DECLARATION OF THE DATA CONTROLLER ON THE PROCESSING OF PERSONAL DATA

The Controller, the company CROTRADING s.r.o., seated at Levočská 109, Prešov, 080 01, C. Reg. ID: 46386777 (hereinafter the “Data Controller”), in order to ensure the protection of the rights of data subjects, has adopted appropriate technical and organizational measures which declare the lawful processing of personal data. Furthermore, the Controller has implemented a transparent system for recording security incidents and any questions from the data subject as well as from other persons.

The Data Subject may also obtain individual information by telephone at: +421 918 808 889, email: info@heyus.com, or in person at the address: Levočská 109, Prešov, 080 01, or at the Controller’s website: https://heyus.com/personal-data-protection/

Below we provide information on the processing and protection of personal data in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) and Act No. 18/2018 Coll. on the protection of personal data and on the amendment and supplements to certain acts (hereinafter referred to as the “Personal Data Protection Act”).

1. Controller

CROTRADING s.r.o.

Levočská 109 Prešov, 080 01

C. Reg. ID: 46386777

We process your data for our own purposes as the Data Controller. This means that we determine the purposes for which we collect your personal data, determine the means of processing, and we are responsible for their proper execution.

2. List of our processors and recipients who process your personal data

In certain cases, the Data Controller may also process the personal data of Data Subjects through processors who are authorized to process personal data in accordance with Article 28 of the GDPR.

Data Processors process the personal data of Data Subjects on behalf of the Data Controller. The processing of personal data by a Data Processor shall not adversely affect the exercise and enforcement of the Data Subject’s rights. The Data Controller shall only use Data Processors which have adequate technical, organizational and other measures in place to ensure that the processing complies with the requirements of the GDPR and that the protection of the Data Subject’s rights is fully ensured.

The Data Controller uses the following categories of Data Processors when processing the personal data of Data Subjects:

  • Companies supplying technical solutions, web hosting services, maintenance and support of IT systems used by the Data Controller.
  • Companies providing accounting and tax services.

The Data Controller uses the following categories of recipients when processing the personal data of the Data Subjects:

  • Companies providing the Data Controller with marketing solutions.
  • Bodies of state administration and public authority for inspection and supervision purposes.

3. Purpose of Personal Data Processing

On behalf of the company CROTRADING s.r.o. as the Data Controller, we only collect the data from you that we actually need to provide you with a comprehensive service in the field of car service, purchase and sale of motor vehicles. The purposes of the processing of personal data for each procedural step are:

  • When communicating with clients by phone, in person, by electronic/paper mail or through the online contact form, we process data within the meaning of Article 6 par. 1 letter f) of the GDPR Regulation – legitimate interest for the purpose of responding to an enquiry/suggestion or question submitted by you regarding the services and products provided, when it is necessary to verify the relevance of the enquiry, or to carry out a possible follow-up contact with you as a Data Subject.
  • If you express interest in our services, when creating an order for services by phone, in person, by electronic/paper mail, we process data within the meaning of Article 6 par. 1, letter b) of the GDPR Regulation – where data processing is necessary to perform the necessary measures according to your requirements as the customer before the conclusion and confirmation of the order, i.e. during the process of the pre-contractual relationship – e.g. identification of the client during the creation, definition or modification of the order, determination or change of the address and time of delivery, or the completion of other necessary data for the conclusion of the order.
  • After the confirmation of the order, i.e. after the establishment of the contractual relationship between the Data Controller – the company CROTRADING s.r.o. and you as a Data Subject, the Customer, during the necessary cooperative communication with the Client, when informing about changes in the status of the order, during the final personal delivery, or in the preparation and issuance of the tax document (invoice), we process the data within the meaning of Art. 6 par. 1, letter b) of the GDPR – where the data processing is necessary for the performance of a contractual relationship to which you, as the Data Subject, are the contractual party – the Client.
  • Through the website www.heyus.com you have the option to voluntarily register your email address as a subscriber of product news – newsletters, where we process data within the meaning of Article 6 par. 1), letter a) of the GDPR Regulation – based on your consent to the processing of your personal data for the purpose of mailing news in the form of newsletters to the provided email address.

