Svoboda & Williams Slovakia s.r.o. – an exclusive affiliate of Christie’s International Real Estate for the Czech Republic and Slovakia – is a renowned real estate agency providing a full range of services for the sale, acquisition, and lease of premium residential and commercial properties in attractive locations in Bratislava and throughout Slovakia.
We have been offering our services to clients as SVOBODA & WILLIAMS and Feelhome since 1993 and in Slovakia since 2019. We represent only the highest quality properties and offer meticulous, prompt and professional service. Innovation is key to every area of our business, which keeps Svoboda & Williams Estate Agents at the forefront of the market. SVOBODA & WILLIAMS is considered an exemplary entity with a high standard of social responsibility, with the goal of establishing a long-term relationship with the Client based upon mutual trust and reliability. This relationship rests upon the honoring of privacy, loyalty, and absolute respect for the needs of the Client and the Client’s individual requests. In view of this, we have prepared for you, our Client, the following
PERSONAL DATA PROCESSING AND CLIENT PRIVACY PROTECTION POLICY
OF SVOBODA & WILLIAMS
(“DATA PROCESSING POLICY”)
The objective of this DATA PROCESSING POLICY issued by Svoboda & Williams Slovakia s.r.o., with registered office at Zuzany Chalupovej 10B, 851 07 Bratislava - city part Petržalka, identification number (IČO): 52 116 344, is to provide Clients with information as to what personal data SVOBODA & WILLIAMS, as a Controller, processes in regard to its Clients – natural persons in the provision of services consisting in brokering the sale or acquisition of real estate properties, lease of real estate properties, real estate management, and other services, and in regard to visits to websites operated by SVOBODA & WILLIAMS, the use of SVOBODA & WILLIAMS applications, and in regard to contacts with potential Clients, for what purposes and for what duration of time SVOBODA & WILLIAMS processes such personal data in accordance with the valid legal regulations, to whom and on what grounds it may disclose or transfer such data, as well as information on what rights natural persons have in connection with the processing of their personal data.
This Policy pertains to the processing of the personal data of the Clients of SVOBODA & WILLIAMS and also, in a corresponding manner, of their representatives or contact persons, potential Clients or persons interested in the services of SVOBODA & WILLIAMS, and visitors to websites operated by SVOBODA & WILLIAMS, and users of SVOBODA & WILLIAMS applications, this being, in each case, within the scope of personal data corresponding to their relationship with SVOBODA & WILLIAMS.
WHAT DOES THIS DATA PROCESSING POLICY CONTAIN?
- PERSONAL DATA CONTROLLER
- DATA PRIVACY OFFICER (DPO) CONTACT
- LEGAL FRAMEWORK, PERSONAL DATA PROCESSING PRINCIPLES
- WHAT DATA ON CLIENTS DO WE OBTAIN, HOW DO WE OBTAIN THEM, AND HOW DO WE USE THEM
- WHO HAS ACCESS TO DATA – CATEGORIES OF DATA RECIPIENTS
- WHERE DO WE STORE DATA
- HOW LONG DO WE STORE DATA
- HOW ARE DATA SECURED
- CLIENT’S RIGHTS AND OPTIONS
Personal Data (hereinafter “Data”) = any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, e.g., a name, identification number, location data, network identifier, or to one or more factors specific to such person’s physical, physiological, genetic, mental, economic, cultural or social identity. This means that personal data also include data such as e-mail, address, telephone number, user name, profile photos, personal preferences, user-generated content, information pertaining to physical characteristics. They may also include unique numerical identification data such as the IP address of the user’s computer or the MAC address of a device and cookie files.
Genetic Data = personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information regarding such person’s physiology or health and which result primarily from the analysis of a biological sample from the natural person in question.
Biometric Data = personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images, dynamically recorded hand-written signature, or dactyloscopic data.
Data Concerning Health = personal data related to the physical or mental health of a natural person, including data on the provision of health care services, which reveal information about his or her health status.
Anonymous Data = such data which, either in its original form or upon processing, cannot be linked to an identified or identifiable data subject.
Pseudonymized Data = data that has been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Data Subject = a natural person to whom personal data pertain. Natural persons are also considered to include persons doing business on the basis of a trade licensing or other authorization.
