DECLARATION ON PERSONAL DATA PROCESSING
Declaration on Personal Data Processing according to European Parliament and Council Regulation (EU) 2016/679 on protection of natural persons in relation to Personal Data Processing and instructions for data subjects (hereinafter “GDPR”).
I. Personal data administrator
Personal data administrator:
Company reg. no. 27789969
herewith informs data subjects, in accordance with Article 12 GDPR, about the processing of their personal data and about their rights.
II. Scope of personal data processing
Personal data are processed to the extent provided by data subject in connection with conclusion of a contractual or other legal relationship with the administrator or which the administrator has collected using some different method and is processing them in accordance with the applicable legislation or in performance of the administrator´s statutory obligations.
III. Personal data sources
- Directly from subjects (for example registration, e-mails, phone, chat, web pages, web contacts forms, social networks, business cards, consents, video recordings acquired by administrator´s technical equipment etc.)
- From public files – for purposes of present document public files mean: public register according to Act No. 304/2013 Coll., on public registers of legal and natural persons, as amended, i.e. club register, foundation register, register of institutes, register of owners associations, trade register and register of public service companies; other registers within the meaning of Regulation no. 111/2009 Coll., on basic registers, as amended
IV. Personal data categories subject to the processing by administrator
Identification data, contact data, descriptive information, transaction data, product technical data.
V. Data subject categories
Particular natural person whose personal data is in question is the data subject.
- Employee of the administrator
- Job applicant with the administrator
- Administrator´s contracting partner (business or non-business natural person)
- A subject in pre-contractual relation with the administrator (ordering party before acceptance of particular order, enquiring party etc.)
- Party to the proceedings
- Minor party to the proceedings
- Participant, interested party
- Liable party
- Affected party
VI. Category of personal recipients and processing parties
- State administration bodies
- Local authorities
- Public institutions
- Insurance companies
- External subjects providing services to the administrator in different areas (OSH, accounting, training, education)
VII. Purpose and reasons for personal data processing
Personal data processing is carried out with the administrator:
- upon granted consent of data subject
- during contract performance with data subject
- as a part of measures taken before conclusion of a contract on data subject request
- due to fulfillment of legal obligations relating to the administrator (including archiving by law)
- to protect critical interests of data subject or other natural person
- in order to carry out a task performed within public interest or exercise of public authority to which the administrator is entrusted
- on grounds of legitimate interest of the administrator or third party (including archiving upon administrator´s legitimate interest)
Reasons for processing of personal data special categories:
- explicit consent of data subject
- compliance with obligations in the field of labour law, social security and social protection,
- protection of critical interests of the data subject or other natural person where particular data subject is not physically or legally entitled to grant his/her approval,
- data obviously published by the data subject at municipal authority
- determination, exercise or defense of legal claims or in court proceedings,
- important public interest
- archiving in public interest for scientific, historical or statistical purposes.
VIII. Methods of personal data processing and protection
Administrator shall carry out personal data processing. The processing is performed at its premises, the headquarters, by particular authorized employees of the administrator or external processor. The processing is carried out using information technology, even manually if necessary, in case of paper form of personal data, in compliance with all security principles given for personal data administration and processing. To this end, the administrator has taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or incidental access to personal data, its alteration, destruction or loss, unauthorized transmission, unauthorized processing, and other misuse of personal data. All entities to which personal data may be made available shall respect privacy rights of data subjects and are required to comply with applicable privacy laws.
IX. Period of personal data processing
In accordance with the deadlines set out in the relevant contracts, internal regulations of the administrator or applicable relevant legislation, it is the necessary period to secure rights and obligations arising from the contracts, legitimate interests and relevant applicable regulations.
The administrator processes particular data upon consent of particular data subject, except in cases where the processing of personal data does not require such consent of data subject. In accordance with Article 6 (1) of the GDPR, the administrator may, without consent of the data subject, process the following data: when the data subject has given consent for one or more specific purposes, processing is necessary to fulfill a contract to which the data subject is party or to implement measures prior to conclusion of a contract at request of that data subject, the processing is necessary to fulfill the legal obligations related to the administrator, the processing is necessary to protect critical interests of data subject or other natural person, processing is necessary to fulfill a task carried out in public interest or within the exercise of the public authority entrusted to the administrator for purposes of legitimate interests of the administrator or third party, except in cases where the interests or fundamental rights and freedoms of the data subject requiring personal data protection prevail over such interests.
XI. Rights of data subjects
- In accordance with Article 12 of the GDPR, the administrator shall inform data subjects on their rights of access to personal data and the following information:
• purpose of the processing,
• category of affected personal data,
• recipient or category of recipients to which the data has been or will be made available,
• planned period of personal data storage,
• any available information on personal data source,
• if the data is not obtained from the data subject, the fact that automated decision making, including profiling, occurs.
