Declaration on the processing of personal data

DECLARATION ON THE PROCESSING OF PERSONAL DATA

Declaration on the processing of personal data per Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regards to the processing of personal data and on the information of data subjects ("GDPR")

I. Personal data controller

Personal data controller:

Name (company): Strojírny Rožmitál, s.r.o.

Registered office: Žižkova 708, Příbram I, 261 01 Příbram

Ing. Lenka Janotová, Director of the company

ID NO.: 14082918

VAT NO: CZ14082918

(hereinafter referred to as "the administrator")

 

Hereby informs the data subjects about the processing of their data and their rights in compliance with Article 12 GDPR.

II. Scope of the processing of personal data

Personal data are processed to the extent that the respective data subject has provided them to the controller in connection with the conclusion of a contractual or other legal relationship with the controller or which the controller has otherwise collected and processed by applicable law or to fulfil the controller's legal obligations. 

III.     Sources of personal data

  • directly from data subjects (e.g. registration, emails, telephone, chat, website, web contact form, social networks, business cards, contracts, consents, video footage taken by the controller's technical equipment, etc.)
  • public records - for this document, a public record is:
  • the public register according to Act No. 304/2013 Coll., on public records of legal and natural persons, as amended, i.e. the Federal Register, the Foundation Register, the Register of Institutions, the Register of Unit Owners' Associations, the Commercial Register and the Register of Benefit Corporations;
  • other registers within the meaning of No 111/2009 Coll., on basic registers, as amended

VI. Categories of personal data subject to processing by the controller

Identification data, contact data, descriptive data, transaction data, and technical product data.

V. Categories of data subjects

The data subject is the natural person to whom the personal data relate, namely:

  • an employee of the controller
  • an applicant for employment with the controller
  • a contractual partner of the controller (natural person or business)
  • a subject in a pre-contractual relationship with the controller (customer before accepting an order, enquirer, etc.)
  • party to the proceedings
  • intervener
  • person concerned, interested party
  • applicant
  • interviewer
  • payer
  • beneficiary
  • authorized
  • obliged
  • victim

VI. Categories of processors and recipients of personal data

  • public authorities
  • local authorities
  • public institutes
  • banking institutions
  • insurance companies
  • an external entity providing services to the administrator in various areas (OSH, accounting, training, education) 

VII. Purpose and reasons for processing personal data 

The processing of personal data takes place at the controller:

  • based on the data subject's consent
  • in the performance of a contract with the data subject
  • for the implementation of measures taken before the conclusion of the contract at the request of the data subject
  • for the fulfilment of a legal obligation applicable to the controller (including archiving by law)
  • for the protection of the vital interests of the data subject or another natural person
  • for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller
  • because of a legitimate interest of the controller or of a third party (including archiving based on a legitimate interest of the controller) 

Reasons for processing special categories of personal data

  • explicit consent of the subject,
  • compliance with obligations in the field of labour law, social security law and social protection,
  • the protection of the vital interests of the data subject or of another natural person where the data subject is not physically or legally able to give consent,
  • Generally know data disclosed by the data subject,
  • establishing, exercising or defending legal claims or in the course of legal proceedings,
  • significant public interest,
  • archiving in the public interest, for scientific or historical research purposes or statistical purposes 

VIII.     Method of processing and protection of personal data 

The controller carries out the processing of personal data. Processing is carried out at the controller's premises, at the controller's headquarters, by individual authorised employees or the processor. The processing is carried out using computer technology or, in the case of personal data in paper form, manually, in compliance with all security principles for managing and processing personal data. To this end, the controller has adopted technical and organisational measures to protect personal data, particularly steps to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or another misuse of personal data. All entities to which personal data may be disclosed shall respect the right of privacy of data subjects and shall comply with applicable data protection legislation.

IX. Period of processing of personal data

Following the time limits specified in the relevant contracts, in the internal regulations of the controller or the relevant legislation, this is the time necessary to ensure the rights and obligations arising from the contracts, legitimate interests and the applicable legislation.

