Privacy protection and personal data protection policy of program application wynston.sk (the “document”)

Article 1
Identification of data controller, circle of data subjects and initial information

1
Messier s.r.o., with its registered ofice at Grösslingová 7152/5, 811 09 Bratislava, Identification No.: 123 124 14 , registered in the Commercial Register of the District Court, is the data controller of the personal data information system (the “Data Controller”) who uses the program application wynston.sk as a means of processing personal data (the “Program Application”) of (a) customers, (b) end users of the Program Application from corporate customers, (c) registered suppliers of transport services (drivers) (the “Data Subjects”).
2
The Data Controller created this Document for the Data Subjects to enhance the sufficient transparency and explain the basic rules that the Data Controller complies with when protecting the privacy and personal data of the Data Subjects using the Program Application.
3
The Data Controller is deeply committed to protect and process personal data of the Data Subjects in accordance with law and, therefore, in this Document about the use of the Program Application, it created specifically binding rules of processing personal data of the Data Subjects that are based on the basic principles for processing of personal data regulated in Section 6(2) of Act No. 122/2013 Coll., on Personal Data Protection, Amending and Supplementing Certain Acts, as amended (“Act No. 122/2013 Coll.”), and in Article 5(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).
4
This Document is the internal privacy protection policy that the Data Controller has in place in accordance with Article 24 of the GDPR to demonstrate the achieved compliance with the GDPR when using the Program Application.
5
With this Document, the Data Controller provides the Data Subjects with the mandatory information pursuant to Section 15(1) of Act No. 122/2013 Coll. and Article 13 of the GDPR when acquiring personal data of the Data Subjects. The Data Controller provides the Data Subjects with the information about the content of this Document as early as during the installation of the Program Application into the technical device of the end consumer, and it also ensured that the Program Application not be used for the first time without the Subject Data having confirmed that it familiarised itself and agrees with the rules and settings of privacy protection and personal data protection stipulated by the Data Controller in this Document. This Document is also accessible for the Data Subjects in the content of the Program Application and the specifically determined web site intended for the registration of the Program Application; it is available at the following URL: wynston.wise.limo (the “Web”).

