II. Legal reason and purpose of personal data processing
- The legal reason for the processing of personal data is the performance of the contract, pursuant to Article 6, paragraph 1, letter b) GDPR, fulfilment of the legal obligation of the “Administrator”, according to Art. c) GDPR, and the legitimate interest of the “Administrator” according to Art. f) GDPR.
- The “Administrator” therefore processes and uses the data for the following purposes: a.) To fulfil legal obligations arising from applicable laws and regulations, b.) To fulfil the agreed contractual relationship, and exercise rights and obligations, c.) For mutual business communication and satisfaction evaluation, d.) For the purpose of direct marketing of the portfolio spectrum of own activities, e.) To ensure security and protection against cyber attacks, f.) To personalize, optimize, and develop existing and future services, g.) To measure client traffic on its own website server.
III. Third Party Involvement Statement
- The “Client” grants the “Administrator” consent to share the necessary personal data with legally bound employees, and procedurally necessary subcontractors of the “Administrator”, solely for the purpose of proper performance of the agreed contractual relationship between the“Administrator” and the “Client”.
- Subcontractors shall provide the specified guarantees for the implementation of appropriate technical and organizational measures so that the processing in question meets the requirements of this Regulation to ensure the protection of the rights and data subjects.
- “Administrator” according to the scope and degree of performance of the agreed contractual relationship between the“Administrator”and the “Client” uses the following standard services: a.) Administrative and technical administration and support, b.) Legal, legislative, tax, and invoicing service, c.) Postal, courier, and forwarding companies, d.) Legally provided and procedurally necessary employees and subcontractors.
- The“Administrator” pursuant to Article 28 (2), the GDPR shall not involve any other in the processing of personal data of the“Administrator” without prior specific or general written permission of the“Client”. In the case of a general written authorization, the “Administrator”shall inform the “Client” of any and all intended changes concerning the adoption of another“Administrator”or their replacement, and thereby provide the “Client” with the opportunity to object to these changes. The “Administrator” must impose on its subcontractors in position of the“Administrator” personal data the same obligations to protect personal data as set out in these conditions.
IV. Scope of data processing
- The “Administrator” undertakes to process personal data to the extent and for the purpose stipulated by law. The“Administrator” is not entitled to process personal data in contravention or beyond the scope set out in these conditions.
- Processing of personal data means any activity (operations) or set of activities (operations) related to the handling of personal data, with or without the use of computer technology, such as: acquisition, storage, sorting, collection, updating (renewals, changes), use, transfer, anonymisation, blocking, deletion, or physical disposal.
V. Closing provisions
- According to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals, the consent of the “Client” is required for the processing of personal data. The legal obligation of the “Administrator” is to prove that the consent has actually taken place (or who, when, how, and for what the consent was granted).
- The security of personal data is guaranteed by the “Administrator” by appropriate technical, procedural, and organizational measures that ensure a level of security appropriate to the risk. Depending on the type and need of processing, personal data is pseudonymized, anonymized, and encrypted. Part of the data protection process is the monitoring of access management and the scope of work performed with personal data.
- Conditions and relations not regulated in these Conditions of Personal Data Protection are governed by the law of the Czech Republic, and the relevant provisions of legal regulations: a.) Act No. 110/2019 Coll., Personal Data Processing Act, b.) Act No. 89/2012 Coll., Civil Code Act, c.) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
These conditions take effect as of 1.1.2020.