Personal data processing statement in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on instructions for data subjects (hereinafter referred to as "GDPR").
I. Personal data controller
Personal data controller:
Name (company): RAVAK a.s.
Registered office: Obecnická 285, Příbram I, 261 01 Příbram
Represented by: Ing. Josef Stibor, Managing Director
Company Identification No.: 25612492
Tax Identification No.: CZ25612492
(hereinafter referred to as the “Controller”)
herewith informs the data subjects of processing of their personal data and of their rights, in compliance with Article 12 of GDPR.
II. Scope of personal data processing
Personal data is processed within the scope in which a relevant data subject provided it to the Controller in connection with the conclusion of a contractual or another legal relationship with the Controller, or which the Controller collected otherwise and processes in compliance with the valid legal regulations, or to meet the Controller´s statutory obligations.
III. Personal data sources
directly from data subjects (e.g. registrations, e-mails, phone, chat, websites, contact web form, social networks, business cards, contracts, consents, video record made by means of the Controller´s technical equipment, etc.)
from public records - for the purpose of this document, public records mean:
• public register pursuant to the Act No. 304/2013 Coll., on the Public Registers of Legal and Natural Persons, as amended, i.e. Register of Associations, Register of Foundations, Register of Institutes, Register of Associations of Unit Owners, Commercial Register, and Register of Publicly Beneficial Associations;
• other registers in the meaning of the Act No. 111/2009 Coll., on Basic Registers, as amended
IV. Categories of personal data being subject to processing by the Controller
Identification data, contact data, descriptive data, transaction data, product technical data.
V. Categories of data subjects
A data subject is a natural person whom the personal data refers to, in particular:
Applicant for a job with the Controller
Controller´s contractual partner (natural person - undertaking, non-undertaking)
Entity in a pre-contractual relationship with the Controller (client before order acceptance, demanding entity, etc.)
Party to proceedings
Subsidiary party to proceedings
Affected person, involved applicant
Inquirer
Payer
Beneficiary
Entitled party
Obliged party
Aggrieved party
VI. Categories of personal data processors and recipients
Public administration bodies
Local self-government bodies
External entity providing services to the Controller in various fields (occupational health and safety, accounting, training, education)
VII. Purpose and reasons of personal data processing
Personal data is processed at the Controller:
based on the granted consent of a data subject
when performing a contract with a data subject
when implementing measures adopted before the conclusion of a contract upon a request of a data subject
due to fulfilment of a statutory obligation relating to the Controller (including archiving based on law)
due to protection of vital interests of a data subject or another natural person
due to fulfilment of a task performed in the public interest or when exercising official authority which the Controller is entrusted with
due to a legitimate interest of the Controller or of a third party (including archiving based on the Controller´s legitimate interest)
Reasons to process special categories of personal data
Data subject´s express consent, meeting of obligations in the field of labour law, social security and social protection law, protection of vital interests of a data subject or another natural person in case that a data subject is not physically or legally competent to grant a consent to processing of personal data published obviously by a data subject, determination, exercise or defence of legal claims or within judicial proceedings, important public interest, archiving in the public interest, for purpose of scientific or historical research or for statistical purposes.
VIII. Method of personal data processing and protecting
Personal data is processed by the Controller. Processing is carried out at the Controller´s premises and registered office by the Controller´s individual authorized employees, or possibly by a processor. Processing is carried out by means of computer technology, or possibly manually in the case of personal data in paper form, while observing all the security principles for the administration and processing of personal data. For that purpose, the Controller has adopted technical and organizational measures to ensure personal data protection, in particular measures preventing unauthorized or accidental access to personal data, its modification, destruction or loss, unauthorized transfers, unauthorized processing, as well as other misuse of personal data. All the subjects to whom the personal data may be made accessible respect the data subjects´ right to privacy and are obliged to act in compliance with the valid legal regulations concerning personal data protection.
IX. Personal data processing period
In compliance with the periods specified in relevant contracts, in the Controller´s internal regulations or in relevant legal regulations, it is a period necessary to ensure the rights and obligations arising from contracts, legitimate interests as well as from relevant legal regulations.
X. Rights of data subjects
1. In compliance with Article 12 of GDPR the Controller informs a data subject of a right to access to personal data and to the following information:
- purpose of processing,
- category of affected personal data,
- recipient or category of recipients whom the personal data has been or will be made available to,
- planned period for which the personal data will be stored,
- any available information concerning the personal data source, unless obtained from a data subject,
- the fact whether there is automated decision-making, including profiling.
2. Every data subject, who finds out or assumes the Controller or the processor processes his/her personal data in conflict with the protection of private and personal life of a data subject or in conflict with the law, especially if the personal data is inaccurate with respect to the purpose of its processing, may:
- ask the Controller for explanation.
- ask the Controller to eliminate such incurred situation. In particular, it may concern blockage, rectification, completion or erasure of personal data.
