PRINCIPLES OF PERSONAL DATA PROTECTION AND PROCESSING

Purpose, objective and scope of activities

Under this document, CHEMINVEST s.r.o. (controller of personal data) undertakes to apply and comply with the principles set out below in relation to data subjects (employees, suppliers/vendors and clients), taking into account Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation").

Description of the principles the company complies with:

Transparency and fairness

We ensure that any information and communication relating to the processing of personal data is easily accessible and easy to understand, and that clear and plain language is used.

Purpose limitation

Personal data shall be collected only for relevant purposes (specified, explicit, legitimate). The personal data are not processed in a manner that is incompatible with those purposes.

In case of purpose changes:

  • we monitor relations between purposes, and circumstances under which the personal data were collected,
  • we monitor nature of the personal data (whether special categories are processed),
  • we monitor and minimize potential consequences of intended further processing for data subjects,
  • we ensure the existence of appropriate safeguards.

Data minimisation

When processing personal data, we adhere to and apply the principles of adequacy, relevance, and limitation to the scope necessary for the purposes for which the personal data are processed. We always assess whether any infringement of the rights of the data subject resulting from the processing is:

  • adequate,
  • relevant and legitimate to what is necessary in relation to the purposes for which they are processed.

If it turns out that processing of specific personal data for a certain purpose becomes superfluous, or such processing does not comply with the GDPR, we shall not process such personal data.

Accuracy

Processed personal data shall be accurate and, where necessary, kept up to date.
We ensure that personal data that are inaccurate are erased or rectified without delay:

  • we take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Integrity and confidentiality

We hereby declare that the method of processing personal data shall ensure appropriate security of the personal data, using appropriate technical or organizational measures, including their protection against:

  • unauthorized or unlawful processing and against
  • accidental loss, destruction or damage („integrity and confidentiality“).

Responsibility of the controller

As the personal data controller, we shall bear the responsibility for:

  • processing of personal data in compliance with GDPR principles and we are able to document such compliance.

Where we (personal data controller) process personal data through a third party (the processor), the processor is:

  • entitled to process personal data only upon instructions coming from us (personal data controller), except for the cases where it is required by the Union or Member State law (e.g. Czech Police or OLAF)

Rights of the data subject (employees, suppliers/vendors, clients)

We (personal data controller) shall adopt such suitable measures so that the data subjects (employees, suppliers/vendors, clients):

  • are provided with all information collected from the data subjects,
  • are provided with all communications/announcements in compliance with the rights of the data subjects:

– in brief, transparent, easily accessible and easy to understand manner,

– using clear and plain language.

The information shall be provided in writing or any other form – e.g. electronic form (where applicable).

Based on the request of the data subject, we, as the data controller, shall provide the data subject with information regarding adopted measures:

  • without undue delay – within one (1) month (the period may be extended by two (2) further months – after notifying the data subjects of the reasons for extension).

Information and any communication or announcement shall be provided free of charge, however, in case requests from a data subject are manifestly unfounded, excessive or repetitive, the data controller may either charge a reasonable fee taking into account the administrative costs or refuse to act on the request (the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request).

Right of access by the data subject

The data subject (employees, suppliers/vendors, clients) shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing and the categories of personal data concerned,
  • the recipients or categories of recipient,
  • the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • where the personal data are not collected from the data subject, any available information as to their source,
  • existence of automated decision-making including profiling.

The data subject (employees, suppliers/vendors, clients) shall have the right to obtain from the controller rectification or erasure of the personal data or other limitations on their processing, and/or to object to such processing.

The data subject (employees, suppliers/vendors, clients) shall have the right to lodge a complaint with the competent supervisory authority.

We (personal data controller) undertake to provide a copy of the personal data of the data subject (employees, suppliers/vendors, clients) undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Unless otherwise requested by the data subject, the information shall be provided in a form corresponding to the form of the request.

Where the personal data are transferred to a third country or international organisation, the data subject shall have the right to be informed of the appropriate safeguards.

Right to personal data rectification

We (personal data controller) are aware that the data subject (employees, suppliers/vendors, clients) shall have the right (without undue delay) to obtain rectification of inaccurate personal data or completion of personal data.

Right to personal data erasure

We (personal data controller) are aware that the data subject (employees, suppliers/vendors, clients) shall have the right (without undue delay) to obtain erasure of personal data and the personal data controller shall be obliged to do so where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected,
  • data subject (employees, suppliers/vendors, clients) withdraws consent on which the processing is based,
  • the data subject objects to the processing,
  • the personal data have been unlawfully processed,
  • compliance with a legal obligation.

Right to restriction of personal data processing

The data subject (employees, suppliers/vendors, clients) shall have the right to obtain from the controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject,
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
  • the data subject has objected to processing, pending verification of whether the legitimate grounds of the controller override those of the data subject.

The personal data shall, with the exception of storage:

  • only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The data subject (employees, suppliers/vendors, clients) who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

Right to data portability

The data subject (employees, suppliers/vendors, clients) shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller:

  • in a structured, commonly used and machine-readable format,
  • have the right to transmit those data to another controller, where:

– the processing is based on consent or on a contract and the processing is carried out by automated means,

the right to have the personal data transmitted directly from one controller to another, where technically feasible,

  • The exercise of the right to data portability shall be without prejudice to the right to be forgotten:

– that right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

The data subject (employees, suppliers/vendors, clients) shall have the right to object on grounds relating to his or her particular situation (and in case of direct marketing at any time) to processing of personal data concerning him or her unless the controller demonstrates compelling legitimate grounds for the processing:

  • in legitimate interest,
  • in the public interest,
  • in the exercise of official authority.

Right to lodge a complaint with a supervisory authority

Every data subject shall have the right to lodge a complaint with the competent supervisory authority in the European Union if the data subject considers that the processing of personal data relating to him or her infringes the Act no. 101/2000 Coll., on the Protection of Personal Data and/or the General Data Protection Regulation. The supervisory authority of the Czech Republic is the Office for personal data protection, residing at Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz

Data protection officer:

Jana Tvrdková
Contact: tvrdkova@cheminvest.cz

“The data protection officer has been designated pursuant to the General Data Protection Regulation (GDPR) and he or she is an independent guarantor of correct handling of personal data as well as the intermediary among the organisation, the supervisory authority (the Office for personal data protection) and the public (data subject).”