INFORMATION ON THE PROCESSING OF PERSONAL DATA
www.dermarevolta.com
This information on the processing of personal data (hereinafter referred to as "Policy") contain information about the processing of your personal data by the company ATRIM SK s. r. o., based in Smaragdová ul. 1, 851 10 Bratislava, ID No.: 55482261, a company registered in the Commercial Register of the Municipal Court Bratislava III, Section Sro, Insert No. 170198/B (hereinafter referred to as "Operator"), which occurs:
-
- via the Operator's website dermarevolta.com (hereinafter referred to as "website") and the Operator's related profiles on social networks,
-
- in the context of the Operator's general business activities and the implementation of the Operator's contractual relationships, and
-
- in the operation of the CCTV system.
Through this Policy, the Controller provides you with information about why your personal data is processed, how it is processed, how long the Controller stores it, what your rights are in relation to the processing of your personal data and other relevant information about the processing of your personal data..
Through this Policy, the Controller fulfils its information obligation towards all data subjects both in the case where the Controller has obtained personal data directly from you as a data subject and in the case where the Controller has obtained your personal data from another source.
The Controller processes your personal data in accordance with Regulation 2016/679 of the European Parliament and of the Council of the European Union on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "Regulation"), the relevant Slovak legislation, in particular Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Acts (hereinafter referred to as "Act") and other data protection regulations (Regulation, Law and other data protection regulations hereinafter collectively referred to as "Data protection regulations").
You may contact the controller and its data protection officer in writing or in person at its registered office for matters relating to the processing of your personal data Emerald Street. 1, 851 10 Bratislaor by e-mail to his e-mail address dermarevolta@dermarevolta.com.
For what purposes, on what legal basis and for how long do we process your personal data?
The controller processes your personal data exclusively in accordance with the principle of minimisation which means that the Data Controller does not request personal data from you that are not necessary for the specific and legitimate purpose of the processing. The controller shall only process personal data if there is a legal basis for the processing and, therefore, it is processed in accordance with the principle of lawfulness. The specific purposes, including the specified legal basis and retention period, for which the Controller processes your personal data are as follows:
| PROCESSING OF PERSONAL DATA ON THE WEBSITE (SPECIFIC PROCESSING PURPOSES FOR THE OPERATION OF THE DERMAREVOLTA.COM WEBSITE) | ||
| Purpose of processing | Taking photographs and audiovisual recordings of data subjects and publishing them on the website and on the Operator's social media profiles in the course of its presentation and business activities | |
| Legal basis | Art. 6(1)(a) of the Regulation - the processing of personal data is carried out on the basis of the data subject's consent | |
| Categories of personal data | Photograph of the data subject, visual images and manifestations of the personal nature of the data subject (in some cases together with his or her name and job position in the company of the Data Controller, other data provided to the Data Controller by the data subject) | |
| Retention period | 5 years from the date of consent or until its revocation, whichever is the earlier | |
| Purpose of processing | Booking a client for an appointment and placing him/her in the order of booked clients - accepting and registering bookings via the booking form on the website | |
| Legal basis | Art. 6(1)(b) of the Regulation - the processing of personal data is necessary for the purpose of concluding the contract | |
| Categories of personal data | Common personal data required by the online form (in particular first name, last name, email address, phone number, other data specified in the note) | |
| Retention period | Until the conclusion of the contractual relationship (within the reserved term) and after its conclusion until the full settlement of contractual and other claims arising from the contractual relationship. If the contractual relationship is not concluded (provision of the booked service), 60 days after the booked service date | |
| Purpose of processing | Responding to messages and handling queries/requests from messages received by the Operator via social media messages, email communications or by telephone to the contact details published on the website (other than enquiries about the Operator's services from a natural person), including the handling of enquiries and requests from legal persons | |
| Legal basis | Art. 6(1)(f) of the Regulation - the processing of personal data is carried out on the basis of the legitimate interest of the Data Controller, which is to respond to the messages received for the proper conduct of business communication, improving the quality of the services provided and attracting new clients | |
| Categories of personal data | First name, surname, e-mail address, telephone number, other data provided in the message or in the sending file, in the case of a natural person acting on behalf of a legal person, also identification data of his/her affiliation to a specific legal person and function or position in the said legal person | |
