In this section, we provide information on the processing and protection of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Act No. 18/2018 Coll. on Personal Data Protection and on amending and supplementing certain acts (hereinafter referred to as: “Personal Data Protection Act”).

The Controller, Xiasha Eastern Europe R&D Center s. r. o., with its registered office at Budovateľská 50, Company ID No. (IČO): 52392449 (hereinafter referred to as the “Controller”), has adopted appropriate technical and organisational measures to ensure the protection of the rights of data subjects, which declare the lawful processing of personal data. The Controller has also introduced a transparent system for recording security incidents and any questions from the data subject, as well as from other persons.

If necessary, the data subject may also obtain individual information by telephone at: +421 908 932 192 or by e-mail at: office@xiasha.eu.

  1. Controller

Xiasha Eastern Europe R&D Center s. r. o.
Budovateľská 50
080 05 Prešov
Company ID No. (IČO): 52392449

We process your data for our own purposes as the Controller. This means that we determine the purpose for which we collect your personal data, determine the means of processing and are responsible for their proper execution.

  2. Processors

In certain cases, the Controller may also process the personal data of data subjects through processors who are entrusted with the processing of personal data in accordance with Article 28 of the GDPR.

Processors process the personal data of data subjects on behalf of the Controller. The processing of personal data through a processor does not adversely affect the exercise and enforcement of the rights of the data subject. The Controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

When processing the personal data of data subjects, the Controller uses the following categories of processors:

  • a supplier ensuring the delivery of technical solutions, web hosting services, maintenance and support of IT systems used by the Controller
  • a supplier ensuring services in the field of accounting and tax obligations of the Controller
  • the parent company (Zhejiang Xiasha Precision Manufacturing Co.,Ltd) for the purposes of order processing, ensuring the production and delivery of goods within the framework of cross-border personal data transfer (further information in Section 6)

Categories of recipients of personal data: persons acting under the authorisation of the controller, legal representative, auditor, state administration bodies and public authorities for the performance of control and supervision.

  3. Purpose of personal data processing

As the Controller, we process personal data exclusively on the basis of a legitimate legal basis and in accordance with precisely defined purposes:

  • Response to an inquiry, suggestion or question submitted by a natural person (e.g. a company representative) by telephone, e-mail, via the contact form on the website or by post: For the purpose of responding to and handling the request of a natural person (who may be acting on behalf of a legal person), we apply the legal basis of Art. 6(1)(f) of the GDPR – the legitimate interest of the Controller. The natural person has the right to object to such processing.
  • Expression of interest in our products and services (e.g. based on information obtained from the website by a natural person who may be a company representative): We process the data of a natural person for the purpose of taking steps prior to entering into a contract (which may be concluded with a legal person represented by the natural person, based on an inquiry initiated via the website or otherwise) – the legal basis is Art. 6(1)(b) of the GDPR.
  • Processing of data within the framework of a contractual relationship with our customers (who may be legal persons) and suppliers (e.g. preparation of an offer, conclusion of contracts, invoicing, provision of services, management of contractual documentation): The processing of personal data of natural persons (e.g. contact persons, statutory representatives of customers or suppliers) is necessary for the performance of a contract pursuant to Art. 6(1)(b) of the GDPR, to which the legal person represented by the data subject is a party, or in order to take steps at the request of that legal person (through its representative) prior to entering into a contract.
  • Processing of data of job applicants: If you respond to a specific job offer published by our company, we process your data on the basis of a pre-contractual relationship pursuant to Art. 6(1)(b) of the GDPR. In the case of inclusion in the database of applicants on the basis of your general interest in working for us, the processing takes place on the basis of your consent pursuant to Art. 6(1)(a) of the GDPR, which you can withdraw at any time.
  • Fulfilment of legal obligations: Processing is necessary for the fulfilment of our legal obligations arising mainly from regulations in the field of accounting, taxes, commercial law, labour law (if relevant) and others, pursuant to Art. 6(1)(c) of the GDPR.
  • Keeping records of contracts, invoices, correspondence and other administration: This is necessary processing related to the proper conduct of our business activities, where the legal basis may be the performance of a contract (Art. 6(1)(b) of the GDPR), a legal obligation (Art. 6(1)(c) of the GDPR) or a legitimate interest (Art. 6(1)(f) of the GDPR – e.g. for archiving purposes or for the possible defence of legal claims; the natural person has the right to object to such processing based on legitimate interest).
  • Keeping records of contacts of business partners (e.g. employees and representatives of companies with whom we cooperate as suppliers or potential or existing customers): For the purpose of ensuring and developing business cooperation, we process personal data (typically business contact details) of natural persons representing our business partners on the basis of a legitimate interest pursuant to Art. 6(1)(f) of the GDPR, or in conjunction with § 78(3) of Act No. 18/2018 Coll. on Personal Data Protection. These data subjects (natural persons) may object to such processing at any time.
  • Marketing activities and promotion of our products and services: We may process personal data of natural persons (e.g. work e-mail address, work telephone number of a company representative, or a photograph or video recording from promotional events) for marketing purposes and the promotion of our products and services. The legal basis for processing is:
    • Legitimate interest of the Controller pursuant to Art. 6(1)(f) of the GDPR – in the case where we approach natural persons (representatives of companies) with whom we have an existing business relationship or contact (i.e. the company they represent is our customer, supplier, or relevant communication has taken place with them), with marketing relating to our products or services that might be relevant to that company. In such a case, the natural person has the right to object to such processing at any time (e.g. by unsubscribing from the newsletter via the link therein).
    • Consent of the data subject pursuant to Art. 6(1)(a) of the GDPR – if a natural person (e.g. a representative of a company that is not yet our customer, or also as a private individual) expresses an interest in receiving our marketing communications (e.g. by subscribing to a newsletter), or if it concerns the processing of data for specific visual purposes (e.g. photographs and video recordings from events in which they participated and consented to their publication). This consent is voluntary and can be withdrawn at any time.

