Privacy Policy
Effective as of 25.05.2018
Controller:
| Name of the Civic Association: | Malý Berlín |
| Registered Seat: | Ulica Štefánikova 94/4, 91701 Trnava, Slovenská republika |
| ID No. (IČO): | 50916211 |
Supervisory Authority:
| Name: | Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR) |
| Registered Seat and Correspondence Address: | Hraničná 12, 820 07 Bratislava 27 |
| ID No. (IČO): | 36 064 220 |
| Email Contact: | statny.dozor@pdp.gov.sk |
| Phone Contact: | +421 /2 3231 3214 (Office Secretariat) |
Whenever personal data is processed during the activities of our Civic Association, we ensure compliance with all obligations arising from the General Data Protection Regulation (“GDPR”) and other relevant legal standards. This Privacy Policy explains how we process personal data. If you have any questions regarding data protection, you can contact us at any time at:
E-mail: michal.klembara(at)publikum.sk
Correspondence Address: Ulica Spartakovská 6548/19, 91701 Trnava
This Privacy Policy serves primarily to fulfill the information obligations under Articles 13 and 14 of the GDPR towards data subjects whose personal data we process (see Articles 12 to 22 of the GDPR: L_2016119SK.01000101.xml (europa.eu)). Typically, this involves the personal data of our members, contractual partners, artists, authors, donors, supporters, participants in our cultural events, or other events. Within the scope of our activities, we enter into relationships with many other entities, and therefore we want it to be clear to you what this Privacy Policy covers. This Privacy Policy applies to you even if you visit our website [www.malyberlin.sk], regardless of your relationship with our Civic Association.
When processing personal data, we are primarily governed by the GDPR, which also regulates your rights as a data subject, by those provisions of Act No. 18/2018 Coll. on Personal Data Protection and on amendments to certain acts (hereinafter referred to as the “Personal Data Protection Act“) that apply to us, as well as by other relevant regulations. If you do not fully understand any information provided in this Policy, please do not hesitate to contact us.
For what purposes and on what legal bases do we process personal data?
| Purpose of processing | Legal basis |
| 1. Establishing, exercising, or defending legal claims and fulfilling contractual obligations (contractual and legal agenda) | Performance of a contract pursuant to Art. 6(1)(b) GDPR and legitimate interest pursuant to Art. 6(1)(f) GDPR. |
| 2. Accounting and tax purposes (accounting agenda) | Compliance with a legal obligation pursuant to Art. 6(1)(c) GDPR. |
| 3. HR and payroll | Compliance with a legal obligation pursuant to Art. 6(1)(c) GDPR, or performance of a contract pursuant to Art. 6(1)(b) GDPR, or consent of the data subject pursuant to Art. 6(1)(a) GDPR. |
| 4. Raising awareness about the Civic Association in the online environment via social networks, communication platforms, and the Civic Association’s website | Legitimate interest of the Civic Association pursuant to Art. 6(1)(f) GDPR: raising awareness about the Civic Association and its activities in the online environment, or consent of the data subject pursuant to Art. 6(1)(a) GDPR. |
| 5. Sending marketing communication | Consent of the data subject pursuant to Art. 6(1)(a) GDPR or legitimate interest of the Civic Association pursuant to Art. 6(1)(f) GDPR: for direct marketing purposes. |
| 6. Artistic photography or audiovisual recording | Processing without the consent of the data subject for artistic purposes pursuant to Section 78(1) of the Personal Data Protection Act. |
| 7. Statistical purposes | Any of the above-mentioned (compatible) legal bases within the meaning of Art. 89 GDPR. |
What legitimate interests do we pursue?
As indicated above, we pursue the following legitimate interests when processing personal data:
| Legitimate interests | Explanation |
| 1. Establishing, exercising, or defending legal claims | In the event of judicial or extrajudicial disputes, negotiations or communications regarding contractual relationships, reporting facts to public authorities, etc., we rely on our legitimate interest. |
| 2. Raising awareness about the Civic Association in the online environment | In connection with publishing content on social networks, communication platforms, and our website, personal data processing including profiling may occur; in this regard, we also rely on our legitimate interest in raising awareness about our Civic Association and its activities in the online environment. |
| 3. Direct marketing purposes | We consider that direct marketing purposes may also constitute a legitimate interest. We rely on this mainly when sending marketing communication via newsletters in cases where the recipient’s prior consent is not required. If consent is required under applicable regulations, we do not rely on legitimate interest in such cases. |
To whom do we provide your personal data?