| Retention period | 60 days from the date of receipt of the request or until the request is processed (purpose fulfilled), whichever is earlier | |
| Purpose of processing | Disclosure of employees' personal data (to clients and the general public) on the website and other communication channels | |
| Legal basis | Art. 6(1)(f) of the Regulation in conjunction with Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Acts - the processing of personal data is carried out on the basis of the legitimate interest of the Data Controller, which is the need to inform its clients about these personal data of its employees in case the clients wish to contact them in connection with the individual services of the Data Controller | |
| Categories of personal data | To the extent provided for in Section 78(3) of Act No. 18/2018 Coll. - title, first name, surname, occupational classification, job classification, functional classification, place of work and employer's identification data | |
| Retention period | During the duration of the data subject's employment or similar employment relationship with the Controller | |
| Purpose of processing | Publication of testimonials on satisfaction with the Operator's services on the Operator's website or on the Operator's social media profiles in the course of the Operator's presentation activities | |
| Legal basis | Art. 6(1)(a) of the Regulation - the processing of personal data is carried out on the basis of the data subject's consent | |
| Categories of personal data | Identification data of a specific natural person within the scope of name, other data specified in the reference | |
| Retention period | Identification data of the specific legal entity within the scope of the business name, other data specified in the reference | |
| Purpose of processing | Measurement of website traffic, website activity and targeting of the Operator's online advertising (via online tools - cookies) | |
| Legal basis | Art. 6(1)(a) of the Regulation - the processing of personal data is carried out on the basis of the data subject's consent | |
| Categories of personal data | Data about the activity on the website of the controller and preferences in the online environment, IP address of the device used, data about the web browser used, other online characteristics and preferences depending on the scope of the consent granted | |
| Retention period | For a maximum of 2 years from the date of consent or until its revocation, whichever is the earlier | |
| GENERAL PURPOSES OF PROCESSING IN THE COURSE OF BUSINESS | ||
| Purpose of processing | Handling of exercised rights of data subjects | |
| Legal basis | Art. 6(1)(c) of the Regulation - the processing of personal data is carried out in the performance of a legal obligation | |
| Categories of personal data | Common personal data included in the application | |
| Retention period | Pending the settlement of the rights exercised | |
| Purpose of processing | Records of the rights of data subjects exercised and the manner in which those rights have been exercised | |
| Legal basis | Art. 6(1)(f) of the Regulation - processing of personal data on the basis of the legitimate interest of the Data Controller, which is the need to record the exercised rights of data subjects in order to demonstrate compliance with the obligations arising from the relevant legislation in the field of personal data protection | |
| Categories of personal data | Common personal data included in the application | |
| Retention period | 5 years from the date of the processing of the right exercised or other request made | |
| Purpose of processing | Fulfilling the contractual obligations of the Operator (based on contracts concluded remotely via the website), including pre-contractual relations (handling enquiries, accepting orders and bookings, making payments, etc.) | |
| Legal basis | Art. 6(1)(b) of the Regulation - processing of personal data is carried out in the performance of the contract (including pre-contractual relations) | |
| Categories of personal data | Ordinary personal data (first name, last name, residential / business address, billing address if different from the delivery address, contact details - telephone number, e-mail address, bank account, affiliation or position in the company) | |
| Retention period | During the duration of the contractual relationship and after the termination of the contractual relationship until the expiry of the statutory limitation periods for the exercise of rights and other claims arising from the contracts, and at the latest until the legal and other claims arising from the contractual relationship have been fully settled | |
| Purpose of processing | Compliance with legal obligations related to the conclusion of a distance contract (e.g. information obligations, withdrawal obligations) | |
| Legal basis | Art. 6(1)(c) of the Regulation - the processing of personal data is carried out in the performance of a legal obligation | |
| Categories of personal data | Common personal data | |
| Retention period | During the duration of the distance contract and until the legal and other claims arising from the distance contract have been settled in full | |
| Purpose of processing | Keeping records of suppliers, other business partners and clients and their contact persons (in the case of business partners or corporate clients), concluded contracts and maintaining appropriate communication | |
| Legal basis | Art. 6(1)(f) of the Regulation - the processing of personal data is carried out on the basis of the legitimate interest of the Controller, which is the need to keep track of the Controller's suppliers, business partners and clients, or their contact persons in contractual relations for the proper performance of contractual obligations, possible proof of legal claims and the conduct of appropriate contractual communication | |
