Privacy Policy
Schenker S.R.O.
-
This personal data protection policy (hereinafter referred to as the "Policy") contains information about the processing of your personal data by SCHENKER s. r. o., with its registered office at Kopčianska 94, 851 01 Bratislava, Company ID No.: 31 327 222, a company registered in the Commercial Register of the District Court Bratislava III, Section: Sro, file no. 3041/B (hereinafter referred to as the "Controller"), which occurs in the course of the Controller's business activities.
Through this Policy, the Controller provides you with information about why your personal data is processed, how it is processed, how long the Controller stores it, what your rights are in relation to the processing of your personal data, and other relevant information about the processing of your personal data. Through this Policy, the Controller fulfils its information obligation towards all data subjects, both in cases where the Controller has obtained personal data directly from you as the data subject and in cases where it has obtained your personal data from another source.
The Controller processes your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "Regulation"), relevant Slovak legislation, in particular Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts (hereinafter referred to as the "Act") and other regulations on personal data protection (the Regulation, the Act and other regulations on personal data protection hereinafter collectively referred to as the "Personal Data Protection Regulations").
You can contact the Controller and its responsible person in matters relating to the processing of your personal data at SCHENKER s.r.o., Kopčianska 94, 851 01 Bratislava 5, by email at the general email address sk.dl.bts.zodpovednaosoba@dbschenker.com or by telephone at +421 2 68293 337.
-
The controller processes your personal data only for legitimate purposes, for a limited period of time and with the maximum possible level of security. We process your personal data in accordance with the principle of lawfulness, i.e. only if there is an adequate legal basis for their processing under Article 6(1) of the Regulation, specifically on the basis of the following legal bases:
IN CONNECTION WITH THE CONTROLLER'S BUSINESS ACTIVITIES:
Purpose of processing
Processing of accounting documents
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations: Act No. 431/2002 Coll. on Accounting, as amended, Act No. 595/2003 Coll. on Income Tax, as amended, Act No. 222/2004 Coll. on Value Added Tax, as amended, Act No. 311/2001 Coll. Labour Code, as amended
Categories of personal datacommon personal data necessary for the fulfilment of legal obligations (name, surname, address of residence/place or registered office, address for service delivery, contact details - telephone number, e-mail address, bank details), other personal data necessary for the processing of accounting records
Retention period
10 years following the year to which they relate
Purpose of processing
Processing of documents in accordance with the Controller's filing rules and filing plan, including the processing of received and sent mail
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations: Act No. 395/2002 Coll. on archives and registries and on amendments to certain acts, as amended Act No. 305/2013 Coll. on the electronic form of the exercise of public authority powers and on amendments to certain acts (e-Government Act), as amended
Categories of personal dataCommon personal data
Retention period
Post - 5 years following the year to which they relate, other records forming the registry within the meaning of the relevant provisions of Act No. 395/2002 Coll. on archives and registries and on amendments to certain acts, as amended
Purpose of processing
Fulfilment of the Controller's contractual obligations (based on contracts concluded with suppliers, customers of goods and services, other business partners and clients who are natural persons, and records of service orders), including the implementation of pre-contractual relationships (handling enquiries, accepting orders, making payments, etc.)