If the data subject´s request is considered to be legitimate, the Controller will eliminate immediately the defective situation.
If the Controller does not satisfy the data subject´s request, the data subject is entitled to apply directly to a supervisory body which is The Office for Personal Data Protection.
A data subject is entitled to apply with his/her suggestion to a supervisory body directly without taking any previous steps.
3. The Controller provides data subjects with the information and statements in a brief, transparent, clear and easily accessible manner by using clear and simple language means. The Controller may provide the information and statements to data subjects in writing, also electronically or verbally, if appropriate, in case the identity of a relevant data subject is verified by the Controller.
4. The Controller is obliged to react to the data subject´s request for information without undue delay, at the latest within 1 month after receiving such a request. In reasonable cases the Controller may extend this period, however, the maximum is 2 months. The Controller informs a data subject of the period extension also within 1 month after receiving the data subject´s request and notifies a data subject of the reasons for such extension. In case a data subject files a request for information and statements electronically, the Controller provides it electronically, unless a data subject asks for a different manner of providing the information and statements, e.g. in writing.
5. If a data subject asks the Controller for adoption of certain measures (rectification of his/her personal data, its erasure, etc.) and the Controller does not adopt such measure, the Controller informs a data subject of this fact immediately, at the latest within 1 month after the request for adoption of a relevant measure, including the reasons for not adopting such measures and information concerning the possibility of a data subject to lodge a complaint at The Office for Personal Data Protection, or possibly to apply to a court.
6. The Controller provides the information and statements to a data subject free of charge. In case a data subject files requests repeatedly or if such requests are unjustified or unreasonable, the Controller may refuse the data subject´s request or impose a reasonable charge covering the administrative costs related to the provision of information and statements or related to the implementation of required measures. The Controller shall be able to document groundlessness or inadequacy of the data subject´s request.
7. In case the Controller obtains the personal data directly from a data subject, the Controller shall provide a data subject with the following information upon obtaining of such personal data:
a) identification and contact data of the Controller and of the Controller´s possible representative;
b) purposes of processing, for which the personal data is determined, and legal basis of processing;
c) legitimate interests of the Controller or of a third party in case processing is necessary for legitimate interests of the Controller or of a third party;
d) possible recipients or categories of recipients of personal data;
e) Controller´s possible intention to transfer the personal data to a third country or to an international organization and existence or non-existence of a decision of the European Commission that such third party or international organization provides adequate personal data protection, reference to appropriate guarantees and means to obtain a copy of such data or information where the data has been made available.
8. If it is necessary for ensuring of fair and transparent processing, the Controller shall provide a data subject with further information, especially processing period, eventually criteria for its determination, information concerning the data subject´s right to rectification, erasure, etc. of personal data.
9. In case the Controller does not obtain the personal data directly from a data subject, the Controller shall notify a data subject of the information specified in paragraph 7 a), b), d) and e), eventually further information pursuant to paragraph 8, upon obtaining of such personal data.
10. The Controller informs a data subject of any change of the purpose of personal data processing, whenever it is made.
11. The Controller is obliged to provide, upon request, a data subject with a confirmation whether the Controller processes personal data about a data subject. If so, the Controller is obliged to ensure access to such data and to the following information for a data subject:
a) purposes of processing;
b) category of affected personal data;
c) recipients or category of recipients whom the personal data has been or will be made available to, especially recipients in third countries or in international organizations;
d) planned period for which the personal data will be stored; if it may not be determined, then criteria to determine such period;
e) existence of a right to ask the Controller for rectification or erasure of personal data about a data subject or for limitation of its processing, or to raise an objection against such processing;
f) right to file a complaint at The Office for Personal Data Protection;
g) any available information concerning a personal data source unless the data is obtained from a data subject.
12. The Controller is obliged to provide a data subject with a copy of personal data processed, in accordance with the obligations stipulated in paragraph 11. The Controller may require a reasonable administrative fee for the provision of a copy according to the previous sentence.
13. The Controller is obliged to correct inaccurate personal data about a data subject without undue delay, complete incomplete personal data, even by providing an additional statement.
14. The Controller is obliged to erase personal data about a data subject without undue delay if one of the following reasons is met:
a) personal data is no longer necessary for purposes it has been collected or otherwise processed for;
b) data subject revokes his/her consent if the personal data has been processed based on such a consent and there is no other legal reason for processing;
c) data subject raises objections against processing and there are no prevailing legitimate reasons for processing;
d) personal data has been processed unlawfully;
e) personal data must be erased to meet a statutory obligation stipulated by the European Union law or by the legal system of the Czech Republic.
15. In case the Controller published the data subject´s personal data and is obliged to erase it, the Controller must take (with respect to available technology and costs) adequate steps to inform other personal data controllers who process such personal data that a data subject requires all the references to such personal data, its copies as well as replications, to be deleted.