We take the confidentiality of personal data seriously. For this reason, we have adopted internal rules ensuring that the personal data we process is shared only with our internal staff, trusted third parties, and authorized recipients. Our staff has access to personal data only within the scope of their job duties. We provide processed personal data only to the necessary and essential extent (from the perspective of the processing purpose), particularly to the following categories of recipients:
- authorized employees (designated internal staff) of the above-mentioned persons.
- processors of accounting, taxes, payroll, or HR;
- transport, courier, and postal companies;
- professional advisors (e.g., attorneys or tax advisors);
- banks and payment service providers;
- public authorities or public administration bodies;
- Slovak Arts Council, central state administration bodies, and other relevant state, self-governing, or non-governmental entities and institutions with whom we interact in the performance of our activities (especially in the cultural field);
- providers of standard software equipment (such as Microsoft);
- providers of analytical and statistical services (such as Google);
- providers of technical support, software equipment, or IT system management;
- providers of server and hosting services;
- Social Insurance Agency, pension management companies, supplementary pension companies, health insurance companies, etc.;
If we use a processor for processing personal data, we always verify in advance whether the processor meets the organizational and technical requirements regarding the security of personal data processing. If we use our own recipients (internal staff) for processing personal data, your personal data is always processed based on authorizations and instructions, by which we instruct our recipients not only about internal data protection rules but also about their legal liability for violations. If we are requested by a public authority to disclose personal data we process, we examine the conditions established by legislation for their disclosure and do not provide your personal data without verifying whether the conditions are met.
Within the operation of our website or email service, we use the following suppliers:
- WebSupport s. r. o., ID No.: 36 421 928, Registered Seat: Karadžičova 12, 821 08 Bratislava: web hosting and mail; WebSupport :: Ochrana osobných údajov
- IFNE Software, s.r.o., ID No.: 35 868 813, Registered Seat: Chorvátska 113/191 Šenkvice 900 81: MaxiTicket system (event tickets), General Terms and Conditions | MaxiTicket; https://www.osobnyudaj.sk/informovanie/53251580
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland: Google Analytics functions; Safeguarding your data – Analytics Help (google.com)
- WP SYNTEX, 28, rue Jean Sébastien Bach, 38090 Villefontaine, France, WordPress plugin (Polylang): language version functionality; Privacy policy – Polylang
- The Rocket Science Group, LLC, Georgia, USA, Mailchimp platform functionalities used for sending newsletters: Mailchimp’s Privacy Policy; Mailchimp Data Processing Addendum;
To which countries do we transfer your personal data?
As a standard practice, we restrict any cross-border transfers of personal data to third countries outside the EU or the European Economic Area unless necessary. However, it is also true that some of our suppliers may be established or their servers may be located in the USA (like most other controllers, we use, for example, services of a global cloud service provider; for communication/information purposes in the online space, we may use platforms of leading global suppliers such as Google, Facebook, Microsoft, etc.).
The USA is considered a third country that does not ensure an adequate level of protection. Despite this, we consider that we carry out transfers of personal data outside the EU or the European Economic Area within the boundaries of the GDPR. Since the EU-US Privacy Shield mechanism was invalidated based on the judgment of the Court of Justice of the EU in the Schrems II case on 16.07.2020, we carry out data transfers to suppliers in the USA based on so-called Standard Contractual Clauses (SCCs) approved by the Commission, i.e., with appropriate safeguards pursuant to Article 46 of the GDPR.
Therefore, in our activities, cross-border transfer of personal data to third countries (USA) may occur in these cases, in connection with the usual use of services and platforms from the following categories of suppliers:
- Providers of standard software equipment (e.g., Microsoft);
Microsoft Privacy Statement – Microsoft privacy
European Union Model Clauses – Microsoft Compliance | Microsoft Docs
- roviders of analytical and statistical services (e.g., Google);
Privacy Policy – Privacy & Terms – Google
Google Ads Controller-Controller Data Protection Terms: Controller MCCs
- Operators of social networks and communication platforms (e.g., Facebook, Instagram, WhatsApp, LinkedIn, etc.)
Facebook
Data Policy | Instagram Help Center
Privacy Policy (whatsapp.com)
What is a standard contract clause? | Centrum pomoci: Facebook
LinkedIn Privacy Policy
EU SCCs (linkedin.com)
- Providers of email newsletter services (e.g., Mailchimp);
Mailchimp Data Processing Addendum
How long do we retain your personal data?