| Categories of personal data | Ordinary personal data (first name, last name, address of residence / registered office / place of business / billing address, affiliation / function in the company that is the customer, contact details - phone number, e-mail address) | |
| Retention period | During the duration of the contractual relationship and after its termination until the contractual and other claims arising from the contractual relationship are fully settled (as a rule, until the expiry of the limitation periods) or until the status of a particular natural person as an agent of a legal entity is terminated; at the latest until the legal and other claims arising from the contractual relationship are fully settled | |
| CAMERA SYSTEM | ||
| Purpose of processing | Protection of the Operator's property, protection of the health of persons in the Operator's monitored premises, prevention of illegal acts in the monitored premises and their detection in the event of their occurrence by monitoring defined areas of the Operator's operations with a camera system | |
| Legal basis | Art. 6(1)(f) of the Regulation - the processing of personal data is carried out on the basis of the legitimate interest of the Data Controller, which is: sufficiently effective protection of the Operator's property,to provide a preventive measure to prevent the occurrence of any unlawful acts that may occur in the monitored area, both in relation to the property of the Operator and the property of visitors to the premises (data subjects), in particular in relation to petty theft in the waiting areaan effective means of clarifying unlawful acts when they do occur. | |
| Categories of personal data | Images and expressions of a personal nature captured by the CCTV system | |
| Retention period | 14 days from the making of the CCTV footage (except in cases where the relevant part of the footage is cut out and provided to the relevant law enforcement authorities or those authorised to deal with the offence | |
In order to ensure the protection of your personal data, the Controller has adopted appropriate security measures, which are documented in internal documentation, both at an organisational and technical level.
What entities have access to your personal data?
In certain cases, the controller is obliged to provide your personal data to public authorities that are authorised to process your personal data, e.g. courts, law enforcement authorities as well as supervisory and oversight authorities (e.g. the Data Protection Authority in the case of an inspection) (third parties).
The controller also provides your personal data to its to the intermediary, i.e. external entities that process your personal data on behalf of the Controller. Processors process personal data on the basis of a contract concluded with the Data Controller, in which they undertake to take appropriate technical and security measures in order to process your personal data securely. The Controller's processors include:
-
- company providing services in the field of bookkeeping and personnel and payroll,
-
- a company providing occupational health and safety services,
-
- a company providing hosting services (including mail hosting services),
-
- a physician-ambulatory information system software company,
-
- security services company.
Recipients of your personal data include companies Google Ireland Limited a Meta Platforms Irelandwhich provide analytical and marketing services through cookies that are stored on your device by the website if you grant the Operator your consent to the storage of these files. For more information on cookies, please see the section of the website on the use of cookies Cookies.
Recipients of your personal data also include the operators of the social networks Facebook and Instagram (Meta Platforms Ireland) and YouTube (Google Ireland Limited), if you contact the Operator via a message on the Operator's social networks, if you share the website or its content on social networks, or if you grant the Operator consent to publish your photograph or audiovisual recording on the Operator's profiles on social networks and platforms.
These companies act as joint controllers with the Controller in the processing of personal data and the processing of personal data is governed in this case by the joint controllers' agreement within the meaning of Article 26 of the Regulation, according to which the Controller is the point of contact for handling your requests concerning the processing of personal data.
TRANSFER to third countries and international organisations
When using analytics and marketing cookies on the Operator's website and if you contact the Operator via a message on the Operator's social networks, share the website or its content on social networks, or if you give the Operator consent to publish your photo or audiovisual recording on social networks, your personal data may be transferred to the U.S., to companies in the U.S., to Meta Platforms, Inc.. a Google, LLC.
The transfer of your personal data is secured by means of adequate means of ensuring the transfer of personal data to third countries in accordance with the Data Protection Regulations, in particular through the use of standard contractual clauses included in the terms of use of the above services, the adequacy decision adopted by the European Commission in relation to the USA as a third country within the meaning of the relevant articles of the Regulation, as well as through the additional transfer guarantees accepted by the providers of the above services. Transfers may only take place exceptionally, on the basis of the relevant legislation in force in that third country (the USA) applicable to those service providers (FISA).
