PRINCIPLES OF DATA PROTECTION AND THEIR PROCESSING
The aim of these Principles of data protection and their processing (hereinafter “Principles”) is to provide information about what kinds of data about natural persons are processed during the provision of our services and the sale of our goods; for what purpose and for how long our company will process those personal data in accordance with valid laws; to whom and for what reason the personal data may be shared; and what rights natural persons have concerning the processing of their personal data.
1. DATA CONTROLLER, CONTACT INFORMATION FOR GDPR SPHERE
The Data Controller is the company Prefa Brno a.s., Company ID 46901078, with headquarters at Kuklova 10/4231, registered in the business register kept by the Regional Court under file number B 859 (hereinafter “Data Controller”). You can send any questions concerning personal data processing to the address of the Data Controller’s headquarters or to the e-mail address prefa@prefa.cz, or call the phone number +420541583111.
2. SCOPE OF PROCESSING AND CATEGORIES OF PERSONAL DATA WHICH ARE THE SUBJECT OF PROCESSING
Personal data are processed in the scope in which the natural person provided them to the Data Controller in connection with concluding a contract or other legal relationship with the Data Controller, or in which the Data Controller acquired them in a different way and processes them in accordance with valid laws and with the lawful obligations of the Data Controller. The Data Controller processes the following categories of personal data:
- name and surname, and academic title where applicable,
- name of a company,
- company ID, TIN,
- permanent address,
- headquarters address or place of business,
- shipping address,
- contact e-mail address,
- contact phone number,
- job position and/or function in the company,
- bank information,
- records of behaviour on internet websites run by the Data Controller, acquired from cookies if cookies are allowed in the web browser.
3. PURPOSE OF DATA COLLECTING
3.1 PROCESSING DUE TO FULFILLING THE CONTRACT AND OBLIGATIONS BY LAW, AND DUE TO RIGHTFUL INTERESTS OF THE DATA CONTROLLER
Providing the personal data needed for fulfilling the contract, fulfilling the obligations of the Data Controller and protecting the rightful interests of the Data Controller is obligatory. Without the provision of personal data for these purposes it would not be possible to provide our services. For this data processing the Data Controller does not need consent from the data subject.
Basic individual purposes for personal data processing are mainly:
- processes connected to identification and possible contacting of the client (contract fulfilment),
- providing services and delivering of ordered goods (contract fulfilment),
- billing for services, issuing invoices (contract fulfilment),
- fulfilment of tax liability (fulfilment of obligations),
- recovery of claims with customer and other customer disputes (lawful interest),
- recording of debtors (lawful interest).
Personal data for these activities are processed to the extent needed for carrying out these activities and for the period of time needed to achieve them or for the period of time established by law. After that, the personal data are erased or made anonymous. Standard time frames for personal data processing are given below in Article 5 of the Principles.
3.2 PROCESSING PERSONAL DATA WITH CONSENT FOR MARKETING AND BUSINESS PURPOSES
With consent from the data subject, the Data Controller processes personal data for marketing and business purposes with the intention of creating a suitable offer of the Data Controller’s products and services in connection with contacting the customer, exclusively in the form of electronic communication through the contact e-mail address. Providing consent for marketing and business purposes is voluntary and the data subject can cancel it anytime. This consent stays valid for 10 years since its granting or for a time of using the Data Controller’s services and following 10 years or until the data subject cancels the consent. Based on the consent, all categories of data listed in Article 2 of the Principles may be processed for marketing and business purposes. If the data subject cancels their consent, this does not affect the processing of their personal data by the Data Controller for other purposes based on other legal titles in accordance with these Principles.
3.3 PROCESSING OF COOKIES FROM INTERNET WEBSITES OPERATED BY DATA CONTROLLER
If the data subject has enabled cookies in their web browser, the Data Controller processes records about them placed on the Internet pages operated by the Data Controller to ensure better running of the Data Controller’s web pages and for the Data Controller’s advertising purposes. If consent to the processing of personal data for marketing and business purposes has been granted, these data are processed together with the personal data for these purposes.
4. WAY OF PROCESSING AND PROTECTING PERSONAL DATA
Personal data are processed by the Data Controller. Processing is done in the Data Controller’s premises and headquarters by individual appointed employees of the Data Controller or, where applicable, by a processor. The processing is done by computer or, where applicable, manually for personal data in paper form, in accordance with safety principles for managing and processing personal data. For this purpose, the Data Controller has adopted technical and organizational measures to protect personal data, especially measures preventing unauthorized or accidental access to personal data, their change, destruction or loss, unauthorized transmission, unauthorized processing, and other abuses of personal data. All subjects who may be permitted to access personal data respect the rights of data subjects to data protection and are obliged to follow the applicable law regarding protection of personal data. Automated decision-making within the meaning of Article 22 of GDPR does not take place during the processing of personal data by the Data Controller.
5. PROCESSING TIME OF PERSONAL DATA
Personal data are processed for the period of time needed for the purposes for which the data are processed, in accordance with the time periods stated in contracts, in the Data Controller’s Document Management and Destruction Rules or in the relevant law. The periods for which personal data are stored are as follows:
- If customers of services have fulfilled all their obligations to the Data Controller, the Data Controller is authorized to process in the database their basic personal, identification, and contact data, data about services and data from their communication with the Data Controller for a period of 4 years from the day of the end of the contract.
- In the case of purchase of goods from the Data Controller, the Data Controller is authorized to process the customer’s basic personal, identification, and contact data, data about the goods and data from their communication with the Data Controller for a period of 4 years from the expiration date of the warranty.
