Privacy Policy

GDPR – PERSONAL DATA PROTECTION

NOTIFICATION TO DATA SUBJECTS REGARDING INFORMATION AND RIGHTS IN THE PROCESSING OF
PERSONAL DATA

The protection of personal data is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, concerning the protection of natural persons in relation to the processing of personal data and the free movement of such data, which repeals Directive 95/46/EC (hereinafter referred to as “the Regulation”). Additionally, it is subject to Act No. 18/2018 Coll. on the Protection of Personal Data, along with amendments made by subsequent acts (hereinafter referred to as “the Personal Data Protection Act”).

Companies Advokátska kancelária JUDr. Michal Krnáč, s.r.o., with registered office at Vojtecha Tvrdého 793/21, 010 Žilina, ID no.: 52791777; Advokátska kancelária JUDr. Erik Končok, s.r.o., with registered office at Vojtecha Tvrdého 793/21, 010 Žilina, ID no.: 52789870; Advokátska kancelária JUDr. Iveta Boškajová, s.r.o., with registered office at J. Goliana 1513/16, 036 01 Martin, ID no.: 36785181; and Slovenská poradenská spoločnost, akciová spoločnosť, with registered office at Vojtecha Tvrdého 793/21, 010 01 Žilina, ID no.: 36414662 (collectively referred to as the “Companies”), may come into contact with the personal data of their clients or contractual partners during the course of their business activities as registered in the Commercial Register. In accordance with the applicable legislation, we hereby inform data subjects of their rights and relevant information concerning the processing of their personal data. A “Data Subject” is defined as any natural person who has expressed interest in the services provided.

For the purposes of the GDPR, the Companies act as the Data Controller, responsible for determining the purpose and scope of the processing of personal data collected through any functionalities of this website.

This Privacy Policy also applies to the processing of personal data provided to the Companies during the use of the websites krnackoncok.eu, korso.sk, and poradenska.sk

We also use cookies when you access or use this website. For further details, please visit https://krnackoncok.eu/en/cookies-policy/

The Companies obtain personal data directly from the Data Subject, limited to what is necessary to fulfill the specific purposes of processing.

Where the legal basis for processing personal data is a contractual obligation, the provision of such data is a legal requirement necessary for the conclusion and performance of a contract. Failure to provide this data will render it impossible to establish the contractual relationship or fulfill the terms of a contract.
When the legal basis for processing is a statutory requirement, the provision of personal data is mandatory under applicable law. Failure to provide the required data will prevent the proper fulfillment of the Companies’ obligations as prescribed by the relevant legal framework.

The Companies primarily collect personal data directly from the Data Subject. However, they may also obtain personal data from publicly accessible sources, official registers, or third parties, particularly in connection with the negotiation or performance of a contract. If a third party provides personal data to the Companies on behalf of the Data Subject, the data provider thereby confirms that they have obtained the Data Subject’s consent to process their personal data in compliance with the requirements set forth in Section 78(6) of Act No. 18/2018 Coll. on the Protection of Personal Data, as amended.

The processing of personal data is considered lawful if it is carried out under at least one of the following legal grounds pursuant to Section 13 of the Personal Data Protection Act:

  1. The Data Subject has given explicit consent for the processing of their personal data for one or more specific purposes.
  2. The processing is necessary for the performance of a contract to which the Data Subject is a party or for taking pre-contractual steps at the Data Subject’s request.
  3. The processing of personal data is necessary to comply with a specific legal obligation or an international treaty binding upon the Slovak Republic.
  4. The processing of personal data is essential to protect the life, health, or property of the Data Subject or another natural person.
  5. The processing of personal data is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Companies.
  6. The processing of personal data is necessary to pursue the legitimate interests of the Companies or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data, particularly when the Data Subject is a child. This legal basis does not apply to the processing of personal data by public authorities in the performance of their official duties.

The Companies process the Personal Data of the Data Subject primarily to fulfill a service based on the Data Subject’s specific request. The categories and types of personal data provided by the Data Subject and processed by the Companies vary depending on the specific purpose of the processing and the legal basis underpinning such processing.