The controller does not use profiling when processing your personal data and does not process personal data in any form of automated individual decision-making, which would lead to the evaluation of your personal aspects.
SOCIAL NETWORKS AND LINKS TO OTHER INTERNET SITES
In order to promote marketing and advertising, you will find links to various social networks and platforms such as Facebook and Instagram on the Operator's website. The Operator hereby wishes to inform you that once you click on the add-on on the website and go to the social network, the privacy policy of the social network operator will apply, except if you contact the Operator by means of a message on the social network or if you consent to the publication of your photo or audiovisual recording on social networks (in which case, the processing of your personal data is also governed by this Policy and your personal data processed by the Operator in accordance with the information provided above).
For more information on the processing of your personal data by social network operators, please visit the following links: (i) Facebook and (ii) Instagram.
What rights do you have in relation to the processing of personal data?
| Right of access - As a data subject, you have the right to obtain confirmation from the Data Controller as to whether it is processing your personal data and, if so, the right to obtain access to that personal data and information pursuant to Article 15 of the Regulation. The Controller will provide you with a copy of the personal data that is being processed. If you make a request by electronic means, the information will be provided to you by the Controller in a commonly used electronic format, unless you request otherwise. | Right to repair - The Controller has taken reasonable measures to ensure the accuracy, completeness and timeliness of your personal data. As a data subject, you have the right to have your inaccurate personal data corrected or your incomplete personal data completed by the Controller without undue delay. |
| RIGHT TO INSTALL You have the right to object to the processing of personal data, for example, if the Controller processes Your personal data on the basis of a legitimate interest or for processing involving profiling. If you object to such processing of your personal data, the Controller will not further process your personal data unless it demonstrates the necessary legitimate grounds for further processing of your personal data. | |
| Right to erasure ("right to be forgotten") - You also have the right to obtain from the Data Controller the erasure of your personal data without undue delay if certain conditions are met, for example, if the personal data are no longer necessary for the purposes for which the Data Controller obtained or processed them. However, this right of yours must be considered on a case-by-case basis, as there may be situations where the Controller is prevented from erasing your personal data by other circumstances (for example, a legal obligation of the Controller). This means that in such a case, the Data Controller will not be able to comply with your request to erase your personal data. | Right to data portability - In certain circumstances, you have the right to transfer your personal data to another controller that you designate. However, the right to portability only applies to personal data that the Controller processes on the basis of consent granted by you to the Controller, on the basis of a contract to which you are a party or where the Controller processes personal data by automated means. |
| THE RIGHT TO WITHDRAW CONSENT If the Controller processes your personal data on the basis of your consent, you have the right to withdraw the consent at any time in the same way as you gave it. Withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal of consent. | |
| Right to restriction of processing - You also have the right to have the Controller restrict the processing of your personal data. This will be the case, for example, if you contest the accuracy of the personal data or if the processing is unlawful and you request the restriction of processing, or if the Data Controller no longer needs your personal data for the purposes of processing but you need them to prove, exercise or defend legal claims. The Controller will restrict the processing of your personal data if you so request. | Right to lodge a complaint or complaint - If you feel that your personal data is being processed in violation of applicable law, you may lodge a complaint with the supervisory authority, which is Office for Personal Data Protection of the Slovak Republic, with registered office at Námestie 1. mája 7286/18, Nudova Park One, 811 06 Bratislava - Staré Mesto; website: dataprotection.gov.sk, tel. 02 3231 3214; e-mail: statny.dozor@pdp.gov.sk |
You can exercise your rights set out in the table above by contacting the Operator at the contact addresses set out at the beginning of this document. The answer to the exercise of your rights will be provided to you by the Operator free of charge. In the event of a repeated, unfounded or unreasonable request for the exercise of your rights, the Controller is entitled to charge a reasonable fee for the provision of the information. The Controller will provide you with a reply within 1 month from the date on which you exercised your rights. In certain cases, the Controller is entitled to extend this period, in the case of a large number and complexity of requests from data subjects, but not more than 2 months. The Controller will always inform you of the extension of the time limit.
Validity
This updated Policy is valid and effective as of 01.06.2025. As it may be required to update this Policy in the future, the Operator is entitled to update this Policy at any time. In such case, however, the Operator will notify you in advance in an appropriate manner.