Article 2
Data Controller’S representations and warranties

1
The Data Controller never publishes or transfers personal data of any Data Subject to any third country that would not provide for the appropriate level of protection of personal data. The Data Controller warrants to the Data Subjects that their personal data be processed solely in the territory of EU member states, more specifically at the time when this version of the Document is in effect, all personal data processed in the Program Application are physically stored solely in the territory of the Slovak Republic.
2
Personal data of the Data Subjects are processed in the Program Application mainly in an automated (e.g. exclusively software) manner and during the whole time, the possibility remains preserved that also trained and professionally educated Recipients authorised by the Data Controller pursuant to Article 29 of the GDPR or instructed Authorised Persons under Act No. 122/2013 Coll. take part in the processing of personal data of the Data Subjects.
3
During the data transfer through the publicly accessible computer network between the end device of the Data Subject and the Program Application, the Data Controller uses appropriate means of encrypted protection of information. Similarly, all data and personal data of the Data Subjects stored by the Data Controller on the specified data storages are protected by appropriate means of encrypted protection of information.
4
The Data Controller is processing personal data for as short a time as possible. The Data Controller provided for the automated liquidation of personal data of all Data Subjects who uninstalled the Program Application from their end devices.
5
The Data Controller warrants to the Data Subjects that by installing the Program Application in their end device (e.g. tablet, smart phone), no other third parties will gain secret access to data and any content that is stored in the client technical device of the end user of the Program Application.
6
The Data Controller warrants to the Data Subjects that the Data Subjects will be able to express all consents being acquired intended to legalise a (partial) processing operation or other purpose of processing of personal data that is not associated with the use of the Program Application freely and independently of the possibility to use the Program Application; under no circumstances makes the Data Controller the possibility to use the Program Application contingent on acquiring the consent of the Data Subject for the purposes that are not associated with the use of the Program Application (e.g. marketing purposes). In respect to those partial processing operations or unrelated purposes of processing of its personal data, the Data Subject has always the option not to grant its consent with the processing of personal data to the Data Controller without this refusal having any effect on the possibility to use the Program Application. However, in certain cases, the granting of the consent by the Data Subjects directly affects the possibility to provide the services provided under the contractual relationship entered into with a third party (e.g. the carrier or a limousine driver registered in the Program Application). However, the granting or the refusal to grant this consent by the Data Subjects in no way conditions the provision of the services provided by the Data Controller through the Program Application; these services consist in the information society services and in the intermediation of personal transport, not in the provision of personal (taxi) transport.
7
All entities other than the Data Controller that legally participate in the process of processing personal data of the Data Subjects are transparently identified in ARTICLE 6 of this Document together with their substantive law status under the GDPR. The Data Controller will not perform any processing operation with personal data of the Data Subjects in respect of a third party and/or a recipient if the third party and/or the recipient is not transparently identified in this Document and the Data Controller lacks the legal basis to do so under Article 6 of the GDPR.
8
All recipients of personal data processed in the Program Application access this personal data exclusively on the basis of an authorisation granted by the Data Controller; they are legally bound by specific obligations and legal warranties enhancing the personal data protection of the Data Subjects.
9
The Data Controller does not provide personal data of the Data Subjects to any third parties for commercial purposes without each Data Subject first having granted its individual free consent or without such provision or making personal data of the Data Subjects accessible being necessary to perform the rights and obligations of the Data Controller under the applicable General Terms and Conditions of the Program Application (e.g. making personal data available to the drivers of the Data Controller’s business partner).
10
A part of the processing of personal data of the Data Subjects that is connected with the use of the Program Application is performed separately and completely independently of the Data Controller by third parties who are separate data controllers of personal data information systems different from the Data Controller’s personal data information systems intended for processing of personal data of the Data Subjects; these include mainly online operators of shops selling mobile applications or operators of so-called payment gates intended to execute cashless payments over the Internet. The Data Controller informs the Data Subjects also about these third parties (for more information see ARTICLE 6(3) of this Document) to whom the Data Subject provides its personal data directly when using the Program Application, without the Data Controller taking any part in this process or influencing it. This part of the processing of personal data of the Data Subjects is governed by internal policies and precautions adopted by these third parties and the Data Controller has no influence on that processing of personal data, including the possibility to exercise the rights of the data subject; the Data Subjects are informed about this in ARTICLE 9 of this Document.
11
In the future, the Data Controller may make all data, including personal data of the Data Subjects that are being processed in the Program Application, available to a party (if any) interested in buying the Program Application or to that party’s professional advisers (M&A consultants, lawyers, accountants, auditors, IT specialists) under the conditions that making such data available is contingent on the prior acceptance of the confidentiality undertaking that will bind all persons participating in the so-called due diligence process to absolutely comply with the confidentially undertaking regarding all personal data they familiarise themselves with when assessing and evaluating the price of the Program Application. In this case, the Data Controller also undertakes to adopt special procedures and take special organisational precautions that will enhance the protection of the processed personal data of the Data Subjects.
12
The Data Controller carefully screened its business partners (the so-called data processors) that it enabled to process personal data of the Data Subjects in light of their ability to ensure the safety and legality of the processing of personal data.
13
In this regard, the Program Application does not enable the sharing or publishing of any personal data of the Data Subjects without the Data Subject itself purposely beginning to use the Program Application and through its own actions enabling the sharing of information, data and personal data processed in the Program Application with third parties.
14
The Program Application does not enable any third parties to gain and store information about the end device of the user of the Program Application or to process any information which has been already stored and retained during the use of the Program Application in such technical device by the Data Subjects. In addition to the Data Controller and the recipients of data authorised by the Data Controller (see ARTICLE 6(2) of the Document), only the Data Processor 1 may have access to data and functions processed in the Program Application installed on the end user device of the Data Subject through the so-called API (Application Programming Interface) (see Article 6(1) of the Document).
15
When processing personal data of the Data Subjects and communicating with the Data Subjects, apart from the ordinary phone and email communication, the Data Controller uses only the Program Application and Web through officially published contact information on the Web; the Data Controller does not use the so-called social networks or cooperation with the operators of social networks to acquire personal data or to perform any other processing operations on personal data. When processing personal data of the Data Subjects, the Data Controller has not created or uses any official profiles created on the social networks Facebook, Twitter, Instagram etc..
16
The Data Controller represents that the Carriers registered in the Program Application do not have access to all the data and personal data processed in the Program Application, but only to data and personal data that are related to the purchase orders initiated by Data Subject 1 and Data Subject 2 intended to be dealt with in the real time.
17
The Data Controller does not process any personal data of minors in the Program Application. Only natural persons of full age with full legal capacity can be Data Subjects.
18
In the Program Application, the Data Controller does not process any data regarding the Data Subjects from the special category of personal data under Article 9 of the GDPR.