Categories of data subjects:

  • Natural persons acting on behalf of our customers – legal persons (e.g. employees, directors, contact persons of customers who visit the website or otherwise communicate with us on behalf of the customer).
  • Natural persons acting on behalf of our contractual partners – legal persons (e.g. employees, directors, contact persons of suppliers and other business partners).
  • Potential customers – natural persons (visitors to the website who may act in their personal interest or as representatives of companies who contact us based on information from the website).
  • Job applicants.
  • Employees and associates (if relevant for external information).
  • Other natural persons communicating with the Controller (e.g. via the contact form, e-mail, who may or may not be acting on behalf of a legal person).
  • Natural persons as participants in marketing activities (e.g. newsletter subscribers, competition participants, who may be representatives of companies or acting as private individuals).

Scope of personal data processed:

  • Identification data of a natural person: name, surname, job position (if provided or relevant).
  • Contact details of a natural person: work e-mail address, work telephone number, work address (if relevant for communication or potential meetings), or private contact details if provided by the data subject for this purpose.
  • Data about the legal person represented by the natural person: company name, Company ID No. (IČO), Tax ID No. (DIČ) (these are not personal data but are processed in context with the personal data of its representative).
  • Data related to business relationships with the legal person represented by the natural person: data from contracts, invoicing data, payment data (to the extent necessary for payment identification), data on inquiries and offers.
  • Content of communication with a natural person: e-mails, letters, messages from contact forms, online chat records (if used).
  • Data necessary for the fulfilment of legal obligations.

  4. Period of processing and retention of your personal data

We also process your personal data, which we have processed or are processing pursuant to Art. 6(1)(b) of the GDPR within the framework of fulfilling the Controller’s obligations, for the purpose of fulfilling our legal obligations regarding taxes and accounting. These obligations arise from generally binding legal regulations, such as Act No. 431/2002 Coll. on Accounting, as amended, or Act No. 595/2003 Coll. on Income Tax and Act No. 563/2009 Coll. on Tax Administration. We must retain the data for the period stipulated by these legal regulations. We adhere to the principle of data retention minimisation pursuant to Art. 5(1)(e) of the GDPR, and therefore your personal data that are not subject to archiving under special legal regulations will be erased or anonymised.

We process personal data on the basis of consent granted pursuant to Art. 6(1)(a) of the GDPR, for example for the purpose of sending current marketing news, for a period of 3 years or until the consent is withdrawn. If the end of the data processing period is approaching, we will contact the data subject with the option to renew and extend the consent for a further processing period. If the data subject does not grant consent or does not respond to the contact, we will cease processing the personal data – we will automatically remove them from the records, technically erase electronic data from systems and shred physical documents.

Personal data processed on the basis of a legitimate interest pursuant to Art. 6(1)(f) of the GDPR, which were obtained in response to an inquiry, suggestion or question for the purpose of providing feedback to the data subject, or if the processing was objected to, are erased without undue delay, unless they were subsequently transferred to a pre-contractual or contractual relationship.

