Data protection

Latest update: 1 June 2018

1. GENERAL INFORMATION

Partner in Pet Food SK s.r.o. (“Company”) processes information in connection with third
parties, contact persons of its contracting partners and other individuals including e.g. consumers
(who are hereinafter referred to collectively as “individuals”) which information qualifies as
“personal data” as defined in point 1 of article 4 of the General Data Protection Regulation No
2016/679 of the EU (“GDPR”).

This Data Protection Notice (“Notice”) provides information regarding the processing of these
personal data and the rights and remedies of the individuals.

Contact details of the Company:

The registered seat of the Company: 930 21 Dunajský Klátov 141, Slovakia

The company registration number of the Company: 46 333 037

The Company is registered at the Commercial Register of the District Court Trnava, section Sro,
insert No. 28041/T

The telephone number of the Company: +421 31 559 13 65

The e-mail address of the Company: info@ppfeurope.com

The website of the Company: http://www.ppfeurope.com/

2. UPDATES AND AVAILABILITY

The Company reserves the right to modify this Notice unilaterally with effect subsequent to such
modification, subject to the limitations provided for in the laws and with advance notification to
the individuals in due time, if necessary. The Company may modify this Notice especially when it
is required upon changes in the laws, the practice of the data protection authority, business needs
or employees’ needs, any new activity involving personal data processing or any newly revealed
security exposures. Upon request, the Company will send a copy of the latest updated version of
this Notice to individuals.

3. SPECIFIC DATA PROTECTION TERMS

In certain cases, specific privacy-related terms and conditions may also apply, of which the
affected individuals will be duly notified. Such specific terms and conditions are
provided for in connection with the operation of electronic surveillance systems (i.e. cameras), the
entry-control systems operated at the entryways to the offices of the Company, and the cookies
that are used on the website of the Company.

4. SCOPE OF THE DATA AND THE PURPOSE OF THEIR PROCESSING

The table below describes the scope of the processed personal data, the purposes, the legal basis,
the duration of the processing and the scope of the persons authorised to have access to the data.
Where a purpose of processing is required for pursuing a legitimate interest of the
Company then the Company will make available the balancing test of the underlying interests upon
a request submitted to one of the contact details of the Company above. The Company wishes to
draw the attention of the individuals to their right of objection to the processing of their
personal data due to a cause related to their own situation any time where the processing is
based on legitimate interest including the case where the processing takes the form of
profiling. In such a case, the Company ceases processing the personal data unless it can prove
that the processing has to be continued due to compelling legitimate reasons which override
the interests, rights and freedoms of the individuals or which relate to the submission, the
enforcement or the protection of legal claims. If personal data is processed for the purpose of
direct marketing, individuals may at any time object to the processing of their personal data
for that purpose, including profiling, if connected to direct marketing.

Where this Notice indicates the relevant limitation period as the duration of data storage, then an
event which interrupts the limitation period shall extend the term of the data processing until the
new date when the underlying claim may lapse.

Purpose of the processing: Allowing participation in promotions and advertising campaigns
(including prize games organised by the Company) – in accordance with the applicable terms and
conditions of participation.

Legal basis of the processing: Article 6 1. a) of the GDPR – voluntary consent of the individual
given in the course of his/her participation in the promotion or advertising campaign in accordance
with the applicable terms and conditions of participation. The individual may withdraw his/her
consent any time. Such withdrawal will not affect the legitimacy of the data processing carried out
on the consent granted prior to the withdrawal. Without the consent, the individual cannot
participate in the given promotion, advertising campaign or prize game.

Scope of processed data: The scope of participating persons and the personal data are determined
on a case by case basis, in accordance with the applicable terms and conditions of participation
(e.g. name, residential address and the chosen gift, vote cast in a public voting game open for the
public etc.).