Article 3
List of personal data that is processed

1
The Data Controller processes the following personal data about natural persons - users (“Data Subject 1”): name, surname, e-mail, phone number, place and time where the ordered limousine must arrive, history of purchase orders (information about the place and exact time when Data Subject 1 entered the vehicle, duration of the journey, route of the journey, information about the place and exact time of termination of the journey, type of vehicle used for the specific journey, specific requirements of the Data Subject (alcohol in the minibar, child seat, preference for a specific driver to perform the journey, etc.), journey date, flight number if collected at the airport, IP address and MAC address allocated to the client device of Data Subject 1 when signing in the Program Application and the so-called login records generated by the Program Application during the time of the active use of the Program Application (e.g. time of signing-in to the Program Application and time of signing-out of the Program Application, executed actions and the exact time of the actions executed in the Program Application).
2
The Data Controller processes the following personal data about natural persons legally using the Program Application on the basis of a contractual relationship between the Data Controller and a third party with whom this natural person has a separate legal relationship (e.g. employee, manager, client) (“Data Subject 2”): name, surname, e-mail, phone number, information about the relationship between the natural person and the legal person having a contractual relationship with the Data Controller, history of purchase orders (information about the place and exact time when Data Subject 2 entered the vehicle, duration of the journey, route of the journey, information about the place and exact time of termination of the journey, type of vehicle used for the specific journey, specific requirements of the Data Subject (alcohol in the minibar, child seat, preference for a specific driver to perform the drive, etc.), journey date, flight number, price of the journey, number of the project, invoicing codes, IP address and MAC address allocated to the client device of Data Subject 2 when signing in the Program Application and the so-called login records generated by the Program Application during the time of the active use of the Program Application (e.g. time of signing-in to the Program Application and time of signing-out of the Program Application, executed actions and the exact time of the actions executed in the Program Application).
3
The Data Controller processes only the following personal data about the natural persons - drivers of motor vehicles who are business partners (“Data Subject 3”) on the basis of registration in a separate module of the Program Application and subsequent use of the Program Application: name, surname, phone number, e-mail, IP address and MAC address allocated to the client end device of Data Subject 3 when signing in to the Program Application and the so-called login records generated by the Program Application during the time of the active use of the Program Application (e.g. time of signing-in to the Program Application and time of signing-out of the Program Application, executed actions and the exact time of the actions executed in the Program Application).

Article 4
Legal basis and purposes of processing of personal data

1
The Data Controller is processing personal data of all Data Subjects for the purposes of a proper use of the Program Application the purpose of which Program Application is to enable comfortable and efficient transport of natural persons by luxury motor vehicles.
2
The Data Controller is processing personal data of Data Subject 1 in order to enter into and perform the contractual relationship established between Data Subject 1 and the Data Controller under the terms and conditions specified in this Document and in the General Terms and Conditions of the Data Controller. The legal basis for the processing of personal data for this purpose is the contractual relationship entered into between the Data Controller and Data Subject 1 or the provisions of Section 10(3)(b) of Act No. 122/2013 Coll. and the provisions of Article 6(1) b) of the GDPR.
3
The Data Controller is processing personal data of Data Subject 2 in order to perform the contractual relationship established between the Data Controller and the corporate client who has its own legal relationship with Data Subject 2 independent of the Data Controller and under the terms and conditions specified in this Document, the General Terms and Conditions of the Program Application wynston.sk and the consent of Data Subject 2. The legal basis for the processing of personal data of Data Subject 2 for this purpose is the consent of the data subject or the provisions of Section 9(1) of Act No. 122/2013 Coll. and Article 6(1)(a) of the GDPR. Personal data of Data Subject 2 are used also for invoicing and bookkeeping in accordance with the Slovak law. The legal basis for this processing of personal data of Data Subject 2 for this purpose is a special Act or the provisions of Section 10(2) of Act No. 122/2013 Coll. and the provisions of Article 6(1)(c) of the GDPR.
4
The Data Controller is processing personal data of Data Subject 3 in order to perform the contractual relationship established between the Data Controller and Data Subject 3 or the employer of Data Subject 3 or the contractual business partner of Data Subject 3. The legal basis for this processing of personal data is the contractual relationship entered into between the Data Controller and Data Subject 3 or the provisions of Section 10(3)b) of Act No. 122/2013 Coll. and the provisions of Article 6(1)b) of the GDPR or the consent of Data Subject 3 granted to the Data Controller during the registration in the Program Application if Data Subject 3 does not perform personal transport as a self-employed person, but as an employee of another Carrier.
5
The purpose of the processing of personal data of Data Subject 1 and Data Subject 2 is also the own marketing communication of the Data Controller (e.g. a newsletter, etc.) as well as the displaying of marketing communication of third parties without providing personal data of Data Subject 1 and Data Subject 2 or making them accessible to any third party. The legal basis for the processing of personal data of Data Subject 1 and Data Subject 2 for this purpose is the consent of the data subject or the provisions of Section 9(1) of Act No. 122/2013 Coll. and Article 6(1)a) of the GDPR. The Data Subject grants or does not grant this consent to the Data Controller separately through a separate legal act.
6
Since 25 May 2018, the Data Controller will be authorised to process electronic communication metadata that can be allocated to technical devices of end users of the Program Application, i.e. Data Subjects, for the purposes of the protection of rights and statutorily protected interests of the Data Controller when providing for the protection and security of data processing in the Program Application (e.g. recognition of IP addresses and MAC addresses of end devices using the application and their allocation to registered identities). The legal basis for the processing of personal data will be the protection of rights and statutorily protected interests of the data controller or the provisions of Article 6(1)(f) of the GDPR.
7
The Data Controller may process personal data of the Data Subjects also for the purposes of performing the so-called due diligence audits that could take place before the sale (if any) of the Program Application to an interested third party. The legal basis for the processing of personal data will be the protection of rights and statutorily protected interests of the data controller or the provisions of Article 6(1)(f) of the GDPR.