Legal basis
Article 6(1)(b) of the Regulation – processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract
Categories of personal datacommon personal data (name, surname, date of birth, address of residence/registered office/place of business/billing address, affiliation/position in the company that is the customer, contact details – telephone number, email address)
Retention period
during the term of the contractual relationship and after its termination until the complete settlement of contractual and other claims arising from the contractual relationship (usually until the expiry of the limitation periods) or until the termination of the status of a specific natural person as a representative of a legal entity; at the latest until the complete settlement of legal and other claims arising from the contractual relationship
Purpose of processing
Records of contracts with the Controller's suppliers/customers,
Records of suppliers,
Records of clients/customers,
Conducting business communication with representatives of suppliers/customers
Legal basis
Article 6(1)(f) of the Regulation – personal data processing is carried out on the basis of the controller's legitimate interest, which is the need to keep records of suppliers, business partners and clients of the controller, or their contact persons in contractual relationships for the proper fulfilment of contractual obligations, the possible assertion of legal claims and the maintenance of appropriate business communication
Categories of personal datacommon personal data
Retention period
5 years following the year in which the contract expired/supplier status ended/service was provided to the client
Purpose of processing
Customs declaration and related services
Legal basis
Article 6(1)(b) of the Regulation – processing is necessary for the performance of a contract and the implementation of pre-contractual relations
Categories of personal data
Standard personal data necessary for the performance of contractual obligations
Retention period
5 years following the year in which the contract expired
Purpose of processing
Processing of personal data for the purpose of delivering the transported shipment and verifying the identity of the person to whom the transported shipment is delivered or from whom it is collected, for the purpose of recording the entities to which the shipment is delivered and proving the delivery of the transported shipment
Legal basis
Article 6(1)(f) of the Regulation - the legitimate interest is to deliver and prove delivery of the transported shipment - fulfilment of the controller's contractual obligation
Categories of personal data
common personal data (contact details)
Retention period
10 years following the year to which they relate
Purpose of processing
Processing of personal data for the purpose of registering suppliers' employees and verifying their employment conditions in accordance with specific regulations
Legal basis
Article 6(1)(f) of the Regulation – the legitimate interest is to verify the terms and conditions of employment on the part of suppliers in order to prevent the controller from being liable for any damages/penalties
Categories of personal data
Common personal data
Retention period
5 years following the year to which they relate
Purpose of processing
Handling complaints and keeping records of complaints submitted
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations: Act No. 513/1991 Coll. Commercial Code, as amended, Act No. 40/1694 Coll. Civil Code, as amended
Categories of personal datacommon personal data necessary for the fulfilment of legal obligations
Retention period
pursuant to Act No. 513/1991 Coll. Commercial Code, pursuant to 40/1694 Coll. Civil Code (4 years following the date of filing a complaint, in the case of natural persons - non-entrepreneurs 3 years following the date of filing a complaint, or in both cases until the complete settlement of claims arising from the complaint, or until the expiry of the limitation periods specified in the relevant legal regulations)
Purpose of processing
Conducting judicial and administrative proceedings
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations: relevant legislation in the field of civil, criminal and administrative proceedings
Categories of personal data
Standard personal data necessary for compliance with legal obligations
Retention period
For the duration of the relevant proceedings and until the expiry of the limitation periods (unless otherwise provided for by the relevant legislation)
Purpose of processing
Exercising the rights of data subjects
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations: Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts
Categories of personal dataStandard personal data included in the application
Retention period
until the exercised rights are fulfilled
Purpose of processing
Records of the rights exercised by data subjects and the manner in which those rights were exercised
Legal basis
Article 6(1)(f) of the Regulation – processing of personal data based on the legitimate interest of the controller, which is the need to record the rights exercised by data subjects in order to demonstrate compliance with obligations under relevant personal data protection legislation
Categories of personal datastandard personal data included in the application
Retention period
5 years from the date of exercising the right or other request submitted
Purpose of processing
Transfer for administrative purposes within the group of companies
Legal basis
Article 6(1)(f) of the Regulation – the legitimate interest of the controller lies in the need to ensure the necessary transfer of information, including personal data, within the group of companies of which the controller is a member for administrative purposes, with the transfer being carried out in particular for the following purposes: improving the provision of services to the controller's clients, performing controls, the controller's business activities, processing the controller's accounts, and information security and information technology services
