Article 1
Identification of the operator, the circle of data subjects and introductory information
1
Entrepreneur Viktor Parasochkin, registered office: Agátová 3460/7F, 841 01 Bratislava-Dúbravka, Company ID (IČO): 53973640, is the operator of the personal data information system (hereinafter referred to as the “Operator”), which uses the software application LEXWAY Backoffice System as a means of processing personal data (hereinafter referred to as the “Software Application”) of a) customers, b) end users of the Software Application from corporate clients, and c) registered transport service providers (drivers) (hereinafter collectively referred to as the “Data Subjects”).
2
The Operator has created this Document for Data Subjects in order to enhance sufficient transparency and explain the basic rules that the Operator follows in protecting the privacy and personal data of Data Subjects using the Program Application.
3
The Controller is particularly concerned about the security and lawfulness of the processing of personal data of Data Subjects, and therefore has created in this Document for the use of the Program Application special binding rules for the processing of personal data of Data Subjects, which are based on the basic principles of personal data processing regulated in Section 6, paragraph 2 of Act No. 18/201818/2018 Coll. on the protection of personal data and on the amendment and supplementation of certain acts (hereinafter referred to as “Act No. 18/201818/2018 Coll.”) and in Article 5, paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).
4
This Document represents the internal personal data protection and privacy policy implemented by the Operator in accordance with Article 24 of the GDPR for the purpose of demonstrating compliance with the GDPR when using the Software Application. The reason for developing this Document is the Operator’s obligation to adopt appropriate technical and organizational measures to ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR. The aforementioned measures will be reviewed and updated as necessary.
5
By means of this Document, the Operator provides mandatory information to the Data Subjects when obtaining personal data pursuant to Section 19 et seq. of Act No. 18/2018 Coll. and Article 13 of the GDPR. The Operator ensures that the Data Subjects are informed about the content of this Document when installing the Program Application on the end user’s technical device, while also ensuring that the Program Application cannot be used for the first time without the Data Subject confirming that he/she has become familiar with and agrees to the rules and settings for the protection of privacy and personal data set out by the Operator in this Document. Subsequently, this Document is accessible to the Data Subjects also within the content of the Program Application and a specially designated website intended for registration in the Program Application, available at the URL https://lexway.company/ (hereinafter referred to as the “Website”).
Article 2
Declarations and guarantees of the operator
1
The operator does not publish personal data of any Data Subject anywhere or transfer them to any third country that does not ensure an adequate level of protection of personal data. The operator guarantees to the Data Subjects that personal data will be processed exclusively in the territory of the Member States of the European Union, specifically, at the time of the effectiveness of this version of the Document, all personal data processed in the Software Application are physically stored exclusively in the territory of the Slovak Republic.
2
The personal data of the Data Subjects are processed within the Program Application predominantly in an automated (e.g. exclusively software) manner, while the possibility is always maintained for trained and professionally prepared Recipients authorized by the Controller to participate in their processing in accordance with Article 29 of the GDPR
3
The Controller uses appropriate means of encryption for data transmission conducted via a publicly accessible computer network between the Data Subject’s terminal device and the Program Application. Likewise, all data and personal data of the Data Subjects stored by the Controller in designated data storage facilities are secured by appropriate means of encryption.
4
The Controller processes personal data for as short a time as possible. The Controller has ensured automated destruction of personal data of all Data Subjects who uninstall the Program Application from their terminal device.
5
The Operator guarantees to the Data Subjects that by installing the Program Application on their end device (e.g. tablet, smart mobile phone), no third parties will gain confidential access to data and any content stored in the client technical device of the end user of the Program Application.
6
The Operator guarantees to the Data Subjects that each of the obtained consents intended to legalize a partial (partial) processing operation or other purpose of processing personal data unrelated to the use of the Program Application will be able to be expressed by the Data Subject freely and independently of the possibility of using the Program Application; The Operator does not in any case condition the possibility of using the Program Application on obtaining the consent of the Data Subject for purposes unrelated to the use of the Program Application (e.g. marketing purposes). The Data Subject always has the option not to grant the Data Subject’s consent to the processing of personal data to the Operator in relation to such partial processing operations or unrelated purposes of processing their personal data without this in any way affecting the possibility of using the Program Application. However, in some cases, granting consent by the Data Subjects directly affects the possibility of providing services provided on the basis of a contractual relationship concluded with a third party (e.g. a carrier or limousine driver registered in the Program Application). However, the granting or non-granting of such consent by the Data Subjects does not in any way condition the provision of services provided by the Operator through the Program Application, which consist of information society services and the mediation of personal transport and not in the provision of personal (taxi) transport services.
7
All entities that, in addition to the Operator, are legally involved in the processing of personal data of the Data Subjects are transparently identified in Article 6 of this Document together with their substantive legal status under the GDPR. The Operator will not perform any processing operation with the personal data of the Data Subjects to a third party and/or recipient, if it is not transparently identified in this Document and the Operator does not have the necessary legal basis for this under Article 6 of the GDPR.
8
All recipients of personal data processed in the Program Application access them solely on the basis of authorization granted by the Operator, and are legally bound by specific obligations and legal guarantees strengthening the protection of the personal data of the Data Subjects.