- Any data subject who discovers or considers that the administrator or processor processes his or her personal data contrary to the protection of privacy or private life of the data subject, or in violation of law, in particular if the personal data is inaccurate with regard to the purpose of its processing, is entitled to:
• Ask the administrator for explanation.
• Ask the administrator to rectify such a condition. In particular, it may include blocking, correction, adding or deleting personal information.
• If the data subject’s request is found to be legitimate, the administrator shall remove any deficiency immediately.
• If the administrator fails to comply with the data subject’s request, the data subject is entitled to contact Supervisory Authority directly, such as Personal Data Protection Authority.
• The data subject has the right to contact Supervisory Authority directly without taking the previously stated steps.
- The administrator shall provide data subjects with information and messages in a clear, transparent, comprehensible and easily accessible way, using clear and simple language means. The administrator may provide the information and messages to data subjects in writing, where appropriate also electronically or orally, if he verifies particular data subject identity.
- At data subject request, the administrator is obliged to respond without undue delay, but no later than within one month of receipt of such a request. In justified cases, the administrator may extend this period, but not longer than 2 months. The administrator shall inform the data subject of the period extension within one month of receipt of the data subject’s request and shall inform the data subject about the reasons for the extension. In case the data subject submits a request for information and message electronically, the administrator shall provide it electronically, unless the data subject requests a different means of providing information and communication, for example in writing.
- If the data subject asks the administrator to take certain measures (correction of his or her personal data, deletion, etc.) and the administrator does not accept such a measure, it shall inform the data subject without delay, not later than 1 month after the request for the appropriate action, including reasons for not performing and information on the data subject’s ability to file a complaint with the Office for Personal Data Protection or on possibility to take legal action.
- Administrator shall provide data subject with information and messages free of charge. When the data subject makes repeated requests or these requests are unreasonable or inappropriate, the administrator may refuse or impose a reasonable charge on the data subject, covering the administrative costs associated with the provision of information and communication or the implementation of the required measures. The administrator must be able to substantiate the groundlessness or inappropriateness of the data subject’s request.
- When the administrator acquires personal data directly from the data subject, the following information shall be communicated to the data subject during the data acquisition:
a) identification and contact data of the administrator or its possible representative;
b) purposes of the processing for which the personal data are intended and legal frame of the processing;
c) justified interests of the administrator or third party when the processing is necessary for purposes of justified interests of the administrator or third person;
d) possible recipients or recipient categories of personal data;
e) contingent intention of the administrator to transmit personal data to a third country or international organization and existence or absence of a European Commission decision that particular third country or international organization provides adequate protection for personal data, in addition to that also a reference to appropriate warranties and means to obtain a copy of, or information about, where these data have been made available.
- If it is necessary to ensure fair and transparent processing, the administrator shall also provide the data subject with further information, namely the period of the processing of personal data, criteria for its determination, and also information about the rights of the data subject to correct personal data, their deletion, etc.
- If the administrator does not obtain personal data directly from the data subject, he shall, when acquiring the data, communicate to the data subject the information referred to in paragraph 7 (a), (b), (d) and (e); and if need be also other information under paragraph 8.
- The administrator shall inform the data subject about any change in the purpose of the processing of his or her personal data whenever it occurs.
- The administrator is required, upon request, to provide the data subject with a confirmation of whether or not the administrator manages the personal data concerning him / her and, if so, to provide the data subject with access to the following data and information:
a) purposes of the processing;
b) category of affected personal data,
c) recipients or categories of recipients whom personal data have been or will be made available, in particular to recipients in third countries or to international organizations;
d) planned period for which personal data will be stored or, if it is not possible to specify such a time period, the criteria used to determine that time;
e) existence of the right to require from the administrator to correct or delete personal data relating to the data subject or to restrict their processing or to object to such a processing;
f) right to lodge a complaint with the Office for the Protection of Personal Data;
g) any available information on the source of personal data, if it is not obtained from the data subject.
- In accordance with the obligations set out in paragraph 11 the administrator is required to provide the data subject with copy of the processed personal data. The administrator may charge a reasonable administrative fee for the provision of copies under the previous sentence.
- The administrator has the obligation to correct inaccurate personal data concerning the data subject without any unnecessary delay, to complete incomplete personal data, including by providing an additional statement.
- The administrator is under obligation to delete personal data relating to the data subject without undue delay if one of the following reasons is met:
a) personal data are no longer required for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent if personal data has been processed on the basis of such consent and there is no further legal reason for the processing;
c) the data subject objects to the processing and there are no prevailing legitimate reasons for the processing;
d) personal data has been processed unlawfully;
e) personal data must be erased in order to comply with legal obligation stipulated by European Union law or the law of the Czech Republic.
- If the administrator has disclosed data subject´s personal data and is required to delete it, the administrator must take reasonable steps (considering available technology and costs) to inform other data administrators who process the said personal data, that the data subject requests them to delete all references to particular personal data, its copies and replication.
