GDPR

STATEMENT ON THE PROCESSING OF PERSONAL DATA

Statement on the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”)

I. Data Controller

Data controller:

I.L.T.S. Praha, s.r.o.
ID No.: 273 94 701
with its registered office at: Washingtonova 5, 110 00 Prague 1
registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 109749

(hereinafter referred to as the “controller”)

hereby informs data subjects, in accordance with Article 12 of the GDPR, about the processing of their personal data and their rights.

II. Scope of Personal Data Processing

Personal data is processed to the extent that the relevant data subject has provided it to the controller in connection with the conclusion of a contractual or other legal relationship with the controller, or to the extent that the controller has collected it otherwise and processes it in accordance with applicable laws or to fulfill the controller’s legal obligations.

III. Sources of Personal Data

  • directly from data subjects (e.g., registration, emails, phone, chat, websites, online contact forms, social media, business cards, contracts, consents, video recordings captured via the controller’s technical equipment, etc.)
  • from public records – for the purposes of this document, “public records” means:
    • the public register pursuant to Act No. 304/2013 Coll., on Public Registers of Legal and Natural Persons, as amended, i.e., the Association Register, the Foundation Register, the Institution Register, the Register of Unit Owners’ Associations, the Commercial Register, and the Register of Public Benefit Corporations;
    • other registers within the meaning of Act No. 111/2009 Coll., on Basic Registers, as amended

IV. Categories of personal data processed by the controller

These include the following types of personal data:

  • name
  • address
  • permanent residence
  • mailing address
  • contact information (email address, phone number)
  • bank account number
  • date of birth
  • social security number
  • health insurance provider
  • health impairment

V. Categories of Data Subjects

A data subject is a natural person to whom the personal data relates, specifically:

  • an employee of the controller
  • a job applicant with the controller
  • a contractual partner of the controller (natural person—self-employed or not)
  • a party in a pre-contractual relationship with the controller (client prior to order acceptance, inquirer, etc.)
  • party to proceedings
  • intervenor
  • affected person, participant
  • applicant
  • inquirer
  • payer
  • recipient
  • beneficiary
  • obligor
  • injured party

VI. Categories of processors and recipients of personal data

  • state administration bodies
  • local government bodies
  • public institutions
  • banking institutions
  • insurance companies
  • external entities providing services to the controller in various areas (occupational health and safety, accounting, training, education, legal services, advertising, and marketing)

VII. Purpose and legal basis for the processing of personal data

The controller processes personal data

  • in the performance of a contract with the data subject
  • in the context of pre-contractual measures taken at the data subject’s request
  • to comply with a legal obligation to which the controller is subject
  • on the grounds of the legitimate interests of the controller or a third party

Legal basis for the processing of special categories of personal data

  • the data subject’s explicit consent,
  • compliance with obligations under labor law, social security law, and social protection law,
  • protection of the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent,
  • personal data manifestly made public by the data subject
  • the establishment, exercise, or defense of legal claims.

VIII. Method of Processing and Protection of Personal Data

The processing of personal data is carried out by the controller. Processing takes place at the controller’s business premises and registered office by individual authorized employees of the controller or, where applicable, by a processor. Processing is carried out using computer technology or manually for personal data in paper form, in compliance with all security principles for the management and processing of personal data. To this end, the controller has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, its alteration, destruction, or loss, unauthorized transfers, unauthorized processing, as well as any other misuse of personal data. All entities to whom personal data may be disclosed respect the data subjects’ right to privacy and are required to comply with applicable laws regarding the protection of personal data.

IX. Duration of Personal Data Processing

In accordance with the time limits specified in the relevant contracts, the controller’s internal regulations, or applicable laws, this refers to the period strictly necessary to ensure the rights and obligations arising from contracts, legitimate interests, and applicable laws.

X. Information

The controller processes data with the data subject’s consent, except in cases provided for by law where the processing of personal data does not require the data subject’s consent. In accordance with Article 6(1) of the GDPR, the controller may process the following data without the data subject’s consent: the data subject has given consent for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken prior to entering into a contract at the request of the data subject; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary to protect the vital interests of the data subject or another natural person; processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