Article 4a
Consent of Data Subject supplementing the general terms and conditions of the program Application

1
Given the fact that, when processing personal data of Data Subject 1 and Data Subject 2 in the Program Application, the Data Controller must provide personal data to its business partners who are the carriers actually performing the transport, i.e. to the drivers and/or also to employers of those drivers, and the business model used by the Data Controller does not make it possible to provide this personal data within the contractual relationship entered under the General Terms and Conditions of the Data Controller directly between the Data Controller and the Data Subject, from the point of view of the need for sufficient legalisation of the performance of the necessary processing operations performed on personal data of the Data Subjects, it is necessary to require Data Subject 1 and Data Subject 2 to provide their consent with the provision of their personal data to Data Subject 3 (to the taxi limousine driver registered in the Program Application or also to the employer of this driver who has a business relationship with the Data Controller (see third parties in the capacity of recipients of data specified in Article 6(2) of this Document)) (the “Carrier”).
2
The Data Controller informs Data Subject 1 and Data Subject 2 that, when using the Program Application, they grant the Data Controller their consent with the provision of the following personal data of theirs by their action consisting in ordering the transport: name, surname, phone number, place and time of pick-up or the beginning of transport to any Carrier registered in the Program Application for the purposes of performing personal transport of Data Subject 1 and/or Data Subject 2 and performing specific contractual obligations of Data Subject 3 (driver) vis-à-vis the Data Controller. Also, Data Subject 1 and Data Subject 2 can choose the specific Carrier or driver in the Program Application; therefore, when a specific Carrier is chosen, only partial provision of personal data to this chosen Carrier and not to all Carriers registered in the Program Application will take place. Data Subject 1 and Data Subject 2 may revoke their consent with the processing of personal data explained in this clause of this Document at any time, until the beginning of the transport by the Carrier, through the function “purchase order cancellation” available in the Program Application. Once the transport has begun, a separate contractual relationship between Data Subject 1 and/or Data Subject 2 and the Carrier is entered into. This consent remains valid throughout the entire term of active use of the Program Application.
3
Data Subject 3 and at the same time the Carrier performing the personal transport under the contractual relationship entered into with the business partner of the Data Controller acting in the capacity of a third party and the recipient of data (see Article 6(2)d) of this Document) grants to the Data Controller its consent with making its personal data in the Program Application available to Data Subject 1 and Data Subject 2 to the following extent: name, surname, type and colour of the motor vehicle, information about the availability/unavailability to perform the personal transport for the purposes of entering into the contractual relationship between Data Subject 1 or Data Subject 2 and Data Subject 3. Data Subject 3 may revoke this consent at any time by uninstalling the Program Application from its end user device or in the manner specified in Article 9(2) of this Document.
4
The consents of the Data Subjects specified in Article 4A of this Document supplement the General Terms and Conditions approved by the Data Controller for the use of the Program Application and constitute the prerequisites for achieving compliance with the basic principles of processing of personal data under Article 5(1)(a) and (b) of the GDPR and Article 7 of the GDPR.
5
Apart from the notification mechanisms described in Article 1(6) of this Document, the Data Controller notifies the Data Subjects of the wording of the above consents with the processing of personal data with respect to the requirement arising from Article 7(2) of the GDPR also by specifically extracting this part of the text from this Document into a separate document that is accessible continuously throughout the entire term of use of the Program Application to every Data Subject in the user interface of the Program Application in section “Terms of Use”.

Article 5
Term of retention of personal data

1
The Data Controller retains personal data of the Data Subjects exclusively throughout the term of registration of the individual user of the Program Application. By uninstalling the Program Application from the device of the end user (Data Subject), an automated liquidation of all personal data allocated to the user account that was cancelled as a result of the un-installation of the Program Application will take place immediately.
2
The Data Controller will also at any time liquidate all personal data or precisely specified personal data at the individual request of the authorised Data Subject, in excess of the reasons specified in Article 17(1) a) of the GDPR.
3
The Data Controller will proceed in accordance with Article 5(2) of this Document only where by doing it, it does not endanger or fail to perform its obligations under the generally binding legal regulations (e.g. providing for the security of processing of personal data, recording of accounting documents) or its obligations under the General Terms and Conditions of the Program Application (e.g. inspection by the employer of the Data Subject whether the journey was justified).
4
If a registered Data Subject has not been actively using the Program Application for longer than 1 calendar year, the Data Controller will check, usually by e-mail, whether the Data Subject is still interested in using the Program Application. lf the contacted Data Subject ignores the request or if it gives a negative answer, the Data Controller will provide for the cancellation of the user account together with the liquidation of all personal data.

