Privacy Policy
Effective as of October 1, 2024
The protection of personal data is of particular importance to ESET, spol. s r. o., having its registered office at Einsteinova 24, 851 01 Bratislava, Slovak Republic, Business Registration Number: 31333532 as a Data Controller ("ESET" or "We"). We want to comply with the transparency requirement as legally standardized under the EU General Data Protection Regulation ("GDPR"). To achieve this goal, We are publishing this Privacy Policy with the sole purpose of informing our customer ("End User" or "You") as a data subject about the following personal data protection topics:
- Contact Information,
- Legal Basis of Personal Data Processing,
- Data Sharing and Confidentiality,
- Data Security,
- Your Rights as a Data Subject,
- Processing of Your Personal Data.
Legal Basis of Personal Data Processing
There are a few legal bases for data processing which We use according to the applicable legislative framework related to protection of personal data. The processing of personal data at ESET is mainly necessary for the performance of the Terms of Use ("Terms") with End User (Art. 6 (1) (b) GDPR), which is applicable for the provision of ESET products or services, unless explicitly stated otherwise, e.g.:
- Legitimate interest legal basis (Art. 6 (1) (f) GDPR), that enables us to process data on how our customers use our Services and their satisfaction to provide our users with the best protection, support and experience We can offer. Even marketing is recognized by applicable legislation as a legitimate interest, therefore We usually rely on it for marketing communication with our customers.
- Consent (Art. 6 (1) (a) GDPR), which We may request from You in specific situations when we deem this legal basis as the most suitable one or if it is required by law.
- Compliance with a legal obligation (Art. 6 (1) (c) GDPR), e.g. stipulating requirements for electronic communication, retention for invoicing or billing documents.
Data Sharing and Confidentiality
We do not share your data with third parties. However, ESET is a company that operates globally through affiliated companies or partners as part of our sales, service and support network. Licensing, billing and technical support information processed by ESET may be transferred to and from affiliates or partners for the purpose of fulfilling the EULA, such as providing services or support.
ESET prefers to process its data in the European Union (EU). However, depending on your location (use of our products and/or services outside the EU) and/or the service you choose, it may be necessary to transfer your data to a country outside the EU. For example, we use third-party services in connection with cloud computing. In these cases, we carefully select our service providers and ensure an appropriate level of data protection through contractual as well as technical and organizational measures. In compliance with GDPR, We may transfer personal data to third countries only under specific conditions. We ensure that any such transfer is carried out in accordance with the GDPR's strict requirements, aiming to safeguard the rights and freedoms of individuals whose data is being transferred. Before transferring any data outside the European Union (EU) or the European Economic Area (EEA), we assess the adequacy of the recipient country's data protection laws and consider implementing appropriate safeguards, such as:
- We evaluate if the receiving country has an adequate level of data protection, based on the European Commission's assessments.
- We use approved SCCs to contractually bind both parties and ensure that the recipient processes personal data in compliance with GDPR requirements.
- We rely on recognized codes of conduct or certification mechanisms that demonstrate compliance with data protection requirements.
By taking these measures, We ensure that personal data transfers are secure, transparent, and in accordance with the GDPR's principles. For some countries outside the EU, such as the United Kingdom and Switzerland, the EU has already determined a comparable level of data protection. Due to the comparable level of data protection, the transfer of data to these countries does not require any special authorization or agreement.
We rely on third-party services and collaborate with the external processors to provide our services related to cloud computing, billing, etc.
Data Security
ESET implements appropriate technical and organizational measures to ensure a level of security which is appropriate to potential risks. We are doing our best to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. However, in case of data breach resulting in a risk to your rights and freedoms, We are ready to notify the relevant supervisory authority as well as affected End Users as data subjects.
Data Subject’s Rights
The rights of every End User matter and We would like to inform you that all End Users (from any EU or any non-EU country) have the following rights guaranteed at ESET. To exercise your data subject’s rights, you can contact us via support form or by e-mail at dpo@eset.sk. For identification purposes, we ask you for the following information: Name, e-mail address and - if available - license key or customer number and company affiliation. Please refrain from sending us any other personal data, such as the date of birth. We would like to point out that to be able to process your request, as well as for identification purposes, we will process your personal data.
