We, the company SYNER, s.r.o, ID 48292516, with its registered office at Dr. Milady Horákové 580/7, 460 01 Liberec, registered in the Commercial Register kept by the Regional Court in Ústí nad Labem, Section C, File No. 5153 (hereinafter also referred to as the “Administrator” or as the “Company”), issue this statement on personal data protection, which we have prepared in accordance with applicable legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation”). In this statement, we would like to inform our business partners, employees and the general public about the ways in which personal data is handled in our company.
- Personal Data – All information related to an identified or identifiable natural person (data subject); identifiable person means a person who can be identified, directly or indirectly, in particular by means of an identification number or one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
- Sensitive Data – Special categories of Personal Data which indicate racial or ethnic origin, political opinions, religions or philosophical beliefs, trade union membership, health or sexual life or the sexual orientation of an individual. Genetic and biometric data, which are processed for the purpose of unique identification of a natural person, are also considered to be a special category of data.
- Data Subject – Any natural person whose Personal Data the Company handles, including personal data of employees.
- Data Controller – An entity that determines the purposes and means of personal data processing and is responsible for their processing. In this case, the data controller is the Company.
- Data Processor – Any natural or legal person, public administration body, agency or any other entity processing personal data on behalf of the Data Controller (data processing through a subcontractor – e.g. a company that processes wages as a supplier).
- Personal Data Protection Officer – A person designated by the Data Controller to monitor compliance with the Regulation and other applicable legislation, to provide information and advice to Data Controllers (including employees involved in the processing of personal data) or Data Processors. The Company is not obliged to appoint a Data Protection Officer within the meaning of Article 37 of the Regulation and has not appointed a Commissioner within the meaning of Article 37 of the Regulation.
- Handling of personal data – Any operation or set of operations performed on personal data, such as their collection, recording, organization, storage, modification or change, search, consultation, use, disclosure, dissemination or providing in another way, sorting or combining, blocking, deleting or disposal. This includes manual processing of personal data in structured files.
- Automated Individual Decisions – Decisions that have legal consequences or have a significant impact on the Data Subject and which are based exclusively on automated data processing, the aim of which is to evaluate certain personal aspects of the Data Subject, e.g. his/her performance, creditworthiness, reliability, behaviour, etc.
- Recipient – Any natural or legal person, public authority, agency or any other entity to which data are disclosed, whether a third party or not. However, the public authorities that may receive the data in the context of an individual inquiry are not considered to be recipients.
- Third Party (person) – A person or entity other than the Data Controller. Third parties do not include data subjects or persons or entities that are obliged to collect, process or use personal data in the Czech Republic, another Member State of the European Union or another state that has concluded the Agreement on the European Economic Area.
C) SOURCES OF PERSONAL DATA
As part of its activities, the Controller obtains personal data:
- directly from the Data Subject when negotiating the conclusion of a transaction or the provision of a service and their subsequent implementation,
- from publicly accessible registers, lists and records (commercial register, trade register, real estate register, public telephone directory, etc.) and from other public registers,
- from other entities, if so provided by a special regulation,
- within the framework of the consent granted by the Data Subject (processing of photographs, use of Personal Data for the purpose of personnel procedures, etc.),
- possibly from other entities, if the Data Subject has given his/her consent.
D) SCOPE OF PERSONAL DATA
The Controller processes Personal Data of Data Subjects to the following extent:
- identification data of the Data Subject, in particular the name, surname, title, personal identification number, date and place of birth, sex, marital status, nationality, address of permanent residence, contact addresses and telephone number; in the case of a natural person pursuing business, also his/her business name, distinguishing appendix or other designation, place of business and identification number; portrait, signature,
- contact details of the Data Subject, in particular e-mail address, telephone number,
- other descriptive data (bank details, education, etc.),
- Personal Data of persons connected with the Data Subject (identification and contact data of family members such as spouse, partner, companion, descendants),
- information from external sources, especially from publicly available registers (e.g. commercial register, trade register, real estate register, insolvency register, public telephone directory, etc.),
- sensitive data only to the extent strictly necessary.
E) PURPOSE OF PERSONAL DATA PROCESSING AND TIME OF PERSONAL DATA PROCESSING
- Implementation of the contractual relationship
- Processing of Personal Data necessary for the proper fulfilment of the rights and obligations arising for the Controller from the contractual relationship with the Data Subject (e.g. preparation of the conclusion of the contractual relationship, execution of transactions, control of the fulfilment of contracts, etc.).
- The Controller processes Personal Data for this purpose for the duration of the contractual relationship.
- Legitimate interest of the Controller
- The processing of Personal Data is necessary for this purpose (e.g. protection of the Controller’s premises, internal reporting, and settlement of disputes with the Data Subject and protection and enforcement of the Controller’s rights, administration and recovery of receivables).
- The Controller processes personal data for this purpose for the duration of the contractual relationship and until the expiration of the limitation periods resulting from the fulfilment of rights and obligations on the basis of the given contractual relationship, or for the time necessary in the event that it is not connected with the contractual relationship between the Controller and the Data Subject.
