Data Protection
The protection of personal data is very important to the Whistleblower Protection Office (hereinafter referred to as "the WPO"), and the WPO considers it necessary to inform the public about how it processes the personal data it collects, why it collects them and what this means for the data subjects. For this reason, and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Acts (hereinafter referred to as the "Act on Personal Data Protection"), the WPO provides the following information on the processing of personal data:
1. Identification and contact details
The Controller:
Whistleblower Protection Office
Námestie slobody 29
811 06 Bratislava
E-mail: [email protected], tel.: 0948 935 166
Contact of the responsible person: [email protected]
Personal data processing principles
In accordance with Article 5 of the GDPR and Sections 6 to 12 of the Data Protection Act, WPO is guided by the following principles when processing personal data:
- lawfulness, fairness and transparency: it only processes personal data lawfully, fairly and transparently in relation to the data subject,
- purpose limitation: personal data are collected for specifically identified, explicitly stated and legitimate purposes; further processing may only take place for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR and Section 78(8) of the Data Protection Act,
- data minimisation: personal data shall only be collected to an extent that is proportionate, relevant and limited to what is necessary in relation to the purposes for which they are processed,
- correctness: the controller shall only process personal data that are correct and, where necessary, updated, and shall take measures to ensure that incorrectly processed data are erased or rectified (updated) without undue delay,
- minimisation of retention: the controller shall keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,
- integrity and confidentiality: the controller shall process personal data in a manner that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures,
- responsibility: the controller is responsible for compliance with the principles of personal data processing and is obliged to demonstrate this compliance with the principles to the Office for Personal Data Protection of the Slovak Republic upon request.
2. Lawfulness of processing
WPO processes personal data in accordance with Article 6 of the GDPR and Section 13 of the Data Protection Act on the basis of at least one of the following legal bases:
- the consent of the data subject,
- the processing is necessary for the performance of a contract to which the data subject is a party or in the context of pre-contractual relations at the request of the data subject,
- the processing is necessary pursuant to a special regulation or an international treaty to which the Slovak Republic is bound,
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- the processing is necessary for the purpose of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights of the data subject which require the protection of personal data, in particular where the data subject is a child; the controller does not claim legitimate interests in the exercise of official authority.
3. Purpose of the processing of personal data
The WPO processes personal data, in particular in order to carry out its obligations and tasks under specific legislation, only to the extent necessary in relation to the purposes for which they were collected.
The purpose of the processing of personal data is primarily:
- fulfilment of the tasks of the WPO pursuant to a specific legal regulation, e.g. Act No. 54/2019 Coll. on the Protection of Whistleblowers of Anti-Social Activity and on Amendments and Additions to Certain Acts, as amended,
- selection procedures for vacancies in the WPO, completion of internships,
- securing public procurement,
- preparation, conclusion and execution of contracts, exercise of rights and fulfilment of obligations of the WPO under concluded contracts,
- bookkeeping,
- handling complaints and requests,
- property management,
- archiving of documentation, files and records arising from the activities of the WPO.
Other purposes for the processing of personal data may be specified in individual contracts concluded between the WPO and the data subject, for example, in contracts with authors, in licensing agreements, in sales contracts.
The WPO may also process personal data on the basis of consent; in this case, the purpose of the processing of personal data is stated directly in this consent. If personal data are provided on the basis of consent, the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the disclosure of personal data based on consent given prior to its withdrawal.
Personal data shall not be processed for a purpose other than that for which they were originally collected, unless provided for by a specific regulation under which the controller acts or unless the data subject gives his or her voluntary consent.
4. Period of processing of personal data
The WPO respects the principle of minimising the retention period of personal data. At the same time, the activities of the WPO are subject to specific regulations which provide for the retention period of certain documents (for example, in the case of accounting documents, 10 years).
According to a special law, the WPO is the originator of the registry, whose duty is to draw up a registry plan and submit it to the State Central Archives for approval. The retention periods of certain documents in the WPO are therefore governed by the approved registry plan.
5. Sharing of personal data
On the basis of special regulations, the WPO may be obliged to provide personal data to other public administration bodies and other public authorities, such as the police, the Public Prosecutor's Office, the Public Procurement Office, the Labour Inspectorate, and the Supreme Audit Office.
The dispatch of parcels is carried out by the Slovak Post or a courier service.
Cross-border transfer of personal data to third countries or international organisations does not take place as the controller is not obliged to do so by special regulations.
6. Rights of data subjects
In accordance with Articles 15 to 22 of the GDPR and Sections 19 to 29 of the Personal Data Protection Act, the data subject generally has the following rights:
- the right to confirmation of the processing of personal data,
- the right of access to personal data,
- the right to rectification of personal data,
- the right to erasure of personal data,
- the right to restrict the processing of personal data,
- the right to portability of personal data,
- the right to object to the processing of personal data,
- the right not to be subject to decisions based on automated individual decision-making, including profiling.
