PERSONAL DATA PROCESSING STATEMENT
Statement on the processing of personal data in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the instruction of data subjects (hereinafter "GDPR")
I. Personal Data Controller
Personal Data Controller:
Name (company): RAVAK a.s.
Registered office: Obecnická 285, Příbram I, 261 01 Příbram
represented by: Ing. Josef Stibor, CEO
Company ID: 25612492
Tax ID: CZ25612492
(hereinafter referred to as "controller")
hereby informs data subjects about the processing of their personal data and their rights in accordance with Art. 12 GDPR.
II. Scope of personal data processing
Personal data are processed to the extent that the data subject has provided them to the controller in connection with the conclusion of a contractual or other legal relationship with the controller, or to the extent that the controller has otherwise collected them and processes them in accordance with applicable legal regulations or to fulfill the controller's legal obligations.
III. Sources of personal data
- directly from data subjects (e.g. registration, emails, phone, chat, websites, contact form on the website, social networks, business cards, contracts, consents, video recording made by the controller's technical device, etc.)
- from public records - for the purposes of this document, a public record is:
- public register according to Act No. 304/2013 Coll., on public registers of legal and natural persons, as amended, i.e. association register, foundation register, institute register, register of unit owners' communities, commercial register and register of public benefit corporations;
- other registers in the sense of Act No. 111/2009 Coll., on basic registers, as amended
IV. Categories of personal data that are the subject of processing by the controller
Identification data, contact data, descriptive data, transaction data, technical product data.
V. Categories of data subjects
The data subject is a natural person to whom the personal data relate, specifically:
- controller's employee
- applicant for employment with the controller
- contractual partner of the controller (natural person - entrepreneur, non-entrepreneur)
- subject in a pre-contractual relationship with the controller (orderer before accepting the order, inquirer, etc.)
- participant in proceedings
- secondary participant in proceedings
- affected person, participant
- authorized person
- obliged person
- injured party
VI. Categories of processors and recipients of personal data
- state administration bodies
- local government bodies
- public institutions
- banking institutions
- insurance companies
- external entity providing services to the controller in various areas (OSH, accounting, training, education)
VII. Purpose and reasons for processing personal data
The processing of personal data takes place at the controller:
- based on the consent given by the data subject
- when fulfilling a contract with the data subject
- when implementing measures taken before the conclusion of a contract at the request of the data subject
- due to the fulfillment of a legal obligation relating to the controller (including archiving based on the law)
- due to the protection of vital interests of the data subject or another natural person
- due to the fulfillment of a task carried out in the public interest or in the exercise of public authority with which the controller is entrusted
- due to the legitimate interest of the controller or a third party (including archiving based on the legitimate interest of the controller)
Reasons for processing special categories of personal data
- explicit consent of the subject,
- fulfillment of obligations in the field of labor law, social security law, and social protection,
- protection of vital interests of the data subject or another natural person in case the data subject is not physically or legally capable of giving consent,
- personal data publicly disclosed by the data subject,
- determination, exercise or defense of legal claims or when dealing with courts,
- significant public interest,
- archiving in the public interest, for scientific or historical research purposes or for statistical purposes
VIII. Method of processing and protection of personal data
The processing of personal data is carried out by the controller. The processing is carried out at its premises and at the controller's headquarters by individual authorized employees of the controller, or possibly by the processor. Processing takes place through computer technology, or manually for personal data in paper form, while observing all security principles for the management and processing of personal data. For this purpose, the controller has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, their unauthorized processing, as well as other misuse of personal data. All entities to which personal data may be made available respect the right of data subjects to privacy and are obliged to act in accordance with applicable laws on the protection of personal data.
IX. Duration of personal data processing
Personal data are processed for the period necessary to ensure the rights and obligations arising from contracts, legitimate interests, as well as from relevant legal regulations, in accordance with the deadlines specified in the relevant contracts, in the internal regulations of the controller or in the relevant legal regulations.
X. Rights of data subjects
1. In accordance with Art. 12 GDPR, the controller informs the data subject about the right to access personal data and the following information:
- the purpose of processing,
- the category of affected personal data,
- the recipient or categories of recipients to whom personal data have been or will be disclosed,
- the planned period for which personal data will be stored,
- all available information about the source of personal data, if they are not obtained from the data subject,
- the fact of automated decision-making, including profiling.
2. Any data subject who discovers or believes that the controller or processor is processing his personal data in a manner inconsistent with the protection of the private and personal life of the data subject or in violation of the law, especially if the personal data are inaccurate with regard to the purpose of their processing, may:
- Ask the controller for an explanation.
- Require the controller to remedy the situation. This may particularly involve blocking, making corrections, supplementing or deleting personal data.
- If the data subject's request is found to be justified, the controller will immediately remedy the defective situation.
