketing and promotional offers and information about the Provider’s services targeting the User’s needs derived from the data obtained in the process of creating the User’s personal and user profile, i.e. mainly from his/her previous interactions when using the Service.

The data obtained in the process of creating the User’s personal and user profile are personal data obtained based on the consent of the User as a data subject. As a data subject, the User has the right to be provided by the Provider, as a controller, with information about the processing of personal data and the rights of the data subject.

Rights of Users as data subjects:

The right to request from the controller access to personal data concerning the data subject: As a data subject, the User has the right to obtain from the Provider confirmation of:

  1. the purpose of personal data processing,
  2. the categories of processed personal data,
  3. the recipient to whom the personal data was/is to be provided,
  4. the personal data retention period,
  5. the right to request from the Provider, as a controller, rectification of personal data/erasure of personal data or restriction of processing/the right to object to the processing of personal data,
  6. the right to file a request to start proceedings with regard to personal data protection,
  7. the source of personal data,
  8. the existence of automated individual decision-making including profiling.

The right to the rectification of personal data: The data subject shall have the right to obtain from the Provider, as a controller, without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

The right to the erasure of personal data: The data subject shall have the right to obtain from the Provider, as a controller, without undue delay, the rectification of inaccurate personal data concerning him or her under the circumstances specified below. The Provider, as a controller, will erase the personal data without undue delay if:

  1. the personal data are no longer necessary for the purpose for which they were collected or processed,
  2. the data subject withdraws the consent to the processing on the basis of which the processing of personal data is carried out and where there is no other legal ground for the processing,
  3. the data subject objects to the processing of personal data,
  4. the personal data have been unlawfully processed,
  5. the reason for erasure is the fulfillment of an obligation pursuant to special regulations or an international treaty by which the Slovak Republic is bound,
  6. the personal data were collected in relation to the offer of information society services.

The right to the restriction of the processing of personal data: The User, as a data subject, has the right to have the Provider, as a controller, restrict the processing of personal data if:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the Provider, as a controller, to verify the accuracy of the personal data,
  2. the processing is unlawful and the User, as a data subject, opposes the erasure of the personal data and requests the restriction of their use instead,
  3. The Provider, as a controller, no longer needs the Personal data for the purposes of the processing, but they are required by the User, as a data subject, for the exercise of legal claim, or
  4. the User, as a data subject, has objected to processing of personal data pending the verification whether the legitimate grounds of the Provider, as a controller, override those of the data subject.

Right to personal data portability: The User, as a data subject, has the right to obtain the personal data pertaining to him or her which he or she has provided to the Provider, as a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Controller, if this is technically feasible, and if

  1. personal data is processed on the basis of the consent, or the processing is necessary for the performance of a contract to which the User, as a data subject, is party,
  2. processing of personal data is carried out by automated means.

Withdrawal of consent: If personal data are being processed on the basis of the User’s consent, the User has the right to withdraw the consent to process personal data at any time. The withdrawal of the consent shall not affect the lawfulness of personal data processing based on consent prior to its withdrawal. The User, as a data subject, can withdraw his or her consent in the same way in which it was granted, namely by sending a consent withdrawal notice.

The right to file a request to start proceedings with regard to personal data protection: If the User, as a data subject, has reasons to believe that his or her rights, as a natural person, have been infringed, he or she has the right to file a request to start proceedings with regard to personal data protection with the respective supervisory authority.

The right of the User to object to the processing of personal data:

The User, as a data subject, has the right to object against processing of his or her personal data on grounds relating to his or her particular situation, carried out to pursue legitimate interests of the Provider, as a controller, including profiling. The Provider, as a controller, shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

The User, as a data subject, has the right to object to the processing of personal data concerning him or her for the purpose of direct marketing. If the User, as a data subject, objects to the processing of personal data for the purpose of direct marketing, the Provider, as a controller, may no longer process personal data for direct marketing purposes.