Right to confirmation and access to personal data
The data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, if so, to obtain access to those personal data and the following information:
- processing purposes,
- the categories of personal data processed for the purpose,
- identification of the recipients or categories of recipients to whom the personal data have been or are to be disclosed,
- the period of retention of the personal data or, if this is not possible, information on the criteria for determining it,
- the source of the personal data, unless the personal data were obtained from the data subject,
- information on the existence of the right to request rectification, erasure or restriction of the processing of personal data relating to the data subject, or the right to object to the processing of personal data,
- information on the right to lodge a complaint or to initiate proceedings with the Office for Personal Data Protection,
- whether automated individual decision-making or profiling is carried out in the conditions of the controller.
Right to rectification of personal data
The data subject shall have the right to have his or her personal data rectified without undue delay. The data subject shall also have the right to request that his or her incomplete personal data be completed.
If the data subject wishes to be informed of the notification of the fulfilment of this obligation towards the recipients of his or her personal data, it is necessary to request it.
Right to erasure of personal data
The data subject shall have the right to have his or her personal data erased without undue delay if:
- they are no longer necessary for the purpose for which they were collected and/or processed,
- the data subject withdraws consent to the processing of personal data and there is no other legal basis for the processing,
- the data subject objects to the processing of personal data for the performance of a task carried out in the public interest and legitimate interests and there are no overriding legitimate grounds for the processing of personal data,
- personal data are processed unlawfully on the basis of a decision of the Data Protection Authority or other authority competent to decide on unlawful processing,
- the reason for deletion is the fulfilment of an obligation under a law, a special regulation or an international treaty by which the Slovak Republic is bound,
- personal data has been collected in connection with the offer of information society services.
However, the obligation to delete personal data does not apply if an exception is given pursuant to Article 17(3) GDPR or Section 23(4) of the Personal Data Protection Act.
If the data subject wishes to be informed of the notification of the fulfilment of this obligation towards the recipients of his or her personal data, it is necessary to request it.
Right to restriction of processing of personal data
The data subject has the right to restrict processing if:
- the data subject challenges the accuracy of the personal data,
- the processing is unlawful on the basis of a decision of the Data Protection Authority or another authority competent to rule on unlawful processing and the data subject objects to the erasure of the personal data and requests instead the restriction of their use,
- the controller no longer needs the personal data for the purposes of the processing but the data subject needs them to establish, exercise or defend legal claims, or
- the data subject has objected to the processing pursuant to Article 21(1) of the GDPR or Section 27(1) of the Data Protection Act, pending verification whether the legitimate grounds on the part of the controller outweigh the legitimate grounds of the data subject.
The data subject will be notified in advance of the lifting of the restriction of his or her personal data.
If the data subject wishes to be informed of the notification of the fulfilment of this obligation towards the recipients of his or her personal data, it is necessary to request it.
Right to portability of personal data
The data subject shall have the right to obtain the personal data concerning him or her provided by the WPO in a structured, commonly used and machine-readable format, and shall have the right to transmit such personal data to another controller, if technically feasible. The possibility of portability shall be assessed on a case-by-case basis.
The right of portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Similarly, the exercise of the right to data portability by the data subject shall not adversely affect the rights of other persons.
Right to object to the processing of personal data
The data subject shall have the right to object to processing at any time on grounds relating to his or her particular situation if the personal data are processed on the basis of Article 6(1)(e) or (f) of the GDPR or Section 13(1)(e) or (f) of the Data Protection Act. The data subject shall not have the right to object to the processing of personal data on grounds of public interest where the personal data are processed for scientific, historical research or statistical purposes.
Right not to be subject to decisions based on automated individual decision-making, including profiling
The right not to be subject to decisions based on automated individual decision-making, including profiling, does not apply in the conditions of the WPO; the WPO does not carry out processing based on automated individual decision-making and does not carry out profiling or provide information society services pursuant to Article 8(1) of the GDPR and Section 15(1) of the Act on the Protection of Personal Data.
7. Exercise of data subjects' rights and supervision
The data subject may exercise his or her rights, in particular through the contact details of the controller, free of charge.
If the data subject makes repeated requests for access to the personal data, the WPO is entitled to charge a reasonable fee corresponding to the administrative costs for providing additional copies of the personal data in accordance with the GDPR and the Personal Data Protection Act. If the data subject's request is manifestly unfounded or disproportionate, in particular due to its repetitive nature, the WPO is entitled to charge the data subject a reasonable fee taking into account the administrative costs of providing the information or of notifying or taking the requested action, or to refuse to act on the request.
If reasonable doubts arise as to the identity of a data subject who has exercised his or her rights, the WPO shall be entitled to verify his or her identity, for example, by requesting additional information, summoning him or her, if expedient, and verifying his or her identity document, or by any other appropriate means.
If the data subject considers that his or her rights protected by the GDPR and the Personal Data Protection Act have been violated in the processing of personal data, he or she has the right to lodge a complaint or to initiate proceedings with:
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
tel.: +421 /2/ 3231 3214
E-mail: [email protected]