PERSONAL DATA PROTECTION AND INFORMATION ON COOKIES

/ Principles and information on personal data protection provided by the controller to the data subject when obtaining personal data from the data subject and information on cookies of the e-shop www.elysiumclinic.sk/

I. Controller

1.1. The identity and contact details of the Controller are:

Business name: Elysium clinic s.r.o.
Registered Seat : 93405 Opatovce 131, Opatovce 913 11, Slovak Republic
Registered in the Business Register of the District Court Trenčín, Section: Sro, Insert No.: 39857/R
Company Registration Number: 53008651
Tax Identification Number: 2121231101

1.2. Email contact and telephone contact of the Controller is:
Email: recepcia@elysiumclinic.sk
Tel. No.: +421911825707

1.3.Address of the Controller for sending documents:

Elysium clinic s.r.o., 93405 Opatovce 131, Opatovce 913 11, Slovak Republic

II. References

2.1. The Controller hereby, in accordance with Article 13 (1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC General Data Protection Regulation (hereinafter referred to as “Regulation”), further in accordance with Act No.18/2018 Coll. on personal data protection and amending and supplementing certain Acts as amended and in accordance with Act No. 452/2021 Coll. on Electronic Communications as amended, provides the following information, instructions and explanations to the Data Subject from whom the Controller obtains personal data concerning them:

III. Personal data protection and the use of cookies. Information and explanation of cookies, scripts and pixels

3.1. The website operator provides this brief explanation of the function of cookies, scripts and pixels:

3.1.1. Cookies are text files that contain a small amount of information that is downloaded to your device when you visit a website. Thanks to this file, the website temporarily stores information about your actions and preferences (such as login name, language, font size and other display settings) so that you do not have to enter them again the next time you visit the website or browse its individual pages.

A script is a part of programming code that is used to make websites work properly and interactively. This code will run on the operator's server or on your device.

Pixels are small, invisible text or images on a website that are used to monitor website traffic. In order for this to happen, various data is stored through pixels.

3.1.2.Cookies are divided as follows

Technical or functional cookies - they ensure the correct functioning of the Controller's website and its use. These cookies are used without any consent.

Statistical cookies – The Controller obtains statistics regarding the use of their websites. These cookies are used only with consent.

Marketing / Advertising cookies – Used to create advertising profiles and similar marketing activities. These cookies are used only with consent.

3.2. How to check cookies:

3.2.1. You cancheck and/or deletecookies at your discretion - seeaboutcookies.orgfor more details. You can delete any cookies stored on your computer or other device and you can set most browsers in a way to prevent them from being stored.

3.3.The Controller's website uses the following cookies:

All cookies used by the Controller can be found at https://www.cookieserve.com/ by entering the Controller's website address https:// www.elysiumclinic.sk.

Technical or functional cookies - the website operator i.e. Controller accesses the information. The duration of cookies is 5 years.

Statistical cookies - the website operator i.e. Controller accesses the information. The duration of cookies is 5 years.

Marketing and advertising cookies - the website operator i.e. Controller accesses the information. The duration of cookies is 5 years.

3.3.1.Cookies that are made available to third parties:

Facebook Pixels: Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbor Dublin 2, Ireland. For more information on privacy protection, please visit https://www.facebook.com/about/privacy/

IV. Personal data processed

4.1.The Controller processes the following personal data on their website: name, surname, residence, email address, home telephone number, mobile phone number, billing address, delivery address, data obtained from cookies, IP addresses.

V. Contact details of the data protection officer responsible for the supervision of personal data protection

5.1.The Controller has appointed a data protection officer in accordance with Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Contact: Email: recepcia@elysiumclinic.sk, Tel. No.: +421911825707.

VI. Purposes of personal data processing of the Data Subject and duration of personal data processing

6.1. The purposes of personal data processing of the Data Subject are particularly:

6.1.1.record keeping, creation and processing of contracts and client data for the purpose of concluding contracts with third parties.

6.1.2.processing of accounting documents and documents related to the business activity of the Controller.

6.1.3.compliance with legal regulations in connection with archiving of documents, e.g. according to Act No. 431/2002 Coll. on accounting as amended and other relevant regulations.

6.1.4.activity of the Controller in connection with the fulfilment of the request, order, contract and similar instruments of the Data Subject.