As the Controller, we will ensure the erasure of personal data without undue delay after:

  • all contractual relationships between you and us as the Controller have been terminated; and/or
  • all your obligations towards the Controller have ceased; and/or
  • all your complaints and requests have been settled; and/or
  • all other rights and obligations between you and us as the Controller have been settled; and/or
  • all purposes of processing established by legal regulations or purposes of processing for which you have given us consent have been fulfilled, if the processing was based on the consent of the data subject; and/or
  • the period for which the consent was granted has expired or the data subject has withdrawn their consent; and/or
  • the data subject’s request for erasure of personal data has been complied with and one of the reasons justifying compliance with this request has been met; and/or
  • the decisive legal fact for the termination of the purpose of processing has occurred and the protective retention period, defined with regard to the principle of minimising the data retention period, has also expired;
  • and at the same time, the legitimate interest of the Controller no longer exists, all obligations established by generally binding legal regulations that require the retention of the data subject’s personal data (especially for archiving purposes, tax audits, etc.), or which could not be fulfilled without their retention, have ceased.

Any accidentally obtained personal data will in no case be further systematically processed by us for any purpose defined by us. If possible, we will inform the data subject to whom the accidentally obtained personal data belong about their accidental acquisition and, depending on the nature of the case, provide them with the necessary cooperation leading to the restoration of control over their personal data. Immediately after these necessary actions aimed at resolving the situation, all accidentally obtained personal data will be disposed of securely without undue delay.

If you are interested in further information about the specific retention period of your personal data, please contact us using the contact details provided.

  5. Disclosure of data

Our company does not arbitrarily disclose obtained personal data under any circumstances.

  6. Cross-border transfer of personal data and automated decision-making, including profiling

Automated individual decision-making and profiling

We do not use automated individual decision-making or profiling when processing your personal data.

Cross-border transfer of personal data outside the European Union (EU) / European Economic Area (EEA)

Your personal data (to the extent of contact and identification data of natural persons acting on behalf of our customers – legal persons, such as name, surname, work e-mail address, work telephone number, customer’s company name, delivery address) may be transferred to a third country outside the EU/EEA, specifically to the People’s Republic of China.

This transfer is carried out for the purpose of:

  • Processing your order placed with our Slovak company.
  • Ensuring the production and/or completion of the ordered goods.
  • Ensuring logistics and delivery of goods to the address specified by you.

Since the People’s Republic of China is not a country for which the European Commission has issued an adequacy decision regarding the level of personal data protection, such a transfer is carried out only subject to the provision of appropriate safeguards in accordance with Article 46 of the GDPR.

Our company ensures the protection of transferred personal data through standard contractual clauses approved by the European Commission. These clauses are concluded between our company (Xiasha Eastern Europe R&D Center s. r. o. as the controller and data exporter) and the data recipient in the People’s Republic of China, which is our parent company Zhejiang Xiasha Precision Manufacturing Co.,Ltd, with its registered office at 389 Rong ji Road, Luo Tuo industrial Zone, Ningbo, 315202, China (hereinafter referred to as the “recipient in the third country”), which in this relationship acts as a processor and data importer. These clauses oblige the recipient in the third country to maintain an adequate level of personal data protection comparable to that within the EU/EEA. Further information about our parent company can be found on the website: https://www.chinaxiasha.com/.

You have the right to obtain a copy of these standard contractual clauses or information on where they have been made available, upon request addressed to our company (Xiasha Eastern Europe R&D Center s. r. o.) using the contact details provided in this document (see section Controller’s contact details – e.g. e-mail: office@xiasha.eu, telephone: +421 908 932 192).

In certain specific cases, if standard contractual clauses were not applicable, the transfer may also be based on derogations under Article 49 of the GDPR, for example, if the transfer is necessary for the performance of a contract concluded in your interest (as a customer’s representative) between our company and our partner in China (Art. 49(1)(c) of the GDPR), for the purpose of delivering the goods you ordered. You would be appropriately informed about such a procedure.

  7. Rights and obligations of the data subject

The data subject is obliged to provide only complete and truthful data. The data subject undertakes to update their data in the event of a change, at the latest before the first order following the occurrence of the change is processed. The data subject undertakes that if they provide the personal data of a third person (name, surname, telephone number), they do so only with their consent and the data subject is familiar with the procedures, rights and obligations set out on this page.

As a data subject, you have the right, to the extent specified, to decide on the handling of your personal data. You can exercise these rights in person at the Controller’s registered office or by telephone – in writing (by post / e-mail). We will try to respond to you as soon as possible, but we will always respond to you no later than 30 days from the receipt of your request. Applicable legal regulations and the GDPR, or the Act, provide you in particular with:

Right of access – You have the right to request confirmation from us as to whether your personal data are being processed, and if so, to obtain a copy of this data and additional information arising from Art. 15 of the Regulation, or § 21 of the Act. If we obtain a large amount of data about you, we may request that you specify your request for the range of specific data we process about you.