Categories of personal data
common personal data
Retention period
for the duration of the employment relationship, position in the Controller's company or contractual relationship, no more than 3 years after the end of the employment relationship or contractual relationship
Purpose of processing
Verification of business partners
Legal basis
Article 6(1)(f) of the Regulation – the legitimate interest is to verify business partners in order to prevent fraud, terrorist activities, etc. - Council Regulation (EC) No 2580/2001 on specific restrictive measures directed against certain persons and entities with a view to combating terrorism Council Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban
Categories of personal data
First name, surname, permanent residence/registered office, country of permanent residence/registered office
Retention period
For the duration of the contractual relationship
Purpose of processing
Verification of clients and end users of client benefits
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations, Act No. 297/2008 on the prevention of legalisation of proceeds from criminal activity and on the prevention of terrorist financing and on amendments to certain acts
Categories of personal data
data necessary for the identification and verification of the identity of the persons concerned
Retention period
5 years from the execution of the transaction or from the termination of the contractual relationship with the client
Purpose of processing
Verification of reports pursuant to Act No. 307/2014 Coll. on certain measures related to the reporting of anti-social activity and on amendments to certain acts, as amended
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations
Categories of personal data
common personal data necessary for the fulfilment of legal obligations
Retention period
120 days from the date of receipt of the request
Purpose of processing
Recording of reports pursuant to Act No. 307/2014 Coll. on certain measures related to the reporting of anti-social activity and on amendments to certain acts, as amended
Legal basis
Article 6(1)(c) of the Regulation – compliance with legal obligations
Categories of personal data
common personal data necessary for the fulfilment of legal obligations
Retention period
3 years from the date of receipt of the request
PRESENTATION ACTIVITIES
Purpose of processing
Sending information about the Controller's activities and its own services (direct marketing to existing and former clients)
Legal basis
Article 6(1)(f) of the Regulation - processing is carried out on the basis of the legitimate interest of the controller, which is the interest in maintaining the existing clientele and informing them about the controller's current services
Categories of personal data
first name, surname, e-mail, telephone number
Retention period
for one year from the date of termination of the contractual relationship or until unsubscribing, whichever occurs first
Purpose of processing
Direct marketing – potential clients
Legal basis
Article 6(1)(a) of the Regulation - personal data processing is carried out on the basis of the consent of the data subject
Categories of personal data
General personal data, contact details
Retention period
5 years following the year in which consent was given or until consent is withdrawn
Purpose of processing
Responding to messages and handling enquiries/requests from messages sent to the Controller via email, social media messages or telephone
Legal basis
Article 6(1)(f) of the Regulation – personal data processing is carried out on the basis of the legitimate interest of the Controller, which is to respond to messages received for the proper conduct of business communication, to improve the quality of services provided and to acquire new clients.
Categories of personal data
name, surname, e-mail, telephone number, other data specified in the message
Retention period
60 days from the date of receipt of the request or until it is processed (purpose fulfilled), whichever occurs first
SECURITY MEASURES
Purpose of processing
Protection of the Controller's property, protection of life and health, prevention of unlawful acts in monitored areas and their detection in the event of their occurrence
Legal basis
Article 6(1)(f) of the Regulation - The legitimate interest lies in the Controller's need to ensure: sufficiently effective protection of the Controller's property, protection of the life and health of persons in the monitored areas, a preventive measure to prevent the occurrence of any illegal activities that may occur in the monitored areas, an effective means of investigating illegal activities in the event that illegal activities occur in the monitored areas.
Categories of personal data
image portraits and expressions of a personal nature captured by the camera system
Retention period
30 days from the date of creation of the CCTV recording, except in cases where, in accordance with the relevant legal regulations, the relevant part of the CCTV recording is cut out and handed over to the authorities responsible for dealing with criminal offences or misdemeanours (police or municipal police) or to the courts in accordance with the relevant legal regulations
Purpose of processing
Keeping records of one-time entries into the Controller's premises (administrative building, warehouse, canteen, etc.)
Legal basis
Article 6(1)(f) of the Regulation – the legitimate interest is to protect the Controller's property when third parties enter the Controller's premises
Categories of personal data
name, surname and ID card/passport number, vehicle registration number, type and colour of vehicle, signature
Retention period
1 year following the year to which they relate
Purpose of processing
Keeping records of regular entries to the Controller's premises (driver cards, contractual partners parking on the premises, other suppliers, etc.)
