INFORMATION ON THE PROCESSING OF PERSONAL DATA
I.
Policy
1.1
TAMEX, spol. s r.o., with its registered office at Maďarská 23A/710, 851 10 Bratislava, ID No. (IČO): 17319871, registered in the Commercial Register of the Municipal Court of Bratislava III, Section Sro, Insert No. 1222/B (hereinafter referred to as “TAMEX”), as the operator of the NAVCOM TAXI (abbr. NCA TAXI) application designed for mobile devices, in particular smartphones and tablets, through which it is possible to order passenger transport, courier services, to purchase tickets for public transport of selected carriers and to purchase parking tickets (hereinafter referred to as the “Application”), is the controller of the personal data of users obtained through the Application.
1.2
As a personal data controller, TAMEX processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”) and Act No. 18/2018 Coll. on the Protection of Personal Data, as amended. In order to comply with the obligations of the controller under the Regulation, the controller has prepared, in accordance with Articles 13 and 14 of the Regulation, this information on the processing of personal data (hereinafter referred to as “Information”).
1.3
In accordance with Article 37 of the Regulation, TAMEX has appointed a data protection officer who can be contacted at filip.lazistan@tamex.sk.
1.4
TAMEX processes personal data of the following categories of data subjects:
users of the Application who register in the Application as taxi (hereinafter referred to as “NAVCOM TAXI Driver”).
II.
NAVCOM TAXI Drivers
3.1
TAMEX processes the following personal data of NAVCOM TAXI Drivers:
a) vehicle details,
b) current location and activity data via the Application,
c) other data resulting from the documents submitted by the NAVCOM TAXI Driver for the purpose of proving authorisation to carry out business activities and to provide taxi or courier services,
d) other data provided by the NAVCOM TAXI Driver at the request of the data subject within the meaning of the Regulation.
3.2
Data subjects are NAVCOM TAXI Drivers, i.e. persons registered in the Application for the purpose of providing taxi or courier services who have a separate contract with TAMEX or provide taxi or courier services on the basis of an employment or business contractual relationship with the NAVCOM TAXI Driver.
3.3
The legal basis for the processing of personal data is:
a) performance of the contract pursuant to Article 6 (1) (b) of the Regulation, which is an intermediation contract concluded between the NAVCOM TAXI Driver and TAMEX and a contract on the transfer of persons or a contract on the provision of courier services concluded between the User and the NAVCOM TAXI Driver via the Application,
b) legitimate interests pursuant to Article 6 (1) (f) of the Regulation, which are, in particular, checking the fulfilment of legal obligations by NAVCOM TAXI Drivers, improving the functionality of the Application, efficient use of NAVCOM TAXI Drivers according to their current location, ensuring an overview of the NAVCOM TAXI Drivers’ workload and their activity and preventing misuse of the Application.
c) the fulfilment of a legal obligation pursuant to Article 6 (1) (c) of the Regulation, which is the bookkeeping and recording and handling of requests from data subjects within the meaning of the Regulation.
3.4
The purpose of processing the personal data of NAVCOM TAXI Drivers is to mediate the offer of NAVCOM TAXI Drivers to conclude a contract on the transport of persons (taxi services) or a contract on the provision of courier services through the Application to Users, processing payments from Users and sending them to NAVCOM TAXI Drivers, ensuring the functionality and efficiency of the Application, checking the performance of the obligations of HOIPIN Drivers, recording data on the drives made, and issuing invoices for the commission and bookkeeping.
3.5
TAMEX does not process special categories of personal data within the meaning of Article 9 of the Regulation.
3.6
The processed personal data and other data of NAVCOM TAXI Drivers, together with the evaluation of NAVCOM TAXI Drivers made by Users via the Application, is subject to automated individual decision-making. Automated individual decision-making is used to selectively display User orders to individual NAVCOM TAXI Drivers. The automated individual decision-making uses, in particular, data on the current location of the NAVCOM TAXI Driver, the rating of the NAVCOM TAXI Driver in the Application, previous orders, in particular the proportion of orders received and any cancellation of orders, vehicle type, or provision of additional services. Automated individual decision-making results in the selective display of Users’ orders to individual NAVCOM TAXI Drivers and, in cases of a poor NAVCOM TAXI Driver rating or a high proportion of unaccepted orders, also partial or complete restriction of order display.
3.7
TAMEX do not provides the any data of NAVCOM TAXI Drivers to the 3rd parties.
3.8
Public authorities which may receive personal data in the context of a specific survey in accordance with EU or Member State law are not considered to be recipients and will therefore not be mentioned here as recipients.
3.9
Personal data is processed primarily in EU Member States. TAMEX does not intend to transfer personal data to a third country or international organisation. However, TAMEX may, if necessary, transfer personal data to a third country or international organisation on the basis of adequacy decisions in accordance with Article 45 of the Regulation, or upon receipt of adequate safeguards pursuant to Article 46 of the Regulation, and provided that the data subjects have enforceable rights and effective legal remedies or in the case of exceptions under Article 49 of the Regulation. In the event of a transfer of personal data to a third country or international organisation, TAMEX is obliged to inform the data subject thereof.
