National Institute for Value and Technologies in Healthcare

Registered at: Zámocké schody 2/A, 811 01 Bratislava

Company identification number (IČO): 54343461

PERSONAL DATA PROTECTION POLICY

The National Institute for Value and Technologies in Healthcare, registered office: Zámocké schody 2/A, 811 01 Bratislava, Company identification number (IČO): 54343461 (hereinafter referred to as "NIHO"), as the operator of the information system, publishes these principles of personal data protection in order to maintain transparency towards the persons concerned.

Basic information

NIHO aims to protect your personal data and privacy, and therefore, when processing personal data, we proceed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) and Act No. 18/2018 Coll. on the protection of personal data, as amended. In this privacy policy, we explain how we collect and process your personal data. In addition, you will find information here about your rights as a data subject in relation to the processing of your personal data.

For the purposes of this Privacy Policy, we use the following abbreviations:

  • Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Act – Act No. 18/2018 Coll. on the protection of personal data and amending and supplementing certain acts;

Who is the controller in relation to your personal data?

The controller in relation to your personal data is the National Institute for Value and Technologies in Healthcare, registered office: Zámocké schody 2/A, 811 01 Bratislava, Company ID: 54343461.

Legal basis for processing personal data

What personal data of yours do we process? For what reasons? For what purposes? What is our legal basis for data processing?

We process personal data only to the extent necessary, and we do not process special categories of personal data (so-called sensitive personal data).

We process personal data for various purposes, but only to the minimum extent, in order to comply with the principle of purpose minimization of personal data processing set out in the Regulation, according to which the controller may obtain personal data only for specific, explicit and legitimate purposes. We process personal data lawfully, and only within the limits of the legal bases set out in Article 6(1) of the Regulation. In this case, we emphasize that the legal bases on which your personal data may be processed include your consent to the processing of personal data, but only if there is no other legal basis (e.g. compliance with a legal obligation of the controller, legitimate interest pursued by the controller or a third party).

It follows from the above that within the framework of our activities we process personal data for various purposes and to varying extents, either:

  1. based on your consent, or
  2. without your consent on the basis of a legal basis other than the performance of a contract, our legitimate interest or due to the fulfillment of a legislative obligation.

Each controller is responsible for ensuring that the appropriate legal basis has been established for the processing of personal data pursuant to Art. 6(1) of the Regulation. The rights of the data subjects result from the determination of the correct legal basis. As a controller, we have considered what constitutes an appropriate legal basis for the planned data processing before commencing activities involving the processing of personal data.

We hereby inform you that as the Controller we process only and exclusively your following personal data, for the following purposes and on the following legal bases:

