Center za informiranje, sodelovanje in razvoj nevladnih organizacij

Späť

INFORMATION ON THE PROCESSING OF PERSONAL DATA
IN CONNECTION WITH THE GRANT / SUBSIDY CALL
(hereinafter the “Information”)

Information provider:

This Information is provided by , with registered office at: , , postal code: , Company ID No.: , registration: (hereinafter the “Controller”), as the announcer of the call for the submission of applications for the provision of a subsidy / grant (hereinafter the “Call”).

This Information applies to all Calls of the Controller published in the eGRANT information system.

This Information concerns you if:

● you are a natural person and you (or someone on your behalf) submit an application for a subsidy / grant under the Call via the eGRANT information system, or you are a natural person who, on behalf of a legal person or another natural person – an applicant for a subsidy / grant – submits or cooperates in submitting such an application (hereinafter the “Applicant”),
● you are a natural person designated by the announcer to administer applications for a subsidy / grant in the eGRANT information system (hereinafter the “Manager”),
● you are a natural person designated as an evaluator of applications for a subsidy / grant submitted via the eGRANT information system (hereinafter the “Evaluator”),
● you are a natural person who, by casting a vote via the eGRANT system, expresses support for one or more projects applying for a subsidy / grant under the Call (hereinafter the “Voter”).

Who can you contact if you have questions, requests or suggestions regarding privacy and personal data protection?

You can contact the Controller with requests, questions, suggestions and comments:

● in writing at: ,
● by e-mail at:
● by phone at:

The Controller collects the personal data set out below:

Regarding the Applicant, the Controller processes in particular the following personal data:

● registration data (for registration on the subsidy portal) – login data, programme name, e-mail, first name and surname, data on confirmation of having read this Information, etc.,
● data on the submitted application – information on the project for which the Applicant is requesting support, in particular its title, description, budget and other data entered or attached as annexes in the eGRANT information system,
● data on the status of the application – whether it is in draft, submitted, complete, approved or rejected, whether it has or has not been accounted for, how it was evaluated by the Evaluators, etc.,
● data about the possible conclusion and performance of a contract on the provision of a subsidy based on the approved application,
● data disclosed in public registers, for example in the Commercial Register, the Trade Register, the Register of Tax Debtors, etc.

The purpose of the Call may also be to provide financial resources to support natural persons in a difficult social situation or for a similar purpose. In such a case, for the purpose of assessing and processing the application, special categories of personal data of the Applicant may also be processed to the necessary extent, for example personal data revealing racial or ethnic origin, religious or philosophical beliefs, data concerning health or data on integrity (clean criminal record).

Most of the information about the Applicant is obtained by the Controller directly from the Applicant via the registration form, the application form, the accounting / settlement form in the eGRANT information system, or via other forms. The Applicant is obliged to complete the data marked in these forms as mandatory; otherwise, it is not possible to register the Applicant or to submit an application for a subsidy / grant under the Call. If the Applicant enters incorrect or incomplete data, this may, depending on the circumstances, have various adverse consequences ranging from the impossibility to log in to the system, through the impossibility to submit or evaluate the application, non-approval or rejection of the application, the obligation to return the granted subsidy, to damage caused to the Applicant, the Announcer or another person, which will have to be compensated. In the case of deliberate provision of false data, criminal liability cannot be excluded.

The Controller obtains other data about the Applicant, in particular information on the status of the application and its evaluation, from its own activities, or from the activities of Managers and Evaluators (e.g. by submitting an evaluation).

As part of its own activities, the Controller may also obtain personal data of the Applicant to the necessary extent from public registers, such as the Commercial Register, the Trade Register, the Register of Tax Debtors, etc., as well as from other registers to which the Controller has lawful access. For example, if the Controller is a municipality providing subsidies, it has the right and obligation to verify certain facts in the relevant information systems of public administration, such as whether the Applicant has settled its financial obligations towards the state, etc.

In this context, the Controller will use access to the TRANSPAREX system database, which collects and processes data from public sources. The TRANSPAREX system is operated by ProWise, a.s., with registered office at: Nobelova 12/B, 831 02 Bratislava, Company ID No.: 51 871 998. Information on the processing of personal data of data subjects by this controller is available on its website: https://www.transparex.sk/privacy/gdpr-database.

