Privacy and Cookie Policy

We appreciate the confidence you have placed in us by entrusting your Personal Data to our company when visiting the QES Portal at qesportal.sk, qesportal.eu, qesportal.com and other similar domains (hereinafter referred to as the "Portal" or the "Website") as well as when using services provided through the Portal (hereinafter referred to as the "Services") and we are determined to protect them and make you feel safe with us. In this document, the Privacy & Cookie Policy (hereinafter referred to as the "Policy") we would like to familiarize you with the way we handle your Personal Data, how you can contact us in case of any questions related to the processing of your Personal Data or other important information on the processing of your Personal Data.

When processing your Personal Data, we follow the valid legal regulations, in particular Act No. 18/2018 Coll. on personal data protection, as amended (hereinafter referred to as the "Act") and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "Regulation").

Who we are

We are the controller for the processing of your Personal Data:

Disig a.s.
Záhradnícka 151, 821 08 Bratislava
BIN: 35 975 946
Contact to the data protection officer: gdpr@disig.sk

Personal data categories

We process the following categories of data about you:

  • IP address – it is a computer address that is automatically sent to our server when the user’s browser requests to view our Portal.
  • Information about the type of browser the user is using – just like the IP address, this information is sent to us automatically.
  • On-device biometrics - fingerprint or facial biometrics on devices with the Android operating system and TouchID or FaceID technology on Apple devices - we use this method of authentication only to facilitate your access to the protected repository of certificates that are used to sign documents through our mobile application. The functionality of the operating system of the respective device is used for this purpose, when, at the request of the application, the current biometric data are compared with the data securely stored on your device and the result is evaluated. Based on the result, our mobile application will allow or deny access to the relevant repository of certificates. The relevant biometric data required for this are stored on your device and processed via your mobile device. We do not have access to them and therefore do not process them in any way. It is up to you to choose whether you will use the said feature or prefer to enter the password manually. The operating system provider is responsible for evaluating such biometric authentication and its functionality as such.
  • Electronic certificates and the data contained in them.
  • Electronic documents and the data contained in them, which the user uploads to our server through the Website.
  • Name, surname and e-mail address, which the user provides when registering on the Portal and in the case of communication, if the user uses support services.
  • Backup e-mail address, the use of which is optional and serves for sending notifications to registered users of the Portal.
  • User activity data:
    • Type of file being processed (filename extension, e.g., pdf, docx, ...),
    • Size of the processed file,
    • Type of the operation performed (e.g., signing, verification...),
    • Thumbprint of the signature certificate,
    • Signature type (e.g., CAdES, XAdES, PAdES, ...).
  • Information from Google Analytics – our Website uses the Google Analytics service, which allows us to find out how users use our Website (it detects the number of visits, from what website the user got to our Website, etc.). This information is transmitted to Google and is available to us in anonymized form.

Purpose and legal basis

We process the above-stated categories of personal data for the following purposes and on the basis of the following legal bases:

Contract performance: If you are a party to a contract concluded with us, the processing of your personal data is necessary for the performance of the subject of the contract and related obligation relationships (complaints, liability for defects) and this processing will be performed precisely on the basis of the contract and special legal regulations, such as, in particular, Act No. 250/2007 Coll. on Consumer Protection, as amended, Act No. 40/1964 Coll. - the Civil Code, as amended, Act No. 513/1991 Coll. - the Commercial Code, as amended.

Your Personal Data may be processed in order to perform the contract even if you are not a party to the relevant contract, but the contract is otherwise related to you, so we will process your personal data on the basis of our legitimate interest, as long as we need to process them to the necessary extent so that we are able to perform the contract and provide you with Services properly.

Mutual communication: If you contact us with any issue, by means of any communication channel (mail, e-mail or telephone), your Personal Data will be processed for the purpose of communicating with you. We process personal data for communication with you based on your request. Such communication can take place on the legal basis of pre-contractual relationships, a contract, or our legitimate interest in providing our Services and products in the highest possible quality.

Security and stability of our information systems and network: For this purpose, we process your personal data on the basis of our legitimate interest consisting in the protection of rights, legally protected interests and property in our possession, as well as in the protection of rights and legally protected interests and property owned by other persons and in ensuring due operation of IT systems, infrastructure and applications, their security and protection against disturbances.

Sending of information about news, events and special offers of the company: We try to send newsletters and marketing information to an extent and at a frequency that you will not find bothersome. We process personal data for direct marketing purposes on the basis of your consent or on the basis of our legitimate interest.

Compliance with legal obligations: When processing your personal data for individual purposes, your personal data are also processed on the basis of various special regulations that impose various obligations on us, e.g. bookkeeping, the processing of accounting and economic documents, administration of the registry, the provision of data to public and other authorities that supervise our activities or that settle disputes, or when implementing decisions. Such special regulations are, for instance, the Act, the Regulation, Act No. 272/2016 on Trust Services, Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Act No. 102/2014 Coll. on the protection of consumers in sale of goods or provision of services under remote contracts or contracts executed outside the business premises of the seller and on amendments and supplements to certain acts, Act No. 431/2002 Coll. on Accounting, Act No. 395/2002 Coll. on Archives and Registries.

