Data Processing Contract

Personal Data Processing and Security Terms & Condition – Data Processing Contract

Article I

Initial provisions

1. The Parties entered into a service contract. These Terms & Conditions constitute an inseparable part of the service contract pursuant to the preceding sentence. In the event of any discrepancies between the contract and these Terms & Conditions, the provisions of the contract shall prevail.
2. By signing these Terms & Conditions, the Parties fulfil their duties pursuant to the provision of Article 28 of the General Data Protection Regulation.
3. These Terms & Conditions regulate the rights and obligations of the Parties relating to the processing of personal data carried out by the Parties acting as the personal data controller and the personal data processor in order to ensure maximum security of the personal data being processed and of the information on data security, as well as transparency of the processing and compliance with the obligations laid down in the personal data protection legislation.
4. The positions of the Parties as either the personal data controller or the personal data processor, as well as the processing tasks of the processor, are stipulated in the contract referred to in paragraph 1 hereof.

Article II

Definitions

1. Unless expressly provided otherwise, the terms defined in Article 4 of the GDPR shall have the meaning ascribed to them in the provisions of the GDPR referred to above.
2. The following expressions shall have the meaning set forth below:
   1. Sensitive data – means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purposes of unique identification of a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
   2. Public body – means an entity established by law and carrying out tasks stipulated by law in the public interest;
   3. Chain of processors – means a situation in which another person is engaged in the processing of personal data as a sub-processor on the basis of an agreement with the processor;
   4. Personal data sub-processor – means a person authorized by the processor to perform certain tasks in the processing of personal data carried out by the personal data processor for the personal data controller; the sub-processor and the personal data processor will enter into a contract for the sub-processing of personal data in a form corresponding to these Terms & Conditions, particularly in terms of security of the processing of personal data and security of the relevant information on the security of processing, and the fulfilment of the obligations laid down in the GDPR and in the legislation governing the protection of personal data in general;
   5. Security incident – means a personal data breach that leads to accidental or unlawful destruction, loss, alteration or unauthorized disclosure of the transferred, stored or otherwise processed personal data, or at least the risk of accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data, or the loss or unauthorized disclosure of passwords, access data or other tools used to access the premises where the processing of personal data is carried out, the stored or processed personal data, or multimedia or computer technology used for the processing or storage of personal data; the above also applies to the information on security of the processing of personal data and the information on processing parameters, accordingly;
   6. Third country – means any country outside the European Union;
   7. Transfer of personal data to a third country – means the transfer of personal data to a third country to carry out a processing operation, including the use of cloud computing, if the services are, even in part, carried out in a third country;
   8. Notifier – means a person reporting a security incident;
   9. Notified person – means a person other than the notifier who is affected by the security incident to the extent of being the originator or initiator of the security incident.

Article III

Key Parameters and Terms & Conditions of Personal Data Processing

Rights and Obligations of the Parties

1. In connection with the processing of personal data, the processor will ensure for the controller the following tasks and the Parties will have the following rights and obligations:
   1. Providing each other with the necessary assistance and cooperation to ensure due fulfilment of the obligations laid down in the personal data protection legislation and adequate security of the personal data being processed and the information on their security, and to respect the rights and freedoms of the data subject and to facilitate, as much as possible, the exercise of rights by data subjects;
   2. The processor will only process the personal data on documented instructions from the controller;
   3. If, in connection with the processing of personal data, the personal data are to be transferred to third countries by the personal data processor, the processor shall notify the controller of such intention in writing or by e-mail well in advance before its implementation with a request for the controller’s opinion. If the controller does not provide its opinion within three business days from the receipt of the above notification, the controller shall be deemed to have approved the transfer of personal data to a third country. If the country is not a EU country, an EEC country, a country designated as a safe country by the EU Commission’s decision, a country that has ratified the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, or another country where the transfer of data outside the EU would be considered safe under the EU Commission’s decision, the processor has to ensure an adequate level of protection (e.g. standard contractual clauses pursuant to the Commission’s decision);
   4. The personal data processor shall implement the necessary technical and organizational measures to ensure an appropriate level of security of the processed personal data and of the information on their security, as well as all other necessary measures laid down in Article 32 of the GDPR in order to ensure security of the personal data and of the information on security of the processing;
   5. The personal data processor shall only engage in the processing of the personal data a sub-processor, if the conditions stipulated herein are met;
   6. The personal data processor shall provide the personal data controller with the necessary assistance and cooperation in fulfilling the controller’s obligations pursuant to Articles 32 through 36 of the GDPR;
   7. The personal data processor shall, on the instruction of the personal data controller, destroy, correct, modify or update the personal data being processed or the information about the processing of personal data;
   8. Should a data subject exercise with the data processor any of the data subject’s rights, in respect of which the data controller’s obligations to the data subject are not performed by the processor on behalf of the controller, the processor shall immediately notify the data controller of this fact and provide the data controller with all the necessary assistance and cooperation in order to allow the personal data controller to duly, and within the statutory deadline, respond to the exercise of the right by the data subject;
   9. The processor will maintain records of the processing operations carried out and of the related facts so that the data controller is able to demonstrate compliance with the statutory obligations, as laid down in Article 5(2) of the GDPR, in line with the principle of ‘accountability’;
   10. The processor will always process the personal data in such a manner that the basic personal data processing principles and obligations arising from Article 5 (1) of the GDPR and from other articles implementing and complementing the provision referred to above are fully complied with. For the above purpose, the processor shall, in particular, implement appropriate internal processes and measures to ensure adequate security of the personal data being processed and of the information on their security, and ensure that persons authorized to process the personal data and persons who come into contact with the information on the parameters of personal data processing or the information on the security of personal data processing are bound by confidentiality in respect of these facts and information;
   11. Upon the termination of the activities carried out for the controller, the processor shall hand over to the personal data controller or to another designated data processor, in a secure manner, all the personal data being processed and all related documents and information so as to allow for a smooth and uninterrupted continuation of the processing of personal data; in particular, if the processing of personal data is carried out by means of modern technologies, the data and related information will be transferred in an open format so that they can be used and further processed without any necessary intervention. The processor shall provide the controller with all documentation and information necessary to demonstrate the lawfulness of the processing and fulfilment of the related obligations, so that the controller is subsequently able to retrospectively demonstrate the lawfulness of the processing and compliance with the relevant obligations for a period equal to the longest statutory period of limitation or period of prescription determined for a tort or public offense, which could have been committed by the processor in the processing of personal data and for which the controller could (even to some extent) be held accountable;
   12. If the personal data processor reveals or suspects any irregularities in the conditions of the processing of personal data that are the responsibility of the personal data controller or in the processing of personal data as such, the personal data processor shall notify the personal data controller of the same.

