Home/Privacy Policy

Privacy Policy

Data Protection Policy

Introduction: The Protection of Natural Persons’ Rights Regarding Personal Data Processing

Why is this data protection notice provided?

In the course of its business, the Data Controller processes personal data for various objectives, consistently upholding the rights of the individuals concerned (data subjects) and complying with all legal mandates. The Data Controller deems it crucial to inform the data subject about the handling and key characteristics of the personal data acquired during its processing activities.

What is the legal basis for processing the data subjects' personal data?

Personal data will only be processed for a specific purpose and on a corresponding valid legal basis. These purposes and legal grounds are detailed individually in relation to each data processing activity.

Is external assistance used to process your personal data?

The Data Controller primarily processes personal data at its own premises. However, certain operations require the external support of a Data Processor. The specific Data Processor utilized may vary based on the nature of the data processing task.

Who is processing your personal data?

Information regarding the Data Processors utilized by the Data Controller and their contact details is provided in Section II of this Data Protection Policy.

Section I. Name of the Data Controller

The publisher of this Data Protection Policy and the Data Controller is:

Detail

Information

Company Name

Leventours s.r.o.

Registered Seat

Nám. Sv. Imricha 923/21 943 01 Štúrovo, Slovakia

Company Registration Number

56728492

Tax Number (IČ DPH)

SK2122410499

EUID Identifier

SKORSR.56728492

Section II. Name of the Data Processors and Recipients

A Data Processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller (Regulation 2016/679, Article 4(8)). Prior explicit consent from the data subject is not required to engage a Data Processor, but the data subject must be informed. Accordingly, the following information is provided:

Data Processors:

  • Website Development:

    • IT and marketing service provider company (variable as per project needs).

  • Invoicing and Payroll Tasks Processor:

    • Company Name: Shark kzm s.r.o.

    • Registered Seat: Senný trh 3116/7, 945 01 Komárno, Slovakia

    • Company Registration Number: 52 363 813

    • Contact: https://shark-kzm.sk/hu/

Recipients (Data Transfers):

  • Google LLC (Registered Seat: Mountain View, California, USA)

  • Facebook, Inc. (Registered Seat: Menlo Park, California, USA)

  • Stripe, Inc. (Registered Seat: 1 Grand Canal Street Lower, Dublin, County Dublin, IE)

  • Zendesk, Inc. (Registered Seat: 1019 Market Street, San Francisco, CA 94103, US)

  • Tatra banka, a.s. (Registered Seat: Hodžovo námestie 3, 811 06 Bratislava 1)

  • PayPal (Európa) S.à r.l. et Cie, S.C.A. (Registered Seat: 283, route d'Arlon, L-1150 Luxembourg)

Where this Policy refers generally to transfers to the Company's Data Processors, it should also be understood to include transfers to the above-listed Recipients.

Section III. Lawfulness of Processing

1. Processing Based on Data Subject's Consent

When the Company intends to process data based on consent, this consent is secured via a dedicated data request form and information supplied in the relevant data processing notice.

Consent is actively provided when the data subject clicks a checkbox on the Site, adjusts relevant technical settings for information society services, or makes any clear, affirmative statement or action indicating approval of the intended data processing. Silence, pre-ticked boxes, or inaction do not constitute consent. Continuing a phone call after receiving due notice is considered consent.

Consent covers all processing activities for a single purpose. If processing serves multiple purposes, consent must be given for each. If consent is contained within a broader written document (like a sales contract), the request for consent must be clearly distinguishable, accessible, and stated in plain, unambiguous language. Any part of the statement violating GDPR shall be non-binding.

The Company will not condition the conclusion or performance of a contract on consent to process personal data that is not strictly necessary for executing that contract.

The data subject may withdraw consent at any time by sending an email to the Company's contact address specified in Section I. Withdrawal of consent means the Controller can no longer process the data, and the data must be erased, unless another legal basis (e.g., legal retention requirements, contract necessity) permits continued processing.

2. Processing Based on Fulfilling Legal Obligations

In cases where data processing is required to comply with a legal obligation, the scope of data, purpose, storage duration, and recipients are dictated by the underlying legislation. This processing is mandatory, irrespective of the data subject's consent.

Before this type of processing, the data subject is informed that the processing is obligatory and receives clear, detailed information about all processing facts, including purpose, legal basis, duration, who is handling the data, and available rights and remedies. For mandatory processing, providing a reference to the specific legislative provisions containing this information may suffice as notice.

