This Policy is drafted in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, hereinafter: “GDPR”) and the provisions of the Slovenian Personal Data Protection Act (Official Gazette of the RS, No. 163/22) (hereinafter: “ZVOP-2”).
Personal Data Controller:
Masarykova rezidence d.o.o., Dunajska cesta 151, 1000 Ljubljana, reg. no.: 8878587000.
(hereinafter the „Company” or “Controller”)
The Company is a member of the CORWIN SK a.s. group, with registered office at Námestie Mateja Korvína 1, 811 07 Bratislava, company registration No: 45500126 (hereinafter referred to as the CORWIN Group), which is engaged in the development of real estate projects. More detailed information on the projects carried out by the CORWIN Group is available on its website: http://corwin.sk.
The Company is constructing the »Nordika« project (hereinafter also referred to as the “Project”) and processes personal data of clients and potential clients or data subjects (hereinafter also referred to as the ” Data Subjects” and individually as a Data Subject) to the extent and subject to the conditions set out in this document and is responsible for the protection and processing thereof. Unless otherwise provided by law, the Controller shall also be responsible for the processing of personal data by processors authorised by it for that purpose.
I. Controller identification and contact details
The Controller on whose behalf personal data are processed is Masarykova rezidence d.o.o., Dunajska cesta 151, 1000 Ljubljana, reg. no.: 8878587000, Contact info: T: +386 (0) 8201 6922, e-pošta: corwin@corwin.si.
II. Establishing the purposes of data processing and determining the legal basis
Controller will only process personal data to the extent provided by Data Subjects for the following purposes:
- direct marketing: Informing Data Subjects (customers or potential customers) about news related to individual projects carried out by CORWIN Group and sending additional marketing offers to customers of CORWIN Group via direct mail, e-newsletters, personalised offers or other appropriate formats. The legal basis for personal data processing is the consent of customers or potential customers if they provide an e-mail address and consent to the processing of their personal data for the purpose of receiving business and marketing information sent by CORWIN Group (point (a) of the first paragraph of Article 6 of GDPR).
- recording and promotional communication in the sale or lease of real estate: The legal basis for personal data processing is legitimate interest in compliance with point (f) of the first paragraph of Article 6 of GDPR and the consent of customers or potential customers if they provide an e-mail address and consent to the processing of their personal data for the purpose of receiving business and marketing information (point (a) of the first paragraph of Article 6 of GDPR).
- statistical purposes: Combining personal data with other parties’ data to produce reports that help to improve provision of services, while respecting technical and organisational measures to ensure compliance with the principle of data minimisation. The legal basis for personal data processing is the further processing of personal data in compliance with point (b) of the first paragraph of Article 5 in connection with the first paragraph of Article 89 of GDPR.
- keeping records of requests sent by Data Subjects and their handling by the Controller. The legal basis for personal data processing is the consent of customers and potential customers, the fulfilment of contracts and the legitimate interest of the Controller in compliance with points (a), (b) and (f) of the first paragraph of Article 6 of GDPR.
- compliance with the Controller’s obligations under applicable legal provisions regarding tax or consumer protection obligations in the internal market. The legal basis for personal data processing is the fulfilment of legal obligations in compliance with point (c) of the first paragraph of Article 6 of GDPR.
- protection of the legitimate interests of the Controller which are important for the proper pursuit of the activity (in particular, the establishment, exercise and proof of legal claims, defence of rights, etc.). The legal basis for the processing of personal data is a legitimate interest in accordance with Article 6(1)(f), first indent, of the GDPR.
- performance of a contract: the Controller processes personal data in the context of the contractual relationship (e.g. for sending the contract), for the conclusion, amendment and termination of the contract in accordance with the law, for invoicing, for dealing with complaints and other requests from the Data Subject, for the implementation of standard or above-standard solutions, and for communicating with the Data Subject, etc. The legal basis for the processing of personal data is the performance of a contract in accordance with Article 6(1)(b) of the GDPR.
- providing services through the Client Portal at: https://homebycorwin.com/login, in particular providing access to contractual documentation, invoices, and documentation related to the Project, to claim hidden defects in the Project Real Estate or to book an appointment, and for the purpose of performing two-factor authentication when logging in to the Client Portal. The legal basis for the processing of personal data is consent (point (a) of the first paragraph of Article 6 of GDPR).