Article IV

Measures Implemented to Secure the Personal Data Being Processed

1. The level of security measures implemented to secure the personal data being processed and their carriers or the multimedia environment in which the personal data are stored or processed shall be adequate to the nature of the personal data being processed and the level of possible interference with the rights of the data subject to which they relate.
2. Security measures are measures that serve to ensure confidentiality, i.e. to prevent the disclosure of or access to the personal data and their carriers to/by any persons outside the group of persons authorized to carry out processing operations with or otherwise handle the personal data. Security measures further include measures that serve to prevent unauthorized access to and processing of the personal data as well as their unauthorized alteration, destruction, loss or deletion (e.g. making copies or backups).
3. The principle of necessity and minimization shall be observed in appointing authorized persons and assigning competencies relating to the personal data being processed; the authorization and its degree shall depend on the person’s job position and the competencies assigned to such position, so that the person concerned is only able to handle such personal data as are necessary for the proper performance of his/her position. The same shall apply to determining the scope of the processing operations the person will be authorized to perform and the cases in which he/she may use its authorization. The ultimate purpose of the processing of personal data shall always be taken into account.
4. Proper security includes regular reviews of the effectiveness and adequacy of the security measures adopted, training of staff and persons who have been engaged in the processing of personal data or who are in contact with the processing information and information on the security of processing, and verification of their knowledge, correct understanding of the functioning of security rules and compliance with the measures and practices.
5. The Personal data controller is entitled to conduct, on a regular basis, either directly or through a third party, audits and inspections of compliance with the personal data processor’s obligations, including a verification of sufficiency of the measures implemented to ensure security and compliance with the measures and procedures by the processor’s employees.
6. If, on the basis of a review/audit/inspection or other findings, the data controller brings to the attention of the data processor any irregularities regarding the performance of the processor’s obligations, the processor shall remedy the situation without undue delay. The processor will notify the controller of the remedy.
7. The provisions of this article shall also apply to ensuring security of the information on security of the personal data processing, accordingly.