6.1.5. Newsletter, marketing and similar advertising activities of the Controller. In case the Data Subject grants the Controller the consent to carry out marketing and similar marketing activities.

6.2. Personal data of the Data Subject shall be stored by the Controller only for the strictly necessary period of time required for the purposes of the performance of the contract and its subsequent archiving within the statutory deadlines imposed on the Controller by regulations. In case the Data Subject has agreed with sending advertising emails and similar offers, the Data Subject's personal data is processed for these purposes until the Data Subject withdraws their consent. However, for a maximum period of 10 years.

VII. Legal basis for the processing of the Data Subject's personal data

7.1 In case the Controller carries out the processing of personal data based on the consent of the Data Subject, this processing shall only be initiated after the Data Subject has granted their consent.

7.2.In case the Controller processes the personal data of the Data Subject for the purposes of negotiating pre-contractual relations and the conclusion and performance of a purchase contract and the delivery of goods, products or services related thereto, the Data Subject is obliged to provide personal data for the proper performance of the purchase contract, otherwise the performance cannot be ensured. Personal data for the given purpose are processed without the consent of the Data Subject.

VIII. Recipients or categories of personal data recipients

8.1.The recipient of the Data Subject's personal data will be or at least may be:

8.1.1. statutory bodies of the Controller or their members.

8.1.2.persons performing work in an employment or similar relationship for the Controller.

8.1.3.sales representatives of the Controller and other persons cooperating with the Controller when performing the Controller's tasks. For the purposes of this document all natural persons performing dependent work for the Controller on the basis of an employment contract or agreements on work performed outside the employment relationship shall be deemed to be employees of the Controller.

8.1.4.The recipient of the Data Subject's personal data will also be the Controller's co-workers, their business partners, suppliers and contractors, in particular: an accounting company, a company providing software development and maintenance services, a company providing legal services to the Controller, a company providing consultancy services to the Controller, companies providing transport and delivery of products to purchasers and third parties, marketing companies, companies operating social networks, companies providing payment gateways and other payment methods.

8.1.5.The recipient of personal data will also be courts, law enforcement authorities, tax authorities and other state authorities, if the law so provides. Personal data will be provided by the Controller to the authorities and state institutions on the basis of and in accordance with the legislation of the Slovak Republic.

8.1.6. The list of third parties - processors and recipients who process personal data of the Data Subject:

BillTax, s.r.o., Palackého 617/1 018 41 Dubnica nad Váhom – third party providing accounting services

IX. Information on the transfer of personal data to third countries and the period for which the personal data will be stored:

9.1.Not applicable. The Controller does not transfer personal data of Data Subjects to third countries.

X. Information on the existence of relevant rights of the Data Subject:

10.1.The Data Subject shall have, inter alia, the following rights, where:

10.1.1. Other rights of the Data Subjects are not affected by Clause 10.1.

10.1.2.The Data Subject's right to access data according to Article 15 of the Regulation, which includes:the right to obtain confirmation from the Controller as to whether they process the Data Subject's personal data and if so, to what extent. At the same time, if such data is processed, the Data Subject has the right to find out its content and to request information about the reason for its processing from the Controller, particularly information about: The reason for its processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly in the case of recipients in third countries or international organisations, estimated period for which the personal data will be stored or, if it is not possible, information on the criteria for its determination, on the existence of the right to request from the Controller the correction of personal data relating to the Data Subject or its deletion or restriction of processing and on the existence of the right to object to such processing, on the right to lodge a complaint with a supervisory authority where personal data have not been obtained from the Data Subject, any available information, as to its source, on the existence of automated decision-making, including profiling stated in Article 22 (1) and (4) of the Regulation and, in such cases, at least meaningful information on the procedure used as well as the significance and foreseeable consequences of such processing of personal data for the Data Subject, on adequate guarantees according to Article 46 of the Regulation concerning the transfer of personal data, if personal data is transferred to a third country or an international organisation.

10.1.3. the right to provide a copy of the personal data that is being processed, subject to the condition that the right to provide a copy of the processed personal data must not have adverse consequences on the rights and freedoms of others.