Controller = the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor/Recipient = a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller, and which is stated in the List of External Processors.
Processing of Personal Data = any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach = a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Consent of the Data Subject = any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Office = the Office for Personal Data Protection, with registered office at Hraničná 12, 820 07 Bratislava 27, dataprotection.gov.sk/uoou
GDPR = REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Personal Data Protection Act = Act No. 18/2018 Coll., on the Protection of Personal Data, as amended.
Information Society Services Act = E-Commerce Act = Act No. 22/2004 Coll. on electronic commerce and amendments to Act No. 128/2002 Coll. on state control of the internal market in consumer protection matters and amending certain acts as amended by Act No. 248/2002 Coll. as subsequently amended.
Client = a natural person or legal person who has been reached out to by, or who has reached out to, SVOBODA & WILLIAMS for the purpose of the sending of an offer of services, requesting services, entering into an agreement, or who has already entered into such an agreement.
Data Privacy Officer (“DPO”) = a data protection officer – the person responsible within SVOBODA & WILLIAMS for the processing of personal data.
2. PERSONAL DATA CONTROLLER
Svoboda & Williams Slovakia s.r.o.
with registered office at Zuzany Chalupovej 10B, 851 07 Bratislava - city part Petržalka
identification number (IČO): 52 116 344
(hereinafter “SVOBODA & WILLIAMS” or the “Controller”)
as the Controller, is aware of the legal obligations pertaining to the processing of the Data of its Clients and the liability imposed upon it in this regard by the legal regulations of Slovakia and of the EU. This regulation provides the basic framework for the manner and conditions of handling Clients’ Data, of how to proceed in processing Data, and who to turn to in the performance of obligations arising under the Personal Data Protection Act, the E-Commerce Act, the GDPR, and this DATA PROCESSING POLICY.
3. DATA PRIVACY OFFICER (DPO) CONTACT
Svoboda & Williams Slovakia s.r.o.
Data Privacy Officer
Zuzany Chalupovej 10B, 851 07 Bratislava - city part Petržalka
identification number (IČO): 52 116 344
4. LEGAL FRAMEWORK, PERSONAL DATA PROCESSING PRINCIPLES
The basic legal framework for the processing of personal data consists of the GDPR, the Personal Data Protection Act, the E-Commerce Act, and other related legal regulations.
The fundamental principle of Data processing is for it to be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”). Data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is possible.
Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”); accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”).
Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures, in order to safeguard the rights and freedoms of the data subject (“storage limitation”).
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
As a Controller, we take appropriate measures in order to provide data subjects with all information pertaining to the acquisition, processing, erasure and security of personal data in a concise, transparent, comprehensible and easily accessible manner, using clear and simple language. We must fulfill these obligations, as the Controller, and we do so, among other things, through this DATA PROCESSING POLICY.
5. WHAT DATA ON CLIENTS DO WE OBTAIN, HOW DO WE OBTAIN THEM, AND HOW DO WE USE THEM
SVOBODA & WILLIAMS can collect or acquire Data through our websites, forms, applications, electronic or telephone contact, personal meeting or otherwise. At times, Data will be provided to SVOBODA & WILLIAMS by the Client directly, such as when creating a user account on our websites, when contacting us by telephone, by e-mail or in person; at times we collect them as a Controller, such as through the use of cookie files, in order to ascertain how you use our websites or applications; or we obtain them from other persons, e.g. from associated parties – real estate agents and real estate agencies, e.g. Christie’s International Real Estate.
Automated decision-making, including profiling – may be used by the Controller in sending or displaying personalized messages or content. This is a specific method, which is any form of automated processing of Data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's personal preferences, interests, economic situation, behavior, location, health, reliability, or movements. That means that the Controller can collect Data in various situations, see Table No. 1 below. The Controller can centralize and analyze such data in order to be able to assess and estimate the Client’s personal preferences and interests. On the basis of such an analysis, the Controller then sends or displays messages or content adapted to the interests and needs of the Client. If certain conditions are fulfilled, the Client has the right to object to the use of the Data for the purposes of profiling, see Table No. 2 below.
