PERSONAL DATA PROCESSING AND PROTECTION DECLARATION
In conformity with the relevant provisions of Regulation of the European Parliament and of the Council (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the associated standards, and in conformity with the principles of transparency and legitimacy, we publish the following Declaration:
IDENTIFICATION OF THE CONTROLLER:
The company BLANÁŘ NÁBYTEK, a.s.
registered at the Regional Court in Brno under file number B 3642
registered seat: No. 410, 691 11 Brumovice
Company ID Number: 26259842
(hereinafter the “Controller” or the “Company”)
EXTENT OF PERSONAL DATA PROCESSING:
The Controller processes the personal data to the extent necessary to fulfil the particular purpose of processing. In doing so, the Controller always proceeds in conformity with the valid legal regulations and in conformity with the Controller’s obligations.
PURPOSES OF PERSONAL DATA PROCESSING:
The Controller always processes the personal data for a clear and comprehensible purpose and keeps records of the purposes of individual processing. The purposes of processing at the Controller particularly include:
- personal data processing for the reason of fulfilment of legal obligations (fulfilment of statutory obligations including obligations resulting from the Archiving Act),
- personal data processing for the purpose of ensuring the operation of the Company (personal data of employees, job candidates, etc.),
- personal data processing for the purpose of conclusion and/or performance of contracts (data of customers, suppliers, etc.),
- for the reasons of the Controller’s legitimate interests (such as security protection of persons and property – CCTV recording, documentation of Company history, direct marketing, etc.),
- protection of the Controller’s rights and Controller’s interests protected by law,
- for the purposes specified specifically in the consent to the personal data processing,
- to ensure operation of the Company kindergarten,
LEGAL TITLES FOR PROCESSING:
The Controller processes the personal data in conformity with the relevant legal standards and on the basis of the following legal titles:
- the Data Subject gave consent to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the fulfilment of the agreement of which the Data Subject is a party, or to take the measures adopted before conclusion of the agreement upon the request of such Data Subject,
- the processing is necessary to meet the legal obligations which applies to the Controller,
- the processing is necessary for the protection of the vital interest of the Data Subject or of another natural person,
- the processing is necessary to fulfil a task performed in the public interest or in the exercise of a public authority the Controller is charged with,
- processing is necessary for the purposes of legitimate interests of the respective Controller or a third party, with the exception of cases when the interests or the basic rights and freedoms of the Data Subject requiring protection of the personal data have precedence over such interests, especially when the Data Subject is a child.
The processing of a special category of personal data may occur exclusively on the basis of the following legal titles (and/or exceptions for processing):
- the Data Subject gives their explicit consent to the processing of such personal data for one or more defined purposes, with the exception when EU law or an EU member state law defines that the ban contained in paragraph 1 may not be cancelled by the Data Subject,
- the processing is necessary to meet the obligations and to exercise the special rights of the Controller or of the Data Subject in the field of labour law and the social security and social protection law, provided that it is allowed by EU law or an EU member state law or a collective agreement under the law of an EU member state in which the suitable guarantees referring to the basic rights and interests of the Data Subjects are defined,
- the processing is necessary for the protection of the vital interests of the Data Subject or another natural person in the event that the Data Subject is not physically or legally capable of giving their consent,
- the processing is performed within the scope of its activities and with suitable guarantees by a foundation, association or another non-profit-making entity which pursues the political, philosophic, religious and/or trade union goals, and on condition that the processing only relates to the present or former members of this entity, or to persons who keep in regular touch with such an entity in association with its objectives, and on condition that such personal data are not made accessible outside this entity without approval of the Data Subject,
- the processing relates to the personal data obviously published by the Data Subject,
- the processing is necessary for the definition, performance or defence of legal titles, or if the courts are acting within the scope of their jurisdiction;
- the processing is necessary for the reason of a significant public interest on the basis of EU law or an EU member state law which is adequate to the pursued goal, observes the nature of the rights for data protection and provides suitable and particular guarantees for the protection of the basic rights and interests of the Data Subject,
- the processing is necessary for the purposes of preventive medicine or occupational medicine, to assess the working abilities of the employee, medical diagnostics, provision of healthcare or social care or treatment or the management of the systems and services of the healthcare or social care under EU law or an EU member state law or under the agreements with a healthcare provider, subject to observance of the relevant conditions and guarantees,
- the processing is necessary for the reasons of public interest in the field of public healthcare, such as protection from serious cross-border health threats or assurance of strict standards of quality and safety of healthcare and medicines and/or medical devices under EU law or an EU member state law, defining the corresponding and special measures to ensure the rights and freedom of the Data Subject, especially the business secrets,
- the processing is necessary for the purposes of archiving in public interest, for the purposes of scientific and/or historical research or for statistical purposes in conformity with Article 89, paragraph 1 on the basis of EU law or an EU member state law which is adequate to the pursued goal, observes the nature of the rights for data protection and provides suitable and particular guarantees for the protection of the basic rights and interests of the Data Subject.
