PERSONAL DATA PROCESSING STATEMENT

„Privacy Policy“

I. Introduction

This statement is created and published to provide information on procedures and obligations of our company with regards to GDPR requirements compliance. For the purpose of this text, the following terms are used:

• PD = personal data, i.e. any data that could be used to identify a specific person
• PD Owner the owner of the personal data being kept and processed by our company
• Controller – our company, keeping, processing, archiving and protecting your PD
• Processor – a company contracted by us to process your PD. This ensures the handling, processing and protection of your PD is in compliance with the requirements of GDPR and your rights are not being impinged in any way.

II. Personal data Controller

Auto-ID s.r.o., Za Dvorem 2283, 250 01, Brandýs nad Labem, Reg.No: 02418151, registered at the municipal court in Prague, section C, file No. 219 310 PD protection contact address: gdpr@autoid.cz Phone number: +420 603 182 303 (hereinafter referred to as “Controller”) in accordance with article 12 of the GDPR hereby informs you about the processing of your personal data and about your rights.

III. The extent of personal data processing

Personal data are processed to the extent provided to the Controller by the data subject, related and based on data subject’s decision at the time of establishing the relation or registration, and also within the contractual or other legal relation with the Controller, or which were collected by the Controller through other means and processed in accordance with applicable law or to fulfill the Controller’s legal duties.

IV. Personal data sources

Personal data are acquired from PD Owners (business communication, shopping, product delivery or service provisioning, phone communication, business cards, etc.).

Another source of personal data is data collection of the information prerequisite to be shared by job seekers and workers. In case of personal data obtained from public sources, it is used solely for the purposes of a business relationship realization or in accordance with the consent obtained from the subject of said personal data.

V. Categories of personal data subject to processing

• These are identifying data used for the purpose of unique and unmistakable PD Owner identification (name and surname, date of birth, birth certificate number, permanent address, etc.).
• Descriptive information (such as bank account details)
• Data necessary for fulfilling contractual obligations (e-mail, phone number, workplace address, post) and more
• Data provided above and beyond the scope of appropriate laws and legislative regulation, processed within the limits of the consent provided by the PD Owner

VI. PD Owner categories

These mostly include:

• Customers
• Customer’s customers
• Employees and workers employed based on agreements on non-work activities, as well as job seekers
• Owners of personal data of our suppliers and partners offering services necessary for the operation of our company
• Other persons contractually obligated to the PD Owner

VII. Personal data recipient categories

• State and other authorities as part of performing their legal duties laid down by the relevant legislation
• Financial institutions and public administration organizations
• Contractually obligated PD Processors
• Third parties and organizations based on a consent from the PD Owner
• Our company, acting as a PD Controller

VIII. Purposes of personal data processing

• Purposes contained within the limits of the consent given by the personal data subject
• Contract negotiations
• Fulfilling contract obligations
• Controller, recipient or other interested persons rights protection
• Archiving purposes required by the law
• Selection procedures for vacancies
• Fulfilment of legal obligations on the Controller’s part
• Protection of PD Owner’s or other bodies vital interests

IX. Methods of processing and protection of personal data

Personal data processing is performed by the Controller or by a contractually bound Processor, where the contract guarantees all liabilities related to PD processing and PD Owner’s rights will be met.

Personal data processing is carried out at the headquarters and/or premises of the Controller or Processor. Processing is carried out by the means of information technology or manually in case of PD in paper form while observing all of the security policies for personal data management and processing. To this end, the Controller has taken the technical and organizational measures to assure PD protection, in particular against unauthorized or inadvertent access to PD, their alteration, destruction or loss of, unauthorized use or transfer of PD, or any other PD misuse. All subjects to which the PD might be made available do respect the PD Owner’s rights for privacy protection and are under obligation to follow the effective legislation on PD protection.

X. Personal data processing period

According to processing periods resulting from the relevant contracts, from the Controller’s filing and discarding rules or from the relevant legislation, the period of personal data processing is limited to such that is strictly necessary to meet the rights and obligations requirements based on contractual obligations, legitimate interests of the Processor and the relevant legislation.

XI. Instructions

The Controller processes data with the PD Owner’s consent, with the exception of the cases specified by law where the processing of personal data does not require PD Owner’s consent.

In accordance with article 6 paragraph 1 of GDPR, the Controller is allowed to process the data without explicit consent from the PD Owner if:

• Personal data processing is required to fulfill contractual obligations where the PD Owner represents one of the contracting parties, or to carry out pre-contractual measures taken at the request of said PD Owner.
• Personal data processing is necessary for compliance with a legal obligation subject to the Controller
• Personal data processing is necessary to protect PD Owner’s or other natural person’s vital interests.
• Personal data processing is necessary to carry out a public interest task or to exercise a public authority vested in the Controller
• Personal data processing is necessary for the purposes of relevant Controller’s legitimate interests or interests of a third party, where PD Owner’s interests or fundamental rights requiring personal data protection take precedence over such relevant interests.
• In other cases, PD Owner’s consent granted under the terms of GDPR is required for personal data processing.

XII. Personal data subject rights

• In accordance with article 12 of GDPR, following a request from the PD Owner, the Controller shall inform the personal data subject on the rights to access the personal data and the following information:
• • Purposes of PD processing
  • Relevant personal data category
  • Recipients or recipient categories to whom the PD have been made available
  • Planned time for which the personal data will be stored,
  • All available information on the source of the personal data
  • whether automatic decision making, including PD profiling, is being carried out
• Any PD Owner identifying the Controller or Processor to carry out personal data processing in conflict with the protection of PD Owner’s personal and private life or in conflict with the law, in particular when said personal data is inaccurate in regard to the purpose of its processing, or suspects the Controller or Processor of such processing, may:
• Request an explanation from the Controller either in person or using the gdpr@autoid.cz e-mail address
• Require the Controller to remedy such situation. In particular, actions including blocking, correction, filling in or deletion (removal) of personal data may be requested.
• In case the PD Owner’s request is considered justified in accordance with paragraph 1 of this chapter, the Controller is required to resolve the offending condition without delays.
• Should the Controller fail to comply with personal data subject’s requests in accordance with paragraph 1, the PD Owner has the right to advance his complaint to the supervising authority directly, i.e. the Office for personal data protection (ÚOOÚ)
• Following the procedures referred to in paragraph 1 does not exclude the possibility of PD Owner reaching out to the supervising authority directly.
• The Controller has the right to demand adequate compensation for providing the information not exceeding the costs necessary for providing such information.