Regarding the Manager, the Controller processes in particular the following personal data:

● identification and contact data – first name, surname, position at the Controller, contact e-mail / phone number, login data to the eGRANT information system, etc.,
● log files of the eGRANT information system relating to actions performed by the Manager in the system,
● data on confirmation of having read this Information, on acceptance of the obligation of confidentiality and on acceptance of the obligation to follow the instructions of the Announcer.

The Controller obtains personal data about the Manager from the Manager or from the Controller’s own activities and from the log files of the eGRANT information system. If the Manager provides incorrect data to the Controller, this may have various consequences, such as the impossibility to log in to the information system or the occurrence of damage.

Regarding the Evaluator, the Controller processes in particular the following personal data:

● identification and contact data – first name, surname, contact e-mail / phone number, login data to the eGRANT information system, etc.,
● records of the Evaluator’s assessments of individual applications for a subsidy / grant,
● data on confirmation of having read this Information, on acceptance of the obligation of confidentiality and on acceptance of the obligation to follow the instructions of the Announcer.

The Controller obtains personal data about the Evaluator from the Evaluator or from the Controller’s own activities and from the log files of the eGRANT information system (for example, about the submission of an evaluation). If the Evaluator provides incorrect data to the Controller, this may have various consequences, such as the impossibility to log in to the information system or the occurrence of damage.

Regarding the Voter, the Controller processes in particular the following personal data:

● data necessary to verify the Voter – first name, surname, telephone number, e-mail address, address or other identification data of the Voter entered in the voting form in the eGRANT information system, etc.,
● other statistical data – age category, information on how the Voter learned about the voting, etc.,
● data on confirmation of having read this Information,
● data on whether the Voter has given / not given / withdrawn consent for the Controller to send information related to the Call and to the possible support, non-support and implementation of supported projects.

The Controller obtains personal data about the Voter from the Voter, who submits them via the voting form. The Voter is obliged to complete the data marked in the form as mandatory; otherwise, the Voter cannot cast a vote. If the Voter provides incorrect data, this may have various consequences, for example that the vote is cast for a different project than the Voter intended, or that the vote is invalid.

Your personal data are processed for the following purpose:

The personal data of the Applicant are processed for the purpose of submitting, processing and evaluating the application in the eGRANT information system and, where applicable, for the purpose of concluding and performing a contract on the provision of a subsidy / grant. The legal basis for the processing is the conclusion and performance of the contract on the provision of a subsidy. The Applicant’s consent is not required for the processing of personal data for this purpose. The explicit consent of the Applicant is required for the processing of special categories of the Applicant’s personal data referred to in point 4 above. The legal basis for the processing of special categories of the Applicant’s personal data is therefore also such explicit consent.

The personal data of the Manager are processed for the purpose of managing, processing and evaluating applications in the eGRANT information system. The legal basis for the processing is the performance of obligations arising from the contractual relationship between the Controller and the Manager (whether this is an employment contract or an ad hoc oral agreement between the Controller and the Manager), under which the Manager performs tasks related to the administration of the Call and the applications submitted. The Manager’s consent is not required for the processing of personal data for this purpose.

The personal data of the Evaluator are processed for the purpose of evaluating applications in the eGRANT information system. The legal basis for the processing is the performance of obligations arising from the contractual relationship between the Controller and the Evaluator (whether this is an employment contract or an ad hoc oral agreement between the Controller and the Evaluator), under which the Evaluator evaluates the applications for a grant / subsidy submitted under the Call. The Evaluator’s consent is not required for the processing of personal data for this purpose.

The personal data of the Voter are processed for the purpose of public voting for individual projects applying for a subsidy under the Call. The legal basis for the processing is the Controller’s legitimate interest in the participation of the public in deciding on the granting of subsidies / grants and the Controller’s legitimate interest in being able to assess the validity of the vote (for example, whether the vote was cast by a person entitled to vote, whether it is not a duplicate vote, etc.). The consent of the data subject is not required for the processing of personal data for this purpose. The data subject may object to the processing if his/her rights and legitimate interests override the Controller’s legitimate interest.

If the Voter gives consent, the Controller will process information on his/her contact details for the purpose of sending information to Voters relating to the Call and to the possible support, non-support and implementation of supported projects. The processing of personal data for this purpose requires the Voter’s consent, which is given by ticking the relevant box in the voting form. The Voter may withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent prior to its withdrawal.

