The principles of personal data protection and information on personal data processing have been compiled in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”). Whole dokument of these Principles which provide personal data subjects with basic information regarding personal data processing is aviable below.
These principles of personal data protection and information on personal data processing (hereinafter referred to as the “Principles”) at the company Spolek pro chemickou a hutní výrobu, akciová společnost, Company Number: 000 11 789, having its registered office at Revoluční 1930/86, entered in the Commercial Register maintained at the Regional Court in Ústí nad Labem, Section B, File 47, (hereinafter referred to as the “Controller”), have been compiled in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”). The aim of these Principles is to provide personal data subjects with basic information regarding personal data processing.
We will invariably provide specific information and details regarding individual cases of processing your personal data when actually collecting your personal data, if the law requires as such. If such specific information or details differ(s) from the information provided in this document, such specific information or details prevail(s) over these Principles of personal data protection.
Personal data is any information which relates to a natural person (individual) that the Controller is capable of identifying. The Controller may primarily process the following categories of personal data in connection with the running of the Controller’s plant:
Basic personal identification data and address data
Data regarding services received/provided, the use of services, goods purchased/supplied and data on the level of monies owed and monies due
Data from communication between the Controller and the data subject
Such data ensues from communication relating to the provision of services and goods between the Controller and the customer, a supplier, another contractual partner or their contact person. It involves records of personal communication and written and electronic communication, including possible recordings of telephone calls.
Camera footage from the premises of the Controller
The Controller places camera systems on the plant premises in order to protect its legitimate interest in protecting its property. The areas in which cameras are located are always marked as such. Information on personal data processing as part of camera footage is available at the place where the cameras are positioned.
Data processed with consent
The processing of such data is not absolutely required to be able to fulfil a contract, discharge mandatory obligations or protect the legitimate interest of the Controller, but processing such data enables the Controller to improve services and products, concentrate on what contractual partners are actually interested in and allows it to inform them of offers that are right for them. Such data is only processed if consent has been provided and may only be processed for the period of time stated in such consent. This primarily concerns:
THE PURPOSES AND LEGAL BASIS OF PROCESSING AND THE PERIOD OF PROCESSING PERSONAL DATA
All personal data is always processed based on the relevant legal basis according to GDPR and to the extent required for the purpose of its processing. Below is a list of the personal data which we process about you according to a particular legal basis, to which end and for how long.
1. The Controller processes personal data primarily for the following purposes:
2. The Controller also processes personal data with the consent of the data subject primarily for:
a. marketing purposes, including PR activities, beyond the scope of its legitimate interest, including profiling and offering the products and services of our partners and other members of the SPOLCHEMIE Group
The provision of personal data to the Controller is generally a mandatory and contractual requirement. As far as the provision of personal data for indirect marketing is concerned, i.e. not entailing the performance of contractual and mandatory obligations of the Controller, your consent is required. If you do not provide the Controller with consent to personal data processing for marketing purposes, this does not mean that the Controller will refuse, as a result of this, to provide you with its products or services based on a contract.
The Controller processes personal data for a different purpose only if the data subject has been informed of this in the corresponding way.
Personal data is processed for such purposes to the extent required for the execution of such activities and for the period of time required to accomplish them or for the period of time directly set out by legal regulations. If a contract has been signed, the Controller processes personal data depending on the purpose and for the period of duration of such contractual relationship with the Controller and for a period of 10 years following the expiration of the final contractual relationship with the Controller, or to the conclusion of all disputes having arisen in connection with the contract. Data processed subject to consent is processed for the duration of the purpose and the duration of consent or until consent is withdrawn. Personal data is then erased or made anonymous.
SHARING AND TRANSFERRING PERSONAL DATA (PERSONAL DATA RECIPIENTS)
The Controller transfers personal data to supervisory bodies and to other state bodies if such obligation is set out by law and if it required to protect the rights of the Controller.
The Controller may entrust a third party – a processor – with data processing. Processing is only permitted if there is a contract in place to bind the processor to the same level of data protection as that provided by the Controller itself.
Personal data may also be provided to other persons/organisations with the consent of or at the instruction of the data subject. The Controller uses the professional and specialised services of other persons or organisations when complying with its duties and obligations from contracts. If such suppliers process personal data which has been transferred by the Controller, they take on the role of processors, or other processors, of personal data and only process personal data within the bounds of the instructions provided by the Controller; they may not use such data in any other way. This primarily involves the recovery of outstanding debts, the activity of experts, lawyers, auditors, the management of IT systems, Internet advertising or sales representation.
We carefully select each such person or organisation and enter into a contract on personal data processing with it according to Article 28 GDPR; this contract sets out the strict obligations of the processor in relation to the protection and security of personal data.
Personal data is always transferred to and processed in countries outside the territory of the European Union in accordance with the valid legislation, in particular Article 45 through 49 GDPR.
THE METHOD OF PROCESSING PERSONAL DATA AND SECURING DATA
The Controller processes personal data manually and automatically. The Controller keeps records of all manual and automated activities during which personal data is processed.
We take appropriate security measures (in particular technical and organisational measures) to protect your personal data from any accidental loss, destruction, misuse, damage and unauthorised or illegal access. The technical and organisational measures which we take to secure personal data are described in the Controller’s in-house legislation.