3.10
NAVCOM TAXI Drivers’ data is stored only for as long as necessary to fulfil the purpose of personal data processing:
a) in the case of personal data processed for the purpose of registration in the Application, the personal data is stored for the period of the registration in the Application and is subsequently deleted without delay unless the same personal data is processed simultaneously for another purpose,
b) in the case of personal data processed for the purpose of concluding a contract on the transport of persons (taxi service) and a contract on the provision of courier services, the personal data is stored for the period necessary to fulfil the purpose (provision of taxi or courier service) and is subsequently recorded in the NAVCOM TAXI Driver Account for the duration of the NAVCOM TAXI Driver Account, including through the NAVCOM TAXI Driver’s order history; however, the shortest period of time the personal data is recorded equals the duration of the limitation period arising from the taxi or courier service ordered,
c) in the case of personal data necessary for bookkeeping, the personal data is recorded for the period required by generally binding legal regulations for accounting and tax documents,
d) in the case of personal data processed for the purpose of processing and recording requests from data subjects to exercise their rights under the Regulation, the personal data is stored for a maximum period of one year after the date of processing of the request and is deleted thereafter.
3.11
The EU digital COVID card is processed on the legal basis of the data subject’s consent.
V.
Processing of personal data for marketing purposes
5.1
TAMEX also processes Users’ personal data for marketing purposes, namely the following categories of personal data:
a) form of addressing,
b) first and last name,
c) age,
d) e-mail address.
5.2
The legal basis for the processing of personal data for marketing purposes is the consent of the data subject within the meaning of Article 6 (1) (a) of the Regulation.
5.3
Data subjects are Users of the Application who give TAMEX their consent to the processing of personal data for marketing purposes.
5.4
The purpose of the processing of personal data is to carry out TAMEX’s marketing campaigns, including the sending of e-mails, and to tailor and improve marketing campaigns for target groups.
5.5
TAMEX does not process special categories of personal data within the meaning of Article 9 of the Regulation. Users’ personal data may be subject to profiling the purpose of which is to tailor the marketing messages sent to the User. For this purpose, the User’s personal data may be considered in aggregate and the User may be placed in a marketing category on the basis of the personal data processed. The results of profiling are used exclusively for marketing purposes.
5.6
Personal data is processed primarily in EU Member States. TAMEX does not intend to transfer personal data to a third country or international organisation. However, TAMEX may, if necessary, transfer personal data to a third country or international organisation on the basis of adequacy decisions in accordance with Article 45 of the Regulation, or upon receipt of adequate safeguards pursuant to Article 46 of the Regulation, and provided that the data subjects have enforceable rights and effective legal remedies or, in the case of exceptions under Article 49 of the Regulation. In the event of a transfer of personal data to a third country or international organisation, TAMEX is obliged to inform the data subject thereof.
5.7
Personal data is retained during the period of the User’s registration in the Application or until the User’s consent to the processing of personal data for marketing purposes is withdrawn, whichever is earlier.
5.8
The User has the right to withdraw consent to the processing of personal data for marketing purposes at any time by sending an e-mail to filip.lazistan@tamex.sk. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to the withdrawal of consent.
VI.
Corporate customers
6.1
A corporate customer is a natural person who, on the basis of an employment relationship or other similar relationship with the company (employer), orders passenger transport (taxi service) or courier services through an established corporate portal in the Application, in the name and on behalf of the company (employer) with which TAMEX has a special contract.
6.2
Personal data is processed primarily in EU Member States. TAMEX does not intend to transfer personal data to a third country or international organisation. However, TAMEX may, if necessary, transfer personal data to a third country or international organisation on the basis of adequacy decisions in accordance with Article 45 of the Regulation, or upon receipt of adequate safeguards pursuant to Article 46 of the Regulation, and provided that the data subjects have enforceable rights and effective legal remedies or, in the case of exceptions under Article 49 of the Regulation. In the event of a transfer of personal data to a third country or international organisation, TAMEX is obliged to inform the data subject thereof.
6.3
Personal data is processed for the period of registration of the corporate customer within the established corporate portal in the Application and it is subsequently stored for no longer than during the limitation period for rights arising from the provided passenger transport services (taxi services) and courier services.
VII.
Technical data
7.1
When using the Application, TAMEX collects technical data from Users, namely:
a) type and model of mobile device,
b) unique mobile device identifier uuid,
c) identification of the operating system of the mobile device,
d) information on how to use the Application.
