Personal Data Protection

1. GENERAL INFORMATION

Information about the Controller

The controller of personal data is Benefit Systems Slovakia s.r.o., with its registered office at Prievozská 14, 821 09 Bratislava, Slovak Republic, Company ID No.: 48 059 528, registered in the Commercial Register of the Municipal Court Bratislava III, Section: Sro, Insert No.: 102826/B (hereinafter referred to as “Benefit Systems”, “we”, the “Company” or the “controller”).

Benefit Systems attaches great importance to the protection of personal data and therefore takes all appropriate care to ensure that your personal data is processed in accordance with the applicable laws of the Slovak Republic, including Act No. 18/2018 Coll. on Personal Data Protection, as amended (the “Act”), and the laws of the European Union, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “Regulation”), and, where applicable, other laws and regulations relevant to a specific processing activity.

How can you contact us regarding the processing of personal data?

If you do not find answers to your questions concerning the protection of your personal data, you may contact us in any of the following ways:

• by post sent to: Benefit Systems Slovakia s.r.o., Prievozská 14, 821 09 Bratislava, Slovak Republic, with the envelope marked “Personal Data”
• or by contacting the Company’s Data Protection Officer by email at dpo@multi-sport.sk.

You may also use the above contact details to exercise your rights as a data subject in relation to our Company and, where applicable, if you wish to withdraw your consent to the processing of your personal data granted to our Company.

What is the purpose of this Information?

On this page, we provide data subjects with more detailed information about the processing of personal data by the Company as the controller of personal data (hereinafter the “Information”), in particular about the categories of data subjects whose personal data the Company processes, the legal basis and purpose of such processing, the recipients of personal data, and related matters. The purpose of this Information is also to inform data subjects of their rights.

The Information is divided into General Information and specific information for selected categories of data subjects. Please note that, in addition to the specific information, the General Information also applies to the data subject whose data is processed by the Company.

Not all categories of data subjects whose personal data the Company processes, nor all processing purposes, are listed below. For more information about the processing of personal data, please do not hesitate to contact us. The contact details are provided above in the General Information section.

Who is the information contained in this document intended for?

This document is intended primarily for the following persons:

• our clients, partners and other natural or legal persons cooperating with us, including cases where the cooperation has not yet been formally established (potential clients, partners and other contractual parties), as well as cases where the cooperation has already ended (former clients, partners and other contractual parties), and also persons acting on behalf of such persons (statutory bodies, employees and other representatives)
• applicants for employment with our Company
• users of MultiSport cards
• visitors to our websites and social media profiles

What do the terms defined in this document mean?

“MultiSport Programme” means the set of products and services provided by third parties – Partners, which Benefit Systems enables Card Users to use for the duration of the agreement with the Client. The current overview of products and services included in the MultiSport Programme can be found on the website https://multi-sport.sk in the Activities and Places section.

“MultiSport card” or simply “Card” means a MultiSport card issued by Benefit Systems or another company within the Benefit Systems Group abroad, entitling its holder, the Card User, to use products and services within the MultiSport Programme.

“Client” means a company that provides its Employees and, where applicable, their close persons, with a benefit in the form of access to products and services within the MultiSport Programme.

“Partner” means a self-employed natural person or a legal entity operating a Partner Facility, which cooperates with Benefit Systems and provides, to that extent, services of its sports and/or relaxation facilities or enables Card Users to use such services. For the purposes of this Information, Partner shall also mean a foreign self-employed natural person or legal entity operating a partner facility and having a contractual relationship with the relevant Benefit Systems Group company in that country, whose services are included in the offer of international visits; such entity may be a recipient of personal data to the extent necessary for the provision of such services.

The Benefit Systems Group includes the following foreign companies:

• Benefit Systems S.A. (Poland)
• Benefit Systems d.o.o. (Croatia)
• Benefit Systems Bulgaria OOD (Bulgaria)
• Benefit Systems Spor Hizmetleri Limited Şirketi (Turkey)

A virtual card issued in any of these countries enables international visits within the entire Benefit Systems Group, and its use is governed by the terms and conditions of the company that issued the card.

Other terms used in this Information, such as “Partner Facility”, “User”, “Employee”, “Accompanying Person” and “Child”, shall have the meanings set out in the Terms of Use of MultiSport Programme Cards, available on the website multi-sport.sk.

What does the term personal data mean?

Personal data means any information relating to an identified or identifiable natural person (e.g. name and surname, residence, email address, MultiSport card number and data relating to its use, IP address).

What does the term processing of personal data mean?

