Personal Data Protection

This site will tell you everything about the personal data processing that we carry out. If we process your personal data, you will find here detailed information on your rights and the manner in which your rights can be exercised. You will find more details on each individual processing, your rights and the manner in which your rights may be exercised under the following links designating specific groups of persons whose personal data are being processed, or specific types of processing.

We do not carry out information obligation or other duties under the personal data protection legislation on behalf of the clients. We do not accept applications from the clients for the exercise of data-protections rights. 

  1. Clients, their representatives and third parties (provision of legal services)
  2. Employment applicants
  3. Employees
  4. Marketing (information on services, including commercial communications)
  5. Suppliers of goods and services and their representatives

A CCTV camera is operated in the premises of our office and recordings are made by FSM, a.s., an independent contractor.

  1. CCTV camera system 

LAYER II.

Key characteristics of individual types of processing

  1. Clients, their representatives and third parties (provision of legal services) – processing of personal data of clients, their representatives and third parties for the purpose of rendering legal services and meeting statutory obligations and professional rules. 

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available ZDE.

  1. Employment applicants collection and processing of identification and contact data of job applicants and their retention during the selection process, including data on education, qualifications and past experience. 

By requesting to be placed on the list potential employees who will be approached with suitable job offers, the applicants who were not selected or applied at the time when the company had no vacancies give their consent with data processing and receiving job offers via electronic mail. The company will retain such data for a period of 6 months after the consent was given. The data to be retained and processed include identification and contact information, past experience, education and qualifications.

The consent given in keeping with the process described above may be withdrawn at any time. When such consent is withdrawn, the applicant will be removed from the list of applicants and will no longer receive job offers from the company.

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available  HERE.

  1. Employees – processing of employees’ personal data is carried out to ensure compliance with the employer’s legal obligations (performance of obligations arising from the employment contract) and the exercise and protection of the employer’s rights and legitimate interests.

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available  HERE.

  1. Marketing – collection and processing of data for the purposes of offering services to clients and potential clients. 

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available  HERE.

  1. Goods or service suppliers and/or their representatives contact information – retention of contact data used for entering into and data necessary for the performance of contracts with the suppliers of goods or services; retention of any contact information of the suppliers’ representatives (employees, statutory representatives or other designated persons).

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.

  1. CCTV cameras FSM, a.s., makes a camera recording from the premises in which our law firm is located for the purposes of protecting the property, life and health of employees, members of the company and third parties (e.g. clients). The recording can be used, for example, to exercise liability rights and handed over to law enforcement authorities.

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.

VRSTVA III. – Konkrétní parametry zpracování osobních údajů 

I. CLIENTS, THEIR REPRESENTATIVES AND THIRD PARTIES (PROVISION OF LEGAL SERVICES)

  1. CONTROLLER

The personal data controller is Felix a spol. advokátní kancelář, s.r.o., with registered address at U Nikolajky 833/5, 150 00 Prague 5, registered in the Company Register of the City Court in Prague, under reference number C 119050 (hereinafter the „Controller“).

  1. YOUR RIGHTS

You have the following rights in respect of the personal data processing concerned:

  1. ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain information about the processing in the prescribed extent and the right to obtain, under certain conditions, a copy of the processed personal data;
    • RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
    • ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
    • RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legal interests);
    • COMPLAINT – The right to lodge a complaint with the Office for Personal Data Protection against the Controller, the processing or the terms and conditions for the exercise of rights. See www.uoou.cz for the contact details and other information about the Office;
    • PORTABILITY – The right to receive, under certain conditions stipulated by law, personal data for the purposes of their further processing by another person designated by you and to transmit those data to such person or to request that the data be transmitted directly to the other person for processing.

In addition, you have the following right:

  • RIGHT TO OBJECT – The right to request that your personal data be no longer processed for the legitimate interests pursued by the Controller. 

You can find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised  HERE. In view of the special laws governing the legal profession and the nature of legal services, the rights of the data subjects described above may not be available to the full extent.

The Controller has not designated a DATA PROTECTION OFFICER

  1. PURPOSE OF PROCESSING

The Controller processes personal data for the purpose of fulfilling contracts on legal services with the client, and for the purpose of meeting statutory obligations and professional rules for provision of legal services.

