Privacy Policy
Preamble
These Personal Data Processing Principles (hereinafter "Principles") contain information on the processing of personal data (hereinafter "PD") of data subjects by ARMITAS a.s. in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR or the GDPR Regulation), Act No. 18/2018 Coll. on the Protection of Personal Data.
These Principles fulfil the information obligation pursuant to Art. 13 and Art. 14 of the GDPR and apply to all personal data processed in connection with visiting the website www.armitas.sk, entering into contractual relationships, the GDPR agenda, recruitment procedures, and communication on social networks.
Data subjects: website visitors; contractual partners / suppliers; clients / prospective clients; persons using the contact form; persons in relation to the GDPR agenda; job applicants; visitors of social media profiles.
ARMITAS a.s.
Plynárenská 5944/7A, 821 09 Bratislava – Ružinov
Municipal Court Bratislava III, Section: Sa, File No. 7886/B
- Company ID
- 57 370 842
- Tax ID / VAT ID
- 2122700668 / SK2122700668
- info@armitas.sk
- Web
- www.armitas.sk
Website and online tools
Responding to messages and handling inquiries
| Categories of data | Name and surname, e-mail address, message text |
| Purpose | Handling the inquiry, answering questions, establishing business contact |
| Legal basis | Art. 6(1)(f) GDPR – legitimate interest of the Controller (proper conduct of business communication, client acquisition); or Art. 6(1)(b) GDPR in pre-contractual negotiations |
| Retention period | 30 days from receipt or until the matter is resolved, whichever is earlier; upon entering into a contractual relationship, further according to the Clients section |
| Recipients | Authorised employees; Webnode platform (processor) |
| Categories of data | IP address (anonymised), device and browser type, pages visited, time on page, pseudonymised identifiers (cookie _ga, _gid, _ga_*) |
| Purpose | Statistical analysis of website traffic, measuring content performance, improving the website |
| Legal basis | Art. 6(1)(a) GDPR – consent via cookie banner |
| Retention period | 2 years (cookie _ga) · 24 hours (cookie _gid) · data in GA4: 14 months |
| Recipients / transfer | Transfer of personal data of Google LLC to the USA is governed by the Commission Implementing Decision (EU) 2023/1795 |
You may withdraw or change your consent at any time via the cookie banner in the footer of the website.
| Categories of data | Pseudonymised click identifier (GCLID), IP address (cookie _gcl_aw, _gcl_ls, _gac_*) |
| Purpose | Measuring advertising campaign effectiveness, remarketing, conversion attribution |
| Legal basis | Art. 6(1)(a) GDPR – consent |
| Retention period | 90 days (cookies _gcl_aw, _gcl_ls, _gac_*) |
| Recipients / transfer | Transfer of personal data of Google LLC to the USA is governed by the Commission Implementing Decision (EU) 2023/1795 |
| Categories of data | Session identifier (PHPSESSID), cookie banner setting (wnd_cookie_bar), preferred language |
| Purpose | Ensuring website functionality, session management, storing language preferences |
| Legal basis | Art. 6(1)(f) GDPR – legitimate interest |
| Retention period | Until end of browser session or max. 1 year |
| Recipients | Webnode platform (technical infrastructure processor) |
Security measures (Art. 25 and Art. 32 GDPR)
- Secured communication via HTTPS protocol (TLS encryption)
- Technical cookies with
Secure,HttpOnlyandSameSite=Laxattributes - Pseudonymisation and anonymisation of analytical data (IP address anonymisation in GA4)
- Restricted access to PD only for authorised employees (need-to-know principle)
- Regular review and update of security measures
Company agenda and contractual relationships
Procurement of goods, services and works
| Legal basis | Art. 6(1)(b) GDPR – performance of contract / pre-contractual relations Art. 6(1)(f) GDPR – legitimate interest (identification of persons, communication) |
| Scope of data | Title, name, surname, address, bank details, contact details, Company ID, Tax ID |
| Retention period | 1 year from first contact with the prospective supplier |
Execution of supplier relationships
| Legal basis | Art. 6(1)(b) GDPR – performance of contract Art. 6(1)(f) GDPR – legitimate interest |