The Controller may also process the personal data of the Applicant, Manager, Evaluator and Voter for secondary purposes, which are:

● keeping accounts, performing financial control and fulfilling other legal obligations of the Controller. The legal basis for the processing is the fulfillment of legal obligations. The consent of the data subject is not required for the processing of personal data for this purpose.
● asserting and defending contractual rights and defending against unjustified claims brought against the Controller. The legal basis for the processing is the Controller’s legitimate interest. The consent of the data subject is not required for the processing of personal data for this purpose. The data subject may object to the processing if his/her rights and legitimate interests override the Controller’s legitimate interest.
● informing the public about the Controller’s activities in the field of granting grants / subsidies. The legal basis for the processing is the Controller’s legitimate interest. The consent of the data subject is not required for the processing of personal data for this purpose. The data subject may object to the processing if his/her rights and legitimate interests override the Controller’s legitimate interest.
● creating statistics and analyses. The legal basis for the processing is the Controller’s legitimate interest. For these purposes, the Controller will process personal data in anonymised form. The consent of the data subject is not required for the processing of personal data for this purpose. The data subject may object to the processing if his/her rights and legitimate interests override the Controller’s legitimate interest.

Access to data:

The personal data referred to in the previous point are available to the Controller and to employees and co-workers authorised by the Controller, in particular Managers, who are bound by the Controller’s instructions and by an obligation of confidentiality.

The personal data necessary for evaluating applications are available to Evaluators, who are bound by the Controller’s instructions and by an obligation of confidentiality.

Data about the Applicant stated in the part of the Application that is intended for publication will be published on the internet and will thus be available to an unlimited circle of recipients, including Voters. These data will be published for information purposes even after the end of the Call.

The personal data will be processed in the eGRANT information system, the operator of which is ELLMAN, s.r.o., with registered office at: Muškátová 732/23, 900 55 Lozorno, Company ID No.: 35 949 309 (hereinafter “ELLMAN”). ELLMAN operates and administers this information system on the basis of a contractual relationship with the Controller. ELLMAN processes personal data in the eGRANT information system by providing the Controller with web hosting, storage and tools so that the Controller can publish its Call in this information system, receive, process and evaluate applications, record Evaluators’ assessments and collect Voters’ votes. ELLMAN therefore generally processes personal data only by automated means. Employees, co-workers and other authorised persons of ELLMAN process the personal data of data subjects directly only on the basis of the Controller’s explicit instructions (support service). ELLMAN is contractually bound by an obligation of confidentiality regarding personal data and by an obligation to process personal data only in accordance with the Controller’s instructions and the relevant legislation.

The designer of the eGRANT system and the operator of the servers on which the eGRANT system runs and in which the data entered into the eGRANT system are stored is ui 42 spol. s r.o., with registered office at: Sibírska 62, 831 02 Bratislava, Slovak Republic, Company ID No.: 35 713 003. Data processing by this entity is performed primarily by automated means. In connection with the maintenance and development of the eGRANT system and support activities, the staff of this entity may occasionally come into contact with personal data processed in the eGRANT system. This entity is contractually bound by an obligation of confidentiality regarding personal data and by an obligation to process personal data only in accordance with the agreed instructions and the relevant legislation.

The Controller cannot exclude that, on the basis of a contractual relationship, personal data of data subjects will be processed on its behalf by other persons, so-called processors, such as providers of accounting, auditing, legal, cloud and other services. These processors will be contractually bound by an obligation of confidentiality regarding personal data and by an obligation to process personal data only in accordance with the Controller’s instructions and the relevant legislation.

The Controller cannot exclude that, in accordance with the relevant legislation, courts, law enforcement authorities or other authorities may request from the Controller, in the course of inspections or investigations, the data it processes.

Except for selected data about the Applicant stated in the application for a grant / subsidy under the Call, the Controller does not publish your data.

The Controller does not intend to transfer your data to third countries outside the EU. If processors of personal data do so, they do so exclusively in accordance with the relevant legal regulations and requirements.

Duration of processing of your personal data:

The Controller processes your data for no longer than is necessary, depending on the purpose of the processing. After that, the data are erased.
For the purpose of concluding and performing the contract on the provision of a subsidy / grant and for the purpose of asserting and defending the Controller’s contractual rights and defending against unjustified claims brought against the Controller, the Controller processes personal data for at least 10 years from their acquisition. At the end of this period and subsequently at intervals of no more than 5 years, the Controller will assess whether it still needs these data for the given purpose. If not, it will erase them. For example, if a court dispute arises concerning rights and obligations under the contract, the Controller will process the personal data for the duration of this dispute and for a reasonable period after its conclusion.

