(hereinafter only as the „Controller“)
hereby informs the Data Subjects regarding the principles of processing personal data and certain rights of Data Subjects arising from valid legislation. We ask Data Subjects to carefully review these principles of processing personal data, as they establish the basis according to which we will be processing personal data obtained from you as the Data Subject or data which you provide. These principles present a summary overview of the most important processes applied by the Controller to protect personal data. Should you have any questions regarding the processing and protection of your personal data, contact the Controller, using the above contacts.
Business company ASP GROUP s.r.o., ID number 26320509, with headquarters in Letkov, Staroplzenecka 290, ZIP 326 00, Czech Republic, registered in the Commercial Register maintained by the Regional Court in Pilsen, section C, entry 13271, is the Controller of personal data in the sense of the provisions of Article 4, paragraph 7 of regulation (EU) 2016/679, issued by the European Parliament and Council of the European Union (hereinafter only as „GDPR“).
The Controller of personal data is obliged to protect and respect the rights of Data Subjects to privacy, as the Controller views protection of privacy and personal data as their priority obligation. The Controller declares that they handle personal data solely in accordance with valid legislation.
These principles present a generally applicable document to which the Controller undertakes to adhere in regard to protecting and processing personal data of physical persons such as the Data Subject, as obtained by the Controller in relation to a contract negotiation, the possible conclusion of a contract or in relation to any free consent of the Data Subject to processing of their personal data.
Principles of Processing Personal Data
According to article 5 of GDPR, the Controller is responsible for maintaining the following principles when processing personal data:
- legality – the obligation to establish a legal title for each instance of processing personal data,
- precision and transparency – the obligation of the Controller to ensure the maximum possible informing of the Data Subject regarding their personal data, particularly including transparent communication with the Data Subject and openness toward the Data Subject regarding their personal data. The obligation of the Controller to use the means of simple language and the obligation to provide clear, understandable and accurate information in communication with the Data Subject regarding their personal data,
- purpose limitation – the Controller is obliged to process personal data only for specific, clearly stated and legitimate purposes,
- data minimization – the Controller is obliged to process only that personal data necessary to fulfill the purpose of processing and only within a necessary extent,
- accuracy – the obligation to only process current and accurate personal data and immediately delete or correct inaccurate data,
- storage limitation – the obligation to store personal data only for a period of time necessary for the purpose of their processing,
- integrity and confidentiality – the obligation to process data in a manner maintaining their security and preventing their unlawful or unauthorized processing, damage, destruction or loss,
and is able to prove the maintenance of these principles.
Rights of Data Subjects Regarding the Protection of Personal Data
The Data Subject is entitled at any time to contact the Controller to receive information regarding the processing status of their personal data.
The Data Subject is entitled at any time to contact the Controller to exercise the following rights:
- right of access to personal data and the right to request confirmation by the Controller, regarding whether their personal data is being processed and the right to obtain a copy of that processed personal data,
- the right of correction, in case the Data Subject believes that their personal data, as maintained by the Controller, is inaccurate and the right to add information to incomplete personal data,
- the right of deletion (“right to be forgotten”) of personal data without undue delay, should it no longer be needed for the purpose for which it was collected and processed, should the Data Subject recall their consent for the processing of personal data and no other legal reason exists for that processing, or should the personal data be illegally processed,
- the right to limit processing in case the Data Subject denies the accuracy of the personal data, and this for the period necessary for the Controller to verify the accuracy of the personal data, in case that processing is illegal and the Data Subject rejects the deletion of such data, in which case the Controller no longer needs the personal data for the purpose of processing, but the subject requires them for identification, execution or defense of legal rights (for example in relation to defending their rights in court), or the Data Subject raises a complaint against the processing, while it is not apparent whether the rightful interest of the Controller outweighs the rightful interests of the Data Subject,
- the right to transfer personal data should the Data Subject make a request from the Controller to obtain the data regarding and provided by the Data Subject, in a structured, commonly used and machine-readable format,
- the right to object against the processing of personal data, including profiling, that the Controller is processing due to a rightful interest. Should the Data Subject object to the processing of personal data for the purposes of direct marketing, that personal data will no longer be processed for this purpose,
- the right to recall consent in case the Data Subject provided consent to personal data processing for purposes that require such consent. The Data Subject has the right to recall such consent at any time. The Controller points out that, in case of recall of a consent, the data processed prior to recall was processed legally,
- the right to file a complaint with a supervisory office, in this case the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), with headquarters at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, should the Data Subject feel that the rules of personal data protection were somehow breached during processing.