10.1.4.the right of the Data Subject to correction according to Article 16 of the Regulation, which includes the right: for the Controller to correct incorrect personal data concerning the Data Subject without undue delay; the right to fill in incomplete personal data of the Data Subject, by means of providing a additional declaration of the Data Subject, the right of the Data Subject to delete personal data (the so-called "right to be forgotten") according to Article 17 of the Regulation, which includes:

10.1.5.the right to obtain from the Controller the deletion of personal data concerning the Data Subject without undue delay, if one of the following reasons is met:personal data are no longer necessary for the purposes for which they were obtained or otherwise processed, the Data Subject withdraws the consent on the basis of which the processing is carried out, provided that there is no other legal basis for the processing of personal data, the Data Subject objects to the processing of personal data according to Article 21 (1) of the Regulation and there are no prevailing legitimate reasons for the processing of personal data or the Data Subject objects to the processing of personal data according to Article 21 (2) of the Regulation, personal data have been unlawfully processed, personal data must be deleted in order to comply with a legal obligation under European Union law or under the law of a Member State to which the Controller is subject, personal data have been collected in connection with the offer of information society services according to Article 8 (1) of the Regulation.

10.1.6.the right for the Controller who has disclosed the personal data of the Data Subject to take reasonable measures, including technical measures, taking into account the available technology and the cost of implementing the measures, to inform other controllers who carry out the processing of personal data that the Data Subject has requested them to delete all references to such personal data, or a copy or replica thereof, and it is understood, that the right to delete personal data which includes the rights according to Article 17 (1) and (2) of the Regulation will not arise if the processing of personal data is necessary:

10.1.7.to exercise the right to freedom of expression and the right to information.

10.1.8.to fulfil a legal obligation that requires processing according to the law of the European Union or the law of a Member State to which the Controller is subject or to fulfil a task carried out in the public interest or in the exercise of public authority entrusted to the Controller.

10.1.9.for reasons of public interest in the field of public health in accordance with Article 9 (2) point h) and i) of the Regulation as well as Article 9 (3) of the Regulation.

10.1.10.for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes according to Article 89 (1) of the Regulation, if the right referred to in Article 17 (1) of the Regulation is likely to make it impossible or significantly impedes the achievement of the goals of such personal data processing; or for the establishment, exercise or defence of legal claims.

10.1.11.the right of the Data Subject to restrict the processing of personal data according to Article 18 of the Regulation, which includes:

10.1.12. the right for the Controller to restrict the processing of personal data in one of the following cases: The Data Subject contests the correctness of the personal data during the period allowing the Controller to verify the correctness of the personal data, the processing of the personal data is unlawful and the Data Subject objects to the deletion of personal data and instead requests the restriction of its use, the Controller no longer needs the personal data for the purposes of the processing, but the Data Subject needs it for the establishment, exercise or defence of legal claims, the Data Subject objected to the processing according to Article 21 (1) of the Regulation, until it is verified whether the legitimate reasons of the Controller prevail over the legitimate reasons of the Data Subject.

10.1.13.the right, that in case the processing of personal data has been restricted, such restricted personal data processed, with the exception of storage, shall only be processed with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

10.1.14. the right to be informed in advance about the cancellation of the restriction on the personal data processing.

10.1.15.the right of the Data Subject to comply with the obligation to notify recipients according to Article 19 of the Regulation, which includes: the right for the Controller to notify each recipient to whom personal data have been disclosed of any correction or deletion of personal data or restriction of processing carried out according to Article 16, Article 17 (1) and Article 18 of the Regulation, unless it proves to be impossible or requires disproportionate effort, the right for the Controller to inform the Data Subject about these recipients, if the Data Subject so requests.

10.1.16.the right of the Data Subject to data portability according to Article 20 of the Regulation, which includes: the right to obtain the personal data relating to the Data Subject that has been provided to the Controller in structured, commonly used and machine-readable format and the right to transfer such data to another controller without being prevented from doing so by the Controller, if:

a/ the processing is based on the Data Subject's consent according to Article 6 (1) point a) of the Regulation or Article 9 (2) point a) of the Regulation or on the contract according to Article 6 (1) point b) of the Regulation, and at the same time

b/ the processing is carried out by automated means, and at the same time:

10.1.17.the right to obtain personal data in a structured, commonly used and machine-readable format and the right to transfer such data to another controller without being prevented from doing so by the Controller, and it will not have adverse consequences on the rights and freedoms of others.

10.1.18.the right to transfer personal data directly from one controller to another controller, as long as it is technically feasible.