The Controller will process special categories of the Applicant’s personal data (as defined in point 4 above) only until the consent to processing is withdrawn (if there is no other legal basis for the processing). The withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent before its withdrawal. The withdrawal of consent may result (especially in the case of data marked as mandatory) in the application not being capable of being processed or evaluated, being excluded or not supported. It may also result in the impossibility of concluding or performing the contract on the provision of a subsidy / grant or in the emergence of grounds for its termination.

For the purpose of fulfilling legal obligations, the Controller processes the necessary personal data for the periods laid down by law (for example, in the case of accounting, 10 years from the end of the accounting period to which the data relate).

For statistical and analytical purposes, the Controller processes data in anonymised and aggregated form, so that they no longer constitute personal data, and will process them for an indefinite period.

The Controller will process the data about the application intended for publication by publishing them for at least 10 years. After the expiry of this period, the Controller will assess whether their publication is still necessary for information purposes. If not, it will erase the published data. If it still needs the data, it will keep them published and will again reassess the duration of the purpose of publication no later than after a further 5 years.

The Controller will process the Voter’s personal data necessary for the purpose of evaluating the voting for at least 10 years from the evaluation of the voting. At the end of this period and subsequently at intervals of no more than 5 years, the Controller will assess whether it still needs these data for the given purpose. If not, it will erase them. For example, the Controller will not erase the data if, due to an ongoing dispute, it still needs to have proof that it included only valid votes in the voting and that it evaluated the voting correctly.

The Controller will process the Voter’s personal data processed for the purpose of sending information relating to the Call and to supported, unsupported and implemented projects for no longer than until consent to their processing is withdrawn. After that, it will erase them. Regardless of the withdrawal of consent, the Controller will, after 10 years from obtaining the data, assess whether it still needs them for this purpose. If not, it will erase them. If it still needs the data, it will keep them and will again reassess the duration of the purpose of processing no later than after a further 5 years.

In practice, it may happen that the Controller processes the same personal data of a data subject for several purposes. If one of the purposes of processing ceases to exist, but at least one other still exists, the Controller will not erase the personal data, but will no longer use them for the purposes that have ceased to exist. The Controller will erase the personal data only when all purposes for which they were processed have ceased to exist.

Your personal data are not subject to automated decision-making or profiling:

No, the Controller will not use your personal data for automated decision-making or profiling.

Your rights and how to exercise them:

You can exercise your rights by contacting the Controller in the manner set out in point 3 above. The Controller will inform you of how your request has been handled within 30 days. In justified cases, the Controller may extend this period by 60 days, and it may do so repeatedly. In such cases, the Controller will inform you in advance.

In order for the Controller to be able to handle your request and verify your identity, it will usually need you to state in your request your first name, surname and permanent address.

You have the right to access data. If you so request, the Controller will inform you whether it processes your data, what data it processes, for what purpose, to whom the data have been provided, whether they have been transferred to a third country and how long the Controller will store them.

You have the right to ask the Controller to rectify the data it processes about you if you believe they are incorrect.

You have the right to request the erasure of your personal data processed by the Controller if the Controller no longer needs them, if you withdraw the consent you have given for their processing, if the Controller has processed the personal data unlawfully, or if you correctly object that the Controller’s legitimate interests in processing the data do not override your rights.

You have the right to ask the Controller to temporarily suspend the processing of personal data if you believe that it is processing incorrect data about you, for the time necessary to verify their correctness, if the processing is unlawful or the Controller no longer needs the data and you request this instead of erasure, or if you object to the processing, until the Controller verifies whether its legitimate interests in processing the personal data override your rights.

You have the right to obtain the personal data about you that the Controller processes on the basis of consent and/or a contract and processes by automated means, in a structured, commonly used and machine-readable format. You may also transfer these data to another person, and if technically feasible, the Controller will, at your request, transfer your personal data directly to the controller of your choice.

You have the right to object to the processing of personal data carried out by the Controller on the basis of its legitimate interest. In this case, you should indicate your rights and legitimate interests which you consider to override the Controller’s interests.

If you believe that the Controller is breaching legal regulations in processing your personal data, you may contact the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, https://dataprotection.gov.sk/uoou/.

Further details about your rights can be found in the General Data Protection Regulation.