Privacy Policy – Provision of Services
This privacy policy (hereinafter as “Privacy policy“) regulate conditions for personal data processed by the controller – company Red Basket, s. r. o., with its registered seat Hroznová 1, 831 03 Bratislava, Slovak republic company ID number: 53 067 240, Business register of the District Court of Bratislava I, Section: Sro, Insert No.: 146039/B (hereinafter as “Controller“ od “we” in a respective grammatic form) in cases related to:
- the provisions of services and performing other business activities,
- maintenance of business relationships with the business partners and clients of the Controller,
The Controller is hereby informing you why your personal data are processed, how they are processed, for how long they are processed, what your rights regarding the processing of your personal data are and other relevant information on the processing of your personal data. Via this document, the Controller is fulfilling his information obligation to all data subjects, whether the personal data are obtained directly from you as data subjects or from other source.
The Controller processes your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter as “Regulation“), respective Slovak data protection legislation and other legislation in relation to personal data protection (hereinafter as “Personal data protection legislation“).
How can you contact the controller?
In matters related to personal data processing and protection, you may contact the Controller at the address Red Basket, s. r. o., with its registered seat Hroznová 1, 831 03 Bratislava, Slovak republic or via e-mail address team@redbasket.agency.
I. GENERAL INFORMATION
By this Privacy policy the Controller is providing you with the information on your personal data processing related to the provision of his services.
In some cases, when the Controller is providing marketing services for the Controller’s clients (hereinafter as “clients“) and the Controller is acting in the name and under orders of his clients, the personal data of the data subjects are processed by the Controller on behalf of its clients. When processing the personal data of the data subjects on behalf of clients, the Controller acts as a processor pursuant to Art. 4 (8) of the Regulation, while the controller who determines the purposes and means of personal data processing is always the client.
In a case described above the Controller enters into an agreement with its clients on entrustment with the processing of personal data, which sets out the conditions for the processing of personal data of the data subjects by the Controller as processor on behalf of its clients, and obligations to ensure an adequate level of personal data processing and it´s security.
Purposes, legal bases, scope and range of recipients of personal data processed by the Controller as processor on behalf of clients is determined by clients and relevant legislation, while the Controller in cases where it processes personal data of data subjects on behalf of its clients follows exclusively instructions of its clients and relevant legal regulations, fulfils the obligations of the processor accordance with the provisions of the Regulation and other respective legislation and does not perform any other processing operations with personal data except those arising from the concluded contract on entrustment with the processing of personal data and processing purposes specified by the client.
Information on the processing of your personal data in the above–mentioned situations shall be provided to you by the relevant controller – client of the Controller.
II. PURPOSES OF PROCESSING, LEGAL BASES, CATEGORIES OF PERSONAL DATA AND RETENTION PERIOD
In case, when the personal data are processed in the name of the Controller, it processes only such personal data which are necessary for the processing operation (purpose of the processing), always in accordance with the principle of minimization, so that the Controller can process personal data for which you have consented to, for the purposes of legitimate interests pursued by the Controller or to fulfil a contract concluded with you or comply with the legal obligation to which the Controller is subject. The Controller processes the personal data solely for the reasonable purposes, during limited period and by using the maximum possible level of security measures. The Controller processes your personal data only when the relevant legal basis for the processing exists (in accordance with the principle of lawfulness).
The Controller always stores the personal data in accordance with the principle of storage limitation. It means that it processes the personal data solely for a period during which it is necessary to store the personal data. After such a period elapses, the Controller erases the personal data, if not otherwise regulated by law.