| Scope of data | Title, name, surname, position, contact details, handwritten signature, data from powers of attorney and extracts from the Trade Register / Commercial Register |
| Retention period | 10 years from the date of termination of the contractual relationship |
Accounting records
| Legal basis | Art. 6(1)(c) GDPR – legal obligation: Act No. 431/2002 Coll. on Accounting · Act No. 595/2003 Coll. on Income Tax · Act No. 222/2004 Coll. on VAT · Act No. 563/2009 Coll. (Tax Code) · Act No. 513/1991 Coll. (Commercial Code) |
| Scope of data | Personal data in the scope of accounting documents and supporting materials (name, surname, address, bank details, signature on invoices) |
| Retention period | 10 years from the end of the relevant accounting period (§ 35(3) of Act No. 431/2002 Coll.) |
Litigation
| Legal basis | Art. 6(1)(c) GDPR – legal obligation Art. 6(1)(f) GDPR – legitimate interest in enforcing legal claims |
| Scope of data | Name, surname, permanent address, e-mail, phone, signature and other PD obtained during dispute resolution; possibly special categories of PD |
| Retention period | 12 years from the final and binding conclusion of the dispute |
Debt collection
| Legal basis | Art. 6(1)(f) GDPR – legitimate interest in debt collection Art. 6(1)(b) GDPR – subsidiary basis |
| Scope of data | Contact and identification details of the debtor, contract number, and other related data as applicable |
| Retention period | 12 years from the date the claim is extinguished |
Receiving orders and pre-contractual relations
| Legal basis | Art. 6(1)(b) GDPR – performance of contract and pre-contractual relations |
| Scope of data | Title, name, surname, address, contact details (tel., e-mail), bank details, Company ID, registered office, data from Trade Register / Commercial Register |
| Retention period | Until conclusion of the contract or 1 year from the date of receipt of the cooperation / quotation request |
Conclusion and performance of contract
| Legal basis | Art. 6(1)(b) GDPR – performance of contract |
| Scope of data | Title, name, surname, address, contact details, bank details, Company ID, registered office, other data specified in the contract |
| Retention period | 10 years from the date of conclusion of the contract |
Accounting records
| Legal basis | Art. 6(1)(c) GDPR – legal obligation (Act No. 431/2002, 595/2003, 222/2004, 563/2009 Coll.) |
| Scope of data | Personal data in the scope of accounting documents and supporting materials |
| Retention period | 10 years from the end of the relevant accounting period |
Exercising data subject rights
| Legal basis | Art. 6(1)(c) GDPR – legal obligation under the GDPR Regulation |
| Scope of data | PD necessary to identify the data subject and process the request |
| Retention period | 5 years after the request has been processed |
Handling personal data breaches
| Legal basis | Art. 6(1)(c) GDPR – legal obligation under the GDPR Regulation |
| Scope of data | PD affected by the relevant personal data breach |
| Retention period | 5 years from the conclusion of the breach investigation |
Recruitment procedure
| Purpose | Identification of applicants, assessment of conditions, evaluation of candidates, pre-contractual relations |
| Legal basis | Art. 6(1)(b) GDPR – measures prior to entering into a contract |
| Scope of data | Title, name, surname, date of birth, contact details, work experience, education, training, skills, driving licence, information about previous employers |
| Retention period | During the recruitment procedure; for unsuccessful applicants max. 3 months from the end of the recruitment procedure |
Applicant database – with consent
| Purpose | Inclusion in the applicant database for the purpose of being contacted when a suitable vacancy arises |
| Legal basis | Art. 6(1)(a) GDPR – consent of the data subject |
| Scope of data | Name, surname, contact details, CV including attachments (cover letter, certificates, training confirmations) |
| Retention period | For the duration of consent or until its withdrawal, but no longer than 2 years from the date consent was granted |
Consent is voluntary and may be withdrawn at any time at info@armitas.sk.
Social networks
ARMITAS a.s. operates company profiles on Facebook and LinkedIn. When using these platforms, personal data is processed both by the platform operator and by ARMITAS a.s. as the profile administrator.