9
The Operator does not provide the personal data of the Data Subjects to any third parties for commercial purposes without each Data Subject expressing their individual free consent, or unless such provision or disclosure of the personal data of the Data Subjects is necessary for the fulfillment of the Operator’s rights and obligations under the applicable General Terms and Conditions of the Program Application (e.g. disclosure of personal data to drivers of the Operator’s business partner).
10
The part of the processing of personal data of the Data Subjects related to the use of the Program Application is carried out separately and completely independently of the Operator by third parties that are in the position of separate operators of personal data information systems different from the Operator’s personal data information systems intended for processing personal data of the Data Subjects; in these cases, these are mainly operators of online stores with mobile applications, or operators of so-called payment gateways intended for making cashless payments over the Internet. The Operator also informs the Data Subjects about these third parties (for more information, see Article 6, point 3 of this Document), to whom the Data Subject provides his/her personal data directly when using the Program Application, without the Operator intervening in or influencing this process in any way. This part of the processing of the personal data of the Data Subjects is governed by the internal policies and security measures adopted by these third parties and the Operator has no influence on such processing of personal data, including the possibility of exercising the rights of the data subject, which it informs the Data Subjects about in Article 9 of this Document.
11
In the future, the Controller may make available all data, including personal data of Data Subjects, which are the subject of processing in the Software Application to a potential purchaser of the Software Application, or to their professional advisors (M&A consultants, lawyers, accountants, auditors, IT experts) subject to the prior creation of a confidentiality obligation, which will bind all persons participating in the so-called due diligence process to absolute confidentiality of all personal data that they become aware of when assessing and estimating the price of the Software Application. The Controller also undertakes to adopt special procedures and organizational security measures in this case that will strengthen the protection of the processed personal data of Data Subjects.
12
The Controller has carefully checked its business partners (so-called intermediaries) that it has allowed to process the personal data of Data Subjects in terms of their ability to ensure the security and lawfulness of the processing of personal data.
13
In this regard, the Program Application does not allow the sharing or disclosure of any personal data of the Data Subject, without the Data Subject himself/herself deliberately starting to use the Program Application and by his/her own actions not allowing the sharing of information, data and personal data processed in the Program Application with third parties.
14
The Program Application does not allow third parties to obtain and store information about the end device of the user of the Program Application or to process any information that is already stored and stored in such technical device by the Data Subjects during the use of the Program Application. In addition to the Controller and the data recipients authorized by him/her (see Article 6, point 2 of the Document), only the Processor 1 (see Article 6, point 1 of the Document) may have access to data and functions processed in the Program Application installed on the end user device of the Data Subject through the so-called
API (Application Programming Interface).
15
In processing personal data and communicating with Data Subjects, the Operator uses only the Program Application and the Website, in addition to regular telephone and email communication via officially published contact information on the Website; The Operator does not use so-called social networks or cooperate with social network operators to obtain personal data or perform any other processing operations with personal data. The Operator has not established and does not use any official profiles established on the social networks Facebook, Twitter, Instagram, etc. when processing the personal data of Data Subjects.
16
The Operator declares that Carriers registered in the Program Application do not have access to all data and personal data processed in the Program Application, but only to data and personal data relating to orders initiated by Data Subject 1 and Data Subject 2, which are intended for processing in real time.
17
The Controller does not process any personal data of minors in the Software Application. Only natural persons of full legal capacity may be Data Subjects.
18
The Controller does not process any data of special categories of personal data in the Software Application regarding Data Subjects pursuant to Article 9 of the GDPR.
Article 3
List of personal data subject to processing
1
The Operator processes the following personal data about natural persons – users (hereinafter referred to as “Data Subject 1”): Name, surname, email, telephone number, place and time of the planned arrival of the ordered limousine, order history (data on the place and exact time of boarding the vehicle, duration of the trip, route of the trip, data on the place and exact time of the end of the trip, type of vehicle used for a specific trip, specific requirements of the data subject (child seat, preference of a specific driver for the trip, etc.), date of travel, flight number in the case of pick-up at the airport, IP address and MAC address assigned to the client device of the Data Subject 1 when logging into the Program Application and so-called log records generated by the Program Application during the period of active use of the Program Application (e.g. time of logging in and time of logging out of the Program Application, actions performed and exact time of execution of actions in the program application).
2
The Operator processes the following list of personal data about natural persons who use the Program Application legally on the basis of a contractual relationship between the Operator and a third party with whom this natural person has a separate legal relationship (e.g. employee, manager, client) (hereinafter referred to as “Data Subject 2”): name, surname, email, telephone number, information about the natural person’s affiliation with the legal entity that is in a contractual relationship with the Operator, job function, order history (information about the place and exact time of boarding the vehicle, duration of the trip, route of the trip, information about the place and exact time of the end of the trip, type of vehicle used for a specific trip, specific requirements (child seat, preference of a specific driver, etc.), travel date, flight number, trip price, project number, billing codes, IP address and MAC address assigned to the client device of Data Subject 2 when logging into the Program Application and so-called log records generated by the Program Application during the period of active use of the Program Application (e.g. time of login and time of logout to the Program Application, actions performed and exact time of execution of actions in the Program Application).