  • Employee personal agenda
Purpose of processing personal data: Fulfillment of the employer's obligations related to employment or similar relationships (for example, based on agreements on work performed outside of employment), employee qualification improvement agenda and pre-contractual relationships (selection procedure). Within the information system in question, the main purpose is also fulfilled through: maintaining the personal agenda of employees in an employment relationship or other similar legal relationship, processing the agenda of hiring employees and terminating employment, processing the necessary statistical reports, increasing the qualifications of employees - their education through training, awarding certificates, authorizations or licenses, for the purpose of comprehensively ensuring the protection of the safety and health of employees at work, employee insurance for business trips.
Name of the information system: IS Personnel agenda of employees
Legal basis: Performance of the contract pursuant to Article 6(1)(b) of the Regulation. Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 5 to 10 years; pay slips, work performance agreements and work activity agreements 50 years; personal files – up to the employee's 70th birthday
Person concerned: Job applicant, employee, employee's spouse, dependent children of employees, parents of dependent children of employees, close relatives, former employees.
  • Employee payroll agenda
Purpose of processing personal data: Fulfillment of the employer's obligations related to employment or a similar relationship (for example, based on agreements on work performed outside of employment). Within the information system in question, the main purpose is also fulfilled through: processing the necessary statistical reports, processing wages and keeping relevant records in accordance with wage regulations, making wage deductions to the state and other entities in accordance with relevant laws, preparing documents for budget creation in the area of wages, keeping the payroll agenda of the IS operator's employees for labor law, payroll and sick leave purposes.
Name of the information system: IS Employee Payroll Agenda
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 5 to 10 years; pay slips, work performance agreements and work activity agreements 50 years; personal files – up to the employee's 70th birthday
Person concerned: Job applicant, employee, employee's spouse, dependent children of employees, parents of dependent children of employees, close relatives, former employees.
  • Employee health and safety agenda
Purpose of processing personal data: Fulfillment of the employer's obligations related to employment or a similar relationship (for example, based on agreements on work performed outside of employment). Within the information system in question, the main purpose is also fulfilled through comprehensive occupational health and safety management and related tasks such as keeping records and registering occupational accidents, as well as records of inspections of compliance with occupational health and safety regulations, employee training, and the like.
Name of the information system: IS Employee Health and Safety Agenda
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 5 to 10 years; work accidents, occupational diseases, health records of employees working in the risk category 40 years; decisions of supervisory authorities 70 years.
Person concerned: Employee, former employee.
  • Records of members of the Supervisory Board, Scientific Council
Purpose of processing personal data: The IS in question processes personal data, namely by keeping records of members of the supervisory board and scientific council.
Name of the information system: IS Records of members of the Supervisory Board, Scientific Council
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 10 years after termination of office
Person concerned: Member of the Supervisory Board, Scientific Council.
  • Legal relations
Purpose of processing personal data: The IS in question processes personal data in connection with the conduct of legal disputes with natural persons and their representatives.
Name of the information system: IS Legal relations
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 10 years after the legal termination of the lawsuit, the end of the enforcement proceedings.
Person concerned: Natural persons with whom the operator is engaged in legal disputes and their representatives, and natural persons whose personal data is processed as part of a legal dispute. Natural persons against whom the operator has enforceable claims.
  • Contractual relations
Purpose of processing personal data: Within the framework of the IS in question, personal data of a natural person as one of the contracting parties is processed. In the IS Contractual Relations, contractual relationships are prepared, namely lease agreements, purchase agreements, contracts within supplier-customer relationships, etc.
Name of the information system: IS Contractual relations
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 10 years after the end of the contract.
Person concerned: Contracting Party – a natural person, a natural person authorized by the Contracting Party to perform certain activities related to the contract.
  • Registration of requests based on Act No. 211/2000 Coll. on free access to information
Purpose of processing personal data: Keeping records of requests for information.
Name of the information system: IS Legal relations
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 5 years from the date of application
Person concerned: Natural person – information requester
  • Job applicant records
Purpose of processing personal data: Maintaining a database of job applicants who have sent applications for employment to the IS operator voluntarily, without a published selection procedure.
Name of the information system: IS Records of job applicants
Legal basis: The consent of the data subject pursuant to Article 6(1)(a) of the Regulation and the Act on the Protection of Personal Data, whereby the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Retention period: 1 year from the date of sending the application for employment
Person concerned: Job seeker
  • Public procurement
Purpose of processing personal data: The main mission of the Public Procurement IS is to process personal data of natural persons (especially statutory bodies of legal entities) who have legally participated in public procurement for the provision and procurement of goods, works and services.
Name of the information system: IS Public Procurement
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: 10 years after the end of the public procurement
Person concerned: Natural persons – managers of legal entities. Natural persons – entrepreneurs
  • Necessary cookies
Purpose of processing personal data: The purpose of processing personal data is the processing of personal data of natural persons - visitors to the operator's website for the purpose of technical storage of data or access to them, for the purpose of transmitting or facilitating the transmission of a message via a network, or if this is strictly necessary for the operator as a provider of information society services to provide an information society service that is explicitly requested by the data subject as a user. This is to adapt the operation of our website to your needs.
Name of the information system: IS Necessary cookies
Legal basis: Fulfillment of the legal obligation of the controller pursuant to Article 6(1)(c) of the Regulation.
Retention period: While browsing the website.
Person concerned: Data subjects who visited the operator's website

To whom do we provide your personal data?

We protect the personal data we have collected from you and do not disclose or provide it to third parties or entities except the recipients listed below.

We provide the personal data we have collected from you, to the extent necessary, to the following recipients:

We select our partners, among other things, with regard to guarantees of their reliability and professional care in processing personal data.

If such an obligation arises from law or a decision of a public authority, your personal data may also be provided to public authorities or other entities.

Rights of the data subject in relation to the protection of personal data

As a data subject whose personal data we process in our information systems for specifically defined purposes, you can exercise the following rights in writing or electronically:

a) Right of access to personal data

You have the right to request confirmation from us as to whether we are processing personal data concerning you and, if so, you have the right to access this personal data and to receive basic information about the processing of your personal data. For this purpose, you can contact us at any time using the contact details provided on our website.

b) Right to correct and/or supplement personal data

You have the right to request that we correct inaccurate personal data concerning you without undue delay, as well as the right to have incomplete personal data completed. For this purpose, you can contact us at any time using the contact details provided on our website.

c) Right to erasure of personal data

You have the right to request the immediate deletion of your personal data only if:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you withdraw the consent on the basis of which the processing is carried out and if there is no other legal basis for the processing;
  • you object to the processing and there are no overriding legitimate grounds for the processing;
  • personal data was processed unlawfully;
  • the personal data must be erased to comply with a legal obligation under European Union law or the law of a Member State to which we are subject;
  • personal data were collected in connection with the offer of information society services pursuant to Article 8(1) of the Regulation.

