DATA CONTROLLER'S PRIVACY POLICY
This section provides information about how we handle and protect personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR), and Act No. 18/2018 Coll. on Personal Data Protection of the Slovak Republic.
The Data Controller, DiTeSo s. r. o., headquartered at Trieda KVP 1, Company ID: 56393440 (hereinafter "the Controller"), has implemented appropriate technical and organizational measures to ensure the protection of data subjects' rights and to guarantee lawful processing of personal data. The Controller has also established a transparent system for recording security incidents and any inquiries from data subjects and other parties.
If needed, data subjects can obtain additional information by phone at: +421 904 460 974 or by email at: info@diteso.sk.
1. Data Controller
DiTeSo s. r. o.
Trieda KVP 1
040 23 Košice – Sídlisko KVP district
Company ID: 56393440
We process your data for our own purposes as the Data Controller. This means we determine why we collect your personal data, we decide how to process it, and we're responsible for doing it properly.
2. Data Processors
In certain cases, the Controller may process the personal data of data subjects through data processors authorized to process personal data in accordance with Article 28 of the GDPR.
Data processors handle personal data on behalf of the Controller. Processing personal data through processors doesn't negatively affect your rights as a data subject. The Controller only works with processors who provide appropriate technical, organizational, and other safeguards to ensure GDPR compliance and full protection of data subjects' rights.
When processing personal data, the Controller uses the following categories of processors:
- Providers of technical solutions, web hosting services, IT system maintenance and support used by the Controller
- Providers of accounting and tax compliance services for the Controller
Categories of data recipients: persons acting on behalf of the Controller, legal representatives, auditors, state administration and public authorities exercising control and supervision.
3. Purpose of Personal Data Processing
As a data controller, we process personal data exclusively on a lawful legal basis and in accordance with defined purposes arising from our business activities—providing digital solutions, software development, IT consulting, and related services.
Response to inquiries, questions, or requests
When you contact us via email, contact forms on our website, by phone, or in person, we process your data (such as name, email, phone number, message content) to respond to your request.
Legal basis: Legitimate interest of the controller under Art. 6(1)(f) GDPR.
You have the right to object to such processing.
Expression of interest in our services or collaboration
We process data to prepare proposals, technical specifications, and communicate before entering into a contract.
Legal basis: Art. 6(1)(b) GDPR – taking steps prior to entering into a contract.
Fulfillment of contracts with clients, suppliers, and partners
When providing our services (e.g., designing and implementing software solutions, consulting services, system administration, support), we process personal data of contact persons of contracting parties, as well as data contained in orders, contracts, invoices, and project documentation.
Legal basis: Art. 6(1)(b) GDPR – contract performance.
Compliance with legal obligations
We process data to fulfill obligations arising from laws (e.g., accounting, taxes, employment records, archiving obligations).
Legal basis: Art. 6(1)(c) GDPR – legal obligation.
Managing internal processes and business communication records
We process data related to contract records, correspondence, email communication, project administration, and internal reports to ensure effective company management and fulfillment of obligations to clients and partners.
Legal basis: Legitimate interest under Art. 6(1)(f) GDPR.
You have the right to object to such processing.
Records and communication with business contacts
We process personal data of contact persons from partners, subcontractors, or collaborators (name, email, phone, job position) for the purpose of developing and ensuring business cooperation.
Legal basis: Legitimate interest under Art. 6(1)(f) GDPR in conjunction with § 78(3) of the Personal Data Protection Act.
Personnel records and recruitment
When selecting new employees or external collaborators, we process applicants' personal data (CV, contact details, professional information).
Legal basis:
- Art. 6(1)(b) GDPR – pre-contractual relationship (for specific responses to job offers),
- Art. 6(1)(a) GDPR – consent (only when storing applicants in a database for future recruitment).
Marketing and presentation of our solutions
We process selected data (e.g., name, email, photograph, video recordings) for presenting our projects, sending newsletters, publishing references, conducting online campaigns, or sharing content on social media.