The personal data of Data Subjects will not be transferred to any third country or international organization.

Automated individual decision-making, including profiling, is not employed in the processing of personal data.

Purpose of Processing Personal Data:

  • Recording Personal Data from the Contact Form: The processing of the Data Subject’s personal data is necessary to carry out pre-contractual measures at the Data Subject’s request. This processing is based on the legal grounds set forth in Section 13(1)(b) of the Personal Data Protection Act.
  • Provision of Contractual Services: The processing of the Data Subject’s personal data is required for the preparation and handling of contractual documentation in response to the Data Subject’s request. This processing is conducted under the legal basis specified in Section 13(1)(b) of the Personal Data Protection Act.
  • Exercise of the Data Subject’s Rights: The processing of personal data is necessary to facilitate the exercise of the Data Subject’s rights. This processing is based on the legal grounds provided in Section 13(1)(f) of the Personal Data Protection Act.
  • Litigation Agenda and Debt Recovery: The processing of personal data is required for managing litigation matters, including out-of-court negotiations and debt recovery. This processing is conducted under the legal basis specified in Section 13(1)(f) of the Personal Data Protection Act.
  • Compliance with Legal Obligations Arising from Generally Binding Legislation: The processing of personal data is necessary to fulfill legal obligations imposed by applicable laws, such as tax regulations, the Act on the Protection against the Legalization of Proceeds from Crime and the Financing of Terrorism, and obligations related to the archiving of documentation, including both physical and electronic records, as well as bookkeeping. This processing is based on the legal grounds outlined in Section 13(1)(c) of the Personal Data Protection Act.
  • Security and Management of IT Networks, PCs, and Servers: The processing of personal data is necessary for monitoring the functionality and security of the IT network to prevent potential threats from external or internal sources. This processing is based on the legitimate interests of the Companies, as outlined in Section 13(1)(f) of the Personal Data Protection Act.
  • Provision of Personal Data to Public Authorities: The Companies process personal data to comply with lawful requests from public authorities. This processing is conducted under the legal basis specified in Section 13(1)(c) of the Personal Data Protection Act.
  • Direct Marketing: The purpose of direct marketing is to inform Data Subjects, as potential clients, about updates and news related to the services in which they have expressed interest. The legal basis for processing personal data for direct marketing purposes is the explicit consent of the Data Subject.

Depending on the services provided, the Companies primarily process the following personal and work-related data of the Data Subject:

  • Name and surname, including the maiden name
  • Place of residence (permanent, temporary, or correspondence address)
  • Date of birth
  • Birth ID number
  • Nationality
  • Email address
  • Telephone number
  • Postal address
  • Billing address
  • Bank account number
  • Registered office, business email address, and telephone number
  • Correspondence and communication data, including email correspondence, internet data traffic, and the IP address of the terminal device used, as well as the date and time of access, and the name and URL of the opened file
  • Registration data


The Companies may share personal data with third parties as permitted by law or contract, including with contracted professional advisors and collaborators who are bound by a legal or contractual duty of confidentiality. Personal data may be accessed by employees who require it to perform their job duties related to the purpose for which the personal data was provided and in accordance with the Companies’ instructions. Employees are obligated to maintain the confidentiality of any personal data they encounter.

In accordance with statutory provisions and the fulfillment of legal obligations, personal data may also be disclosed to law enforcement authorities, public administration bodies, public authorities, and other entities as designated by law Personal data is stored for a limited period and will be deleted once it is no longer necessary for the purposes of processing. Personal data will be erased when retention is no longer required by law.

If you have any questions regarding the processing of personal data collected from you through any functionalities of this website, or if you wish to exercise any of your rights under the GDPR as outlined below, please contact us by submitting your inquiries in writing to our registered office address or electronically at advokacia@korso.sk.