Article 6
Identification of Data Processors, recipients and third parties included in the processing of personal data of Data subjects

1
When processing personal data of the Data Subjects in the Program Application, the Data Controller uses the following data processors:
  1. 2P Com, s.r.o., with its registered office at Popradská 26, 821 06 Bratislava, Identification No. 35 864 613, registered in the Commercial Register of District Court Bratislava I, section Sro, insert No. 29514/B;
  2. Websupport, with its registered office at Staré Grunty 12, Bratislava 841 04, Identification No.: 36 421 928, registered in the Commercial Register of District Court Bratislava I, section: Sro, insert No.: 63270/B;
  3. CCW s.r.o., with its registered office at Trenčianska 47, 821 09 Bratislava, Identification No.: 31 364 543, registered in the Commercial Register of District Court Bratislava I, section: Sro, insert No.: 6299/B;
  4. CARPATHIAN Advisory Group, s.r.o., with its registered office at Jasovská 17, 851 07 Bratislava, Identification No.: 44 138 148, registered in the Commercial Register of District Court Bratislava I, section: Sro, insert No.: 52352/B; and
  5. Izzy Trading s.r.o., with its registered office at Trenčianska 17, 915 01 Nové Mesto nad Váhom, Identification No.: 36 717 924 ,registered in the Commercial Register of District Court Trenčín, section: Sro, insert No.: 17391/R.
2
When processing personal data of the Data Subjects in the Program Application, the Data Controller uses the following recipients or circles of recipients who have been trained in respect of the Program Application and sufficiently instructed by the Data Controller of their authorisations, responsibilities as well as obligations in the internal system of the personal data protection created by the Data Controller:
  1. Data Controller’s employees;
  2. the statutory body and employees of FRESH & COOL SYSTEMS s.r.o., with its registered office at Popradská 26, 821 06 Bratislava, Identification No.: 44 235 755, registered in the Commercial Register of the District Court Bratislava I, section: Sro, insert No.: 53050/B, an affiliated company having property and personnel ties to the Data Controller;
  3. legal entities that have a business client relationship (the so-called B2B) with the Data Controller that have a specific legal relationship with the Data Subjects directly using the Program Application; this legal relationship is completely independent of the Data Controller (e.g. employment relationship, commercial relationship, etc.);
  4. natural persons who have a separate commercial relationship with the Data Controller for the purposes of provision of transport services to the end user of the Program Application or Data Subject 1 and Data Subject 2, i.e. the Carrier (see ARTICLE 4a(1) of this Document).
3
The Data Controller uses the following partners acting in the capacity of a third party and separate data controller that is liable for personal data protection independently and separately from the Data Controller:
  1. Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, United States of America; and
  2. Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA, United States of America.