XI. Rights of Data Subjects

  1. In accordance with Article 12 of the GDPR, the controller informs the data subject of the right of access to personal data and to the following information:
    • the purpose of the processing
    • the categories of personal data concerned
    • the recipients or categories of recipients to whom the personal data have been or will be disclosed
    • the envisaged period for which the personal data will be stored
    • any available information regarding the source of the personal data
    • where the personal data are not collected from the data subject, whether automated decision-making, including profiling, takes place.
  2. Any data subject who discovers or believes that the controller or processor is processing their personal data in a manner that violates the protection of the data subject’s private and personal life or is contrary to the law, particularly if the personal data is inaccurate with respect to the purpose of its processing, may:
    • Request an explanation from the controller.
    • Request that the controller remedy the situation. In particular, this may involve blocking, correcting, supplementing, or deleting personal data.
    • If the data subject’s request is found to be justified, the controller shall immediately remedy the situation.
    • If the controller does not comply with the data subject’s request, the data subject has the right to contact the supervisory authority directly, which is the Office for Personal Data Protection.
    • The data subject has the right to submit a complaint to the supervisory authority directly without taking any prior steps.
  3. The controller shall provide information and communications to data subjects in a concise, transparent, intelligible, and easily accessible manner, using clear and plain language. The controller may provide such information and communications to data subjects in writing, or, where appropriate, electronically or orally, provided that the controller verifies the identity of the data subject concerned.
  4. The controller is required to respond to data subjects’ requests for information without undue delay, but no later than 1 month after receiving such a request. In justified cases, the controller may extend this period, but by no more than 2 months. The controller shall inform the data subject of the extension of the deadline, also within 1 month of receiving the data subject’s request, and shall communicate the reasons for this extension to the data subject. If the data subject submits a request for information and communication electronically, the controller shall provide it electronically, unless the data subject requests another method of providing the information and communication, e.g., in writing.
  5. If the data subject requests the controller to take certain measures (correction of their personal data, erasure, etc.) and the controller does not take such measures, the controller shall inform the data subject thereof without delay, no later than 1 month from the request to take the relevant measure, including the reasons for not taking these measures and information regarding the data subject’s right to file a complaint with the Office for Personal Data Protection or, if necessary, to bring the matter before a court.
  6. The controller shall provide information and communications to the data subject free of charge. If the data subject makes repeated requests, or if such requests are unfounded or excessive, the controller may refuse the data subject’s request or charge a reasonable fee to cover the administrative costs associated with providing the information and communications or with carrying out the requested actions. The controller must be able to demonstrate the groundlessness or unreasonableness of the data subject’s request.
  7. If the controller obtains personal data directly from the data subject, it shall provide the data subject with the following information at the time of collection:
    1. the identification and contact details of the controller and, where applicable, the controller’s representative;
    2. the purposes of the processing for which the personal data are intended and the legal basis for the processing;
    3. the legitimate interests of the controller or a third party, where the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party;
    4. any recipients or categories of recipients of the personal data;
    5. any intention by the controller to transfer personal data to a third country or an international organization, and the existence or absence of a decision by the European Commission that such third country or international organization provides adequate protection for personal data, as well as a reference to appropriate safeguards and the means to obtain a copy of such data or information on where such data has been made available.
  8. If necessary to ensure fair and transparent processing, the controller shall also provide the data subject with additional information, in particular the duration of the processing of personal data or, where applicable, the criteria for determining it, as well as information regarding the data subject’s right to rectification of personal data, erasure, etc.
  9. If the controller does not obtain personal data directly from the data subject, the controller shall provide the data subject with the information specified in paragraph 7(a), (b), (d), and (e), as well as any additional information pursuant to paragraph 8, upon obtaining such data.
  10. The controller shall inform the data subject of any change in the purpose of processing personal data whenever such a change occurs.
  11. The controller is required, upon request, to provide the data subject with confirmation as to whether the controller is processing personal data concerning him or her, and if so, to ensure the data subject has access to such data and to the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
    • the planned period for which the personal data will be stored, or, if this cannot be determined, the criteria used to determine that period;
    • the existence of the right to request from the controller the rectification or erasure of personal data concerning the data subject or the restriction of their processing, or to object to such processing;
    • the right to lodge a complaint with the Office for Personal Data Protection;
  12. In accordance with the obligations set forth in paragraph 11, the controller is required to provide the data subject with a copy of the personal data being processed. The controller may charge a reasonable administrative fee for providing copies as described in the preceding sentence.
  13. The controller is obligated to rectify inaccurate personal data concerning the data subject without undue delay, and to complete incomplete personal data, including by providing a supplementary statement.
  14. The controller is obligated to erase personal data relating to the data subject, provided that one of the following conditions is met:
    • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
    • the data subject withdraws consent, if the personal data was processed on the basis of such consent, and there is no other legal basis for the processing;
    • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
    • the personal data has been processed unlawfully;
  15. If the controller has made the data subject’s personal data public and is required to erase it, the controller must take reasonable steps (taking into account available technology and costs) to inform other controllers processing such personal data that the data subject has requested the erasure of all links to, copies of, and replicas of such personal data.
  16. The controller is not required to fulfill the obligations under paragraphs 14 and 15 if the processing of personal data is necessary for the controller, e.g., to comply with a legal obligation requiring the processing of personal data under European Union law or the legal system of the Czech Republic applicable to the controller, or to establish, exercise, or defend its legal claims, etc.
  17. The controller is obligated to restrict the processing of the data subject’s personal data if:
    • the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests, instead, the restriction of their use;
    • the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims;
    • the data subject has objected to the processing, until it is determined whether the controller’s legitimate grounds for processing override the data subject’s legitimate grounds.
  18. If the controller has restricted the processing of personal data in accordance with the preceding paragraph, such personal data may be processed only with the consent of the data subject, or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of substantial public interest of the European Union or of a Member State of the European Union.
  19. The controller shall inform the data subject in advance of the lifting of the restriction on the processing of personal data pursuant to paragraph 17.
  20. The controller is required to notify individual recipients of any rectification or erasure of personal data, or of the restriction of processing of personal data, except where this proves impossible or involves disproportionate effort. The controller shall also inform the data subject of these recipients if the data subject so requests.
If the controller receives a request from a natural person—the data subject—who, in accordance with the GDPR,
  • exercises the right of access to their personal data,
  • requests confirmation as to whether the controller processes personal data concerning the applicant within the meaning of the GDPR,
  • requests the provision of copies of the processed personal data free of charge,
  • requests information on which categories of personal data are being processed,
  • requests information on the purpose for which the personal data are being processed,
  • requests information on the planned period for which the personal data will be stored, or, if this cannot be determined, the criteria used to determine this period,
  • requests information on whether (and under what conditions) the data subject may request the controller to rectify or erase personal data, restrict their processing, or, where applicable, whether and how the data subject may object to the processing of their personal data,
  • requests information on whether (and how) the data subject may lodge a complaint with a supervisory authority and which authority is responsible,
  • requests all available information regarding the source of the personal data concerning the data subject, if such data was not collected directly from the data subject,
  • requests information on whether, in connection with the processing of the data subject’s personal data, automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, also takes place, and, at least in such cases, further requests meaningful information regarding the procedure used, as well as the significance and anticipated consequences of such processing for the data subject,
  • requests information regarding the recipients of this data subject’s personal data, or, where applicable, requests a list of the categories of recipients to whom his or her personal data has been or will be disclosed,
  • requests information regarding recipients in third countries and international organizations that have had or will have access to the data subject’s personal data,
  • requests information regarding the safeguards under Article 46 of the GDPR in the event that personal data is transferred to a third country or an international organization,