- verification of the identity of the Data Subject in relation to the electronic signature: the Controller processes personal data in encrypted form for the purpose of verification of the identity of the Data Subject when signing the digital document confirming attendance at the preview of the Project Real Estate and when signing the digital document of handover protocol for the Project Real Estate. The legal basis for the processing of personal data is consent (point (a) of the first paragraph of Article 6 of GDPR).
III. Personal data
The Controller processes the personal data of Data Subjects to the following extent:
- name and surname
- permanent address
- mailing address (if different from the permanent address)
- EMŠO or other identification number, if the Data Subject is a foreigner
- date of birth
- nationality
- telephone number
- e-mail address
- electronic signature
- data from the submitted online form (in the context of signing up for a newsletter or expressing interest in receiving marketing notifications)
- other information that the Data Subject voluntarily provides to the Controller.
IV. Categories of Data Subjects
The Controller processes personal data for the purposes referred to in points a) to f) of Article II of this Information on processing personal data in relation to clients and potential clients as Data Subjects who have expressed an interest in one of the CORWIN Group’s projects and have given their consent to the processing of personal data, whereby for this category of Data Subjects the Controller only processes the personal data referred to in points a), g), h), j) and k) of Article III of this Information on processing personal data.
The Controller processes personal data for the purposes referred to in points c) to i) of Article II of this Information on processing personal data in relation to Data Subjects who are in a contractual relationship with the Company or who intend to enter into a contractual relationship with the Company. If the Data Subject enters into a contract with the Company, the contract constitutes the legal basis for the processing of his/her personal data. The personal data that the Data Subject entrusts to the Company at the time of entering into, during the process of entering into or in the course of performance of the contract shall be processed with the utmost care and only to the extent necessary to achieve the legitimate purposes of the processing of personal data. The personal data referred to in point i) of Article III of this Information on processing personal data (electronic signature) and the personal data for the purpose referred to in points a) and h) of Article II of this Information on processing personal data (direct marketing purpose and the purpose of providing services through the Client Portal) shall only be processed if the consent of the Data Subject has been given to the Controller.
V. The right to object
The Data Subject may object, on grounds relating to his or her particular situation, to processing of personal data carried out on the basis of the legitimate interest of the Controller. In this case, the Controller shall no longer process the personal data unless it demonstrates a legitimate ground for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him/her for such purposes.
The right to object may be enforced in the following ways:
- by post sent to the address of the Controller;
- by clicking on the relevant link in each individually delivered e-newsletter;
- by email to corwin@corwin.si;
- by phone to +386 (0) 8201 6922.
VI. The voluntary nature of the consent to processing of personal data
Data Subject who wants to receive news and marketing data must at the minimum provide the Controller with his/her email address and consent to the processing of the personal data for direct marketing purposes, otherwise, it’s not possible to subscribe to news and marketing information. Confirmation of consent to personal data processing for direct marketing purposes is a legal requirement. The decision on whether the Data Subject wishes to provide his/her personal data for the purposes of receiving newsletters and marketing information is voluntary.
In cases where the provision of personal data is a contractual or pre-contractual obligation, such provision of personal data is mandatory. If you do not provide us with personal data, we will not be able to enter into a contract with you or to perform the contractual obligations. If the Data Subject does not provide the email address, it is not possible to establish the Client Portal and therefore use the Client Portal, which is considered to be voluntary.
VII. Recipients or categories of recipients of personal data
Personal data processed on behalf of the Controller for the purposes set out in Article II of this Policy will also be made available to the following recipients:
- CORWIN SK a.s., Námestie Mateja Korvína 1, 811 07 Bratislava, matična številka: 45 500 126,
- Lis Anker, s.r.o., Mýtna 48, 811 07 Bratislava, ID št.: 35 834 889,
- CORWIN SI d.o.o., Dunajska cesta 151, 1000 Ljubljana, reg. no.: 8190356000;
- Lis Anker SI d.o.o., Dunajska cesta 151, 1000 Ljubljana, reg. no.: 8585458000;
- Linhartov kvart, razvoj nepremičninskih projektov, d.o.o. Dunajska cesta 151, 1000 Ljubljana, reg. no.: 8920419000;
- CC Koppa, razvoj nepremičninskih projektov, d.o.o., Dunajska cesta 155, 1000 Ljubljana, reg. no.: 9149961000;
- Vilharia offices I, razvoj nepremičninskih projektov, d.o.o., Dunajska cesta 155, 1000 Ljubljana, reg. no.: 8529302000;
- Vilharia offices II, razvoj nepremičninskih projektov, d.o.o., Dunajska cesta 155, 1000 Ljubljana, reg. no.: 8920877000.
i.e. to processors who have been authorised in writing to process personal data transferred to them by the Controller. These particularly include the above-mentioned CORWIN Group companies, delivery companies, courier companies, consulting companies and agencies, IT service providers and other persons whose services are used by CORWIN Group to carry out its activities. The processors are diligently selected to ensure that all data protection requirements are met (hereinafter: “Recipients”).