- If the controller does not comply with the data subject's request, the data subject has the right to contact the supervisory authority directly, which is the Office for Personal Data Protection.
- The data subject has the right to submit his complaint to the supervisory authority directly without taking the previous steps.
3. The controller provides data subjects with information and communications in a concise, transparent, understandable and easily accessible form using clear and simple language. The controller may provide information and communications to data subjects in writing, electronically in appropriate cases, or orally, if it verifies the identity of the relevant data subject.
4. The controller is obliged to respond to requests from data subjects for information without undue delay, but no later than 1 month from receipt of such a request. In justified cases, the controller may extend this period, but by no more than 2 months. The controller informs the data subject about the extension of the period, also within 1 month from receipt of the data subject's request and informs the data subject of the reasons for this extension. If the data subject submits a request for information and communication electronically, the controller will provide them electronically, unless the data subject requests another method of providing information and communication, for example in writing.
5. If the data subject requests the controller to take certain measures (correction of his personal data, their deletion, etc.) and the controller does not take such measures, he informs the data subject without delay, no later than 1 month from the request to take the relevant measure, including the reasons for not taking these measures and also information about the possibility for the data subject to file a complaint with the Office for Personal Data Protection, or to go to court.
6. The controller provides information and notifications to the data subject free of charge. In the event that the data subject makes repeated requests, or these requests are unreasonable or excessive, the controller may reject the data subject's request or impose a reasonable fee covering the administrative costs associated with providing information and notifications or associated with the implementation of the required measures. The controller must be able to prove the unreasonableness or disproportionality of the data subject's request.
7. In the event that the controller obtains personal data directly from the data subject, he will provide the data subject with the following information upon their acquisition:
a) identification and contact details of the controller and any representative of the controller;
b) the purposes of processing for which the personal data are intended, and the legal basis for processing;
c) legitimate interests of the controller or a third party in the event that processing is necessary for the purposes of the legitimate interests of the controller or a third party;
d) possible recipients or categories of recipients of personal data;
e) the controller's possible intention to transfer personal data to a third country or international organization and the existence or non-existence of a decision by the European Commission that this third country or international organization provides adequate protection of personal data, further reference to appropriate guarantees and means to obtain a copy of this data or information on where this data has been made available.
8. If necessary to ensure fair and transparent processing, the controller will provide the data subject with additional information, especially the duration of personal data processing, or criteria for its determination, as well as information on the data subject's right to correct personal data, their deletion, etc.
9. In the event that the controller does not obtain personal data directly from the data subject, he will provide the data subject with the information specified in paragraph 7 letters a), b), d) and e), possibly also other information according to paragraph 8.
10. The controller informs the data subject about the change in the purpose of processing personal data whenever it occurs.
11. The controller is obliged to confirm to the data subject upon request whether the controller processes personal data concerning him, and if so, to provide the data subject with access to this data and the following information:
a) purposes of processing;
b) categories of affected personal data;
c) recipients or categories of recipients to whom personal data have been or will be made available, especially recipients in third countries or international organizations;
d) planned period for which personal data will be stored, or if it is not possible to determine, criteria used to determine this period;
e) the existence of the right to request from the controller the correction or deletion of personal data concerning the data subject or restriction of their processing or to object to this processing;
f) the right to file a complaint with the Office for Personal Data Protection;
g) all available information about the source of personal data, if they are not obtained from the data subject.
12. The controller is obliged to provide the data subject with a copy of the processed personal data in accordance with the obligations set out in paragraph 11. The controller may charge a reasonable administrative fee for providing copies according to the previous sentence.
13. The controller has an obligation to correct inaccurate personal data concerning the data subject without undue delay, to supplement incomplete personal data, including by providing an additional declaration.
14. The administrator has the obligation to erase personal data relating to the data subject without undue delay if one of the following reasons is met:
a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent if the personal data were processed based on this consent, and there is no other legal reason for processing;
c) the data subject objects to the processing and there are no overriding legitimate reasons for processing;
d) personal data have been processed unlawfully;
e) personal data must be erased in order to fulfill a legal obligation established by the law of the European Union or the legal order of the Czech Republic.
15. In the event that the administrator has published the personal data of the data subject and is obliged to erase them, the administrator must take (considering the available technology and costs) appropriate steps to inform other personal data administrators who process these personal data that the data subject requests them to erase all references to these personal data, their copies, and replications.
16. The administrator is not obliged to fulfill the obligations under paragraphs 14 and 15 if the processing of personal data is necessary for him, e.g. to fulfill a legal obligation that requires the processing of personal data by the law of the European Union or the legal order of the Czech Republic, which applies to the administrator, or for the determination, exercise or defense of his legal claims, etc.