Legal basis:
- Legitimate interest under Art. 6(1)(f) GDPR – for marketing to existing clients regarding similar services,
- Consent under Art. 6(1)(a) GDPR – for visual content (photos/videos), newsletters, or marketing to non-clients.
Consent is voluntary and you can withdraw it at any time.
Categories of data subjects
- Clients and potential clients
- Contractual partners, suppliers, subcontractors
- Job applicants
- Employees and external collaborators
- Contact persons of business partners
- Participants in marketing and promotional activities
Scope of processed personal data
- Identification data (name, surname, Company ID, Tax ID, company, position)
- Contact details (email, phone, address, business address)
- Data related to business relationships (orders, contracts, invoicing, project documentation)
- Communication content (emails, messages, correspondence)
- Data for accounting and tax purposes
- Photographs, video recordings, and marketing materials (only with explicit consent)
DiTeSo s. r. o. as Data Processor
In cases where DiTeSo s. r. o. acts as a data processor under Art. 28(3) of the GDPR, we process personal data exclusively according to the instructions of another controller (our client). In such cases, the purpose of processing is determined by the controller, not by us.
Our role consists of technical, system, and administrative processing of data through information systems, development tools, or infrastructure solutions that we create, operate, or manage for the client.
Nature and scope of processing activities
Processing personal data as a processor includes mainly the following activities:
- Development, testing, and implementation of software solutions – during development or operation of systems, processing of client's personal data may occur (e.g., test or production data).
- Operation and maintenance of IT systems and databases – technical administration and service interventions in systems storing personal data (e.g., CRM, ERP, internal client platforms).
- Hosting, cloud, and backup services – management of data storage, servers, and backups containing personal data, according to client instructions.
- Data processing within integrations – technical support for connecting systems and data transfers between different applications or environments.
- User support and service communication (helpdesk, ticketing) – access to data to the extent necessary for resolving technical requirements.
- Data migration and conversion – transfer or conversion of client databases between systems when changing software or platforms.
- Security and analytical activities – monitoring functionality, system logging, testing security measures (without evaluating personal data content).
In all these cases, we process personal data only to the extent necessary for contract performance and in accordance with the client's (controller's) instructions.
Processing data based on controller's instructions
As a processor, we make no decisions about the purpose or method of processing.
We process data exclusively according to the controller's written instructions, which are regulated in the data processing agreement.
Examples of processing include:
- Processing personal data of employees, clients, or users of systems we operate for the client,
- Processing test datasets containing personal data during software development or modifications,
- Accessing personal data during maintenance, backup, or incident resolution.
Detailed description of processor activities (DiTeSo s. r. o.)
For greater transparency, here's an overview of the main processing activities that DiTeSo s. r. o. performs as a processor:
- Development and implementation of information systems – configuration, testing, and tuning of systems containing personal data.
- Service and technical support – resolving incidents, failures, and client requirements through access to data processing systems.
- Hosting and cloud solutions – server, storage, and database management, including security settings, backup, and recovery.
- Data and system integration – technical data processing when connecting client applications or modules.
- Analytical processing and reporting – data processing for reports, statistics, or logs according to client instructions.
- Testing security features and software functionality – processing personal data during testing operations based on client authorization.
- Data migration and archiving – technical data processing during transfer or archiving of client data structures.
Legal basis for processing personal data
When DiTeSo s. r. o. acts as a processor, the legal basis for processing is the data processing agreement concluded with the controller under Art. 28 of the GDPR.
Based on this agreement, we adopt the legal basis for processing personal data determined by the controller (our client) and process data exclusively according to their instructions, to the extent necessary for fulfilling the tasks specified in the agreement.
DiTeSo s. r. o. makes no decisions about the purposes or methods of processing and ensures that all operations comply with GDPR requirements, including confidentiality, integrity, and security of personal data.
DiTeSo s. r. o.:
- Does not process personal data for its own purposes or based on legitimate interest,
- Acts exclusively according to the controller's written instructions,
- Implements technical and organizational measures to protect personal data,
- Ensures confidentiality of all data it accesses,
- Engages additional processors only with prior consent or in accordance with the framework agreement with the controller.