Article V

Other Measures Implemented to Secure the Personal Data Being Processed

1. The processor shall implement security measures on the basis of a proper assessment of risks, the likelihood of risks and their possible negative consequences for the rights and freedoms of the data subjects. The primary objective must be to eliminate the risks, minimize the risks where elimination is not possible, and eliminate or at least minimize possible negative consequences for the rights and freedoms of the data subjects where minimization of risk is not possible.
2. The processor shall, inter alia, implement and guarantee, among other things, the following rules and principles designed to ensure security of the processed personal data and the security of their carriers and multimedia devices:
   1. An obligation to act in such a manner so as to prevent any loss, destruction or unauthorized alteration or disclosure of the processed personal data or information about their security. In the event of imminent risk of loss, unauthorized destruction, alteration or disclosure of personal data or information about their security, an obligation to take adequate steps to the necessary extent and to report to the responsible person, without undue delay, the steps taken, their reasons, progress and consequences;
   2. No one is allowed to handle the personal data and carry out processing operations beyond the scope of his/her authorization, outside the purpose of processing or without the legal ground for the processing operations and the fulfilment of all other legal obligations arising from the legislation governing the protection of personal data;
   3. Every person is obliged to immediately notify the responsible person, by e-mail or in writing, of any defect in the conditions or individual parameters of the processing of personal data;
   4. When the processing of personal data is carried out using, in particular, modern technologies, backups of the processed personal data and of the related data and information about the processing shall be made at such intervals so as to ensure continuity of processing, and keeping the processed personal data up to date and accurate even in the event of change or destruction of the personal data being processed; if the processed personal data are to be restored from the backup, the responsible person shall ensure, based on the information on and records of the processing of personal data, that the processing of personal data is brought into line with the data subjects’ rights previously exercised, as well as with other statutory obligations;
   5. Other appropriate and necessary security measures shall be implemented, such as regular forced change of access passwords;
   6. Technical and other security features that are part of the tools and other means used to process the personal data shall be used to the maximum extent possible; in particular, employees shall be obliged to:
      1. lock rooms, cabinets and other areas where personal data carriers are stored, unless a person authorized to access the personal data and their carriers is present on the site;
      2. log out, when they finish working with a technical or multimedia device or application, from the device, environment or application;
      3. keep secret and confidential passwords and login codes for access to devices, multimedia environment or individual applications;
      4. choose safe passwords, i.e. passwords consisting of at least 8 alphanumeric and non-alphanumeric characters and containing both upper and lower case;
      5. if using mobile phones and other similar devices, to always use security options to start and log in to the device, as well as to unlock it, at least by entering a four-digit PIN; a higher-level of security is preferable, if possible;
      6. refrain from installing any software or making any changes to multimedia devices and computer equipment entrusted to employees for the purposes of performance of their work tasks, without the consent and assistance of the responsible person; in particular, employees are not allowed to inactivate antivirus and other similar programs designed to ensure security of the processed personal data;
      7. if an employee is entrusted with a mobile phone or PC, or other similar multimedia device or computer technology and, particularly, if the employee is able to use such equipment outside the employer’s premises, the employee is obliged to implement and consistently apply such measures as to completely exclude access to and use of such equipment by any third party, as well as measures to prevent the destruction or damage of such equipment.

The provisions of this paragraph also apply to the security of information on security of the processing of personal data, accordingly.

Article VI

Communication

1. Any communication (by phone, e-mail, ordinary mail) relating to the processing of personal data, whether within one Party or between the Parties or towards third parties (contractors, clients, public authorities, etc.), shall always be carried out in the most secure and discreet manner, so that no person other than the legitimate addressee can acquire knowledge of the content of the communication, including the transmitted personal data.
2. Personal data shall be transferred using a data box, an e-mail message, an electronic storage service or a postal services provider or another similar method of physical delivery of the data carrier to the addressee (messenger service, etc.).
3. If possible with regard to the nature of the addressee and the provided services, the data box will be the exclusive form of communication. In these cases, it is not possible to transfer personal data by phone, e-mail or otherwise.
4. If it is not possible to use the data box, the data may be transferred using an e-mail or a postal services provider or another similar method of physical delivery of the data carrier to the addressee (messenger service, etc.). In such cases, it is always necessary to identify the particular addressee and to use the receipt confirmation service, or the personal delivery option.
5. The transfer of personal data via an e-mail message is subject to proper security of the transferred personal data. Security means that the file being transferred will be at least compressed to the ZIP or similar file format, and encoded using a safe password. A safe password means a password with at least 8 characters containing both alphanumeric (uppercase and lowercase letters and numbers) and non-alphanumeric characters. The password must be agreed with the addressee in advance and transferred safely; the transfer of a password in an open email message is not considered safe; the same applies to password changes.
6. The responsible representatives of the Parties shall select a secure password and shall inform each other of the password in a discrete manner.
7. The transfer of personal data by phone may only be used in exceptional cases; the use of phone includes short text messages (SMS), multimedia messages (MMS) or mobile applications with similar functions. Personal data can only be provided by phone if: the identity of the caller has been securely verified, it is certain that no person other than the duly identified caller can attend the call, and if the data are transferred between the controller and the processor, between two controllers, or between the processor and a sub-processor, it is certain that the data are properly recorded. If data are transferred using an SMS, MMS, or an application with similar functions, the message shall be deleted immediately after the data have been properly recorded.

Article VII

Security Incident

1. If the personal data processor becomes aware of a security incident, the processor shall immediately notify the incident to the personal data controller. The same applies if there are reasonable grounds to suspect a security incident.
2. The notification pursuant to this Article shall always be based on the following:
   1. honesty and integrity on the part of the notifier;
   2. the notifier’s firm belief that the notification is true;
   3. the notifier’s firm belief that the conduct/notification is lawful;
   4. verification of the reported information.