  1. LEGAL GROUND FOR PROCESSING

The legal ground for data processing is:

  • For clients – natural persons – fulfillment of the contract, fulfillment of statutory obligations under legal-profession regulations, under tax regulations and other public-law regulations prescribing keeping of books and other records, fulfillment of obligations according to professional rules, legitimate interests of the Controller (liability and other similar claims);
  • For clients – legal persons (personal data of representatives) – fulfillment of statutory obligations under legal-profession regulations (compliant provision of legal services), under tax regulations and other public-law regulations prescribing keeping of books and other records, fulfillment of obligations according to professional rules, legitimate interests of the Controller (liability and other similar claims);
  • For third parties – fulfillment of statutory obligations under legal-profession regulations (compliant provision of legal services), under tax regulations and other public-law regulations prescribing keeping of books and other records, fulfillment of obligations according to professional rules, legitimate interests of the Controller (seeking a ruling on attribution of costs, etc.);
  1. SCOPE OF THE DATA being processed

The Controller processes the following data for the above purpose:

  • For clients – natural persons – identification and contact data, additional data necessary for the provision of legal services;
  • For clients – legal persons – identification and contact data of the clients´ representatives, additional personal data of the clients´ representatives necessary for the provision of legal services;
  • For third parties (data of persons identified in legal files in connection with the provision of legal services) – identification and contact data, additional data necessary for the provision of legal services.
  1. SOURCE OF DATA

Personal data are obtained from the clients, i.e. their representatives, from public databases and open sources, from court files and through the Controller´s own activity.

  1. PROVISION OF DATA IS NECESSARY

The provision of personal data is necessary for proper provision of legal services.

  1. PERIOD for which the personal data are stored and processed

The Controller processes personal data for the period during which legal services are rendered and additionally for the period stipulated by law and by professional rules regarding archiving of documents.

  1. PLACE where the personal data will be processed

The place of processing of personal data is: the Controller’s offices and secured multimedia cloud.

  1. RECIPIENTS to whom the personal data may be disclosed

The personal data may be disclosed to the following recipients and other third parties: personal data processors used by the Controller, public authorities administering health and social insurance schemes, tax administrators, other public authorities and third parties if necessary for the provision of legal services.

  1. THIRD COUNTRIES

In the course of personal data processing, personal data are NOT transferred outside the EU.

  1. PROCESSOR

A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. 

  1. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.

Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.

In connection with the processing of personal data, profiling WILL NOT be used.

II. employment applicants

  1. CONTROLLER

The personal data controller is Felix a spol. advokátní kancelář, s.r.o., with registered address at U Nikolajky 833/5, 150 00 Prague 5, registered in the Company Register of the City Court in Prague, under reference number C 119050 (hereinafter the „Controller“).

  1. YOUR RIGHTS

VYou (as data subjects) have the following rights in respect of the personal data processing concerned:

  1. ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain information about the processing in the prescribed extent and the right to obtain, under certain conditions, a copy of the processed personal data;
  2. WITHDRAWAL OF CONSENT – Your consent to be placed on the list of job applicants may be withdrawn at any time in the manner stipulated  HERE. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal. Upon your withdrawal of consent, the processing of your data for job offers will be terminated;
  3. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
  4. ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
  5. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legal interests);
  6. The right to lodge a complaint with the Office for Personal Data Protection against the Controller, the processing or the terms and conditions for the exercise of rights. See www.uoou.cz for the contact details and other information about the Office;
  7. PORTABILITY – The right to receive, under certain conditions stipulated by law, personal data for the purposes of their further processing by another person designated by you and to transmit those data to such person or to request that the data be transmitted directly to the other person for processing.

In addition, you have the following right:

  • RIGHT TO OBJECT – The right to request that your personal data be no longer processed for the legitimate interests pursued by the Controller  

You can find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised  HERE.

The Controller has not designated a DATA PROTECTION OFFICER. 

  1. PURPOSE OF PROCESSING
  1. The Controller processes personal data of employment applicants for the purpose of: selecting the best candidate for the position and entering into a general employment contract; 
  2. By requesting to be placed on the list of potential employees who will be approached with suitable job offers, the applicants who were not selected or applied at the time when there were no vacancies give their consent with data processing for the purpose of: receiving job offers corresponding to their qualifications, education and past experience.
  1. LEGAL GROUND FOR PROCESSING