3
The Operator processes only the following personal data about natural persons – drivers of motor vehicles who are business partners (hereinafter referred to as “Data Subject 3”) based on registration in a separate module of the Program Application and subsequent use of the Program Application: name, surname, telephone number, email, IP address and MAC address assigned to the client terminal device of the Data Subject 3 when logging in to the Program Application and so-called log records generated by the Program Application during the period of active use of the Program Application (e.g. time of login and time of logout to the Program Application, actions performed and exact time of execution of actions in the Program Application).
Article 4
Legal basis and purposes of processing personal data
1
The Controller processes the personal data of all Data Subjects for the purpose of the proper use of the Software Application, the purpose of which is to enable comfortable and efficient transportation of individuals by luxury motor vehicles. Each Controller is responsible for ensuring that the appropriate legal basis for the processing of personal data is established pursuant to Art. 6(1) GDPR. The rights of the Data Subjects arise from the determination of the correct legal basis. Before commencing activities involving the processing of personal data, the Controller has considered what constitutes an appropriate legal basis for the planned data processing.
2
The Controller processes the personal data of Data Subject 1 for the purpose of concluding and fulfilling the contractual relationship established between Data Subject 1 and the Controller under the terms and conditions set out in this Document and the General Terms and Conditions of the Controller. The legal basis for the processing of personal data for this purpose is the contractual relationship concluded between the Controller and Data Subject 1, or provision of Section 13, paragraph 1, letter b) of Act No. 18/2018 Coll. and provision of Article 6, paragraph 1, letter b) of the GDPR.
3
The Operator processes the personal data of the Data Subject 2 for the purpose of fulfilling the contractual relationship established between the Operator and a corporate client who has its own legal relationship with the Data Subject 2 independent of the Operator under the conditions expressed in this Document, the General Terms and Conditions of the LEXWAY backoffice system Program Application and the consent of the Data Subject 2. The legal basis for processing the personal data of the Data Subject 2 for this purpose is the consent of the data subject, or the provision of Section 13, paragraph 1, letter a) of Act No. 18/2018 Coll. and Article 6, paragraph 1, letter a) of the GDPR. The personal data of the Data Subject 2 are also used for the purposes of invoicing and bookkeeping in accordance with Slovak law. The legal basis for this processing of the personal data of the Data Subject 2 for this purpose is a special law, or the provision of Section 13(1)(c) of Act No. 18/2018 Coll. and the provision of Article 6(1)(c) of the GDPR.
4
The Controller processes the personal data of the Data Subject 3 for the purposes of fulfilling the contractual relationship established between the Controller and the Data Subject 3 or the employer of the Data Subject 3 or the contractual business partner of the Data Subject 3. The legal basis for this processing of personal data is the contractual relationship concluded between the Controller and the Data Subject 3, or the provision of Section 13(1)(b) of Act No. 18/2018 Coll. and the provision of Article 6(1)(b) of the GDPR or the consent of the Data Subject 3 granted to the Operator upon registration in the Program Application, if the Data Subject 3 does not perform passenger transport as a self-employed person, but as an employee of another Carrier.
5
The purpose of processing the personal data of the Data Subject 1 and the Data Subject 2 is also the Operator’s own marketing communication (e.g. newsletter, etc.) as well as the display of third-party marketing communication without involving the provision or disclosure of the personal data of the Data Subject 1 and the Data Subject 2 to any third party. The legal basis for processing the personal data of the Data Subject 1 and the Data Subject 2 for this purpose is the consent of the data subject, or the provision of Section 13(1)(a) of Act No. 18/2018 Coll. and Article 6(1)(a) of the GDPR. The data subject grants or refuses this consent to the Operator separately through a separate legal act.
6
From 1.3.2024, the Operator is authorized to start processing electronic communication metadata attributable to the technical devices of the end users of the Program Application, i.e. the Data Subjects, for the purposes of protecting the rights and legally protected interests of the Operator in ensuring the protection and security of data processing in the Program Application (e.g. recognizing IP addresses and MAC addresses of user devices using the application and associating them with registered identities). The legal basis for processing personal data will be the legitimate interest of the Operator (i.e. protecting the rights and legally protected interests of the Operator), or the provision of Article 6(1)(f) of the GDPR).
7
The Operator is authorized to process the personal data of the Data Subjects also for the purposes of performing so-called due diligence audits, which could occur before the possible sale of the Program Application to an interested third party. The legal basis for the processing of personal data will be the legitimate interest of the Operator (i.e. protection of the rights and legally protected interests of the Operator), or the provision of Article 6(1)(f) of the GDPR.
