Privacy policy principles


Privacy policy principles

These principles of personal data protection and information on personal data processing (hereinafter referred to as the “Principles”) at the company Spolek pro chemickou a hutní výrobu, akciová společnost, Company Number: 000 11 789, having its registered office at Revoluční 1930/86, entered in the Commercial Register maintained at the Regional Court in Ústí nad Labem, Section B, File 47, (hereinafter referred to as the “Controller”), have been compiled in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”). The aim of these Principles is to provide personal data subjects with basic information regarding personal data processing.

We will invariably provide specific information and details regarding individual cases of processing your personal data when actually collecting your personal data, if the law requires as such. If such specific information or details differ(s) from the information provided in this document, such specific information or details prevail(s) over these Principles of personal data protection.


Personal data is any information which relates to a natural person (individual) that the Controller is capable of identifying. The Controller may primarily process the following categories of personal data in connection with the running of the Controller’s plant:

Basic personal identification data and address data

  1. academic title
  2. first name and surname
  3. trade name of company
  4. Personal Number or date of birth
  5. Company Number/Taxpayer Identification Number
  6. address of place of permanent residence
  7. address of registered office or place of business
  8. invoicing address
  9. address of employer
  10. identification data of the representative of a contractual partner or contact person which it appoints
  11. employment position
  12. identification data of an authorised party
  13. bank details
  14. signature
  15. first name and surname, date of birth, address of place of permanent residence, delivery address, telephone number, e-mail, address of the employer, number of personal ID documents

Contact data

  1. contact telephone number
  2. contact e-mail address
  3. delivery address

Data regarding services received/provided, the use of services, goods purchased/supplied and data on the level of monies owed and monies due

  1. the type and specification of the service or goods provided
  2. the volume of services/goods provided and their price
  3. information on the level of debts, monies due, payment ethics

Data from communication between the Controller and the data subject

Such data ensues from communication relating to the provision of services and goods between the Controller and the customer, a supplier, another contractual partner or their contact person. It involves records of personal communication and written and electronic communication, including possible recordings of telephone calls.

Camera footage from the premises of the Controller

The Controller places camera systems on the plant premises in order to protect its legitimate interest in protecting its property. The areas in which cameras are located are always marked as such. Information on personal data processing as part of camera footage is available at the place where the cameras are positioned.

Data processed with consent

The processing of such data is not absolutely required to be able to fulfil a contract, discharge mandatory obligations or protect the legitimate interest of the Controller, but processing such data enables the Controller to improve services and products, concentrate on what contractual partners are actually interested in and allows it to inform them of offers that are right for them. Such data is only processed if consent has been provided and may only be processed for the period of time stated in such consent. This primarily concerns:

  1. data obtained from surveys of satisfaction (which are processed at customers of the Controller subject to consent to personal data processing for marketing and commercial purposes)
  2. data on the use of products, benefits and bonuses and the typical behaviour of contractual partners (processed at the customers of the Controller subject to consent to personal data processing for marketing and commercial purposes)
  3. contact data in the case that the data subject is not a customer of the Controller (processed subject to consent to contact for marketing purposes)


All personal data is always processed based on the relevant legal basis according to GDPR and to the extent required for the purpose of its processing. Below is a list of the personal data which we process about you according to a particular legal basis, to which end and for how long.

1. The Controller processes personal data primarily for the following purposes:

  1. For the purposes of fulfilling mandatory obligations – for example, safety regulations, labour regulations, maintaining a list of shareholders
  2. ensuring that a contractual obligation between the Controller and the data subject, or its employer, is entered into and subsequently fulfilled
  3. so that the Controller can protect its legitimate interests, meaning the fulfilment of the agreed contractual obligations between the Controller and the data subject, or its employer, in a due and timely manner, the fulfilment of mandatory obligations arising for the Controller from the contractual relationship between the Controller and the data subject, or its employer, protecting the repute of the Controller and protecting the property interests of the Controller for possible judicial or other disputes
  4. ensuring the safety of operation of business of the Controller
  5. for the analysis and evaluation of possible risks and for directing marketing of own products
  6. for marketing purposes, including PR activities, so that the Controller is best able to adjust the offer of its products and services and commercial communications regarding them to the needs of data subjects, or their employers