The legal ground for data processing is

  • In regard to the purpose under Paragraph 3 (i.), data processing is necessary prior to entering into and employment contract upon the request of the data subject and then possible execution of the contract (Art. 6(1)(b) of the General Data Protection Regulation).;
  • In regard to the purpose under Paragraph 3 (ii.), data processing is subject to the applicant´s consent.
  1. SCOPE OF THE DATA being processed
  • In regard to the purpose under Paragraph 3 (i.), the Controller processes the following data: identification and contact information, education, qualifications and past experience;
  • In regard to the purpose under Paragraph 3 (ii.), the applicant gives his or her consent with processing of the following data: identification and contact information, education, qualifications and past experience, information on the outcome of the job selection process (if any).
  1. PROVISION OF DATA IS NECESSARY or VOLUNTARY
  • In regard to the data processing under Paragraph 3 (i.), the provision of personal data is necessary for the purpose of taking part in the selection process. If no personal data are provided, the applicant cannot take part in the selection process;
  • In regard to the data processing under Paragraph 3 (ii.), the provision of personal data is voluntary. If no personal data are provided, the applicant cannot be put on the list of job applicants maintained by the company.
  1. SOURCE OF personal data

Personal data are obtained from the data subjects.

  1. PERIOD for which the personal data are stored and processed
  • In regard to the data processing under Paragraph 3 (i.), data are stored until the end of the selection process.
  • In regard to the data processing under Paragraph 3 (ii.), the consent is given for the period of 6 months.
  1. PLACE where the personal data will be processed

The place of processing of personal data is: the Controller’s offices and secured multimedia cloud.

  1. RECIPIENTS to whom the personal data may be disclosed

The personal data may be disclosed to the following recipients and other third parties: personal data processors used by the Controller.

  1. THIRD COUNTRIES

In the course of personal data processing, personal data are NOT transferred outside the EU.

  1. PROCESSOR

A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

  1. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.

Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.

In connection with the processing of personal data, profiling WILL NOT be used.

III. EMPLOYEES

  1. CONTROLLER

The personal data controller is Felix a spol. advokátní kancelář, s.r.o., with registered address at U Nikolajky 833/5, 150 00 Prague 5, registered in the Company Register of the City Court in Prague, under reference number C 119050 (hereinafter the „Controller“).

  1. YOUR RIGHTS

You have the following rights in respect of the personal data processing concerned:

  • ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain information about the processing in the prescribed extent and the right to obtain, under certain conditions, a copy of the processed personal data;
  • RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
  • ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
  • RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legal interests);COMPLAINT – The right to lodge a complaint with the Office for Personal Data Protection against the Controller, the processing or the terms and conditions for the exercise of rights. See www.uoou.cz for the contact details and other information about the Office;
  • PORTABILITY – The right to receive, under certain conditions stipulated by law, personal data for the purposes of their further processing by another person designated by you and to transmit those data to such person or to request that the data be transmitted directly to the other person for processing.

In addition, you have the following right:

  • RIGHT TO OBJECT – The right to request that your personal data be no longer processed for public interest purposes, for the legitimate interests pursued by the Controller or a third party.

You can find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised, HERE.

The Controller has not designated a DATA PROTECTION OFFICER.

  1. PURPOSE OF PROCESSING

The Controller processes personal data for the purpose of:

Implementation of the general employee-employer relationship and fulfillment of the employer´s legal obligations (mandatory record-keeping under the Labor Code, health and social insurance, tax liabilities) and obligations arising out of employment contracts.

  1. LEGAL GROUND FOR PROCESSING

The legal ground for data processing is: meeting the obligations of the Controller arising from employment laws and regulations, social security and tax regulations (Art. 6(1)(c) of the General Data Protection Regulation) and meeting the obligations under the contracts with employees (Art. 6(1)(b) of the General Data Protection Regulation).

  1. SCOPE OF THE DATA being processed

The Controller processes the following data for the above purpose:

Identification and contact information of the employee, their qualifications, information on the course of employment (namely time worked, statutory deductions, wages, liability claims, violations of work discipline, injuries on the job, occupational diseases, paid leave periods, banking details, number of children (if any) and their age, health insurance company, birth number, information for tax records (in case of tax allowances also personal data of a spouse and children, including birth numbers).

  1. PROVISION OF DATA IS MANDATORY

Processing of personal data in connection with employment is stipulated by law, and/or is necessary for fulfillment of obligations under the employment contract.   

Provision of data by the employee is therefore obligatory; failure to provide data may be deemed a violation of work discipline and possibly result in liability for damage. Damage may be suffered in the form of a fine to the employer imposed by the respective government authority (e.g. Social Security Administration) for a failure to produce mandatory reporting on time (such as registering the employee for social insurance purposes). 

