This Privacy Notice has been prepared by the non-governmental organization NextGen Legal (NGO), with its registered seat at Černyševského 1275/15, 851 01 Bratislava-Petržalka, ID No.: 55 472 842, registered with the Non-Governmental and Non-Profit Organizations Register maintained by the Ministry of Interior of the Slovak Republic, registration ID No.: VVS/1-900/90-66657, for the purpose of providing concise, transparent, understandable and easily accessible information regarding the processing of your personal data.

  1. Definition of Terms

In accordance with the principle of transparency and comprehensibility, the following terms are used for the purposes of providing information within the framework of this Privacy Notice:

  1. Act means Act No. 18/2018 Coll. on the Protection of Personal Data and on the Amendment of Certain Acts, as amended;

The Controller processes the personal data of the Data Subject as part of the performance of its activities. For this reason, the Controller is considered to be a so-called controller within the meaning of Article 4 (7) of the GDPR and Section 5 (o) of the Act. 

At the same time, the Controller uses cookies on the Platform. Some cookies may, among other functions, also collect personal data of the Data Subject. More information about cookies is available on the Platform.

In connection with the processing of personal data of Data Subjects, the Controller has designed and implemented standard and specific personal data protection, including appropriate technical and organizational measures to ensure a high level of security of the processed personal data.

In case of any questions in connection with this Privacy Notice, the processing of personal data or the exercise of the Data Subject’s rights under the GDPR and the Act, the Data Subject may at any time contact the Controller:

  1. in writing to the address: NextGen Legal (NGO), Černyševského 1275/15, 851 01 Bratislava-Petržalka; 
  2. e-mail: office@nextgenlegal.sk.

Below is an overview of the individual processing activities, as well as the personal data processed, the purpose of the processing, the legal basis for the processing, the storage period and other information.

