ADMINISTRATORS INFORMATION DUTIES TOWARDS AFFECTED SUBJECTS
This information aims to fulfil the prescribed the administrators duties towards data subjects, whose personal data (hereinafter referred to as PD) are processed by the administrator, those being the personal data of clients of the company of Šroubek Ústí nad Labem s.r.o. with registered office at Tovární 3416/42a, Ústí nad Labem-centrum, 400 01 Ústí nad Labem, Company ID 25429167, registered with Regional Court in Ústí nad Labem, Section C, Insert 17867 (Company or Administrator), and to provide information about the personal data the Administrator processes about individuals when providing services and/or goods, legal actions, inform about rights and duties of individuals and legal entities arising from industrial relations and contacts with third parties, about the purposes and term for which the Administrator processes such personal data in accordance with valid legislation, and to whom and for what reasons the Administrator may give them, and also inform about the rights individuals have in relation to personal data processing. This information is effective from 25 May 2018 and it is published in accordance with Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data (Regulation or GDPR) with a view to fulfilling the information duty of the Company as the administrator according to Article 13 of GDPR.
I. Categories of personal data
Personal data is any information that is related to an individual who the Company is able to identify. The Administrator may process the following categories of personal data in relation to providing services and/or goods and legal actions within contractual relationships:
A. Basic personal data and address details
Such data are necessary to provide services and/or goods. These include especially:
- name and surname
- date of birth, personal number
- permanent residency address
- statutory representatives identification data
B. Contact details
Contact phone number, contact e-mail
C. Data from contents of communication between Administrator, client and employee
These data originate from communication related to providing services and/or goods and legal actions within contractual relationships between the Administrator, a business partner, client, employee and a third party. These are records of personal communication with a business partner, client, employee and a third party on the Companys premises or other direct contact with a business partner, client, employee and a third party, written and electronic communication with a customer and/or a business partner, recorded phone calls, chat and video chat communication between a business partner, client, employee and a third person and the Company.
D. Video camera records from the Companys premises
The Company places cameras into its premises in order to protect legitimate interests of the Company. Areas where cameras are placed are always marked with a notice.
E. Data processed upon consent of business partner, client, employee and third party
Processing of these data is not strictly necessary to fulfil legal duties, contracts or protect the legitimate interests of the Company, but its processing allows the Company to improve the manage process, focus on what business partners, clients, employees and third parties are really interested in, and eventually inform business partners, clients, employees and third parties about offers for improvement of the managed process which are suitable for them. These data are only processed upon a given consent and may be processed for the duration of such consent. These include especially the following:
- Data acquired for business activities
- data about improvement of the managed process of the Company
- contact details which are not related to business representatives
- clients and employees of the Company
The extent of data processing depends on the purpose of the processing. For some purposes, it is possible to process data directly on the basis of a contract, legitimate interests of the Company or law (without consent), for other purposes upon consent only.
A. Z Processing in order to fulfil contracts, meeting statutory obligations and on grounds of legitimate interests of the Administrator
Provision of personal data necessary to fulfil a contract, meet statutory duties of the Company and protect legitimate interests of the Administrator is mandatory. Without providing personal data for these purposes it would not be possible to ensure the managed process. We do not need consent to process personal data for such purposes. Processing in order to fulfil a contract and meet statutory duties cannot be refused. The partial purposes include especially the following:
- Ensuring operations of the Company and managed processes (statutory performance)
- billing for any services (fulfilment of a contract)
- meeting statutory tax duties (meeting statutory duties)
- purposes provided for by special law for purposes of criminal proceedings and for meeting the duty to cooperate with Police of the Czech Republic and other state bodies (meeting statutory duties
- operating video camera and monitoring systems on the premises of the Company for the purposes of preventing damage (legitimate interest)
- collecting claims from business partners, clients, employees and third parties (legitimate interest)
- processes related to customer identification (fulfilment of a contract), debtor file (legitimate interest)
Personal data for these activities are processed to the extent necessary to perform these activities and for the time period necessary to complete them, or for term directly stipulated by legislation. Personal data are then erased or anonymised. The basic terms for personal data processing are available below. In the event that negotiations between the Company and a prospective employee about entering into an employment contract do not result in entering into an employment contract or agreement, the Administrator is entitled to process the personal data provided for 3 months following such negotiations. Invoices issued by the Company are archived for 10 years after they have been issued in compliance with Section 35 of Act No. 235/2004 Sb. on value added tax. As it is necessary to substantiate legal grounds for issuing invoices, contracts with individuals or legal entities are also archived for 10 years after the termination of such contracts. Personal data necessary for qualifying for special ZTP (severe health disability) or ZTP/P (severe health disability requiring special assistance) discounts in accordance with Section 3 of Act No. 127/2005 Sb. on electronic communication are processed for 5 years after such discount was granted or until it is no longer possible to challenge the amount of government contribution to such discounts provided such time period is longer. Video camera records from brand shops and f rom the Companys premises and the surroundings of the Companys buildings are processed at maximum for 90 days after the camera record was made.
B. Z Processing of personal data of data subjects that gave consent to business and marketing addressing by electronic contact
The Administrator processes contact details of subjects that gave their consent to business and marketing addressing by electronic contacts for the purposes of business and marketing addressing related to a survey conducted by the Company upon the subjects consent for the time period stated in such consent.
