PERSONAL DATA PROCESSING POLICY
1. General provisions
1.1. This document defines the policy of ISTA CORPORATION, s.r.o. (hereinafter referred to as the “Company”, “Controller” or “Processor”) in relation to personal data processing (hereinafter referred to as the “Policy”).
1.2. This Policy applies to personal data processing in connection with the Controller’s or Processor’s activity in the European Union, regardless of whether the processing itself takes place in the European Union.
1.3. The Policy applies to the processing of personal data wholly or partly by automated means, and to the processing by non-automated means of personal data that are part of a record system or form an integral part of a record system, with the exception of the cases listed in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR Regulation”).
1.4. This Policy is publicly available and published on the website at “https://tiande.eu”.
1.5. The Policy is approved by the Regulation of the Director of the Company and is valid until it is cancelled or replaced by a similar internal document.
1.6. Local regulations and other documents regulating personal data processing are drawn up taking the provisions of this Policy into account.
1.7. Any issue not covered by this Policy shall be governed by the laws of the Czech Republic and the European Union.
2. Basic terms used in the Policy
2.1. The following terms are used in this document:
- personal data – means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”);
- an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as an identification number, location data or a network identifier, or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity;
- personal data subject – means a natural person who is directly or indirectly identified or identifiable by means of personal data;
- processor – means a natural or legal person who processes personal data on behalf of the controller:
Processor – ISTA CORPORATION, s.r.o.
Registered seat: Pobřežní 370/4, 18600 Prague 8, Czech Republic.
Contact address: Pobřežní 370/4, 18600 Prague 8, Czech Republic.
Company Identification Number: 248 30 933, Tax Identification Number: CZ 248 30 933
E-mail address: prague@tiande.eu
Contact telephone number: +420 211 222 818;
- controller – means a natural or legal person who determines the purposes and means of the personal data processing, either alone or jointly with others; where the purposes and means of such processing are determined by the law of the Czech Republic or the European Union, the controller or the specific criteria for his/her nomination may be provided for by that law:
Controller – ISTA CORPORATION, s.r.o.
Registered seat: Pobřežní 370/4, 18600 Prague 8, Czech Republic.
Contact address: Pobřežní 370/4, 18600 Prague 8, Czech Republic.
Company Identification Number: 248 30 933, Tax Identification Number: CZ 248 30 933
E-mail address: prague@tiande.eu
Contact telephone number: +420 211 222 818;
- supervisory authority – means an independent authorized state authority established in the Czech Republic;
- recipient – means a natural or legal person having access to personal data on the basis of agreements concluded with the controller, regardless of whether it is a third party;
- personal data processing – means any operation or set of operations which is performed on personal data or sets of personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- automated processing of personal data – means personal data processing by computer technology means;
- dissemination of personal data – means an activity making personal data available to an undefined group of persons;
- provision of personal data – means an activity making personal data available to a certain person or a certain group of persons;
- blocking of personal data – means temporary suspension of personal data processing (except where the processing is required for the specification of personal data);
- destruction of personal data – means an activity as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and/or as a result of which personal data carriers are destroyed;
- pseudonymization of personal data – means an activity as a result of which personal data can no longer be attributed to a specific data subject without the use of additional information;
- information system of personal data – means a set of personal data contained in databases, together with the technologies and technical means enabling their processing;
- cross-border processing of personal data – means transmission of personal data to the territory of a foreign state, to an authority of a foreign state or to a foreign natural or legal person.
3. Basic rights and duties of personal data subjects
3.1. Personal data subjects are entitled to:
- have access to personal data free of charge except for the cases stipulated by legal regulations of the Czech Republic and the European Union;
- require correction, blocking or erasure (right to be forgotten) of the data;
- restrict the processing of the data;
- data portability;
- object to the processing of personal data, including profiling;
- not be subject to a decision based solely on automated data processing, except where the processing is necessary for concluding or fulfilling an agreement;
- file a complaint about an action or inaction of the controller or the processor with the supervisory authority designated for the protection of the rights of personal data subjects, or with an appropriate court;
- protect their rights and legitimate interests, including reimbursement of losses and/or compensation for moral harm, in an appropriate court;
- obtain information about the processing of personal data related to the subject, including:
information about the purpose and method of the processing, the planned periods of storage of personal data, the contact details of the controller, the recipients or categories of recipients to whom personal data shall be made available (in particular recipients in third countries or international organizations), the existence or non-existence of European Union adequacy decisions, the appropriate guarantees and the means by which copies of personal data can be obtained (or where such copies can be obtained from), the right to file a complaint with a supervisory authority, the fact that automated decision-making is taking place, all available information about the sources of the personal data (if they are not obtained directly from the data subjects), and other information pursuant to the legal regulations of the Czech Republic and the European Union.