- The administrator is not obliged to meet the obligations under paragraphs 14 and 15 if the processing of personal data is necessary for him, for example to fulfill some legal obligation requiring the processing of personal data by the law of the European Union or by Czech legislation applicable to the administrator, or for the determination, exercise or defense of their legal claims, etc.
- The administrator is obliged to restrict the processing of the personal data of the data subject when:
a) the data subject denies the accuracy of personal data – for necessary time the administrator needs to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject rejects the deletion of personal data and instead requires limiting its use;
c) the controller no longer needs personal data for processing but the data subject requires it to identify, exercise or defend legal claims;
d) the data subject has raised an objection to processing under paragraph 19 of this Article of the Directive until it has been ascertained whether administrator´s legitimate reasons for the processing prevail over the legitimate reasons of the data subject.
- When the administrator has restricted the personal data processing under the preceding paragraph of this Directive, such personal data may be processed only with consent of the data subject or for the purpose of determining, enforcing or defending legal rights, for the protection of rights of another natural or legal person or important public interest of the European Union or of EU Member State.
- The controller shall inform in advance the data subject about the cancellation of the limitation of personal data processing pursuant to paragraph 17.
- The administrator is required to notify particular recipients of any corrections or deletions of personal data, restrictions on the processing of personal data, except when this proves to be impossible or requires unreasonable effort. The administrator shall also inform the data subject about such recipients if the data subject requests it.
- In the event that the data subject objects to the processing of personal data by Owner´s Association which the administrator processes for the purposes of legitimate interests of the administrator or third party, the administrator shall not further process the personal data unless it proves important legitimate reasons for the processing that prevail over the interests or rights and freedoms of the data subject, or for the determination, exercise or defense of legal claims. The administrator must inform the data subject about this right, at the latest when communicating with the data subject for the first time.
If the administrator receives a submission presented by a natural person – a data subject who, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR),
- enforces right for access to their personal data,
- asks for processing of their request to confirm whether an administrator within the meaning of the GDPR processes personal data concerning the applicant,
- requests free copies of processed personal data,
- asks which categories of personal data are processed,
- asks for information why the personal data are being processed,
- asks for a statement as to what is the scheduled time for which personal data will be stored or if it is not possible to determine what criteria are used to determine that time,
- asks for information whether (and under what conditions) they can ask the administrator to correct or delete personal data or to limit its processing, or whether and how the data subject may object to the processing of their personal data,
- asks for information whether (and how) the data subject may lodge a complaint with the supervisory authority and who is such an authority,
- asks for information on all available information about the source of the personal data which the data subject relates to, unless they were obtained directly from him,
- asks whether the processing of the data subject’s personal data also involves automated decision-making, including the profiling referred to in Article 22 (1) and (4) of the GDPR, and at least in those cases, further requests for meaningful information on the procedure used, and the significance and foreseeable consequences of such processing for its person,
- asks for a message as to who is the recipient of the personal data of that data subject or, where appropriate, asks for the categories to which his or her personal data have been or will be made available.
- asks to be informed on third-country recipients and international organizations that have or would have personal data of the data subject available,
- asks for the provision of information on guarantees under Article 46 GDPR in case personal data are transferred to a third country or international organization,
the administrator is obliged to verify identity of the applicant sufficiently before processing the above requests. If the administrator has doubts about the identity of the applicant, it is entitled to ask the applicant for additional information necessary to confirm his / her identity (Article 12 (6) GDPR).
In the event of any doubts as to the identity of the applicant, the administrator is entitled to request from this person:
- to send the application with the certified signature of the applicant if the applicant made the application in paper form,
- to send the request with an electronic signature, that is, data in electronic form that are logically associated with the data message or attached to it and which serve as a method for unique identity verification of signed person in relation to the data message,
- to send a request via a data box if the applicant has established such a data box.
The administrator is not entitled to request additional information to verify applicant´s identity namely in situations when:
- The administrator within the relevant time (i.e. the time of submission of the relevant application) processes e-mail contact from which particular application was sent as the personal data of the applicant,
- the administrator shall process the applicant’s telephone number within the relevant time, then make a phone call to that telephone number to verify the identity of the applicant and, upon agreement with the applicant, send the requested information or communicate other facts concerning the processing of personal data by electronic means to the applicant to specified e-mail address or in writing to the address given by the applicant,
- the administrator has the possibility to verify the identity of the applicant otherwise (e.g. through public registers, prior communication)
- the applicant presented the application in person in front of the relevant employee or other authorized person of the administrator.
XII. Final provisions
If you have any inquiries regarding data subject personal data processing, you can contact our appointed employee.
Email : firstname.lastname@example.org
The declaration is publicly available at administrator´s web pages: www.topteramo.cz/en/informace/ochrana-dat/
The latest update of this Statement was made on May 17, 2018