VIII. The period for which the personal data are stored
Personal data shall be processed for the period necessary to fulfil the purposes set out in this Information on processing personal data, except where a longer storage period would be necessary or permitted by law. Personal data processed on the basis of consent shall be stored until the consent is withdrawn.
The duration of the processing of personal data for the purpose of performance of the contract shall be determined by the duration of the contractual relationship. After the termination of the contract, certain personal data may be further processed if there is another legal basis (e.g. a legitimate interest to assert or defend legal claims or a legal obligation).
IX. Information on Automated Individual Decision-Making
We do not carry out automated decision-making and/or profiling.
X. Transfer of personal data to a third country or an international organisation
We do not transfer personal data to third countries or international organizations.
XI. Rights of Data Subjects
In accordance with the legislation governing the protection of personal data, the Data Subject has the following rights:
The Right of access
The Data Subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
The Controller shall ensure a copy of the processed personal data. For any additional copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs.
The right to rectification (correction)
The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The right to erasure (“The right to be forgotten”)
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under EU and Slovenian law.
The Controller shall take reasonable steps, including technical measures, taking into account the technology available and the cost of implementing the measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The erasure shall not be carried out if the processing of the personal data is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by EU or Slovenian law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- for the establishment, exercise or defence of legal claims
The Right to restriction of processing
The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed:
- with the Data subject’s consent, or
- for the establishment, exercise or defence of legal claims, or
- for the protection of the rights of another natural or legal person, or
- for reasons of important public interest of the EU or of Slovenia.
The right to data portability
The Data Subject shall have the right to receive the personal data concerning him/her, which he/she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
The right to data portability is only admissible where technically feasible. The exercise of this right is without prejudice to the right to erasure.
That right shall not apply to processing necessary:
- for the performance of a task carried out in the public interest, or
- in the exercise of official authority vested in the Controller.
The right to object to processing and profiling (if any exists)
The Data Subject shall have the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The right to file a complaint with the supervisory authority
Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him/her infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78. of GDPR.
The supervisory authority to which data subjects shall address their complaint in duly justified cases is:
- for the Republic of Slovakia: Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov), established at Hraničná 12, 820 07 Bratislava 27, T: +421(0)2 32313214, E: statny.dozor@pdp.gov.sk;
- for the Republic of Slovenia: Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec Republike Slovenije), established at Dunajska cesta 22, 1000 Ljubljana, T: +386 (0) 1 23 09 730, E: gp.ip@ip-rs.si.
The right to withdraw consent to processing
f the legal basis for the processing of personal data is the consent of the Data Subject, the Data Subject may at any time withdraw his/her consent without affecting the lawfulness of processing based on consent before its withdrawal.
The right to withdraw the consent at any time, even before the expiry of the period for which the consent was granted, may be exercised by the Data Subject in particular in the following ways:
- by post to the address of the registered office of the Controller,
- at any time and free of charge by clicking on the relevant link in each delivered newsletter;
- by e-mail to the Controller;
- by phone.
In addition to the information, communications, replies and actions of the Controller referred to in Articles 15 to 22 of the GDPR, which shall be provided free of charge, the information, communications, replies and actions of the Controller with regard to the exercise of rights and claims in the field of personal data protection, access to, acquisition and processing of personal data under the ZVOP-2 or any other law shall also be provided free of charge.
Where the Data Subject’s requests are manifestly unfounded or excessive, in particular because they are repetitive, the Controller may nevertheless grant the request if it is substantiated on its merits and charge the Data Subject reasonable costs. Reasonable costs shall include only the material costs of providing the information, communications, replies or taking the action requested.
The Controller shall provide the Data Subject with information on the measures taken upon request pursuant to Articles 15 to 22 of the GDPR without undue delay and in any event within one month of receipt of the request. This period may be extended by up to two additional months, if necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject submits the request by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise requested by the Data Subject.
XIII. Changes to the Data Protection Policy
The Controller reserves the right to modify or amend the provisions of this Information on processing personal data at any time and without prior notice. Any amendments shall take effect from the date of publication on the website.
Date:
Masarykova rezidence d.o.o.