the controller is obligated to sufficiently verify the identity of the applicant before processing the above-mentioned requests. If the controller has doubts about the applicant’s identity, it has the right to request from the applicant additional information necessary to confirm their identity (Article 12(6) of the GDPR).

If there is any doubt regarding the applicant’s identity, the controller is authorized to request the following from the applicant:

  1. submission of the request with the applicant’s verified signature, if the applicant submitted the request in paper form,
  2. submission of the request with an electronic signature, i.e., with data in electronic form that is attached to the data message or logically associated with it, and which serves as a method for unambiguously verifying the identity of the signatory in relation to the data message,
  3. submission of the request via a data box, if the applicant has one set up.

The controller is not authorized to request additional information to verify the applicant’s identity, particularly in cases where:
  1. at the relevant time (i.e., the time of submission of the relevant request), the controller processes, as the applicant’s personal data, the email address from which the relevant request was sent,
  2. the controller is processing the applicant’s phone number at the relevant time; in such cases, the controller will call that phone number to verify the applicant’s identity and, as agreed with the applicant, will then send the requested information or provide further details regarding the processing of personal data electronically to the email address provided by the applicant or in writing to the address provided by the applicant,
  3. the controller has the option to verify the applicant’s identity by other means (e.g., through public registers, prior correspondence)
  4. the applicant submitted the request in person to the relevant controller’s employee or another person authorized by the controller.

 

XII. Final Provisions

For any questions regarding the processing of data subjects’ personal data, please contact the company’s designated representative via email at: ilts@ilts.cz

This Statement is publicly available on the controller’s website: www.ilts.cz.

This Statement was last updated on May 25, 2018.