4. List of Personal Data Processed

  • Data required for sending a message via the online contact form
           – Name
           – E-mail address
           – Phone number
  • Registration data for the newsletter – product news
           – E-mail address
  • Data required for order execution
           – Name and surname
           – E-mail address
           – Phone number

5. Period of processing and storage of your personal data

Your personal data that we have processed or are processing within the meaning of Article 6 par. 1, letter b) of the GDPR Regulation – in order to fulfill the obligations of the Data Controller, the company CROTRADING s.r.o., towards customers and clients, we further process in order to fulfill our legal obligations in the field of taxes and accounting, which are based on generally binding legal regulations (e.g. we must keep individual accounting records of your confirmed orders and invoicing for the purpose of delivering goods selected to your contact address in accordance with Act No. 431/2002 Coll. on Accounting as amended, for the purpose of proving compliance with tax obligations in accordance with tax legislation Act No. 595/2003 Coll. on Income Tax, Act No. 563/2009 Coll. on Tax Administration, etc.), for the period of time stipulated by the relevant legislation. However, in any case, we are guided by the principle of minimizing the retention of personal data within the meaning of Article 5 par. 1, letter e) of the GDPR Regulation and therefore your personal data that is not subject to archiving under specific legislation will be deleted or anonymised.

Personal data processed in accordance with Article 6 par. 1), letter a) of the GDPR Regulation – based on your consent to the processing of personal data for the purpose of creating and maintaining a user account or for the purpose of mailing current marketing newsletters, we process the data for a period of 3 years or until the consent is withdrawn. In case of expiration of the data processing period, we will contact you in writing or by e-mail, where it is possible to renew and extend the consent to the processing of your personal data for the defined purpose for the next processing period. If you do not consent to the renewal and extension of the processing period or do not respond to the contact, we will no longer process your personal data – i.e. we will automatically remove the data from the records, delete the electronic data technically from the systems and physically shred the data.

Personal data processed in accordance with Article 6 par. 1), letter f) of the GDPR Regulation – based on legitimate interest, which was obtained in response to an inquiry/suggestion or question submitted by you regarding the services provided and products delivered, where it was necessary to verify the relevance of the request or to carry out any subsequent contact of the client/Data Subject, after which it was not subsequently forwarded to the pre-contractual or contractual relationship, is immediately deleted.

As the Data Controller, we will ensure the erasure of personal data without undue delay after:

  • all contractual relations between you and us as the Data Controller have been terminated; and/or
  • all your obligations towards the Data Controller have ceased; and/or
  • all your complaints and claims have been dealt with; and/or
  • all other rights and obligations between you and us as the Data Controller have been settled; and/or
  • all the processing purposes laid down by law or the processing purposes for which you provided your consent have been fulfilled, if the processing was carried out based on the Data Subject’s consent; and/or
  • the period for which consent was given has expired or the Data Subject has withdrawn his or her consent; and/or
  • the Data Subject’s request for erasure of personal data has been granted and one of the grounds for satisfying that request has been met; and/or
  • a legal ground for termination of the purpose of processing has occurred and also the protective retention period defined with regard to the principle of minimization of the retention period of personal data has expired;
  • the legitimate interest of the Data Controller does not persist, all obligations laid down by generally binding legal regulations which require the storage of the personal data of the Data Subject (in particular for archiving purposes, tax inspection, etc.) have ceased to exist, or which could not be fulfilled without their storage.

In any case, we do not systematically process further any personal data collected incidentally for any purpose defined by us. Where possible, we shall inform the Data Subject to whom the accidentally obtained personal data belong of their accidental acquisition and, depending on the nature of the case, we shall provide him or her with the necessary cooperation to regain control over his or her personal data. Immediately after these necessary actions to resolve the situation, we shall dispose of all accidentally obtained personal data in a secure manner.

Should you desire further information about the specific retention period of your personal data, please contact us using the contact details provided.

6. Disclosure of data

In any case, our company does not disclose the collected data.

7. Cross-border transfer of personal data

Cross-border transfer of personal data does not take place.

8. Rights and obligations of the Data Subject

  • The Customer is obliged to provide only complete and truthful information.
  • The Customer agrees to update his/her data if there is a change, at the latest before the first order following the change is placed.
  • The Customer undertakes that if he/she provides personal data of a third party (name, surname, phone number), he/she does so only with the consent of that party and that the Data Subject has been informed about the procedures, rights and obligations provided on this website.
  • You, as our Client and the Data Subject, are entitled to make decisions about the handling of your personal data within the specified scope. You can exercise the rights set out below:
           – In person at the contact point of the operator – the company CROTRADING s.r.o., seated at: Levočská 109, Prešov, 080 01;
           – Via our customer service line: +421 918 808 889;
           – Via e-mail: info@heyus.com;

We will endeavor to reply as soon as possible, but shall always reply to you within 30 days of receipt of your request at the latest. The applicable legislation and the GDPR Regulation or the Act provide you, in particular, with the following:

Right of Access – You have the right to request confirmation from us as to whether your personal data is being processed and, if so, to obtain a copy of that data and additional information pursuant to Article 15 of the Regulation or Article 21 of the Act. Where we collect a large amount of data about you, we may require you to specify the range of specific data we process about you.