Other notifications that do not meet the above criteria (unverified or dishonest notifications made with the intention to harm someone) may give rise to an obligation to compensate the harm (tangible or intangible) suffered by the controller, the notified person or other affected persons (family members of the notified person, etc.).

3. A security incident shall be notified in a discreet manner to the person designated by the controller.
4. The personal data processor shall ensure that the notification by the notifier is made in such a manner that the notified person is not aware of the notification, if the notification affects the processor’s co-worker or member or another person who is to be qualified as a law offender.
5. The notification shall be made in writing or by email.
6. The notification shall include the following (to the extent that it is inherently possible):
   1. the notifier’s name and surname, job position and contact information;
   2. all information about the notified security incident known to the notifier and to any third parties (i.e. a description of the security incident);
   3. the names and surnames of all persons participating in the security incident, including their job positions or the institution in which they work, and identification of the notified person;
   4. the names and surnames of the persons who have any information about the security incident, including their contact information;
   5. information about how or from whom the notifier found out about the security incident;
   6. information about how the truthfulness and accuracy of the revealed information was verified by the notifier and by the processor;
   7. the processing of personal data, processing operations and personal data affected by the security incident, including the scope of affected data subject;
   8. possible risks to the rights and freedoms of data subjects, to the controller, to the processor or to third parties arising from the security incident.

All evidence available to the processor shall be attached to the notification; Article VII shall apply accordingly.

7. 7. The notification shall be made in the Czech language.

Article VIII

Terms & Conditions of Engaging a Sub-processor

1. The personal data processor is entitled to engage a sub-processor in the processing of personal data.
2. The personal data sub-processor may be a person who will sufficiently guarantee the implementation of adequate technical and organizational measures to ensure compliance of the processing with the personal data protection legislation and safety and protection of the personal data and the rights and freedoms of the data subjects. The personal data processor shall be liable for a proper verification of reliability of the sub-processor the processor intends to engage in the processing of personal data.
3. The personal data processor shall notify the personal data controller in writing of an intention to engage a sub-processor in the processing of personal data. The personal data controller shall have the right to object to the engagement of a personal data sub-processor; alternatively, the controller reserves the right to approve the person who will act as the sub-processor. If the controller fails to inform the processor of its decision concerning the approval of engagement of a sub-processor within 5 business days from the date of receipt of the notification of an intention to engage a sub-processor in the processing of personal data, the processor of personal data shall be allowed to engage a sub-processor in the processing of personal data.
4. The personal data processor shall oblige the sub-processor to fulfil the obligations stipulated in the personal data protection legislation and to ensure security of the personal data being processed and the information on their security at least to the extent laid down herein. The same applies to other content of these Terms & Conditions.
5. The personal data processor is liable to the personal data controller for the activities carried out by the personal data sub-processor as if the activities for the controller were carried out or the obligations fulfilled by the processor.

Article IX

Joint Provisions

1. Upon the personal data controller’s request, the processor will, without undue delay, make available to the personal data controller or to a person designated by the controller the personal data being processed or a particular part thereof, as well as the information concerning the processing of personal data, including the information on security of the processed personal data.
2. Upon the personal data controller’s request, the processor will, without undue delay, provide to the personal data controller or to a person designated by the controller a copy of the personal data being processed in the manner and format allowing for further processing of the provided personal data. The same applies to the information on the processing of personal data and their security.
3. Upon the personal data controller’s request, the processor will, without undue delay, submit to the personal data controller the documentation as evidence of the fact that the processing of the personal data carried out by the processor in favour of the controller has the relevant and valid legal ground.

Terms & Conditions of Security, Discreetness and Notification of Security Incidents

Article I

Representations

1. The provider undertakes to provide the agreed services or to supply the agreed goods to the receiving party.
2. The provided services do not include any processing operations carried out by the provider in respect of the personal data being processed by the receiving party. Even though the provider may, in the course of the activities carried out for the receiving party, come into contact with personal data and information about the parameters of the processing of personal data, including information on data security, the provider is not entitled to handle or manipulate with the data in any manner.
3. These Terms & Conditions constitute an inseparable part of the contract pursuant to Paragraph 1. In the event of any discrepancies between the contract and these Terms & Conditions, the provisions of the contract shall prevail.

Article II

Definitions

1. Unless expressly provided otherwise, the terms defined in Article 4 of the GDPR shall have the meaning ascribed to them in the provisions of the GDPR referred to above.
2. For the purposes of this contract, the following expressions shall have the meaning set forth below:
   1. Security incident – means a personal data breach that leads to accidental or unlawful destruction, loss, alteration or unauthorized disclosure of the transferred, stored or otherwise processed personal data, or at least the risk of accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data, or the loss or unauthorized disclosure of passwords, access data or other tools used to access the premises where the processing of personal data is carried out, the stored or processed personal data, or multimedia or computer technology used for the processing or storage of personal data; the above also applies to the information on security of the processing of personal data, accordingly;
   2. Notifier – means a person reporting a security incident;
   3. Notified person – means a person other than the Notifier who is affected by the security incident to the extent of being the originator or initiator of the security incident.