Article 4a
Consent of the data subject supplementing the general terms and conditions of the software application
1
Given the fact that the Operator, when processing the personal data of the Data Subject 1 and the Data Subject 2 in the Software Application, needs to provide personal data to its business partners who have the status of carriers carrying out the actual transport, i.e. drivers and/or, if applicable, also to the employers of these drivers and the business model used by the Operator does not allow for the provision of this personal data within the framework of the contractual relationship concluded under the Operator’s General Business Terms and Conditions directly between the Operator and the Data Subject, it is necessary, in view of the need for sufficient legalization of the performance of the necessary processing operations with the personal data of the Data Subjects, to request consent from Data Subject 1 and Data Subject 2 to provide their personal data to Data Subject 3 (the taxi limousine driver registered in the Program Application and, if applicable, also the employer of this driver, who is in a business relationship with the Operator (see third parties in the position of data recipients referred to in Article 6, point 2 of this Document)) (hereinafter referred to as the “Carrier”).
2
The Operator informs the Data Subject 1 and Data Subject 2 that when using the Software Application, by their actions consisting in ordering transportation, they grant the Operator consent to the provision of personal data in the scope of: name, surname, telephone, place and time of pick-up or start of transportation to any Carrier registered in the Software Application for the purpose of performing personal transportation of the Data Subject 1 and/or the Data Subject 2 and fulfilling the specific contractual obligations that the Data Subject 3 (driver) has towards the Operator. The Data Subject 1 and Data Subject 2 also have the option of selecting a specific Carrier or driver in the Software Application, so that in the event of selecting a specific Carrier, personal data will only be provided to this selected Carrier and not to all Carriers registered in the Software Application. Data Subject 1 and Data Subject 2 are entitled to withdraw their consent to the processing of personal data explained in this point of this Document at any time until the commencement of the transport by the Carrier, using the “cancel order” function available in the Software Application. The commencement of the transport results in the conclusion of a separate contractual relationship between Data Subject 1 and/or Data Subject 2 and the Carrier. The validity period of this consent lasts for the entire period of active use of the Software Application.
3
Date 3 and at the same time the Carrier who performs passenger transportation on the basis of a contractual relationship concluded with the Operator’s business partner, who is in the position of a third party and data recipient (see Article 6, point 2, letter d) of this Document) grants the Operator consent to making his personal data available in the Program Application to the Subject 1 and the Subject 2 to the extent of name, surname, type and color of the motor vehicle, information on availability/unavailability for performing passenger transportation for the purpose of concluding a contractual relationship between the Subject 1 or the Subject 2 and the Subject 3. This consent may be revoked by the Subject 3 at any time by uninstalling the Program Application from his end user device or in the manner pursuant to Article 9, point 2 of this Document.
4
The consents of the Data Subjects formulated in Article 4A of this Document supplement the General Terms and Conditions approved by the Operator for the use of the Software Application and create the prerequisites for achieving compliance with the basic principles of personal data processing pursuant to Article 5(1)(a) and (b) of the GDPR and Article 7 of the GDPR.
5
In addition to the notification mechanisms described in Article 1(6) of this Document, the Operator also draws the attention of the Data Subjects to the formulations of the above-mentioned consents to the processing of personal data, with regard to the requirement arising from Article 7(2) of the GDPR, by specifically extracting this part of the text from this Document into a separate document, which is made available continuously throughout the entire period of use of the Software Application to each Data Subject within the Software Application user interface in the “Terms of Use” section.
Article 5
Period of storage of personal data
1
The Operator stores the personal data of the Data Subjects exclusively for the period of registration of the individual user of the Program Application. Uninstalling the Program Application from the device of the end user (Data Subject) will immediately result in the automated destruction of all personal data associated with the user account that was canceled as a result of uninstalling the Program Application.
2
The Operator will also destroy all personal data or precisely specified personal data at any time based on the individual request of the authorized Data Subject, even beyond the grounds set out in Article 17(1)(a) of the GDPR.
3
The Operator will carry out the procedure pursuant to Article 5(2) of this Document only in cases where this would not jeopardize or violate the fulfillment of its obligations under generally binding legal regulations (e.g. ensuring the security of personal data processing, recording of accounting documents) or its obligations under the General Terms and Conditions of the Program Application (e.g. checking the eligibility of driving by the employer of the Data Subject).
4
In the event of a longer period of inactivity in the use of the Program Application by the registered Data Subject exceeding 1 calendar year, the Operator will usually check the Data Subject’s interest in further use of the Program Application by e-mail. In the event of ignoring or a negative response from the Data Subject addressed, the Operator will ensure the cancellation of the user account together with the destruction of all personal data.
Article 6
Identification of intermediaries, recipients and third parties involved in the processing of personal data of data subjects
1
The Operator uses the following intermediaries when processing the personal data of Data Subjects in the Program Application:
a. AMCEF s.r.o. with its registered office at Janka Alexyho 2954/1A Bratislava – Dúbravka City District 841 01 Company ID: 51 026 694, registration: Commercial Register of the District Court Bratislava III, section: Sro, insert no. 152441/B
b. Websupport with registered office: Staré Grunty 12 Bratislava 841 04, Company ID: 36 421 928, Registration: Commercial Register of the District Court Bratislava I, Section: Sro, File No.: 63270/B;
c. SMS API with registered office Toszecka 101, 44-100 Gliwice, Poland, VAT (VAT UE) PL969-156-67-36
2
When processing the personal data of the Data Subjects in the Program Application, the Operator uses the following recipients, or groups of recipients, whom it has trained and sufficiently instructed in relation to the Program Application about their rights, responsibilities and obligations in the internal personal data protection system created by the Operator:
a. employees of the Operator;
b. legal entities that are in a business client relationship with the Operator (so-called B2B), which have a special and completely independent legal relationship with the Data Subjects directly using the Program Application (e.g. employment relationship, business relationship, etc.);
c. natural persons that are in a special business relationship with the Operator for the purpose of providing transportation services to the end user of the Program Application, or Data Subject 1 and Data Subject 2, i.e. the Carrier (see Article ARTICLE 4a point 1 of this Document).