Legal basis
Article 6(1)(f) of the Regulation – the legitimate interest is to protect the Controller's property when third parties enter the Controller's premises
Categories of personal data
name, surname and ID card/passport number, branch, department, job title, vehicle registration number, signature, photograph, ID card/passport expiry date
Retention period
1 year following the year to which they relate
IN RELATION TO JOB APPLICANTS:
Purpose of processingConducting a selection process (ensuring the selection of new employees)
Legal basisArticle 6(1)(b) of the Regulation – processing is necessary for the performance of a contract and the implementation of pre-contractual relations
Categories of personal dataname, surname, e-mail, work experience details, other personal data provided in the CV and/or cover letter
Retention periodduring the selection process, no later than 60 days from the date of receipt of the CV and/or cover letter, if no employment relationship or similar labour-law relationship is established
Purpose of processingKeeping records of unsuccessful job applicants for the purpose of contacting them in the future
Legal basisArticle 6(1)(a) of the Regulation - the processing of personal data is carried out on the basis of the consent of the data subject
Categories of personal dataname, surname, e-mail, work experience details, other personal data provided in the CV and/or cover letter
Retention periodfor a period of 1 year from the date of consent or until its revocation, whichever occurs firstThe controller only processes personal data that is necessary for the processing operation (purpose of processing), always in accordance with the principle of minimisation so that we comply with contractual and legal requirements or so that we only process personal data for which we have a legitimate interest, always to the extent necessary to fulfil the specified purpose of processing. This means that we do not require personal data from you that is not necessary for a specific processing purpose.
The Controller always stores personal data in accordance with the principle of storage minimisation. This means that personal data is processed only for as long as it is necessary to store it. After this period, the Controller will delete the personal data, unless otherwise provided by law. The Controller has determined the retention period for your personal data in accordance with the relevant legal regulations, as specified above in the table of purposes.
-
We obtain your personal data directly from you as the data subject if you provide it to us (when contacting us via the website, in business communications, when entering into a contractual relationship with the Controller, when applying for a job). As a service provider, we also have personal data of employees, contractual partners and other persons provided to us by our clients. In such cases, we act as an intermediary and the personal data controller (client/contractual partner) fulfils its obligations under the Regulation directly towards the data subjects.
If, in certain cases, you do not provide us with your personal data as the Controller when processing personal data, we, as the Controller, will not be able to provide you with a service, conclude a contract with you, respond to your message, include you among job applicants, etc.
-
In certain cases, the Controller is obliged to provide your personal data to public authorities that are authorised to process your personal data, e.g. courts, law enforcement authorities, tax authorities, the Office for Personal Data Protection, and other authorised entities.
The Controller also provides your personal data to its processors, i.e. external entities that process your personal data on behalf of the Controller. Processors process personal data on the basis of a contract concluded with the Controller, in which they undertake to take appropriate technical and security measures to ensure the secure processing of your personal data. The Controller's processors include, for example:
- an intermediary providing accounting services,
- an intermediary providing IT services,
- a processor providing hosting and mail hosting services,
- a processor providing marketing and newsletter delivery services,
- an intermediary providing security services.
We also provide some of your personal data to our parent company, Schenker Aktiengesellschaft, with its registered office at Alfredstraße 81, Essen, North Rhine-Westphalia 451 30, Federal Republic of Germany, as well as to companies in the group of companies to which our company belongs. We do this on the basis of our legitimate interest in accordance with Recital 48 of the Regulation.
The recipients of your personal data also include Google Ireland Limited, which provides analytical and marketing services through cookies stored on your device by the Controller's website.
-
In some cases, your personal data may be transferred to third countries, to the USA:
- Meta Inc. and LinkedIn Corporation, for example, if you contact the Controller via a message on the relevant social network.