Article III

Security Measures

1. In the course of the provider’s activities carried out for the receiving party, the provider is not authorized in any way to actively access the personal data being processed by the receiving party, or the information about the processing of personal data performed by the receiving party or the information about security of the processing of personal data.
2. Should the provider, in the course of the activities carried out for the receiving party, come into contact with personal data, information about security of personal data or information on the parameters of the processing of personal data, the provider shall be bound by confidentiality in respect of such information and shall ensure the provider’s employees and other persons engaged by the provider to also be bound by confidentiality to the necessary extent.
3. In the course of the activities carried out for the receiving party, the provider will proceed with maximum caution in the handling of and manipulation with the information and data carriers pursuant to Paragraph 1. The provider shall refrain from any interventions in the carriers, particularly interventions that could result in unauthorised disclosure, alteration, destruction, making unavailable, erasure or transfer of such information or data. The above shall also apply to the measures and tools implemented to secure the above data and information, accordingly.
4. The provider shall implement the necessary security and technical and organisational measures in order to fulfil the purpose of paragraphs 1 through 3 of this Article.
5. Proper security and fulfilment of the obligations pursuant to paragraphs 1 through 4 includes regular reviews of the effectiveness and adequacy of the security measures adopted, the training of employees and persons engaged in the activities for the receiving party and verification of their knowledge, correct understanding of the functioning of security rules and compliance with the applicable measures and guidelines.

Article IV

Other Measures Implemented to Ensure Security

1. The processor shall implement security measures on the basis of a proper assessment of risks, the likelihood of risks and their possible negative consequences for the rights and freedoms of the persons concerned. The primary objective must be to eliminate the risks, minimize the risks where elimination is not possible, and eliminate or at least minimize possible negative consequences for the rights and freedoms of the persons concerned where minimization of risk is not possible.
2. The Provider shall, inter alia, implement and guarantee, among other things, the following rules and principles designed to ensure security:
   1. An obligation to act in such a manner so as to prevent any loss, destruction or unauthorized alteration or disclosure of the data or information pursuant to Article III(1) and (2). In the event of imminent risk of loss, unauthorized destruction, alteration or disclosure of such data or the relevant data carriers, an obligation to take adequate steps to the necessary extent and to report to the receiving party, without undue delay, the steps taken, their reasons, progress and consequences;
   2. Every person is obliged to immediately notify the designated responsible person, by e-mail or in writing, of any defect in the conditions or individual parameters of the processing or related security;
   3. Other appropriate and necessary security measures shall be implemented, such as regular forced change of access passwords;
   4. Technical and other security features that are part of the tools and other means used in the activities performed for the receiving party shall be used to the maximum extent possible; in particular, employees shall be obliged to:
      1. lock rooms, cabinets and other areas where personal data carriers are stored, unless a person authorized to access the personal data and their carriers is present on the site;
      2. log out, when they finish working with a technical or multimedia device or application, from the device, environment or application;
      3. keep secret and confidential passwords and login codes for access to devices, multimedia environment or individual applications;
      4. choose safe passwords, i.e. passwords consisting of at least 8 alphanumeric and non-alphanumeric characters and containing both upper and lower case;
      5. if using mobile phones and other similar devices, to always use security options to start and log in to the device, as well as to unlock it, at least by entering a four-digit PIN; a higher-level of security is preferable, if possible;
      6. refrain from installing any software or making any changes to multimedia devices and computer equipment entrusted to employees for the purposes of performance of their work tasks, without the consent and assistance of the responsible person; in particular, employees are not allowed to inactivate antivirus and other similar programs designed to ensure the security of the processed personal data;
      7. if an employee is entrusted with a mobile phone or PC, or other similar multimedia device or computer technology and, particularly, if the employee is able to use such equipment outside the employer’s premises, the employee is obliged to implement and consistently apply such measures as to completely exclude access to and use of such equipment by any third party, as well as measures to prevent the destruction or damage of such equipment.

Article V

Communication

1. Any communication (by phone, e-mail, ordinary mail) relating to the activities carried out by the provider for the receiving party, whether within one Party or between the Parties or towards third parties (contractors, clients, public authorities, etc.), shall always be carried out in the most secure and discreet manner, so that no person other than the legitimate addressee can acquire knowledge of the content of the communication, including the transmitted information and data.
2. Messages containing information pursuant to Article III(1) and (2) shall be transferred using a data box, e-mail message, electronic storage service or a postal services provider or another similar method of physical delivery of the data carrier to the addressee (messenger service, etc.).
3. If possible with regard to the nature of the addressee and the provided services, a data box will be the preferable form of communication.
4. If it is not possible to use the data box, the data may be transferred using an e-mail or a postal services provider or another similar method of physical delivery of the data carrier to the addressee (messenger service, etc.), if it is required by the nature and security of the transferred information. In such cases, it is always necessary to identify the particular addressee and to use the receipt confirmation service, or the personal delivery option.
5. The transfer of information via an e-mail message pursuant to paragraph 4 is subject to proper security of the transferred information. Security means that the file being transferred will be at least compressed to the ZIP or similar file format, and encoded using a safe password. A safe password means a password with at least 8 characters containing both alphanumeric (uppercase and lowercase letters and numbers) and non-alphanumeric characters. The password must be agreed with the addressee in advance and transferred safely; the transfer of a password in an open email message is not considered safe; the same applies to password changes.
6. The responsible representatives of the Parties shall inform each other of the agreed password in a discrete manner.