3
The Operator uses the following partners who have the status of a third party and an independent controller responsible for the protection of personal data independently and separately from the Operator, i.e. the Operator does not bear any legal responsibility for the protection of personal data:
a. Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, United States of America; and
b. Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA, United States of America.
4
The Operator selects the Operator’s partners (intermediaries, recipients and third parties) taking into account, among other things, the guarantees of their reliability and professional care in the processing of personal data.
5
If such an obligation arises from the law or a decision of a public authority, the personal data of the Data Subject may also be provided to public authorities or other entities.
Article 7
Privacy Policy when using the Website
1
The Operator also uses the Website when processing the personal data of the Data Subjects.
2
The Website uses cookies. A cookie is a small text file that the Website stores on your computer or mobile device when you browse it. Thanks to this file, the Website stores information about your actions and preferences (such as login name, language, font size and other display settings) for a certain period of time, so you do not have to re-enter them the next time you visit the Website or browse its individual subpages.
3
The Operator uses its own cookies (so-called first party cookies) to optimize the functions of the Website and improve the user experience of the Website visitor, as well as third-party cookies (so-called third party cookies) to display so-called behavioral advertising.
4
The Website also uses so-called short-term cookies, which are automatically deleted from the computer system of the Data Subjects or other end users of the Program Application after the end of using the Internet browser. However, in some cases, so-called long-term cookies may also be processed, which remain on the end user’s device, allowing the Operator to recognize that the Website is being visited again by a given end user’s device, which may, depending on the settings made by the user of the Program Application, be associated, for example, with remembering the preset access password to the Program Application, etc.
5
The Operator informs the Data Subjects and all visitors to the Website that all cookies that the Website may store on the end device of any visitor to the Website can be controlled and deleted. By appropriately setting the Internet browser, it is possible to effectively and completely prevent the use of cookies. Specific information and instructions on the settings of individual types of Internet browsers can be found here: https://www.aboutcookies.org/how-to-control-cookies/ and information necessary to delete cookies from the user’s technical device can be found here: https://www.aboutcookies.org/how-to-delete-cookies/. In general, it can be stated that it is necessary to enable the function in the Internet browser, which is usually referred to as “Protection from tracking”.
6
The Operator informs the Data Subjects that if the Internet browser used by the end user’s device to access and view the content of the Website allows the Website to use cookies, the Operator is entitled to consider this as an expression of valid legal consent of the end user of the technical device in which cookies are stored in accordance with the (draft) Regulation of the European Parliament and of the Council of the EU concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Directive on privacy and electronic communications (hereinafter referred to as the “e-Privacy Regulation”).
7
The Operator informs the Data Subjects that in the case of so-called third-party cookies used to display behavioral advertising, the Website will require the Data Subject to explicitly grant consent before installing these cookies on the end user’s device of the Website.
8
The Operator also uses the Internet analytics service from Google Inc. on the Website, however, the Operator does not process any personal data or other identifiers that can be used to indirectly identify (e.g. IP address) the Data Subjects. However, this does not mean that personal data is not processed in this way by Google Inc., which is the operator of the Google Analytics service. The Operator bears no legal responsibility for the activity of a third party.
9
Google Analytics also uses cookies to analyze your behavior on the Website, which are stored on the end user’s device of the Website (computer, tablet, smartphone). Google anonymizes the part of the IP address associated with the end user’s device of the Website immediately upon collection, thereby strengthening the protection of the Data Subject’s privacy. Google Inc. uses the information obtained during the use of the Website by the Data Subject to evaluate the use of the Website by users, to compile reports on Website activity and to provide the Operator with other services related to Website activity and Internet usage. This data processing by Google Analytics can again be prevented by appropriate settings in the Internet browser in which you install the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=en. Data Subjects or Website users can also prevent the collection of data by Google Analytics by clicking on the following link. After clicking on the link, an opt-out cookie will be stored on the Data Subject’s device, which will prevent future collection of data when visiting the Website.
10
The Operator may also use the Google Analytics service on the Website to generate online advertising through remarketing, i.e. the outputs from the Operator’s marketing communication may also be displayed by different providers of digital services and internet content, including Google Inc, on various websites, which in the future, after the end of the visit to the Website, will be displayed on the device of the end user or the data subject.
11
The Controller also uses Google Analytics reports in order to conduct more effective marketing communication, and may also process demographic characteristics and interests related to Data Subjects (e.g. age, gender, interests) obtained by Google Inc., which may also be used by the Controller. However, when processing data through the use of Google Analytics, the Controller will not process personal data of Data Subjects, because it will not have sufficient identifiers that would allow direct or indirect identification of Data Subjects.
