INFORMATION ON PERSONAL DATA PROCESSING PURSUANT TO ART. 13 ET SEQ. GDPR
Company details: ANYBODY s.r.o., ZELNÝ TRH 293/10, BRNO, 60200, Id. No.: 06378277, Tax Id. No.: CZ06378277
Contact details: Adam Vodička, firstname.lastname@example.org
Contact details of the Data Protection Officer: No data protection officer has been appointed by the Controller.
Purposes of processing
The Controller processes personal data for the following purposes.
- processing for the purpose of performance of a contract to which the data subject is a party;
- processing for the purpose of implementing measures adopted on request of the data subject prior to entering into a contract;
- processing for the purpose of compliance with a legal obligation arising for the Controller from special legal regulations. In relation to the clients – e.g. Act No. 563/1991 Coll., on accounting; Act No. 254/2004 Coll., on limitation of cash payments; Act No. 586/1992 Coll., on income taxes; Act No. 235/2004 Coll., on value added tax; Act No. 565/1990 Coll., on local fees; Act No. 326/1999 Coll., on the presence of foreigners in the territory of the Czech Republic, and others;
- processing for the purposes of protecting the rights and legally protected interests of the Controller.
- processing (retention) of the client’s personal data with a view to addressing the client with offers of services provided by the Controller (for a period of 3 years)
- creating a photocopy of the identity document (ID card, passport, etc.) for the purpose of protecting the rights and legally protected interests of the Controller
Legal basis for personal data processing
The legal basis for personal data processing is comprised in the following laws and regulations, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”)
- Act No. 101/2000 Coll., on personal data protection
- Act No. 563/1991 Coll., on accounting
- Act No. 254/2004 Coll., on limitation of cash payments
- Act No. 589/1992 Coll., on premiums for social security and contributions towards the State employment policy
- Act No. 48/1997 Coll., on public health insurance
- Act No. 262/2006 Coll., the Labour Code
- Act No. 586/1992 Coll., on income taxes
- Act No. 235/2004 Coll., on value added tax
- Act No. 565/1990 Coll., on local fees
- Act No. 326/1999 Coll., on the presence of foreign nationals in the territory of the Czech Republic
Legitimate interests of the Controller in respect of personal data processing
In certain cases, the Controller processes personal data on the basis of Art. 6 (1)(f) GDPR, i.e. for the purposes of the legitimate interests pursued by the Controller. The Controller does not require consent from the data subject for this type of processing. Nevertheless, the extent of such processing is limited and the Controller must therefore consistently assess whether such an interest is justified in each case (the Controller carries out a “balance test”, i.e. determines whether the interests of the Controller override the interests or fundamental rights and freedoms of the data subject which require protection of personal data).
LEGITIMATE INTERESTS INCLUDE, FOR EXAMPLE:
- assessment of the client’s profile in connection with the services provided
- drafting contractual documents for the client
- protection of the Controller’s legal interests
Description of the categories of personal data processed
- identification details – details serving for unambiguous identification
  - for a natural person: name(s); surname and, if applicable, surname at birth; academic degree; nationality; birth identification number or date of birth; sex; marital status; education; place of birth; place of residence; permanent address; for a client who is a natural person operating a business, also Id. No. and Tax Id. No.
  - for a legal person: business name or designation; registered office; identification number; identification details of the governing bodies
- contact details – details enabling contact
  - contact address; data box ID; telephone number; fax number; e-mail address and other similar data
- other data on the client – other client’s data required to attain the purpose of the processing
  - bank account number; account statements; payment card details (other than protective elements); transaction data; records of communication with the client (e.g. e-mail communication); other data necessary for the services provided by the controller according to the nature of the specific service
Categories of recipients to whom personal data have been or will be disclosed
THE CONTROLLER WILL PROVIDE PERSONAL DATA TO THE FOLLOWING ENTITIES (THIRD PARTIES):
- governmental authorities, especially courts, prosecuting bodies, supervisory authorities, enforcement authorities, insolvency trustees, Czech Social Security Administration, public health insurance companies, etc.;
- various entities, for the purpose of performance of a contract to which the data subject is a party, such as delivery persons;
- other entities if necessary for the purposes of protecting the rights and legally protected interests of the Controller, e.g. when raising an insurance claim. The data provided are limited in extent so that the rights and legally protected interests can be secured successfully;
- the Controller will provide data to other entities only with the data subject’s consent or at his/her request.
Recipients of personal data in third countries or international organisations
Personal data will not be provided to recipients from third countries or international organisations.
Information on planned deadlines for erasure of individual categories of personal data
Personal data of data subjects are retained only as long as a purpose of processing based on at least one legal ground continues to exist. Personal data are thus processed for the term of the contract or on the basis of another legal ground based on which they are processed.
After termination of the legal ground, the personal data will be erased without undue delay after expiry of the statutory period for which the Controller is obliged to retain these data.
The statutory periods of processing are laid down, e.g., by Act No. 563/1991 Coll., on accounting; Act No. 235/2004 Coll., on value added tax; Act No. 565/1990 Coll., on local fees; Act No. 326/1999 Coll., on the presence of foreigners in the territory of the Czech Republic, and others.
Data subject’s rights with regard to personal data processing
The Controller processes personal data in accordance with the principles of lawfulness, fairness and transparency. Personal data are processed in accordance with an explicitly expressed and legitimate purpose, and these data are processed only to the necessary extent. If possible and in accordance with the relevant measures, the Controller processes data which are accurate and kept up to date.
RIGHTS OF THE DATA SUBJECT
- Right of access to personal data – the data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed, and where that is the case, the data subject has the right of access to the personal data;
- Right to rectification of personal data – the data subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement;
- Right to erasure of personal data (“right to be forgotten”) – the data subject has the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay and the Controller has the obligation to erase personal data without undue delay;
- Right to restriction of personal data processing – the data subject has the right to obtain from the Controller restriction of processing in the following cases:
  - the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
  - the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  - the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  - the data subject has objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the Controller override those of the data subject.
- Right to portability of personal data – the data subject has the right to receive the personal data concerning him/her, which he/she has provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided;
- The right to object to personal data processing – the data subject has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her which is based on point (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions;
- The right to revoke consent to personal data processing – the data subject has the right to revoke his/her consent at any time. The revocation of consent does not affect the lawfulness of processing based on consent before its revocation;
- The right to lodge a complaint with the supervisory authority – where a data subject believes that the rules of personal data protection have been violated, the data subject has the right to file a complaint with a supervisory authority. The supervisory authority is:
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Praha 7
Data box ID: qkbaa2n
Adam Vodička, in Brno, on 1 September 2018