Article VI

Security Incident

1. If the provider becomes aware of a security incident, the provider shall immediately notify the incident to the receiving party. The same applies if there are reasonable grounds to suspect a security incident.
2. The notification pursuant to this Article shall always be based on the following:
   1. honesty and integrity on the part of the notifier;
   2. the notifier’s firm belief that the notification is true;
   3. the notifier’s firm belief that the conduct/notification is lawful;
   4. verification of the reported information.

Other notifications that do not meet the above criteria (unverified or dishonest notifications made with the intention to harm someone) may give rise to an obligation to compensate the harm (tangible or intangible).

3. A security incident shall be notified in a discreet manner to the person designated by the receiving party.
4. The provider shall ensure that the notification by the notifier is made in such a manner that the notified person is not aware of the notification, if the notification affects the provider’s co-worker or member or another person who is to be qualified as a law offender.
5. The notification shall be made in writing or by email.
6. The notification shall include the following (to the extent that it is inherently possible):
   1. the notifier’s name and surname, job position and contact information;
   2. all information about the notified security incident known to the notifier and to any third parties (i.e. a description of the security incident);
   3. the names and surnames of all persons participating in the security incident, including their job positions or the institution in which they work, and identification of the notified person;
   4. the names and surnames of the persons who have any information about the security incident, including their contact information;
   5. information about how or from whom the notifier found out about the security incident;
   6. information about how the truthfulness and accuracy of the revealed information was verified by the notifier and by the processor;
   7. the processing of personal data, processing operations and personal data affected by the security incident, including the scope of affected data subject;
   8. possible risks to the rights and freedoms of data subjects, to the controller, to the processor or to third parties arising from the security incident.

All evidence available to the provider shall be attached to the notification.

7. The notification shall be made in the Czech language.

Personal Data Protection

This site will tell you everything about the personal data processing that we carry out including information on your rights and on the manner in which you can exercise your rights. You will find more details about each individual processing, your rights and the manner in which your rights may be exercised under the following headings – links to each individual processing of personal data.

I. Employee personal data

II. CCTV

Key characteristics of each individual processing

I. Employee personal data – the processing of employees’ personal data to ensure compliance with the employer’s legal obligations (performance of employment obligations) and exercise and protection of the employer’s rights and legal interests.

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.

II. CCTV – camera system for the protection of the employer’s and third party (e.g. employees, clients) property, life and health.

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.

Specific parameters of the processing of personal data

I. EXAMPLE

1. 1. CONTROLLER
      The personal data controller is ŠMÍDOVÁ LANDSCAPE ARCHITECTS s.r.o. with its registered office located at Křižíkova 213/44, Praha 8, 186 00, ID No.: 05919878, registered in the Commercial Register maintained with municipal court in Prague, Section C, Entry No. 273033 (hereinafter the “Controller”).
   2. YOUR RIGHTS
      You have the following rights in respect of the personal data processing concerned:
      1. ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
      2. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
      3. ERASURE (right to be forgotten) – Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
      4. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
      5. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;

      In addition, you have the right:
      – TO OBJECT – The right to request that your personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

      Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise your rights HERE.

      The administrator for the protection of personal data is not appointed.

   3. PURPOSE OF PROCESSING
      The Controller processes personal data for the purpose of:
      the conclusion of the contract and the possible subsequent performance of a contract with customers or goods.
   4. LEGAL GROUND FOR PROCESSING
      The legal ground for the processing of personal data is:
      performance of a contract with the data subject (Art. 6(1)(b) of the GDPR)
      consent of the data subject; legitimate interest pursued by the Controller or by a third party
   5. SCOPE OF THE DATA being processed
      The Controller processes the following data for the above purpose: /e.g. identification and contact data, i.e. the first name, surname, place of residence, date of birth, phone number, email address, as well as qualification data, i.e. education, previous experience and other competencies (language knowledge, driving license, etc.
   6. PROVISION OF DATA IS NECESSARY
      The provision of personal data is a requirement necessary to enter into a contract.
   7. PERIOD for which the personal data are stored and processed
      The Controller processes personal data: 5 yers.
   8. PLACE where the personal data are being processed
      The place of the processing of personal data shall be: the Controller’s registered office.
   9. RECIPIENTS to whom the personal data may be disclosed
      The personal data will be disclosed to the following recipients (categories of recipients): NO RECIPIENTS.
   10. THIRD COUNTRY
       In the processing of personal data, personal data WILL NOT be transferred outside the EU.
   11. PROCESSOR
       A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.
   12. AUTOMATED DECISION-MAKING AND PROFILING
       Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
       Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.
       In connection with the processing of personal data, automated decision-making WILL NOT/
       In connection with the processing of personal data, profiling WILL NOT.