- In accordance with § 35 of Act No. 235/2004 Sb. on VAT, invoices issued by the Data Controller are archived for a period of 10 years from the end of the tax period and customer contract.
6. CATEGORIES OF RECEIVERS OF PERSONAL DATA
The Data Controller uses professional and specialized services of other subjects when fulfilling its obligations and duties under contracts. If these suppliers process personal data received from the Data Controller, they have the position of processors of personal data; they process the personal data only within the instructions from the Data Controller, and the data cannot be used otherwise. Namely, these are delivery services, payment gateway providers, experts, lawyers, auditors, IT system administrators, internet advertisement providers or sales representatives. Each of these subjects is carefully selected by the Data Controller, and a contract on personal data processing is signed with each of them, establishing strict obligations for the processors regarding protection and security of personal data.
7. THE RIGHTS OF DATA SUBJECTS
In accordance with GDPR, data subjects have the rights listed below. The data subject may exercise their rights against the Data Controller at the contact addresses listed in Article 1 of the Principles.
7.1 THE RIGHT TO ACCESS YOUR PERSONAL DATA
In accordance with Article 15 of GDPR, the data subject has the right to access personal data, which includes the right to obtain confirmation from the Data Controller about whether or not the subject’s personal data are processed and, if so, the right to gain access to these personal data and to information about:
- purposes of processing,
- categories of personal data,
- recipients to whom personal data were or are going to be made accessible,
- planned period of processing,
- existence of the right to require from the Data Controller correction or erasure of personal data concerning the data subject or restriction of their processing, or to object against this processing,
- right to submit a complaint to supervisory authority,
- all available information about the source of personal data if they were not acquired from the data subject,
- the fact that automated decision-making, including profiling, is taking place,
- appropriate safeguards during handover of data outside EU.
If it does not adversely affect the rights and freedoms of other people, the data subject has the right to ask for a copy of the processed personal data. In the case of a repeated request, the Data Controller has the right to charge a proportional fee.
7.2 THE RIGHT TO CORRECTION OF INACCURATE DATA
In accordance with Article 16 of GDPR, the data subject has the right to correction of inaccurate data or completion of missing data which are processed by the Data Controller. The data subject is obliged to announce changes in their personal data and to prove these changes. If the Data Controller learns that some data are inaccurate, the data subject is obliged to cooperate and provide new complete data.
7.3 THE RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)
In accordance with Article 17 of GDPR, the data subject has the right to erasure of their personal data unless the Data Controller can prove that there are rational reasons for processing this personal data.
7.4 THE RIGHT TO RESTRICTION OF PROCESSING
In accordance with Article 18 of GDPR, the data subject has the right to restriction of processing for the time of investigation of the accuracy of data concerning the data subject or of the reasons for its processing, or if they submit an objection against its processing. If the processing has been restricted, the data in question can be processed (except for their storage) only with the consent of the data subject or for reasons of establishment, exercise, and defence of legal claims, for reasons of protecting the rights of another natural or legal entity, or for reasons of an important interest of the EU or one of its member states.
7.5 NOTIFICATION OBLIGATION OF THE DATA CONTROLLER CONCERNING CORRECTIONS OR ERASURE OF PERSONAL DATA OR RESTRICTION OF PROCESSING
In the case of correction, erasure or restriction of processing of personal data, the Data Controller is obliged to inform individual recipients of personal data about this fact (with the exception of cases when it happens to be impossible or it demands unreasonable effort) in accordance with the Article 19 of GDPR. Based on a request from the data subjects, the Data Controller is going to provide information about these recipients.
7.6 THE RIGHT TO DATA PORTABILITY
In accordance with Article 20 of GDPR, the data subject has the right to portability of the data which concern them and which they provided to the Data Controller, in a structured, commonly used and machine-readable format. Moreover, the data subject has the right to ask the Data Controller to forward the information to another Data Controller if the data processing is based on a contract or on consent from the data subject and is done in an automated way. If such a request would adversely affect the rights and freedoms of third parties, it cannot be fulfilled.
7.7 THE RIGHT TO OBJECT AGAINST PROCESSING OF PERSONAL DATA
In accordance with Article 21 of GDPR, the data subject has the right to object against processing of their personal data that is based on the justified interest of the Data Controller. If the Data Controller does not prove that there are serious justified reasons for the processing which prevail over the interests, rights and freedoms of data subjects, the Data Controller is obliged to terminate the processing immediately based on the objection.
7.8 THE RIGHT TO WITHDRAW CONSENT FOR THE PROCESSING OF PERSONAL DATA
Consent for processing of personal data for marketing and business purposes can be withdrawn anytime. The withdrawal has to be made as an explicit and clear expression of will. Processing of data from cookies can be disabled in the web browser’s settings.
7.9 THE RIGHT TO BE INFORMED ABOUT PERSONAL DATA’S SECURITY VIOLATION
In accordance with Article 34 of GDPR, the data subject has the right to be informed by the Data Controller about a violation of the security of personal data without undue delay, if there is a possibility that the violation would lead to a high risk for the rights and freedoms of natural persons.
7.10 THE RIGHT TO CONTACT THE OFFICE FOR PERSONAL DATA PROTECTION
The data subject has the right to contact the Office for Personal Data Protection (www.uoou.cz/en/) if they find out or think that the Data Controller or a processor is processing their personal data in conflict with the private and personal life of the data subject or in conflict with relevant laws.