Right to Withdraw the Consent. Right to withdraw the consent is applicable in case of processing based on consent only. If We process your personal data on the basis of your consent, you have the right to withdraw the consent at any time without giving reasons. The withdrawal of your consent is only effective for the future and does not affect the legality of the data processed before the withdrawal.
Right to Object. Right to object to the processing is applicable in case of processing based on the legitimate interest of ESET or third party. If We process your personal data to protect a legitimate interest, You as the data subject have the right to object to the legitimate interest named by us and the processing of your personal data at any time. Your objection is only effective for the future and does not affect the lawfulness of the data processed before the objection. If we process your personal data for direct marketing purposes, it is not necessary to give reasons for your objection. This also applies to profiling, insofar as it is connected with such direct marketing. In all other cases, we ask you to briefly inform us about your complaints against the legitimate interest of ESET to process your personal data.
Please note that in some cases, despite your consent withdrawal or your objection to processing, we are entitled to further process your personal data on the basis of another legal basis, for example, for the performance of a contract.
Right of Access. As a data subject, you have the right to obtain information about your data stored by ESET free of charge at any time.
Right to Rectification. If we inadvertently process incorrect personal data about you, you have the right to have this corrected.
Right to Erasure. As a data subject, you have the right to request the deletion or restriction of the processing of your personal data. If we process your personal data, for example, with your consent, you withdraw it and there is no other legal basis, for example, a contract, We delete your personal data immediately. Your personal data will also be deleted as soon as they are no longer required for the purposes stated for them at the end of our retention period.
Right to Restriction of Processing. If we use your personal data for the sole purpose of direct marketing and you have revoked your consent or objected to the underlying legitimate interest of ESET, We will restrict the processing of your personal data to the extent that we include your contact data in our internal black list in order to avoid unsolicited contact. Otherwise, your personal data will be deleted.
Please note that We may be required to store your data until the expiry of the retention obligations and periods issued by the legislator or supervisory authorities. Retention obligations and periods may also result from the Slovak legislation. Thereafter, the corresponding data will be routinely deleted.
Right to Data Portability. We are happy to provide You, as a data subject, with the personal data processed by ESET in the xls format.
Right to Lodge a Complaint. As a data subject, You have a right to lodge a complaint with a supervisory authority at any time. ESET is subject to the regulation of Slovak laws and We are bound by data protection legislation as part of the European Union. The relevant data supervisory authority is The Office for Personal Data Protection of the Slovak Republic, located at Hraničná 12, 82007 Bratislava 27, Slovak Republic.
Processing of Your Personal Data
Services provided by ESET implemented in our web-based product are provided under the Terms of Use ("Terms"), but some of them might require specific attention. We would like to provide You with more details on data processing connected with the provision of our products and services. We render various services described in the Terms and the product documentation. To make it all work, We need to collect the following information:
- ESET may collect personal information for the purposes of direct communication with You in order to respond to your questions, and fulfill your requests. If You send us product orders, service requirements, other requests or if You upload any materials to our website, We may have to contact You in order to gain additional information necessary for processing or in order to fulfill your order, request or requirement. For this purpose, as well as for the purpose of performing the requested services, We need to process your details provided via web forms, email or applications.
- If You are an End User of our products or services, the processing of your data is covered by the specific End User License Agreement or Terms of Use and dedicated Privacy Policy related to each product or service. For more information concerning data processing, please visit the online help documentation dedicated to our products and services. You can access this directly from the graphical user interface of your product by clicking on the “?” symbol. The maximum storage period for invoicing data is determined by law and We are legally required to keep the data for a period of 10 years. Unlike invoicing data, We only store licensing data for a period not exceeding 12 months from the expiration date of your license, and statistics that do not require the End User’s identification are processed for a period of 4 years.
- If You are already our customer or if You agree with the processing of your data for the purposes of marketing communication, We may use your details to administer marketing communication until You unsubscribe or withdraw your consent.