Duration of storage, access rights, data transfers: The duration of processing is determined on a
case by case basis, in accordance with the applicable terms and conditions of participation taking
into account the closing date of the promotion or advertising campaign and the time required for
the delivery of the prizes, where applicable.
Authorised persons having access to the data within the Company: determined on a case by case
basis, in accordance with the applicable terms and conditions of participation. Unless determined
otherwise, the persons having tasks in relation to the promotion or advertising campaign are
authorised to have access to the data.


Purpose of the processing: Sending out advertisements and newsletters by email.

Legal basis of the processing: Article 6 (1) a) of the GDPR – voluntary consent of the individual
and Section 62 of the Act No. 351/2011 Coll. on Electronic Communications – prior, demonstrable
consent of the individual; previous consent is not required only for direct marketing of own
similar goods and services, if the contact details for e-mail delivery were received in relation to
the previous sale of the goods and services. Consents may be withdrawn at any time, without
limitation and reasoning, free of charge. Such withdrawal will not affect the legitimacy of the
data processing carried out with the consent prior to the withdrawal. Without consent, where
necessary, the Company is not permitted to send out advertisements and newsletters by email.

Scope of processed data: Name and email address of possible recipients.

Duration of storage, access rights, data transfers: If an individual withdraws consent, then
personal data has to be deleted.
Authorised persons having access to the data within the Company: persons sending out
advertisements and newsletters.


Purpose of the processing: Making records of and recordings at Company events.

Legal basis of the processing: Article 6 1. a) of the GDPR (voluntary consent of the individual).
The individual may withdraw his/her consent any time. Such withdrawal will not affect the
legitimacy of the data processing carried out on the consent granted prior to the withdrawal.
Without the consent, no recordings can be made. No consent is needed for making recordings and
using them in a proportionate manner for scientific and artistic purposes and for print, film,
radio and TV newscast, while respecting legitimate interests of data subjects (Section 11 et seq.
of the Civil Code).

Scope of processed data: Making photos or videos at events organised by the Company (portraits of
individuals). With the consent of the individuals, the photos or videos may be published in the
intranet as well as on external media of the Company (e.g. the LinkedIn site of the Company) or on
other media likewise (e.g. Company leaflets or brochures).

Duration of storage, access rights, data transfers: The recording will be deleted if the
individual so requested. In case of recordings which have been made public, however, the right of
withdrawal can only be exercised until the time when such materials appear publicly. For instance,
where photos have appeared publicly, third parties might copy and/or save them outside the control
of the Company.
Authorised persons having access to the data within the Company: until the recordings have
appeared publicly, such recordings are handled by the HR Department. Recordings which have been
made publicly available on the intranet of the Company can be seen by all members of the Company’s
personnel. The materials appearing on the LinkedIn site of the Company and on any internet or
other media are public.


Purpose of the processing: Sending invitations to events organised by the Company.

Legal basis of the processing: Article 6 1. f) of the GDPR (processing of the data is needed for
pursuing the legitimate interests of the Company). The legitimate interest: successful and
efficient organisation of events.

Scope of processed data: Contact details of the persons whom the Company intends to invite: the
names of the participants and the organisations they represent and other data they may provide in
connection with their participation (e.g. anticipated time of arrival, preferred presentation or
other event, etc.).

Duration of storage, access rights, data transfers: Unless the individual objects to the
processing of his/her data, contact details can be used also after the event for sending out
invitations to events organised by the Company or on other occasions for seeking contact. The
Company stores the data for 3 years after the last contact made with the individual (general
statute of limitation under the Civil Code).
Authorised persons having access to the data within the Company: employees of the Marketing
Department.


Purpose of the processing: Processing the personal data of contact persons representing
contracting partners and/or involved in contract performance / verification of performance (i.e.
day by day implementation of contracts). This includes e.g. the processing of postal addresses of
contact persons, their payment instructions or the sending of official notifications through the
contact details and information regarding contractual obligations to be fulfilled.