X. Rights of data subjects 

  1. Under Article 12 of the GDPR, the controller informs the data subject of the right to access personal data and the following information:
  • the purpose of the processing,
  • the category of personal data concerned,<
  • the recipient or categories of recipients to whom the personal data have been or will be disclosed,
  • the intended period for which the personal data will be stored,
  • any available information on the source of the personal data,
  • if not obtained from the data subject, whether automated decision-making, including profiling, occurs. 
  1. Any data subject who becomes aware or considers that the controller or processor is carrying out a process of processing of their data which is contrary to the protection of the data subject's private and personal life or contrary to law, in particular where the personal data are inaccurate concerning the purpose of the processing, may:
  • Request an explanation from the controller.
  • Request that the controller remedies the situation. In particular, this may involve blocking, rectifying, supplementing or erasing personal data.
  • If the data subject's request is justified, the controller shall rectify the lousy situation immediately.
  • If the controller does not comply with the data subject's request, the data subject has the right to apply directly to the supervisory authority, the Office for Personal Data Protection.
  • The data subject has the right to address their complaint directly to the supervisory authority without taking any preparatory steps. 
  1. The controller shall provide information and communication to data subjects in a concise, transparent, understandable and easily accessible manner using clear and plain language. The controller may provide information and communication to data subjects in writing and, where appropriate, electronically or orally, provided that it verifies the identity of the data subject concerned.
  2. The controller shall respond to data subjects' requests for information without undue delay but, at the latest, within one month of receipt of such a request. In justified cases, the controller may extend this time limit, but no longer than two months. The controller shall inform the data subject of the extension within one month of receipt of the data subject's request and shall inform the data subject of the reasons for the extension. Suppose the data subject submits a request for information and communication electronically. In that case, the CONTROLLER shall provide the information and communication to the data subject electronically unless the subject requests another method, e.g. in writing.
  3. If the data subject requests the controller to take specific measures (rectification of their data, erasure, etc.) and the controller does not take such steps, the controller shall inform the data subject thereof without delay, and at the latest within one month of the request for taking the relevant measures, including the reasons for not taking such steps, as well as information on the possibility for the data subject to lodge a complaint with the Office for Personal Data Protection or to apply to the court.
  4. The controller shall provide the information and communication to the data subject free of charge. Suppose the data subject makes repeated requests, or such requests are unfounded or excessive. In that case, the controller may refuse the request or impose a reasonable fee covering the administrative costs associated with providing the information and communication or implementing the requested measures. The controller must demonstrate the unfoundedness or unreasonableness of the data subject's request.
  5. Where the controller obtains personal data directly from the data subject, the controller shall communicate the following information to the data subject when receiving the data:

            (a) the identification and contact details of the controller and the controller's representative, if any;

            (b) the purposes of the processing for which the personal data are intended and the legal basis for the processing;

            (c) the legitimate interests of the controller or of a third party where the processing is necessary for the legitimate interests of the controller or the third party;

            (d) the possible recipients or categories of recipients of the personal data;

            (e) the intention, if any, of the controller to transfer the personal data to a third country or an international organisation and the existence or otherwise of a decision of the European Commission that the third country or international organisation provides adequate protection for the personal data and a reference to appropriate safeguards and means of obtaining a copy of the data or information on where the data have been disclosed.

  1. Where necessary to ensure fair and transparent processing, the controller shall also provide the data subject with further information, in particular the duration of the processing of the personal data, or the criteria for determining it, and information on the data subject's right to rectification, erasure, etc.
  2. If the controller does not obtain the personal data directly from the data subject, the controller shall communicate to the data subject, upon receiving the personal data, the information referred to in paragraphs 7(a), (b), (d) and (e), and, where applicable, further information according to paragraph 8. 
  1. The controller shall inform the data subject of any change in the purpose of the processing of personal data whenever it occurs. 
  1. The controller shall, upon request, provide the data subject with confirmation as to whether the controller processes personal data relating to them and, if so, provide the data subject with access to such data and to the following information:

            (a) the purposes of the processing;

            (b) the categories of personal data concerned;

            (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

            (d) the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine that period;

            (e) the existence of the right to request from the CONTROLLER the rectification or erasure of personal data relating to the data subject or the restriction of their processing or to object to such processing;

            (f) the right to complain to the Data Protection Authority;

            (g) any available information about the source of the personal data unless obtained from the data subject.

  1. The controller shall, by the obligations set out in paragraph 11, provide the data subject with a copy of the personal data processed. The controller may charge a reasonable administrative fee for providing documents under the preceding sentence.
  2. The controller is obliged to correct inaccurate personal data concerning the data subject without undue delay to complete incomplete personal data, including by providing an additional declaration.
  3. The controller is obliged to erase personal data concerning the data subject without undue delay if one of the following grounds is met:

            (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

            (b) the data subject withdraws consent where the personal data were processed based on that consent, and there is no further legal basis for the processing;

            (c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

            (d) the personal data have been unlawfully processed;

            (e) the personal data must be erased to comply with a legal obligation under European Union or Czech law. 

(15) Where a controller has disclosed the personal data of a data subject and is obliged to erase it, the controller must take reasonable steps (having regard to available technology and costs) to inform other controllers of personal data that process that personal data that the data subject has requested them to erase all references to that personal data, copies and replications thereof.