The transfer of your personal data is secured by appropriate means of securing the transfer of personal data to third countries in accordance with the Personal Data Protection Regulations, in particular through the use of standard contractual clauses that are part of the terms of use of the above-mentioned services, as well as through additional transfer guarantees accepted by the providers of the above-mentioned services. Transfers may only take place in exceptional cases, based on the relevant legislation in force in the third country (USA) applicable to the aforementioned service providers (FISA).
-
When processing your personal data, the controller does not use profiling and does not process personal data in any form of automated individual decision-making that would involve the evaluation of your personal aspects.
-
In connection with the processing of your personal data, you have the following rights as a data subject:
Right of access - As a data subject, you have the right to obtain confirmation from the Controller as to whether your personal data is being processed and, if so, you have the right to access this personal data and information in accordance with Article 15 of the Regulation. The Controller will provide you with a copy of the personal data being processed. If you submit your request electronically, the Controller will provide you with the information in a commonly used electronic form, unless you request otherwise.
Right to rectification - The Controller has taken appropriate measures to ensure the accuracy, completeness and timeliness of your personal data. As a data subject, you have the right to have the Controller rectify your inaccurate personal data or complete your incomplete personal data without undue delay.
RIGHT TO OBJECT
You have the right to object to the processing of personal data, for example, if the Controller processes your personal data on the basis of a legitimate interest or in the course of processing that involves profiling. If you object to such processing of personal data, the Controller will no longer process your personal data unless it can demonstrate compelling legitimate grounds for further processing of your personal data.
Right to erasure (right to be forgotten) - You also have the right to obtain from the Controller the erasure of your personal data without undue delay if certain conditions are met, for example if the personal data are no longer necessary for the purposes for which the Controller obtained or processed them. However, this right must be assessed on a case-by-case basis, as there may be situations where other circumstances prevent the Controller from erasing personal data (e.g. the Controller's legal obligation). This means that in such a case, the Controller will not be able to comply with your request to erase your personal data.
Right to data portability - Under certain circumstances, you have the right to transfer your personal data to another controller of your choice. However, the right to data portability only applies to personal data that the Controller processes on the basis of your consent, on the basis of a contract to which you are a party, or where the Controller processes personal data by automated means.
RIGHT TO WITHDRAW CONSENT
If the Controller processes your personal data on the basis of your consent, you have the right to withdraw your consent at any time in the same manner as you gave it. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal of consent.
Right to restrict processing - You also have the right to have the Controller restrict the processing of your personal data. This will be the case, for example, if you contest the accuracy of the personal data or if the processing is unlawful and you request the restriction of processing, or if the Controller no longer needs your personal data for the purposes of processing, but you need it to prove, exercise or defend legal claims. The Controller will restrict the processing of your personal data if you request it.
Right to lodge a complaint or suggestion - If you feel that your personal data is being processed in violation of applicable law, you may lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection of the Slovak Republic, with its registered office at Námestie 1.mája 18 (Park One Building), 811 06 Bratislava; website: dataprotection.gov.sk, tel. number: 02 3231 3214; e-mail: statny.dozor@pdp.gov.sk
You can exercise your rights listed in the table above against the Controller via the contact addresses listed at the beginning of this document. The Controller will provide you with a response to the exercise of your rights free of charge. In the event of repeated, unjustified or disproportionate requests to exercise your rights, the Controller is entitled to charge a reasonable fee for providing the information. The Controller will provide you with a response within one month of the date on which you exercised your rights. In certain cases, the Controller is entitled to extend this period, in the event of a high number and complexity of requests from data subjects, but by no more than 2 months. The Controller will always inform you of any extension of the period.
-
This Policy is valid and effective from 1 December 2025. Given that the information on the processing of personal data contained in this Policy may need to be updated in the future, the Controller is entitled to update this Policy at any time. In such a case, however, the Controller will inform you in an appropriate manner.