top of page

Privacy Policy

Workcontrol s.r.o. and WorkcontrolEU s.r.o. process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as Act No 18/2018 on the protection of personal data, as amended.

If you have any queries about the protection of personal data in Workcontrol s.r.o. or WorkcontrolEU s.r.o., please contact our responsible person:

email address:

Definition of terms

Personal data means any information relating to an identified or identifiable natural person (“data subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

processing of personal data means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Profiling means any form of automated processing of personal data whose purpose is to evaluate certain personal aspects relating to a natural person.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures.

Data controller or controller, for the purposes of this document, means Workcontrol s.r.o. and WorkcontrolEU s.r.o.

Processor means a natural or legal person who processes personal data on behalf of the controller. 

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.

Principles governing the processing of personal data in Workcontrol s.r.o. and WorkcontrolEU s.r.o.

Workcontrol s.r.o. and WorkcontrolEU s.r.o. process the personal data of data subjects in a lawful and transparent manner.

Such data are obtained exclusively for legitimate purposes in a reasonable and precisely defined extent based on defined legal grounds.


Workcontrol s.r.o. and WorkcontrolEU s.r.o. have put in place appropriate technical and organisational safeguards for the protection of personal data, in particular for their protection against illegitimate or unlawful processing, and their protection against damage or loss.

Lawfulness of the processing of personal data in Workcontrol s.r.o. and WorkcontrolEU s.r.o.

The main purpose for which Workcontrol s.r.o. and WorkcontrolEU s.r.o. process personal data is for establishing employment and non-employment relationships, for the purpose of temporary assignment to a user employer, and for payroll administration:

  1. The primary legal basis arises from legislation in the fields of employment and payroll, in particular the Labour Code, the Act on Employment Services, the Act on Social insurance, the Act on Health Insurance, the Act on Income Tax, the Act on Social Funds, the Act on Illegal Work, the Act on Travel Compensation, the Act on the Minimum Wage, the Act on Old Age Pension Savings, the Act on Supplementary Pension Savings, the Act on Income Compensation, the Code of Enforcement Procedure, the Act on Protection, Promotion and Development of Public Health, the Act on Occupational Health and Safety and other legislation, which means that personal data processing is necessary for compliance with a legal obligation.

  2. A further legal basis is the contractual and pre-contractual relationship with the data subject, especially as regards the establishment of an employment relationship.

When a data subject grants consent for the processing of personal data, the scope and purpose of such processing is defined in the data subject’s consent.

Acquired personal data are, as a rule, processed only for the purpose for which they were acquired.


Data subject’s consent

Where personal data are obtained with the consent of the data subject, the employee is informed of the purpose, scope and duration of consent before providing the data.

Consent can be revoked at any time by means of a written notice delivered to the address of the employer to whom consent was given. The revocation of consent does not affect the lawfulness of the processing of personal data under consent before the revocation of that consent.


Categories of recipients of personal data

  1. State and public authorities (Social Insurance Agency, health insurance companies, Financial Administration, labour inspectorates, bailiffs, Central Office of Labour, Social Affairs and Family…)

  2. Courts and law enforcement authorities

  3. Supplementary pension companies

  4. Commercial insurance companies

  5. Companies managing the companies’ information and technical systems

  6. Catering companies

  7. Occupational health and safety service companies

  8. User employers

  9. Document shredding companies


Retention period of personal data

When the purpose of personal data processing is completed, the data are processed and stored only in the extent required for the purposes of archiving, statistics and legislative compliance.

If personal data are obtained with the consent of the data subject, the retention period is defined in the specific consent.



The data subject has the following rights:

  1. to request the data controller to grant access to personal data that it holds on the data subject and the right to rectification, deletion or restriction of their personal data. The data shall be provided in the form requested by the data subject.

  2. to request from the data controller information on the purposes of the processing of their personal data, the categories of personal data concerned, the recipients of the personal data and the retention period

  3. to receive identification of the source from which personal data was obtained if not from the data subject

  4. to request information on the appropriate safeguards applied if their personal data is transferred to a third country

  5. to have inaccurate personal data rectified without delay

  6. to have personal data deleted if processing is no longer necessary, if the data subject revokes consent, if the data subject objects to the processing of personal data, if the personal data is processed unlawfully, if the personal data must be deleted to meet an obligation under applicable legislation, or if the data was obtained in connection with a promotional service

  7. to have the processing of personal data restricted if the data subject objects on grounds that the personal data is not accurate, that processing is unlawful or that the data controller no longer needs the personal data for the purpose of processing 

  8. to object to the processing of personal data

  9. accuracy of personal data

  10. to revoke their consent at any time

  11. to bring action against the data controller if their rights are infringed

  12. to be informed whether the processing of their personal data is a legal or contractual requirement or a requirement for the conclusion of a contract, and whether they are obliged to provide such data, together with information on the consequences of not providing such data

  13. to be informed of any use of automated decision-making, including profiling, and the foreseeable consequences of such processing

  14. to be informed of a breach of personal data protection without undue delay if it could put the rights of the natural person at higher risk

  15. to lodge a complaint with the supervisory authority, the Office for Personal Data Protection of the Slovak Republic.


The data controller must respond to any request of a data subject under the points above without undue delay, not later than 1 month from receipt of the request. If necessary, this period can be extended by another 2 months. The data controller must notify the data subject of any such extension.

bottom of page