Legal basis of the processing: It depends whether the contract is concluded with the individual
(e.g. a private entrepreneur) or with other undertakings; it is Article 6 1. b) of the GDPR where
the contract has been concluded directly with the individual and the purpose is the implementation
of the contract, or it is Article 6 1. f) of the GDPR – pursuing the legitimate interests of both
the Company and those of the contracting partner: fulfilling the obligations, exercising the
contractual rights and synchronising cooperation between the contracting parties. The exchange of
personal data is required under the contract; without them, the Company is unable to conclude the
contract and/or implement it.

Scope of processed data: The contact details (i.e. e-mail addresses, telephone numbers, mobile
phone numbers, telefax numbers) of the contact persons representing the contracting partners
and/or involved in contract performance / verification of performance, and any other activity of
or communication between the contracting parties which includes any kind of personal data (e.g.
communication received from a contact person or any other person acting on behalf of a contracting
partner). The personal data are either provided to the Company by the contracting partner, or the
individuals themselves.

Duration of storage, access rights, data transfers: Data are stored for this purpose during the
contractual relationship. After termination of the contractual relationship data are stored for
as long as the Company is legally obliged to do so or for as long as the Company requires the data
for the purposes of establishment, exercise or defence of legal claims.
Authorised persons having access to the data within the Company: in the competent areas that are
affected by the subject matter of the contract.


Purpose of the processing: Processing the personal data of contact persons representing
contracting partners and/or involved in contract performance / verification of performance in
connection with compliance issues or any other activity needed to enforce contract performance
including seeking remedies in order to enforce the rights arising from the contracts.

Legal basis of the processing: The legal basis of processing data is the legitimate interest of
the Company (Article 6 1. f) of the GDPR). The legitimate interest: handling compliance issues or
any other activity needed to enforce contract performance including seeking remedies in order to
enforce the rights arising from the contracts.

Scope of processed data: The contact details (i.e. e-mail addresses, telephone numbers, mobile
phone numbers, telefax numbers) of the contact persons representing the contracting partners
and/or involved in contract performance / verification of performance, and any other activity of
or communication between the contracting parties which includes any kind of personal data (e.g.
communication received from a contact person or any other person acting on behalf of a contracting
partner). The personal data are either provided to the Company by the contracting partner, or the
individuals themselves.

Duration of storage, access rights, data transfers: Data are stored for this purpose during the
contractual relationship. After termination of the contractual relationship data are stored for
as long as the Company is legally obliged to do so or for as long as the Company requires the data
for the purposes of establishment, exercise or defence of legal claims.
Authorised persons having access to the data within the Company: in the competent areas that are
affected by the subject matter of the contract.


Purpose of the processing: Handling customer and other requests received by the Company.

Legal basis of the processing: Article 6 1. f) of the GDPR (processing is needed to pursue the
legitimate interests of the Company and those of its customer). The legitimate interest: handling
customer and other requests, responding to inquiries, and the mutual performance of the
obligations arising from customer contracts.

Scope of processed data: The personal data affected by the customer and other requests that are
received by the Company, the contact data of the customers and other people (i.e. names,
addresses, e-mail addresses, telephone numbers) and the records of the actions done in relation to
the request.

Duration of storage, access rights, data transfers: 3 years after answering the request (general
statute of limitation under the Civil Code).
Authorised persons having access to the data within the Company: Customer Service – “CS”.
The Company transfers the data within its company group:

- Partner in Pet Food Polska SP.z.o.o., ul. Szamocka 8, Warsaw 01-748, Poland;
  telephone No: +48 22 569 24 10; info.pl@ppfeurope.com
- Partner in Pet Food CZ s.r.o., Bucharova 1423/6 158 00 Prague 13 - Nové Butovice, Czech Republic;
  telephone No: +420 234 111 111; info@ppfeurope.com
- Partner in Pet Food Hungária Kft., H-2040 Budaörs, Puskás Tivadar utca 14., Hungary;
  telephone No: +36 1 801 02 03; info@ppfeurope.com
- Partner in Pet Food NL B.V., Wijchenseweg 132 6538 SX Nijmegen, Holland;
  telephone No: +31 24 34 35 910; info@ppfeurope.com

Legal basis of the data transfer: Article 6 1. f) of the GDPR (the data transfer is needed for
pursuing the legitimate interests of the Company and its group companies). The legitimate
interest: using the knowledge of the company group for more efficient processing of customer and
other requests and sharing the relevant experience to serve customers better.