- If you decide to submit a sample via our security features, i.e. Advanced Machine Learning module, Multiscan, LiveGrid reputation system, Replicators service - Sandbox, Sisyfos automated sample processing and detection system and/or ESET Threat Intelligence portal, the submitted sample will be automatically processed within our system. The output will contain results on the sample behavior only. The data from such a sample will not be used and/or contained in the output. ESET manages those security features, ensuring that your data remains within our control and is not processed by third parties. We store samples locally for a period of 30 days; the maximum storage period is limited by the time required to provide those security features.
- If you decide to set up a YARA rule to utilize Early Warning, for searching the instances, and you decide to include text strings that contain personal data, this data will be used to search the instances. You can decide to delete this rule by yourself at your convenience within ESET Threat Intelligence portal at any time.
- If you decide to utilize the ESET AI Advisor for addressing queries related to detected incidents, your query, along with relevant data from monitored endpoint devices and network information processed in ESET Threat Intelligence, will be transmitted to our generative AI solution running on our private cloud in Azure. Only the essential data required to address your query will be shared with the AI solution, and it will be processed exclusively to deliver the requested service. ESET manages the AI solution, ensuring that your data remains within our control and is not processed by third parties. Please note, as mentioned above, that processed data may contain privacy sensitive information.
- Contact information and data contained in your support requests are required for provision of technical or other support provided by ESET. Based on the channel by which You choose to contact us, We may collect your email address, phone number, license information, product details and a description of your support case. You may be asked to provide us with other information to facilitate provision of support, such as generated log files or dumps. The data from such support may only be used for the provision of the support service and to enhance your experience while providing support. The maximum storage period is limited by the time required to provide support and review, and even in a pseudonymized form cannot exceed a period of 10 years.
- Email addresses provided to ESET, for example as part of trial license activation or purchases on our websites, may also be processed in the form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, i.e. profiling. Your activity on our website and your email address may be used to analyze or predict aspects concerning your personal preferences with respect to ESET products and services in order to provide personalized marketing messages or website content without any significant or legal consequences. The length of the retention period is based on the contract duration or the exercise of your right to object to the data’s processing.
- Customer feedback, answers or requests may be provided by You via ESET Threat Intelligence portal by our web forms. For the purpose of follow-up, your contact details including name, surname and/or customer name, email address, IP address or other data may be requested based on the nature or purpose of our communication. Data storage periods may differ based on the nature or purpose of communication explicitly in compliance with this Privacy Policy.
- Research or survey inputs may be provided by You via your ESET account by our web forms. For the purpose of follow-up, your contact details including name, surname, email address or other data may be requested based on the nature or purpose of our communication. Data will be stored until the end of the customer research or survey based on the nature or purpose of communication explicitly in compliance with this Privacy Policy.
- If You use our products or services designed for parents, the protection of personal data related to children is in place as required by the respective jurisdiction. All additional information is included in the product or service documentation.
- We want to do our best to help You to enjoy safer technology. Your input is very valuable for us and We provide a range of channels by which You can provide us with samples of malicious or suspicious software. Samples and their metadata will be processed and stored based on public interest as well as the legitimate interest of ESET, which is cybersecurity. ESET Threat Intelligence contains certain predefined monitoring rules, however, the extent of monitoring that is actually being performed in your infrastructure as well as the exact data being collected depends on rules, exclusions and settings managed by You and your administrators. We will therefore process such data as your data processor based on Data Processing Agreement that forms part of the Terms and only to provide you with our services. We will store these data for a limited time period in accordance with our Logs Retention Policy.
Please note that if the person using our products and services is not the End User who has purchased the product or service and concluded the Terms with Us (e.g. an employee of the End User, a family member or a person otherwise authorized to use the product or service by the End User in compliance with Terms), the processing of the data is carried out in the legitimate interest of ESET within the meaning of Art. 6 (1) f) GDPR to enable the user authorized by End User to use the products and services provided by Us in accordance with Terms.
Contact Information
If You would like to exercise your right as a data subject or You have a question or concern, send us a message at:
ESET, spol. s r.o.
Data Protection Officer
Einsteinova 24
85101 Bratislava
Slovak Republic
dpo@eset.sk