You can find categories of your personal data, which are processed, specific purposes, for which the Controller processes your personal data when providing services, relevant legal bases, on which are your personal data processed and set retention periods in the tables of purposes, which are located below:
In CASE you are a client or business partner (legal and natural persons) ordering services directly from the controller or concluding a contractual relationship with the controller
Purpose of processing | Legal bases | Categories of personal data | Retention period |
| Receiving and registering orders for services and implementing pre-contractual relations | Article 6 (1) (b) of the Regulation | Ordinary personal data necessary for the performance of contractual obligations (Name, surname, business name, registered seat address, ID, contact details – e-mail address, phone no., bank account details) | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Fulfilment of legal obligations related to the conclusion of a distance contract (provision of information, withdrawal from the contract) | Article 6 (1) (c) Regulation, Act No. 250/2007 Coll. consumer protection act, Act No. 102/2014 Coll. on consumer protection in the sale of goods or provision of services under a distance contract or a contract concluded away from the seller’s business premises and on amendment and supplementation of certain laws, other relevant legislation | Ordinary personal data necessary for the performance of contractual obligations (Name, surname, business name, registered seat address, ID, contact details – e-mail address, phone no., bank account details) | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Performance of contractual obligations of the Controller, including pre-contractual relations with business partners | Article 6 (1) (b) of the Regulation | Ordinary personal data necessary for the performance of contractual obligations (Name, surname, business name, registered seat address, ID, contact details – e-mail address, phone no., bank account details) | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Performance of contractual obligations of the Controller, including pre-contractual relations with natural persons – internal contractors | Article 6 (1) (b) of the Regulation | Ordinary personal data necessary for the performance of contractual obligations (Name, surname, business name, registered seat address, ID, contact details – e-mail address, phone no., bank account details) | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Handling of contractual complaints and keeping of related statutory records | Article 6 (1) (c) of the Regulation, Act No. 40/1964 Coll. the Civil Code, Act No. 250/2007 Coll. consumer protection act | Ordinary personal data (name, surname, business name, phone no., e-mail address, business ID, contract details | Until the complaint is handled and after it´s handling until the expiration of the legal limitation period or full settlement of possible the legal claims |
In CASE you are a representative (employee, member of statutatory body or proxy) of client – legal person ordering services from the controller or a representative (employee, member of statutatory body or proxy) business partner – legal person concluding a contractual relationship with the controller
Purpose of processing | Legal bases | Categories of personal data | Retention period |
| Keeping records of legal disputes, administrative disputes | Article 6 (1) point (c) of the Regulation, Act No. 160/2015 Coll. on the Civil Procedure Code as amended, Act No. 307/2016 Coll. on Reminder Proceedings and on Amendments to Certain Acts | Ordinary personal data and special category of personal data necessary for compliance with legal obligations | 10 years following the year to which they relate |
| Keeping records of business partners and clients – natural persons (their contact persons / representatives) | Article 6 (1) (f) of the Regulation – the processing of personal data is carried out for the purposes of the legitimate interest pursued by the Controller, which lays in the need to keep record on the business partners for the purposes of accounting, ensuring internal control activities and for the enforcement of legal and other claims arising from concluded contracts after their termination | Ordinary personal data (name, surname, business name, phone no., e-mail address, business ID, contract details | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Keeping records of contact persons of the business partners and clients which are legal persons and execution of contractual communication in order to perform the contractual obligations towards the business partner or client – legal person | Article 6 (1) (f) of the Regulation – the processing of personal data is carried out for the purposes of the legitimate interest pursued by the Controller, which lays in the need to fulfill the contractual obligations towards business partners or clients which are legal persons (since in the name of the legal person there is always a natural person – data subject acting) | Ordinary personal data (name, surname, function within the legal person, business phone no., business e-mail | During the duration of the contractual relationship and after its termination until the full settlement of the contractual and other claims arising from the contractual relationship or until the termination of a position of a data subject as a representative of the legal person |
| Conducting business communication with representatives of suppliers/customers in the capacity of legal entities, including pre-contractual relations | Article 6 (1) (f) of the Regulation | Ordinary personal data necessary for the performance of contractual obligations (Name, surname, business name, registered seat address, ID, contact details – e-mail address, phone no., bank account details) | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Conducting business communication with representatives of suppliers/customers in the capacity of legal entities, including pre-contractual relations | Article 6 (1) (f) of the Regulation – the processing of personal data is carried out for the purposes of the legitimate interests pursued by the Controller, which are: – fulfillment of contractual obligations in case of a contract concluded with legal person and execution of contractual communication, – accounting purposes and internal control activities, including access management and keeping logs on the granted access rights and provided devices and – enforcement of legal and other claims arising from concluded contracts after their termination with internal contractors. | Ordinary personal data (name, surname, business name, phone no., e-mail address, business ID, contract details, data on granted access rights, borrowed devices) | During the duration of a contractual relationship with the internal contractor and after its termination until the expiration of the legal limitation period or until the full settlement of the legal claims (or until the termination of a position of a data subject as a representative of internal contractor) |