17. The administrator is obliged to restrict the processing of personal data of the data subject if:
a) the data subject disputes the accuracy of personal data, for the time necessary for the administrator to verify the accuracy of personal data;
b) the processing is unlawful and the data subject refuses to erase personal data and instead requests a restriction on their use;
c) the administrator no longer needs personal data for processing purposes, but the data subject requires them for the determination, exercise or defense of legal claims;
d) the data subject has objected to the processing under paragraph 19 of this article of the directive, until it is verified whether the legitimate reasons of the administrator for processing outweigh the legitimate reasons of the data subject.
18. In the event that the administrator has restricted the processing of personal data according to the previous paragraph, these personal data may be processed only with the consent of the data subject, or for the purpose of determining, exercising or defending legal claims, for the protection of the rights of another natural or legal person or for reasons of significant public interest of the European Union or a member state of the European Union.
19. The administrator informs the data subject in advance about the cancellation of the restriction on the processing of personal data under paragraph 17.
20. The administrator is obliged to notify individual recipients of information about all corrections or erasures of personal data, about the restriction of the processing of personal data, except in cases where this proves impossible or requires disproportionate effort. The administrator also informs the data subject about these recipients if the data subject requests it.
21. In the event that the data subject objects to the processing of personal data by the Community of Owners, which the administrator processes for the purpose of legitimate interests of the administrator or a third party, the administrator does not further process personal data on the basis of this objection, unless he demonstrates serious legitimate reasons for processing that outweigh the interests or rights and freedoms of the data subject, or for the determination, exercise or defense of legal claims. The administrator must inform the data subject about this right, no later than at the first communication with the data subject.
XI. Verification of the identity of the data subject
- In the event that the administrator receives a submission from a natural person - a data subject, who in accordance with the Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as "GDPR")
a) exercises the right of access to his/her personal data, and/or,
b) requests the processing of a request for confirmation whether the administrator processes personal data concerning the applicant in accordance with the GDPR, and/or,
c) requests the provision of free copies of processed personal data, and/or,
d) requests information on which categories of personal data are being processed, and/or,
e) requests information on the purpose for which personal data are processed, and/or,
f) requests information on the planned duration for which personal data will be stored, or if it is not possible to determine, what are the criteria used to determine this period, and/or,
g) requests information on whether (and under what conditions) the data subject can request the administrator to correct or delete personal data, restrict their processing, or whether and how the data subject can object to the processing of his/her personal data, and/or,
h) requests information on whether (and how) the data subject can file a complaint with the supervisory authority and who is this supervisory authority, and/or,
i) requests information on all available information about the source of personal data concerning the data subject, if they were not obtained directly from him/her, and/or,
j) requests information on whether, in relation to the processing of personal data of the data subject, there is also automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR, and at least in these cases further requests the provision of meaningful information concerning the procedure used, as well as the significance and expected consequences of such processing for his/her person, and/or,
k) requests information on who are the recipients of the personal data of this data subject, or requests to specify their categories to which his/her personal data have been or will be made available, and/or,
l) requests information on recipients from third countries and international organizations who have had or will have access to the personal data of the data subject, and/or,
m) requests the provision of information regarding guarantees under Article 46 of the GDPR in the event that personal data are transferred to a third country or international organization,
the administrator is always obliged to sufficiently verify the identity of the applicant before processing the above requests. If the administrator has doubts about the identity of the applicant, he/she has the right to request additional information from the applicant necessary to confirm his/her identity (Article 12(6) of the GDPR).
- The administrator is entitled to request from the person in case of doubts about the identity of the applicant:
a) sending a request with the applicant's verified signature in case the applicant made the request in written form,
b) sending a request with an electronic signature, i.e. with data in electronic form, which are attached to the data message or are logically associated with it, and which serve as a method for unambiguously verifying the identity of the signed person in relation to the data message,
c) sending a request by data box, if the applicant has one set up.
- The administrator is not entitled to require additional information to verify the identity of the applicant, especially in cases where:
a) the administrator processes the email contact as the applicant's personal data from which the relevant request was sent at the decisive time (i.e. the time of submission of the relevant request),
b) the administrator processes the applicant's phone number at the decisive time, then makes a phone call to this phone number for the purpose of verifying the applicant's identity and according to the agreement with the applicant then sends the requested information or communicates other facts concerning the processing of personal data electronically to the email address provided by the applicant or in writing to the address provided by the applicant,
c) the administrator has the possibility to verify the identity of the applicant in another way (e.g. through public registers, previous communication),
d) the applicant made the request in person before the relevant employee of the administrator or another person authorized by him/her.
XII. Final Provisions
The statement is publicly available on the administrator's website: https://www.ravak.cz/
The last update of this Statement was made on May 24, 2018.