12
Data Subjects using the Website may refuse to display personalized advertising banners by Google via the following link.
13
Data Subjects can find further information about the use of data by Google Inc. in the context of using the Website here: https://www.google.com/policies/privacy/partners/.
14
The Operator informs the Data Subject that if they are logged in to other Internet services from Google Inc. while visiting and using the Website, Google Inc. may process the Data Subject’s personal data. The Operator has no influence or influence on this processing of personal data and does not participate in it in any way.
15
Google Inc. is a third party in the position of an independent controller in connection with the use of the Website by the Data Subject. More information about the current privacy rules adopted by Google Inc. can be found by the Data Subject here: https://www.google.com/policies/privacy/?hl=sk
16
The Website does not use any plug-ins (so-called plug-ins) of the operators of so-called social networks.
Article 8
Downloading software applications from third-party servers
1
The Software Application can be freely downloaded from so-called online stores with applications for smart devices, namely from the App Store and Google Play.
2
The Operator informs the Data Subjects that in the event of downloading the Software Application to the end user’s device of the Software Application from so-called online stores with smart applications pursuant to Article 8, point 1 of this Document, their operators in the capacity of third parties (see Article 6, point 3, letters a) and b) of this Document) (hereinafter referred to as the “App Store and Google Play”) may process the personal data of the Data Subjects completely independently of the Operator. The Operator has no influence on the processing of personal data by the App Store and Google Play. Therefore, the Operator bears no legal responsibility for the processing of personal data by the App Store and Google Play.
3
The App Store and Google Play have their own privacy and data protection policies, which govern them and which also apply to Data Subjects when downloading the Software Application from the App Store and Google Play.
4
More information on the protection of personal data and privacy of the Appstore can be found in Slovak at the following URL: https://www.apple.com/legal/privacy/sk/
5
More information on the protection of personal data and privacy of Google Play can be found in Slovak at the following URL: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=sk
Article 9
Instructions on the rights of the data subject
1
The Operator is concerned about maintaining the integrity and confidentiality of the personal data of the Data Subjects, and therefore strives to ensure their strong security not only through individual, modern technical and organizational security measures, but also through the possibility of exercising the rights of the Data Subject at any time via an electronic request to the email address: info@lexway.company or a written, personally signed request, which will indicate the identity and the right the Data Subject is requesting the Operator to exercise.
2
The Operator informs the Data Subjects that in cases where the legal basis for the processing of personal data is the consent of the data subject (see Article 4, points 3 to 5 and Article 4a of this Document), the Data Subject is entitled to withdraw the consent granted at any time. The Operator allows the Data Subject to withdraw consent to the processing of personal data directly via the Program Application, or also via regular electronic mail delivered to the Operator from the email address registered in the Program Application. In these cases, the provision of personal data by the Data Subject is exclusively voluntary and does not affect the possibility of installing and using the Program Application in any way, however, in the event of withdrawal of certain types of consent by the Data Subject, there may be a partial restriction of services and contractual performance provided by the Operator and/or its business partners (e.g. withdrawal of consent to provide personal data to the Carrier before the start of passenger transportation will make it impossible to perform transportation, etc.).
3
The Operator informs the Data Subjects that in cases where the legal basis is a contractual relationship concluded directly between the Data Subject and the Controller (see Article 4, points 2,3,4 of this Document), it is necessary to provide the Data Subjects with the requested personal data, otherwise it is not possible to use the Program Application.
4
The Operator informs the Data Subjects that in cases where the legal basis is the protection of the rights and legally protected interests of the Data Subject (see Article 4, points 6,7 of this Document), the Data Subjects are entitled to process the related personal data of the Data Subjects without their consent and the Data Subjects are obliged to tolerate this. If the Data Subjects are not willing to accept this processing of personal data, the Operator recommends that they not install and use the Program Application. The Operator, taking into account its interest in a high standard of personal data protection, allows in the case of so-called due diligence purposes of processing personal data Data subjects beyond their legal obligations to individually object to and restrict this processing (for more information, see Article 2, point 16 of this Document).
5
The Controller informs Data Subjects that they can exercise the following rights in writing or electronically:
a) Right to access personal data
The Data Subject has the right to request confirmation from the Controller as to whether or not personal data concerning them are being processed and, if so, to obtain access to such personal data, as well as the right to basic information about the processing of personal data. For this purpose, the Controller may be contacted at any time, in written or electronic form, at the email address: info@lexway.company , or at the address of the registered office of the Controller specified in Article 1, point 1 of this Document.
b) Right to rectification and/or completion of personal data
The data subject has the right to request that the Controller correct inaccurate personal data concerning him/her without undue delay, as well as the right to complete incomplete personal data. For this purpose, the Controller may be contacted at any time, in written form or electronically to the email address: info@lexway.company, or to the address of the Controller’s registered office specified in Article 1, point 1 of this Document.