Purpose of the processing: Handling consumer requests received by the Company. In most cases,
consumer requests (e.g. inquiries, comments or complaints) are forwarded to the Company by its
contracting partners (e.g. Lidl, Tesco, etc.). The Company may respond to such requests directly
or assist the contracting partners in the preparations of their responses. In case a request is
received through social media (e.g. Facebook) then the terms and conditions of the social media
service provider for data processing and use may also be applicable.

Legal basis of the processing: Article 6 1. f) of the GDPR (processing is needed for pursuing the
legitimate interests of the Company and those of its contracting partner). The legitimate
interest: handling consumer requests is in the legitimate business interest of both the Company
and its contracting partner. In addition, handling consumer requests (claims of defects) is also a
legal requirement under the Act No. 250/2007 Coll. on the Consumer Protection.

Scope of processed data: The personal data affected by consumer requests that are received by the
Company, contact data of the contact persons acting on behalf of consumers and the contracting
partner (names, addresses, e-mail addresses, telephone numbers), the content of the claims
(complaints), requests presented by the consumers as individuals, the records taken on actions.

Duration of storage, access rights, data transfers: 3 years after answering the request (general
statute of limitation under the Civil Code).
Authorised persons having access to the data within the Company: Customer Service – “CS”.
The Company transfers the data within its company group:

- Partner in Pet Food Polska SP.z.o.o., ul. Szamocka 8, Warsaw 01-748, Poland;
  telephone No: +48 22 569 24 10; info.pl@ppfeurope.com
- Partner in Pet Food CZ s.r.o., Bucharova 1423/6 158 00 Prague 13 - Nové Butovice, Czech Republic;
  telephone No: +420 234 111 111; info@ppfeurope.com
- Partner in Pet Food Hungária Kft., H-2040 Budaörs, Puskás Tivadar utca 14., Hungary;
  telephone No: +36 1 801 02 03; info@ppfeurope.com
- Partner in Pet Food NL B.V., Wijchenseweg 132 6538 SX Nijmegen, Holland;
  telephone No: +31 24 34 35 910; info@ppfeurope.com

Legal basis of the data transfer: Article 6 1. f) of the GDPR (the data transfer is needed for
pursuing the legitimate interests of the Company and its group companies). The legitimate
interest: use of the knowledge of the company group for more efficient processing of consumer
requests and sharing the relevant experience to serve consumers better.

5. DATA PROCESSORS

The contracting partners engaged by the Company for carrying out tasks related to data processing
operations are listed below. Such contracting parties act as “data processors” i.e. they process the
personal data defined in this Notice on behalf of the Company.

The Company should use only data processors providing sufficient guarantees, in particular in
terms of expert knowledge, reliability and resources, to implement technical and organisational
measures which will meet the requirements of the GDPR, including for the security of processing.
The particular tasks and liabilities of the data processor are stipulated in the data processing
agreement made between the Company and the data processor. After the completion of the
processing on behalf of the Company, the processor should, at the choice of the Company, return
or delete the personal data, unless there is a requirement to store the personal data under Union
or Member State law to which the processor is subject.

Data processor: Contracting partners participating in promotions and advertising campaigns
(including prize games organised by the Company)
Tasks: The details of the data processor and its tasks are indicated in the terms and conditions
of participation in the given promotion.

Data processor: PosTel DS s.r.o., Nezábudková 471/8, 929 01 Dunajská Streda
Tasks: Provision of services in CCTV support – processing of data captured and recorded via CCTV.

Data processor: RON Software spol. s r.o., Rudé armády 2001/30a, 733 01 Karviná - Hranice, Czech
Republic
Tasks: Provision of entry card system support – processing of data generated and used via the
entry card system.

