GUIDELINES ON THE PROTECTION OF PERSONAL DATA AND THEIR PROCESSING
Issued by the business corporation Venta – Trans Europe s.r.o., Identification No.: 290 94 364, with registered office at Vinohradská 2133/138, 130 00 Prague 3 Vinohrady, registered in the Commercial Register kept by the Municipal Court in Prague, file number C 175002 (hereinafter referred to as „Corporation“)
Pursuant to the provisions of Section 305 of Act No. 262/2006 Coll., Labor Code, as amended
I. Introductory provisions
1. This Directive on the Protection and Processing of Personal Data (hereinafter referred to as „the Directive“) is the central, general and basic internal regulation of the Corporation governing the conditions for the protection of personal data and its handling in the course of the Corporation's activities, i.e. the activities of its employees and of other persons.
2. This Directive lays down the basic conditions and responsibilities for the processing of personal data in the Corporation in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as „GDPR“), as well as related regulations.
3. Since the Corporation processes personal data, it is, in respect of at least some of that processing, the administrator of the personal data. This Directive applies to the Corporation in its capacity as an administrator or, as the case may be, as a processor of personal data, as defined by the GDPR. It also applies to all employees of the Corporation and to third parties handling personal data.
4. The purpose of the Directive is to set the basic conditions, to inform employees of the obligations arising from the GDPR and related legislation, and to ensure that personal data are processed within the Corporation in accordance with the GDPR.
5. Responsible persons, as well as all employees, are obliged to cooperate and to communicate all relevant information in order to bring the processing of personal data into line with the GDPR and the rules set out in this Directive.
II. Basic terminology
1. For the purposes of the Directive, the following definitions shall apply:
a. „personal data“ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
b. „special category of personal data“ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning health or data concerning the sex life or sexual orientation of a natural person;
c. „data subject“ means the natural person to whom the personal data relate (this may be an employee, a customer of the Corporation, etc.);
d. „processing“ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (this list is not exhaustive);
e. „further processing“ means the processing of personal data for a purpose other than that for which they were originally collected, e.g. the further processing of freely available data (public land registry data originally collected for the purpose of keeping the land register, etc.);
f. „Administrator“ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (the „controller“ in the terminology of the GDPR); for the purposes of this Directive, „Administrator“ also means the Corporation;
g. „Processor“ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the administrator; under certain conditions the Corporation may itself be in the position of a processor, and a processor may be, for example, an entity that provides accounting services for the Corporation, etc.;
h. „Recipient“ means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether or not it is a third party; e.g. the social security administration, the revenue, tax or customs authorities, etc.;
i. „Supervisory Authority“ means an independent public authority established by a Member State under Article 51 of the GDPR; in the case of the Czech Republic, the Office for Personal Data Protection;
j. „Automated processing“ means the processing of personal data using computer technology;
k. „Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, behaviour, location or movements; profiling is, for example, monitoring the behaviour of website visitors in order to track their preferences and subsequently send them commercial offers;
l. „Pseudonymization“ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
m. „Third party“ means a natural or legal person, public authority, agency or other body other than the data subject, the administrator, the processor and persons who, under the direct authority of the administrator or processor, are authorized to process personal data;
n. „Personal data breach“ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
o. „Child“ means a natural person under the age of 18 who has not yet acquired full legal capacity in accordance with Act No. 89/2012 Coll., the Civil Code;
p. „Employee“ means an employee of the Corporation in an employment relationship, or a person working for the Corporation on the basis of an agreement on work performed outside an employment relationship.
III. Principles of processing of personal data
1. All employees of the Corporation are required to ensure that the following principles are observed when processing personal data:
a. Lawfulness, fairness, transparency: personal data may only be processed lawfully, fairly and in a transparent manner, and only on the basis of the legal titles set out in this Directive. The administrator must ensure that data subjects are informed as fully as possible and that their personal data are processed openly and in accordance with the GDPR.
b. Purpose limitation: the purpose of processing defines the framework of operations that may be performed with the personal data. Defining the purpose is a key duty of the administrator. Personal data may not be processed for purposes other than those for which they were collected, subject to exceptions (for example, where the data subject consents, or where the new purpose of processing is compatible with the original one). Processing for another purpose is so-called further processing.
c. Data minimization: only personal data that are relevant and adequate for the purpose of processing are collected and processed, and only to the extent necessary to fulfil the defined purpose. If the purpose can be achieved without some of the personal data, the processing of such excess personal data must cease (for example, where the administrator can identify the data subject even without a personal identification number).
d. Accuracy: the data processed must be accurate and correspond to reality and, where necessary (depending on the nature of the particular processing), the administrator is required to keep them up to date. Once the administrator or processor finds that data are inaccurate, it shall take all reasonable steps to rectify or erase them. The effort devoted to ensuring accuracy when collecting and processing data should be proportionate to the risk of harm to the data subject. Data subjects must be asked to report any changes to personal data they have previously provided. The administrator is not responsible for inaccurate data where the data subject has supplied false information.
e. Storage limitation and form of storage: personal data are retained only for as long as necessary for the purposes for which they are processed. At the end of this period, the administrator is required to dispose of the personal data (erase or anonymize them). This does not apply where one of the exceptions set out in the GDPR applies. Personal data are stored in a form that does not allow unauthorized access to them.
f. Integrity and confidentiality: personal data shall be processed in a manner that ensures their protection against unauthorized or unlawful processing and against accidental destruction, damage or loss, etc.
2. For the purpose of fulfilling the principle of accountability, a responsible person, identified by job position, must be designated for each individual processing of personal data. The responsible person is designated by the person responsible for keeping the processing registry in accordance with Article VII paragraph 6 of the Directive.
IV. Duty of confidentiality
1. Anyone who in any way takes part in the processing of personal data, comes into contact with such data or learns of it is obliged to keep such data confidential. This does not apply where the information is otherwise publicly available or where its disclosure is required by law. The duty of confidentiality continues after the termination of the employment relationship. Details are governed by the employment contract or, as the case may be, by other contracts (for example with external processors of personal data).
V. Legal titles
1. Processing of personal data shall always take place on the basis of one of the legal titles referred to in Article V paragraph 3 of this Directive. Without a legal title, personal data cannot be processed; any such processing would be unlawful.
2. The legal title must be established at the latest together with the purpose of the particular processing. The legal title is proposed by the person responsible for the processing, i.e. the person referred to in Article III paragraph 2 of the Directive; the procedure then follows Article VII paragraph 2 of the Directive. The person responsible for the processing under Article III paragraph 2 of the Directive is also responsible for continuously monitoring that the legal title continues to exist.
3. Personal data may only be processed to the appropriate extent and only on the basis of one of the following legal titles:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the administrator is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
f) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the administrator (this title is not used within the Corporation).
4. Personal data may be processed on the basis of the consent of the data subject only if none of the other legal titles referred to in paragraph 3 letters b) to f) of this Article of the Directive can be used for the purpose of the processing. Consent as a legal title should therefore be used only as a last resort to preserve the lawfulness of the processing.
5. Only processing that is necessary for the conclusion or performance of a contractual obligation may be based on the legal title referred to in paragraph 3 letter b) of this Article of the Directive (i.e. „processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract“). In order for this legal title to be used, the data subject itself must be a party to the contract, or the request to conclude the contract must have come directly from the data subject. This legal title does not cover the processing of personal data arising from non-performance of the obligation.
6. The legal title referred to in paragraph 3 letter c) of this Article of the Directive (i.e. „processing is necessary for compliance with a legal obligation to which the administrator is subject“) can support the processing of personal data where a duty is laid down by European Union or domestic law with sufficient certainty that it can be determined what processing is to be performed, and the administrator (or processor) has no choice as to whether and how to fulfil that obligation.
7. Personal data may be processed on the basis of the legal title referred to in paragraph 3 letter d) of this Article of the Directive (i.e. „processing is necessary in order to protect the vital interests of the data subject or of another natural person“) only if the processing is necessary to prevent harm to the life or health of the data subject or of a third party.
8. Where personal data are processed on the basis of the legal title referred to in paragraph 3 letter e) of this Article of the Directive (i.e. „processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data“), a so-called comprehensive assessment must be carried out before the processing of the personal data begins.
The comprehensive assessment consists of the following steps:
a. Definition of the legitimate interest.
b. Assessment of the necessity criterion (i.e. whether the objective pursued can be achieved by other, less invasive means).
c. Balancing test.
The balancing test consists of the following steps:
a. Assessment of the weight of the legitimate interest
· the interests of the administrator, including its fundamental rights and freedoms (freedom of expression, freedom to conduct a business, etc.); it is always necessary to examine whether the processing is necessary and proportionate
· public and community interests (philanthropic activities, detection of corruption, fraud prevention); their existence can strengthen the administrator's legitimate interest and increase its weight
· other legitimate interests (the administrator's own interests, network security, direct marketing)
· legal, cultural or social recognition of the legitimate interest; its existence can add weight to the administrator's legitimate interest
b. Assessment of the impact of the processing on data subjects
· any direct or indirect harm that may arise, but also the emotional impact (e.g. stress from loss of control over personal data)
· both positive and negative impacts must be identified and evaluated, quantitatively but above all qualitatively
· not only harm caused by the administrator itself, but also harm caused by the activity of third parties (e.g. after the data have been handed over)
c. Balancing the interests against the consequences the processing may have for the data subject
· the interests must be compared
· the likelihood and magnitude of the potential harm are also taken into account
· ideally the result is that the interests of the data subjects do not outweigh those of the administrator, i.e. the benefits outweigh the impact on the rights and freedoms of the data subject
d. Assessment of the adequacy of the planned measures and safeguards
· when conducting the test, the measures the administrator plans to implement in accordance with the GDPR (purpose limitation, etc.) must be taken into account
· an uncertain or unsatisfactory outcome of the test can be reversed by adopting additional safeguards which ultimately outweigh the data subject's interests
· the more significant the impact of the processing on the data subject, the greater the attention that must be paid to the relevant safeguards.
9. Personal data may be processed on the basis of the legitimate interests of the administrator or of a third party referred to in paragraph 3 letter e) of this Article of the Directive only if, on the basis of the comprehensive assessment and the balancing test, it is established that the interests or fundamental rights and freedoms of the data subject do not outweigh the legitimate interests of the administrator or third party. If the result of the balancing test is unsatisfactory, further measures must be taken to remedy the deficiencies and the test repeated, or the processing of the personal data must be abandoned. As long as the result of the balancing test is not satisfactory, personal data cannot be processed on the basis of the legitimate interests of the administrator or third party.
10. The comprehensive assessment, including the balancing test, must be carried out before processing on the basis of the legitimate interests of the administrator or a third party begins. A written record containing a description and the result of each step of the comprehensive assessment, including the balancing test, shall be made. The comprehensive assessment, including the balancing test and its record, is carried out by the Managing Director. For processing already under way, this person is obliged to carry out the comprehensive assessment without undue delay after being assigned this responsibility, or after the adoption of this Directive.
VI. Purposes of processing of personal data
1. Any processing of personal data must serve a specific, explicit and legitimate purpose. The purpose must not be defined in general or indefinite terms; it must be defined precisely enough that it is clear what specific processing will take place on its basis.
2. Personal data cannot be processed without a specific, explicitly stated and legitimate purpose.
3. The purpose must be established at the latest when the personal data are collected. The purpose is proposed by the person responsible for the processing, i.e. the person referred to in Article III paragraph 2 of the Directive; the procedure then follows Article VII paragraph 2 of the Directive. The person responsible for the processing according to Article III paragraph 2 of the Directive is responsible for continuously monitoring that the purpose continues to exist.
4. Personal data may be processed for a given purpose only to the extent necessary and for as long as necessary. Once the purpose has been fulfilled and the data are not further processed for another purpose, they may not be processed further and must be disposed of.
5. If personal data are to be processed for a purpose other than that for which they were originally collected (hereinafter referred to as „further processing“), such further processing must be based on the consent of the data subject or on Union or Member State law. Where further processing is not based on the consent of the data subject or on Union or Member State law, a so-called compatibility assessment must be carried out before the further processing begins.
6. In assessing the compatibility of the objectives, the following issues are considered in particular:
· Any link between the purposes for which the personal data were collected and the purposes of the intended further processing;
· The circumstances under which personal data were collected, in particular as regards the relationship between data subjects and the administrator;
· The nature of the personal data, in particular whether special categories of personal data or personal data relating to criminal convictions and offences are being processed;
· Possible consequences of the intended further processing for data subjects;
· The existence of appropriate safeguards (e.g. encryption or pseudonymization).
7. Further processing that is subject to the compatibility assessment may only be carried out if, in that assessment, the purpose of the further processing is found to be compatible with the original purpose.
8. The compatibility assessment, and the record of it, are made by the Managing Director before further processing begins. The Corporation is obliged to inform data subjects about such further processing; the person referred to in this paragraph shall inform the person responsible for fulfilling the information obligation of the positive result of the compatibility assessment.
VII. Common Provisions on Legal Titles and Purposes
1. The Managing Director of the Corporation supervises that personal data are processed only on the basis of the legal titles provided for by the GDPR and for a specific, explicit and legitimate purpose. This person is also required to check regularly that the legal title continues to exist, whether it has changed, etc. Once an inspection has been performed, this person is responsible for promptly determining the further procedure in the event that deficiencies are discovered.
2. The person responsible for the processing submits, in accordance with Article V paragraph 2 and Article VI paragraph 3 of the Directive, a written proposal for the wording of the purpose and legal title of the proposed processing to the Managing Director of the Corporation.
3. Once the purpose and legal title have been determined under the procedure set out in paragraph 2 of this Article, the Managing Director of the Corporation shall notify the person responsible for the processing in accordance with Article III paragraph 2 of the Directive, who is also obliged to monitor whether the purpose and legal title so established continue to apply. The Managing Director is also responsible for maintaining the processing registry pursuant to Article VII paragraph 6 of the Directive.
4. If an employee discovers that personal data are being processed without a legal title or purpose, or that the legal title or purpose has changed, he or she shall immediately notify the person responsible for the processing, i.e. the person referred to in Article III paragraph 2 of the Directive. That person is required to examine the notification immediately and, if it is confirmed, to decide immediately on the next steps and to notify the person responsible for keeping the processing registry pursuant to Article VII paragraph 6 of the Directive, or other persons as appropriate (the person responsible for disposal, the person responsible for fulfilling the information obligation, etc.).
5. If the legal title or the purpose of the processing changes while the personal data are being processed, the person responsible for the processing shall inform the Managing Director of the change without delay.
6. The legal title and purpose of each processing are recorded in the processing registry¹, kept under the responsibility of the Managing Director of the Corporation. All employees are required to provide the person referred to in the previous sentence with the assistance needed for the proper maintenance of the registry and for checking that the processing of personal data complies with the GDPR.
7. If the legal title and/or the purpose of the processing of personal data no longer applies, or the purpose has been fulfilled, employees are obliged to inform the person responsible for the processing according to Article III paragraph 2 of the Directive. That person ensures that the processing of the relevant personal data is immediately terminated and that the data are disposed of.
¹ The processing registry is an overview of all personal data processing operations performed by the Corporation. It is an effective means of checking whether data are processed only for as long as necessary, only to the extent necessary, etc. The registry can also help demonstrate fulfilment of the Corporation's obligations in the event of an inspection by the Supervisory Authority. For each individual processing operation, the registry should in particular record its purpose, legal title, processing period, the specific personal data and the category of data subjects. It should also describe how the administrator obtained the personal data, how it is handled, where it is stored, who has access to it, to whom it is passed on, etc.
VIII. Data subject´s consent to the processing of personal data
1. If the processing of personal data is based on the consent of the data subject, such consent must comply with all the requirements of Article 7 of the GDPR; in particular it must be freely given, specific, informed and unambiguous. If the consent does not meet the requirements of Article 7 of the GDPR, personal data cannot be processed on its basis.
2. In order for consent to serve as a legal title for the processing of personal data, it must be given in writing or electronically and must be separate from other matters, i.e. it must form a separate document (for example, it must not be part of business terms and conditions).
3. Before consent is given, the data subject shall be informed of all the facts and circumstances of the processing so that the consent is properly informed. In particular, the data subject shall be informed of:
a) The identity of the administrator,
b) The purpose of processing,
c) Processing operations and their consequences for the data subject,
d) The possibility to withdraw consent at any time.
4. The model consent of the data subject with the processing of personal data forms Annex No. 2 of this Directive.
5. The data subject's consent to the processing of personal data is archived in the consent database for the entire period of processing of the personal data. The consent database is kept by the Managing Director of the Corporation, who must be able at all times to prove all the facts regarding each consent listed in paragraph 6 of this Article of the Directive.
6. For each consent, the consent database shall record:
a) Who the data subject is,
b) When the consent was given,
c) For what processing and for what purpose the consent was given,
d) What information the data subject had available before giving consent,
e) The form in which consent was given and what its content was,
f) Whether and, if so, when the consent was withdrawn.
7. Upon expiry of the period for which consent was given, or after consent has been withdrawn, the consent and the personal data to which it relates must be disposed of (erased or anonymized) without undue delay. Only personal data that continue to be processed on the basis of a different legal title are not erased.
8. In the case of withdrawal of consent, the document in which the data subject withdraws consent is forwarded without undue delay to the person responsible for the processing, i.e. the person referred to in Article III paragraph 2 of the Directive, who, by informing the relevant persons (the persons responsible for the information obligation, for disposal, etc.), ensures that the processing of the relevant personal data is immediately terminated, that the data are disposed of, and that all processors to which the personal data were transmitted are promptly requested to dispose of them as well.
IX. The rights of data subjects and their communication in general
1. The Managing Director is responsible for the manner of communication with data subjects, for fulfilling the information and notification obligations towards data subjects and other external entities, and for handling all requests of data subjects in accordance with this Directive. This person is also responsible for the erasure and destruction of personal data in accordance with this Directive. The responsible person designated in this paragraph shall cooperate in particular with the persons responsible for the processing according to Article III paragraph 2 of the Directive and with the person responsible for keeping the processing registry in accordance with Article VII paragraph 6 of the Directive.
2. The administrator (the person specified in the previous paragraph) must communicate with data subjects, and provide them with information, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This can be achieved, for example, by structuring the text, using simple sentences rather than technical terms, using graphics or other visual elements, etc.
3. The administrator must take appropriate measures to enable the data subject to contact it at least:
a) In writing (by post),
b) Electronically (e.g. via a web form) and
c) orally (by personal visit or by telephone).
4. The method of communication shall be chosen in such a way as to be appropriate and proportionate to the circumstances of the processing. The administrator should respect the method of communication chosen by the data subject.
5. All communication with data subjects (including its content and the time at which it took place) shall be recorded for the purpose of later documentation. The person referred to in paragraph 1 of this Article of the Directive is responsible for this.
X. Information obligation in the case of obtaining personal data directly from the data subject
1. Where the administrator obtains personal data directly from the data subject (e.g. the data subject communicates with the administrator in person or by telephone, completes an application form, etc.), the data subject must be provided with at least the following information at the moment the personal data are obtained:
a) The identity and contact details of the administrator (and, where applicable, of its representative) for personal data protection matters;
b) The contact details of the Data Protection Officer, if one has been appointed by the Corporation;
c) The processing purposes for which the personal data are intended and the legal basis for processing;
d) The legitimate interests of the administrator or third party where the processing is based on a legal title of legitimate interest;
e) The recipient or category of recipients of personal data;
f) The nature and extent of processing, and any possible implications of such processing, for the rights and freedoms of data subjects;
g) The period for which personal data will be stored or, if it is not possible to determine it, the criteria used to determine that period;
h) The existence of the right to request from the administrator access to the personal data relating to the data subject, their rectification or erasure, or restriction of processing, the right to object to processing, and the right to data portability;
i) When the processing is based on the consent of the data subject, the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given prior to its withdrawal;
j) The existence of the right to lodge a complaint at the Supervisory Authority;
k) The fact whether the provision of personal data is a statutory or contractual requirement or a requirement to be made in the contract and whether the data subject is required to provide personal data and in regarding to possible consequences of failure to provide such data;
l) The fact that automated decision making, including profiling, and at least in those cases, meaningful information on the procedure followed and the significance and implications of such processing for the data subject can appear.
2. The information referred to in the previous paragraph of this Directive need not be provided to the data subject if the administrator is able to demonstrate that the data subjects have already got that information. However, in the case of an explicit request from the data subject, the information must be provided repeatedly.
XI. Information obligation in the case of obtaining personal data in a different way than from the data subject
1. Where personal data were not obtained directly from the data subject, the administrator shall provide the data subject with the following information:
a. The information referred to in Article X paragraph 1 of this Directive, with the exception of the information under Article X paragraph 1 letter k) of this Directive;
b. The categories of personal data concerned;
c. The source of the personal data.
2. The information referred to in paragraph 1 of this Article of the Directive shall be provided within the following time limits:
a. Without undue delay, and no later than one month after the personal data were obtained;
b. Where the personal data are to be used for communication with the data subject, at the latest at the time of the first communication with the data subject;
c. Where disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
3. The information under paragraph 1 of this Article of the Directive need not be provided to the data subject in the following cases:
a. The administrator is able to demonstrate that the information was already provided to the data subject; on the explicit request of the data subject, the information must nevertheless be provided again;
b. The provision of the information proves impossible or would involve a disproportionate effort (for example, where the contact details of the data subjects are not known and cannot be obtained, or could be obtained only with great difficulty);
c. The provision of the information would seriously impair the achievement of the purpose of the processing (e.g. fraud detection);
d. The obtaining or disclosure of the personal data is expressly laid down by law;
e. The personal data are treated as confidential by the administrator, and all persons who come into contact with them are bound by an obligation of professional secrecy, including a statutory obligation of confidentiality.
XII. Information obligation in case of further processing
1. Where the administrator intends to further process personal data for a purpose other than that for which they were collected, it shall, before such further processing, provide the data subject with information on that other purpose and, in addition:
a) The information referred to in Article X paragraph 1 of this Directive, where the personal data were obtained directly from the data subject, or
b) The information referred to in Article XI paragraph 1 of this Directive, where the personal data were not obtained directly from the data subject.
2. The information referred to in the previous paragraph need not be provided to the data subject in the cases:
a) Referred to in Article X paragraph 2 of this Directive, where the personal data were obtained directly from the data subject, or
b) Referred to in Article XI paragraph 3 of this Directive, where the personal data were not obtained directly from the data subject.
XIII. Notification obligation towards recipients of personal data
1. The Administrator (the person referred to in Article IX paragraph 1 of the Directive) shall notify each recipient to whom the personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing, unless this proves impossible or involves disproportionate effort.
2. The Administrator (the person referred to in Article IX paragraph 1 of the Directive) shall inform the data subject about those recipients in accordance with Article X paragraph 1 and Article XI paragraph 1 of this Directive.
XIV. Rights of data subjects
1. The administrator shall establish simple procedures enabling data subjects to contact it in order to exercise their rights. The administrator, or the person referred to in Article IX paragraph 1 of the Directive, is obliged, when fulfilling the information obligation, to actively ensure that data subjects are made aware of their rights and of how and where they can exercise them.
2. When handling requests and when informing data subjects about the procedure for handling requests, the principles of communication with data subjects set out in Articles X to XIII of this Directive must always be respected.
The procedure for handling each request, including the reasons for the manner in which it was handled, must be recorded.
XV. Identification of data subjects
1. Before any claimed right is settled, the data subject must be securely identified so that an unauthorised person cannot obtain, erase or modify the personal data of another data subject.
2. The specific means of identifying data subjects must be determined individually, taking into account the nature, scope, context and purposes of the processing, as well as the varying and potentially diverse risks to the rights and freedoms of natural persons. The requirements for identity verification may be graded according to the specific right being exercised: for example, a request for confirmation of whether personal data are processed carries a lower risk than a request for a copy of the data, so the first type of request may require a lower level of identity verification.
3. If the data subject cannot be securely identified on the basis of the data he or she has provided, additional data may be requested from the data subject. However, identification data that are not necessary for the stated purpose of the processing may not be required.
4. If the data subject cannot be identified under paragraph 3 of this Article of the Directive, the request may be refused; the data subject must be informed of the refusal.
XVI. Time limit for handling requests of data subjects and ways of handling them
1. Within one month of receipt of the data subject's request, one of the following must occur:
a) The request is granted, or
b) The request is refused, or
c) The time limit for handling the request is extended.
2. A request is granted when the required measures are implemented and the data subject is informed of them, or when the data subject is provided with the information he or she requested.
3. A request is refused when the requested action is not taken and the data subject is informed of the reasons for the refusal, together with information on the possibility of lodging a complaint with the Supervisory Authority and of seeking a judicial remedy.
4. The time limit referred to in paragraph 1 letter c) of this Article of the Directive may be extended by up to two further months. When the time limit is extended, the data subject must be informed of the extension and of its reasons. If the time limit has been extended, the request must then be handled within the extended time limit.
5. A request may also be granted in part; the remainder must then be refused.
XVII. Fee for processing the requests
1. The handling of requests is in principle free of charge. A fee for handling a request may be charged only exceptionally, under paragraph 2 of this Article of the Directive.
2. If requests made by a data subject are manifestly unfounded or excessive, the administrator may:
a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of taking the action requested;(2) or
b) refuse to act on the request.
3. A request is manifestly unfounded in particular where it entirely lacks justification (where justification is required; this does not apply to the right of access) and it cannot be inferred by interpretation what the data subject is seeking, etc.
4. A request is manifestly excessive in particular where it is repetitive, etc.
5. The administrator must be able to demonstrate that the request is manifestly unfounded or excessive.
(2) A special internal regulation (fee price list) may further specify the amount of the fees for handling requests and the grounds on which they are assessed.
XVIII. Right of access
1. The data subject shall have the right to require the administrator:
a. To provide confirmation as to whether the administrator processes personal data concerning him or her, and/or
b. To make the processed personal data available.
2. At the request of the data subject, the following information shall be provided:
a. Confirmation of whether the administrator processes the personal data;
b. A copy of the processed personal data;
c. Information on past processing;
d. The purposes of the processing;
e. The categories of personal data concerned;
f. The recipients or categories of recipients to whom the personal data have been or will be disclosed;
g. The envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
h. The existence of the right to require from the administrator the rectification or erasure of personal data relating to the data subject, or the restriction of their processing, or to object to such processing;
i. The right to lodge a complaint with the Supervisory Authority;
j. Any available information on the source of the personal data, where they were not obtained from the data subject;
k. Whether automated decision-making takes place and, at least in those cases, meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.
3. The data subject may limit the request to certain information. If the request is not so limited, all the information and data under paragraph 2 of this Article of the Directive must be provided.
4. Making the data available under paragraph 1 letter b) of this Article of the Directive means providing a copy of the processed personal data. The first copy of the processed personal data is always provided free of charge. A further copy is also provided free of charge where the personal data can reasonably be expected to have changed since the previous copy.
5. A copy of the processed personal data shall not be provided where this would adversely affect the rights and freedoms of other persons.
XIX. Right to rectification
1. The data subject shall have the right to require:
a) The rectification of inaccurate personal data; and
b) The completion of incomplete personal data.
2. If the data subject submits a request under paragraph 1 letter a) of this Article of the Directive, the Administrator must verify without delay whether the personal data are inaccurate and must restrict the processing of the personal data concerned for the duration of the verification.
3. If the data subject submits a request under paragraph 1 letter b) of this Article of the Directive, the Administrator shall complete the data only to the extent appropriate to the purposes of the processing. The administrator is not obliged to carry out the requested completion if it is not relevant to the purpose of the processing.
XX. Right to erasure
1. The data subject has the right to have his or her personal data erased if he or she requests erasure and at least one of the following grounds applies:
a. The personal data are no longer needed for the purpose for which they were processed;
b. The personal data are processed solely on the basis of consent and the data subject withdraws that consent;
c. The data subject objects to the processing and, on assessment of the objection, it is found that the interests of the data subject override those of the administrator, or the data subject objects to the processing for direct marketing purposes;
d. The personal data have been processed unlawfully;
e. The administrator is subject to a legal obligation to erase the personal data;
f. The personal data are those of a child, collected by the administrator in connection with the offer of information society services.
2. Even if one of the grounds under paragraph 1 of this Article of the Directive applies, the administrator may continue to process the personal data where the processing is necessary:
a. For the exercise of the right to freedom of expression and information;
b. For compliance with a legal obligation of the administrator, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the administrator;
c. For reasons of public interest in the area of public health;
d. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
e. For the establishment, exercise or defence of legal claims.
3. The administrator is also obliged to erase personal data without a request from the data subject, beyond the scope of this Article of the Directive. This obligation arises in particular where the legal title or the purpose of the processing ceases to exist. The person referred to in Article IX paragraph 1 of the Directive is responsible for fulfilling this obligation of the administrator.
XXI. Right to restriction of processing
1. The data subject has the right to obtain the restriction of processing of his or her personal data in the following cases:
a) The data subject contests the accuracy of the personal data;
b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their processing instead;
c) The administrator no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
d) The data subject has objected to the processing and the assessment of whether the legitimate grounds of the administrator override those of the data subject is still pending.
2. Personal data whose processing has been restricted may not be processed other than by storage. During the restriction, the personal data concerned may not be destroyed either.
3. The specific technical means of restricting processing are chosen case by case (e.g. flagging the data in the system, blocking access to them, temporarily removing them from the production system, etc.).
4. Further processing of personal data whose processing has been restricted to mere storage is possible only:
a) With the consent of the data subject,
b) For the establishment, exercise or defence of legal claims,
c) For the protection of the rights of another natural or legal person, or
d) For reasons of important public interest of the EU or of a Member State.
5. The data subject shall be informed before the restriction of processing is lifted.
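The rules in paragraphs 2 to 5 above can be enforced in the system that stores the records rather than left to procedure alone. The following is an added example, not part of the Directive or of any system of the Corporation: a small in-memory record store that refuses every operation other than storage on a restricted record, refuses deletion while the restriction lasts, logs each refusal, and informs the data subject before a restriction is lifted. The record layout, the purpose names and the notification callback are assumptions made for the illustration.

```python
"""Enforcing a restriction of processing on stored records (Article XXI).

Added example, not part of the Directive. Record shape, purpose names and the
notification callback are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

# Purposes for which a restricted record may still be processed (paragraph 4).
RESTRICTED_ALLOWED_PURPOSES = {
    "data_subject_consent",
    "legal_claims",
    "protect_rights_of_another_person",
    "important_public_interest",
}


class ProcessingRestricted(Exception):
    """Raised when an operation is refused because the record is restricted."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: str = ""   # e.g. "accuracy_contested", "objection_pending"
    audit: list = field(default_factory=list)


class RecordStore:
    def __init__(self, notify_subject: Callable[[str, str], None]):
        self._records = {}            # subject_id -> Record
        self._notify_subject = notify_subject

    def add(self, record: Record) -> None:
        self._records[record.subject_id] = record

    def restrict(self, subject_id: str, reason: str) -> None:
        rec = self._records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        rec.audit.append(("restrict", reason))

    def process(self, subject_id: str, purpose: str) -> dict:
        """Return the record's data for `purpose`, or refuse if restricted.

        While restricted, storage is the only permitted operation unless the
        purpose is one of the exceptions in paragraph 4 (deny by default).
        """
        rec = self._records[subject_id]
        if rec.restricted and purpose not in RESTRICTED_ALLOWED_PURPOSES:
            rec.audit.append(("refused", purpose))
            raise ProcessingRestricted(
                f"processing of {subject_id} restricted ({rec.restriction_reason}); "
                f"purpose {purpose!r} not permitted")
        rec.audit.append(("processed", purpose))
        return dict(rec.data)

    def delete(self, subject_id: str) -> None:
        """Paragraph 2: restricted data may not be destroyed either."""
        rec = self._records[subject_id]
        if rec.restricted:
            rec.audit.append(("refused", "delete"))
            raise ProcessingRestricted(f"{subject_id} is restricted; deletion refused")
        del self._records[subject_id]

    def lift_restriction(self, subject_id: str) -> None:
        """Paragraph 5: the data subject is informed before the restriction ends."""
        rec = self._records[subject_id]
        self._notify_subject(subject_id, "restriction of processing will be lifted")
        rec.restricted = False
        rec.restriction_reason = ""
        rec.audit.append(("unrestrict", ""))


def demo() -> list:
    """Constructed walk-through of one restricted record; returns the outcomes."""
    sent = []
    store = RecordStore(notify_subject=lambda sid, msg: sent.append((sid, msg)))
    store.add(Record("subj-42", {"name": "A. Example", "email": "a@example.invalid"}))
    store.restrict("subj-42", "accuracy_contested")
    outcomes = []
    for purpose in ("marketing", "legal_claims"):
        try:
            store.process("subj-42", purpose)
            outcomes.append((purpose, "allowed"))
        except ProcessingRestricted:
            outcomes.append((purpose, "refused"))
    try:
        store.delete("subj-42")
        outcomes.append(("delete", "allowed"))
    except ProcessingRestricted:
        outcomes.append(("delete", "refused"))
    store.lift_restriction("subj-42")
    outcomes.append(("notified_before_lift", len(sent) == 1))
    outcomes.append(("marketing_after_lift", store.process("subj-42", "marketing")["name"]))
    return outcomes
```

The audit list on each record is what makes the restriction demonstrable afterwards: every refused operation is recorded alongside the permitted ones, so the administrator can show that the data were indeed only stored during the restriction.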
XXII. Right to data portability
1. The data subject shall have the right to:
a) Receive his or her personal data in a machine-readable format; and
b) Require the direct transmission of the personal data in a machine-readable format to another administrator, where this is technically feasible.
2. A machine-readable format means a structured, commonly used and machine-readable format in which personal data processed by automated means are stored (for example XML, JSON or CSV).
3. The data subject has the rights under paragraph 1 of this Article of the Directive only in respect of personal data meeting all of the following conditions:
a) The personal data are processed by automated means,
b) The personal data are processed on the basis of consent or for the performance of a contract; and
c) The personal data were provided by the data subject himself or herself (e.g. data collected on the basis of the data subject's use of the service).
4. Personal data in a machine-readable format shall not be provided or transmitted where this would adversely affect the rights and freedoms of other persons.
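How the three conditions of paragraph 3 translate into an export routine is shown by the following added example, which is not part of the Directive or of the Corporation's systems. Each stored field carries metadata on its legal basis, on whether it was provided by the data subject, observed from the use of the service or inferred by the administrator, and on whether it is processed by automated means; only fields that satisfy all three conditions are written out, as JSON or CSV. The field names, the metadata layout and the sample record are assumptions.

```python
"""Data portability export (Article XXII).

Added example, not part of the Directive. The record layout, the per-field
metadata and the field names are assumptions made for the illustration.
"""
import csv
import io
import json

# Per-field metadata the administrator would keep alongside its records of processing.
# origin: "provided" (given by the subject), "observed" (from the subject's use of
# the service) or "inferred" (derived by the administrator, therefore not portable).
FIELD_META = {
    "name":           {"basis": "contract",            "origin": "provided", "automated": True},
    "email":          {"basis": "contract",            "origin": "provided", "automated": True},
    "newsletter_opt": {"basis": "consent",             "origin": "provided", "automated": True},
    "login_history":  {"basis": "contract",            "origin": "observed", "automated": True},
    "credit_score":   {"basis": "legitimate_interest", "origin": "inferred", "automated": True},
    "paper_note":     {"basis": "contract",            "origin": "provided", "automated": False},
}

PORTABLE_BASES = {"consent", "contract"}          # paragraph 3 letter b)
PORTABLE_ORIGINS = {"provided", "observed"}       # paragraph 3 letter c)


def is_portable(name: str) -> bool:
    """All three conditions of paragraph 3 must hold; unknown fields are never exported."""
    meta = FIELD_META.get(name)
    if meta is None:
        return False
    return (meta["automated"]
            and meta["basis"] in PORTABLE_BASES
            and meta["origin"] in PORTABLE_ORIGINS)


def select_portable(record: dict) -> dict:
    return {k: v for k, v in record.items() if is_portable(k)}


def export_json(record: dict) -> str:
    return json.dumps(select_portable(record), ensure_ascii=False, sort_keys=True, indent=2)


def export_csv(record: dict) -> str:
    """Flat CSV with one row; list values are joined with ';' so the file stays a single table."""
    data = select_portable(record)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted(data))
    writer.writeheader()
    writer.writerow({k: (";".join(map(str, v)) if isinstance(v, list) else v)
                     for k, v in data.items()})
    return buf.getvalue()


# Constructed sample record for one data subject.
SAMPLE = {
    "name": "A. Example",
    "email": "a@example.invalid",
    "newsletter_opt": True,
    "login_history": ["2024-01-02T08:00:00Z", "2024-01-03T09:15:00Z"],
    "credit_score": 712,           # inferred by the administrator -> excluded
    "paper_note": "signed form",   # not processed by automated means -> excluded
    "internal_flag": "vip",        # no metadata -> excluded by default
}

if __name__ == "__main__":
    print(export_json(SAMPLE))
    print(export_csv(SAMPLE))
```

Keeping the selection in metadata rather than in the export code means the same filter serves both letters of paragraph 1: the JSON produced for the data subject is the same document that would be transmitted directly to another administrator.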
XXIII. Right to object
1. The data subject shall have the right to object to the processing of personal data which is carried out:
a) For the performance of a task carried out in the public interest or in the exercise of official authority,
b) For the purposes of the legitimate interests of the administrator or of a third party,
c) For direct marketing(3) purposes, or
d) For scientific or historical research purposes or for statistical purposes.
2. Where an objection is raised under paragraph 1 letter a) or b) of this Article of the Directive, the following steps must be taken:
a) The processing of the personal data concerned must be restricted without undue delay for any purpose other than the establishment, exercise or defence of legal claims;
b) It must be assessed whether the administrator has compelling legitimate grounds for further processing which override the interests, rights and freedoms of the data subject (balancing test);
c) Where the administrator does not have such grounds, the processing of the personal data concerned must be terminated.
3. Where an objection is raised under paragraph 1 letter c) of this Article of the Directive, the processing of the personal data for direct marketing purposes must be terminated without undue delay.
4. Where an objection is raised under paragraph 1 letter d) of this Article of the Directive, the processing of the personal data for scientific or historical research purposes or for statistical purposes shall be terminated without undue delay, unless the processing is necessary for the performance of a task carried out in the public interest.
(3) Direct marketing means addressing customers in order to offer them pre-selected products and services.
XXIV. Records of processing of personal data
1. The administrator is obliged to keep records of the individual processing activities, in writing (including in electronic form). Under Article 30 paragraph 5 of the GDPR this obligation is not imposed on the Corporation; the records are nevertheless kept as set out in this Article.
2. The Managing Director is responsible for keeping the records of processing. The records are kept securely in the office of the Managing Director for the entire duration of the processing. Once the processing has ended, the records of that processing are disposed of without delay.
3. The records of processing shall contain the following information:
a. The name and contact details of the administrator and, where applicable, of any joint administrator, of the administrator's representative and of the data protection officer;
b. The purposes of the processing;
c. A description of the categories of data subjects and of the categories of personal data;
d. The categories of recipients to whom the personal data have been or will be disclosed;
e. Information on any transfer of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of a transfer under the second subparagraph of Article 49 paragraph 1 of the GDPR, documentation of the suitable safeguards;
f. Where possible, the envisaged time limits for erasure of the individual categories of data;
g. Where possible, a general description of the technical and organisational security measures.
XXV. Risk assessment and impact assessment for the protection of personal data
1. The Managing Director ensures that a risk assessment is carried out for each processing operation with regard to the rights and freedoms of natural persons. The risk assessment must be carried out before the processing of the personal data begins; for personal data already being processed, it must be carried out without delay after the adoption of this Directive.
2. When assessing risks under paragraph 1 of this Article of the Directive, the degree of risk of each processing operation must be determined, taking into account all the circumstances of the processing, at one of the following levels:
- Low risk
- Medium risk
- High risk
3. Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, the Managing Director shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
4. A data protection impact assessment must be carried out in particular in the following cases of processing:
a) A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning natural persons or similarly significantly affect them;
b) Processing on a large scale of the special categories of data referred to in Article 9 paragraph 1 of the GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR;
c) Systematic monitoring of publicly accessible areas on a large scale.
5. The Managing Director referred to in paragraph 3 of this Article of the Directive shall also carry out a data protection impact assessment for all processing operations included in the list of processing operations subject to a data protection impact assessment published by the Supervisory Authority.
6. The data protection impact assessment shall comply with the requirements of Article 35 of the GDPR and shall include at least:
a) A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the administrator;
b) An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) An assessment of the risks to the rights and freedoms of data subjects;
d) The measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
XXVI. Physical security rules
1. The presence of third parties in the premises of the Corporation (particularly in rooms/offices where personal data are processed) may endanger the security of the personal data being processed. In addition to customers/clients/guests, third parties are in particular persons performing the following activities:
a. Maintenance of technical or software equipment,
b. Consultancy activities,
c. Cleaning, supply, security and other services.
2. The conditions under which a third party may access rooms where personal data are processed, or the personal data themselves, must be laid down in a written agreement.
3. Personal data must not be processed in premises of the Corporation where customers/clients/guests and other unauthorised persons can move freely. If personal data are processed directly at the headquarters of the Corporation, the processing must take place in a secured room to which the public has no access.
4. Access to personal data may be granted only to employees for whom it is necessary for the proper performance of their duties. If an employee who does not have access to personal data needs such access, the access must be approved and recorded (e.g. in a log book). Records of approvals and of access must be properly maintained and retained.
5. Access to computers, applications and information systems must be configured so that only authorised users can access them.
6. Every room must allow the personal data kept there to be protected (locked away), especially when no employee is present. Entrance doors and locks must have an appropriate degree of resistance to tampering (security locks, grilles on low-lying windows, etc.).
7. The Managing Director of the Corporation ensures that employees are issued keys only to those rooms to which they need access in view of the activities entrusted to them. Employees may not hand keys over to another person without the permission of their superior/manager.
8. On termination of employment, the Head of the Corporation shall collect the employee's keys and any other similar means of access. The employee is also obliged to return all documents that may contain personal data, including copies; alternatively, the employee undertakes to destroy such copies.
9. All rooms are subject to regular fire inspection. Rooms in which personal data are processed, and their immediate surroundings, are equipped with means that minimise the extent of a possible fire (e.g. smoke detectors, fire doors, fire extinguishers).
10. All documents containing personal data must be locked in lockable drawers or other secure furniture, or otherwise secured, whenever they are not in use, in particular when no authorised employee is present in the room where the documents are kept.
11. Employees must not leave electronic or paper media containing personal data, or unsecured computers, freely accessible (on office desks, on copiers, in offices or corridors, at reception, etc.) while they are absent.
12. Employees may not store documents containing personal data on their computer desktop, and every employee undertakes to lock his or her computer when leaving the office.
13. Employees are required to protect the documents stored on their computers with a unique password which they must not disclose to any other person.
XXVII. Monitoring by means of a CCTV system
1. The Corporation operates a CCTV system on its premises.
2. The Corporation monitors delimited spaces, in particular at the workplace, to protect the rights and legitimate interests of employees and third parties: it monitors designated areas to protect its property against unlawful conduct (theft, damage, misuse, etc.) and to protect the property and health of employees and other persons.
3. The individual cameras located at the headquarters of the Corporation and in other buildings used by the Corporation cover in particular entrance areas, reception areas, corridors and related spaces.
4. Recordings from the CCTV system are retained by the Corporation for a maximum of 30 days, which is the period necessary to detect a particular infringement.
5. The use of the camera system in rooms intended exclusively for the private use of employees or other persons (e.g. toilets, changing rooms) is prohibited.
6. Access to recordings from the camera system is logged so that it can be established when, by whom and for what reason personal data from the camera system were processed.
7. The Managing Director of the Corporation is responsible for the management of the CCTV recordings and of the access log.
8. Monitored areas must be visibly marked with the notice „Space monitored by a camera system“ and the appropriate pictogram.
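Paragraphs 4 and 6 can be enforced by a scheduled job that purges recordings older than 30 days and by an append-only log of every access to a recording. The following is an added example written for this page, not code from the Directive or from the Corporation's CCTV system; the file naming scheme (camera id and UTC timestamp in the filename), the directory layout and the log format are assumptions.

```python
"""CCTV recording retention and access logging (Article XXVII).

Added example, not part of the Directive. Filename format, directory layout
and log format are assumptions made for the illustration.
"""
import json
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

RETENTION_DAYS = 30   # paragraph 4
# Assumed naming: <camera>_<YYYYMMDDTHHMMSSZ>.mp4, e.g. cam01_20240105T081500Z.mp4
NAME_RE = re.compile(r"^(?P<camera>[A-Za-z0-9-]+)_(?P<ts>\d{8}T\d{6}Z)\.mp4$")


def recording_time(name: str) -> Optional[datetime]:
    """Timestamp encoded in the filename, or None for files that are not recordings."""
    m = NAME_RE.match(name)
    if not m:
        return None   # unknown files are never deleted by the retention job
    return datetime.strptime(m.group("ts"), "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def expired_recordings(names, now: datetime) -> list:
    cutoff = now - timedelta(days=RETENTION_DAYS)
    expired = []
    for n in names:
        t = recording_time(n)
        if t is not None and t < cutoff:
            expired.append(n)
    return sorted(expired)


def purge(directory: Path, now: datetime) -> list:
    """Delete every recording older than RETENTION_DAYS; return what was removed."""
    removed = expired_recordings(os.listdir(directory), now)
    for n in removed:
        (directory / n).unlink()
    return removed


def log_access(log: Path, recording: str, who: str, reason: str, now: datetime) -> dict:
    """Append-only JSON lines: when, by whom, which recording and for what reason (paragraph 6)."""
    if not reason.strip():
        raise ValueError("a reason for accessing a recording is mandatory")
    entry = {"when": now.isoformat(), "who": who, "recording": recording, "reason": reason}
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Constructed scenario in a temporary directory: one access, then a retention run."""
    tmp = Path(tempfile.mkdtemp())
    now = datetime(2024, 2, 10, 12, 0, tzinfo=timezone.utc)
    for n in ("cam01_20240105T081500Z.mp4",   # 36 days old -> purged
              "cam01_20240120T081500Z.mp4",   # 21 days old -> kept
              "cam02_20240110T235959Z.mp4",   # just over 30 days old -> purged
              "README.txt"):                  # not a recording -> kept
        (tmp / n).write_bytes(b"\x00")
    log_access(tmp / "access.log", "cam01_20240120T081500Z.mp4",
               "security.officer", "investigation of theft reported on 2024-02-09", now)
    removed = purge(tmp, now)
    log_lines = (tmp / "access.log").read_text(encoding="utf-8").splitlines()
    return {"removed": removed, "remaining": sorted(os.listdir(tmp)),
            "log_entries": len(log_lines)}
```

The retention job deletes only files whose timestamp it can parse; anything else in the directory is left for a human to look at, so a renamed or unexpected file is never silently destroyed. The access log refuses an entry without a reason, which is what makes paragraph 6 auditable.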
XXVIII. Staff training
1. In order to ensure compliance with the GDPR, the Administrator shall take all necessary measures, including initial and subsequent regular training of all employees of the Corporation. The aim of the training is to inform employees of their duties so that their activities comply with the requirements of the GDPR and of this Directive.
XXIX. Reporting of personal data breaches
1. If an employee becomes aware of a breach of the security of personal data processed within the Corporation, he or she shall immediately notify the Corporation. If it is likely that the breach will result in a risk to the rights and freedoms of natural persons, the responsible person of the Corporation shall notify the personal data breach to the Supervisory Authority within 72 hours of becoming aware of it. If the notification is not made within this time limit, the reasons for the delay must accompany the notification.
2. If it is assessed that a breach under paragraph 1 of this Article of the Directive is unlikely to result in a risk to the rights and freedoms of natural persons, and the breach is therefore not notified to the Supervisory Authority, the Managing Director is required to document the reasons for the non-notification, explaining why the breach does not endanger the rights and freedoms of natural persons.
3. The notification under paragraph 1 of this Article of the Directive shall contain in particular the following information:
a. A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. The name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
c. A description of the likely consequences of the personal data breach;
d. A description of the measures taken or proposed by the administrator to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. The Managing Director of the Corporation shall communicate the personal data breach to the data subject without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication shall describe in clear and plain language the nature of the personal data breach and indicate the measures taken.
5. The communication under the previous paragraph is not required if the administrator has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise, or if the communication would involve disproportionate effort. The reasons must be recorded and retained in writing.
6. The Managing Director of the Corporation is required to keep records of all personal data breaches, including those that were not notified to the Supervisory Authority or communicated to data subjects.
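The deadlines and decisions in this Article lend themselves to a breach register that does the bookkeeping. The following is an added example, not part of the Directive or of the Corporation's processes: it derives the 72-hour deadline from the moment of awareness, maps the assessed risk to the obligations of paragraphs 1, 2, 4 and 6, rejects a late notification to the Supervisory Authority that does not state the reason for the delay, and lists what is still outstanding for a breach. The risk levels, the field names and the sample breach are assumptions.

```python
"""Personal data breach register with notification deadlines (Article XXIX).

Added example, not part of the Directive. Risk levels, field names and the
sample breach are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

SA_DEADLINE = timedelta(hours=72)          # paragraph 1
RISK_LEVELS = ("none", "risk", "high")     # assessed likelihood of harm to data subjects


@dataclass
class Breach:
    breach_id: str
    aware_at: datetime                   # when the Corporation became aware
    nature: str
    risk: str                            # one of RISK_LEVELS
    non_notification_reason: str = ""    # paragraph 2: required when risk == "none"
    sa_notified_at: Optional[datetime] = None
    sa_delay_reason: str = ""
    subjects_notified_at: Optional[datetime] = None
    subjects_exception_reason: str = ""  # paragraph 5: follow-up measures / disproportionate effort
    log: list = field(default_factory=list)

    @property
    def sa_deadline(self) -> datetime:
        return self.aware_at + SA_DEADLINE


def required_actions(b: Breach) -> dict:
    """Map the assessed risk to the obligations of paragraphs 1, 2, 4 and 6."""
    if b.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk!r}")
    return {
        "record_in_register": True,                                  # paragraph 6: always
        "notify_supervisory_authority": b.risk in ("risk", "high"),  # paragraph 1
        "document_non_notification": b.risk == "none",               # paragraph 2
        "communicate_to_data_subjects": b.risk == "high",            # paragraph 4
    }


def notify_supervisory_authority(b: Breach, at: datetime, delay_reason: str = "") -> bool:
    """Paragraph 1: within 72 h of awareness; a late notification must carry the reason."""
    late = at > b.sa_deadline
    if late and not delay_reason.strip():
        b.log.append(("sa_notification_rejected", "late without reason"))
        return False
    b.sa_notified_at = at
    b.sa_delay_reason = delay_reason if late else ""
    b.log.append(("sa_notified", "late" if late else "on time"))
    return True


def open_issues(b: Breach, now: datetime) -> list:
    """What is still outstanding for this breach at time `now`."""
    acts = required_actions(b)
    issues = []
    if acts["notify_supervisory_authority"] and b.sa_notified_at is None:
        issues.append("SA notification overdue" if now > b.sa_deadline
                      else "SA notification pending")
    if acts["document_non_notification"] and not b.non_notification_reason.strip():
        issues.append("reason for non-notification not documented")
    if (acts["communicate_to_data_subjects"] and b.subjects_notified_at is None
            and not b.subjects_exception_reason.strip()):
        issues.append("data subjects not yet informed")
    return issues


def demo() -> dict:
    """Constructed scenario: a high-risk breach notified after the deadline."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    b = Breach("BR-2024-001", aware,
               "laptop with unencrypted customer list stolen", risk="high")
    first_try = notify_supervisory_authority(b, aware + timedelta(hours=80))
    second_try = notify_supervisory_authority(
        b, aware + timedelta(hours=80),
        delay_reason="forensic confirmation of affected records took until day 4")
    return {
        "deadline": b.sa_deadline.isoformat(),
        "first_try_accepted": first_try,
        "second_try_accepted": second_try,
        "open": open_issues(b, aware + timedelta(hours=81)),
        "actions": required_actions(b),
    }
```

A scheduled run of open_issues over the whole register gives the Managing Director the list of breaches whose Supervisory Authority deadline is approaching or has passed, and of non-notified breaches that still lack a documented reason.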
XXX. Archiving and destruction of personal data
1. This Directive also applies to the processing of personal data consisting in their archiving.
2. Personal data are retained only for the time necessary to achieve the purpose of their processing and for the duration of the relevant legal title.
3. The person responsible for the destruction of personal data is the person referred to in Article IX paragraph 1 of the Directive.
XXXI. Involvement of external entities in the processing of personal data
1. The Managing Director is responsible for ensuring that external entities are involved in the processing of personal data in compliance with this Directive.
2. Before any external entity, other than the administrator's own staff, is involved in the processing of personal data, it is necessary to assess whether:
a. the external entity determines its own purposes and means of processing and is therefore a separate administrator in relation to the processing concerned; or
b. the administrator and the external entity jointly determine the purposes and means of processing and are therefore joint administrators in relation to the processing concerned; or
c. the external entity processes the personal data for the administrator on the basis of the administrator's instructions and is therefore a processor in relation to the processing concerned.
3. Joint administrators shall conclude a written agreement between themselves in which they proportionally divide responsibility for fulfilling the obligations arising from this Directive and the GDPR (in particular information obligations and obligations relating to the rights of data subjects). When allocating the responsibilities of joint administrators, account must be taken of the role of each administrator in the processing, and in particular of their relationship to the data subjects. The data subjects must be informed of the essential elements of the joint administrators' arrangement. A data subject may exercise his or her rights with each of the joint administrators and in relation to each of them.
4. The administrator must conclude a written processing contract with the processor. In particular, the processing contract shall set out:
a. The subject of the processing. The subject of the processing defines the range of personal data to be processed on the basis of the processing contract and must be defined concretely enough to make at least the following clear:
i. Specific types of personal data (e.g. name, surname, e-mail, contact address),
ii. Categories of personal data and
iii. Categories of data subjects (e.g. customers/clients/guests, employees, suppliers).
b. Processing period. The processing period must be determined either as an exact time period or by criteria on the basis of which the exact time period can be determined (e.g. the duration and validity of the contract, etc.).
c. Nature and purpose of the processing. The nature of the processing set out in the processing contract must be appropriate to the purpose for which the personal data are processed by the administrator and must not contradict that purpose. The purpose of processing specified in the processing contract must not conflict with the purpose of the processing on the part of the administrator and may not exceed that purpose in scope. The contract should also include a warning that if the processor itself determines the means or purpose of the processing, it ceases to be a processor and becomes an administrator.
d. Manner of control of the processor by the administrator. Personal data may only be processed by the processor on the basis of the administrator's documented instructions. The processor shall inform the administrator of any processing that goes beyond the administrator's instructions where the legal order so requires.
e. Duty of confidentiality. The processor must ensure that persons processing the entrusted personal data are bound by confidentiality or are subject to a statutory duty of confidentiality.
f. Security measures. The processor must be obliged to take sufficient organizational and technical measures to ensure that personal data are processed in accordance with this Directive and the GDPR. The processor must be committed to periodic internal audits of the organizational and technical measures adopted on the basis of a risk analysis. The course of the internal audits and the justification of the measures taken must be properly documented so that compliance can be evidenced.
g. Terms of involvement of a further processor. The processor must be obliged not to involve any further processor in the processing without the prior written consent of the administrator. Any further processor must be bound in writing to process personal data in a manner consistent with the processing contract and to protect personal data at least at the level specified in the processing contract.
h. Provision of cooperation. The processor must be obliged to provide cooperation to the extent necessary for the controller to:
i. handle requests for the exercise of data subjects' rights in the manner and within the time limits laid down by this Directive and the GDPR;
ii. ensure a sufficient level of security of processing and report security incidents in accordance with this Directive and Articles 32 to 36 of the GDPR;
iii. demonstrate compliance with the obligations under this Directive and the GDPR; and
iv. carry out audits of the processor, either itself or through an authorized auditor.
i. Measures at the end of processing. The processor must be bound, according to the controller's decision, in respect of all personal data to either
i. erase them, including all existing copies, unless the law provides otherwise, or
ii. return them to the administrator.
5. Contracts pursuant to paragraphs 2 and 3 of this Article of the Directive need not expressly regulate the above requirements to the extent that they are already sufficiently regulated by the legal order for the processing concerned.
6. The administrator shall not involve an external entity in the processing of personal data if, as a result of such involvement, the administrator would be unable to fulfil its obligations under this Directive and the GDPR.
7. The Managing Director of the Corporation is responsible for overseeing the cooperation with external entities and the processing of personal data by external entities. In particular, this oversight consists of regularly reviewing whether the processing of data by external entities takes place in accordance with the concluded contracts, this Directive and the legal order.
1. The Managing Director of the Corporation reviews the effectiveness and practical operation of the data protection and data security system, as well as the Corporation's fulfilment of its obligations under the GDPR and this Directive, at least four times a year at regular intervals. The Managing Director shall draw up a written report on the results of the review without undue delay after its completion, evaluating in particular the state of preventive measures, vulnerabilities and threats, the conclusions drawn from measuring the effectiveness of the measures taken, and recommendations for improving the system.
XXXIII. Transitional and final provisions
1. Legal relations concerning the subject matter of this Directive that arose before its effective date shall be governed by this Directive from the date of its entry into force. All employees are obliged, within the scope of their competence, to bring the processing of personal data into compliance with this Directive and the generally binding legal regulations.
2. This Directive shall enter into force on 18.05.2018 and shall be binding on all employees of the Corporation.
XXXIV. List of attachments
1. The annexes to this Directive are the following sample documents:
Appendix No. 3 - Model agreement on the amendment of the employment contract