| Processed personal data | Purpose of personal data processing | Legal basis for the processing of personal data | Personal data retention period | Legal or contractual requirement and possible consequences of not providing personal data |
| --- | --- | --- | --- | --- |
| Personal data necessary to conclude a contractual relationship, ensure communication between the contracting parties and proper performance of contractual obligations – name, surname, e-mail, telephone contact, job position and signature. | Conclusion of the contract, ensuring communication between the parties and proper performance of contractual obligations. The Controller processes the personal data of the Data Subject who acts as a representative or contact person of the other contracting party (e.g. statutory representative, member of the statutory body, procurator, proxy, contact person, etc.). | Legitimate interest of the Controller. The legitimate interest of the Controller is to conclude a contractual relationship, to ensure the fulfilment of its contractual obligations arising from the contractual relationship in question and to ensure communication between the contracting parties. | For the period of limitation or limitation period applicable to the claims of the parties arising from the contractual relationship. | Voluntary provision of data. The Data Subject may exercise his/her right to object to the processing of personal data in accordance with Art. 21 of the GDPR with the Controller. In the event that the employer of the Data Subject provides his/her personal data within the framework of a contractual relationship, Section 78 (3) of the Act applies, pursuant to which the employer may provide such data. |
| Personal data necessary for the conclusion of a contractual relationship, ensuring communication between the parties and proper performance of contractual obligations, if the party to the contract is directly the Data Subject – name, surname, e-mail, IBAN and other personal data specified in the contract or processed on the basis of a contractual relationship. | Conclusion and performance of a contract to which the Data Subject is a party. | Pre-contractual measures and performance of the contractual relationship. | For the duration of the limitation period or the limitation period applicable to the claims of the parties arising from the contractual relationship. | The provision of personal data is a contractual requirement. Failure to provide personal data results in the Controller not being able to enter into a contractual relationship with the Data Subject or to exercise its rights, or to fulfil the obligations arising from the contractual relationship. |
| Personal data necessary to ensure mutual communication – name, surname, e-mail, telephone contact and content of communication. Such communication may take place online (email, contact form, etc.), by telephone or by post. | Ensuring communication (including sending, receiving and recording physical or electronic mail) between the Controller and the Data Subject. | Legitimate interest of the Controller. The legitimate interest of the Controller is the effective and trouble-free provision of communication with the Data Subject. | For a period of 3 years from the last communication between the Controller and the Data Subject. For a period of 10 years from the date of receipt or dispatch of paper mail. | Voluntary provision of data. The Data Subject may exercise his/her right to object to the processing of personal data in accordance with Art. 21 of the GDPR with the Controller. |
| Personal data contained in the documentation that is part of the registry – title, first name, surname, signature, place of residence, e-mail address, telephone number and other data according to a special regulation. | Registry management. | Legal obligation of the Controller. The Controller fulfils its legal obligations pursuant to Act No. 395/2002 Coll. and Decree No. 410/2015 Coll. | For a period of 10 years from the date of inclusion of the document in the registry. | The provision of personal data is a legal requirement. Failure to provide personal data results in a breach of legal obligations. |
| Personal data necessary for the exercise and enforcement of the rights of the Controller – name, address, date of birth and other personal data processed within the framework of individual proceedings. These rights may be exercised by the Controller both in court and out of court. | Asserting the Controller’s claims through courts, arbitration courts, bailiff’s offices, law firms, notary offices, etc. | Legal obligation of the Controller. The legal obligation lies in the identification of the Data Subject and the Controller’s claim in the exercise and enforcement of rights. Legal obligations arise from the following generally binding legal regulations: a) Act No. 40/1964 Coll.; b) Act No. 513/1991 Coll.; c) Act No. 160/2015 Coll.; d) Act No. 233/1995 Coll.; e) Act No. 244/2002 Coll.; f) Act No. 162/2015 Coll.; g) Act No. 563/2009 Coll. Legitimate interest of the Controller. In the event that there is no legal obligation to process the personal data of the Data Subject, but these personal data are necessary for the exercise or enforcement of the rights of the Controller, the Controller processes personal data on the basis of its legitimate interest. The legitimate interest of the Controller is the exercise of rights and their subsequent enforcement through legal means. | For the duration of the limitation or limitation period or for a period of 10 years from the final conclusion of the proceedings. | The Controller processes the personal data of the Data Subject on the basis of its legal obligation. Failure to provide personal data results in the Controller not being able to fulfill its legal obligations and thus its rights in asserting claims are limited. The Controller processes personal data on the basis of legitimate interests due to the fact that it has carried out a test of compatibility of purposes, while the original purpose for which it processed personal data is compatible with the purpose of asserting claims. |