Processing of personal data means any activity or operation involving personal data (e.g. collection, storage, transfer, erasure or analysis). Our aim is to maintain transparency regarding both the legal basis and the method of processing personal data. Our principle is to collect and process personal data only where necessary to achieve a specific processing purpose. We only request you to provide data where necessary.

Is the provision of personal data mandatory? What are the consequences of failing to provide it?

Where one of the legal bases listed below applies, the provision of personal data is necessary in order for us to fulfil our obligations or provide the services for which the data is intended. Without such data, the purpose of processing cannot be achieved, i.e. the provision of the data is mandatory — if you do not provide the personal data, it may not be possible to conclude a contract, handle your request or comply with legal obligations.

In particular, the following legal bases apply:

• compliance with a legal obligation (Article 6(1)(c) GDPR)
• performance of a contract or taking steps prior to entering into a contract (Article 6(1)(b) GDPR)
• legitimate interest of the controller (Article 6(1)(f) GDPR), where processing is necessary for the protection of rights or the proper provision of a service (as a data subject, you have the right to object at any time to processing based on legitimate interest; however, if, as controller, we assess the objection as unfounded due to overriding legitimate grounds or the need for processing for legal claims, the processing may continue)

Where the legal basis listed below applies, the provision of data is voluntary, i.e. you may provide or not provide your data, and you may withdraw your consent at any time, but this may affect the quality or scope of the services provided:

• consent of the data subject (Article 6(1)(a) GDPR)

In the tables below, you can easily navigate according to the legal bases — each processing purpose is assigned to the relevant legal basis, so it will be clear whether the provision of data is mandatory or voluntary.

Provision of personal data by other natural persons

If personal data is provided to us by a natural person other than the data subject, the provider of such data confirms that they have obtained the consent of the data subject whose data is being provided for the processing of their personal data under these terms in accordance with Section 78(6) of the Act.

Who are the recipients of personal data?

Recipients of personal data to whom personal data of data subjects may be disclosed include:

1. Partners, who, in accordance with the Terms of Use of the MultiSport card, primarily verify whether you are an authorised holder of a MultiSport card by checking your identity document and, through our devices (or written forms), record data related to the use of your MultiSport card. We then use this data mainly for invoicing purposes (i.e. accounting administration). The current list of Partners is available on www.multi-sport.sk in the Activities and Places section.
2. External advisers, i.e. companies providing us with legal, consulting, auditing and other similar services.
3. External suppliers, who provide certain services for us, in particular accounting, marketing and IT services.
4. Entities to which we are required to disclose data under applicable law (state administration authorities and other public authorities).

As we operate within a group structure, recipients of your personal data also include:

• Direct business partners of the Company, namely MultiSport Benefit, s.r.o., with its registered office at Lomnického 1705/9, 140 00 Prague 4, Czech Republic, Benefit Systems International S.A., 00-844 Warsaw, Ul. Skierniewicka 16/20, Warsaw (01-230), Poland, Benefit Systems S.A., Plac Europejski 2, 00-844 Warsaw, Poland (hereinafter the “Direct Business Partners”, and the companies belonging to this group also referred to as the “Group”);
• in the case of international visits, companies belonging to the Benefit Systems Group acting as independent controllers;
• Pre-approved subcontractors of the Company, namely BMS sp. z o.o., Al. Słowiańska 10 B, 01-695 Warsaw, Poland, Primaris Sp. z o.o. Sp. k., ul. Bukowińska 22B, 02-703 Warsaw, Poland, Betacom S.A., ul. Połczyńska 31 A, 01-377 Warsaw, Poland, Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland, Sii Sp. z o.o., Al. Niepodległości 69, 02-626 Warsaw, Poland (hereinafter the “Pre-approved Subcontractors”).

Companies established in third countries

As a rule, the Company does not transfer personal data to third countries (i.e. countries outside the European Union and the European Economic Area – EEA). However, some companies with which we cooperate are established in third countries. In such cases, we carry out such transfers in accordance with the conditions laid down in the Regulation, in particular where the European Commission has decided that the relevant third country ensures an adequate level of protection of personal data, or where appropriate safeguards are provided, for example by entering into standard contractual clauses adopted by the European Commission.