Data processor: WBI, s.r.o., Žižkova 42, 811 02 Bratislava
Tasks: Service and support of the information system.

Data processor: External IT service provider
Tasks: IT, on-site support for IT administrators and end users, maintenance of computers, user
accounts management and permission settings, server operation.

Data processor:

- Partner in Pet Food Polska SP.z.o.o., ul. Szamocka 8, Warsaw 01-748, Poland;
  telephone No: +48 22 569 24 10; info.pl@ppfeurope.com
- Partner in Pet Food CZ s.r.o., Bucharova 1423/6 158 00 Prague 13 - Nové Butovice, Czech Republic;
  telephone No: +420 234 111 111; info@ppfeurope.com
- Partner in Pet Food Hungária Kft., H-2040 Budaörs, Puskás Tivadar utca 14., Hungary;
  telephone No: +36 1 801 02 03; info@ppfeurope.com
- Partner in Pet Food NL B.V., Wijchenseweg 132 6538 SX Nijmegen, Holland;
  telephone No: +31 24 34 35 910; info@ppfeurope.com

Tasks: IT services on the basis of an indefinite-term service agreement. E.g.: central arrangement
of the operation of the IT systems, preparation of security back-up saves, protection of the
company-wide network and preparations for data loss incidents. IT support of processes related to
access and joining of employees, managing user accounts, setting permissions, blocking access of
user accounts, archiving email accounts, remote deletion of mobile phones.

Data processor: Screen sharing, online meeting, web conferencing service providers
Tasks: The Company may share the personal data listed in this Notice when it is using screen
sharing, online meeting, web conferencing service during its day-to-day communications. In the
course of the services, personal data may be processed in countries outside the EU which do not
provide for the same level of data protection as the GDPR. LogMeIn, Inc., and its wholly owned
subsidiary, LogMeIn USA, Inc. (collectively “LogMeIn”) participate in the EU-U.S. Privacy Shield
Framework regarding the collection, use and retention of personal information from EU member
countries. LogMeIn also receives some data via other compliance mechanisms, including data
processing agreements based on the EU Standard Contractual Clauses (a model data transfer
agreement in the form approved by the EU Commission), which is available at the contact details of
the Company. Further information: https://www.logmeininc.com/legal/privacy-shield and
https://www.logmeininc.com/gdpr/gdpr-compliance.

6. TECHNICAL AND ORGANISATIONAL DATA SECURITY MEASURES

The Company protects the personal data it processes primarily by restricting the access to the
information and by the unambiguous regulation of the rights to use them. Only such persons may
have access to the systems and instruments used for processing the personal data referred to in this
Notice whose access is required in order to fulfil the above-mentioned purposes and who are
authorised to exercise such access. These persons include e.g. designated team members or
departments (e.g. the IT Department is authorised to have access to the user data that are required
for the use of the Company’s IT systems).

The Company ensures the safe and legitimate use of the devices which it makes available (including
Company-owned computers, laptops and mobile phones), the e-mail boxes and the Internet, and the
desirable level of awareness of the employees related to such use, by applying the following
measures:

- The Company expects that the devices which it made available and which have access to the
Internet, as well as the e-mail boxes, are used by the employees with specific user names and
passwords that are adequately complex and updated at regular intervals.

- The Company protects all its systems and devices by firewalls, antivirus software and spam
filters. In addition, the Company operates an intrusion protection system (so-called IPS)
which enables the detection, blocking and logging of illegitimate attempts of access to the
computer systems of the Company.

- The Company makes available safe wired and wireless network access for all devices.

- Remote access to the systems and software of the Company for any device is possible only
through safe connection (VPN) by using specific user names and passwords, with mitigation
of chances of accidental access (including illegitimate access by the use of stolen or lost
devices).

- The IT Department of the Company carries out regular software and system updates and
back-up saves of data in accordance with its own internal regulations.

As regards the physical protection of data and electronic documents, the Company owns locked
server rooms and ensures that access to a particular document is reserved to adequately
authorised persons only (e.g. access to HR documents is reserved to the HR Department).