| Personal data necessary for the exercise of the rights of the Data Subject – name, surname, e-mail address, telephone contact, personal data in question, the right exercised and other information. | Exercising the rights of Data Subjects through a request. | Legal obligation of the Controller. The legal obligation is to allow the Data Subject to exercise his/her rights by means of a request and subsequently to deal with the request. Legal obligations arise from the following generally binding legal regulations: a) GDPR; b) the Act. | For a period of 5 years following the year in which the Data Subject’s request was handled. | The provision of personal data is a legal requirement. Failure to provide personal data results in the fact that the Controller cannot fulfill its legal obligations and thus cannot handle the request of the Data Subject. |
| Personal data necessary for keeping the accounting agenda and tax agenda, in particular name, surname, e-mail address and telephone contact and other data stated on the invoice. | Accounting and tax management. | Legal obligation of the Controller. The Controller fulfils its legal obligations arising in particular from the following generally binding legal regulations: a) Act No. 431/2002 Coll.; b) Act No. 222/2004 Coll.; c) Act No. 40/1964 Coll.; d) Act No. 311/2001 Coll.; e) Act No. 595/2003 Coll.; f) Act No. 582/2004 Coll.; g) Act No. 283/2002 Coll.; h) Act No. 563/2009 Coll. | For a period of 10 years following the year in which the personal data was first processed. | The provision of personal data is a legal requirement. Failure to provide personal data results in a breach of legal obligations. |
| Personal data necessary to promote the activities, services or products of the Controller on social networks – name, surname, reaction, comment and profile of the Data Subject. | Operating fan pages or other profiles on social networks for the purpose of promoting the activities, services and products of the Controller. The Controller has created various profiles on social networks (Facebook and LinkedIn), and as the operator of these profiles, it also processes the personal data of social network users who visit these profiles. It operates these profiles for the purpose of promoting activities, services and products, and interacts with individual users of social networks as part of this activity. | Legitimate interest of the Controller. The legitimate interest of the Controller is the promotion of the activities, services and products of the Controller. | For the duration of the operation of the profile on the social network or until the reaction or comment is deleted. | Voluntary provision of data. The Data Subject may exercise his/her right to object to the processing of personal data in accordance with Art. 21 of the GDPR with the Controller. |
| Personal data necessary for the promotion of activities, services or products of the Controller – photographs and audiovisual recordings. The Controller may also assign other personal data to photographs or audiovisual recordings, such as – name, surname, e-mail, telephone number and position. | Promotion of activities, services or products of the Controller. For the purpose of promoting its activities, services or products, the Controller makes photographs or audiovisual recordings, the subject of which may also be the personal data of the Data Subjects in the form of their portrait. These photographs or audiovisual recordings are made by the Controller, e.g. as part of the organization of activities – conferences, seminars, press conferences, gatherings, etc. The Controller processes these personal data on the basis of its legitimate interests in the following cases: a) if the main purpose of the photograph or audiovisual recording is not the Data Subject (i.e. it is not a presentation of a specific Data Subject); b) if the main purpose of the photograph or audiovisual recording is the Data Subject, but this Data Subject can reasonably expect it (e.g. this is based on his or her relationship with the Controller or on the specific context of the situation); c) if the main purpose of the photograph or audiovisual recording is the Data Subject, but this personal data will not be further disclosed to an unspecified public; d) if the main purpose of the photograph or audiovisual recording is the Data Subject, but does not interfere unjustifiably or disproportionately with his or her right to protection of personality. | Legitimate interest of the Controller. The legitimate interest of the Controller is the promotion of the activities, services or products of the Controller through the taking of photographs or audiovisual recordings. | For a period of 5 years from the start of the processing of personal data. | Voluntary provision of data. The Data Subject may exercise his/her right to object to the processing of personal data in accordance with Art. 21 of the GDPR with the Controller. |
| Personal data necessary for the promotion of activities, services or products of the Controller – photographs and audiovisual recordings. The Controller may also assign other personal data to photographs or audiovisual recordings, such as – name, surname, e-mail, telephone number and position. | Promotion of activities, services or products of the Controller. For the purpose of promoting its activities, services or products, the Controller makes photographs or audiovisual recordings, the subject of which may also be the personal data of the Data Subjects in the form of their portrait. These photographs or audiovisual recordings are made by the Controller, e.g. as part of the organization of activities – conferences, seminars, press conferences, gatherings, etc. The Controller processes these personal data on the basis of the consent of the Data Subject, in the event that the legal basis of its legitimate interests is not sufficient for the processing. | Consent of the Data Subject to the processing of his/her personal data. Consent to the processing of personal data is a freely given, specific, informed and unambiguous expression of the will of the Data Subject. Consent can be revoked at any time. | For a period of 5 years from the granting of consent or until the withdrawal of consent to the processing of personal data. | Voluntary provision of data. Failure to grant consent results in the Controller not making a photograph or audiovisual recording. |

