[email protected]
02/ 800 800 80

Information

Main page
Information
GDPR
GDPR
Subject name:

Kúpele Dudince, a.s.

Business ID:

31642713

Address:

Kúpeľná 106/3, 962 71 Dudince

Certificate number:

Osobnyudaj.sk-2018-11661

Certificate valid to:

23.06.2025
Contact us

Rights of the Data Subject

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), and Act No. 18/2018 Coll. on the Protection of Personal Data and on the Amendment of Certain Laws (hereinafter “the Act”) guarantee the following rights to you as the Data Subject:

a) The Data Subject’s right of access to personal data, which includes:

  • The right to obtain confirmation from the Controller as to whether or not personal data concerning the Data Subject are being processed;

  • If personal data concerning the Data Subject are being processed, the right to access such personal data and to obtain the following information:

    • Information on the purposes of processing;
    • Information on the categories of personal data concerned;
    • Information on the recipients or categories of recipients to whom the personal data have been or will be disclosed, especially recipients in third countries or international organizations;
    • Where possible, information on the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • Information on the existence of the right to request from the Controller the rectification or erasure of personal data or restriction of processing concerning the Data Subject, or to object to such processing;
    • Information on the right to lodge a complaint with a supervisory authority;
    • Where the personal data were not collected from the Data Subject, any available information as to their source;
    • Information on the existence of automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject;

  • The right to be informed of appropriate safeguards pursuant to Article 46 of the GDPR, relating to the transfer of personal data if personal data are transferred to a third country or an international organization;

  • The right to obtain a copy of the personal data undergoing processing, subject to the condition that the right to obtain such a copy shall not adversely affect the rights and freedoms of others.

The right of access essentially means that the Data Subject has the right to obtain confirmation from the Controller as to whether or not personal data concerning them are being processed, and, if so, the right to access such personal data. Upon request, the Data Subject shall receive a copy of the personal data being processed. For any additional copies requested, the Controller may charge a reasonable fee based on administrative costs. If the Data Subject submits the request by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested. Information must be provided promptly, within one month at the latest. The Controller has the right to extend the processing period by another two months in the case of a complex or frequent request. However, the Data Subject must be notified of the reason for the extension within one month. In the case of an unfounded or excessive request, the Controller has the right to charge a reasonable fee or refuse the request. In such cases, the Controller must explain the reasons for refusal and inform the Data Subject of their right to lodge a complaint with the supervisory authority.

b) The Data Subject’s right to rectification of personal data, which includes:

  • The right to have inaccurate personal data concerning the Data Subject rectified by the Controller without undue delay;
  • The right to have incomplete personal data completed, including by means of providing a supplementary statement.

The right to rectification means that the Data Subject may request the Controller to correct or complete their personal data if they are inaccurate or incomplete. The Data Subject has the right to provide a supplementary statement to complete the data.

c) The Data Subject’s right to erasure of personal data (right to be forgotten), which includes:

  • The right to have the Controller erase personal data without undue delay where one of the following grounds applies:

    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • The Data Subject withdraws consent on which the processing is based, provided that there is no other legal ground for the processing;
    • The Data Subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21(2) of the GDPR;
    • The personal data have been unlawfully processed;
    • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the Controller is subject;
    • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

  • The right to have the Controller, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers processing the personal data that the Data Subject has requested the erasure of any links to, or copy or replication of, those personal data;

The right to erasure (right to be forgotten) does not apply where the processing is necessary:

  • For exercising the right of freedom of expression and information;
  • For compliance with a legal obligation requiring processing under Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) of the GDPR and Article 9(3) of the GDPR;
  • For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in Article 17(1) is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  • For the establishment, exercise, or defense of legal claims.

The right to erasure means that the Controller must erase your personal data when they are no longer necessary for the purposes for which they were collected or otherwise processed, if the processing is unlawful, if you object and there are no overriding legitimate grounds for the processing, or if there is a legal obligation to erase the data.

d) The Data Subject’s right to restriction of processing, which includes:

  • The right to have the Controller restrict processing where one of the following applies:
    • The accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
    • The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • The Controller no longer needs the personal data for the purposes of the processing but they are required by the Data Subject for the establishment, exercise, or defense of legal claims;
    • The Data Subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification of whether the legitimate grounds of the Controller override those of the Data Subject.

Where processing has been restricted in accordance with the above, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

The right to restriction of processing means that if there are any unresolved issues regarding the processing of your personal data, the Controller must restrict the processing, so that the data can only be stored and not further processed.

e) The Data Subject’s right to notification regarding rectification or erasure of personal data or restriction of processing, which includes:

  • The right to have the Controller notify each recipient to whom the personal data have been disclosed of any rectification or erasure of personal data or restriction of processing unless this proves impossible or involves disproportionate effort;
  • The right to have the Controller inform the Data Subject about such recipients if the Data Subject requests it.

The right to notification means that the Controller is obliged to notify each recipient to whom the Data Subject’s personal data were disclosed of any rectification, erasure, or restriction of processing, unless it is impossible or requires disproportionate effort.

f) The Data Subject’s right to data portability, which includes:

  • The right to receive the personal data concerning the Data Subject, which they have provided to the Controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:

    • The processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR, and
    • The processing is carried out by automated means;

  • The right to have the personal data transmitted directly from one Controller to another, where technically feasible.

The right to data portability means that you have the right to receive from us the personal data you provided in a structured, commonly used, and machine-readable format and the right to have us transmit those data to another Controller under legal conditions. Exercising this right does not affect your right to erasure. However, the right to portability only applies to personal data obtained on the basis of a contract or your consent.

g) The Data Subject’s right to object, which includes:

  • The right to object, on grounds relating to the Data Subject's particular situation, at any time to processing of personal data concerning the Data Subject which is based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions;
  • Where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes;
  • Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the Data Subject, on grounds relating to their particular situation, has the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The right to object means that you can object to our processing of your personal data when it is based on legitimate interest or public interest. If we cannot demonstrate compelling legitimate grounds for the processing, or if you object to direct marketing, we must stop processing your data.

h) The Data Subject’s rights in relation to automated decision-making, including profiling, which includes:

  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects them, except where:

    • It is necessary for entering into, or the performance of, a contract between the Data Subject and a Controller;
    • It is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights, freedoms, and legitimate interests; or
    • It is based on the Data Subject's explicit consent.

  • In the cases referred to above, the Data Subject has the right to obtain human intervention on the part of the Controller, to express their point of view, and to contest the decision.

The right not to be subject to automated decision-making means that you can request not to be subject to a decision made solely by automated means, including profiling, unless it is required for a contract, authorized by law, or based on your consent. You can also request human intervention or contest the automated decision.

Sumbit a complaint

Need to resolve a security incident or other issue? Send us a message and we will promptly resolve it.

Send us a message

Osobnyudaj.sk, s.r.o.

Mlynské Nivy 5 - mestská časť Ružinov 821 09 Bratislava