3.2. Personal data subjects are obliged to:
- provide accurate information about themselves and provide documents containing personal data that are required by legal regulations of the Czech Republic and the European Union and local requirements of the controller in the extent required for the purposes of the processing;
- inform the processor about the specification (update, alteration) of their personal data;
- fulfil other obligations stipulated by legal regulations of the Czech Republic and the European Union.
3.3. In all other cases that are not defined in this Policy, the procedure for implementation of the rights of subjects in relation to personal data and conditions for limitation of these rights is governed by the GDPR Regulation.
4. Basic rights and duties of the controller
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing of personal data, the controller is required to:
- introduce appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing is performed in compliance with this Policy. Such measures may include pseudonymization and minimization of the processed data, together with the safeguards needed to integrate the data protection principles into the processing and to keep it in compliance with this Policy. These measures can be revised and updated as needed. The list of these measures is stated in section 11.5 of this Policy;
- introduce appropriate technical and organizational measures to ensure that, by default, only the personal data that are necessary for each specific purpose of the processing are processed;
- support the exercise of the rights of personal data subjects pursuant to section 3.1 of this Policy, except where the controller demonstrates that he/she is not able to identify the personal data subject;
- at the request of the data subject (or the legal representative of the personal data subject), provide information about the adopted measures without undue delay and in any case within one month after receiving such a request, except in the situations defined in the GDPR Regulation;
- keep records of the data processing for which he/she is responsible. Each record must contain all of the following information:
a) name and details of the controller or of a controller acting jointly with him/her (joint controller);
b) purpose of the processing;
c) description of the categories of personal data subjects and categories of personal data;
d) categories of recipients whom the personal data are or shall be disclosed to, including recipients in third countries or international organizations;
e) transmission of personal data to a third country or an international organization, if applicable, including information about this third country or international organization, and in case of personal data required for the fulfilment of agreements between a personal data subject and the controller or personal data required for the fulfilment of pre-contractual measures performed at the request of a personal data subject, transmission of documents concerning due protection of personal data;
f) time schedule for erasure of different categories of personal data, if possible;
g) general description of technical and organizational measures defined in the GDPR Regulation.
Documents and records stated in this section are kept in a written form, including an electronic form, and are made available at the request of supervisory authorities;
- report a leakage of personal data to the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the leakage is unlikely to result in a risk to the rights and freedoms of natural persons. If the supervisory authority is not notified within 72 hours, the reasons for the delay must be stated in the notification. The controller is obliged to document every personal data leakage, including the facts relating to it, its consequences and the measures taken to remedy those consequences.
Such documentation shall enable the supervisory authority to verify compliance with this section.
4.2. The controller is entitled to:
- entrust the processing of personal data to other natural or legal persons with the approval of personal data subjects on the basis of a concluded agreement.
4.3. Where two or more controllers jointly determine the purposes and means of the processing, they are regarded as joint controllers. The division of their respective responsibilities for the fulfilment of the obligations resulting from this Policy is determined in a transparent manner by means of an agreement between them. Such agreement shall clearly define the respective roles and relationships of the joint controllers in relation to personal data subjects. The essence of the agreement shall be made available to personal data subjects. Regardless of the terms of such agreement, personal data subjects are entitled to exercise their rights defined in this Policy towards and against any of the controllers.
4.4. The Controller has other rights and duties not defined in this Policy pursuant to legal regulations of the Czech Republic and the European Union.
5. Legal status of the processor
5.1. In case that the processing is carried out on behalf of the controller, the controller should use only such processors who provide relevant guarantees of applying appropriate technical and organizational measures in such a way that the processing fulfils the requirements of this Policy and ensures protection of rights of personal data subjects.
5.2. The processor or any other person acting on behalf of the controller or the processor having access to personal data is allowed to process these data only on the basis of the controller’s order unless it is required by legal regulations of the Czech Republic or the European Union.
5.3. Data processing carried out by the processor shall be provided for by an agreement or other legal act pursuant to legal regulations of the Czech Republic or the European Union that shall be binding for the processor in relation to the controller and that shall define the subject and the periods during which the data shall be processed, the nature and the purpose of the processing, kinds of personal data and categories of personal data and the rights and duties of the controller. Requirements for the content of such agreement or other legal act are defined in accordance with the GDPR Regulation. The agreement or other legal act specified in this provision shall be in a written form, including an electronic form.