In connection with the processing of personal data, the Data Subject has the following rights, which he/she can exercise at any time if the legal conditions are met. In such a case, the Data Subject shall be provided with information on the measures taken on the basis of his/her request without undue delay, but no later than within 1 month. This period may be extended by a further 2 months, in which case the Data Subject will be informed of any such extension within 1 month of receipt of the request, together with the reasons for the missed deadline.

In any case, the rights of the Data Subject listed below are not absolute and their application may be subject to legal exceptions in the sense of the GDPR or the Act. At the same time, different rights apply to different processing activities.

  1. Right of Access (Art. 15 GDPR)

The Data Subject has the right to obtain confirmation as to whether his or her personal data is being processed, and if so, the right to obtain access to such personal data. The Data Subject also has the right to be provided with all information within the scope of this Privacy Notice.

The Data Subject has the right to rectify the processed personal data without undue delay. At the same time, the Data Subject has the right to have incomplete personal data completed.

The Data Subject has the right to erasure of personal data processed about him or her without undue delay. However, the right to erasure is not absolute and is subject to the fulfilment of legal prerequisites.

The Data Subject has the right to have the processing of his or her personal data restricted.

The Data Subject has the right to receive the personal data provided in a structured, commonly used and machine-readable format and has the right to transmit this personal data to another controller if he or she has provided his or her personal data on the basis of consent and such personal data is processed by automated means.

The Data Subject has the right to object to the processing of personal data if such processing is carried out on the legal basis for the performance of a task carried out in the public interest or for the legitimate purposes of the parties, including objection to profiling based on these legal bases. The Data Subject also has the right to object to the processing of personal data for the purposes of direct marketing, including profiling.

The Data Subject has the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces effects concerning him or her or similarly significantly affects him or her.

The Data Subject has the right to file a motion to initiate proceedings on the protection of personal data within the meaning of Section 100 of the Act to a supervisory authority if he/she believes that his/her personal data is being processed in violation of the GDPR.

The Data Subject may file a motion to initiate proceedings with the Office for Personal Data Protection of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava. More information is available on the website of the Office for Personal Data Protection of the Slovak Republic.

  1. Right to Withdraw Consent (Art. 7 GDPR)

If personal data is processed on the legal basis of the consent of the Data Subject, the Data Subject has the right to withdraw his/her consent at any time, without affecting the lawfulness of the processing based on the consent granted before its withdrawal. 

The Data Subject may withdraw his/her consent at any time by sending an e-mail to office@nextgenlegal.sk.

Primarily, personal data is collected directly from Data Subjects. However, in some cases, personal data may also be processed from other sources:

  1. publicly available sources within which the personal data of the Data Subject is provided;
  2. business partners;
  3. another person who provides the personal data of the Data Subject – in such a case, the providing person is obliged to have the consent of the Data Subject within the meaning of Section 78 (6) of the Act.

Personal data of Data Subjects may also be provided to other natural or legal persons, public authorities or international organizations.

In such a case, the highest possible level of protection of personal data is ensured, whereby in the case of the provision of personal data to a processor or a joint controller, a contractual relationship within the meaning of Article 26 or Article 28 of the GDPR is concluded. 

The personal data of Data Subjects are provided to the following categories of recipients or public authorities:

  1. controlling or controlled entities and other entities in the horizontal or vertical hierarchy of the organisational structure;
  2. business partners;
  3. legal, tax, accounting, IT and other advisors;
  4. public authorities.

In addition to the specified retention period for individual personal data in accordance with point 3 of this Privacy Notice, the personal data of Data Subjects may also be stored for a longer period of time, if it is necessary to store personal data for longer than the specified period due to legitimate interests or due to a change in legal obligations.

Personal data of Data Subjects may be transferred to other third countries or international organizations. In the event of a possible transfer of personal data to third countries or international organizations, a sufficient level of protection of the personal data of the Data Subjects is ensured. 

Some recipients of personal data may have their registered office or place of business in a third country. In such cases, the personal data is transferred to such a country and the personal data is processed in accordance with adequacy decisions or standard contractual clauses.

Currently, the Controller does not transfer any personal data of Data Subjects to any third countries or international organisations.

When processing the personal data of Data Subjects, automated individual decision-making, including profiling, is not used.