 

II. CCTV

1. 1. CONTROLLER
      The personal data controller is ŠMÍDOVÁ LANDSCAPE ARCHITECTS s.r.o. with its registered office located at Křižíkova 213/44, Praha 8, 186 00, ID No.: 05919878, registered in the Commercial Register maintained with municipal court in Prague, Section C, Entry No. 273033 (hereinafter the “Controller”).
   2. YOUR RIGHTS
      You have the following rights in respect of the personal data processing concerned:
      1. ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
      2. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
      3. ERASURE (right to be forgotten) – Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
      4. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
      5. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;

      In addition, you have the right:
      – TO OBJECT – The right to request that your personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

      Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise your rights HERE.

      The administrator for the protection of personal data is not appointed.

   3. PURPOSE OF PROCESSING
      The Controller processes personal data for the purpose of:
      the conclusion of the contract and the possible subsequent performance of a contract with customers or goods.
   4. LEGAL GROUND FOR PROCESSING
      The legal ground for the processing of personal data is:
      performance of a contract with the data subject (Art. 6(1)(b) of the GDPR)
      consent of the data subject; legitimate interest pursued by the Controller or by a third party
   5. SCOPE OF THE DATA being processed
      The Controller processes the following data for the above purpose: /e.g. identification and contact data, i.e. the first name, surname, place of residence, date of birth, phone number, email address, as well as qualification data, i.e. education, previous experience and other competencies (language knowledge, driving license, etc.
   6. PROVISION OF DATA IS NECESSARY
      The provision of personal data is a requirement necessary to enter into a contract.
   7. PERIOD for which the personal data are stored and processed
      The Controller processes personal data: 5 yers.
   8. PLACE where the personal data are being processed
      The place of the processing of personal data shall be: the Controller’s registered office.
   9. RECIPIENTS to whom the personal data may be disclosed
      The personal data will be disclosed to the following recipients (categories of recipients): NO RECIPIENTS.
   10. THIRD COUNTRY
       In the processing of personal data, personal data WILL NOT be transferred outside the EU.
   11. PROCESSOR
       A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.
   12. AUTOMATED DECISION-MAKING AND PROFILING
       Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
       Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, etc.
       In connection with the processing of personal data, automated decision-making WILL NOT/
       In connection with the processing of personal data, profiling WILL NOT.

 

Rights and the exercise of rights

ARTICLE I

EXERCISE OF RIGHTS IN GENERAL

1. CHANNELS USED TO EXERCISE RIGHTS

Subject to the terms and conditions provided below, the rights may be exercised as follows:

1. 1. via email address: info@landscape.archi
   2. via written notification to the following address: Křižíkova 213/44, Praha 8, 186 00
   3. in person at the following address: Křižíkova 213/44, Praha 8, 186 00

2. IDENTIFICATION AND SECURE COMMUNICATION

The exercise of rights must not negatively affect the rights and freedoms of third parties. Hence, the Controller has the right and obligation, in necessary cases, to identify the data subject requesting the exercise of rights. For that reason, the Controller must choose a safe and reliable communication channel. Communication via electronic mail with a certified electronic signature, communication via a data box, or communication via a postal service provider, where an authenticated signature of the responsible person is attached to the document being delivered or where the reply is served upon the addressee personally, shall be considered a reliable communication where the identity of the addressee need not be further verified.

3. RIGHTS EXERCISED ORALLY

In exceptional cases, when requested by the data subject, the information may be provided or the rights exercised orally, provided that a written record is made of the oral provision of information or exercise or rights by the data subject. The identity of the data subject must be verified using an ID card, passport, driver’s license or another document that may serve as evidence that the rights are exercised by the person who is entitled to exercise those rights, unless the data subject is personally known to the person responding to the request.

4. ELECTRONIC APPLICATION

Where the data subject makes the request or exercises its rights by electronic means, the response shall be provided by electronic means where possible, unless otherwise requested by the data subject.

5. CHARGE

The information provided to the data subjects, the copies of data provided to the data subjects and any communication and any action relating to the exercise of rights by the data subjects shall be free of charge.