10.1.19.the right of the Data Subject to object according to Article 21 of the Regulation, which includes:

10.1.20.the right to object at any time for reasons related to the particular situation of the Data Subject to the processing of personal data concerning them which is carried out on the basis of Article 6 (1) point e) or f) of the Regulation, including objecting to profiling based on these provisions of the Regulation.

10.1.21.in case of exercising the right to object at any time for reasons related to the particular situation of the Data Subject to the processing of personal data concerning them which is carried out on the basis of Article 6 (1) point e) or f) of the Regulation, including objecting to profiling based on these provisions of the Regulation, the right that the Controller does not further process the personal data of the Data Subject, unless the Controller proves necessary legitimate reasons for processing which prevail the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

10.1.22.the right to object at any time to the processing of personal data concerning the Data Subject for the purposes of direct marketing including profiling to the extent that it is related to direct marketing; provided that if the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.

10.1.23.in connection with the use of information society services, the right to exercise the right to object to the processing of personal data by automated means using technical specifications.

10.1.24. the right to object for reasons related to the particular situation of the Data Subject to the processing of personal data concerning the Data Subject if the personal data is processed for scientific or historical research purposes or for statistical purposes according to Article 89 (1) of the Regulation, but with the exception of cases where the processing is necessary for the performance of the task for reasons of public interest.

10.1.25.the right of the Data Subject related to automated individual decision-making according to Article 22 of the Regulation, which includes:

10.1.26.the right not to be subject to a decision which is based solely on automated processing of personal data, including profiling, and which has legal effects concerning the Data Subject or similarly significantly affects the Data Subject, except cases according to Article 22 (2) of the Regulation [i.e. except where the decision is: (a) necessary for the conclusion or performance of a contract between the Data Subject and the Controller, b) permitted by the law of the European Union or the law of a Member State to which the Controller is subject and which also establishes appropriate measures guaranteeing the protection of the rights and freedoms and legitimate interests of the Data Subject; or (c) based on the Data Subject's explicit consent.]

XI. Information on the Data Subject's right to withdraw consent to the processing of personal data:

11.1.The Data Subject is entitled to withdraw their consent to the processing of personal data at any time without affecting the lawfulness of the processing of personal data based on the consent granted prior to its withdrawal.

The Data Subject is entitled to withdraw their consent to the processing of personal data at any time - in whole or in part. A partial withdrawal of consent to the processing of personal data may relate to a specific type of processing operation(s), while the lawfulness of the processing of personal data to the extent of the remaining processing operations remains unaffected. A partial withdrawal of consent to the processing of personal data may relate to a particular specific purpose(s) for the processing of personal data, while the lawfulness of the processing of personal data for other purposes remains unaffected.

The right to withdraw consent to the processing of personal data may be exercised by the Data Subject in paper form to the address of the Controller registered as its registered seat in the business register at the time of withdrawal of consent to the processing of personal data or in electronic form by electronic means (by sending an e-mail to the e-mail address of the Controller specified in the identification of the Controller herein).

XII. Information on the right of the Data Subject to lodge a complaint with the supervisory authority:

12.1.The Data Subject shall have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work or place of the alleged infringement if they believe that the processing of personal data concerning them is in contradiction to the Regulation, and all without prejudice to any other administrative or judicial remedies.

The Data Subject concerned shall have the right to be informed by the supervisory authority to which the complaint has been lodged, as a complainant, on the progress and outcome of the complaint, including the possibility of seeking a judicial remedy according to Article 78 of the Regulation.

12.2.The supervisory authority in the Slovak Republic is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, Slovak Republic. Tel. contact: +421 /2 3231 3214, Email: statny.dozor@pdp.gov.sk.

XIII. Information related to automated decision-making, including profiling:

13.1.Since in the case of the Controller the processing of the Data Subject's personal data does not take the form of automated decision-making, including the profiling referred to in Article 22 (1) and (4) of the Regulation, the Controller is not obliged to provide the information according to Article 13 (2) point f) of the Regulation, i.e. information about automated decision-making, including profiling, and about the procedure used, as well as about the meaning and expected consequences of such personal data processing for the Data Subject. Not applicable.

XIV. Final Provisions

14.1. These Personal Data Protection Principles shall come into force and effect upon its publication on the Website on February 5, 2023.