  1. PERIOD for which the personal data are stored and processed

The Controller processes personal data: when processing is mandated by law, then for the period stipulated by law for each individual processing, when processing data necessary for the performance of fundamental employment relationship (under employment contract, agreement to perform work, or agreement to complete a job), then for the period of performance of employment obligations or even beyond, when processing is necessary for the performance of partial obligations (e.g. a non-competition clause) or for the exercise or defense of the Controller’s rights (e.g. liability for damage, dispute concerning invalidity of termination of employment, proof of compliance with public law obligations, payment of claims, etc.).

  1. RECIPIENTS and other persons to whom the personal data may be disclosed

The personal data may be disclosed to the following recipients and other third parties: personal data processors used by the Controller, public authorities administering health and social insurance schemes, tax administrators, law enforcement bodies. 

  1. PLACE where the personal data will be processed

The place of processing of personal data is: the Controller’s offices and secured multimedia cloud.

  1. SOURCE OF DATA from which personal data are obtained

Personal data are obtained from the data subjects and from their work activity. 

  1. THIRD COUNTRIES

In the course of personal data processing, personal data are NOT transferred outside the EU.

  1. PROCESSOR

A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

  1. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.

Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.

In connection with the processing of personal data, profiling WILL NOT be used.

IV. Marketing

  1. CONTROLLER

The personal data controller is Felix a spol. advokátní kancelář, s.r.o., with registered address at U Nikolajky 833/5, 150 00 Prague 5, registered in the Company Register of the City Court in Prague, under reference number C 119050 (hereinafter the „Controller“).

  1. YOUR RIGHTS

You have the following rights in respect of the personal data processing concerned:

  • WITHDRAWAL OF CONSENT – Your consent may be withdrawn at any time in the manner stipulated ZDE. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal. Upon your withdrawal of consent, the processing of your data for marketing purposes will be terminated;
  • ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain information about the processing in the prescribed extent and the right to obtain, under certain conditions, a copy of the processed personal data;
  • RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
  • ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
  • RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legal interests);
  • COMPLAINT – The right to lodge a complaint with the Office for Personal Data Protection against the Controller, the processing or the terms and conditions for the exercise of rights. See www.uoou.cz for the contact details and other information about the Office;
  • PORTABILITY – The right to receive, under certain conditions stipulated by law, personal data for the purposes of their further processing by another person designated by you and to transmit those data to such person or to request that the data be transmitted directly to the other person for processing.

In addition, you have the following right:

  • RIGHT TO OBJECT – The right to request that your personal data be no longer processed for public interest purposes, for the legitimate interests pursued by the Controller or a third party or for marketing purposes.

You can find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised  ZDE.

The Controller has not designated a DATA PROTECTION OFFICER.

  1. PURPOSE OF PROCESSING

The Controller processes personal data for marketing purposes: providing information about the Controller’s services.

  1. LEGAL GROUND FOR PROCESSING

The legal ground for the processing of personal data is: consent of the data subject, or as the case may be, the legitimate interests pursued by the Controller (marketing).

  1. SCOPE OF THE DATA being processed

The Controller processes the following data for the above purpose: contact and identification data of the data subjects, their rank and job position.

  1. PROVISION OF DATA IS VOLUNTARY

The provision of personal data is voluntary.

  1. SOURCE OF DATA

Personal data are obtained from the data subjects, from public sources, and from the Controller´s clients.

  1. PERIOD for which the personal data are stored and processed

The Controller processes personal data for the purpose stipulated in Paragraph 3: until withdrawal of consent, if such consent was given for the purpose of data processing, or as the case may be, until a legitimate objection is raised.

  1. PLACE where the personal data will be processed

The place of processing of personal data is: the Controller’s offices and secured multimedia cloud.

  1. RECIPIENTS and other persons to whom the personal data may be disclosed

The personal data may be disclosed to the following recipients and other third parties: personal data processors used by the Controller.

  1. THIRD COUNTRIES

In the course of personal data processing, personal data are NOT transferred outside the EU.

  1. PROCESSOR

A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

  1. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.

Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.

In connection with the processing of personal data, profiling WILL NOT be used.

V. GOODS OR SERVICE SUPPLIERS AND/OR THEIR REPRESENTATIVES CONTACT INFORMATION

  1. CONTROLLER

The personal data controller is Felix a spol. advokátní kancelář, s.r.o., with registered address at U Nikolajky 833/5, 150 00 Prague 5, registered in the Company Register of the City Court in Prague, under reference number C 119050 (hereinafter the „Controller“).