We retain personal data for a maximum of the time necessary for the purposes for which the personal data is processed. In general, the retention period is determined by legal regulations such as the Act on Archives and Registries or the Accounting Act, etc. If a specific retention period for personal data (which we always process only in relation to specific purposes) does not result from legal regulations, we determine such a period through our internal policies or registry plan. If we process personal data based on consent, after its withdrawal, we are obliged not to further process the personal data for that purpose. However, this does not exclude that we may continue to process your personal data on another legal basis, especially if such an obligation arises from the law.
The general retention periods for personal data for our defined processing purposes are as follows:
| Purpose of processing | General retention period of personal data |
| 1. Establishing, exercising, or defending legal claims and fulfilling contractual obligations (contractual and legal agenda) | Until the termination of the contract and the expiration of the limitation (retention) period – generally 4 years after the termination of the contract. Unnecessary data is disposed of upon termination of the contract or until a legitimate objection is filed by the data subject against processing. In relation to our legal claims, we process data during the duration of a lawsuit or out-of-court settlement, but for a maximum of 10 years from the final legally binding settlement. Alternatively, also 3 years from sending our response to a related request of the data subject regarding the exercise of rights under the GDPR. |
| 2. Accounting and tax purposes (accounting agenda) | Until the expiration of the relevant statutory period, generally 10 years following the year in which the relevant accounting document originated. |
| 3. HR and payroll purposes | During the duration of the employment or other than employment relationship and the expiration of the basic periods for retaining relevant documents (generally 10 years after the termination of the employment relationship). However, some documents such as payroll sheets and the employee’s personal file may be retained for up to 70 years from the employee’s birth. If personal data is processed based on consent, maximally until withdrawal. |
| 4. Raising awareness about the Civic Association in the online environment via social networks, communication platforms, and the Civic Association’s website | Until the withdrawal of consent for processing, or until the settlement of a legitimate objection to the processing of personal data. |
| 5. Sending marketing communication | Until the withdrawal of consent for processing, or until the settlement of a legitimate objection to the processing of personal data, generally not longer than 2 years unless consent is renewed. |
| 6. Artistic photography or audiovisual recording | Until the settlement of a legitimate objection to processing. |
| 7. Statistical purposes | During the duration of the above-mentioned purposes. |
The retention periods stated above determine only general periods during which personal data processing for the given purposes occurs. In reality, however, we proceed to the disposal or anonymization of personal data even before the expiration of these general periods if we no longer consider the personal data necessary for the purposes for which the personal data is processed. Conversely, in some specific situations, we may retain your personal data longer than stated above if required by legal regulations or our legitimate interest. If you are interested in information regarding the specific retention period for your personal data, please do not hesitate to contact us.
How do we obtain your personal data?
We most often obtain your personal data directly from you. In such a case, providing your personal data is voluntary. Depending on the specific case, failure to provide personal data may result in the inability to enter into a relationship with our Civic Association. We may also obtain your personal data from publicly available sources or registers, from public authorities, public administration bodies, or other persons.
We may also obtain your personal data from the entity in connection with which we process your personal data. Most often, these are cases where we conclude or negotiate a legal relationship or its terms with the given entity. If the acquisition of personal data concerns a legal relationship, it is most often a contractual requirement or a requirement necessary to conclude a contract. Failure to provide personal data may have a negative impact on the relevant entity, as the conclusion or implementation of a legal relationship with our Civic Association may not occur. If you are a member of a statutory body of an organization that is our contractual party or with whom we are negotiating the conclusion of a contractual relationship, we may obtain your personal data from publicly available sources and registers. Any accidentally obtained personal data is strictly not further systematically processed for any purpose of personal data processing defined by us.
What rights do you have as a data subject?
If we process personal data about you based on your consent to the processing of personal data, you have the right to withdraw your consent at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on the consent of the data subject before its withdrawal.
Regardless of the above, you have the right to object at any time to the processing of personal data based on a legitimate or public interest, as well as for direct marketing purposes, including profiling.
The GDPR establishes general conditions for the exercise of individual rights of data subjects. However, their existence does not automatically mean that individual rights will be granted by us when exercised, as exceptions may apply in a specific case, or some rights are linked to specific conditions that may not always be met. We will always deal with your request regarding a specific right and examine it from the perspective of legal regulations and our internal policy for handling requests from data subjects.
As a data subject, you have in particular:
- Right to request access to personal data pursuant to Art. 15 GDPR that we process about you. This right includes the right to confirmation as to whether we process personal data about you, the right to obtain access to this data, and the right to obtain a copy of the personal data we process about you, if technically feasible;
- Right to rectification and completion of personal data pursuant to Art. 16 GDPR if we process incorrect or incomplete personal data about you;
- Right to erasure of personal data pursuant to Art. 17 GDPR;
- Right to restriction of processing of personal data pursuant to Art. 18 GDPR;
- Right to notification regarding rectification or erasure of personal data or restriction of processing to recipients pursuant to Art. 19 GDPR;
- Right to data portability pursuant to Art. 20 GDPR;
- Right to object pursuant to Art. 21 GDPR;
- Right not to be subject to automated individual decision-making pursuant to Art. 22 GDPR.
