Personal data protection

Basic data protection principles and information on the processing of personal data

This privacy policy and information on the processing of personal data (hereinafter referred to as “Policy“) of the company Spolek pro chemickou a hutní výrobu, akciová společnost, ID No.: 000 11 789, with registered office at Revoluční 1930/86, registered in the Commercial Register kept by the Regional Court in Ústí nad Labem, Section B, Insert 47 (hereinafter referred to as “Administrator“) are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27. April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC(GDPR). The purpose of this Policy is to provide data subjects with basic information regarding the processing of personal data.

We always provide specific information and details on the individual processing of your personal data when we collect your personal data, if required by law. In the event that such specific information and/or details differ from the information in this document, such specific information and/or details shall take precedence over this Privacy Policy.

PERSONAL DATA

Personal data is any information relating to a natural person that the Controller is able to identify. In particular, the following categories of personal data may be processed by the Controller in connection with the operation of the Controller’s plant:

Basic personal identification and address data:

1. academic degree
2. name and surname
3. name of the business company
4. birth number or date of birth
5. ID NUMBER, VAT NUMBER
6. address of permanent residence
7. address of the registered office or place of business
8. billing address
9. employer’s address
10. identification details of the contractual partner’s representative or contact person designated by the contractual partner
11. working positions
12. identification data of the proxy
13. bank connection
14. Signature
15. name and surname, date of birth, permanent address, delivery address, telephone, email, employer’s address, ID number

Contact details

1. contact telephone number
2. contact email
3. delivery address

Data on services received/provided, use of services, goods purchased/delivered, and data on accounts payable and receivable

1. the type and specification of the service or goods provided
2. the volume of services/goods provided and their price
3. information on the status of servants, receivables, payment morale

Data from communication between the Controller and the subject

These data arise in the course of communication related to the provision of services and goods by the Controller and the customer, supplier, other contractual partner or their contact person. This includes records of personal communications, as well as written and electronic communications, including any records of telephone calls.

CCTV footage from the Administrator’s premises

The Administrator places CCTV systems in the premises of the Administrator’s plant in order to protect legitimate interests in the protection of property. Areas where cameras are placed are always marked with a notice. Information on the processing of personal data in the context of camera recordings is available at the location where the cameras are placed.

Data processed on the basis of consent

The processing of this data is not strictly necessary for the performance of the contract, for the fulfilment of legal obligations or for the protection of the legitimate interests of the Controller, but the processing of this data will enable the Controller to improve services and products, to focus on what the contractual partners are really interested in and, where appropriate, to inform them about offers that are suitable for them. These data are processed only if consent is given and may be processed for the period of validity specified in the consent. These include:

1. data obtained by satisfaction surveys (processed from the Controller’s customers on the basis of consent to the processing of personal data for marketing and business purposes)
2. data on the use of products, benefits and bonuses and the typical behaviour of contractual partners (processed by the Controller’s customers on the basis of consent to the processing of personal data for marketing and business purposes)
3. contact data in case it is not a customer of the Controller (processed on the basis of consent to marketing outreach)

THE PURPOSES, LEGAL BASES FOR PROCESSING AND PERIODS OF PROCESSING OF PERSONAL DATA

All personal data is always processed on the basis of the relevant legal basis under the GDPR and to the extent necessary for the purpose of processing. Below we list which of your personal data we process on which legal basis, for which purpose and for how long.

1. The Controller processes Personal Data mainly for the following purposes:

1. For the purpose of fulfilling legal obligations – e.g. safety regulations, labour law regulations, maintenance of the shareholders list
2. ensuring the conclusion and subsequent performance of a contractual obligation between the Controller and the Subject or their employer
3. to protect its legitimate interests, which are the proper and timely performance of the agreed contractual obligation between the Controller and the Entity or its employer, the performance of the legal obligations arising from the contractual relationship between the Controller and the Entity or its employer, the protection of the Controller’s reputation and the protection of the Controller’s proprietary interests in any legal or other disputes
4. ensuring the safety of the company’s operation Administrator
5. for analysing and evaluating potential risks and for direct marketing of own products
6. for marketing purposes, including PR activities, in order for the Administrator to best tailor its product and service offerings and commercial communications regarding them to the needs of Subjects or their employer

