PRINCIPLES OF PERSONAL DATA PROCESSING AND PROTECTION
The purpose of these Personal Data Processing and Protection Principles (hereinafter referred to as „Principles“) is to provide information about which personal data about natural persons are processed for the provision of services and sales of goods by our company, for what purposes and for how long our company processes such personal data in accordance with applicable law, whom they can provide it to and for what reason, and also to inform about the rights that arise to natural persons in connection with the processing of their personal data. The Principles are effective from 25 May 2018 and are issued in accordance with the European Parliament and Council (EU) Regulation 2016/679 dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as „GDPR“).
1. Personal Data Manager, Contact Information for the GDPR
Personal Data Manager is the company GWL a.s., VAT ID CZ27651851, with registered office at Průmyslová 1472/11, Hostivař, 102 00 Prague 10, registered in the Commercial Register maintained by the Municipal Court in Prague in Section B, File No. 11525 (hereinafter referred to as the „Manager“). Any inquiries regarding the processing of personal data can be sent to the address of the Manager’s registered office, the Manager’s email address [email protected] or directed to tel. no. +420 277 007 550.
2. Scope of Processing and Categories of Personal Data Being Processed
Personal data are processed to the extent provided by the relevant Data Subject to the Manager in connection with the conclusion of a contractual or other legal relationship with the Manager, or otherwise collected by the Manager for processing in accordance with the applicable legal regulations or for the fulfillment of the Manager’s statutory duties. The Manager processes the following personal data categories:
a) name and surname, academic title if any,
b) company name,
c) ID, TAX ID,
d) permanent address,
e) the address of the registered office or place of business,
f) delivery address,
g) contact e-mail address,
h) contact telephone number,
i) job position and/or function in the company,
j) banking information,
k) cookie-obtained records of behaviors on websites managed by the Manager if cookies are enabled in a web browser.
3. The Purpose of Personal Data Processing
3.1 Processing for the purpose of this contract’s performance, fulfillment of legal obligations and for the purpose of the Manager’s legitimate interests The provision of personal data necessary for the performance of the contract, the fulfillment of the legal obligations of the Manager, and the protection of the legitimate interests of the Manager is obligatory. It would not be possible to provide services without providing personal data for these purposes. The Manager does not need the consent of the Personal Data Subject in order to process personal data for these purposes.
The basic partial purposes for the processing of personal data include, in particular::
a) processes relating to the identification and possible contacting of the customer (performance of the contract),
b) provision of services and delivery of ordered goods (performance of the contract),
c) billing for services, issuance of tax documents (performance of the contract),
d) fulfillment of statutory tax obligations (fulfillment of legal obligations),
e) recovery of customer receivables and other customer disputes (legitimate interest),
f) record of debtors (legitimate interest).
Personal data for these activities are processed to the extent necessary for the performance of these activities and for a period of time required to achieve them, or for a period of time prescribed by law. Personal data is then erased or anonymized. The basic deadlines for the processing of personal data are available below in Article 5 of the Principles.
3.2 Processing of customer data for marketing and business purposes with their consent
The Manager processes personal data for marketing and business purposes with the consent of the Data Subject for the purpose of creating an appropriate possible offer of the Manager's products and services and in relation to customer engagement, exclusively by means of electronic communication via a contact e-mail addresses. Granting of consent for marketing and business purposes is voluntary and the Data Subject may revoke it at any time. Such consent remains in effect for 10 years from being granted, or for the duration of the use of the Manager’s services and for the next 10 years thereafter, or until the Data Subject revokes it. All data categories specified in Article 2 of these Principles may be processed upon consent for marketing and business purposes. If the Data Subject revokes their consent, this is without prejudice to the processing of their personal data by the Manager for other purposes and based on other legal titles in accordance with these Principles.
3.3 Processing of cookies from websites operated by the Manager
If cookies are enabled by the Data Subject in their web browser, the Manager processes records of their behavior from the cookies placed on the websites operated by the Manager for the purpose of ensuring better operation of the Manager's web sites and for the Manager’s online advertising. In the case of consent to the processing of personal data for marketing and business purposes, these data are processed together with other personal data for this purpose.
4. Method of Personal Data Processing and Protection
The processing of personal data is done by the Manager. The processing is carried out at their premises and registered office by individual authorized employees of the Manager, or by the processor. The processing takes place via computing technology or manually in the case of personal data in paper form, with adherence to all security policies for personal data managing and processing. To this end, the Manager has adopted technical and organizational measures to ensure personal data protection, in particular measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfer, unauthorized processing, and other misuse of personal data. All entities to whom personal data may be made available will respect the rights of Data Subjects to privacy protection and are required to comply with applicable laws on personal data protection. Automated decision-making within the meaning of Article 22 of the GDPR does not take place when processing personal data by the Manager.
5. Period of Personal Data Processing
The processing of personal data takes place for the time necessary to achieve the purposes for which the data is processed, in accordance with the deadlines specified in the relevant contracts, in the Manager’s file and shredding rules, or in the relevant legislation. The length of time that personal data will be stored for is determined as follows:
a) In the case of service customers, the Manager is entitled to process their basic personal, identification, contact details, service data and data from their communication with the Manager in the customer database for a period of 4 years from the date of termination of the last contract with the Manager, provided that they have met all their all their obligations to the Manager.
b) In case of purchase of goods from the Manager, they are entitled to process the basic personal, identification and contact information of the customer, data on goods and communication data between the customer and the Manager for a period of 4 years from the expiration of the warranty period for the goods.
c) In the case of negotiations between the Manager and the potential customer on the conclusion of a contract which did not end in a contract conclusion, the Manager is entitled to process the provided personal data for a period of 6 months from the end of the pre-contractual negotiations.
d) The tax documents issued by the Manager shall be archived in accordance with Section 35 of Act No. 235/2004 Coll. on value added tax for 10 years from the end of the tax period in which the performance took place. Due to the need to prove the legal reason for issuing invoices, customer contracts are also archived for 10 years from the date of the contract’s termination.