c) Right to erasure of personal data
The Data Subject has the right to request the immediate erasure of personal data only if:
For this purpose, the Controller may be contacted at any time, in paper form or electronically, at the following email address: info@lexway.company , or to the address of the registered office of the Controller company specified in Article 1, point 1 of this Document, and the Controller will subsequently assess whether there are any exceptions in the given case when it is not necessary to delete the data of the Data Subject even if any of the above conditions are met (e.g. it is necessary for the exercise of legal claims).
d) Right to restriction of processing of personal data
The Data Subject has the right to have the Controller restrict the processing of his/her data (i.e. only store the data, but not process it in any other way) if:
For this purpose, you can contact the Operator at any time, in paper form or electronically at the email address: info@lexway.company, or at the address of the registered office of the Operator’s company specified in Article 1, point 1 of this Document, and we will then assess whether there are any exceptions in your case, when your personal data can be processed in another way, not only by storage.
e) Right to object to the processing of personal data
The data subject has the right to object to the processing of his or her personal data if the legal basis for the processing of his or her personal data is: a) necessary for the performance of a task carried out in the public interest or in the exercise of official authority or b) processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of personal data, in particular where the Data Subject is a child.
If the Data Subject’s data are processed for direct marketing purposes, he or she has the right to object at any time to the processing of personal data to the extent that it is related to such direct marketing.
For this purpose, the Controller can be contacted at any time, in written or electronic form, at the following email address: info@lexway.company , or to the address of the registered office of the Controller company specified in Article 1, point 1 of this Document.
The Controller may process the Personal Data of the Data Subject only if it demonstrates compelling legitimate grounds for processing which override the interests, rights and freedoms or grounds for establishing, exercising or defending legal claims.
Specific instructions on the right to object to the processing of personal data are provided further in Article 10 of this Document.
f) Right to data portability
If the processing of the Data Subject’s personal data is carried out by automated means, based on consent or for the purposes of performing a contract, the Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit these data to another person (the Controller).
g) Right to withdraw consent to the processing of personal data at any time
Last but not least, the Data Subject has the right to withdraw the consent granted to the processing of personal data concerning him or her at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent before its withdrawal. For this purpose, the Data Subject may contact the Controller at any time, in written or electronic form, at the email address: info@lexway.company , or at the address of the registered office of the Controller specified in Article 1, point 1 of this Document.
h) Right to file a complaint with a supervisory authority
The Controller hereby informs the Data Subjects that if they believe that the rights of natural persons have been violated in the processing of personal data or that Act No. 18/2018 Coll. or GDPR has been violated, they may file a motion to initiate proceedings on the protection of personal data with the Office for Personal Data Protection of the Slovak Republic. A sample proposal is published on the website of the Office for Personal Data Protection of the Slovak Republic www.dataprotection.gov.sk.
6
Any request for the exercise of the rights of the data subject under the GDPR and under Act No. 18/2018 Coll. may be submitted in paper form or electronically to the email address: info@lexway.company , or to the address of the registered office of the Controller company specified in Article 1, point 1 of this Document.
7
The Controller informs the Data Subject that when processing a request for the exercise of the rights of the data subject under Act No. 18/2018 Coll. or under the GDPR may ask the requesting Data Subject for reliable verification of their identity, especially if the Data Subject requests the exercise of their right in a manner other than by written letter with a handwritten signature, by e-mail with a reliable electronic signature or in person at the registered office of the Controller (i.e. e.g. in cases of ordinary e-mail requests or telephone calls).
8
Each request for the exercise of the data subject’s right delivered to the Controller will be individually and competently assessed, and the Controller will always inform the requesting Data Subject of the result no later than one month from the receipt of the request. The process of processing a request related to the exercise of the data subject’s right under the GDPR or Act No. 18/2018 Coll. is free of charge. In the event that we do not process your request for the exercise of the data subject’s right in your opinion in accordance with the GDPR or Act No. 18/2018 Coll. you have the option of filing a complaint with the supervisory authority (www.dataprotection.gov.sk) or applying for a judicial remedy directly at the competent general court.
9
In case of any questions regarding the protection of privacy and personal data or information on the content and application, the Data Subjects may contact the Controller at any time via the email address: info@lexway.company
Article 10
Specific information on the right to object to the processing of personal data and automated individual decision-making
1
The Controller, in accordance with Article 21(4) of the GDPR, specifically informs Data Subjects that, in connection with the provision of information society services through the Software Application, they have the right to object to automated individual decision-making pursuant to Article 21 of the GDPR. In addition to the procedure pursuant to Article 10(7) of this Document, Data Subjects are also entitled, in accordance with Article 21(5) of the GDPR, to object to the processing of personal data via a specific functionality integrated directly into the Software Application, which is designated as “Call Support”.
2
The Controller, in accordance with Article 21(4) of the GDPR, specifically informs Data Subjects that, pursuant to Article 21(2) of the GDPR, they have the right to object at any time to the processing of personal data for direct marketing purposes. Data subjects have the right to effectively unsubscribe from the newsletter at any time by unsubscribing or by sending an empty reply to the e-mail sent by the Controller.