PERSONAL DATA SOURCES
The Controller obtains the personal data for processing in the following ways:
- directly from the Data Subject,
- from the registers, records or lists accessible to the public,
- from contract partners.
CATEGORIES OF THE DATA SUBJECT
- employees (including job candidates),
- customers and clients (including the Company kindergarten),
- other persons having contractual relationships with the Controller,
- natural persons captured on CCTV recordings,
- service suppliers.
CATEGORIES OF PERSONAL DATA
- the personalised and identification data serving for a definite and unmistakable identification of the Data Subject and communication with the same,
- descriptive data,
- special categories of personal data, i.e., such personal data which testify about the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health condition or sexual life or sexual orientation of a natural person. Also genetic and biometric data which is processed for the purpose of the unique identification of a natural person is considered a special category of data. Processing of this category is only possible subject to compliance with the defined obligations.
PERSONAL DATA RECIPIENTS
A recipient shall mean natural persons or legal entities, public authorities, an agency or any other entity to which the data is communicated.
The Controller shall keep information on personal data recipients and shall at all times respect the purpose of processing as well as any legal obligations and responsibilities.
METHOD OF PERSONAL DATA PROCESSING
The Controller processes the personal data at its premises or branch offices via its employees or other appointed processors. Processing occurs both in paper and electronic form, both in an automated and in manual manner.
While processing the personal data, the Controller shall at all times ensure compliance with the statutory requirements as well as the general principles of personal data protection.
PERSONAL DATA PROTECTION
The Controller shall ensure the organisational and technical protection of personal data in a manner to avoid any unauthorised or accidental access to the personal data, changing, destruction, loss, unauthorised transfers and/or unauthorised processing or misuse of the personal data.
Personal data protection also forms an integral part of the Security Policy of the Company.
PERIOD OF PERSONAL DATA PROCESSING
The Controller shall always only process the personal data for the period necessary to accomplish the purpose of processing, and in conformity with all the obligations under the statutory standards.
RIGHTS OF THE DATA SUBJECT
The rights of the Data Subject are an important element of personal data protection for the Controller.
The Data Subject has the right to be informed on the processing of their personal data on the basis of a request made in conformity with the relevant statutory provisions, in particular with respect to the following information:
- purpose of processing,
- categories of personal data affected,
- recipient or category of recipients,
- period of processing and/or storage of personal data,
- available information on the source of personal data,
- the fact whether automated decision-making takes place, including profiling.
Furthermore, the Data Subject has the following rights:
- right to access the personal data,
- right to correction and/or completion of the personal data,
- right to deletion of the personal data,
- right to restriction of processing,
- right to transferability of data,
- right to object,
- right not to be the subject of automated individual decision-making, including profiling.
If the Subject believes that the Controller processes the personal data in contradiction with the Data Subject’s rights or the law, the Data Subject may furthermore:
- ask the Controller for explanation,
- ask for elimination of the unlawful condition,
- refer to the relevant supervisory authority, which is the Personal Data Protection Office (www.uoou.cz).
All information, communication and actions pursuant to the GDPR are provided and made for free.
Only when the requests made by the Data Subject are evidently unjustified or inadequate, in particular because they are repeated, may the Controller charge either an adequate fee or refuse to comply with the request.
Any questions and/or requests to enforce the rights of the Data Subjects may be directed in writing to the address of the Company or electronically by e-mail firstname.lastname@example.org or the data box.
BLANÁŘ NÁBYTEK, a.s.