2. The Controller also processes personal data with the consent of the data subject primarily for:

  1. a. marketing purposes, including PR activities, beyond the scope of its legitimate interest, including profiling and offering the products and services of our partners and other members of the SPOLCHEMIE Group

The provision of personal data to the Controller is generally a mandatory and contractual requirement. As far as the provision of personal data for indirect marketing is concerned, i.e. not entailing the performance of contractual and mandatory obligations of the Controller, your consent is required. If you do not provide the Controller with consent to personal data processing for marketing purposes, this does not mean that the Controller will refuse, as a result of this, to provide you with its products or services based on a contract.

The Controller processes personal data for a different purpose only if the data subject has been informed of this in the corresponding way.

Personal data is processed for such purposes to the extent required for the execution of such activities and for the period of time required to accomplish them or for the period of time directly set out by legal regulations. If a contract has been signed, the Controller processes personal data depending on the purpose and for the period of duration of such contractual relationship with the Controller and for a period of 10 years following the expiration of the final contractual relationship with the Controller, or to the conclusion of all disputes having arisen in connection with the contract. Data processed subject to consent is processed for the duration of the purpose and the duration of consent or until consent is withdrawn. Personal data is then erased or made anonymous.


The Controller transfers personal data to supervisory bodies and to other state bodies if such obligation is set out by law and if it required to protect the rights of the Controller.

The Controller may entrust a third party – a processor – with data processing. Processing is only permitted if there is a contract in place to bind the processor to the same level of data protection as that provided by the Controller itself.

Personal data may also be provided to other persons/organisations with the consent of or at the instruction of the data subject. The Controller uses the professional and specialised services of other persons or organisations when complying with its duties and obligations from contracts. If such suppliers process personal data which has been transferred by the Controller, they take on the role of processors, or other processors, of personal data and only process personal data within the bounds of the instructions provided by the Controller; they may not use such data in any other way. This primarily involves the recovery of outstanding debts, the activity of experts, lawyers, auditors, the management of IT systems, Internet advertising or sales representation.

We carefully select each such person or organisation and enter into a contract on personal data processing with it according to Article 28 GDPR; this contract sets out the strict obligations of the processor in relation to the protection and security of personal data.

Personal data is always transferred to and processed in countries outside the territory of the European Union in accordance with the valid legislation, in particular Article 45 through 49 GDPR.


The Controller processes personal data manually and automatically. The Controller keeps records of all manual and automated activities during which personal data is processed.

We take appropriate security measures (in particular technical and organisational measures) to protect your personal data from any accidental loss, destruction, misuse, damage and unauthorised or illegal access. The technical and organisational measures which we take to secure personal data are described in the Controller’s in-house legislation.

However, we should remind you that 100 % security cannot be guaranteed for any transmission of data over the Internet or using other data storage technology.


Under the Regulation, each data subject, i.e. each natural person (individual), has the rights described below. The data subject is authorised to exercise his/her rights with the Controller on the conditions that he/she proves his/her identity to the Controller.

You are able to exercise individual rights by sending a request by electronic means or on paper.

 The Controller will provide you with all communication and statements on the rights which you are exercising without charge. If, however, the request is manifestly unjustified or unreasonable, primarily because it is repetitive, the Controller is authorised to charge a reasonable fee which takes into account the administration costs associated with providing the requested information. If a repeat request is made for the provision of copies of processed personal data, the Controller reserves the right to charge a reasonable fee for administration costs for this.

 The Controller will provide you with a statement and information on measures taken as soon as possible, and within a maximum of one month. The Controller is, however, authorised to extend this time limit by two months if required and with respect to the complexity and number of requests. The Controller will inform you of any such extension and of the reasons for it.

