Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – „GDPR“) came into effect on 25 May 2018 and, in certain aspects, this GDPR regulation applies also to the Company.
The Company has always taken care to respect legal rules, including the relevant rules of the European Union. Therefore, as part of implementing GDPR, the Company has had an audit performed, and, based on the results of the audit, the Company has made the necessary adjustments in its internal structure and ensured that its employees get the training required.
To improve the transparency of personal data processing, the Company has adopted Mandatory Internal Rules for Processing of the Personal Data of the Natural Persons Concerned (the “Rules”) which will be applied consistently in the Company and which can be accessed below. The Rules include, among other things, the most important information regarding the list of the rights of the natural persons concerned.
- The Procedure for Submitting and Acting on Data Subjects’ Requests and Complaints
- The Rules of Personal Data Protection
- A Template of a Data Subject’s Request or Complaint
The Procedure for Submitting and Acting on Data Subjects’ Requests and Complaints
- Only the Executive Director of the Company is authorized to act on data subjects’ requests and complaints.
- If the personal data concerning a data subject are collected from the data subject, the Executive Director of the Company will, at the time when personal data are obtained, provide the data subject with information under Article 13 of the GDPR. If the personal data are not obtained from the data subject, the Executive Director of the Company will provide this information under Article 14 subsection 3 of the GDPR. The obligation to provide the applicable information can be fulfilled by offering the Company’s link to The Rules of Personal Data Protection which can be accessed at this address: www.ospen.cz.
- The Executive Director of the Company will act on the data subject’s request or complaint in accordance with the Company’s general guidelines, but always so that the data subject’s request or complaint be acted on without undue delay and so that the data subject be provided all the information concerning the company’s action on the request. If the request is not granted, the Executive Director of the Company will communicate the reasons for this decision to the data subject.
- The Company accepts data subjects’ requests or complaints only in written form, especially taking into account the necessity to verify the identity of the natural person submitting the request or complaint.
- The verification of the data subject’s identity will always be conducted in a reasonable manner that will ensure sufficient identification of the data subject regarding the mode of submission of the request or complaint, the communication means used, and the subject matter of the data subject’s request or complaint. The data subject’s request or complaint must be submitted in written form. A template of a data subject’s request or complaint is accessible on the Company’s website at www.ospen.cz.
- If the request or complaint is not made in person by the data subject (so that the Company may verify the data subject’s identity), the data subject must submit the request or complaint in written form with a signature certified by a notary.
- If the request or complaint is submitted in person by the data subject in the Company’s office, the Company will, upon the data subject’s request, confirm receipt on the copy of the request or complaint that has been submitted by the data subject together with the original of the request or complaint.
- The Executive Director of the Company who receives a data subject’s request or complaint directly from the data subject or indirectly through the Company’s representative will enter the received request or complaint into the registry of requests and complaints, entering the reference number of the request or complaint, the name and contact information of the person submitting the request or complaint, the subject matter of the request or complaint (what the request or complaint is concerned with), and the date of receipt of the request or complaint by the Company (the date the request or complaint is personally accepted or, if a request or complaint is filed through a holder of a postal service operator license, the date when the request or complaint was delivered).
- The Company has the obligation to act on all data subjects’ demands without undue delay, and within one month of receipt of the demand. When necessary, taking into account the complexity and number of requests, this period may be extended by two additional months.
- If a data subject requests access to personal data, the Executive Director of the Company will provide the data subject with at least the information as to whether the personal data concerning the data subject are or are not processed by the Company, and if they are processed by the Company, the Executive Director of the Company will provide the data subject with the data subject’s personal data and also with the following information:
- - the purposes of the processing of the personal data;
- - the categories of the personal data being processed;
- - the recipients or the categories of the recipients to whom the personal data will be or will not be disclosed, in particular recipients in third countries or in international organisations;
- - the expected period for which the personal data will be stored, or, if it is not possible to establish this period, the criteria used to determine this period;
- - the existence of the right to request from the Company a rectification or an erasure of the personal data concerning the data subject or to request a restriction of the processing or to object to such processing;
- - the existence of the right to file a complaint with a supervisory authority;
- - where the personal data are not collected directly from the data subject, any available information as to their source; and;
- - the fact that automated decision-making is being carried out, including profiling, and, at least in these cases, relevant information concerning the procedure used, as well as the significance and the expected consequences of such processing for the data subject.
- The Company will respond to a data subject’s request or complaint in the same manner in which the data subject asked for the information, that is, in written form, by sending a recorded-delivery letter to the data subject’s address.