However, we should remind you that 100 % security cannot be guaranteed for any transmission of data over the Internet or using other data storage technology.
INFORMATION ABOUT THE RIGHTS OF DATA SUBJECTS
Under the Regulation, each data subject, i.e. each natural person (individual), has the rights described below. The data subject is authorised to exercise his/her rights with the Controller on the conditions that he/she proves his/her identity to the Controller.
You are able to exercise individual rights by sending a request by electronic means or on paper.
The Controller will provide you with all communication and statements on the rights which you are exercising without charge. If, however, the request is manifestly unjustified or unreasonable, primarily because it is repetitive, the Controller is authorised to charge a reasonable fee which takes into account the administration costs associated with providing the requested information. If a repeat request is made for the provision of copies of processed personal data, the Controller reserves the right to charge a reasonable fee for administration costs for this.
The Controller will provide you with a statement and information on measures taken as soon as possible, and within a maximum of one month. The Controller is, however, authorised to extend this time limit by two months if required and with respect to the complexity and number of requests. The Controller will inform you of any such extension and of the reasons for it.
When you make a request, you will be asked to provide certain identification information that makes it possible for us to identify you. We require the provision of such data to enable us to make sure that the request at issue was actually sent by you and whether we are able to identify you based on the information you provide.
The right to information on the processing of your personal data
You are authorised to request information from the Controller as to whether personal data has been processed or not. If personal data has been processed, you have the right to request information from the Controller, in particular about the identity and contact data of the Controller, its representatives and, where appropriate, data protection officers, the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, the authorised Controllers, a list of your rights, the possibility of contacting Úřad pro ochranu osobních údajů (Office for Data Protection), the sources of the personal data processed and automated decision-making and profiling.
If the Controller intends to process your personal data for a purpose other than that for which it was obtained, it will provide you with information about this other purpose and any other relevant information before such other processing.
Although the information provided to you when you exercise this right is found in these Principles, there is nothing to stop you requesting it again.
The right of access to personal data
You are authorised to request information from the Controller regarding whether your personal data has been processed or not, and if so, you have access to information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the time for which personal data is stored, information about your rights (the right to demand rectification or erasure, restriction of processing, to lodge a complaint against such processing with the Controller), about the right to lodge a complaint with Úřad pro ochranu osobních údajů, information about the sources of personal data, information about whether automated decision-making and profiling is undertaken and information to concern the procedure used and the significance and expected consequences of such processing for you, information and guarantees if personal data is transferred to a third country or to an international organisation.
You have the right to provision of copies of processed personal data. However, the rights and freedoms of other persons may not be negatively affected by the right to obtain such copies.
Right to rectification
If you change your place of residence, telephone number or some other fact which can be considered personal data, you have the right to request that the Controller rectify the personal data processed.
You also have the right to supplement incomplete personal data by providing a supplementary statement.
Right to "erase" right to be "forgotten")
In certain cases you have the right to request that the Controller erase your personal data.
Such cases include, for example, cases in which the processed data is no longer required for the stated purposes. The Controller automatically erases personal data after the period of necessity, but you can contact it with a request to do so at any time.
However, your request is subject to individual assessment (in spite of your right to erasure, the Controller might have an obligation or legitimate interest to retain your personal data) and you will be informed in detail of the outcome.
The right to restriction of processing
The Controller only processes your personal data to the extent which is absolutely required. If, however, you feel that the Controller is, for example, exceeding the purposes for which it processes personal data specified above, you can request that your personal data be processed only for the absolutely required statutory reasons or that personal data be blocked.
Your request will be subject to individual assessment and you will be informed of the outcome.
Right to data portability
If you want the Controller to provide your personal data to another controller, or another company, the Controller will transfer your personal data to the designated person or organisation in the corresponding format, if there are not legal or other significant obstacles to the Controller doing so.
Right to object and automated individual decision-making
If you discover, or simply suspect, that the Controller is processing personal data in breach of the protection of your private and personal life or in breach of legal regulations (assuming that personal data is processed by the Controller in the public interest or in a legitimate interest or is processed for the purposes of direct marketing, including profiling, or for statistical purposes or for purposes of scientific or historical significance), you may contact the Controller and ask it for an explanation or for the rectification of the wrongful situation having occurred.
You can also object directly to automated decision-making and profiling.
Right to lodge a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
You can contact the supervisory body, i.e. Úřad na ochranu osobních údajů, having its registered office at Pplk. Sochora 27, 170 00 Praha 7, website https:/www.uoou.cz/, at any time with a suggestion or complaint in relation to personal data processing.
Right to withdraw consent
You have the right to withdraw the consent you have given to personal data processing at any time by completing a form, sending withdrawal to the address of the registered office of the Controller or using the link in e-mail communication.
AUTOMATIC ASSESSMENT AND PROFILING
Personal data may be automatically assessed and, where appropriate, used for profiling or for the automated decision-making of the Controller.
UPDATING THE PRINCIPLES OF PERSONAL DATA PROTECTION
These Principles may be amended or updated on an ongoing basis. Any changes to these Principles of Personal Data Protection become effective after the updated Principles of Personal Data Protection have been published at the Controller’s website.