You also have the right to file a complaint/motion/proposal for the initiation of proceedings to the Office for Personal Data Protection of the Slovak Republic within the meaning of Section 100 of the Personal Data Protection Act at any time or to turn directly to the competent court with a lawsuit. In any case, we recommend resolving any disputes, questions, or objections primarily by communicating with us.
In connection with the right to object to automated individual decision-making pursuant to Art. 22 GDPR, we also state for completeness that we currently do not carry out processing operations based on which decisions with legal effects or other significant impacts on your person would be made solely based on fully automated processing of personal data within the meaning of Art. 22 GDPR.
How do we protect your personal data?
It is our obligation to protect your personal data in an appropriate manner, and for this reason, we pay due attention to its protection. Our Civic Association has implemented generally accepted technical and organizational standards to preserve the security of processed personal data, especially against their loss, misuse, unauthorized modification, destruction, or other impact on the rights and freedoms of data subjects.
What cookies do we process via our website?
Cookies are small text files that improve website usage, e.g., by allowing recognition of previous visitors when logging into the user environment, remembering the visitor’s choice when opening a new window, measuring website traffic, or how it is used for user improvement. Our website uses cookie files only for statistical purposes of measuring its traffic. Statistical cookies help us understand how visitors interact with the website by collecting and reporting information anonymously.
Legal basis:
- Article 6(1)(a) of the GDPR – consent of the data subject (i.e., the visitor of the Controller’s website; pursuant to Section 55(5) of the Electronic Communications Act, the use of the appropriate web browser setting or other computer program is also considered consent of the data subject for this purpose).
- Article 6(1)(f) of the GDPR – legitimate interest (website functionality, identification and monitoring of visitor movement on the website for internal statistics, evaluation of functioning, and further development of the website, provided that in the given case the interests or fundamental rights and freedoms of the data subject do not override such interest of the Controller).
Types of cookies:
- Essential: Allow the website to remember information that influences its appearance or functioning. This concerns, for example, the preferred language of the website.
- Analytical: Allow recognizing website visitors, determining their number, and possibly identifying the way visitors use the website, which sections they visit, etc.
- Third-party cookies: On the website, we also allow certain third parties (e.g., Google Analytics) to insert their cookie files into the end device and have access to them in accordance with the visitor’s web browser settings. The use of cookies by these companies is governed by their own privacy policies, not by the privacy policy of the Civic Association.
Every visitor to our website is entitled in all cases to refuse the storage of cookies on their end device via their web browser settings (pursuant to Section 55(5) of Act of the National Council of the Slovak Republic No. 351/2011 Coll. on Electronic Communications, the use of the appropriate web browser setting or other computer program is considered consent of the data subject to the processing of personal data).
Procedures for selected web browsers can be found, for example, here:
Turn cookies on or off – Computer – Google Account Help
Delete and manage cookies (microsoft.com)
Specifically, we use mainly the following cookies:
| Cookie Name | Purpose of Use | Provider | Expiration | Type |
| _ga | Registers a unique ID used to generate statistics about how the visitor uses the website. It serves exclusively for the anonymous aggregation of statistical data that helps us understand how visitors use our website (visitor tracking, client ID). | Google Analytics | 2 years | HTTP |
| _gid | Registers a unique ID used to generate statistics about how the visitor uses the website. It serves exclusively for the anonymous aggregation of statistical data that helps us understand how visitors use our website (user behaviour tracking). | Google Analytics | 24 hours | HTTP |
| pll_language | Saving website language settings. | Polylang | 1 year | HTTP |
How to control cookies?
You can control and/or delete cookies at your own discretion – details are available, for example, at www.aboutcookies.org. You can delete all cookies stored on your computer and set most browsers to prevent them from being stored. However, in such a case, you will likely have to manually adjust some settings every time you visit the website, and some services or functions may not work.
Changes to Privacy Policy
Data protection is not a one-time matter for us. Information we are required to provide you regarding our personal data processing may change or become outdated. For this reason, we reserve the right to modify and change these conditions at any time and to any extent. In the event that we change these conditions in a substantial way, we will bring this change to your attention, e.g., by a general notice on our website or in another appropriate manner.