Right to rectification – In order for us to continuously process only current personal data about you, we need you to notify us of any changes as soon as they occur. If we process incorrect data about you, you have the right to request their rectification.

Right to erasure – If the conditions of Article 17 of the Regulation (referred to as Article 14 in the Slovak text, which is likely a typo for Article 17 ‘Right to erasure / right to be forgotten’), or § 23 of the Act, are met, you may request the erasure of your personal data. You can therefore request erasure, for example, if you have withdrawn your consent to the processing of personal data and there is no other legal basis for processing, or if we process your personal data unlawfully, or the purpose for which we processed your personal data has ceased and we are not processing them for another compatible purpose. However, we will not erase your data if they are necessary for the establishment, exercise or defence of legal claims.

Right to restriction of processing – If the conditions of Article 18 of the Regulation, or § 24 of the Act, are met, you may request that we restrict the processing of your personal data. You can therefore request restriction, for example, while you are objecting to the accuracy of the processed data or if the processing is unlawful and you do not wish us to erase the data, but you need their processing to be restricted while you exercise your rights. We will continue to process your data if there are reasons for the establishment, exercise or defence of legal claims.

Right to data portability – If the processing is based on your consent or carried out for the purpose of performing a contract concluded with you and at the same time carried out by automated means, you have the right to receive your personal data, which we have obtained from you, in a commonly used and machine-readable format. If you are interested and it is technically possible, we will transfer your personal data directly to another controller. This right cannot be exercised for processing carried out for the performance of a task carried out in the public interest or in the exercise of official authority.

Right to object to processing – If we process your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or if the processing is carried out on the basis of our legitimate interests or the legitimate interests of a third party, you have the right to object to such processing. Based on your objection, we will restrict the processing of personal data and, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, we will no longer process the personal data and will erase your personal data. You have the right to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. After raising an objection, we will no longer process your personal data for this purpose.

Right to lodge a complaint – If you believe that the processing of your personal data is contrary to the Regulation, or the Act, you have the right to lodge a complaint with one of the competent supervisory authorities, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. For the territory of the Slovak Republic, the supervisory authority is the Office for Personal Data Protection, with its registered office at: Hraničná 4826/12, 820 07 Bratislava, Slovak Republic, web: www.dataprotection.gov.sk, tel.: +421 /2/ 3231 3220. (Translator’s note: The Slovak DPA address provided in the original Slovak document in Section 8 is outdated. The address Hraničná 12, 820 07 Bratislava 27 is the current one. The address Hraničná 4826/12, 820 07 Bratislava is also used by the DPA and appears more recent than the one in Section 8 of the original document. Please verify the DPA’s current contact details.)

Right to withdraw consent – If the processing of your personal data is based on consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the processing already carried out. If you later decide that you are interested in receiving commercial and marketing offers about our products and services from us again, you can grant your withdrawn consent (or submitted objection) again at any time, in any of the above-mentioned forms of contact.

  8. Contact details of the Office for Personal Data Protection

(Translator’s note: The contact details below are as provided in the original Slovak document. The address for the Slovak DPA has changed. Please verify the current and correct contact details for the Úrad na ochranu osobných údajov Slovenskej republiky from their official website www.dataprotection.gov.sk before using this section.)

Office for Personal Data Protection of the Slovak Republic
Address:
Park one Building
Námestie 1.mája 18
811 06 Bratislava
Slovak Republic
Company ID No. (IČO): 36 064 220

Filing office:
Monday – Thursday: 8:00 – 15:00
Friday: 8:00 – 14:00

Telephone consultations in the field of personal data protection: Tuesday and Thursday from 8:00 to 12:00 +421 2 323 132 20
Secretariat of the President of the Office +421 2 323 132 11
Secretariat of the Office +421 2 323 132 14
Fax: +421 2 323 132 34

Spokesperson:
mobile: 0910 985 794
e-mail: hovorca@pdp.gov.sk

E-mail:
a) general: statny.dozor@pdp.gov.sk
b) for providing information according to Act No. 211/2000 Coll.: info@pdp.gov.sk
c) website: webmaster@pdp.gov.sk
d) for submitting requests for information according to Act No. 211/2000 Coll. on Free Access to Information, use the online form.
e) e-mail address through which the Office will provide you with advice in the field of personal data protection. It is intended for children, youth, students, teachers, parents who suspect that their personal data have been misused: ochrana@pdp.gov.sk