2. With the Subject’s consent, the Controller further processes personal data in particular for:

1. marketing purposes, including PR activities, beyond legitimate interest, i.e. including profiling and offering products and services of our partners and other members of the SPOLCHEMIE Group

Providing personal data to the Controller is generally a legal and contractual requirement. With regard to the provision of personal data for indirect marketing purposes, which does not constitute the fulfilment of a contractual and legal obligation of the Controller, your consent is required. If you do not give the Controller consent to the processing of your personal data for marketing purposes, this does not mean that the Controller will refuse to provide you with its product or service under the Contract as a result.

For other purposes, the Controller processes personal data only if the Subject has been adequately informed of this.

Personal data for these activities are processed to the extent necessary for the implementation of these activities and for the time necessary to achieve them or for the period directly provided for by law. In the case of a contractual basis, the Controller processes personal data depending on the purpose for the duration of such contractual relationship with the Controller and for a further 10 years after the termination of the last contractual relationship with the Controller, respectively. until the conclusion of any disputes arising in connection with the contract. Data processed on the basis of consent is processed for the duration of the purpose and duration of the consent or until the consent is withdrawn. The personal data is then deleted or anonymised.

SHARING AND TRANSFER OF PERSONAL DATA (RECIPIENTS OF PERSONAL DATA)

The Controller shall transmit personal data to supervisory authorities and other state authorities if this obligation is provided for by law and if it is necessary to protect the Controller’s rights.

The controller may delegate the processing of data to a third party, called. Processor. The processing is only possible on the basis of a contract that obliges the processor to the same level of data protection as provided by the Controller itself.

With the consent of the data subject or on his/her instructions, personal data may also be disclosed to other entities. The Administrator uses the professional and specialized services of other entities in fulfilling its obligations and duties under the contracts. If these suppliers process personal data transmitted from the Controller, they have the status of processors or other processors of personal data and process personal data only within the framework of instructions from the Controller and may not use it otherwise. These include debt collection, expert witnesses, attorneys, auditors, IT systems management, internet advertising and business representation.

We carefully select each such entity and enter into a contract with each of them for the processing of personal data in accordance with Art. 28 of the GDPR, which imposes strict obligations on the processor to protect and secure personal data.

The transfer and processing of personal data in countries outside the European Union always takes place in accordance with the applicable legislation, in particular Art. 45 to 49 GDPR.

HOW PERSONAL DATA IS PROCESSED AND DATA SECURITY

The controller processes personal data manually and automatically. The controller shall keep records of all activities, both manual and automated, in which personal data are processed.

We take appropriate security measures (in particular technical and organisational measures) to protect your personal data from any accidental loss, destruction, misuse, damage and unauthorised or unlawful access. The technical and organizational measures adopted for the security of personal data are described in the internal legislation of the Controller.

However, please note that no data transmission over the internet or data storage technologies can be guaranteed to be 100% secure.

INFORMATION ON THE RIGHTS OF DATA SUBJECTS

Under the Regulation, each data subject, i.e. to each natural person, the rights described below. The data subject is entitled to exercise these rights with the Controller provided that he or she proves his or her identity to the Controller.

You can exercise individual rights by sending your request electronically or in paper form.

The Administrator provides all communications and statements regarding the rights exercised by you free of charge. However, if the request would be manifestly unfounded or unreasonable, in particular because it would be repetitive, the Controller is entitled to charge a reasonable fee taking into account the administrative costs associated with providing the requested information. In the event of repeated requests for copies of the personal data processed, the Controller reserves the right to charge a reasonable fee for administrative costs for this reason.

The Controller will provide you with a statement and, where appropriate, information on the measures taken as soon as possible, but no later than within one month. The Administrator is entitled to extend the deadline by two months if necessary and in view of the complexity and number of applications. The Administrator will inform you of the extension, including the reasons for it.