When you make a request, you will be asked to provide certain identification information that makes it possible for us to identify you. We require the provision of such data to enable us to make sure that the request at issue was actually sent by you and whether we are able to identify you based on the information you provide.

The right to information on the processing of your personal data

You are authorised to request information from the Controller as to whether personal data has been processed or not. If personal data has been processed, you have the right to request information from the Controller, in particular about the identity and contact data of the Controller, its representatives and, where appropriate, data protection officers, the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, the authorised Controllers, a list of your rights, the possibility of contacting Úřad pro ochranu osobních údajů (Office for Data Protection), the sources of the personal data processed and automated decision-making and profiling.

 If the Controller intends to process your personal data for a purpose other than that for which it was obtained, it will provide you with information about this other purpose and any other relevant information before such other processing.

 Although the information provided to you when you exercise this right is found in these Principles, there is nothing to stop you requesting it again.

 The right of access to personal data

You are authorised to request information from the Controller regarding whether your personal data has been processed or not, and if so, you have access to information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the time for which personal data is stored, information about your rights (the right to demand rectification or erasure, restriction of processing, to lodge a complaint against such processing with the Controller), about the right to lodge a complaint with Úřad pro ochranu osobních údajů, information about the sources of personal data, information about whether automated decision-making and profiling is undertaken and information to concern the procedure used and the significance and expected consequences of such processing for you, information and guarantees if personal data is transferred to a third country or to an international organisation.

You have the right to provision of copies of processed personal data. However, the rights and freedoms of other persons may not be negatively affected by the right to obtain such copies.

 Right to rectification

If you change your place of residence, telephone number or some other fact which can be considered personal data, you have the right to request that the Controller rectify the personal data processed.

You also have the right to supplement incomplete personal data by providing a supplementary statement.

Right to "erase" right to be "forgotten")

In certain cases you have the right to request that the Controller erase your personal data.

Such cases include, for example, cases in which the processed data is no longer required for the stated purposes. The Controller automatically erases personal data after the period of necessity, but you can contact it with a request to do so at any time.

However, your request is subject to individual assessment (in spite of your right to erasure, the Controller might have an obligation or legitimate interest to retain your personal data) and you will be informed in detail of the outcome.

The right to restriction of processing

The Controller only processes your personal data to the extent which is absolutely required. If, however, you feel that the Controller is, for example, exceeding the purposes for which it processes personal data specified above, you can request that your personal data be processed only for the absolutely required statutory reasons or that personal data be blocked.

Your request will be subject to individual assessment and you will be informed of the outcome.

Right to data portability

If you want the Controller to provide your personal data to another controller, or another company, the Controller will transfer your personal data to the designated person or organisation in the corresponding format, if there are not legal or other significant obstacles to the Controller doing so.

Right to object and automated individual decision-making

If you discover, or simply suspect, that the Controller is processing personal data in breach of the protection of your private and personal life or in breach of legal regulations (assuming that personal data is processed by the Controller in the public interest or in a legitimate interest or is processed for the purposes of direct marketing, including profiling, or for statistical purposes or for purposes of scientific or historical significance), you may contact the Controller and ask it for an explanation  or for the rectification of the wrongful situation having occurred.

You can also object directly to automated decision-making and profiling.

Right to lodge a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů)

You can contact the supervisory body, i.e. Úřad na ochranu osobních údajů, having its registered office at Pplk. Sochora 27, 170 00 Praha 7, website https:/, at any time with a suggestion or complaint in relation to personal data processing.

Right to withdraw consent

You have the right to withdraw the consent you have given to personal data processing at any time by completing a form, sending withdrawal to the address of the registered office of the Controller or using the link in e-mail communication.


Personal data may be automatically assessed and, where appropriate, used for profiling or for the automated decision-making of the Controller.


These Principles may be amended or updated on an ongoing basis. Any changes to these Principles of Personal Data Protection become effective after the updated Principles of Personal Data Protection have been published at the Controller’s website.