Right to Correction – In order to ensure that we only process personal data about you that is up-to-date at all times, we need you to notify us of any changes as soon as they occur. If we process incorrect data about you, you have the right to request its correction.

Right to Erasure – If the conditions of Article 14 of the Regulation or Article 23 of the Act are met, you may request the erasure of your personal data. Therefore, you can request erasure if, for example, you have withdrawn your consent to the processing of your personal data and there is no other legal basis for the processing, or if we are processing your personal data unlawfully, or if the purpose for which we processed your personal data has ceased to exist and we are not processing it for another compatible purpose. However, we will not delete your data if it is necessary for proving, exercising or defending legal claims.

Right to Restriction of Processing – If the conditions of Article 18 of the Regulation or Article 24 of the Act are met, you can request us to restrict the processing of your personal data. Therefore, you can request a restriction, for example, while you object to the accuracy of the data processed or if the processing is unlawful and you do not want us to delete the data but need the processing to be restricted while you exercise your rights. We will continue to process your data if there are grounds for proving, exercising or defending legal claims.

Right to Portability – If the processing is based on your consent or carried out for the fulfillment of a contract concluded with you and at the same time carried out by automated means, you have the right to receive from us your personal data that we have collected from you in a commonly used machine-readable format. If you so wish and it is technically feasible, we will transfer your personal data directly to another Data Controller. This right will not apply to processing carried out for the fulfillment of a task carried out in the public interest or in the exercise of official authority.

Right to Object to Processing – If we process your personal data for the fulfillment of a task carried out in the public interest or in the exercise of official authority vested in us, or if the processing is carried out pursuant to our legitimate interests or the legitimate interests of a third party, you have the right to object to such processing. Upon your objection, we will restrict the processing of your personal data and, unless we can demonstrate compelling legitimate grounds for processing which prevail over your interests, rights and freedoms or for the establishment, exercise or defense of legal claims, we will no longer process your personal data and will delete your personal data. You have the right to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. Once you have lodged an objection, we will no longer process your personal data for this purpose.

Right to Lodge a Complaint – If you consider that the processing of your personal data is in breach of the Regulation or the Act, you have the right to lodge a complaint with one of the competent supervisory authorities, in particular in the Member State of your habitual residence, place of work or place of the alleged breach. For the territory of the Slovak Republic, the supervisory authority is the Office for Personal Data Protection, with registered office at Hraničná 4826/12, 820 07 Bratislava, Slovak Republic, website: www.dataprotection.gov.sk, tel.: +421 /2/ 3231 3220.

Right to Withdraw Consent – If the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the processing already completed. If at any later time you decide that you wish to resume receiving sales and marketing offers from us about our products and services, you may renew your withdrawn consent (or lodged objection) at any time by using any of the contact methods set out above.

9. Contact details of the Office and of the person responsible

Office for Personal Data Protection of the Slovak Republic

Address:

Hraničná 12

820 07, Bratislava 27

Slovak Republic

C. Reg. ID: 36 064 220

Registry:

Monday – Thursday: 8:00 – 15:00

Friday: 8:00 – 14:00

Phone consultations on data protection:

Monday – Thursday: from 8:00 to 12:00 +421 2 323 132 20

Office of the President’s Secretariat +421 2 323 132 11

Secretariat of the Office: +421 2 323 132 14

Fax: +421 2 323 132 34

Spokesperson:

Cell phone: 0910 985 794

e-mail: hovorca@pdp.gov.sk

E-mail:

a) general affairs: dozor@pdp.gov.sk

b) for the provision of information pursuant to Act No. 211/2000 Coll.: info@pdp.gov.sk

c) website: webmaster@pdp.gov.sk

d) Use the online form for submitting requests for information pursuant to Act No. 211/2000 Coll. on free access to information.

e) the email address through which the Office will provide you with advice on personal data protection. It is intended for children, young people, students, teachers, parents who suspect that their personal data has been misused: ochrana@pdp.gov.sk

You can find a template for opening a personal data protection procedure on the website of the Office (https://dataprotection.gov.sk/uoou/sk/content/konanie-o-ochrane-osobnych-udajov).

10. Website security

The website www.heyus.com uses an encrypted SSL connection for any user connection and transmission of any data, which prevents third parties from accessing the transmitted data while it is being transmitted across the Internet and prevents third parties from altering such data. The Data Controller’s databases containing personal data are protected by encryption and non-public access data in accordance with state-of-the-art technical standards.