1. The administrator of personal data pursuant to Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”) is: the Institute of International Diplomacy and Foreign Trade, RED-X, s.r.o., Company ID No.: 28599152, Tax ID No.: CZ28599152, The company is registered at the Regional Court in Ostrava, Section C, Insert 33938, Data box ID: 29pkdpm. Contact and invoicing address: Institute of International Diplomacy and Foreign Trade, RED-X, s.r.o., Janovice 488, 739 11 Frýdlant nad Ostravicí, Czech Republic, E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it., (hereinafter referred to as the “Administrator”).
2. Personal data means all information about an identified or identifiable natural person. An identifiable natural person is a “Natural person” who can be directly or indirectly identified, in particular by reference to a specific identifier, such as name, identification number, location data, network identifier, or one or more specific physical, physiological, genetic, mental, economic, cultural, or social identity of this “Natural person”(hereinafter referred to as the: “Client”).
3. The“Administrator”uses the subcontractor platform of the web hosting and mailing service provider in the performance of data management duties. The subcontractor fulfils the conditions for secure processing of personal data, and is fully responsible for the proper security of the physical, hardware, and software perimeter, and bears direct responsibility for any leakage or breach of personal data.
4. The“Administrator” stores personal data of the“Client” for the time necessary to exercise the rights and obligations arising from the contractual relationship between “Administrator” and “Client” , and the assertion of claims from these contractual relationships, for a period of 15 years from the termination of the contractual relationship. After this time, the data is deleted.
5. The“Client” has the right to request from the “Administrator” access to his personal data, pursuant to Article 15 of the GDPR, correction of personal data, pursuant to Article 16 of the GDPR, or restrictions on processing, pursuant to Article 18 of the GDPR. The“Client” has the right to delete personal data according to Article 17, paragraph 1, letter a), and c) to f) GDPR. Furthermore, the “Client” has the right to object to the processing, according to Article 21 of GDPR, and the right to data portability, according to Article 20 of GDPR.
6. The“Client” has the right to lodge a complaint with the “Office for Personal Data Protection” if it considers that its right to personal data protection has been violated.
7. The“Client”has no obligation to provide personal data. However, the provision of personal data is a necessary requirement for the conclusion and performance of the contract. Without the provision of personal data, it is not possible to conclude the contract or perform it properly by the “Administrator”.

 II. Legal reason and purpose of personal data processing

1. The legal reason for the processing of personal data is the performance of the contract, pursuant to Article 6, paragraph 1, letter b) GDPR, fulfilment of the legal obligation of the “Administrator”, according to Art. c) GDPR, and the legitimate interest of the “Administrator” according to Art. f) GDPR.
2. The “Administrator” therefore processes and uses the data for the following purposes: a.) To fulfil legal obligations arising from applicable laws and regulations, b.) To fulfil the agreed contractual relationship, and exercise rights and obligations, c.) For mutual business communication and satisfaction evaluation, d.) For the purpose of direct marketing of the portfolio spectrum of own activities, e.) To ensure security and protection against cyber attacks, f.) To personalize, optimize, and develop existing and future services, g.) To measure client traffic on its own website server.

 III. Third Party Involvement Statement

1. The “Client” grants the “Administrator” consent to share the necessary personal data with legally bound employees, and procedurally necessary subcontractors of the  “Administrator”, solely for the purpose of proper performance of the agreed contractual relationship between the“Administrator” and the “Client”.
2. Subcontractors shall provide the specified guarantees for the implementation of appropriate technical and organizational measures so that the processing in question meets the requirements of this Regulation to ensure the protection of the rights and data subjects.
3. “Administrator” according to the scope and degree of performance of the agreed contractual relationship between the“Administrator”and the “Client” uses the following standard services: a.) Administrative and technical administration and support, b.) Legal, legislative, tax, and invoicing service, c.) Postal, courier, and forwarding companies, d.) Legally provided and procedurally necessary employees and subcontractors.
4. The“Administrator” pursuant to Article 28 (2), the GDPR shall not involve any other in the processing of personal data of the“Administrator” without prior specific or general written permission of the“Client”. In the case of a general written authorization, the “Administrator”shall inform the “Client” of any and all intended changes concerning the adoption of another“Administrator”or their replacement, and thereby provide the “Client” with the opportunity to object to these changes. The “Administrator” must impose on its subcontractors in position of the“Administrator” personal data the same obligations to protect personal data as set out in these conditions.

 IV. Scope of data processing

1. The “Administrator” undertakes to process personal data to the extent and for the purpose stipulated by law. The“Administrator” is not entitled to process personal data in contravention or beyond the scope set out in these conditions.
2. Processing of personal data means any activity (operations) or set of activities (operations) related to the handling of personal data, with or without the use of computer technology, such as: acquisition, storage, sorting, collection, updating (renewals, changes), use, transfer, anonymisation, blocking, deletion, or physical disposal.

 V. Closing provisions

1. According to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals, the consent of the “Client” is required for the processing of personal data. The legal obligation of the “Administrator” is to prove that the consent has actually taken place (or who, when, how, and for what the consent was granted).
2. The security of personal data is guaranteed by the “Administrator” by appropriate technical, procedural, and organizational measures that ensure a level of security appropriate to the risk. Depending on the type and need of processing, personal data is pseudonymized, anonymized, and encrypted. Part of the data protection process is the monitoring of access management and the scope of work performed with personal data.
3. Conditions and relations not regulated in these Conditions of Personal Data Protection are governed by the law of the Czech Republic, and the relevant provisions of legal regulations: a.) Act No. 110/2019 Coll., Personal Data Processing Act, b.) Act No. 89/2012 Coll., Civil Code Act, c.) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

 These conditions take effect as of 1.1.2020.