Summary
As a processor, DiTeSo s. r. o. fulfills a purely technical and service role in personal data processing.
The controller (client) is always responsible for determining the purpose and lawfulness of processing, while DiTeSo s. r. o. ensures implementation of technical and operational tasks in compliance with GDPR.
4. Retention Period for Your Personal Data
We also process personal data processed under Art. 6(1)(b) of the GDPR (for fulfilling the controller's obligations) to comply with our legal obligations regarding taxes and accounting. These obligations arise from generally binding legal regulations, such as Act No. 431/2002 Coll. on Accounting or Act No. 595/2003 Coll. on Income Tax and Act No. 563/2009 Coll. on Tax Administration. We must retain data for the period stipulated by these legal regulations. We follow the principle of data minimization under Art. 5(1)(e) of the GDPR, so your personal data that is not subject to archiving under specific legal regulations will be deleted or anonymized.
We process personal data based on consent under Art. 6(1)(a) of the GDPR, for example for sending current marketing news or registration in the applicant database, for 3 years or until consent is withdrawn. When the processing period is nearing its end, we contact the data subject with the option to renew and extend consent for another processing period. If the data subject doesn't grant consent or doesn't respond to contact, we stop processing the personal data: we automatically remove it from records, technically delete electronic data from systems, and shred physical documents.
Personal data processed based on legitimate interest under Art. 6(1)(f) of the GDPR, obtained in response to an inquiry, suggestion, or question for the purpose of providing feedback to the data subject, are immediately deleted after resolution, unless subsequently transferred to a pre-contractual or contractual relationship.
As Controller, we ensure deletion of personal data without undue delay after:
- All contractual relationships between you and us as controller have ended; and/or
- All your obligations to the controller have ceased; and/or
- All your complaints and requests have been resolved; and/or
- All other rights and obligations between you and us as controller have been settled; and/or
- All processing purposes stipulated by legal regulations or processing purposes for which you gave us consent have been fulfilled, if processing was based on the data subject's consent; and/or
- The period for which consent was granted has expired or the data subject has withdrawn their consent; and/or
- The data subject's request for deletion of personal data has been granted and one of the reasons justifying granting this request has been fulfilled; and/or
- The decisive legal fact for termination of the processing purpose has occurred and the protective retention period defined with regard to the principle of minimizing the personal data retention period has also expired;
- And simultaneously the controller's legitimate interest no longer exists, all obligations stipulated by generally binding legal regulations requiring retention of the data subject's personal data have ceased (especially for archiving purposes, tax audit performance, etc.), or which could not be fulfilled without their retention.
We do not systematically process any accidentally obtained personal data for any purpose we've defined. When possible, we inform the data subject whose accidentally obtained personal data we have about the accidental acquisition and, depending on the nature of the case, provide necessary cooperation leading to restoration of control over their personal data. Immediately after these necessary actions aimed at resolving the situation, we securely dispose of all accidentally obtained personal data without delay.
If you're interested in more information about the specific retention period for your personal data, please contact us using the provided contact details.
5. Data Disclosure
Our company does not arbitrarily disclose obtained personal data under any circumstances.
6. Cross-Border Transfer and Profiling of Personal Data
Cross-border transfer of personal data outside the EU and profiling of personal data are not carried out, nor are they planned for the future.
7. Rights and Obligations of the Data Subject
- The data subject is obliged to provide only complete and truthful information.
- The data subject undertakes to update their data in case of changes, no later than before completing the first order following the change.
- The data subject undertakes that if they provide personal data of a third party (name, surname, phone number), they do so only with their consent and the data subject is familiar with the procedures, rights, and obligations stated on this page.
- As a data subject, you have the right to decide, to a specified extent, about handling your personal data. You can exercise these rights in person at the Controller's headquarters or by phone – in writing (by mail/email).
We'll try to respond as soon as possible, but we'll always respond within 30 days of receiving your request. Applicable legal regulations and the GDPR provide you with the following rights:
Right of access – You have the right to request confirmation from us about whether your personal data is being processed, and if so, to obtain a copy of this data and additional information arising from Art. 15 of the Regulation. If we obtain a large amount of data about you, we may request that you specify your request regarding specific data we process about you.