  1. YOUR RIGHTS

You have the following rights in respect of the personal data processing concerned:

  • ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain information about the processing in the prescribed extent and the right to obtain, under certain conditions, a copy of the processed personal data;
  • RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
  • ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
  • RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legal interests);
  • COMPLAINT – The right to lodge a complaint with the Office for Personal Data Protection against the Controller, the processing or the terms and conditions for the exercise of rights. See www.uoou.cz for the contact details and other information about the Office;

In addition, you have the following right:

  • RIGHT TO OBJECT – The right to request that your personal data be no longer processed for the legitimate interests pursued by the Controller.  

You can find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised HERE.

The Controller has not designated a DATA PROTECTION OFFICER.

  1. PURPOSE OF PROCESSING

The Controller processes personal data for the purpose of performance of a contract and for the legitimate interests pursued by the Controller: recording potential goods or service suppliers’ identification and contact data for the purposes of contract negotiation, recording any communication related to supplier contract negotiation (to prove the content of a contract or pre-contractual liability, etc.), execution and performance of the contract. Concerning the performance of a contract, the data include the documents and correspondence relating to the performance of contractual obligations as evidence of the manner in which the contract is discharged and the rights are exercised and protected.

If the supplier is not the sole party to the contract, the data of its employees, statutory representatives or other persons designated to negotiate, execute or ensure performance of the contract, are recorded.

  1. LEGAL GROUND FOR PROCESSING

The legal ground for the processing of personal data is:

  • if the supplier is a natural person acting alone: the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR) in relation to the register of potential suppliers, and the steps necessary prior to entering into and performing a contract with the data subject (Article6(1)(b) of the GDPR) in the phase of entering into, and performance of, the contract with the data subject;
  • if the supplier is a legal person or a natural person acting through its representatives including employees: the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR) in relation to the supplier register and the negotiation and performance of a contract, where the personal data of the supplier’s representatives are undergoing processing. 
  1. SCOPE OF THE DATA being processed

The Controller processes the following data for the above purpose:

  • if the supplier is a natural person acting alone: identification and contact data, i.e. the first name, surname, academic title, purpose of business and place of business, as well as the data relating to the contractual obligation, including related communication on contract negotiation and contract performance;
  • if the supplier is a legal person: identification and contact data of the legal person’s representative (business contact information), job position, and communication relating to the negotiation and performance of the contract with the employer.
  1. 6.      PROVISION OF DATA IS NECESSARY

The provision of personal data, if connected with the entering into, and performance of, a contract, is necessary. Without the data, the contract cannot be concluded or performed.

  1. SOURCE OF DATA from which personal data are obtained

Personal data are obtained from the data subjects, from public databases and public sources, from communication with clients, suppliers and potential clients, suppliers and their representatives.

  1. 8.      PERIOD for which the personal data are stored and processed

The Controller processes personal data as follows: in case of contractual documents needed for the performance of a contract for the duration of the contract, and in case of accounting documents for the prescribed period as laid down by law.

  1. 8.      PLACE where the personal data will be processed

The place of processing of personal data is: the Controller’s offices and secured multimedia cloud.

  1. 8.      RECIPIENTS to whom the personal data may be disclosed

The personal data may be disclosed to the following recipients and other third parties: personal data processors used by the Controller, tax administration.

  1. 8.      THIRD COUNTRY

In the course of personal data processing, personal data are NOT transferred outside the EU.

  1. PROCESSOR

A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

  1. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.

Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.

In connection with the processing of personal data, profiling WILL NOT be used.

VI. CCTV Camera systEm

  1. CONTROLLER

The personal data controller is FSM, a.s., Company Identification Number (IČO): 610 57 720 with registered address at U Nikolajky 833/5, 150 00 Prague 5, registered in the Company Register of the City Court in Prague, under reference number B 3839 (hereinafter the „Controller“).

  1. YOUR RIGHTS

You have the following rights in respect of the personal data processing concerned:

  1. ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain information about the processing in the prescribed extent and the right to obtain, under certain conditions, a copy of the processed personal data;
  2. ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
  3. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legal interests);
  4. COMPLAINT – The right to lodge a complaint with the Office for Personal Data Protection against the Controller, the processing or the terms and conditions for the exercise of rights. See www.uoou.cz for the contact details and other information about the Office;

In addition, you have the following right:

  • RIGHT TO OBJECT – The right to request that your personal data be no longer processed for public interest purposes or for the legitimate interests pursued by the Controller or a third party.
  • You can find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised ZDE.

The Controller has not designated a DATA PROTECTION OFFICER.

  1. PURPOSE OF PROCESSING

The Controller processes personal data for the following purposes: protection of the Controller’s assets, protection of property, lives and health of the employees and third parties (e.g. clients).