| Platform operator | LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland |
| Purpose | Company presentation, sharing professional content, establishing business contacts, reach statistics (Page Insights) |
| Legal basis | Art. 6(1)(f) GDPR – legitimate interest (presentation and communication with professional audience) |
| Scope of data | Public profile information, interactions with posts, messages via LinkedIn Messaging, anonymised follower statistics |
| Transfer to third countries | Transfer of personal data of LinkedIn Ireland to the USA is governed by the Commission Implementing Decision (EU) 2023/1795 |
| Joint controllers | ARMITAS, a.s. and LinkedIn Ireland are joint controllers for Page Insights; the joint controller agreement pursuant to Art. 26 GDPR is available here |
| LinkedIn Privacy Policy | linkedin.com/legal/privacy-policy |
| Platform operator | Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland |
| Purpose | Company presentation, communication with the public, reach statistics (Page Insights) |
| Legal basis | Art. 6(1)(f) GDPR – legitimate interest (presentation and communication with the public) |
| Scope of data | Public profile information, interactions with posts, messages via Messenger, anonymised page visitor statistics |
| Transfer to third countries | Meta Ireland may transfer personal data to the USA; the transfer is governed by the Commission Implementing Decision (EU) 2023/1795 |
| Joint controllers | ARMITAS, a.s. and Meta Platforms are joint controllers for Page Insights; the joint controller agreement pursuant to Art. 26 GDPR is available here |
| Meta Privacy Policy | facebook.com/privacy/policy |
Messages and comments on social networks
| Legal basis | Art. 6(1)(f) GDPR – legitimate interest (responding to messages, business communication) |
| Scope of data | Public name / profile, content of the message or comment, and any other information voluntarily provided in the message |
| Retention period | Until the matter is resolved, max. 30 days; content remains on the platform subject to the respective network's terms |
If your message contains sensitive business information, we recommend contacting the Controller directly by e-mail at info@armitas.sk.
Recipients, processors and transfers of PD
Categories of recipients
- Auditors, lawyers and tax advisors
- Courts and law enforcement authorities
- Relevant tax authorities and supervisory bodies
- Other third parties in the enforcement of legal claims
Processors
| Category of processor | Purpose |
|---|---|
| Webnode International Limited (EU/EEA) | Operation of the technical infrastructure of the website |
| Google LLC | Web analytics (GA4), remarketing campaigns (Google Ads), tag management (GTM) |
| IT and hosting service providers | Infrastructure management, e-mail hosting, cloud storage |
| Accounting and payroll service providers | Bookkeeping, payroll agenda |
| Legal service providers | Legal advice, representation |
Meta Platforms and LinkedIn Ireland act as joint controllers (Art. 26 GDPR) in their relationship with ARMITAS, a.s., not as processors.
The Data Processing Amendment (DPA) with Google LLC forms an integral part of the Google Ads and Google Analytics 4 Terms of Service and is available at business.safety.google/adsprocessorterms.
Transfer of PD to third countries
The Controller does not transfer personal data to third countries. The USA has not been a third country since Commission Decision 2023/1795 – the transfer of personal data to the USA is governed by the Commission Implementing Decision (EU) 2023/1795.
The Controller does not sell, exchange or disclose your PD to third parties for their own marketing purposes without your explicit consent.
Rights of data subjects
Right to information
Right to be informed about how your PD is being processed.
Art. 13–14 GDPR
Right of access
Right to obtain access to PD being processed about you.
Art. 15 GDPR
Right to rectification
Right to prompt correction of inaccurate or incomplete PD.
Art. 16 GDPR
Right to erasure
Right to erasure of PD when the purpose has ceased or processing is unlawful.
Art. 17 GDPR
Right to object
Right to object to processing based on legitimate interest, including profiling.
Art. 21 GDPR
Right to restriction
Right to restriction of processing in specific cases.
Art. 18 GDPR
Right to portability
Right to receive PD in a machine-readable format and transfer it to another controller.
Art. 20 GDPR
Withdrawal of consent
Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
Art. 7(3) GDPR
Automated decision-making
The Controller does not carry out profiling or automated decision-making.
Art. 22 GDPR
How to exercise your rights
Submit your request to info@armitas.sk or in writing to the registered office address. The Controller will respond within 30 days of receipt. Exercising rights is free of charge.
Complaint to the supervisory authority
Office for Personal Data Protection of the Slovak Republic
Further information
Source of personal data
The Controller processes PD directly from the data subject. In some cases, the source of PD is contractual parties (statutory representatives, authorised persons). PD may also be obtained from publicly available sources (commercial register, trade register, the contractual partner's website).
Automated decision-making and profiling
The Controller does not use profiling or any form of automated individual decision-making within the meaning of Art. 22 GDPR.
Validity and changes to the Principles
These Principles are valid and effective from 17 March 2026. The Controller reserves the right to update the Principles, in particular in connection with changes in legislation or processing activities. Data subjects will be informed of any changes through the update of the date on this page.