When you make your request, you will be asked to provide certain identifying information on the basis of which we are able to identify you. The provision of such data is necessary to verify whether the relevant request was sent by you and whether we can identify you on the basis of the information you have provided.

Right to information about the processing of your personal data

You are entitled to request information from the Controller as to whether or not personal data is processed. If personal data are processed, you have the right to request information from the Controller, in particular, about the identity and contact details of the Controller, its representative and, where applicable, the Data Protection Officer, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, the authorised Controllers, a list of your rights, the possibility of contacting the Data Protection Authority, the source of the personal data processed and automated decision-making and profiling.

If the Data Controller intends to further process your personal data for a purpose other than that for which it was collected, it will provide you with information about this other purpose and other relevant information prior to such further processing.

The information provided to you in exercising this right is already contained in this Policy, but this does not prevent you from requesting it again.

Right of access to personal data

You are entitled to request information from the Controller as to whether or not your personal data are processed and, if so, you have access to information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the period of storage of personal data, information about your rights (rights to request from the Controller rectification or erasure, restriction of processing, to object to such processing), the right to lodge a complaint with the Data Protection Authority, information on the source of the personal data, information on whether automated decision-making and profiling is taking place and information regarding the procedure used as well as the significance and expected consequences of such processing for you, information and safeguards in the event of transfer of personal data to a third country or an international organisation.

You have the right to be provided with copies of the personal data processed. However, the right to obtain such a copy shall not adversely affect the rights and freedoms of other persons.

Right to repair

If there has been a change on your part, for example, of your residence, telephone number or other fact that can be considered personal data, you have the right to request the Administrator to correct the personal data processed.

In addition, you have the right to have incomplete personal data completed, including by providing an additional declaration.

Right to erasure (right to be forgotten)

In certain specified cases, you have the right to request that the Controller erase your personal data.

These cases include, for example, that the processed data is no longer necessary for the purposes mentioned above. The controller deletes personal data automatically after the expiry of the period of necessity, but you can contact the controller at any time with your request.

Your request will then be subject to an individual assessment (despite your right to erasure, the Controller may have an obligation or legitimate interest to retain your personal data) and you will be informed in detail about the processing of your request.

Right to restriction of processing

The controller processes your personal data only to the extent necessary. However, if you feel that the Administrator, e.g. exceeds the purposes for which the personal data is processed as set out above, you may request that your personal data be processed solely for the strictly necessary lawful purposes or that the personal data be blocked.

Your application is then subject to an individual assessment and you will be informed in detail about its processing.

Right to data portability

If you wish the Controller to provide your personal data to another Controller, resp. to another company, the Controller will transfer your personal data in the appropriate format to the entity designated by you, provided that no legal or other significant obstacles prevent it from doing so.

Right to object and automated individual decision-making

If you become aware or believe that the Controller is processing personal data in violation of the protection of your private and personal life or in violation of the law (provided that the personal data is processed by the Controller on the basis of public or legitimate interest, or is processed for direct marketing purposes, including profiling, or for statistical purposes or for purposes of scientific or historical interest), you may contact the Controller and ask it to explain or remedy the defect.

You can also object directly to automated decision-making and profiling.

Right to lodge a complaint with the Office for Personal Data Protection

You may at any time contact the supervisory authority, the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, website https:/ /www.uoou.cz/ .

Right to withdraw consent

You have the right to revoke your consent to the processing of personal data at any time by filling in the form, by sending the revocation to the address of the Administrator’s registered office or by using the link in the e-mail communication.

AUTOMATIC EVALUATION AND PROFILING

Personal data may be automatically evaluated and, where appropriate, used for profiling or automatic decision-making by the Controller.

UPDATING THE PRIVACY POLICY

This Policy may be modified or updated from time to time. Any changes to this Privacy Policy will become effective upon the posting of the updated Privacy Policy on the Controller’s website.