In our case, such companies include:

• Formstack, LLC, 11671 Lantern Rd., Ste. 300, Fishers, Indiana 46038, United States of America (hereinafter “Formstack”),
• Twilio Inc., 375 Beale Street, Suite 300, San Francisco, California 94105, United States of America (hereinafter “Twilio”),
• The Rocket Science Group LLC d/b/a MailChimp, Ponce City Market, 675 Ponce De Leon Ave NE E178, Atlanta, GA 30308, United States of America,
• Benefit Systems Spor Hizmetleri Limited Şirketi (Turkey), Sultan Selim Mah. Hümeyra Sk. NEF 09 Sitesi B Blok No:7 İç Kapı No: 82, 34400 Kağıthane/İstanbul.

and possibly others, if they are listed under specific processing purposes in this Information or if we have informed you about them separately in another way.

DO WE CARRY OUT AUTOMATED DECISION-MAKING AND PROFILING?

The Company does not process personal data based on automated individual decision-making, does not carry out profiling, and does not provide information society services within the meaning of Article 8(1) of the Regulation and Section 15(1) of the Act.

WHAT RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA THAT WE PROCESS?

In connection with the processing of personal data, the data subject has in particular the following rights:

Right of access to personal data

You have the right to obtain confirmation as to whether or not your personal data is being processed. If the Company processes your personal data, you have the right to obtain, in particular, the following information: the categories of personal data processed, the purposes of processing, the retention period of the personal data (or, if this is not possible, the criteria used to determine such period), the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in a third country or international organisation, and, where possible, information about the source of the personal data if it was not obtained directly from the data subject.

Right to rectification of personal data

You have the right to have inaccurate or outdated personal data concerning you corrected, or incomplete personal data completed.

Right to erasure of personal data

You have the right to have your personal data erased if:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• you withdraw your consent on which the processing is based and there is no other legal basis for the processing;
• you raise a justified objection to processing carried out on the basis of the Company’s legitimate interest;
• the personal data is being processed unlawfully; or
• erasure is required for compliance with a legal obligation under Union or Member State law to which the controller is subject.

Right to restriction of processing

You have the right to restriction of the processing of your personal data if:

• you contest the accuracy of the personal data processed (processing will then be restricted for a period enabling the controller to verify the accuracy of the personal data);
• the processing of personal data is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
• we no longer need the personal data for the purpose of processing, but you require it for the establishment, exercise or defence of legal claims; or
• you object to the processing of personal data on the basis of the controller’s legitimate interest, pending verification of whether the controller’s legitimate grounds override your own.

In such a case, we will no longer process your personal data, or we will restrict such processing, unless we are able to demonstrate compelling legitimate grounds for the processing or the necessity of the processing for the establishment, exercise or defence of legal claims, the protection of persons, or reasons of public interest.

Right to data portability

Where the Company processes your personal data on the basis of your consent or for the performance of a contract, and such processing is carried out by automated means, you have the right to obtain your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller. You may also request that we transmit such personal data directly to another controller, where technically feasible. The exercise of the right to data portability does not affect the right to erasure of personal data.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data carried out on the basis of the controller’s legitimate interest. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing is necessary for the establishment, exercise or defence of legal claims.

You also have the right to object at any time to the processing of your personal data for direct marketing purposes. If you object to such processing, your personal data will no longer be processed for direct marketing purposes.

Right to withdraw consent to the processing of personal data

Where your personal data is processed on the basis of consent, you have the right to withdraw such consent at any time. If you wish to withdraw your consent to the processing of personal data, simply contact us using any of the methods specified in the introduction to this Information.

If you wish to unsubscribe from a newsletter, you may do so by clicking the unsubscribe link in the email message we have sent to you.

Where the legal basis for the processing of your personal data is consent, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint

You have the right to file a complaint with the Office for Personal Data Protection of the Slovak Republic if you believe that the processing of your personal data breaches the obligations laid down by personal data protection legislation, in particular the Regulation and the Act.

The supervisory authority responsible for personal data protection is the Office for Personal Data Protection of the Slovak Republic, with its registered office at Námestie 1. Mája 18, 811 06 Bratislava, Slovak Republic, https://www.dataprotection.gov.sk/. Section 100 of the Act sets out the requirements for such a complaint and the procedure followed by the Office when handling it.

2. SPECIFIC INFORMATION FOR CLIENTS, PARTNERS, SUPPLIERS AND OTHER BUSINESS PARTNERS

How did we obtain your personal data?

We have obtained your personal data through various communication channels depending on the type of cooperation with our Company. If you did not provide your personal data directly to us, we obtained it in one of the following ways:

• from the Partner, Client or contractual party (hereinafter the “Contractual Party” or “Business Partner”) on whose behalf you act (i.e. you are a statutory body, employee or other representative);
• from the websites of the Business Partner on whose behalf you act and from other publicly available sources (e.g. the Commercial Register, the ARES application, the FinStat database).