- If the Company cannot grant the data subject’s request, the Company will communicate this fact through the Executive Director of the Company to the data subject in written form, by sending a recorded-delivery letter to the data subject’s address within one month of receipt of such request.
- After acting on a request or complaint, the Executive Director of the Company will file the request or complaint, together with a copy of the Company’s response to the request or complaint, in accordance with the rules for filing of data subjects’ requests and complaints and the responses to them (including a copy of the document evidencing the sending of the response) in the relevant file. Further, the Executive Director of the Company will also enter the date and the manner of acting on the request or complaint into the registry of requests and complaints.
- If the data subject submits subsequent requests, the data subject will be charged 50 CZK per each subsequent request.
The Rules for Processing Personal Data of the Natural Persons Concerned with Whom the Company Will Interact as Part of Its Business Activity (the “Rules”)
Preambule
The Rules have been drawn up to ensure the best possible implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection – “GDPR”) which came into effect on 25 May 2018. The primary aim of the Rules is to provide the natural persons concerned with information mainly about what types of personal data the Company processes, what rights these natural persons have in relation to such processing, and for what period and what purposes such processing is being carried out.
I.
Types of Personal Data
Personal data are any and all information about an identified or identifiable natural person concerned (the “data subject”). The data subject can be the Company’s debtor, direct contractual partner (a client or a service provider) or a representative/contact person of the Company’s direct contractual partner (a client or service provider), whether the contractual partner is a legal entity or a natural person. With respect to the areas of the Company’s business activities, in particular the following types of personal data are relevant:
- - First name and surname
- - Permanent residency address
- - Registered office address or another contact address
- - Date of birth or birth certificate number (if it is a compulsory identifier)
- - Trader Identification Number/Certificate of Registration Number (IČ), Tax Identification Number (DIČ)
- - The name of the legal entity within which the data subject operates
- - The data subject’s position in the legal entity within which the data subject operates
- - Contact telephone number, contact email address
II.
Purposes of Personal Data Processing
Personal data will be processed mainly for the purposes of fulfilling a contract, performing statutory duties and other legal obligations, and protecting the Company’s legitimate interests (“Legal Reasons”). For processing of personal data for Legal Reasons, the Company does not have the obligation to obtain the data subject’s consent. In this case the data subject does not have the right to refuse personal data processing for the purpose of fulfilling a contract or performing statutory duties and other legal obligations. In the case of Legal Reasons, given the nature of the issues, in particular the following purposes are relevant (a demonstrative list):
- - performance of statutory duties and other legal obligations, such as tax obligations and obligations stipulated by specific laws;
- - fulfilment of contracts: typically, identification of the contractual partner or another contractual party, registration of claims, collection of debts and other disputes with contractual partners, and so on;
- - Legal Reasons: collection of the Company’s claims; monitoring of the Company’s debtors’ payment information for the purpose of preventing the creation of claims; seizure of evidence of activity as a means of preventing disputes; and keeping a registry of debtors.
Personal data will be processed for the above-stated purposes and for Legal Reasons to the extent necessary for the performance of these activities and for the period necessary for the completion of these activities or for the period directly stipulated by legal regulations. After that, the personal data will be erased or anonymized.
III.
Who Has Access to Your Personal Data
The Company will act as the controller of the processing of your personal data. For the above-stated purposes, the Company may transmit your personal data to the Company’s sub-contractors so that the sub-contractors could process the data for the Company. Your personal data may be transmitted to:
- 1.1.1. an external accountant,externí účetní
- 1.1.2. an external attorney’s office,
- 1.1.3. an external auditor,
- 1.1.4. the court, a private enforcement agent, or
- 1.1.5. data processors who provide internet server, web, or IT services for the Company.
IV.
The Period of Personal Data Processing
Your personal data will be processed for the period during which the fulfilment of contractual obligations will be carried out or during which a claim will be collected, or for the period necessary for the fulfilment of the storage obligations under the legal regulations in effect, such as, for example, the Accounting Act, the Archiving and Records Management Act, or the Value Added Act.
V.
Your Rights Resulting from the Processing of Your Personal Data
With respect to your personal data being processed by the Company, you have the following rights:
- a) right of access;
- b) right to rectification;
- c) right to erasure (“right to be forgotten”);
- d) right to restriction of processing;
- e) right to object to processing; and
- f) right to complain to a supervisory authority about the processing of personal data.