Rights of the Data Subject in the Processing of Personal Data

The Data Subject has the following rights concerning the processing of their personal data, provided they have submitted such data directly to the Companies:

  • The right to obtain the identification data and contact details of the Companies and their representative, if applicable.
  • The right to receive the contact details of the designated responsible person, if one has been appointed.
  • The right to know the purpose for which the personal data is processed and the legal basis for such processing.
  • The right to be informed about the legitimate interests of the Companies or a third party if the personal data is processed for those interests.
  • The right to be informed about the retention period of the personal data; if this is not feasible, details regarding the criteria used to determine this period.
  • The right to access their personal data.
  • The right to rectification of personal data.
  • The right to have personal data concerning them erased by the Companies without undue delay.
  • The right to restrict the processing of personal data.
  • The right to object to the processing of personal data.
  • The right to data portability.
  • The right to withdraw consent at any time.
  • The right to bring an action under the Data Protection Act if the Data Subject believes their rights under the Act have been directly affected.
  • The right to be informed whether the provision of personal data is a legal requirement, a contractual obligation, or necessary for the conclusion of a contract, as well as the potential consequences of not providing such data.
  • The right to be informed about the existence of automated individual decision-making, including profiling.

The Data Subject shall have the following rights regarding the processing of their personal data if such data is not obtained directly from them by the Companies:

  • The right to the identification and contact details of the Companies and their appointed representative, if applicable.
  • The right to the contact details of the designated responsible person, if appointed.
  • The right to know the purpose for which the personal data is processed, along with the legal basis for such processing.
  • The right to be informed about the categories of data being processed.
  • The right to identification of the recipient or category of recipients of the personal data, if applicable.
  • The right to receive information regarding any intention by the Companies to transfer personal data to a third country or an international organization.
  • The right to be informed about the retention period of the personal data and, where applicable, the criteria used to determine this period.
  • The right to receive information regarding the legitimate interests of the Companies or a third party, if the processing of personal data is based on these interests.
  • The right to access personal data held by the Companies.
  • The right to request the rectification of inaccurate personal data.
  • The right to request the erasure of personal data without undue delay.
  • The right to restrict the processing of personal data under certain circumstances.
  • The right to object to the processing of personal data at any time.
  • The right to data portability, allowing the Data Subject to obtain and reuse their personal data across different services.
  • The right to withdraw consent at any time.
  • The right to bring a claim under the Data Protection Act if the Data Subject believes their rights have been violated.
  • The right to receive information about the source of the personal data, including whether it was obtained from publicly accessible sources.
  • The right to be informed about the existence of automated individual decision-making, including profiling.

The Data Subject has the right to request confirmation from the Companies regarding whether their personal data is being processed. If such processing occurs, the Data Subject has the right to access and receive information about their personal data, including:

  • The purpose of the personal data processing.
  • The category of personal data being processed.
  • The identification of the recipient or category of recipients to whom the personal data has been or will be disclosed, particularly if the recipient is located in a third country or an international organization, if applicable.
  • The retention period for the personal data; if this cannot be provided, information on the criteria used to determine it.
  • The right to request that the Companies rectify, erase, or restrict the processing of the personal data concerning the Data Subject, as well as the right to object to the processing of that personal data.
  • The right to file a petition to initiate proceedings in accordance with Article 100 of Act No. 18/2018 Coll.
  • The source of the personal data if it was not obtained directly from the Data Subject.
  • The existence of automated individual decision-making, including profiling, as outlined in Section 28, points 1 and 4 of Act No. 18/2018 Coll. In such cases, the Companies shall provide the Data Subject with information regarding the procedure used, as well as the significance and expected consequences of such processing of personal data for the Data Subject.

The Data Subject has the right to request the erasure of personal data if

  • The data is no longer necessary for the purposes for which it was collected and processed.
  • The Data Subject has withdrawn their consent to the processing of personal data (if this was the legal basis for processing), and no other legal basis for processing exists.
  • The Data Subject objects to the processing of the personal data, and there are no overriding legitimate grounds for processing, or if the Data Subject objects to the processing for direct marketing purposes.
  • Their personal data is being processed unlawfully.
  • The erasure is necessary to fulfill an obligation under the Personal Data Protection Act, a special regulation, or an international treaty to which the Slovak Republic is bound.
  • The personal data was obtained in connection with the offer of information society services.