7. DATA PROTECTION RIGHTS AND REMEDIES

7.1 Data protection rights and remedies

The detailed rights and remedies of the individuals are set forth in the applicable provisions of the
GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR).
The summary set out below describes the most important provisions and the Company provides
information for the individuals in accordance with the above articles about their rights and remedies
related to the processing of personal data.

The information shall be provided in writing, or by other means, including, where appropriate, by
electronic means. When requested by the individual, information may also be provided orally,
provided that the identity of the individual is proven by other means.

The Company will respond without unreasonable delay and by no means later than within one
month of receipt to the request of an individual whereby such person exercises his/her rights about
the measures taken upon such request (see articles 15-22 of the GDPR). This period may be, if
needed, extended by a further two months in the light of the complexity of the request and the number
of requests to be processed. The Company notifies the individual about the extension, also indicating
its grounds, within one month of the receipt of the request. Where the request has been submitted
by electronic means, the response should likewise be sent electronically unless the individual
otherwise requests.

In case the Company does not take any measure upon the request, it shall so notify the individual
without delay but by no means later than in one month stating why no measures are taken and about
the opportunity of the individual to lodge a complaint with the data protection authority and to file
an action with the courts for remedy.

7.2 The individual’s right of access

(1) The individual has the right to obtain confirmation from the Company whether or not personal data
concerning him/her are being processed. Where the case is such, then he/she is entitled to have
access to the personal data concerned and to the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be
disclosed including especially recipients in third countries and/or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not
possible, the criteria used to determine that period;

e) the right of the individual to request from the Company rectification or erasure of personal
data or restriction of processing of personal data concerning the individual or to object to
such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the individual, any available information as to
their source.

(2) Where personal data are forwarded to a third country, the individual is entitled to obtain information concerning the adequate guarantees of the data transfer.

(3) The Company provides a copy of the personal data undergoing processing to the individual. The
Company may charge a reasonable fee based on administrative costs for requested further copies.
Where the individual submitted his/her request in electronic form, the response will be provided to
him/her by widely used electronic means unless otherwise requested by the individual.

7.3 Right to rectification

The individual has the right to request that the Company rectify inaccurate personal data which
concern him/her without undue delay. In addition, the individual is also entitled to have incomplete
personal data completed e.g. by a supplementary statement or otherwise.

7.4 Right to erasure (’right to be forgotten’)

(1) The individual has the right to have the Company erase, upon his/her request, the personal data
concerning him/her without delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed by the Company;

(b) the individual withdraws consent on which the processing is based, and no other legal
ground subsists for the processing;

(c) the individual objects to the processing and there are no overriding legitimate grounds for the
processing;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject;

(f) the collection of the personal data occurred in connection with offering services regarding
the information society.

(2) In case the Company has made the personal data public and then it becomes obliged to delete it as
aforesaid, then it will, taking into account the available technology and the costs of implementation,
take reasonable steps, including technical steps, in order to inform controllers who carry out
processing that the individual has requested the deletion of the links leading to the personal data
concerned or of the copies or reproductions of these.

(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other things, for:

a) exercising the right of freedom of expression and information;

b) compliance with a legal obligation which requires processing by Union or Member State law
to which the Company is subject;

c) archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in so far as the right referred to in paragraph (1) is likely to render impossible or
seriously impair the achievement of the objectives of that processing; or

d) the establishment, exercise or defence of legal claims.

7.5 Right to restriction of processing

(1) The individual has the right to obtain a restriction of processing from the Company where one of
the following applies:

a) the accuracy of the data is contested by the individual, for a period enabling the Company to
verify the accuracy of the personal data;

b) the processing is unlawful and the individual opposes the erasure of the personal data and
requests the restriction of their use instead;

c) the Company no longer needs the personal data for the purposes of the processing, but the
individual requires them for the establishment, exercise or defence of legal claims;

d) the individual has objected to processing based on the legitimate interest of the Company
pending the verification whether the legitimate grounds of the Company override those of the
individual.