Article 7
Principles of protection of Privacy when using the Web

1
For processing personal data of the Data Subjects, the Data Controller also uses the Web.
2
The Web uses cookie files. A cookie file is a small text file that the Web stores in your computer or mobile device during its browsing. Thanks to this file, the Web retains for a while information about your steps and preferences (such as login name, language, font size and other display settings) so that you do not need to repeatedly type them during your next visit of the Web or when browsing its individual subpages.
3
The Data Controller uses its own cookie files (the so-called first party cookies) in order to optimise the functions of the Web and enhance the user convenience of the Web visitor as well as other cookies (the so-called third party cookies) to display the so-called behavioural ads.
4
The Web uses also the so-called short-term cookies that are erased after the termination of the use of the internet browser automatically from the computer system of the Data Subjects or other end users of the Program Application. However, in some cases, processed may also be the so-called long-term cookies that remain in the device of the end user and enable the Data Controller to see that the Web has repeatedly been visited by the relevant device of the end user, which may, depending on the setting performed by the user of the Program Application, be associated with, for example, remembering of the pre-set access password to the Program Application, etc..
5
The Data Controller informs the Data Subjects and all visitors of the Web of the fact that all cookie files that the Web may store in the end device of any visitor of the Web may be checked and erased. By appropriately setting the preferences of the internet browser, it is possible to effectively and completely prohibit the use of the cookie files. Specific information and instructions regarding the setting of preferences of individual internet browsers can be found here: https://www.aboutcookies.org/how-to-control-cookies/ and information necessary to erase the cookie files from the technical device of the user can be found here: https://www.aboutcookies.org/how-to-delete-cookies/. Generally, it can be stated that it is necessary to switch on the function that is usually called “Protection against spying” in the internet browser.
6
The Data Controller informs the Data Subjects that if the internet browser used by the device of the end user for entry and browsing the contents of the Web enables to use cookie files on the Web, the Data Controller may consider it as the expression of a valid legal consent of the end user of the technical device in which the cookie files are stored in accordance with (draft) Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (the “ePrivacy Regulation”).
7
The Data Controller informs the Data Subjects that if the so-called third-party cookies are used to display behavioural ads, the Web will request the Data Subjects to grant their explicit consents even before the installation of these cookie files in the device of the end user of the Web.
8
On the web, the Data Controller also uses the internet analytical service from Google Inc.; however, the Data Controller does not process any personal data or other identifiers that can be used for indirect identification (such as IP address) of the Data Subjects. However, it does not mean that in this manner the processing of personal data by Google Inc., which is the operator of the service Google Analytics, does not take place.
9
Google Analytics also uses the cookie files that are stored in the device of the end user of the Web (computer, tablet, smartphone) to analyse your behaviour on the Web. Google makes the part of the IP address that is related to the device of the end user of the Web anonymous immediately after acquiring it, which enhances the privacy protection of the Data Subject. Google Inc. uses the information acquired during the use of the Web by the Data Subject to evaluate the use of the Web by the users, to issue reports about the activities on the Web and to provide the Data Controller with other services associated with the use of Web and the Internet. This processing of data by the Google Analytics service may also be prevented by appropriately setting the preferences of the internet browser in which you install the browser plug-in available through the following link: https://tools.google.com/dlpage/gaoptout?hl=en. The Data Subjects or users of the Web may prevent the acquisition of information by the service Google Analytics also by clicking here. After clicking the above link, a cookie opt-out file that will prevent the future acquisition of data while visiting the Web will be stored in the end device of the Data Subject.
10
The Data Controller may use the Google Analytics service on the Web to also to generate online ads through re-marketing, i.e. outputs from marketing communication of the Data Controller may also be displayed by other providers of digital services and internet content, including Google Inc, on various web pages that will be in the future displayed on the device of the end user or data subject after they leave the Web.
11
The Data Controller also uses the reports by Google Analytics to conduct more efficient marketing communication, whereby the processing of demographic characteristics and interests that is related to the Data Subjects (such as age, sex, interests) acquired by Google Inc., which may be used also by the Data Controller, can take place. However, when processing data through the Google Analytics service, the Data Controller will not process personal data of the Data Subjects because it will not have a sufficient identifier at its disposal that would enable it to directly or indirectly identify the Data Subjects.
12
The Data Subjects using the Web may prevent the personalised commercial banners by Google from displaying through the following link.
13
The Data Subjects can find further information about the use of data by Google Inc. in the context of the use of the Web here: https://www.google.com/policies/privacy/partners/.
14
The Data Controller notifies the Data Subjects of the fact that if they are signed in to other internet services from Google Inc. during their visit and use of the Web, the processing of personal data of the Data Subject may take place. The Data Controller has no control over or influence on that processing of personal data nor participate in it in any manner.
15
In connection with the use of the Web by the Data Subjects, Google Inc. is a third party in the capacity of a separate data controller. The Data Subjects can find more information about the current privacy protection rules adopted by Google Inc. here: https://www.google.com/intl/en-GB/policies/privacy/. The Web does not use any plug-ins of operators of so-called social networks.

Article 8
Downloading the program application from servers of third parties

1
The Program Application can be freely downloaded from the so-called online stores with applications for smart devices, namely from App Store and Google Play.
2
The Data Controller informs the Data Subjects that if they download the Program Application in the device of the end user of the Program Application from so-called online stores with intelligent applications under Article 8(1) of this Document, the operators - third parties (see Article 6(3)(a) and (b) of this Document) (the “App Store and Google Play”) may process personal data of the Data Subjects completely independently of the Data Controller. The Data Controller has no influence on the processing of personal data by the App Store and Google Play.
3
The App Store and Google Play have created their own personal data protection and privacy protection policies that govern and apply also to the Data Subjects if the Program Application is downloaded from the App Store and Google Play.
4
More information about personal data protection and privacy protection of App Store in the English language can be found at the following URL: https://www.apple.com/legal/privacy/en/
5
More information about personal data protection and privacy protection of Google Play in the English language can be found at the following URL: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en