5.4. The processor shall not engage another processor without prior specific or general written consent of the controller. In the case of general consent, the processor is obliged to inform the controller of any intended changes concerning the addition or replacement of other processors, in order to afford the controller the opportunity to object to such changes.
5.5. Where the processor engages other processors in the data processing on behalf of the controller, the same data protection obligations as those set out in the agreement or other legal act between the controller and the processor apply also to those other processors, pursuant to an agreement or other legal act under the legal regulations of the European Union or the Czech Republic, including the duty to apply appropriate technical and organizational measures in such a way that the processing of personal data meets the requirements of the GDPR Regulation. Where other processors fail to fulfil their data protection obligations, the original processor remains fully liable to the controller for the performance of their obligations.
5.6. The processor processing personal data according to the purpose of the processing defined in section 6 of this Policy is entitled to:
- receive documents containing personal data.
5.7. The processor processing personal data according to the purpose of the processing defined in section 6 of this Policy is obliged to:
- process obtained personal data in accordance with the procedures stipulated by laws;
- afford a personal data subject (legal representative of the personal data subject) the opportunity to have free access to the processed personal data about him/her;
- adopt measures, with the approval of the controller, to specify or erase the personal data of a personal data subject in connection with his/her lawful and legitimate requests (or the requests of his/her legal representative);
- immediately inform the controller if he/she assumes that the instructions violate the GDPR Regulation or other data protection provisions of the European Union or the Czech Republic;
- ensure that persons entitled to process personal data make a commitment to confidentiality;
- assist the controller, by appropriate technical and organizational measures where applicable, in fulfilling the controller’s duties and in responding to requests for the exercise of data subjects’ rights; upon termination of the services related to the processing, erase or return all personal data to the controller at the controller’s discretion, and delete existing copies, except where their retention is required by legal regulations of the European Union or the Czech Republic;
- make available to the controller all information required to demonstrate fulfilment of his/her duties, and allow and contribute to audits, including inspections, conducted by the controller or another auditor authorized by the controller;
- keep records of all categories of processing activities carried out on behalf of the controller, containing:
(a) name and details of the processor or a processor acting together with him/her (joint processor), if any;
(b) purpose of the processing;
(c) description of categories of personal data subjects and categories of personal data;
(d) categories of recipients to whom personal data are or shall be disclosed, including recipients in third countries or international organizations;
(e) transmission of personal data to third countries or international organizations, if applicable, including information about that third country or international organization and, in the case of personal data required for the fulfilment of an agreement between a personal data subject and the controller or for pre-contractual measures implemented at the request of a personal data subject, the documents regarding due protection of these personal data;
(f) if applicable, time schedule for erasure of various categories of personal data;
(g) general description of technical and organizational measures defined in the GDPR Regulation.
Documents and records defined in this section are kept in a written form, including an electronic form, and are made available at the request of supervisory authorities;
5.8. The processor has other rights and duties not defined in this Policy pursuant to legal regulations of the Czech Republic and the European Union.
6. Purpose of obtaining personal data
6.1. The processing of personal data pursuant to this Policy is carried out for the following purposes:
- ensure compliance with legal regulations of the Czech Republic and the European Union;
- execute judicial acts, acts of other authorities or officials subject to the execution in accordance with legal regulations of the Czech Republic and the European Union;
- provide services to personal data subjects, fulfil orders, provide options for using the services, perform advertising campaigns, provide targeted advertising and services;
- carry out statistical studies and analyses of statistical data;
- enable participation in incentive events, competitions and similar events;
- keep personnel records of employees;
- grant holiday leave to employees and send employees on business trips;
- organize and implement the remuneration of employees;
- apply for passports and visas and arrange health insurance for employees travelling abroad;
- organize individual (personalized) registration of employees in the system of compulsory pension insurance;
- fill in and submit the various required reports to executive bodies and other authorized organizations;
- prepare, conclude, execute and terminate civil-law agreements.
7. Legal basis of personal data processing
7.1. The legal basis for the processing of personal data is the set of normative legal acts according to which the processor carries out the processing of personal data, including:
- legal regulations of the Czech Republic;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- other legal regulations of the European Union.
7.2. In particular, for the purposes defined in section 6 of this Policy, the legal grounds for the processing of personal data of subjects, regardless of the method by which the data were obtained, are as follows:
- the subject has consented to the processing of his/her personal data for one or more specific purposes;
- the processing is necessary for the performance of an agreement to which the subject is a party, or in order to take steps at his/her request prior to entering into a contract.
8. Volume and categories of processed personal data, categories of personal data subjects
8.1. In accordance with the purposes defined in section 6 of this Policy, personal data may be processed for the following categories of subjects:
8.1.1. Users of the “https://tiande.eu” websites who have registered or purchased goods:
- name, surname, father’s name;
- year and place of birth;
- contact details.