If personal data is provided to us by a person other than the data subject, the provider confirms that they have obtained the consent of the data subject whose data is being provided for the processing of their personal data under these terms in accordance with Section 78(6) of the Act.

What is the purpose, legal basis, retention period and who are the recipients of personal data?

No.	Purpose of processing	Categories of personal data	Legal basis for processing	Data subjects	Retention period	Recipients
1.	Communication with a Business Partner who is a natural person	Basic identification and contact data	Performance of a contract (Article 6(1)(b) of the Regulation)	Natural person who is a contractual party of the Company	5 years after the end of the cooperation	a) entities to whom the controller discloses data under applicable law, Direct Business Partners and Pre-approved Subcontractors, External Advisers, processor providing IT services to the Company, and depending on the chosen communication method, possibly also: b) Formstack (USA), if you contact us through contact forms available on our website
2.	Communication with Business Partners and prospective Business Partners	Basic identification and contact data	Legitimate interest (Article 6(1)(f) of the Regulation). The legitimate interest consists in the processing of personal data of natural persons acting on behalf of Business Partners in order to ensure the valid conclusion of a contract and its proper and efficient performance, or consent (Article 6(1)(a) of the Regulation)	Person acting on behalf of a Business Partner (in particular a statutory body or employee)	5 years following the year in which the communication ended; 3 years from the granting of consent or until its withdrawal	Entities to whom the controller discloses data under applicable law, Direct Business Partners and Pre-approved Subcontractors, External Advisers, processor providing IT services to the Company, and depending on the chosen communication method, possibly also: Formstack (USA), if you contact us through contact forms available on our website
3.	Satisfaction and needs surveys	Basic identification and contact data	Legitimate interest (Article 6(1)(f) of the Regulation). The legitimate interest consists in assessing the satisfaction of Business Partners, improving the Company’s reputation and thereby strengthening its business results and improving its services	Business Partners, person acting on behalf of a Business Partner	3 years from the date on which the survey is carried out	Direct Business Partners, processor arranging the survey
4.	Accounting agenda	Identification and billing data	Article 6(1)(c) of the Regulation – processing is necessary for compliance with the controller’s legal obligation (Act No. 431/2002 Coll. on Accounting, Act No. 222/2004 Coll. on Value Added Tax, Act No. 595/2003 Coll. on Income Tax, and related legal regulations)	Business Partners, persons acting on behalf of a Business Partner, in certain cases Users (in particular for accounting based on emergency forms), and other persons whose personal data forms part of accounting records	For the period required by the applicable legal regulations governing document retention (10 years following the year to which the documents relate)	Entities to whom the controller discloses data under applicable law, Direct Business Partners and Pre-approved Subcontractors, External Advisers, processor providing accounting services to the Company, Twilio Inc. (USA)
5.	Registry administration and archiving	Data contained in individual documents; in particular identification and contact data and data resulting from contracts, invoices, correspondence and other documents	Article 6(1)(c) of the Regulation – processing is necessary for compliance with the controller’s legal obligation (Act No. 395/2002 Coll. on Archives and Registries, Act No. 305/2013 Coll. on e-Government, and related legal regulations)	Persons whose data appears in the records (natural persons – recipients and senders of correspondence, Business Partners and other persons identified in documents)	For the period necessary to fulfil the purpose, or for the period required by law (in the case of ordinary correspondence, 10 years following the year in which the record was created)	Entities to whom the controller discloses data under applicable law, Direct Business Partners and Pre-approved Subcontractors, External Advisers
6.	Establishment and defence of the Company’s legal claims	In particular identification and contact data and data related to the subject matter of the legal claim (in particular data from contracts, communications or financial records)	Article 6(1)(c) of the Regulation – processing is necessary for compliance with the controller’s legal obligation (Act No. 162/2015 Coll. Administrative Judicial Procedure Code, Act No. 160/2015 Coll. Civil Dispute Procedure Code, Act No. 301/2005 Coll. Criminal Procedure Code, Act No. 233/1995 Coll. Enforcement Procedure Code, Act No. 7/2005 Coll. on Bankruptcy and Restructuring, and related legal regulations)	Parties to disputes, participants in proceedings and other persons involved (which may also include Users where this concerns the recovery of unpaid remuneration from the Client)	For the duration of statutory limitation and preclusive periods, or until the legal claim pursued in the relevant judicial or out-of-court proceedings has been settled, for a maximum of 10 years after the end of the relevant proceedings	Entities to whom the controller discloses data under applicable law, Direct Business Partners and Pre-approved Subcontractors, External Advisers, External Suppliers
7.	Marketing activities in relation to Business Partners	Basic identification and contact data	Legitimate interest (Article 6(1)(f) of the Regulation). The legitimate interest consists in the processing of personal data of natural persons acting on behalf of Business Partners in order to keep them informed about the Company’s activities, in particular by sending brochures, newsletters, information about new products, events, discounts, offers and similar communications, together with Article 6(1)(c) of the Regulation and Section 62(3) of Act No. 351/2011 Coll. on Electronic Communications	Business Partners, persons acting on behalf of a Business Partner	Until objection is raised (unsubscribe), but no later than until the end of the cooperation	Entities to whom the controller discloses data under applicable law, Direct Business Partners and Pre-approved Subcontractors, processor arranging the Company’s marketing activities, company arranging the sending of marketing communications
8.	Internal administrative purposes within the Group	Basic identification and contact data and other personal data necessary for the coordination, management and support of internal processes within the Group	Legitimate interest (Article 6(1)(f) of the Regulation). The legitimate interest consists in the disclosure of personal data within the Group in which the Company operates for internal administrative purposes and to streamline internal processes	Business Partners, persons acting on behalf of a Business Partner	For as long as the Company remains within the Group	Entity to whom the controller discloses personal data under applicable law, Direct Business Partners, Pre-approved Subcontractors
9.	Exercise of data subject rights	Identification and contact data and data contained in the request itself	Article 6(1)(c) of the Regulation – processing is necessary for compliance with the controller’s legal obligations arising from the Regulation, the Act and related legal regulations	Natural persons exercising their data subject rights	5 years following the year in which the request was handled or otherwise concluded	a) entity to whom the controller discloses personal data under applicable law, Direct Business Partners and Pre-approved Subcontractors, and depending on the chosen communication method, possibly also: b) Formstack (USA), if you contact us through contact forms available on our website