Right to Rectification of Personal Data: The Data Subject has the right to have any inaccurate personal data concerning them rectified by the Companies without undue delay. In light of the purpose of processing, the Data Subject also has the right to have incomplete personal data completed.

The Data Subject shall have the right to restrict the processing of personal data if

  • They object to the accuracy of the personal data, for a period that allows the Companies to verify the accuracy of the data.
  • The processing of the personal data is unlawful, and the Data Subject objects to the erasure of the personal data, instead requesting the restriction of its use.
  • The Companies no longer need the personal data for the purpose of processing, but the Data
  • Subject requires the data to exercise a legal claim.
  • The Data Subject objects to the processing of the personal data on the grounds of the legitimate interest of the Companies or for reasons necessary for the performance of a task carried out in the public interest, pending verification that the legitimate grounds of the Companies outweigh those of the Data Subject.

Right to Data Portability – The Data Subject has the right to request that the Companies transfer their personal data to a third party in a structured, commonly used, and machine-readable format, if technically feasible and under the following conditions:

  • The personal data are processed based on the Data Subject’s consent or are necessary for the performance of a contract to which the Data Subject is a party.
  • The processing of the personal data is carried out by automated means.

Right to Object to the Processing of Personal Data – The Data Subject may object to the processing of their personal data when such processing is carried out for the performance of a task in the public interest or in the exercise of official authority vested in the Companies. Additionally, if the Companies are processing personal data based on legitimate interests, the Data Subject can object if they believe that the Companies do not have the right to process their personal data. In such cases,
the Companies may no longer process the personal data unless they can demonstrate compelling legitimate interests that override the rights or interests of the Data Subject or provide grounds for exercising a legal claim.

Right to Object to the Processing of Personal Data for Direct Marketing – The Data Subject has the right to object to the processing of their personal data for the purpose of direct marketing, including profiling related to direct marketing. If the Data Subject exercises this right, the Companies must cease processing the personal data for direct marketing purposes.

Right to Withdraw Consent – The Data Subject has the right to withdraw their consent to the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of the processing that occurred based on consent prior to its withdrawal. The Data Subject must be informed of this fact before giving consent. Withdrawal of consent can be done in the same manner as it was originally provided.

Right to Be Informed of a Personal Data Breach – The Data Subject has the right to be informed of any personal data breach. Companies are obligated to notify the Data Subject without undue delay if the breach is likely to result in a high risk to the rights of the individual.

Rights in Relation to Automated Individual Decision-Making, Including Profiling – The Data Subject has the right not to be subject to a decision that is based solely on automated processing of personal data, including profiling, which has legal effects concerning them or similarly significantly affects them.


NOTICE: Due to the specific nature of the activities of some Companies (such as legal practice), the exercise of certain rights of Data Subjects may be significantly restricted, particularly in cases involving the processing of personal data related to specific legislation.

Exercise of the Rights of the Data Subject
To ensure the protection of personal data and mitigate the risks of misuse, the Data Subject may exercise their rights as follows:

  • The Data Subject has the right to invoke their rights and lodge complaints regarding the manner and extent of the processing of personal data directly with the Companies at Vojtecha Tvrdého 793/21, 010 Žilina, or via email at: advokacia@korso.sk.
  • If the Data Subject suspects that their rights have been or are being violated in the processing of personal data, they have the right to file a petition for the initiation of personal data protection proceedings with the Office for Personal Data Protection of the Slovak Republic, located at Hraničná 12, 820 07 Bratislava 27. The contact telephone numbers are +421 2 32 31 32 14 or +421 2 32 31 32 49, and the email address is statny.dozor@pdg.gov.sk.
  • For more information, please visit https://dataprotection.gov.sk/en/rights-data-subjects/proceedings-on-protection-personal-data/.