3. Processing Based on Legitimate Interests

The legitimate interests of the Company or a third party may serve as a legal basis, provided these interests do not override the fundamental rights and freedoms of the data subject. The data subject’s reasonable expectations, based on their relationship with the Controller, must be considered. For example, processing personal data for contact or direct marketing purposes may be based on legitimate interests.

Processing based on legitimate interests requires a balancing of interests test. The Company, having conducted such tests, has concluded that processing under the described conditions is justified with appropriate safeguards (as set out in this Policy). Without this processing, the Company could not operate competitively, and the emotional impact or harm to the data subject's privacy is deemed proportionate. The data subject has the specific right to object to processing based on legitimate interest.

4. Processing for the Protection of Vital Interests

Processing may be based on the necessity to protect the vital interests of the data subject or another person. The right to data protection is subordinate to the right to life in critical situations.

5. Processing Based on Contractual Interests

Data processing may be based on a contractual necessity if it is required for the performance of a contract to which the data subject is a party, or if it is necessary to take steps at the data subject's request prior to entering into a contract.

6. Promoting the Rights of the Data Subject

The Company is obligated to ensure the exercise of the data subject's rights across all data processing activities.

Section IV. Information About Data Processing by the Company

Customer Data: Managing Contractual Partners, Contacts

The Company processes personal identification data (name, birth name, date of birth, mother's name, address), tax details (ID, number), identification numbers (entrepreneur ID, personal ID), contact information (phone, email, website), bank account number, customer/order number, and online identifier for natural persons who are contractual partners. This is for the purpose of preparing, concluding, performing, terminating, or granting benefits under a contract, in summary, supporting mutual economic processes. This processing is lawful if it is necessary for taking steps at the data subject's request prior to contract conclusion.

  • Recipients: Customer service, accounting, tax, business, invoicing employees, and Data Processors.

  • Storage Period: 8 years following contract termination (due to long-term business relationship).

  • Legal Obligation Data: Data required for accounting and taxation purposes are stored for 8 years to comply with a legal obligation.

The Company also processes the name, address, email, phone number, and online identifier of the natural person signing the contract on behalf of a legal entity for contract preparation and contact purposes. The legal basis is contract performance, and the storage period is 8 years after contract termination.

For contact persons (not signatories) named in a contract, the Company processes their name, address, phone number, email, and online identifier to maintain contact and fulfill contractual rights/obligations. The processing is based on legitimate interest (contract performance), given that the contact person is usually in an employment relationship with the contracting party, and the Company is informed that the contracting party has notified the contact person of this processing. The storage period is 8 years after contact is established.

Personal data may be transferred to the appointed accounting office, postal/courier services, the Company’s security agent, and the Company's Data Processors.

Processing is considered lawful if necessary in the context of a contract or the intention to conclude one (Article 6(1)(b) of the GDPR). The Company is obligated to inform the offeror/offeree during the process.

Sending Messages on the Company's Website (instantparistickets.com)

The natural person (user) can consent to data processing by ticking the relevant box; the box must not be pre-ticked.

  • Data Processed: Name (surname, first name), email address, phone number.

  • Purpose: To enable the personalized and optimal functioning of the website.

  • Legal Basis: Consent of the data subject.

  • Recipients: Company's IT data controllers; Data Processors.

  • Storage Period: 5 years or until the data subject withdraws consent (requests erasure).

The data subject acknowledges that providing this data is not a prerequisite for contract conclusion and is not mandatory.

Data Management in the Company's Webshop (instantparistickets.com)

Purchases constitute a contract under Act CVIII of 2001 and Government Decree 45/2014. The legal basis for processing purchase data is the contract.

The Company processes natural personal identification data and address for contract fulfillment, invoicing, and claim enforcement (Act CVIII of 2001, Article 13/A (1)). For billing, the Company may process address, delivery address, time, duration, and place of service use (Article 13/A (2)).

  • Recipients: Employees performing customer service, money management, transport, marketing, and the Company's Data Processors (accounting, tax, hosting, courier services).

  • Storage Period: Until registration/service is complete or consent is withdrawn; in case of purchase, until the end of the 5th year following the year of purchase.

The Data Protection Policy must be accessible via a link during the online purchase, and the customer must accept it.

Data Management Related to Social Media (Facebook, Instagram)

The Company's influence on social media platform data processing is limited. Where possible, the Company configures settings to align with data protection standards. The Company does not control the operator's primary activities and does not receive personal data from the platform operator.