- Your rights are explained below so that you would have a clearer idea about what they mean.
- You can exercise all your rights by citing them in the template of the request form that is accessible on the Company’s internet website www.ospen.cz, and then sending the completed request form to this address: Jiráskovo náměstí č. 1487, 280 02 Kolín 5.
- You can file a complaint at a supervisory authority, The Office for Personal Data Protection (Úřad pro ochranu osobních údajů), at www.uoou.cz.
- Right of access means that you can at any time request confirmation from the Company as to whether any personal data concerning you are or are not being processed by the Company. And if they are being processed, then for what purposes, to what extent, to whom they are transmitted, for what period the Company will process them, whether you have the right to rectification, erasure, restriction of processing or the right to object to the processing, from which source the Company obtained your personal data, and whether the processing of your personal data involves automated decision-making, including potential profiling. You also have the right to obtain a copy of your personal data. The first request for a copy of your personal data is provided free of charge, but for subsequent copies the Company may charge a reasonable fee to cover the administrative cost.
- Right to rectification means that, if your personal data are incorrect or incomplete, you can at any time request from the Company rectification or completion of your personal data.
- Right to erasure means that the Company has the obligation to erase your personal data if (i) the data are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, or (iv) the Company has a statutory duty or other legal obligation to erase your personal data.
- Right to restriction of processing means that, until the Company settles any disputed issues with respect to the processing of your personal data, the Company has the obligation to limit the processing of your personal data to only storage and, potentially, the Company can use the data for the purpose of establishing, exercising or defending legal claims.
- Right to object to processing means that you can object to the processing of your personal data which the Company is processing for direct marketing purposes or because of a Legal Reason. If you object to processing for direct-marketing purposes, your personal data will no longer be processed for such purposes.
- These Rules of Personal Data Protection came into effect on 25 May 2018.
OSPEN s.r.o.
Jiráskovo náměstí č. 1487
280 02 Kolín 5
- Věc:DATA SUBJECT’S REQUEST
- Data Subject’s Identification
| First name and Surname: | .................................................................. |
| Date of Birth: | .................................................................. |
| Address: | .................................................................. |
| Further Identification (email address, telephone number, …): | .................................................................. |
- The subject matter of the request – What right do I want to exercise (please tick the right that applies)
- 1) Right of access
- It is sufficient for me to know what categories of personal data concerning me the Company processes (e.g., data necessary for the fulfilment of a contract or contracts that the Company and I have entered into together, or for monitoring of how I use the services purchased, and so on); or/li>
- I want to know in detail all the personal data concerning me that the Company processes, but I do not need to receive copies of these data; or
- I want to know in detail all the personal data concerning me that the Company processes, and further, I request a copy of these data to be sent to me in the following manner:
- 2) Right to rectification
- I request that the following personal data be rectified/added:
- The current value of the personal data is:
- 3) Right to erasure
- I request that the Company no longer process the following personal data concerning me:
- and that these data be erased from the Company’s systems.
- 4) Right to restriction of processing
- (please describe what type of processing you want to limit or state what personal data the restriction concerns)
- I request that the Company restrict the following type of processing __________ (description of the processing you want to restrict) of my personal data __________ (what personal data the restriction concerns).
- 5) Right to data portability
- I request a transmission of these/of all the personal data concerning me that the Company processes, ___________________________, in the following format ________________.
- Please transmit the personal data to me at the following email address: ___________
- OR
- Please transmit the personal data directly to this new data controller:
- 6) Right to object to processing
- I object to the following type of processing of my personal data: ________________
- If you are requesting erasure/restriction of processing and the Company grants the legitimacy of your request, the Company will communicate the erasure/change/restriction of the processing of your personal data to all of the recipients to whom your personal data were disclosed, with the exception of cases when this would not be possible or when it would require disproportionate effort. Are you interested in obtaining information about these recipients of your personal data? (YES/NO)
- The reason for the request
- If you are requesting to exercise your right to erasure, your right to restriction of processing, or your right to object to processing, please state the reason for your request. If you do not state the reason for your request, your request cannot be granted.
- The reason for the request:
| Name of the controller: | _________________________________________________ |
| Address of the controller: | _________________________________________________ |
| Email address of the controller: | _________________________________________________ |
| Telephone number of the controller | _________________________________________________ |
In.............................date.............................
.............................................
Signature
Please note: it is necessary to submit the request in person or with a signature certified by a notary so that the identity of the data subject submitting the request can be verified.