| Providing a reply to and handling of queries/requests delivered to the Controller via messages delivered via the contact form on the website www.redbasket.agency | Article 6 (1) (f) of the Regulation – processing is necessary for the purposes of legitimate interest pursued by the Joint controllers, in particular interest in responding to the received messages for proper conduct of business communication, improvement of the quality of provided services and acquisition of a new clients for both entities | Name, surname, phone number, e-mail address, a name of a company, on which behalf data subject acts, country, in which the data subjects is interested to be provided with, other data provided in the query or message | Until the query or request is handled (up to 3 months) |
| Direct marketing – former and current customers (newsletter) | Article 6 (1) (f) of the Regulation | E-mail address, first name, surname, affiliation to the client’s company | 3 years from the date of provision of the service or until unsubscription from the newsletter |
In other CASEs when your personal data may be processed (if you contact the controllor with a query, if you exexute your right as a data subject or in cases related to the accounting anf tax obligations)
Purpose of processing | Legal bases | Categories of personal data | Retention period |
| Providing a reply to messages and handling of queries/requests from data subjects received via Controller’s profiles on social networks, or via e-mail or telephone communication | Article 6 (1) (f) of the Regulation – the processing of personal data is carried out for the purposes of the legitimate interest pursued by the Controller, which is to interest to provide a reply to received messages for proper management of business communication, quality of service provided and new clientele acquisition | Name, surname, e-mail address, phone no., other data contained in the message | 3 months from the date of receipt of the request (message) or until the request has been processed, whichever is the earlier |
| Processing of data subjects’ requests | Article 6 (1) (c) of the Regulation, Slovak data protection act, other respective personal data protection legislation | Ordinary personal data necessary for the fulfilment of legal obligations – handling of the request of the data subject | During the handling of the application or exercised rights |
| Keeping records of the executed rights of data subjects and submitted requests | Article 6 (1) (f) of the Regulation – the processing of personal data is carried out for the purposes of the legitimate interest pursued by the Controller, which is the need to ensure the registration of ways, how the Controller handled the exercised rights of data subjects and their requests for the purposes of possible control of the supervisory authority and demonstration of compliance with the controller’s obligations under the relevant legislation | Ordinary personal data necessary for the fulfilment of legal obligations – handling of the request of the data subject | 5 years following the year to which they relate to |
| Processing of accounting documents | Article 6 (1) (c) of the Regulation, Act Nr. 431/2002 Coll. on accounting, Act Nr. 222/2004 Coll. On VAT | Ordinary personal data necessary for fulfillment of statutory obligations | 5 years following the year to which they relate |
| Processing of documents in accordance with the registry order and registry plan of the controller including processing of received and sent mail | Article 6 (1) (c) of the Regulation, Act Nr. 395/2002 Coll. on archives and registratures | Ordinary personal data necessary for fulfillment of statutory obligations | In accordance with the relevant provisions of Act of July 14, 1983, on the national archival resource and archives |
In relation to securing personal data, the Controller has adopted internal documentation on information and personal data security, in which adequate security measures are further specified. Security measures have been adopted in order to secure the processing of your personal data.
III. SOURCE OF THE PERSONAL DATA
The Controller obtains your personal data directly from you as a data subject, in case you provide the Controller with your personal data (when you contact us, when you conclude a contract with us or when you provide us with your personal data via other way –precontractual issues).
The Controller can obtain your personal data also from other sources, namely:
- a company, on which behalf you act when ordering a service from the Controller or when otherwise contacting the Controller on that company´s behalf,
- from another company (legal persons) that has ordered a service from the Controller (for example, your employer).
In case a Controller is providing a service to you, this provision would be impossible if your personal data would not be provided and / or processed by the Controller.
IV. TO WHOM THE CONTROLLER PROVIDES YOUR PERSONAL DATA?
In certain cases, the Controller is obliged to provide your personal data to public authorities that are authorized to process your personal data, e. g. by a court or law enforcement authority. In some cases, the Controller is also obliged to provide your personal data to the competent supervisory authorities, in particular to the Slovak Office for Personal Data Protection.
Recipients of your personal data when providing services (depending on the type of service provided) also include:
State offices and institutions: Tax office, Court
Other: Notary office, Advocates, lawyers, translation agency.
The Controller also provides your personal data to its processors, i.e., external entities that process your personal data on behalf of the Controller. Processors process personal data on the basis of a contract concluded with the Controller in which they have undertaken to take appropriate technical and security measures for the purpose of the secure processing of your personal data (according to the Art. 28 of the Regulation). The Controller’s processors include:
- a company providing social media posting services,
- a company providing social networking services,
- project and team management services company,
- website design services company,
- a company providing e-mail and web hosting services,
- a company providing an online platform for sharing and saving documents,
- a company providing, e-mail related services, communication software, and
- cookies providers,
- a company providing cloud services,
- a company providing transcription services.
Among the recipients of your personal data belong also (these are not processors):
- European affiliates of the companies Facebook, Inc. and LinkedIn Corporation which are the companies that operate social networks used by the Controller for the communication and presentation activities (in case you contact Controller via these networks).
- Google LLC and Alphabet Inc. in case of using cloud services,
- Otter.ai Inc. in case of using transcription services.
V. TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS
In some cases, your personal data can be transferred to third countries of international organizations. These cases are as follows:
- if you contact the Controller via its profiles on social networks Facebook, Instagram, LinkedIn, Twitter your personal data may be transferred to USA, to the companies of Meta Inc. LinkedIn Corporation and Twitter, Inc., which are parent companies of the operators of the social networks Facebook, Instagram, LinkedIn and Twitter and under special US laws are in some cases required to have access to your personal data.
- if the Controller using cloud services your data may be transferred to USA to company Google LLC and Alphabet Inc,
- if the Controller using transcription services your data may be transferred to USA – Otter.ai Inc.,
- if our external cooperating persons providing services (so called contractor) is involved, your data may be transferred to third countries according to the relevant country in which the cooperating person is based (especially but not exclusively: USA, Canada, Mexico, Nigeria – the list of these countries may change according to our personal operation).
Transfer of your personal data in the above stated cases is secured according to the Regulation, via standard contractual clauses incorporated into the service and our data processing agreements concluded with respective recipients of your personal data.
Your personal data is not provided to other third countries or international organizations in any case.
VI. DOES THE CONTROLLER USE PROFILING AND AUTOMATED DECISION-MAKING?
The Controller does not process your personal data by profiling or any form of automated individual decision-making, by which evaluation of your personal aspects would take place in the normal course of our business or when providing above stated services to you.
VII. WHAT ARE OUR RIGHTS IN RELATION TO PERSONAL DATA PROCESSING?
As the data subject, your rights regarding the processing of your personal data are as follows:
Your right and description | Your right and description |
| Right of access – You have the right to obtain a copy of the personal data which we hold about you, as well as the information on how we use your personal data. In most cases, your personal data will be provided to you by electronic means of communication, unless otherwise requested by you. | Right to rectification – We take reasonable measures in order to ensure that the data which we hold about you is accurate, complete and up to date. In case the personal data we hold is inaccurate, incomplete, or outdated, we will modify, update, or complete such personal data on basis of your request. |
| Right to erasure – Under certain circumstances, you have the right to ask us to erase your personal data, for example, if the personal data we have obtained about you, are no longer necessary to fulfil the original purpose of processing or if you withdraw your consent to the personal data processing. We assess exercising your right to erasure (right to be forgotten) on the basis of individual circumstances of each particular case of processing. | Right to restriction of processing – You also have the right to ask us not to process your personal data. If you believe that the personal data we process about you are not accurate, that the processing is unlawful and you request the restriction of their processing, that we no longer need your personal data, but they are required by you as the Data subject for the exercise of legal claims or if you believe that we as the controller are not entitled to further process your personal data, we will not further process your personal data on the basis of your request. |
| Right to data portability – Under certain circumstances, you have the right to transmit the personal data to another subject according to your choice. However, the right to portability applies only to personal data that we process under the contract to which you are one of the parties or on the basis of the consent which you have granted us. | Right to lodge a complaint or request – If you believe that we breach Personal data protection legislation when processing your personal data or that we have not handled your request in accordance with such legislation, you can lodge a complaint with the respective supervisory authority which is in Slovak republic – Data Protection Office of Slovak republic, Hraničná 12, 820 07 Bratislava; web address: dataprotection.gov.sk, Tel. +02 3231 3214; e-mail: statny.dozor@pdp.gov.sk |
| RIGHT TO OBJECT You have the right to object to processing of your personal data, for example if we process your personal data based on the legitimate interest or to processing in which profiling occurs. If you object to such personal data processing, we will not further process your personal data unless we demonstrate compelling legitimate grounds for such processing. | |
| RIGHT TO WITHDRAW CONSENT If we process your personal data on the basis of your consent, you have the right to withdraw such consent for further processing of your personal data. You may withdraw your consent at any time in writing, by e-mail or orally (in person). | |
VIII. HOW CAN YOU OBTAIN FURTHER INFORMATION AND EXCERCISE YOUR RIGHTS?
You may exercise your rights stated in the previous point of this Privacy policy via contact addresses stated in the beginning of this Privacy policy.
We will provide you with a response to a request regarding exercise of your rights within one month from the day of exercise of your rights. In certain cases, we are entitled to prolong the period for providing the response, i.e., in case of a high number and complexity of the requests submitted by the data subjects, by a maximum of 2 months. We will always inform you in advance about prolongation of the period. Response to a request regarding exercise of your rights will be provided to you free of charge. In case of a repeated, unreasonable, or disproportionate request to exercise your rights, we are entitled to charge a reasonable fee for providing the information.
IX. VALIDITY
This Privacy policy is valid and effective as of September 7, 2023.
As it is possible that an update of the information on personal data processing contained in this Privacy policy may be necessary in the future, the Controller is entitled to update this Privacy policy at any time. In such case, the Controller will inform you about it in an adequate manner in advance.