(2) Where processing has been restricted under paragraph (1), such personal data shall, with the
exception of storage, only be processed with consent of the individual or for the establishment,
exercise or defence of legal claims or for the protection of the rights of another natural or legal
person or for reasons of important public interest of the Union or of a Member State.

(3) The Company informs the individual whose request has served as grounds for the restriction based
on the aforesaid, before the restriction of processing is lifted.

7.6 Notification obligation regarding rectification or erasure of personal data or restriction of
processing

The Company will communicate any rectification or erasure of personal data or restriction of
processing to each recipient to whom the personal data have been disclosed, unless this proves
impossible or involves disproportionate effort. The Company informs the individual about those
recipients if he/she so requests.

7.7 Right to data portability

(1) The individual has the right to receive the personal data concerning him/her, which he/she has
provided to the Company, in a structured, commonly used and machine-readable format and has
the right to transmit those data to another controller without hindrance from the Company, where:

a) the processing is based on consent or on a contract; and

b) the processing is carried out by automated means.

(2) In exercising the right to data portability pursuant to paragraph 1, the individual shall have the right to have the personal data transmitted directly from one controller to another, where technically
feasible.

(3) Exercising the aforesaid right shall not contravene the provisions concerning the right to erasure
(‘right to be forgotten’) and, further, this right shall not harm the rights and freedoms of others.

7.8 Right to object

(1) The individual has the right to object, on grounds relating to his/her particular situation, at
any time to processing of personal data concerning him/her for the purposes of legitimate
interests. The Company will no longer process the personal data unless it demonstrates
compelling legitimate grounds for the processing which override the interests, rights and
freedoms of the individual or for the establishment, exercise or defence of legal claims.

(2) Where the processing of personal data serves direct marketing purposes the individual is
entitled to object to the processing of personal data regarding him/her for such purposes,
including profiling, in so far as the latter relates to direct marketing.

(3) In case the individual objects to the processing of personal data with the aim of direct marketing,
then the personal data can no longer be processed for this purpose.

(4) In connection with the use of services related to information society, the individual may refer to
his/her right of objection, with deviation from the directive 2002/58/EC, by means of automated
devices based on technical prescriptions.

(5) Where personal data are processed for scientific or historical research purposes or statistical
purposes, the individual, on grounds relating to his/her particular situation, has the right to object
to processing of personal data concerning him/her, unless the processing is necessary for the
performance of a task carried out for reasons of public interest.

7.9 Right to lodge a complaint with a supervisory authority

The individual has the right to lodge a complaint with a supervisory authority, in particular in the
Member State of his/her habitual residence, place of work or place of the alleged infringement if
he/she considers that the processing of personal data relating to him/her infringes the GDPR. In
Slovakia, the competent supervisory authority is the Office for Personal Data Protection of the
Slovak Republic (https://www.dataprotection.gov.sk/; Hraničná 12, 820 07 Bratislava 27;
telephone: +421 2 32 31 32 14; e-mail: statny.dozor@pdp.gov.sk).

7.10 Right to an effective judicial remedy against a supervisory authority

(1) The individual has the right to an effective judicial remedy against a legally binding decision of a
supervisory authority concerning him/her.

(2) The individual has the right to an effective judicial remedy where the supervisory authority which
is competent does not handle a complaint or does not inform him/her within three months on the
progress or outcome of the complaint lodged.

(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State
where the supervisory authority is established.

7.11 Right to an effective judicial remedy against the Company or the processor

(1) The individual, without prejudice to any available administrative or non-judicial remedy,
including the right to lodge a complaint with a supervisory authority, has the right to an effective
judicial remedy where he/she considers that his/her rights under the GDPR have been infringed
as a result of the processing of his/her personal data in non-compliance with the GDPR.

(2) Proceedings against the Company or a processor shall be brought before the courts of the
Member State where the Company or processor has an establishment. Alternatively, such
proceedings may be brought before the courts of the Member State where the individual has
habitual residence.