8.1.2. Applicants for a job in the controller’s organization:
- surname, name, father’s name;
- gender;
- age;
- education, qualification, work experience and information about further education.
8.1.3. Controller’s employees:
- surname, name, father’s name;
- gender;
- age;
- appearance (photograph);
- details of identity card;
- permanent residence and contact address;
- identification number (ID number) of a person;
- birth certificate number;
- education, qualification, work experience and information about further education;
- marital status including children, family relations;
- information about work activity, including incentives, rewards and/or disciplinary fines;
- details about marriage registration;
- military records;
- information about disablement;
- information about alimony deductions;
- information about incomes from previous workplace;
- other personal data provided by employees in accordance with the requirements of labour-law regulations of the Czech Republic and the European Union.
8.2. Processing of biometric personal data (information characterizing physiological and biological features of a person on the basis of which his/her identity can be determined) is carried out in accordance with the laws of the Czech Republic.
8.3. The processor does not process special categories of personal data, i.e. data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life or criminal records.
9. Procedure and general conditions of personal data processing
9.1. Personal data processing is carried out with the approval of a personal data subject unless legal regulations of the Czech Republic and the European Union stipulate otherwise.
9.2. Personal data processing can be carried out by computer technology (automated processing) or with direct participation of a person without using computer technology (non-automated processing).
9.3. Personal data processing is permitted only to those employees of the controller who have this activity outlined in their job description. These employees are entitled to obtain only those personal data that they need for the fulfilment of their work duties.
9.4. Personal data processing is carried out:
- by obtaining information containing personal data in oral, written and electronic form directly from personal data subjects;
- by providing originals of required documents directly from personal data subjects;
- by obtaining certified copies of documents containing personal data or by copying original documents;
- by obtaining personal data through inquiries sent to state authorities, local authority bodies, commercial and non-profit organizations and natural persons, in the cases and in accordance with the procedure defined by legal regulations of the Czech Republic and the European Union;
- by obtaining personal data from public resources;
- by recording (registering) personal data in journals, books, registers and other records;
- by using other means and methods of personal data obtaining.
9.5. Personal data processing continues until a personal data subject withdraws his/her consent and also for the period required for the purposes for which the personal data are processed. After achieving the purpose of the personal data processing and in case of withdrawal of the consent of a personal data subject to the personal data processing, personal data shall be erased, unless an agreement between the controller and a personal data subject and legal regulations of the Czech Republic and the European Union stipulate otherwise.
9.6. The transmission of personal data to third parties (including cross-border transmission) is possible with a written approval of a personal data subject except for the cases where it is required for protection of life and health of personal data subjects and in other cases defined by legal regulations of the Czech Republic and the European Union.
Obligations stipulated by legal regulations of the Czech Republic and the European Union in the sphere of personal data are followed during the personal data transmission to third persons in accordance with concluded agreements.
The transmission of personal data to authorized state and local authority bodies is carried out in accordance with the requirements of legal regulations of the Czech Republic and the European Union in the sphere of personal data. Any transmission of personal data that are or shall be processed after their transmission to a third party or an international organization should be carried out only in cases permitted by legal regulations of the Czech Republic and the European Union and on condition that legal requirements are fulfilled both by the controller and the processor. All provisions of the GDPR Regulation governing such personal data transmission shall be used in such a way that the level of protection guaranteed by the GDPR Regulation is ensured.
9.7. To obtain additional information about the rules of the personal data processing in accordance with this Policy contact the e-mail address prague@tiande.eu.
10. Procedure of providing information and answering questions related to processing of personal data of subjects
10.1. Information about the processing of the personal data of a subject is provided to the personal data subject or his/her representative after the controller or the processor receives a request from the subject or his/her representative.
10.2. The request shall contain details enabling the controller to identify the personal data subject: details of the identity card of the data subject or his/her representative, information confirming the relationship of the personal data subject to the controller (agreement number, date of the concluded agreement, agreed code word and/or other information) or information otherwise confirming the fact of personal data processing, and the signature (including an electronic signature) of the personal data subject or his/her representative. The request may be sent as an electronic document bearing an electronic signature pursuant to legal regulations of the Czech Republic or the European Union.
10.3. The controller is obliged, no later than one month after receiving a request of a personal data subject relating to his/her rights defined in section 3 of this Policy, to provide information about the measures adopted in connection with the request, to adopt adequate measures and to inform the third parties to whom the personal data of this subject have been transmitted, except where the GDPR Regulation provides for different periods.