- Fulfilment of obligations stipulated by legal regulations
- The processing of Personal Data is necessary for this purpose because their processing is required by law or other generally binding legal regulations (e.g. fulfilment of notification obligations for public authorities, fulfilment of obligations concerning enforcement of decisions, fulfilment of archiving obligations, fulfilment of obligations arising from regulations governing premiums, taxes and accounting, obligations arising from regulations governing employment, etc.).
- The Controller processes Personal Data for this purpose to the extent specified by applicable legal regulations.
- Processing on the basis of a consent given
- The Controller further processes personal data to the extent and in the manner agreed by the Data Subject.
- The Controller processes Personal Data for this purpose for the duration of the consent.
F) METHOD OF PERSONAL DATA PROCESSING
The Controller processes Personal Data of the Data Subject by automated means and manually in compliance with all safety principles for the management and processing of Personal Data. To this end, the Controller has taken technical and organizational measures to ensure the protection of Personal Data, in particular measures to prevent unauthorized or accidental access to Personal Data, their change, destruction or loss, unauthorized transfers, their unauthorized processing and other misuse of Personal Data. All entities to which Personal Data may be disclosed respect the Data Subject’s right to privacy and are obliged to comply with applicable legislation on personal data protection.
G) INFORMATION ON THE PROVISION OF PERSONAL DATA TO THIRD PARTIES – RECIPIENTS OF PERSONAL DATA
- The Controller passes Personal Data of entities to state supervision bodies and other persons to whom he/she is obliged to make Personal Data available on the basis of legal regulations – these are mainly state administration bodies, courts, bodies active in criminal proceedings, executors, notaries, insolvency administrators, etc.
- The Controller processes Personal Data through his/her own employees as a personal data controller or through his/her processors, on the basis of a contract concluded in accordance with the Regulation, while ensuring technical, organizational and personnel measures ensuring a high level of protection and safety of the Data Subject’s Personal Data.
H) RIGHTS OF DATA SUBJECTS
- Right of access to Personal Data
The Data Subject is entitled to request the Controller for access to his/her Personal Data, in particular information on the processing of his/her Personal Data, always containing at least a statement on the purpose of personal data processing, scope and content of personal data (e.g. a list), or categories of Personal Data subject to processing, including all available information on their source, nature of automated processing in connection with its use for decision-making, if acts or decisions are made on the basis of such processing, the content of which interferes with the law and legitimate interests of the Data Subject and the categories of recipients of Personal Data.
- Right to correct Personal Data
The Data Subject is entitled to object to the incorrect processing of Personal Data and is entitled to request the correction or supplementation of such Personal Data. In such a case, the Controller is obliged to inform the recipient without undue delay of the Data Subject’s request.
- Right to restrict processing
- The Data Subject has the right to restrict processing if:
- he/she denies the accuracy of the Personal Data for the time necessary to verify the accuracy of the Personal Data,
- the processing is illegal and the Data Subject refuses to delete the Personal Data and instead calls for restrictions on their use,
- if the Controller does not need the Personal Data of the Data Subject for the purposes of processing, but the Data Subject requires them for the determination, exercise or defence of legal claims,
- if the Data Subject has objected to the processing until it has been verified that the legitimate reasons of the processing Controller outweigh the interests, rights and freedoms of the Data Subject.
- Restriction of processing means that the Personal Data of the Data Subject whose processing has been restricted are identified and, for the duration of the restriction, such Personal Data may, with the exception of their storage, be processed only with the Data Subject’s consent or for the purpose of determining, enforcing or defending legal protection of the rights of another natural or legal person or on grounds of overriding public interest of the Union or of a Member State. A Data Subject who has obtained a restriction of processing will be notified in advance by the Controller that the processing restriction will be terminated.
- Right to delete Personal Data
The right to delete Personal Data only applies to Personal Data for the processing of which the consent of the Data Subject has been given and there is no other legal basis for the processing of Personal Data.
- Right to the transferability of Personal Data
The Data Subject may request the Controller to provide the Data Subject’s Personal Data for the purpose of transferring them to another Controller of Personal Data. However, this right belongs only to those data which are processed automatically by the Controller on the basis of the consent of the Data Subject or a contract with the Data Subject.
- Right to object
- If Personal Data are processed for the purposes of direct marketing, the Data Subject has the right to object at any time to the processing of Personal Data concerning him/her for that marketing. If the Data Subject objects to processing for direct marketing purposes, Personal Data will no longer be processed for these purposes.
- Furthermore, the Data Subject has the right to object at any time to the processing of Personal Data concerning him/her, if the processing takes place due to the performance of a task performed in the public interest or due to the legitimate interests of the Controller or a third party.
- The Controller shall not further process Personal Data unless he/she demonstrates serious legitimate reasons for the processing which outweigh the interests or rights and freedoms of the Data Subject, or for the determination, exercise or defence of legal claims.
- Right to lodge a complaint with the supervisory authority
If the Data Subject considers that the processing of Personal Data violates the legislation on personal data protection, he/she has the right to lodge a complaint with the supervisory authority. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7, www.uooz.cz
In case of questions aimed at personal data protection, you can contact our employee responsible for personal data protection, at the address: email@example.com.