  1. LEGAL GROUND FOR PROCESSING

The legal ground for the processing of personal data is: legitimate interests pursued by the Controller and third parties, protection of property, lives and health.

  1. SCOPE OF THE DATA being processed

The Controller processes the following data for the above purpose: CCTV camera recording of the space outside the entrance to the Controller´s premises; monitoring access routes to the building located on the land plot owned by the Controller without recording the public areas not owned by the Controller.

  1. PROVISION OF DATA IS NECESSARY

The provision of personal data is necessary.

  1. PERIOD for which the personal data are stored and processed

The Controller processes personal data for a period of: 3 months.

  1. SOURCE OF DATA from which personal data are obtained

Personal data are obtained from the data subjects, from the CCTV camera system.

  1. PLACE where the personal data will be processed

The place of processing of personal data is: the Controller’s offices and secured multimedia cloud.

  1. RECIPIENTS and other persons to whom the personal data may be disclosed

The personal data may be disclosed to the following recipients and other third parties: personal data processors used by the Controller, law enforcement authorities.

  1. THIRD COUNTRIES

In the course of personal data processing, personal data are NOT transferred outside the EU.

  1. PROCESSOR

A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. 

  1. AUTOMATED DECISION-MAKING AND PROFILING

Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.

Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.

In connection with the processing of personal data, profiling WILL NOT be used.

VRSTVA IV.

Rights and exercise of rights

ARTICLE I

EXERCISE OF RIGHTS IN GENERAL

  1. 1.      CHANNELS USED TO EXERCISE RIGHTS

Subject to the terms and conditions provided below, the rights may be exercised via the email address akfelix@akf.cz.

  1. 1.      IDENTIFICATION AND SECURE COMMUNICATION

The exercise of rights must not negatively affect the rights and freedoms of third parties. Hence, the Controller has the right and obligation, in necessary cases, to identify the data subject requesting the exercise of rights. For that reason, the Controller must choose a safe and reliable communication channel. Communication via electronic mail with a certified electronic signature, communication via a data box, or communication via a postal service provider, where an authenticated signature of the responsible person is attached to the document being delivered or where the reply is served upon the addressee personally, shall be considered a reliable communication where the identity of the addressee need not be further verified.

  1. 1.      RIGHTS EXERCISED ORALLY

In exceptional cases, when requested by the data subject, the information may be provided or the rights exercised orally, provided that a written record is made of the oral provision of information or exercise or rights by the data subject. Where the rights are exercised orally, the identity of the data subject must be verified using an ID card, passport, driver’s license or another document that may serve as evidence that the rights are exercised by the person who is entitled to exercise those rights.

  1. 1.      ELECTRONIC APPLICATION

Where the request is made or the rights exercised by electronic means, the response shall also be provided by electronic means, unless otherwise requested by the data subject.

  1. 1.      CHARGE

The information provided to the data subjects, the copies of data provided to the data subjects and any communication and any action relating to the exercise of rights by the data subjects shall be free of charge.

  1. 1.      REJECTION AND CHARGE

Where the data subject’s request (exercise of right) is manifestly unfounded or unreasonable, particularly because it is identical or predominantly identical with an earlier data subject’s request or because it is excessive, and cannot be complied with within the statutory deadline,

  • compliance with the request shall be subject to a deposit to cover the administrative costs associated with the provision of the requested information or communication or with the requested actions; the deposit may be claimed up to the amount of the estimated costs and the requested information, communication, etc. shall only be released to the data subject after full reimbursement of the incurred costs, or
  • the request shall not be complied with, i.e. the exercise of the right shall be declined in writing with a reasoning.
  1. 1.      RESPONSE PERIOD

The data subject’s requests and the exercise of the data subject’s rights are responded to without undue delay. A response containing the requested information or a description of the measures adopted following the data subject’s request, etc., must be delivered to the data subject no later than within 30 days from the date of receipt of the request. If, for serious reasons, the matter cannot be resolved within the above deadline, the data subject shall be notified in writing or by email, no later than by the end of the above deadline, that the deadline will not be met, together with the reasons for the delay and a new deadline within which the matter will be resolved; the deadline may not be extended by more than 60 days.