16. The Controller is not obliged to meet the obligations pursuant to paragraphs 14 and 15 if personal data processing is necessary for the Controller, e.g. to meet a statutory obligation requiring personal data processing by the European Union law or by the legal system of the Czech Republic, relating to the Controller, or to determine, exercise or defend its legal claims, etc.
17. The Controller is obliged to limit processing of the data subject´s personal data if:
a) data subject denies personal data accuracy, for a period necessary for the Controller to verify personal data accuracy;
b) processing is illegal and data subject refuses personal data erasure and requires limitation of its usage instead of that;
c) the Controller does not need the personal data for purposes of processing any more but a data subject requires it to determine, exercise or defend legal claims;
d) a data subject raised an objection against processing pursuant to paragraph 19 of this Article of the Directive, until it is verified whether the Controller´s legitimate reasons for processing prevail over the data subject´s legitimate reasons.
18. In case the Controller limited personal data processing according to the previous paragraph, such personal data may be processed only with the data subject´s consent or to determine, exercise or defend the legal claims, to protect the rights of another natural or legal person, or due to an important public interest of the European Union or some of the EU Member States.
19. The Controller informs a data subject of the cancellation of personal data processing limitation pursuant to paragraph 17 in advance.
20. The Controller is obliged to notify the individual recipients of the information concerning any corrections or erasures of personal data, limitations of its processing, except for cases it shows to be impossible or requiring unreasonable efforts. The Controller informs a data subject also of such recipients if a data subject requires it.
21. In case a data subject raises an objection against personal data processing by the Owners Association, being processed by the Controller for purpose of legitimate interests of the Controller or a third party, the Controller will not continue processing such data based on that objection, unless the Controller proves legitimate reasons for processing which prevail over the interests or rights and freedoms of a data subject, or to determine, exercise or defend the legal claims. The Controller must inform a data subject of that right latest within the first communication with a data subject.
XI. Verification of data subject´s identity
1. In case the Controller receives a filing of a natural person - data subject, based on which a data subject, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”),
a) applies a right to access to his/her personal data,
b) asks for settlement of a request for confirmation whether the Controller processes personal data about an applicant in the meaning of GDPR,
c) asks for the provision of copies of personal data processed, free of charge,
d) asks for information which categories of personal data are processed,
e) asks for information for what purpose the personal data is processed,
f) asks for information what the planned period for which the personal data will be stored is; if it may not be determined, then what the criteria used to determine such period are;
g) asks for information whether (and under what circumstances) the Controller may be required to rectify or erase the personal data, limit its processing, eventually whether and how a data subject may file an objection against processing of his/her personal data,
h) asks for information whether (and how) a data subject may file a complaint with a supervisory body and who is that supervisory body,
i) asks for providing of all the available information concerning a source of personal data about a data subject, unless it has been obtained directly from a data subject,
j) asks for information whether there is also automated decision-making with respect to processing of the data subject´s personal data, including profiling specified in Article 22 (1) and (4) of GDPR, and at least in such case asks also for the provision of meaningful information concerning the procedure applied as well as meaning and assumed consequences of such processing for him/her,
l) asks for information who the recipients of the data subject´s personal data are, eventually asks for categories, whom the personal data has been or will be made available to, asks for information who the recipients from third countries and international organizations are, whom the data subject´s personal data has been or will be available to, and/or
m) asks for information concerning the guarantees pursuant to Article 46 of GDPR in case the personal data is transferred to a third country or to an international organization,
the Controller is always obliged to sufficiently verify the applicant´s identity before processing the above-mentioned requests. If the Controller has doubts about the applicant´s identity, the Controller is entitled to ask the applicant for additional information necessary to confirm his/her identity (Article 12 (6) of GDPR).
2. In case of any doubts about the applicant´s identity, the Controller is entitled to require from that person:
a) sending of a request with the applicant´s verified signature in case the applicant filed a request in a paper form,
b) sending of a request with electronic signature, i.e. with electronic data attached to or connected logically with a data message and being used as a method for unambiguous verification of the identity of a signed person in relation to a data message,
c) sending a request via a data box if available to an applicant.
3. The Controller is not entitled to require any further information to verify the applicant´s identity, in particular if:
a) the Controller processes within a decisive period (i.e. time when a relevant request is filed) email contact data as the applicant´s personal data, from which a relevant request has been sent,
b) the Controller processes within a decisive period the applicant´s phone number, calls such phone number to verify the applicant´s identity and based on an agreement with the applicant sends the required information or other facts concerning the personal data processing electronically to the email address specified by the applicant or in writing to the address specified by the applicant,
c) the Controller is given a possibility to verify the applicant´s identity in another manner (e.g. by means of public registers, existing communication),
d) an applicant files a request personally in presence of a relevant employee of the Controller or another authorized person of the Controller.
XII. Final provisions
The Statement is publicly available on the Controller´s websites: www.ravak.com
This Statement was last updated on 24 May 2018.