Upon a request, filed according to Articles 15 through 22 of GDPR, without undue delay the Controller shall provide the Data Subject with information regarding measures taken, in any case within one month from receiving the request. This period may be extended by two additional months with respect to the complexity and number of requests. The Controller shall inform the Data Subject regarding any such extension within a month of receiving the request, along with reasons for the extension. In case the Data Subject submits their request in an electronic form, the information shall also be delivered in electronic form, if possible, unless the Data Subject requests otherwise.
Processing of Personal Data
The Controller declares that, when processing the personal data of Data Subjects, they shall only process such data as necessary to fulfill the purpose of the contract along with the protection of the rightful interests and claims of the Controller.
The Controller points out that, aside from processing personal data on the basis of the free consent of the Data Subject, the Controller is also entitled to process personal data without the consent of the Data Subject in cases stipulated by law (for example, in order to fulfill duties arising from concluded contracts; to meet requirements posed by specific legal regulations; to ensure the protection of rights and interests protected by law; to complete a task performed in the public interest; also in a necessary extent due to the Controller’s rightful interests to prevent fraud, or prevent damage to computers and electronic-communication systems).
The Controller collects and processes data on the basis of the free consent of the Data Subject, or, within a necessary extent, such data obtained by the Controller in relation to contract negotiations and with the possible conclusion of a contract or on the basis of another legal title.
The Controller processes personal data in an extent necessary for the purpose of a given contractual relationship or another legal title, as well as in an extent agreed upon with the Data Subject, particularly for the purposes of evaluating customer satisfaction, improving services, sending offers of products and services, as well as sending business announcements and newsletters.
Personal data is collected, stored and used for a necessary period of time; however at minimum for the duration of the contractual relation or another legal title; for a period during which claims arising from a contract toward the respective public administration body may apply; for a period necessary for the protection of the rights and claims of the Controller; or for a period stipulated to the Controller by legal regulation; or until recall of the consent, should the data be provided on the basis of the Data Subject’s consent and the obligation to process personal data is not stipulated to the Controller by a legal regulation. Data is particularly processed in regard to business transactions and for the purpose of customer care, information concerning news, products and services, sending business announcements and receiving opinions from the Data Subjects; and all this to improve customer care, as well as to meet the legal or contractual obligations of the Controller.
The Controller does not share personal data with third parties with such exceptions as established within these Principles. The Controller is entitled to share personal data of the Data Subjects with third parties for the purpose of information concerning products and services only after receiving the Data Subject’s consent or should it be required or permitted by law. The Controller is entitled to share personal data of the Data Subject with third parties for the purpose of preventing criminal acts or to decrease possible risks, should it be required by law, or should the Controller consider it suitable in order to protect its rightful interests, rights or property of their own or third parties.
The Controller collects, stores and securely processes personal data in such a way as to maintain their confidentiality and prevent the access of unauthorized parties to the data. The Controller processes and stores personal data in document form in a locked room, only accessed by authorized employees of the Controller who are obliged by confidentiality. Personal data in electronic form is processed, stored and protected by passwords and firewalls. In case the processing of personal data is based on the Data Subject’s consent or rightful interests and purposes of the Controller, personal data may be shared with external collaborators and suppliers, particularly should that be an external law firm, external accounting company or an external IT support. Entities collaborating with the Controller are carefully selected on the basis of guarantees ensuring technical and organizational protection of shared personal data.
Personal data is archived according to regulatory terms. The Controller establishes strict internal rules that verify the legality of keeping personal data, ensuring that personal data is not held by the Controller longer than entitled. The Controller is obliged to delete the respective personal data upon the expiration of the legal reason for retaining them.
These Principles are effective as of May 25, 2018 and are issued for an indeterminate period.
The Controller is entitled to make changes to these Principles at any time, without the consent of the Data Subject. A current version of these Principles is always available for viewing during operational hours at the headquarters of the Controller.