Right to rectification – For us to continuously process only current personal data about you, we need you to notify us of changes as soon as they occur. If we process incorrect data about you, you have the right to request their correction.
Right to erasure – If the conditions of Article 17 of the Regulation are met, you can request deletion of your personal data. You can therefore request deletion if, for example, you've withdrawn your consent to processing personal data and there's no other legal basis for processing, or if we process your personal data unlawfully, or if the purpose for which we processed your personal data has ceased and we're not processing them for another compatible purpose. However, we won't delete your data if it's needed to prove, assert, or defend legal claims.
Right to restriction of processing – If the conditions of Article 18 of the Regulation are met, you can request that we restrict processing of your personal data. You can therefore request restriction, for example, while you're contesting the accuracy of processed data or if processing is unlawful and you don't wish us to delete the data but need processing to be restricted while you assert your rights. We'll continue processing your data if reasons exist to prove, assert, or defend legal claims.
Right to data portability – If processing is based on your consent or performed for the purpose of fulfilling a contract concluded with you and simultaneously performed by automated means, you have the right to receive your personal data that we obtained from you in a commonly used machine-readable format. If you're interested and it's technically possible, we'll transfer your personal data directly to another controller. This right cannot be exercised for processing performed for the purpose of fulfilling a task carried out in the public interest or in the exercise of official authority.
Right to object to processing – If we process your personal data for the purpose of fulfilling a task carried out in the public interest or in the exercise of official authority vested in us, or if processing is performed based on our legitimate interests or the legitimate interests of a third party, you have the right to object to such processing. Based on your objection, we'll restrict processing of personal data and unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms or grounds for proving, asserting, or defending legal claims, we won't continue processing personal data and will delete your personal data. You have the right to object at any time to processing personal data for direct marketing purposes, including profiling to the extent it's related to such direct marketing. After raising an objection, we'll no longer process your personal data for this purpose.
Right to lodge a complaint – If you believe that processing of your personal data is contrary to the Regulation, you have the right to lodge a complaint with one of the relevant supervisory authorities, particularly in the member state of your habitual residence, place of work, or place of the alleged infringement. For the territory of the Slovak Republic, the supervisory authority is the Office for Personal Data Protection, headquartered at: Hraničná 4826/12, 820 07 Bratislava, Slovak Republic, website: www.dataprotection.gov.sk, tel.: +421 /2/ 3231 3220.
Right to withdraw consent – If processing of your personal data is based on consent, you have the right to withdraw this consent at any time. Withdrawal of consent doesn't affect already performed processing. If you later decide that you're interested in receiving our business and marketing offers about our products and services again, you can grant your withdrawn consent (or withdrawn objection) again at any time, using any of the contact methods mentioned above.
8. Contact Details of the Personal Data Protection Office
Office for Personal Data Protection of the Slovak Republic
Address:
Park One Building
Námestie 1. mája 18
811 06 Bratislava
Slovak Republic
Company ID: 36 064 220
Registry office:
Monday – Thursday: 8:00 - 15:00
Friday: 8:00 - 14:00
Phone consultations on personal data protection:
Tuesday and Thursday from 8:00 to 12:00 +421 2 323 132 20
Office President's Secretariat +421 2 323 132 11
Office Secretariat +421 2 323 132 14
Fax: +421 2 323 132 34
Spokesperson:
Mobile: +421 910 985 794
Email: hovorca@pdp.gov.sk
Email:
a) General: statny.dozor@pdp.gov.sk
b) For providing information under Act No. 211/2000 Coll.: info@pdp.gov.sk
c) Website: webmaster@pdp.gov.sk
d) To submit requests for information under Act No. 211/2000 Coll. on Free Access to Information, use the online form.
e) Email address through which the Office will provide you with advice on personal data protection. It's intended for children, youth, students, teachers, parents who suspect their personal data has been misused: ochrana@pdp.gov.sk