In which cases do we transfer personal data to third countries?

The Company transfers personal data to third countries in the following cases:

• accounting agenda, to the extent of the email address to which the Company sends the Client an invoice for payment of remuneration for the MultiSport Programme, to the USA, where we use the services of Twilio Inc.
• communication with a Business Partner who is a natural person
• communication with Business Partners and prospective Business Partners

Items (ii) and (iii) apply where you contact us through one of the contact forms available on our website, the functionality of which is provided through the services of Formstack, based in the USA.

3. SPECIFIC INFORMATION FOR JOB APPLICANTS

How did we obtain your personal data?

We have obtained your personal data through various communication channels depending on the way contact with our Company was established. If you did not provide your personal data directly to us (e.g. by sending your CV), we obtained it through a recruitment agency to which you had provided your personal data.

Where the legal basis for the processing of your personal data is consent, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

What is the purpose, legal basis, retention period and who are the recipients of personal data?

No.	Purpose of processing	Categories of personal data	Legal basis for processing	Data subjects	Retention period	Recipients
1.	Recruitment process	Identification data, contact data, data relating to qualifications and professional experience, data arising from the recruitment process, and other data voluntarily provided by the applicant	Article 6(1)(b) of the Regulation – processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; consent (Article 6(1)(a) of the Regulation)	Job applicants and persons interested in work under agreements for work performed outside an employment relationship	For the duration of the recruitment process and, in the case of the selected candidate, until the conclusion of the contract; 3 years from the granting of consent or until its withdrawal	Entity to whom the controller discloses personal data under applicable law, Direct Business Partners, Pre-approved Subcontractors, processors (Alma Career, s.r.o. and the company ensuring the external candidate selection process – recruitment agencies)
2.	Exercise of data subject rights	Identification and contact data and data contained in the request itself	Article 6(1)(c) of the Regulation – processing is necessary for compliance with the controller’s legal obligations arising from the Regulation, the Act and related legal regulations	Natural persons exercising their data subject rights	5 years following the year in which the request was handled or otherwise concluded	Entity to whom the controller discloses personal data under applicable law, Direct Business Partners, Pre-approved Subcontractors, and depending on the chosen communication method, possibly also: Formstack (USA), if you contact us through contact forms available on our website

We do not process and do not request special categories of personal data or personal identification numbers. Likewise, we do not require you to provide your photograph.

In which cases do we transfer personal data to third countries?

The Company transfers personal data to the USA in the case of the purpose exercise of data subject rights, where you contact us through one of the contact forms available on our website, as the functionality of this service is provided through the services of Formstack, based in the USA.