1. Controller
Inštitút pokročilých štúdií, o. z. (the “IOAS” or “controller”)
Registered office: Gagarinova 3, 911 01 Trenčín, Slovakia
Non-profit association registered under Slovak Act No. 83/1990 Coll.
Contact for personal data questions and requests: gdpr@ioas.pro
For general inquiries: director@ioas.pro, +421 903 667 654.
2. Legal framework
We process personal data in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”),
- Slovak Act No. 18/2018 Coll. on personal data protection, as amended,
- other applicable laws of the Slovak Republic and the European Union.
3. What personal data we process
We process only the data you provide us yourself through forms, email or phone communication, or that is necessarily generated by operating the website:
3.1 Contact form
- name and surname, email, subject and content of the message
- IP address and User-Agent (technical, anti-abuse)
- timestamp of submission
3.2 Member registration (/en/registracia-clena/)
- name and surname, email, phone
- membership type, affiliation/institution, area of interest
- motivation (text justifying the application)
- consents to the statutes and to data processing
- IP address, User-Agent, timestamp
3.3 Newsletter
- email address
- IP address, User-Agent, opt-in timestamp
3.4 Membership (after admission)
- regular identification and contact data, profession and publications
- data on paid membership fees (for accounting purposes)
3.5 Technical data while browsing
- IP address, User-Agent (browser and OS type)
- nginx access logs (URL, time, return code)
- essential session and consent cookies — see Cookies policy
We do not process special categories of data (health, biometric, religious belief, sexual orientation, etc.) — unless you voluntarily provide them as part of a specific research collaboration where we agree on separate terms.
4. Purposes and legal bases of processing
| # | Purpose | Legal basis (GDPR) | Data |
|---|---|---|---|
| 1 | Handling the contact form — answering a question or request | Art. 6(1)(f) — legitimate interest of the controller to respond to communication | name, email, subject, message, IP |
| 2 | Member registration — review of the application | Art. 6(1)(b) — performance of a contract (pre-contractual steps) | name, email, phone, membership type, motivation |
| 3 | Membership — keeping the member register, communication, fees | Art. 6(1)(b) — performance of a contract (membership contract) | identification and contact data, payment data |
| 4 | Accounting and tax obligations | Art. 6(1)(c) — legal obligation (Slovak Act No. 431/2002 Coll.) | data on invoices and documents |
| 5 | Newsletter — sending updates | Art. 6(1)(a) — consent of the data subject | |
| 6 | IT security, anti-abuse (rate limiting, blocking attacks) | Art. 6(1)(f) — legitimate interest | IP, User-Agent, access logs |
| 7 | Public publication of content (member profiles, articles, photos from events) | Art. 6(1)(a) — consent of the persons concerned | only data the person approves |
Consent (purposes 5 and 7), if given, can be withdrawn at any time — see Your rights.
5. How long we store the data
| Data | Retention |
|---|---|
| Contact form | 2 years from the last communication |
| Member application (rejected) | 6 months from the decision, then anonymised / deleted |
| Active member data | for the duration of membership + 5 years thereafter |
| Accounting documents | 10 years (legal obligation) |
| Newsletter | until unsubscribe (any time via link in the email or upon request) |
| Nginx access logs | 30 days |
| Data related to attempted IT attacks | 1 year |
After the retention periods, the data is deleted or irreversibly anonymised.
6. Recipients of personal data
We do not sell your data to any third party.
In certain cases, however, we share it with processors that process the data on our behalf and based on a contract:
- Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — hosting of web servers and databases, EU data centre;
- email service provider (local SMTP server at the controller) — sending automated notifications and communication;
- Let’s Encrypt / Internet Security Research Group — TLS/SSL certificate authority (no personal data is transferred, only the domain name).
If required by law, we will share data with public authorities (police, courts, the Slovak Data Protection Authority, the tax office) to the extent required by law.
7. Transfers to third countries
We do not transfer your personal data outside the European Economic Area (EEA).