Data are collected by the Controller:
- on the legal grounds as set out in Art. 6, paragraph 1 letter b) of the GDPR, i.e. because the processing is necessary for the performance of a contract to which the Client is a contracting party, as the data subject, or for the implementation of measures taken prior to the execution of the agreement upon the Client’s request. The Data are provided obligatorily and the purpose of the processing of such Data is the execution and performance of a contractual relationship and related actions (communication with the Client in regard to services and real estate properties being offered, etc.). The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, an agreement cannot be entered into with him/her or negotiations held for the purpose of the execution of an agreement, or a service provided that the Client has requested (e.g. the sending of specific information regarding a real estate property, making an appointment for a meeting, visiting a real estate property, entering into an agreement with the Controller, or a third party (purchase/sale of a real estate property, lease of a real estate property, real estate property management, etc.)) (hereinafter “Performance of a Contract”).
- on the legal grounds as set out in Art. 6 paragraph 1 letter f) of the GDPR, i.e. because the processing is necessary for the purposes of the Controller’s legitimate interests, so that the Controller may send the Client marketing and commercial messages – newsletters, targeted advertising, adapted recommendations, etc., all pursuant to the legal regulations. The Data are provided voluntarily on the basis of the Client’s consent. The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, commercial messages (newsletters) cannot be sent to the Client and the Client cannot properly use the Controller’s websites or applications either (hereinafter “Consent to CM and Cookies”).
- on the legal grounds as set out in Art. 6 paragraph 1 letter c) of the GDPR, i.e. because the processing is necessary for the fulfillment of the Controller’s legal obligation, so that the Controller may fulfill legal requirements under special legal regulations (e.g. Act No. 297/2008 Coll. on protection against money laundering and terrorist financing). The Data are provided obligatorily and the purpose of the processing of such Data is the execution and performance of a contractual relationship and related actions (communication with the Client in regard to services and real estate properties being offered, etc.). The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, an agreement cannot be entered into with him/her or negotiations held for the purpose of the execution of an agreement, or a service provided that the Client has requested (e.g. the sending of specific information regarding a real estate property, making an appointment for a meeting, visiting a real estate property, entering into an agreement with the Controller, or a third party (purchase/sale of a real estate property, lease of a real estate property, real estate property management, etc.)) (hereinafter “Legal Obligation”).
- on the legal grounds as set out in Art. 6 paragraph 1 letter f) of the GDPR, i.e. because the processing is necessary for the purposes of the Controller’s legitimate interests, so that the Controller may ensure the security of its platforms and services against misuse, better comprehend the Client and ensure the proper functioning of its websites and applications, ensure the performance of the Controller’s contractual obligations, etc. The Data are provided obligatorily and the purpose of the processing of such Data is ensuring the security of the Controller’s websites / applications and their protection against misuse, as well as better comprehension of the needs and wants of the Client, improved services and brand awareness, ensuring the proper functioning of CM, advertising, and the improvement and protection thereof through cookies and ensuring the fulfillment of the Controller’s contractual obligations in regard to third parties, particularly the owners of real estate properties, developers, etc. The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, this can affect our ability to provide the Client with our services (hereinafter “Legitimate Interests”).
Further explanations provided below as follows:
Table No. 1
6. WHO HAS ACCESS TO DATA – CATEGORIES OF DATA RECIPIENTS
The Controller can share the Client’s Data in order to fulfill its legal obligations, to improve its services, or if it receives the Client’s consent to such sharing.
Data can be processed in the Controller’s name only by trustworthy external processors / recipients. The Controller only provides such information to these external processors / recipients that they need in order to provide the service, and requires that they not use the Data for any other purpose. The Controller makes every effort to ensure that all of the third parties that it works with will store the Data in a duly secure manner. Services that require the processing of Data are provided to the Controller by, for example, contracted real estate agents, external IT service suppliers, such as providers of platforms with hosting services, administration and support of our databases, as well as of our software and applications that may contain Data (these services may sometimes include access to Data with the goal of performing the required tasks), as well as owners of real estate properties, developers, persons conducting monitoring of social media, identity administration, evaluations and reviews, customer relationship management, web analysis and search engines, tools for the processing of content generated by the user, advertising, marketing and digital agencies and agencies for social media that supply advertising, marketing services and campaigns, analyze their effectiveness and administer contacts with the Client.
