CLINITEX s.r.o., Vratimovská 672/42, Kunčičky, 718 00 Ostrava, Company ID No.: 26869551, hereinafter the “Controller”, processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Act No. 110/2019 Coll., on the Processing of Personal Data.
Definitions
Data subject: An identified or identifiable natural person, e.g.:
- Employee of the Controller,
- Job applicant,
- Customer,
- Customer’s representative,
- External worker,
- Supplier’s representative,
- Client / end-customer,
- Natural person (citizen),
- Natural person–entrepreneur (with Company ID/“IČ”).
Personal data: Any information relating to an identified or identifiable natural person, such as: first name, surname, date of birth, personal identification number, location data (address), network identifiers (telephone number, e-mail, social networks, etc.).
Special categories of personal data: Specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person, i.e. personal data revealing racial or ethnic origin, political opinions, membership in trade unions, religion or philosophical beliefs, criminal convictions, health status and sex life, as well as biometric data enabling the direct identification or authentication of the data subject.
Responsibility of the Controller
As the Controller, we are responsible for all processing of your personal data carried out within the agendas used in our organisation. We also handle your requests (e.g. for rectification, erasure, information about your personal data), your objections, and provide you with information on how and why we handle your personal data.
Principles of Personal Data Processing
When processing personal data, we apply the highest standards of personal data protection and in particular observe the following principles:
a) We always process personal data for a clearly and intelligibly defined purpose, by defined means, in a defined manner, and only for the period necessary with regard to the purposes of processing. We process only accurate personal data, and the processing corresponds to the defined purposes and is necessary for their fulfilment;
b) Personal data are protected in a manner that reflects the current state of the art. The highest possible level of security is ensured to prevent any unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing, or any other misuse;
c) Data subjects are informed about the processing of their personal data and about their right to receive precise and complete information about the circumstances of such processing, as well as about other related rights;
d) As the Controller, we observe appropriate technical and organisational measures.
Information on Personal Data Processing
The Controller processes personal data for the following purposes:
- Fulfilment of statutory obligations, where it acts in the position of Controller of personal data;
- Fulfilment of contractual obligations, where personal data have been provided directly by the data subjects;
- Fulfilment of contractual obligations, where personal data have been provided to the Controller by controllers of the other contracting parties and the Controller acts as a processor;
- Fulfilment of contractual obligations where the data subject is a party to the contract;
- Protection of the rights and legitimate interests of the Controller;
- Business and marketing purposes, where the data subject has given consent, or where processing is based on the Controller’s legitimate interest in the case of clients and cooperating entities of the Company.
Scope of Processed Personal Data:
The Controller processes personal data to the extent necessary to achieve the purposes set out above. In particular, the following personal data are processed:
a) First name and surname;
b) Date of birth;
c) Personal identification number (rodné číslo), where applicable;
d) Address;
e) E-mail address;
f) Telephone number;
g) IP address and other electronic identifiers;
h) Other personal data that the Controller is obliged to process on the basis of specific legal grounds applicable to particular cases of personal data processing. The Controller does not process special categories of personal data unless there is a legal basis for such processing.
Method of Personal Data Processing
The methods used by the Controller to process personal data include both manual and automated processing in the Controller’s information systems. Personal data are processed primarily by the Controller’s employees and, to the necessary extent, also by third parties. Before any personal data are transferred to a third party, a contract is concluded with that party which contains the same guarantees for the processing of personal data as those observed by the Controller in accordance with its statutory obligations. The Controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures preventing unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or other misuse.
Recipients of Personal Data
Personal data are made available primarily to the Controller’s employees in connection with the performance of their work duties where it is necessary to handle personal data, but only to the extent necessary in each particular case and subject to all applicable security measures. Personal data may be provided to third parties involved in the processing of personal data or may be made accessible to them for other reasons in accordance with the law. Before any personal data are transferred to a third party, a written contract is always concluded with that party to regulate the processing of personal data and to ensure that it includes the same guarantees for personal data processing as those observed by the Controller itself.
In accordance with the relevant legal regulations, the Controller is entitled or directly obliged to transfer your personal data to:
a) Competent public authorities, courts and law-enforcement authorities for the purpose of fulfilling their duties and enforcing decisions;
b) Payment service providers, where necessary for the prevention, investigation or detection of fraud in payment transactions;
c) Public administration bodies and other public authorities for the purpose of fulfilling statutory obligations;
d) Other entities to the extent laid down by legal regulations, such as third parties for debt recovery purposes;
e) Entities providing services to the Controller on an outsourcing basis and acting as processors of personal data.