Article 9
Instructions about the rights of the data subject

1
The Data Controller is committed to preserve the integrity and confidentiality of personal data of the Data Subjects; therefore, it strives for the strong protection of personal data not only through individual modern technical and organisational precautions, but also through the possibility to exercise the rights of the Data Subject at any time through a written signed application implying the identity and the right that the Data Controller is requested to exercise by the Data Subject. The Data Subjects may sent the applications to exercise the right to the Data Controller to the following address: wynston.sk, with its registered seat at Grösslingová 7152/5, 811 09 Bratislava.
2
The Data Controller instructs the Data Subjects that if the legal basis for the processing of personal data is the consent of the data subject (see Articles 4(3) to (5) and 4a of this Document), the Data Subject may revoke the granted consent at any time. The Data Controller enables the Data Subject to revoke its consent with the processing of personal data directly through the Program Application or also through an ordinary e-mail delivered to the Data Controller from the e-mail address registered in the Program Application. In those cases, the provision of personal data by the Data Subject is exclusively voluntary and in no way affects the possibility to install and use the Program Application; however, if certain types of consents by the data subject are revoked, partial restriction of services and contractual performances provided by the Data Controller and/or its business partners can take place (e.g. revocation of the consent with the provision of personal data to the Carrier before the beginning of the personal transport will make it impossible for the transport to be performed, etc.).
3
The Data Controller instructs the Data Subjects that if the legal basis is the contractual relationship entered into directly between the Data Subject and the Data Controller (see Article 4(2)(3)(4) of this Document), it is necessary to provide the Data Controller with the required personal data, or the Program Application cannot be used.
4
The Data Controller instructs the Data Subject that if the legal basis is the protection of rights and statutorily protected interests of the Data Controller (see Article 4(6)(7) of this Document), the Data Controller may process the associated personal data of the Data Subjects without their consent and the Data Subjects must tolerate it. If the Data Subjects are not willing to accept this processing of personal data, the Data Controller advises them not to install and use the Program Application. Given its commitment to provide a high standard of personal data protection, the Data Controller enables the Data Subjects to individually object and restrict this processing for the so-called due diligence purposes of processing personal data beyond the scope of its legal obligations (for more information see ARTICLE 2(16) of this Document).
5
The Data Controller instructs the Data Subjects that Head 4, Part II of Act No. 122/2013 Coll., Sections 28-30, cover the rights of the data subject, and at the same time the Data Controller informs you that if you suspect that your personal data is processed without authorisation, you may file a petition to commence proceedings on personal data protection with the Office for Personal Data Protection of the Slovak Republic (www.dataprotection.gov.sk), or, from 25 May 2018, a complaint regarding a non-compliance or breach of the GDPR.
6
With effect from 25 May 2018, the rights specified in Article 8(1.2) of this Document will cease to exist and the Data Subjects will have at their disposal new rights which should provide more efficient control and overview of your personal data processed by the Data Controller. These include the right of access the data (Article 15 of the GDPR), the right to rectification (Article 16 of the GDPR), the right to erasure (Article 17), the right to restriction of processing (Article 18 of the GDPR). Given the nature of the processing of personal data, the Data Controller also informs the Data Subjects that they become entitled also to the right to request the examination of an individual decision generated by the Program Application that was based on the automated processing of personal data (Article 22 of the GDPR) as well as the right to data portability under Article 20 of the GDPR.
7
Each application to exercise the right of the data subject under the GDPR and also under Act No. 122/2013 Coll. may be made on the basis of a written and signed request sent to the address of the registered office of the Data Controller’s company specified in Article 1(1) of this Document.
8
The Data Controller warns the Data Subjects that when processing the applications to exercise the right of the data subject under Act No. 122/2013 Coll. or under the GDPR, it can request the applying Data Subject to credibly prove its identity, mainly if the Data Subject requests the exercise of its right in a manner other than by a written signed letter, by e-mail with a credible electronic signature or in person in the registered office of the Data Controller (i.e. in ordinary applications by e-mails or phone calls).
9
Each application to exercise the right of the data subject delivered to the Data Controller will be assessed individually and competently; the Data Controller will always inform the requesting Data Subject about the result within one month from the receipt of the application. The process of dealing with the application to exercise the right of the data subject under the GDPR or Act No. 122/2013 Coll. is free of charge. If we have, in your opinion, not dealt with your application to exercise the right of that data subject in accordance with the GDPR or Act No. 122/2013 Coll., you may file a complaint with the supervision authority (www.dataprotection.gov.sk) or apply for a judicial remedy directly with the general court having jurisdiction.
10
If the Data Subjects have any questions regarding the protection of privacy and personal data or information regarding the content and enforcement, they may contact the Data Controller at any time at the following e-mail address: info@wynston.sk

Article 10
Special instruction regarding the right to object to the processing of personal data and automated individual decision-making

1
In accordance with Article 21(4) of the GDPR, the Data Controller specifically instructs the Data Subjects that in connection with the provision of information society services through the Program Application, they may object to the automated individual decision-making under Article 21 of the GDPR. In addition to the procedure under Article 10(7) of this Document, the Data Subjects may in accordance with Article 21(5) of the GDPR object to the processing of personal data also through specific functionality integrated directly in the Program Application that is designated as “Call support”.
2
In accordance with Article 21(4) of the GDPR, the Data Controller specifically instructs the Data Subjects that under Section 21(2) of the GDPR, they have the right to object to the processing of personal data for the purposes of direct marketing at any time. The Data Subjects may at any time effectively unsubscribe from receiving the newsletter by unsubscribing or sending an empty reply to the e-mail sent by the Data Controller.