For this purpose, you can contact us at any time via the contact details provided on our website, and we will then assess whether there are any exceptions in your case where it is not necessary to delete your data even if any of the above conditions are met (e.g. it is necessary to exercise legal claims).

d) Right to restriction of processing of personal data

You have the right to have us restrict the processing of your data (i.e. only store your data but do not process it in any other way) if:

  • you have challenged the accuracy of personal data;
  • the processing is unlawful and you object to the erasure of the personal data and request the restriction of their use instead;
  • we no longer need your personal data for the purposes of processing, but you need them to establish, exercise or defend legal claims;
  • you object to the processing.

For this purpose, you can contact us at any time using the contact details provided on our website, and we will then assess whether there are any exceptions in your case, where your personal data can be processed in a way other than by storage.

e) Right to object to the processing of personal data

You have the right to object to the processing of your personal data if the legal basis for the processing of your personal data is: a) necessary for the performance of a task carried out in the public interest or in the exercise of official authority or b) processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of your person which require the protection of personal data, in particular if the data subject is a child.

If your data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data to the extent it is related to such direct marketing.

For this purpose, you can contact us at any time using the contact details provided on our website.

We may process your personal data only if we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

f) Right to data portability

If the processing of your personal data is carried out by automated means, based on your consent or for the purpose of performing a contract, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit these data to another person (controller).

g) The right to withdraw consent to the processing of personal data at any time

Finally, you have the right to withdraw your consent to the processing of personal data concerning you at any time. The withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent before its withdrawal. For this purpose, you can contact us at any time using the contact details provided on our website.

h) Right to lodge a complaint with a supervisory authority

We would also like to inform you that if you believe that the rights of natural persons have been violated in the processing of your personal data or that the Act or Regulation has been violated, you may file a motion to initiate proceedings on the protection of personal data with the Office for Personal Data Protection of the Slovak Republic. A sample motion is published on the website of the Office for Personal Data Protection of the Slovak Republic www.dataprotection.gov.sk.

Responsible person

Lucia Grajcarová, M.Sc.

Are you obliged to provide us with your personal data?

Providing your personal data is voluntary; however, some of your personal data is required for the proper performance of the contract/agreement, and therefore, if it is not provided, it will not be possible for us to properly perform all actions.

Please do not provide us with any personal information unless you want it to be used in the manner described in this privacy policy.

Do we obtain your personal data from sources other than you?

No, all personal data we process comes explicitly from you.

Do we carry out automated decision-making, including profiling?

We do not make any decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.

What basic technical, organizational, personnel and security measures and safeguards have we taken to protect your personal data?

As the operator, we have, pursuant to Article 24 of the Regulation and the provisions of Section 31 of the Act, adopted appropriate technical, organizational, personnel and security measures and guarantees, which take into account in particular:

  • principles of personal data processing, which are lawfulness, fairness and transparency, limitation and compatibility of the purposes of personal data processing, as well as minimization of personal data, their pseudonymization and encryption, as well as integrity, confidentiality and availability;
  • the principles of necessity and proportionality (also applies to the scope and amount of personal data processed, the retention period and access to the personal data of the data subject) of the processing of personal data with regard to the purpose of the processing operation;
  • the nature, scope, context and purpose of the processing operation;
  • resilience and recovery of personal data processing systems;
  • instructions to authorized persons of the operator;
  • taking measures to immediately determine whether a personal data breach has occurred and promptly informing the supervisory authority and the responsible person;
  • taking measures to ensure the correction or deletion of incorrect data, or the exercise of other rights of the data subject;
  • risks of varying likelihood and severity to the rights and freedoms of natural persons.

Do we transfer your personal data outside the European Union?

The operator would like to inform you that your data is not transferred outside the European Union to third countries or international organizations.

Other related information

If we link to third-party websites on our website, we note that third-party websites have their own privacy policies and are independent of ours. Therefore, we do not bear any legal responsibility for the content and activities of these third parties.

Updating and changing the privacy policy

The information we are required to provide in connection with the processing of personal data may change or become outdated over time. For this reason, we reserve the right to amend this privacy policy to any extent at any time.

Last update: June 13, 2022
