1. Personal Data Controller

The company MARTO s.r.o., with its registered office at Letecká 37, 052 01 Spišská Nová Ves, ID No.: 36192708, registered in the Commercial Register of the District Court Košice I, Section: Sro, File No.: 11112/V (hereinafter referred to as the "Company"), as the controller, processes personal data in several information systems.

2. Contact details of the Data Protection Officer

Due to the scope and subject of its activities, our Company is not obliged to appoint a Data Protection Officer. However, if you have any questions regarding your personal data, please send us an email to marto@marto.sk, call us at +421 905 558 581, or visit us in person at the Company's registered office address.

3. Purpose of personal data processing

To ensure its activities, the Company needs to know certain personal data of the data subjects and needs to provide them to other recipients for the purpose of fulfilling legal obligations and ensuring its business activities of the highest quality.

The Company processes the provided personal data for several purposes:

• Processing of contractual and pre-contractual obligations
• Processing of personnel and payroll agenda
• Processing of accounting agenda
• Protection of security and property
• Employee attendance records
• Securing business activities
• Marketing purposes

4. Legal Basis for Processing Personal Data of Data Subjects

When processing personal data, the Company proceeds in accordance with the valid and current Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter referred to as the "Personal Data Protection Act") and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter referred to as the GDPR).

The legal basis for personal data processing is:

• Specific legal regulations, namely: the Social Insurance Act, the Health Insurance Act, the Labour Code, valid payroll, accounting and tax regulations, the Commercial Code, the Civil Code, the Trade Licensing Act, the Act on Occupational Safety and Health Protection
• Consent of the data subject to the processing of personal data, depending on the purpose of personal data processing
• Performance of a contract to which the data subject is a party
• Processing of personal data for the protection of the life, health or property of the data subject
• Legitimate interest of the Company

The Company also processes personal data without the consent of the data subject if:

a) the purpose of personal data processing, the range of data subjects, and the list or scope of personal data are stipulated by a directly applicable legally binding act of the European Union, an international treaty by which the Slovak Republic is bound, or this Act. If the list or scope of personal data is not stipulated, the Company may process personal data only to the extent and in the manner necessary to achieve the stipulated processing purpose while adhering to the basic obligations pursuant to Section 13(3)(a) to (e)(i) of the Personal Data Protection Act.

b) The Company further processes personal data without the data subject's consent if the purpose of personal data processing, the range of data subjects, and the list of personal data are stipulated by a special Act, and only to the extent and in the manner stipulated by that special Act. Processed personal data may be provided, made available, or disclosed only if the special Act stipulates the purpose of the provision, making available, or disclosure, the list of personal data that may be provided, made available, or disclosed, as well as the third parties to whom the personal data are provided, or the range of recipients to whom the personal data are made available, unless the Personal Data Protection Act stipulates otherwise.

c) the processing of personal data is necessary to protect the life, health, or property of the data subject,

d) personal data that have already been published in accordance with the law are processed, and the controller has duly marked them as published; the person claiming to process published personal data shall prove to the Office, upon request, that the processed personal data were already legally published,

e) the Company processes personal data that are necessary for the protection of the rights and legally protected interests of the controller or a third party for the following purposes:

• protection of the Company's security and property
• securing pre-contractual/contractual relationships

5. Recipient

Our Company may provide your personal data to the following recipients:

Processors - who perform support services for our Company in the areas of payroll, personnel and accounting, safety and health protection or property, and the provision of web hosting services.

6. Consent of the Data Subject

The Company obtains the data subject's consent freely, without pressure or coercion, and without conditioning it on the threat of refusing a contractual relationship, provided services, or obligations arising for the controller from legally binding acts of the European Union, an international treaty by which the Slovak Republic is bound, or law.

Consent is granted separately for each purpose of personal data processing.

As a data subject, you can revoke your consent at any time.

The Company respects privacy and considers the provided personal data confidential.

7. Processors

In its business activities, the Company cooperates with several processors whose goal is to provide quality services. These entities process the personal data of data subjects in the performance of their contractual activities for the Company. This includes, for example, support services in the area of accounting and payroll services, provision of services in the field of OSH (Occupational Safety and Health), occupational health services (OHS), and the provision of web hosting services.