Storage period

We store personal data for the purpose of performing the contract and thus providing the Service until this purpose of processing is attained (until the contract has been properly performed) and the deadline for making any claims lapses, but max. 4 years from the performance of the subject of the obligation relationship. In doing so, we store data on the user’s activity only during the user’s registration period on the Portal, and we store the electronic documents that the user uploads or creates as part of the request for the Services, including signed electronic documents, for a maximum period of 14 days.

When providing support, we store the provided personal data only for a reasonably long period of time necessary for effective detection and elimination of the reported problem.

We store your personal data processed for the purpose of marketing for the duration of your registration on the Portal and, in the case of consent to such processing, for a period of 3 years.

We will keep personal data obtained on the basis of our legitimate interest only for the duration of the reasons for such processing.

We process personal data processed for the purpose of performing legal obligations only for a period that depends on the obligation we have to perform based on a special regulation and the deadline set by the special regulation.

Cookies

A cookie is a small text file that can be stored on your computer, smartphone or another device, when you browse the Website or when you are active on it.

Individual types of cookies are responsible for the proper functioning of the website and, depending on the type of information processed, can collect various information about visitors, such as the IP address, information about your activities, browser fingerprint, preferred font size, default language, filled-in login data or displayed advertisements. If you visit the same website next time, cookies will help you connect faster. Plus, the website will "recognize" you and offer you the information you prefer, ensure that the advertisement already displayed is not repeated, in the case of filling in identification data, it will offer to fill in data already filled in during previous visits to the website, and based on this information, it will display relevant content and offers of estimated activities and services that we assume you could use.

We can use cookies for a traffic analysis of our website through services such as Google Analytics, Google AdSense, and others. It is an analytics tool that helps website and app owners understand how their visitors use their websites. You can find more information on the websites of individual providers of these services, for instance you can find information about how Google uses cookies at this link.

From the point of view of personal data protection, it is important to assess what data are contained in a particular cookie file. If the data entered in the cookie file include any identifier that, alone or in conjunction with other data, can directly or indirectly identify a natural person - the user of the website, such a cookie will have to be considered personal data according to Article 4 paragraph 1 of the Regulation.

Legal basis for the processing of personal data

If we can identify the visitor to our website during recording, this constitutes the processing of personal data. We must have a legal basis for such processing. These cookies are processed either on the basis of your consent as the data subject or on the basis of our legitimate interest in ensuring the proper functionality of our website in accordance with your preferences (technical cookies).

What cookies we process and for what purpose

Technical cookies (so-called strictly necessary cookies)

These cookies are essential to ensure the proper functionality of the website. In the case of this type of cookies, the controller is authorized to process the data to the necessary extent even without the user’s consent for the purposes of operation, network, service or network and service. Their sole purpose is carrying out or facilitating the transmission over a network, or they are strictly necessary in order to provide the service explicitly requested by you.

These cookies are specifically:

  • QESPortalTermsConsent - Allows our service to remember that the user has agreed to the General Terms and Conditions (if the user has agreed to them), so that if the user wants to use our services repeatedly, he does not have to give consent again.
  • QESPortalCookieConsent – Allows our service to remember that the user has agreed to the Privacy and Cookie Policy (if the user has agreed to it), so that if the user wants to use our services repeatedly, he does not have to give consent again.
  • QESPortalCookieStats – Allows our service to remember whether the user has agreed to the use of statistical cookies.
  • dwsConfiguration - a record in the browser’s LocalStorage - Allows our service to remember what signature certificate the user used last and to select it again when creating an electronic signature the next time.
  • .AspNetCore.Antiforgery.* - Technological cookies used to protect against CSRF (Cross Site Request Forgery) attacks.
  • .AspNetCore.Correlation.oidc.* - Technological cookies necessary for user login.
  • .AspNet.SharedCookie* - Technological cookies necessary for user login.
  • idsrv.session:* - Technological cookies necessary for user login.
  • BNI_LDZEP* - Technological cookies necessary for the correct distribution of user requests between the individual servers of our service.
  • QSSCD* – Technological cookies used to protect against DoS (Denial Of Service) attacks.

Statistics (analytical) cookies

These cookies help to obtain data on website traffic and information that you most often search for and how you interact with a particular service, in order to ensure easier use of the website. Statistics cookies help us to understand how visitors interact with websites by collecting and reporting information anonymously. We process these cookies based on your consent.

These cookies are specifically:

  • _g* - Google Analytics cookies are third-party cookies (from Google) to capture data about how users use our website, in particular the number of visitors, the pages they visited and the time they spent on them.