ARTICLE II

RIGHT OF ACCESS AND RIGHT TO OBTAIN A COPY

  1. Upon request, the data subject shall have the right to obtain confirmation as to whether or not his/her personal data are being processed.
  2. If the personal data concerning the data subject are being processed, the data subject shall receive the following information:
  1. the purposes of the processing and the legal basis/title for the processing of personal data, including reference to the provisions of the applicable legal regulation, and the scope and consequences of the processing;
    1. the recipients or categories of recipients of personal data, if any;
    1. the transfer of personal data to third countries, where applicable, including information on the appropriate safeguards to ensure security of the data transferred to a third country;
    1. the period for which the personal data will be stored, or if the period cannot be determined, the criteria used to determine that period;
    1. the existence of the right to request access to and rectification or erasure of personal data concerning the data subject or the right to request restriction of processing or to object to the processing of personal data and the conditions under which the rights arise and the manner in which the rights may be exercised; the information shall only include the rights the exercise of which is relevant to the nature of the processing of personal data concerned;
    1. the existence of the right to data portability, the conditions under which the right arises and the conditions under which it may be exercised, to the extent that the exercise of such right is relevant to the nature of the processing of personal data;
    1. the existence of an automated decision-making process and the data subject’s rights connected with automated decision-making;
    1. the source of personal data, and, where applicable, the fact that the personal data were obtained from publicly accessible sources;
    1. the right to lodge a complaint with the supervisory authority (the Office for Personal Data Protection);
    1. the existence of an automated decision-making in the form of profiling and the significance and the envisaged consequences of such processing, if any, for the data subject.
  2. The data subject shall have the right to request a copy of the personal data undergoing processing. The first copy is free of charge. For any further copies, a reasonable fee may be charged. Article I, paragraph 6 shall apply accordingly.
  3. Where the right to obtain a copy could adversely affect the rights and freedoms of third parties (e.g. copies containing third party personal data which the requesting data subject has no legal title to obtain), the copy shall be anonymized in an appropriate manner. If anonymization is not possible or if, as a result of the anonymization, the requested information loses the strength of evidence, no copy shall be provided.

ARTICLE III

RIGHT TO RECTIFICATION

  1. The data subject shall have the right to obtain rectification of the personal data being processed, if the data are inaccurate or incomplete in relation to the purpose for which they are being processed. The data subject shall have the right to request that the personal data be rectified (including completed) or completed.
  2. If the data subject has exercised the right to rectification of the personal data being processed, the Controller shall immediately review the processing of personal data that is the subject of the exercised right to rectification.
  3. If the objection is found to be reasonable, at least to some degree, the Controller shall, without undue delay, ensure that the situation is remedied, i.e. that the processed personal data are rectified or completed.
  4. The data subject will be notified in writing or by email of the result of the review and the measures adopted.

ARTICLE IV

RIGHT TO ERASURE

  1. The data subject shall only have the right to obtain from the data Controller the erasure of personal data concerning him or her if one of the following grounds applies:
    1. the personal data are not necessary in relation to the purposes for which they were collected or otherwise processed;
    1. the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
    1. the data subject has raised a reasonable objection to the processing;
    1. the personal data have been processed unlawfully, especially without legal grounds;
    1. the personal data have to be erased for compliance with a legal obligation arising from a particular legal regulation or a decision based on a legal regulation;
    1. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
  2. An erasure of personal data shall mean the physical destruction of the personal data carrier (e.g. destruction of documents) or the deletion of the data (from multimedia carriers) or other permanent exclusion of the personal data from further processing.
  3. If the data subject has exercised the right to erasure of the processed personal data, the Controller shall review the data subject’s request. If the request is found to be reasonable, at least to some degree, the personal data shall be erased to the necessary extent. Article I, paragraph 7 hereof shall apply accordingly.
  4. The data that are the subject of the right to erasure shall be marked until the data subject’s request is complied with.
  5. The personal data shall not be erased to the extent that their processing is necessary:
    1. for exercising the right of freedom of expression and information;
    1. for compliance with a legal obligation arising from legal regulations;
    1. for reasons of public interest in the area of public health (points (h) and (i) of Art. 9(2) and Art. 9(3) of the GDPR);
    1. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    1. for the establishment, exercise or defense of the Controller’s rights.

ARTICLE V

RIGHT TO RESTRICTION OF PROCESSING

  1. Where the data subject has exercised the right to restriction of processing in respect of a specific processing of personal data, the Controller shall immediately assess relevance of the data subject’s request, primarily the existence of the grounds for exercising the right to restriction of processing; the assessment shall take into account the content of the request as well as other facts and circumstances relating to the processing concerned.
  2. The data subject shall have the right to restriction of processing where one of the following grounds applies:
    1. the accuracy of the personal data is contested by the data subject;
    1. the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead;
    1. the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
    1. the data subject has objected to the processing.
  3. The personal data affected by restriction shall be marked.
  4. Where the processing has been restricted, the personal data concerned may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
  5. If the restriction of processing is lifted, the data subject shall be informed in writing or by email before the restriction of the processing of personal data is lifted. The information shall contain the date on which and the reasons why the restriction will be lifted.