The Company honestly declares that in the selection of individual processors, it has paid attention to their professional, technical, organisational, and personnel competence and their ability to guarantee the security of the processed personal data through adopted security measures in accordance with the Personal Data Protection Act.

At the same time, in selecting a suitable processor, the Company proceeded in a way that would not jeopardize the rights and legally protected interests of the data subjects.

The Company, as the controller, has concluded written contracts with the processors regarding the assurance of personal data protection processed by the processors, whom it entrusted with the processing of the personal data of the data subjects to the extent, under the conditions, and for the purpose stipulated in the contract and in the manner according to the Personal Data Protection Act.

8. Conditions and Method of Processing Personal Data of Data Subjects

The Company processes the personal data of data subjects in its information systems using both automated and non-automated means of processing.

The Company does not disclose the processed personal data, except in cases where specific legislation or a decision of a court or other state authority requires it.

The Company will not process your personal data without your explicit consent or other legal basis for any other purpose, nor to a greater extent than stated in this information and the registration sheets of the individual information systems of the controller.

9. Retention Period for Personal Data of Data Subjects

The retention period for personal data is determined according to the purpose of the personal data processing and the requirements of specific regulations.

Specific retention periods are prescribed by the Company's internal regulation, the Registry Plan, drawn up in accordance with the Act on Archives and Registry Offices.

The Company shall dispose of personal data whose processing purpose and retention period have ended in the prescribed manner. After the defined purpose has ended, the Company is entitled to process personal data to the necessary extent for research or statistical purposes in their anonymized form.

The Company ensures that the personal data of data subjects are processed in a form enabling the identification of individual data subjects for no longer than is necessary to achieve the purpose of the processing.

10. Automated Individual Decision-Making, including Profiling

The Company does not use automated individual decision-making or profiling when processing personal data.

11. Cross-border Transfer of Personal Data of the Data Subject

The Company does not transfer personal data to third countries or international organisations.

12. Rights of the Data Subject related to the Processing of their Personal Data

The data subject has the right to require from the Company, based on a written request:

• accurate information in a generally understandable form about the source from which it obtained their personal data for processing,
• access to their personal data,
• a list of their personal data that is subject to processing in a generally understandable form,
• rectification or destruction of their incorrect, incomplete, or out-of-date personal data that are subject to processing,
• erasure of their personal data whose purpose of processing has ended; if official documents containing personal data are subject to processing, they may request their return,
• destruction of their personal data that are subject to processing if the law has been violated,
• restriction of the processing of their personal data,
• the right to object to the processing of personal data at any time, based on a written request addressed to the Company or in person if the matter is urgent, by stating legitimate reasons or presenting evidence of unauthorized interference with their rights and legally protected interests, which are or may be damaged in a specific case by such personal data processing; if there are no legal grounds preventing this and it is proven that the data subject's objection is justified, the Company is obliged to block and destroy the personal data to which the data subject objected without undue delay, as soon as circumstances permit,
• prevent the processing of their personal data which they assume are or will be processed for direct marketing purposes without their consent, and request their destruction,
• the right to data portability of their personal data to another controller,
• whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to conclude a contract, and whether the data subject is obliged to provide personal data, as well as the possible consequences of not providing personal data,
• the right to file a motion to initiate proceedings pursuant to Section 100. If the data subject suspects that their personal data is being processed unlawfully, they may file a motion to initiate proceedings on personal data protection with the Office for Personal Data Protection of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava 27, Slovak Republic, or contact the Office through its website http://www.dataprotection.gov.sk.

If the data subject does not have full legal capacity, their rights may be exercised by a legal representative.

If the data subject is deceased, their rights under this Act may be exercised by a close person.

The Company shall process the data subject's request under the Personal Data Protection Act free of charge, except for a fee that may not exceed the amount of actual material costs reasonably incurred in connection with making copies, providing technical media, and sending information to the data subject, unless a special Act stipulates otherwise.

The Company is obliged to process the data subject's request in writing no later than 30 days from the date of receipt of the request.

The Company shall notify the data subject and the Office for Personal Data Protection of the Slovak Republic in writing without undue delay of any restriction of the data subject's rights under the Personal Data Protection Act.

The Company hereby informed you, as the data subject, about the protection of your personal data and instructed you about your rights in relation to the protection of personal data to the extent of this written information obligation.

In Spišská Nová Ves, dated 11.11.2025