Article 11
Profiling of data subjects
1
The Controller may perform so-called profiling within the meaning of Article 4(4) of the GDPR with the personal data of the Data Subjects processed in the Software Application, because the Software Application enables it to determine the geographical position and geolocation of the end device of the Software Application user in real time and the Controller processes data on the current geographical position and movement via GPS coordinates of the end user’s device of the Software Application under the conditions explained in this Article of this Document. By these provisions of Article 12 of this Document, the Controller provides the Data Subjects with meaningful information on the procedure used, as well as the significance and expected consequences of such data processing for the Data Subject.
2
When using profiling, the Software Application does not process any special categories of personal data within the meaning of Article 9(1) of the GDPR.
3
The Operator declares that in this way the Program Application does not track the Data Subjects without their knowledge continuously and systematically at any time, but always exclusively in a causal connection with the ordering and progress of a specific order for personal transport for which the Data Subjects use the Program Application.
4
From the moment of acceptance of the personal transport order until the moment of completion of the ordered transport, the Program Application checks the approximate geographical location of the devices of the end users of the Program Application who are involved in the execution of the ordered personal transport, i.e. from the acceptance of the order, throughout the entire course of the order until the completion of the personal transport, the Program Application tracks the approximate geographical location of the end user device of the Data Subject 1 and/or the Data Subject 2 as well as the Data Subject 3, who actively and passively participate in the personal transport within a separate legal relationship independent of the use of the Program Application. The data generated in this context within the Program Application are stored about the Data Subjects for reasons of user comfort and visibility of data on completed orders until the Program Application is uninstalled from the end user’s device.
5
The functionality of the Software Application explained in Article 12, point 4) of this Document automatically generates the following personal data about the Data Subjects: data on the place and exact time of boarding the vehicle, duration of the journey, route of the journey, data on the place and exact time of the end of the journey. The Operator uses these personal data for the purposes of fulfilling the rights and obligations arising from the contractual relationships concluded separately with the Data Subject 1 and the Data Subject 3, specifically in particular to check the eligibility, correctness and charging of the price for passenger transport charged by the Carrier to the Data Subject 1 and the Data Subject 2 and to check the amount and eligibility of the Operator’s remuneration for each transaction, or. successfully completed passenger transport, which was mediated through the Software Application.
6
The Data Subjects take into account that the processing of personal data explained in Article 12, point 5 of this Document is necessary for the proper performance of the rights and obligations established by the specific contractual relationship concluded between the Data Subjects and the Operator under the applicable General Terms and Conditions and the specific contract concluded with the Operator in the case of Carriers. The Operator emphasizes that the provision of personal data of the Data Subject is voluntary, however, personal data is required for the proper performance of the rights and obligations established by the specific contractual relationship concluded between the Data Subjects and the Operator under the applicable General Terms and Conditions and the specific contract concluded with the Operator in the case of Carriers, and therefore, if they are not provided, it will not be possible for the Operator to properly perform all actions.
7
In connection with the processing of personal data pursuant to this Article of this Document, the Operator informs the Data Subjects that they have the right to human intervention by the Operator’s staff for the purpose of reviewing all decisions with legal effect on the Data Subjects in order to prevent any errors and misunderstandings that would be caused by incorrect operation of the Software Application (e.g. incorrect determination of the price for passenger transportation). In case of doubts about the correctness of the determination of the price of passenger transportation and/or the amount of the contractually agreed remuneration of the Operator, the Data Subjects may request the Operator to review the related decisions of the Software Application in accordance with the procedure set out in Article 9, point 7) of this Document, while they may provide all facts, factual allegations and evidence in support of their statement.
8
The nature of the profiling used by the Software Application does not establish the possibility of exercising the Data Subject’s right to object to automated individual decision-making pursuant to Article 21 of the GDPR.
9
The Controller, in connection with the conclusions of its Data Protection Impact Assessment prepared pursuant to Article 35(3)(a) of the GDPR, has concluded that profiling for the purposes described in this Article of this Document, which is used for the needs of the Software Application, does not result in a high risk to the rights and freedoms of Data Subjects and cannot discriminate against any of the Data Subjects.
Article 12
Responsible person
1
The responsible person is Andrej Boháč, contact details of the responsible person email info@lexway.company, phone +421 94 064 2727 The responsible person is direct contact details on the board will provide information and consultations regarding the rights of the data subject, or other matters related to the protection of personal data when using the Program Application or understanding this Document.
Article 13
Final provisions
1
Before using the Program Application for the first time, the data subjects confirmed that they have familiarized themselves with and agree to the rules and settings for the protection of privacy and personal data set out by the Operator in this Document.
2
In the event that the Data Subjects do not agree or do not sufficiently understand the content or meaning of any part of this Document governing the processing of personal data, the Operator welcomes the substantive reservations and comments of the Data Subject, about which it undertakes to communicate with the Data Subject in order to protect and support their rights and prevent the emergence and aggravation of any risks to the rights and freedoms of the Data Subject that could be caused or affected by the use of the Software Application.
3
The information that the Operator is obliged to provide in connection with the processing of personal data may change continuously or become outdated, and therefore the Operator regularly revises and updates this Document, while the current version of the Document published on the Website always applies. For this reason, the Operator reserves the right to modify this Document to any extent at any time.
In Bratislava on July 28, 2025