(16) The controller shall not be obliged to comply with the obligations under paragraphs 14 and 15 if the processing of personal data is necessary for the controller, e.g. to comply with a legal obligation which requires the processing of personal data under the European Union or Czech law to which the controller is subject, or for the establishment, exercise or defence of legal claims, etc.

  1. The controller is obliged to restrict the processing of personal data of the data subject if:

            (a) the data subject contests the accuracy of the personal data for the period necessary to enable the controller to verify the accuracy of the personal data;

            (b) the processing is unlawful, and the data subject refuses to erase the personal data and requests instead the restriction of their use;

            (c) the controller no longer needs the personal data for the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

            (d) the data subject has objected to the processing under paragraph 19 of this Article of the Directive, pending verification that the controller's legitimate grounds for the processing override those of the subject. 

  1. Where the controller has restricted the processing of personal data under the preceding paragraph, such personal data may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or reasons of substantial public interest of the European Union or a Member State of the European Union. 
  1. The controller shall inform the data subject before lifting the restriction on the processing of personal data under paragraph 17. 
  1. The controller shall notify individual recipients of any rectification or erasure of personal data, of any restriction on the processing of personal data, except where this proves impossible or requires disproportionate effort. The controller shall also inform the data subject of these recipients if the data subject so requests. 
  1. If the data subject objects to the controller to the processing by the Community of Owners of personal data processed by the controller for the legitimate interests of the controller or a third party, the controller shall no longer process the personal data based on the objection unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The controller must inform the data subject of this right at the latest at the time of the first communication with the data subject. 

XI. Verification of the identity of the data subject

  1. If the controller receives a submission from a natural person - data subject, which, by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (from now on referred to as "GDPR")

            (a) exercise the right of access to their data, and,

            (b) requests confirmation as to whether the controller processes personal data relating to the applicant within the meaning of the GDPR and,

            (c) requests that copies of the personal data processed to be provided free of charge; and,

            (d) requests a communication of which categories of personal data are processed and,

            (e) requests a statement of the purpose for which the personal data are processed and,

            (f) asks for a statement of the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine that period and,

            (g) asks to be informed whether (and under what conditions) they may request the controller to rectify or erase the personal data, to restrict their processing, or whether and how the data subject may object to the processing of my data, and,

            (h) asks to be informed whether (and how) the data subject may lodge a complaint with a supervisory authority and who that supervisory authority is, and,

            (i) ask for the disclosure of any available information about the source of the personal data concerning the data subject, if not obtained directly from the data subject, and,

            (j) requests to be informed whether, about the processing of the personal data of the data subject, automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, also takes place and, at least in these cases, further requests to be provided with meaningful information concerning the procedure used as well as the relevance and foreseeable consequences of such processing for the data subject, and,

            (k) requests to be told who the recipients of the data subject's data are or, where appropriate, to indicate the categories of recipients to whom their data have been or will be disclosed, and,

            (l) requests to be informed of the recipients in third countries and international organisations who have had or will have personal data of the data subject and,

            (m) requests information regarding the safeguards under Article 46 of the GDPR where personal data are transferred to a third country or international organisation,

the controller is always obliged to sufficiently verify the applicant's identity before processing the above requests. If the controller doubts the applicant's identity, he can request additional information to confirm his identity (Article 12(6) GDPR). 

  1. The administrator is entitled, in case of doubt as to the identity of the applicant, to request from that person:

            (a) to send the application with the applicant's signature certified if the applicant has made the application in paper form,

            (b) sending the application with an electronic signature, i.e. with data in electronic form attached to or logically associated with the data message, which serves as a method to unambiguously verify the identity of the signatory about the data message

            (c) sending the application by data mailbox, if the applicant has one 

  1. The controller shall not be entitled to request further information to verify the identity of the applicant, in particular, where:

            (a) at the relevant time (i.e. the time of the submission of the appropriate application), the controller processes the email contact as personal data of the applicant from which the proper application was sent

            b) the controller processes the telephone number of the applicant at the relevant time, then makes a telephone call to that telephone number to verify the identity of the applicant and, as agreed with the applicant, then sends the requested information or communicates other facts relating to the processing of personal data electronically to the email address provided by the applicant or in writing to the address provided by the applicant,

            (c) the controller can verify the identity of the applicant in other ways (e.g. through public registers and existing communications)

            (d) the applicant has requested in person in front of a competent controller official or another person authorised by the controller. 

XII.     Final provisions

The Declaration is publicly available on the website of the administrator: www.rozmital.com/pl

This Declaration was last updated on 01.01.2022