Transfer of Personal Data Abroad
Personal data are processed within the territory of the Czech Republic and are not transferred to third countries.
Period of Personal Data Processing
The Controller processes personal data only for the period necessary with regard to the purposes of their processing. The retention period of personal data follows from the individual legal grounds and legal regulations on the basis of which the Controller processes personal data and is further aligned with the Controller’s Filing, Archiving and Disposal Rules.
Processing of Personal Data in Electronic Communication
In the context of electronic communication and within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), the Controller processes in particular the following personal data (where provided):
- First name and surname;
- E-mail address;
- IP address;
- Password.
First name, surname, e-mail address, IP address and other data are processed for the purpose of enabling communication between you and our company. We record and process personal data in accordance with the applicable laws of the Czech Republic and GDPR for the purpose of handling your order or enquiry. Personal data are stored and processed for the above purpose for a period of 6 months from the sending of the message in electronic communication, unless another legal regulation requires a longer retention period. This processing is permitted under Article 6(1)(b) GDPR as processing necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. After this period, your data will be erased and physically destroyed.
Rights of the Data Subject
1. Right to Information
You have the right to request from the Controller information about which personal data we process about you, to what extent and for what purpose. We will provide this information in accordance with the principles of GDPR, and in exceptional cases no later than within 90 days. You will be informed in advance of any extension of the deadline in exceptional cases. If you request information about the data we keep about you, we must first verify that you are indeed the person to whom the data relate. Therefore, please include sufficient identifying information in your request. If necessary, we are entitled to request additional information to confirm your identity before providing personal data. We are entitled to reject information requests that are manifestly unfounded, unreasonably repetitive, or whose retrieval would require disproportionate effort or would be difficult to obtain (typically from backup systems, archives, etc.).
2. Updating Data, Right to Rectification
As personal data may change over time (for example, surname), we will appreciate it if you inform us of any such changes so that your personal data remain up to date and no errors occur. Providing information about changes is necessary for us to properly perform our duties as Controller. This is closely related to your right to rectification of personal data that we keep about you. If you find that our data are no longer up to date, you have the right to request their rectification.
3. Objections
If you believe that we do not process your personal data in accordance with the applicable laws of the Czech Republic or the European Union, you have the right to object, and we will then examine the legitimacy of your request. You are also entitled to lodge a complaint regarding the processing of your personal data with the competent supervisory authority for data protection at:
Úřad pro ochranu osobních údajů
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
4. Right to Erasure (“Right to be Forgotten”)
If you have given us consent to process your personal data, you have the right to withdraw this consent at any time, and we are then obliged to erase the data that we process solely on the basis of your consent. The right to erasure does not apply to data processed in connection with the performance of a contract, statutory obligations or legitimate interests. If some of your data are stored in backup systems that automatically ensure the resilience of all our systems and protect against data loss in case of failures, it is not within our power to erase these data from the backup systems as well. However, these data are no longer actively processed and will not be used for further processing purposes.
5. Right to Restriction of Processing
This right allows you to object to the processing of your personal data if you find or believe that your personal data are processed contrary to applicable legislation or the processing could threaten your rights and freedoms. Situations in which this may occur include, for example:
- Right to rectification – you contest the accuracy of your personal data. For the period during which we, as Controller, verify the accuracy of the data, you have the right to request that the use of such data be restricted.
- The processing of personal data is unlawful, but you do not request their erasure, only the restriction of their use.
- We, as Controller, no longer need the personal data for processing purposes (and would otherwise erase them), but you require them for the establishment, exercise or defence of legal claims.
- You have lodged an objection to processing. For the period during which it is being assessed whether our legitimate interests as Controller override your interests as data subject, the processing of such data must be restricted.
6. Right to Data Portability
1. As a data subject, you have the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the Controller, where: the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and the processing is carried out by automated means.
2. In exercising your right to data portability under paragraph 1, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 shall be without prejudice to Article 17 GDPR. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 must not adversely affect the rights and freedoms of others.
7. Right Not to Be Subject to Automated Individual Decision-Making
This right ensures that you, as a data subject, are not subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. In other words, it ensures that decisions with legal effects concerning you are not made solely by automated procedures without human intervention, except for possible exceptions.
Automated decision-making is permissible where it is necessary for entering into or performance of a contract between you and the Controller, where it is authorised by EU or Member State law, or where it is based on your explicit consent.
Contact Details
If you have any questions regarding personal data protection, you can contact us by e-mail at:
info@clinitex.cz or at the registered office of the Controller:
CLINITEX s.r.o.,
Vratimovská 672/42
718 00 Ostrava-Kunčičky
Czech Republic