ARTICLE VI

RIGHT TO PORTABILITY

  1. If the processing of personal data involves personal data obtained from the data subject (either data directly provided by the data subject or data obtained about his/her activities, etc.) and concerning the data subject, the data subject shall have the right to portability (receipt and transmission) of those data if the processing is based on consent of the data subject or on a contract with the data subject and the processing is carried out by automated means. The right to portability does not apply to the data and information created by the Controller on the basis of the data obtained from the data subject (e.g. profiling of the envisaged consumer behavior of the data subject based on the data obtained from the data subject, etc.).
  2. In exercising the right to portability of data, the data subject may request the following:
    1. have the personal data that are subject to the right to portability transferred to the data subject in a structured, commonly used and machine-readable format; format requiring special paid license or format excluding further editing of or other manipulation with (processing of) the personal data (e.g. *.pdf) shall be avoided;
    1. have the personal data that are subject to the right to portability transferred to another personal data controller designated in the data subject’s request for the transfer of data, in a structured, commonly used and machine-readable format; format requiring special paid license or format excluding further editing of or other manipulation with (processing of) the personal data (e.g. *.pdf) shall be avoided.
  3. A request of the data subject shall not be complied with if, inter alia (Article I(6)), compliance with the request would adversely affect the rights and freedoms of other persons (data subjects).
  4. A request for portability of data pursuant to paragraph 2(b) shall further not be complied with, if the transfer of data is not technically feasible; transfer of data that cannot be adequately secured by available technical means given the nature of the transferred personal data and the risks involved shall also be considered not technically feasible.
  5. In addition to the transferred personal data, information on the purposes of the processing of personal data shall be transferred and, where requested by the data subject, also information on the processing of personal data to the extent of Article 13 of the GDPR.

ARTICLE VII

AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING

  1. No decision or juridical action concerning the data subject or other measures or procedures which produce adverse legal effects concerning the data subject or similarly significantly affect the data subject (e.g. automated refusal of an online credit application, e-recruiting practices without any human involvement and review of the electronic system’s negative decisions) can be based on automated individual decision-making, including profiling, unless the decision is:
    1. necessary for entering into, or performance of, a contract between the data subject and the data controller;
    1. authorized by legal regulations which lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    1. based on the data subject’s explicit consent.
  1. In the cases referred to in points (a) and (c) of paragraph 1, the Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests and prevent them from negative effects of automated individual decision-making. Such measures include at least the data subject having a chance to express his/her point of view prior to the implementation of the action with negative consequences, a chance to have the decision reviewed by the Controller-appointed person and the right to obtain human intervention, e.g. a regular review of the functionality of the automated decision-making system and a setup of its functionality so as to exclude unreasonable interference with the rights and freedoms or legitimate interests of the data subject.
  2. Where the processing involves sensitive data, or where individual decisions pursuant to paragraph 1 are to be based on sensitive data, paragraph 2 shall only apply if sufficient safeguards have been ensured pursuant to paragraph 2 of this Article on condition that the processing of personal data is based on explicit consent of the data subject pursuant to Article 9(2) point (a) of the GDPR, or the processing is necessary for reasons of important public interest stipulated by law and the processing is adequate to the envisioned objectives, compliant with the personal data protection law and provides sufficient and specific safeguards of the protection of fundamental rights and interests of the data subject.

ARTICLE VIII

RIGHT TO OBJECT

  1. If the processing of personal data is based on point (e) of Article 6(1) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or point (f) of Article 6(1) of the GDPR (processing is necessary for the purposes of protection of the rights and legitimate interests pursued by the controller), the data subject shall have the right to object to the processing of personal data concerned.
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of the personal data concerning him or her for such marketing, including profiling to the extent that it relates to such direct marketing. Where the data subject has objected to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  3. If the data subject has exercised the right to object, the Controller shall investigate the objection without undue delay.
  4. The personal data or the processing of personal data concerned shall be marked until the data subject’s objection is resolved.
  5. The personal data that are the subject of a justified objection can no longer be processed, unless:
    1. further processing is important for serious legitimate reasons that override the interests or rights and freedoms of the data subject, or
    1. further processing is necessary for the establishment, exercise or defense of the Controller’s rights.