How to control and change cookie settings

You can control and/or delete cookies as you wish – for details, please see aboutcookies.org. You can delete all cookies that are already on your computer and you can set your browser to prevent them from being placed.

Cookies are useful as long as the website owners do not misuse them for unauthorised data collection. If you do not trust the functionality of cookies, you can regularly delete them from your disk. In some cases, incorrect recording of information obtained through cookies may occur, and therefore a problem with logging in, for instance to our web applications. Please see below for instructions on removing all and incorrectly written cookies. Instructions for deleting cookies in individual Internet browsers:

You can also change the cookie settings directly on our website, as follows:
By clicking on the "Cookie settings" section displayed at the bottom of the website, you can at any time reopen the dialog box in which you first set your cookie preferences and change them at will.

Retention period

Some data or types of cookies are deleted from your device as soon as the browser window is closed, while others remain on your device even after you close the browser with the controller’s website. We store the information we associate with our cookie data in accordance with the consent you have given us, or only for the necessary time.

Necessity to provide Personal Data

If the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to conclude a contract, the data subject is obliged to provide Personal Data. Otherwise, it will not be possible to attain the processing purpose that the controller intended to carry out in the case of providing Personal Data.

Provision and disclosure of your Personal Data

In general, we can disclose and/or provide your Personal Data to other subjects such as government authorities and public authorities for the purpose of executing inspection and supervision (e.g., the National Security Authority of the Slovak Republic), courts, LEAs, auditors, lawyers, IT systems and support suppliers, the competent registration authority of Disig, a. s., trust service providers, and other external professional advisers and companies providing us with products and services (legal/natural persons). We are responsible for the proper protection of your personal data, which are provided and/or made available to other entities acting as processors. The current list of specific recipients of your personal data can be provided on request via our email address.

Transfer of personal data to third countries

Your personal data are not usually transferred during processing to third countries outside the European Economic Area (EEA) and the European Union (EU), nor to international organizations. If, in justified cases, there is a need to transfer personal data to third countries outside the territory of the European Union, we will transfer personal data only with your consent or under conditions under which the said transfer is otherwise permitted by the Regulation or the Act.

Automated decision-making

Processing of Personal Data for the purposes laid down above does not include any automated decision-making.

Profiling

Processing of Personal Data for the purposes laid down above does not include any profiling.

Rights of the data subject related to the processing of personal data

As a data subject, you have the following rights:

Right of access to data
You have the right to obtain confirmation as to whether personal data about you are being processed. Where that is the case, you have the right of access to your personal data and additional information resulting from Art. 15 of the Regulation or Article 21 of the Act.

Right to demand rectification
You have the right to obtain the rectification of incorrect or inaccurate data concerning you without undue delay and/or to have your personal data completed.

Right to erasure of personal data
You have the right to obtain the erasure of your personal data without undue delay if the conditions of Art. 17 of the Regulation or Article 23 of the Act are met.

Right to the restriction of processing
You have the right to demand the restriction of the processing of your personal data if the conditions of Art. 18 of the Regulation or Article 24 of the Act are met (e.g., the accuracy of the personal data is contested by the data subject; the processing of personal data would be unlawful; the controller no longer needs the personal data for processing but they are required by the data subject for the establishment or defence of legal claims, or the data subject objected to the processing of personal data).

Right to object to processing
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data that we carry out due to the performance of a task carried out in the public interest or in the exercise of public authority entrusted to us, or if the processing is carried out on the basis of our legitimate interest or that of a third party; this also applies to profiling. You also have the right to object to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.

Right to data portability
You have the right to receive personal data concerning you from us, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right to transfer the personal data received in this way to another controller without us preventing you from doing so. Such portability of personal data is possible if your personal data were processed on the basis of the consent provided or on the basis of a contract and if the processing was carried out by automated means. If technically possible, you have the right to a direct transfer from one controller (us) to another controller.

Right to withdraw consent for processing
If your personal data are processed on the basis of consent, you, as the data subject, are entitled to withdraw the consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of your personal data before the withdrawal of such consent.

Exercise of rights
If you decide to exercise any of the above rights against us in connection with the processing of your personal data, you can do so in writing at the address of our headquarters or electronically at the email address: gdpr@disig.sk

Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with the supervisory authority responsible for supervising the processing of personal data. In the territory of the Slovak Republic, this authority is the Office for Personal Data Protection of the Slovak Republic, https://dataprotection.gov.sk, Hraničná 12, 820 07 Bratislava 27; telephone number: +421 /2/ 3231 3214; E-mail: statny.dozor@pdp.gov.sk

Contact details

If you wish to send questions or comments to our data protection officer in connection with the processing of your personal data, you can do so via e-mail: gdpr@disig.sk, or in writing at the address of our headquarters.

We may update this Policy without notice. Therefore, we kindly ask you to regularly familiarize yourself with its current wording, which you can find on our website or which we will be happy to provide to you on request.

This version of the Policy was issued on 01 May 2023