The web server, email server and all databases are operated in a data centre in Germany (Hetzner). If we were to use a service outside the EEA in the future (e.g. an analytics tool in the USA), we would do so only on the basis of Standard Contractual Clauses (SCC) approved by the European Commission, and we would update this page.
8. Automated decision-making and profiling
We do not carry out any automated decision-making or profiling that would have legal effects or other significant impact on you (Art. 22 GDPR).
9. Your rights as a data subject
Under the GDPR and Slovak Act No. 18/2018 Coll., you have the following rights against the controller:
9.1 Right of access (Art. 15 GDPR)
You may request from us confirmation as to whether we process your personal data, and if so — a copy of that data along with information about the purpose, categories, recipients and retention.
9.2 Right to rectification (Art. 16)
You may request rectification of inaccurate or completion of incomplete data.
9.3 Right to erasure / “right to be forgotten” (Art. 17)
You may request the erasure of data if:
- it is no longer necessary for the purpose it was obtained,
- you withdraw consent and there is no other legal basis,
- the data was processed unlawfully,
- it is required by law.
The right to erasure does not apply to the extent that processing is necessary (e.g. archiving accounting records, asserting legal claims).
9.4 Right to restriction of processing (Art. 18)
In certain cases (e.g. while verifying accuracy) you may request that we only store the data and not process it further.
9.5 Right to data portability (Art. 20)
We will provide you with the data that you gave us on the basis of consent or performance of a contract, and that we process automatically, in a structured, commonly used, machine-readable format (CSV / JSON), or, at your request, transmit it directly to another controller.
9.6 Right to object (Art. 21)
If we process data based on legitimate interest, you can object to it — in which case we will only continue processing if we demonstrate compelling legitimate grounds that override your interests.
9.7 Right to withdraw consent
You may withdraw consent (e.g. to the newsletter or publication of a profile) at any time — without affecting the lawfulness of processing prior to withdrawal. Just email gdpr@ioas.pro.
9.8 Right not to be subject to automated decision-making (Art. 22)
As stated in Section 8, we do not carry out such decision-making.
9.9 Right to lodge a complaint with the Slovak DPA
If you believe your rights have been violated, you may lodge a complaint with:
Office for Personal Data Protection of the Slovak Republic
Hraničná 12, 820 07 Bratislava 27
statny.dozor@pdp.gov.sk
dataprotection.gov.sk
10. How to exercise your rights
Send personal-data requests, questions and objections to:
Or in writing to the controller’s registered office (Section 1).
Procedure:
- Identification of the requester. In justified cases we may ask for additional data needed to verify your identity — to prevent disclosure of your data to another person.
- Time limit. We will assess your request and respond within 30 days of receipt. For complex requests, the period may be extended by up to 2 months, with prior notice.
- Free of charge. Handling the request is free. For manifestly unfounded or repeated requests we reserve the right to charge a reasonable fee or to refuse the request (Art. 12(5) GDPR).
11. Cookies and similar technologies
The ioas.pro website uses only essential cookies for basic functionality (remembering the cookie banner, session for form submission). We do not use analytical or advertising third-party cookies.
For details, see the separate document: Cookies policy.
12. Security of processing
The controller adopts adequate technical and organisational measures to protect data, including:
- transport encryption (HTTPS / TLS 1.2+) on the entire site and all forms,
- security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options) in HTTP responses,
- rate limiting and honeypot protection on forms (against spam and bots),
- access restrictions to the database and servers (only authorised persons),
- regular updates of the operating system and software.
Despite the measures taken, no internet transmission is 100% secure. If you discover or suspect a security incident affecting your data, please inform us immediately at gdpr@ioas.pro.
13. Changes to this policy
We may update this policy from time to time — for example when laws change, or when a new service or processor is introduced. The current version is always published on this page with the effective date.
For substantive changes (e.g. a new processing purpose or a new processor outside the EEA) we will inform you by appropriate means (email to registered members, notice on the website).
14. Effective date
Version: 2026-04-27
Effective: from the date of publication.
Previous versions are available upon request at gdpr@ioas.pro.