The Data Controller maintains its own page on Facebook/Instagram. Followers' personal data is processed based on their voluntary consent, indicated by liking/following the page or commenting. Users affirm they are over 16 years of age or have legal guardian consent (GDPR Article 8(1)). The Controller is not able to verify age.

  • Purpose: To provide information (news, updates), advertising, presentation, and promotion of services.

  • Legal Basis: Voluntary consent of the data subject (in line with platform policies).

  • Data Processed: Data subject's name, data subjects are users of the platform.

  • Duration: Until the data subject unsubscribes (un-likes/unfollows) or deletes content.

  • Consequence of Non-Provision: Failure to receive current news and services from the Data Controller.

Management of Recruitment Data, Applications, CVs

  • Data Processed: Name, date/place of birth, mother's name, address, qualifications, photograph, phone number, email, and potentially previous employment record.

  • Purpose: Application assessment and conclusion of an employment contract.

  • Legal Basis: Data subject's consent (implied upon sending the application).

  • Recipients: Managers and employees entitled to exercise employer rights.

  • Storage Period: Until the application is assessed, for a maximum of 2 years. Data of unsuccessful or withdrawn candidates will be deleted.

Data Processing for Tax and Accounting Obligations

The Company processes personal data to fulfill legal, tax, and accounting obligations as stipulated by law (e.g., Accounting Act, Personal Income Tax Act).

  • Data Processed: Name, address, identification of the ordering party, signature (on vouchers/receipts), tax identification number. Data for vehicle logbooks (driver name, vehicle type, purpose, route, business partner) are processed for legal obligations, cost accounting, and tax assessment.

  • Storage Period: 8 years after the termination of the legal relationship giving rise to the legal obligation.

  • Recipients: Employees and Data Processors performing tax, accounting, payroll, and social security tasks.

Payer Data Processing

The Company processes data (employees, family members, recipients of benefits) for fulfilling its legal obligations as a paying agent (e.g., taxation, contributions, payroll, social security, pension administration).

  • Data Processed: Natural person identification data (including previous name/title), gender, nationality, tax identification number, social security number. Data on membership in health and trade unions may be processed if tax laws impose a legal consequence.

  • Storage Period: 8 years after the termination of the legal relationship.

  • Recipients: Employees and Data Processors performing tax, payroll, and social security tasks.

Processing of Documents of Lasting Value (Archives Act)

The Company processes documents deemed of permanent value under Act LXVI of 1995 (Archives Act) to ensure the preservation of archival material for future use.

  • Storage Period: Until transfer to the public archives.

  • Recipients: Company head, employees responsible for records management/archiving, and public archive employees.

Section V. Cookie Policy on the Website (instantparistickets.com)

Cookies are small text files stored on the user's device (computer or phone) with an expiration date. They store information about website visits and personal adjustments but do not contain the user's personal identity data. Cookies aim to create a user-friendly site and improve the user experience. If the user does not consent to their use, the use of the website will be interrupted.

  • Purpose: Improvement of internet experience, storage of personal adjustments.

  • Legal Basis: The data subject's freely given consent.

  • Data Processed: Analytical information is stored without name or other personally identifying data.

  • Storage Period: The data subject can delete cookies at any time from their device.

Section VI. Information About the Rights of the Data Subject

Further information on data subject rights can be found in the General Data Protection Regulation (GDPR) (Article 12-22, 77-82).

The data subject has the following key rights:

  • Information and Access to personal data (Articles 13 & 14).

  • Right of Access by the data subject (Article 15).

  • Right to Rectification (Article 16).

  • Right to Erasure ('right to be forgotten' – Article 17).

  • Right to Restriction of processing (Article 18).

  • Right to Data Portability (Article 20).

  • Right to Object (Article 21).

  • Right not to be subject to Automated Individual Decision-Making, including profiling (Article 22).

  • Right for Remedies (Articles 77-82).

Right to Lodge a Complaint with a Supervisory Authority

Every data subject has the right to lodge a complaint with a supervisory authority, particularly in their habitual residence, place of work, or the location of the alleged infringement, if they believe the processing of their personal data violates the GDPR.

Contact of the Supervisory Authority in Slovakia:

Office for Personal Data Protection of the Slovak Republic

(Úrad Na Ochranu Osobných Údajov)

Hraničná 12

820 07 Bratislava 27

Tel. + 421 2 32 31 32 14

Email: statny.dozor@pdp.gov.sk

Website: http://www.dataprotection.gov.sk/

Date of Effect: Slovakia, [Date 8 days after posting on instantparistickets.com

Leventours s.r.o.