List of Data Recipients
The Controller is obligated to disclose Data to third parties if it has such an obligation for the purpose of fulfilling a statutory obligation, or for the protection of the rights, property, interests or safety of the Controller, its Clients, employees, external agents.
The Controller can also disclose Data if it has the Client’s consent to do so or if the law allows it to do so.
The Controller does not offer or sell Data.
Collected Data will not be shared with any third party, with the exception of the above.
7. WHERE DO WE STORE DATA
The Data that we collect in regard to the Client are stored and processed only within the territory of the EU, or within the territory of states that have undertaken to comply with EU standards for the processing and security of personal data (USA). Outside of the EU, personal data are processed or stored only with processors / recipients who are certified according to the EU – U.S. Privacy Shield – these being Google LLC and Dropbox, Inc.
8. HOW LONG DO WE STORE DATA
The Client’s Data are stored for as long as this is necessary in order to fulfill the purpose for which the Controller received the same, in order to comply with the Client’s needs, or in order to fulfill its legal obligations.
In order to determine the duration of Data storage, the following criteria shall apply:
- if the Client is interested in a real estate property being offered by the Controller or has entered into an agreement with the Controller – the Data in the Client’s Contact Form are stored for a duration of 6 months from the acquisition thereof, Data in electronic form are stored for a duration of 10 years from the acquisition thereof, or from the termination of the contractual relationship with the Client, unless legal regulations provide a longer period of time (Performance of a Contract),
- if the Client has entered into an agreement with the Controller on the short-term lease of a real estate property – Data in paper form will be disposed of within 1 month of the termination of the contractual relationship, Data in electronic form are stored for a period of 18 months from the termination of the contractual relationship with the Client, unless legal regulations provide a longer period of time (Performance of a Contract),
- if the Client is interested in being sent CM, Data are stored for a period of 10 years from their acquisition (Consent to CM and Cookies),
- if the Client contacts us with an enquiry or request for us to contact him/her, Data are stored for a period of time as necessary for the processing of the enquiry and further for a period of 10 years from the last interaction (Performance of a Contract); if the Client creates an account, the Controller stores the Data until the Client requests erasure, or for a period of 10 years from the last activity on the Client’s account (Legitimate Interests),
- if the Client consented to being sent direct marketing messages, Data are stored until the Client cancels the subscription thereof or requests for the Controller to erase them, or for a period of 10 years from the last interaction (Consent to CM and Cookies),
- if cookies are located on the Client’s device, Data are stored for the period of time as necessary in order to achieve the purpose thereof, according to the type of cookie (Consent to CM and Cookies),
- if the Controller is fulfilling legal requirements according to special legal regulations (e.g. Act No. 297/2008 Coll. on protection against money laundering and terrorist financing, etc.), Data are stored for a period of 10 years from their acquisition, or from the termination of the contractual relationship with the Client or the realization of the transaction, unless legal regulations provide a longer period of time (Legal Obligation).
The Controller may store some Data in order to fulfill its legal obligations, and to be able to duly protect its legitimate interests, or for statistical purposes or historical research purposes.
If the purpose of the storage of Data has been fulfilled and the duration of their storage has elapsed, the Data are erased from the Controller’s systems and records or anonymized, so that the identification of the Client is no longer possible.
9. HOW ARE DATA SECURED
The Controller makes every effort to duly protect the Data, from the moment of their acquisition until the moment of their erasure, pseudonymization or anonymization. The Controller stores and processes Data in a secured manner in accordance with the level of standards within the given sector and has taken all reasonable security measures, through the use of conscientiously adjusted internal processes and security policies, so that no misuse of Data or unauthorized access to Data can occur. The Controller has contractually ensured that every authorized and trustworthy processor (see Art. 6 of this document) handles Data in this same manner.
As follows from the technical nature of the functioning of data transmission on the Internet, the Controller cannot ensure the security of the Client’s Data being transmitted to the Controller’s websites. Therefore, the securing of any information transmitted in such manner is beyond the Controller’s technical capabilities.
10. CLIENT’S RIGHTS AND OPTIONS