6. Categories of Personal Data Recipients
When fulfilling their commitments and contractual obligations arising from the contracts, the Manager uses professional and specialized services of other entities. If these suppliers process personal data provided by the Manager, they have the status of a personal data processor and process personal data only under the instructions from the Manager and must not use them in other ways. These processors include, in particular, freight forwarders, payment gateway providers, experts, lawyers, auditors, IT system administrators, internet advertising providers, or sales representatives. Each such entity is carefully selected by the Manager and each concludes a personal data processing agreement in which the processor sets out strict obligations to protect and secure personal data.
7. Rights of Data Subjects
In accordance with the GDPR, the Personal Data Subject has the rights stated below. With regard to the rights to the Manager, the Data Subject is entitled to exercise them at the contact addresses listed in Article 1 of these Principles.
7.1 Right of Access to Personal Data
Under Article 15 of the GDPR, the Data Subject has the right of access to personal data, which includes the right to obtain a confirmation from the Manager whether the personal data concerning them are processed or not, and if they are, the Data Subject has the right to have access to these personal data and information regarding:
a) the purposes of processing,
b) the categories of personal data concerned,
c) the recipients whom the personal data have been or will be made available,
d) the planned processing periods,
e) the existence of the right to request the correction or deletion of personal data from the Manager relating to the Data Subject or the restriction of their processing, or to object to such processing,
f) the right to file a complaint with the supervisory authority,
g) any available information on the source of personal data if it is not obtained from the Data Subject,
h) the fact that automated decision-making is taking place, including profiling,
i) appropriate guarantees when transmitting data outside the EU.
Unless the rights and freedoms of other persons are adversely affected, the Data Subject also has the right to request a copy of the processed personal data. In case of a repeated request, the Manager is entitled to charge a reasonable fee for a copy of the personal data.
7.2 Right to Correct Inaccurate Data
Under Article 16 of the GDPR, the Data Subject has the right to correct or complete inaccurate or incomplete personal data about them processed by the Manager. The Data Subject has the obligation to announce changes to their personal data and to demonstrate that such a change has taken place. At the same time, they are required to provide the Manager with assistance if it is determined that their processed personal data is inaccurate.
7.3 Right to Deletion
Under Article 17 of the GDPR, the Data Subject has the right to deletion of personal data concerning them if the Manager does not demonstrate legitimate reasons for the processing of such personal data.
7.4 Right to Limit the Processing
Under Article 18 of the GDPR, the Data Subject has the right to limit the processing if they deny the accuracy of the personal data, the reasons for the processing, or file an objection to the processing of the data until the initiative is resolved. Where processing has been restricted, the personal data in question may be processed, with the exception of its saving, only with the consent of the Data Subject or for the purpose of determining, enforcing or defending legal rights, for the protection of the rights of another natural or legal person, or for reasons of overriding public interest of the EU or one of its Member States.
7.5 The Manager’s Notification Obligation Regarding the Correction or Deletion of Personal Data or Limitation of Processing
In the event of correction, deletion, or limitation of personal data processing, the Manager shall, in accordance with Article 19 of the GDPR, be obliged to inform the individual personal data recipients of this fact, except where this proves to be impossible or requires unreasonable effort. Based on the Data Subject's request, the Manager will provide the Data Subject with information on these recipients.
7.6 Right to Personal Data Portability
Under Article 20 of the GDPR, the Data Subject has the right to the portability of the data concerning them and provided to the Manager in a structured, commonly used and machine readable format, and the right to request the Manager to transfer the data to another manager if the processing of personal data occurred based on contract conclusion and performance or based on the Data Subject’s consent, and if this processing is carried out automatically. Such a request cannot be met if the exercise of this right could adversely affect the rights and freedoms of third parties.
7.7 Right to Object to the Processing of Personal Data
Under Article 21 of the GDPR, the Data Subject has the right to object to the processing of their personal data due to the legitimate interest of the Manager. If the Manager does not prove that there are serious legitimate reasons for processing that prevail over the interests or rights and freedoms of the Data Subject, the Manager shall immediately terminate the processing on the basis of the objection.
7.8 Right to Revoke the Consent to Personal Data Processing
Consent to the personal data processing for marketing and business purposes may be revoked at any time. Revocation needs to be made in an explicit, comprehensible and certain manner of will. Processing of cookie data can be avoided in the web browser settings.
7.9 Right to be Informed about a Breach to Personal Data Security
According to Article 34 of the GDPR, the Data Subject has the right to be informed without undue delay by the Manager regarding the breach of security of personal data received by the Manager, if it is likely that the breach of personal data security will result in a high risk to the rights and freedoms of natural persons.
7.10 Right to Appeal to the Office for Personal Data Protection
The Data Subject has the right to appeal to the Office for Personal Data Protection (www.uoou.cz) if they find or believe that the Manager or processor carries out the processing of their personal data contrary to the protection of the Data Subject’s private and personal life or in violation of applicable laws.