Privacy policy

Personal data processing policy and data protection system under the GDPR


The purpose of this policy is to demonstrate that the processing of personal data by the operator is carried out in accordance with the currently applicable legislation, in particular Act 18/2018 Coll. on the Protection of Personal Data (hereinafter referred to as “The new Act on the Protection of Personal Data”) and Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”). The new legislation obliges the operator to take appropriate technical and organisational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the new legislation, considering the nature, scope and purpose of the processing of personal data and the risks of varying likelihood and severity to the rights of the natural person. The operator shall keep these measures in place up to date as necessary.

This document is the result of an assessment of the processing of personal data by the operator for the purposes of the legal standards governing the protection of personal data. By implementing standardised data protection based on the principles set out here, the risk of a data breach is minimised.


Business name: KAVAZ s.r.o.

Main office: T. J. Moussona 6429/2B, Michalovce 071 01, Slovak Republic

Legal form: Limited liability company

ID: 53 058 364

Registration: the company is registered in the Commercial Register of the District Court Košice I., section: Sro, no. 48850/V

Statutory body: Ing. Lukáš Karch, Phd., – managing director, Andréia Karch Vaz – managing director

 (hereinafter in the text of the Policy referred to as the “Operator“)



If you wish to contact us in the course of processing your personal data, you can do so at:

Tel: +421 905 379 313

E-mail: [email protected]

Adress: T. J. Moussona 6429/2B, Michalovce 071 01, Slovak Republic


The legal basis for the processing of personal data of all categories of data subjects by the operator are the following provisions of the GDPR, the new Act on the Protection of Personal Data:

a) the processing of personal data is necessary for the performance of a contract, to which the data subject is a party or for the performance of a pre-contractual measure at the request of the data subject, – pursuant to Section 13, Article 1 (b) of the GDPR or Article 6 (b) of the GDPR.

(orders, work contracts, employment contracts, pre-contractual relations, CVs….)

b) Pursuant to Section 78 (3) of the Personal Data Protection Act, the operator, who is the employer of the data subject, is entitled to provide the data subject’s personal data or to disclose his or her personal data within the scope of title, name, surname, job classification, service classification, functional classification, employee’s personal number or employee’s employee number, professional department, place of work, telephone number, fax number, workplace e-mail address and employer’s identification data, if this is necessary in connection with the performance of the job duties, service duties or functional duties of the data subject. The provision or disclosure of personal data shall not undermine the dignity, respectability, and safety of the data subject.

c) the processing of personal data is necessary pursuant to a special regulation or an international treaty by which the Slovak Republic is bound, – pursuant to Section 13 (1) (c) of the Personal Data Protection Act, or Article 6 (c) of the GDPR (Commercial Code, Labour Code, Health Insurance Act, Social Insurance Act, Income Tax Act…)

d) the processing of personal data is necessary for the purpose of the legitimate interests of the operator or of a third party, except where those interests are overridden by the interests or rights of the data subject requiring the protection of personal data, in particular where the data subject is a child, – pursuant to Section 13(1) (f) of the GDPR or Article 6 (f) of the GDPR.

e) further processing of personal data for archiving purposes, scientific, historical research, or statistical purposes, provided that it is in accordance with a specific regulation and that adequate safeguards for the protection of the rights of the data subject are complied with.


We declare that, as the operator, we comply with all legal obligations required by applicable legislation, in particular the Data Protection Act and the GDPR, and therefore that:

  • we will only process your personal data based on the valid legal basis described above,
  • we hereby fulfil our information obligation to data subjects under Article 13 of the GDPR,
  • we will enable and support you in exercising and fulfilling your rights under the new Data Protection Act and the GDPR.


  • contractual/pre-contractual partners and customers of the operator
  • employees of the operator



We process the personal data you entrust to us for the following purposes:

  • Contractual/pre-contractual partners and customers of the operator:


KAVAZ s.r.o. is the operator of personal data collected in connection with the business activities of its contractual and pre-contractual partners.

Your personal data – business name, postal address, e-mail address, telephone number, names and surnames of contact persons, ID number, tax code, VAT number are processed for the purpose of:

  • implementation of contractually agreed cooperation,
  • processing of orders, delivery of ordered products and all related formalities,
  • the processing of requests for delivery of products and services, their acceptance, and all related formalities,
  • identification of the contracting party,
  • provision of the agreed service/delivery of the ordered goods.


  • Employees:
    • The operator processes the personal data of employees solely for the purposes of employment and legal relationships arising from employment law and social security law.
    • The operator processes personal data necessary for the payment of wages and the keeping of personnel records on the basis of the employment relationship or agreements for work performed outside of the employment relationship.
    • Another purpose is the performance of the employer’s obligations related to the employment relationship, civil servant relationship or similar relationship (e.g., based on agreements for work performed outside the employment relationship), including pre-contractual relationships.
    • The purpose is also to ensure the identification of the employee in employment contracts.


  • The operator warrants that the personal data provided by the data subject in the contract or otherwise will be processed in information systems in accordance with the principle of storage minimization and if the purpose of processing the personal data cease to exist, the operator warrants to delete the personal data. In the event that the personal data referred to above are processed for a purpose other than that set out above in this article, the data subject shall be informed of this purpose as well as of the legal basis for such processing prior to such processing.
  • The operator guarantees that the personal data of employees will be used for purposes specified in this policy for the maximum duration of the employment relationship or, if required by any of the above regulations, for the period specified in this statutory provision.



We protect personal data to the maximum extent possible. We protect it as if it were our own. We have put in place all possible technical and organizational measures to prevent the misuse, damage or destruction of your personal data.


Your personal data can be accessed only by persons, authorized by the operator, who are bound by confidentiality and trained in processing security.

We handle most of the processing operations ourselves and do not need 3rd parties.
To ensure specific processing operations that we are not able to provide on our own, we use the services of intermediaries who specialize in the processing. They are bound by an intermediary contract in accordance with the GDPR.

These are providers of the following platforms and services:

  • OSH service provider
  • Supplier of accounting services
  • Medical provision of work capability assessment


We only process data in the European Union or in countries that provide a level of protection based on a decision of the European Commission.


You have a number of rights in relation to data protection. If you wish to exercise any of these rights, please contact us using the email address above.

You have the right to information, which is already fulfilled by this privacy policy.

Due to the right of access, you can ask at any time for personal data we are processing and the reason for such processing. We will provide this information to you within 30 days.

If something changes or if you find any of your personal data outdated or incomplete, you have the right to have your personal data completed and amended.

If you believe that we are processing your data inaccurately or unlawfully, but you do not want to delete all of your data or if you object to the processing of your personal data, you can exercise your right to restriction.

You can restrict the scope of the personal data or the purposes of the processing.

Right to erasure: In case there is no legal basis that authorizes us or legal obligation that obliges us to process your personal data, your next right is the right to erasure. In this case, we will delete all of your personal data from our system, as well as from the system of all sub-processors and backups, within the statutory time limit.

Complaint to the Data Protection Authority: If you feel that we are not processing your data in accordance with the law, you have the right to contact the Data Protection Authority at any time. We would be very pleased if you would first inform us of such suspicion so that we can do something about it and correct any potential wrongdoing.


We would like to assure you that the operator, as well as our employees, co-workers and intermediaries who will process your personal data, are obliged to maintain confidentiality of personal data, the disclosure of which would compromise the security of your personal data. This confidentiality continues even after the relationship with us has ended.

This Privacy Policy is applicable from 25.5.2018 and replaces the previous Privacy Policy.