Article 11
Profiling of Data subjects

1
Under Article 4(4) of the GDPR, the Data Controller may perform the so-called profiling of personal data of the Data Subjects processed in the Program Application because the Program Application enables it to find geographical position and perform geo-localisation of the end device of the user of the Program Application in real time, and the Data Controller, under the conditions explained in this Article of this Document, processes data about the current geographical position and movement through GPS coordinates of the device of the end user of the Program Application. By these provisions of Article 12 of this Document, the Data Controller provides the Data Subjects under Article 13(2)f) of the GDPR with meaningful information about the procedure used as well as the meaning and presumed consequences of such a processing of data for the Data Subject.
2
When using profiling, the Program Application does not process any special categories of personal data under Article 9(1) of the GDPR.
3
The Data Controller represents that the Program Application thereby does not monitor the Data Subjects without their knowledge continuously and systematically at any time, but always exclusively in a causal connection with the specific order and development of the specific order of personal transport for which the Data Subjects will use the Program Application.
4
From the moment of acceptance of the order of personal transport until the moment of termination of the ordered transport, the Program Application monitors the approximate geographical position of the devices of the end users of the Program Applications who are interested in performing the ordered personal transport; it means, from the acceptance of the order, during the whole development of the order and until the termination of personal transport, the Program Application monitors the approximate geographical position of the end user’s device of Data Subject 1 and/or Data Subject 2 as well as Data Subject 3 who actively and passively participate in the separate legal relationship regarding the personal transport; this legal relationship is independent of the use of the Program Application. Any data generated about the Data Subjects in this context in the Program Application are stored on the grounds of user comfort and visibility of information about completed orders until the un-installation of the Program Application from the device of the end user.
5
The functionality of the Program Application explained in Article 12(4) of this Document generates the following personal data about the Data Subjects in an automated manner: information about the place and exact time when the Data Subject entered the vehicle, duration of the journey, route of the journey, information about the place and exact time of termination of the journey. The Data Controller uses this personal data to perform the rights and obligations arising from contractual relations entered into separately with Data Subject 2 and Data Subject 3, i.e. in particular to examine the justification, correctness and charging of the price for personal transport that Data Subject 1 and Data Subject 2 are charged by the Carrier and to examine the amount and justification of the amount of remuneration of the Data Controller from each transaction or successfully terminated personal transport that was intermediated through the Program Application.
6
The Data Subjects take into consideration that the processing of personal data explained in Article 12(5) of this Document is necessary to properly perform the rights and obligations established by the separate contractual relationship entered into between the Data Subjects and the Data Controller under the applicable General Terms and Conditions and the separate agreement entered into with the Data Controller (in the case of Carriers).
7
In connection with the processing of personal data under this Article of this Document, the Data Controller informs the Data Subjects that they have the right to human interference by the Data Controller’s personnel to examine all decisions having a legal impact on the Data Subjects with a view to prevent any errors and misunderstandings that could be caused by incorrect activity of the Program Application (e.g. incorrect determination of the price of personal transport). If there are doubts as to the correctness of determination of the price of personal transport and/or of the amount of the contractually agreed remuneration, the Data Subjects may request the Data Controller to examine the associated decisions of the Program Application according applying the procedure under Article 9(7) of this Document and they can state all facts, factual assertions and evidence in support of their position.
8
The nature of profiling used by the Program Application does not establish the possibility to exercise the right of the Data subject to object to the automated individual decision-making under Article 21 of the GDPR.
9
In connections with the conclusions of its Data Protection Impact Assessment prepared under Article 35(3)(a) of the GDPR, the Data Controller concluded that, when profiling within the limits specified in this Article of this Document that is used for the needs of the Program Application, there are no high risks involving the rights and freedoms of the Data Subjects and there can be no discrimination of any of the Data Subjects.

Article 12
Data Protection Officer

1
On or before 25 May 2018, the Data Controller shall at this place publish also the direct contact information of the data protection officer who shall provide the Data Subjects with information and consultations regarding the rights of data subjects or other matters connected with personal data protection when using the Program Application or understanding this Document.

Article 13
Final Provisions

1
By their conscious and free action expressed in installing and subsequent practical using the Program Application, the Data Subjects confirm that they have familiarised themselves with the content of this Document, they understand it and they agree with its content.
2
If the Data Subjects do not agree or do not sufficiently understand the content or meaning of any part of this Document that regulates the processing of personal data, the Data Controller will welcome factual reservations and comments of the Data Subject which it undertakes to discuss with the Data Subject with a view to protect and support the rights of the Data Subject and prevent the occurrence and increase of any risks for the rights and freedoms of the Data Subject that could be caused or influenced by the use of the Program Application.
3
The Data Controller regularly revises and updates this Document; the current version of the Document published on the Web shall always be valid.
In Bratislava, on 19.10.2017