10.4. The information provided by the controller and other messages related to the personal data processing are provided in a brief, open, comprehensible and easily accessible form in a clear and comprehensible language. The information is provided in writing or other means, including an electronic form. If a data subject submits the request electronically, the information will be provided also electronically as circumstances allow unless the data subject requires a different method of obtaining the information. At the request of a personal data subject it is possible to provide the information in an oral form if the identification of the data subject is confirmed by other means.
10.5. If the controller does not take action on the request of a data subject, the controller shall, without delay and within 30 days from receiving the request at the latest, inform the data subject of the reasons for not taking action and of the possibility of filing a complaint with a supervisory authority and of seeking a judicial remedy.
Where the requests of a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or performing the requested action; or
(b) refuse to act on the request.
The right of a personal data subject to access his/her personal data can be limited in accordance with legal regulations of the Czech Republic and the European Union, including cases when the access to personal data of a subject violates the rights and legitimate interests of third parties.
10.6. In case of receiving a request of a personal data subject for erasure of personal data, the controller is obliged without undue delay to erase the personal data and ensure discontinuance of their processing (if the personal data processing is carried out by a different person) should there be one of the following reasons: the personal data subject withdraws his/her consent with the personal data processing, retention of the personal data is no longer required for the purpose of the personal data processing, data have been processed unlawfully or must be removed in accordance with the laws of the Czech Republic and the European Union. The controller shall erase personal data or ensure their erasure (if the personal data processing is carried out by a different person acting on behalf of the controller) within the period not exceeding one month from receiving the withdrawal unless legal regulations of the Czech Republic and the European Union stipulate otherwise.
10.7. Requests and other communications concerning the personal data processing may be sent to the e-mail address prague@tiande.eu in free form; however, the requirements for such requests stipulated in section 10.2 of this Policy must be fulfilled.
11. Requirements for personal data protection
11.1. The security of personal data during their processing is ensured in accordance with legal regulations of the Czech Republic and the European Union.
11.2. The controller implements the necessary organizational and technical measures to protect personal data against accidental or unauthorized access, destruction, alteration, blocking of access and other unauthorized activities.
11.3. As soon as this Policy comes into effect, the controller shall introduce and apply the security measures defined in this section. The controller may update or alter these security measures, provided that such updates and alterations do not, on the whole, reduce the security of the personal data processing.
11.4. The controller is, however, unable to guarantee that the security measures adopted for the protection of data and information provided by automated means will prevent or exclude every risk of unauthorized data access or loss where the leakage of personal data is caused by the actions of the data subject himself/herself. It is advisable that the computer of the personal data subject is equipped with appropriate software for protecting data during their transfer and for receiving network data (such as an up-to-date antivirus system), and that the internet service provider adopts appropriate measures for securing network data transfer (for example a firewall and spam filtering).
11.5. The protective measures carried out by the controller during the personal data processing include:
- adopting local regulations and other internal documents in the sphere of personal data processing and protection;
- ensuring the security of processors, and of other processors engaged by them, before the processing begins as well as during processing carried out wholly or partly by automated means, by auditing their security and confidentiality to the level required for the processing;
- appointing persons responsible for ensuring the security of personal data;
- performing methodical work and ensuring training of employees engaged in personal data processing;
- verifying that the necessary conditions for working with material carriers and information systems in which personal data are processed, as well as the conditions for their keeping and storage by the processor, are in place, ensuring the security of personal data and excluding unauthorized access to them;
- separating personal data processed without automated means from other information;
- ensuring separate storage of material carriers containing personal data of different categories or personal data processed for different purposes;
- a ban on transmitting personal data through open communication channels, computer networks and the internet without appropriate measures for ensuring the security of the personal data;
- ensuring protection of documents containing personal data on paper and other material carriers during their transmission to third parties via postal services;
- internal inspection of all subjects involved in personal data processing and of their compliance with legal regulations of the Czech Republic and the European Union and with the local documents of the controller, including this Policy, during personal data processing.
12. Responsibility for violating the procedure of processing of personal data of subjects
12.1. Each controller engaged in personal data processing is liable for damage caused by processing that infringes the laws of the Czech Republic and the European Union. The processor is liable for damage caused by the processing only where he/she has not fulfilled the obligations under this Policy that are specifically directed to processors, or where he/she has acted outside or contrary to the lawful instructions of the controller.
12.2. General conditions for imposing administrative fines and their amounts are defined in accordance with legal regulations of the Czech Republic and the European Union.
The wording approved on
9 April 2018
Director
ISTA CORPORATION, s.r.o.
V. Strokatov