III. Categories of personal data recipients
When fulfilling its obligations and duties arising from contracts and self-management, the Company uses specialised services of other subjects. If such suppliers process personal data received from the Administrator, they are in the position of personal data processors and they only process personal data as instructed by the Administrators representatives and they must not use them any other way. This includes especially debt recovery, activities of experts, lawyers, auditors, IT system administration, internet advertising or other representation. We select each such subject with great care and we conclude a contract on personal data processing with every subject, which stipulates strict duties for the processor with regard to the protection and security of personal data. The processors are companies with registered seats in the Czech Republic and member countries of the European Union or so-called safe countries. In countries outside the European Union, disclosure and processing of personal data always complies with legislation in force. When meeting its statutory duties, the Administrator discloses personal data to administration bodies and authorities as provided for by law.
IV. Manner of personal data processing
The Administrator processes personal data manually and with computer aid. The Company keeps records of all activities, both manual and computerised, when personal data are processed.
V. Information on data subjects rights in relation to personal data processing effective from 25 May 2018
In accordance with the Regulation, data subjects that are identifiable for the Administrator and prove their identity, shall have the following rights from 25 May 2018:
A. Right to access to personal data
In accordance with Article 15 of the Regulation, data subjects shall have a right to access to personal data, which includes the right to acquire from the Administrator the following: confirmation whether it processes personal data, information about the purposes of the processing, categories of personal data affected, recipients to whom personal data were or will be disclosed, planned time period of processing, information about the existence of the right to request the Administrator correctsor erase the personal data related to the data subject or limits their processing, or raise an objection to such processing, right to file a complaint with a supervisory authority, about all available information about the source of the personal data if such data are not acquired from the data subject, about the fact that computerised decision-making is conducted including profiling, about suitable guarantees when disclosing data outside EU, in the event that rights and freedoms of others and copies of personal data are not adversely affected. In case of a repeated application the Administrator shall have the right to charge a reasonable fee for a copy of the personal data. The right for confirmation of personal data processing and for information may be claimed in writing at the address of the Companys registered office. The right for a copy of personal detail may be claimed at the management services of the Director of the Company provided the justification of such application is substantiated.
B. Right for correction of inaccurate data
In accordance with Article 16 of the Regulation, data subjects shall have the right for correction of inaccurate personal data the Administrator will process about them. Sales representatives, clients and employees are also obliged to report changes of their personal data and substantiate that such changes occurred. They are also obliged to cooperate with us if it is discovered that the personal data we process about them are inaccurate. We will make changes without undue delay, however, always with regard to given technical conditions. An application to correct personal data may be lodged with the management services of the Company provided the justification of such application is substantiated.
C. Right to erasure
In accordance with Article 17 of the Regulation data subjects shall have the right to erasure of personal data that are related to them if the Administrator does not substantiate legitimate grounds for processing of such personal data. The Administrator has set mechanisms to ensure automatic anonymisation or erasure of personal data in the event that they are no longer necessary for the purpose they were processed for. If a data subject believes that its personal data were not erased, it can contact us in writing at the Companys address.
D. Right to limitation of processing
In accordance with Article 18 of the Regulation data subjects shall have the right to limitation of processing if they deny the accuracy of the personal data, the purposes of their processing or if they raise an objection against their processing in writing at the address of the Companys registered office until such claim is settled.
E. Right to notification of corrections, erasure or limitation of processing
In accordance with Article 19 of the Regulation data subjects shall have the right to notification by the Administrator in case of any corrections, erasure or limitations of personal data processing. If there is a correction or erasure of personal data, we will inform each recipient unless it proves impossible or requires unreasonable effort. We can provide information about such recipients upon a data subjects request.
F. Right to transferability of personal data
In accordance with Article 20 of the Regulation data subjects shall have the right to transferability of personal data related to them which they provided to the Administrator, in a structured commonly used and machine-readable format, and the right to ask the Administrator to give such personal data to a different Administrator. If a data subject provided us with its personal data in connection with a service contract or upon its consent and the processing of such data is conducted in an automated way, the data subject has the right to acquire such data from us in a structured commonly used and machine-readable format. If technically possible, data may be given to an administrator designated by you provided there is a duly designated person acting on behalf of such administrator and it is possible to authorise this person. In the event that exercise of this right could negatively affect rights and freedoms of third parties, your application cannot be granted. The application may be lodged with the management services of the Company provided the justification of such application is substantiated.
G. Right to raise an objection against personal data processing
In accordance with Article 21 data subjects shall have the right to raise an objection against processing of their personal data for the reasons of the Administrators legitimate interests. In the event that the Administrator fails to prove that there is a significant legal ground for such processing, which outweighs the interests or rights and freedoms of the data subject, the Administrator shall cease the processing upon the objection without undue delay. The objection may be sent in writing at the address of the Companys registered office.
H. Right to withdraw consent with personal data processing
Consent to personal data processing for legal actions and business purposes, effective from 25 May 2018 may be revoked any time after this date. The withdrawal must be done in an express, understandable and specific manifestation of will to the management services of the Company. Consent to business and marketing addressing given for a specific electronic contact may be revoked any time to the management services of the Company.
CH. Right to approach Office for personal data protection
Data subjects have the right to approach the Office for personal data protection (www.uoou.cz).
VI. Representative for personal data protection
From 25 May 2018 the following contact details of a representative for personal data protection in accordance with the Regulation are available: MOPRO CS s.r.o., representative for personal data protection, contact person Mr. Radek Hykyš e-mail firstname.lastname@example.org.