7.2
The technical data collected may be considered personal data of Users. The purpose of processing technical data is to ensure the functionality of the Application, improve the functionality of the Application, check compliance with the terms of use of the Application, obtain data for further development of the Application, obtain data on the use of the Application and protect against misuse of the Application. The legal basis for processing is the legitimate interests of TAMEX in accordance with Article 6 (1) (f) of the Regulation which are to ensure the functionality of the Application, improve the functionality of the Application, check compliance with the terms of use of the Application, obtain data for further development of the Application, obtain data on the use of the Application and protect against misuse of the Application. The subject of processing is not special categories of personal data within the meaning of Article 9 of the Regulation. The technical data collected may be used for profiling, the sole purpose of which is to better tailor marketing campaigns and marketing offers to Users.
7.3
The User is entitled to block the sending of push notifications at any time on his/her mobile device; however, the User acknowledges that some functions and notifications may be fully or partially restricted.
7.4
Personal data is processed primarily in EU Member States. TAMEX does not intend to transfer personal data to a third country or international organisation. However, TAMEX may, if necessary, transfer personal data to a third country or international organisation on the basis of adequacy decisions in accordance with Article 45 of the Regulation, or upon receipt of adequate safeguards pursuant to Article 46 of the Regulation, and provided that the data subjects have enforceable rights and effective legal remedies or, in the case of exceptions under Article 49 of the Regulation. In the event of a transfer of personal data to a third country or international organisation, TAMEX is obliged to inform the data subject thereof.
7.5
Personal data is recorded for a maximum period of two years after the date of acquisition.
VIII.
Rights of the data subject
8.1
The data subject has the following rights in relation to the processing of personal data:
a) the right of access to data pursuant to Article 15 of the Regulation – the data subject has the right to obtain confirmation from us as to whether personal data relating to the data subject are processed by us and, if so, the data subject has the right to be informed of the purpose of the processing, the categories of personal data processed, the recipients of the personal data and the duration of their retention. We are obliged to provide a copy of the personal data we process to the data subject upon request. We are entitled to charge a reasonable fee corresponding to the administrative costs for any additional copies requested by the data subject. Where a request is made by electronic means, the information shall be provided to the data subject in a commonly used electronic format, unless the data subject explicitly requests a different means of provision;
b) the right of rectification pursuant to Article 16 of the Regulation – the data subject has the right, at the request of the data subject, to have inaccurate personal data relating to the data subject rectified without undue delay. With regard to the purposes of the processing of personal data, the data subject also has the right to have incomplete personal data completed;
c) the right to erasure (“the right to be forgotten”) pursuant to Article 17 of the Regulation – the data subject has the right to erasure of personal data relating to the data subject and we are obliged to erase such personal data without delay if one of the following grounds is met:
1. the personal data is no longer necessary for the purposes for which it was processed,
2. the data subject withdraws their consent to the processing of personal data, insofar as it is the legal basis for the processing of personal data,
3. the data subject objects to the processing of personal data pursuant to Article 21 (1) of the Regulation and there are no overriding legitimate grounds for processing, or objects to the processing of personal data pursuant to Article 21 (2) of the Regulation,
4. the personal data was processed unlawfully,
5. the personal data must be erased in order to comply with a legal obligation under EU or Member State law;
d) the right to restriction of processing pursuant to Article 18 of the Regulation – the data subject has the right to have us restrict the processing of personal data if:
1. the data subject contests the accuracy of the personal data during the verification of its accuracy,
2. the personal data was processed unlawfully and, instead of erasure, the data subject requests restriction of its use,
3. we no longer need the personal data for the purposes of the processing, but the data subject needs it to establish, exercise or defend legal claims,
4. the data subject objects to the processing of personal data pursuant to Article 21 (1) of the Regulation, pending verification that the legitimate grounds on our side outweigh the legitimate grounds of the data subject;
e) the right to data portability pursuant to Article 20 of the Regulation – the data subject has the right to obtain the personal data provided to us on a legal basis pursuant to Article 6 (1) (a) or (b) of the Regulation (consent of the data subject or performance of a contract) concerning the data subject and transfer it to another controller. The data subject has the right to transfer the personal data to another controller only insofar as this is technically possible;
f) the right to object pursuant to Article 21 of the Regulation – the data subject has the right to object, on grounds relating to a particular situation, to processing of personal data carried out on a legal basis pursuant to Article 6 (1) (f) of the Regulation (legitimate interest). In the event of such objection by the data subject, we may no longer process the personal data unless we demonstrate compelling legitimate grounds for its processing or for establishing, exercising or defending legal claims;
g) the right to lodge a complaint – if the data subject considers that we have breached data protection legislation, he/she may lodge a complaint with the supervisory authority, which is:
Úrad na ochranu osobných údajov
Hraničná 12
820 07 Bratislava
e-mail address: statny.dozor@pdb.gov.sk
website: http://www.dataprotection.gov.sk/
8.2
The rights of the data subject may be exercised by sending a request to filip.lazistan@tamex.sk or in writing to the Company’s address: TAMEX, spol. s r.o., Maďarská 23A/710, 851 10 Bratislava.