6. REJECTION AND CHARGE

Where the data subject’s request (exercise of right) is manifestly unfounded or unreasonable, particularly because it is identical or predominantly identical or excessive, and cannot be complied with within the statutory deadline,

1. 1. compliance with the request shall be subject to a deposit to cover the administrative costs associated with the provision of the requested information or communication or with the requested actions; the deposit may be claimed up to the amount of the estimated costs and the requested information, communication, etc. shall only be released to the data subject after full reimbursement of the incurred costs, or
   2. the request shall not be complied with, or the exercise of the right shall be declined in writing with a reasoning.

7. RESPONSE PERIOD

The data subjects’ requests and the exercise of the data subjects’ rights are responded to without undue delay. A response containing the requested information or a description of the measures adopted following the data subject’s request, etc., must be delivered to the data subject no later than within 30 days from the date of receipt of the request. If, for serious reasons, the matter cannot be resolved within the above deadline, the data subject shall be notified in writing or by email, no later than by the end of the above deadline, that the deadline will not be met, together with the reasons for the delay and a new deadline within which the matter will be resolved; the deadline may not be extended by more than 60 days.

ARTICLE II

RIGHT OF ACCESS TO AND RIGHT TO OBTAIN A COPY OF PERSONAL DATA

1. Upon request, the data subject shall have the right to obtain confirmation as to whether or not his/her personal data are being processed.

2. If the personal data concerning the data subject are being processed, the data subject shall receive the following information:

1. 1. the purposes of the processing and the legal basis/title for the processing of personal data, including reference to the provisions of the applicable legal regulation, and the scope and consequences of the processing;
   2. the recipients or categories of recipients of personal data, if any;
   3. the transfer of personal data to third countries, where applicable, including information on the appropriate safeguards to ensure security of the data transferred to a third country;
   4. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
   5. the existence of the right to request access to and rectification or erasure of personal data concerning the data subject or the right to request restriction of processing or to object to the processing of personal data and the conditions under which the rights arise and the manner in which the rights may be exercised; the information shall only include the rights the exercise of which is relevant to the nature of the processing of personal data;
   6. the existence of the right to data portability, the conditions under which the right arises and the conditions under which it may be exercised, to the extent that the exercise of such right is relevant to the nature of the processing of personal data;
   7. the existence of an automated decision-making process and the data subject’s rights connected with automated decision-making;
   8. the source of personal data, and, where applicable, the fact that the personal data were obtained from publicly accessible sources;
   9. the right to lodge a complaint with the supervisory authority (Office for Personal Data Protection);
   10. the existence of an automated decision-making in the form of profiling and the significance and the envisaged consequences of such processing for the data subject.

3. The data subject shall have the right to request a copy of the personal data undergoing processing. The first copy is free of charge. For any further copies, a reasonable fee may be charged. Article I, Paragraph 6 shall apply accordingly.

4. Where the right to obtain a copy could adversely affect the rights and freedoms of third parties (e.g. copies containing third party personal data which the requesting data subject has no legal title to obtain), the copy shall be anonymised in an appropriate manner. If anonymisation is not possible or if, as a result of the anonymisation, the requested information loses the strength of evidence, no copy shall be provided.

ARTICLE III

RIGHT TO RECTIFICATION

1. The data subject shall have the right to obtain rectification of the personal data being processed, if the data are inaccurate or incomplete in relation to the purpose for which they are being processed. The data subject shall have the right to request that the personal data be rectified (and completed) or completed.

2. If the data subject has exercised the right to rectification of the personal data being processed, the Controller shall immediately review the processing of personal data that is the subject of the exercised right to rectification.

3. If the objection is found to be reasonable, at least to some degree, the Controller shall, without undue delay, ensure that the situation is remedied, i.e. that the processed personal data are rectified or completed.

4. The data subject will be notified in writing or by email of the result of the review and the measures adopted.

ARTICLE IV

RIGHT TO ERASURE

1. The data subject shall only have the right to obtain from the data controller the erasure of personal data concerning him or her if one of the following grounds applies:

1. 1. the personal data are not necessary in relation to the purposes for which they were collected or otherwise processed;
   2. the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
   3. the data subject has raised a reasonable objection to the processing;
   4. the personal data have been processed unlawfully, especially without legal grounds;
   5. the personal data have to be erased for compliance with a legal obligation arising from a particular legal regulation or a decision based on a legal regulation;
   6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

2. An erasure of personal data shall mean the physical destruction of the personal data carrier (e.g. destruction of documents) or the deletion of the data (from multimedia carriers) or other permanent exclusion of the personal data from further processing.

3. If the data subject has exercised the right to erasure of the processed personal data, the Controller shall review the data subject’s request. If the request is found to be reasonable, at least to some degree, the personal data shall be erased to the necessary extent. Article I, paragraph 7 hereof shall apply accordingly.

4. The data that are the subject of the right to erasure shall be marked until the data subject’s request is complied with.

5. The personal data shall not be erased to the extent that their processing is necessary:

1. 1. for exercising the right of freedom of expression and information;
   2. for compliance with a legal obligation arising from legal regulations;
   3. for reasons of public interest in the area of public health (points (h) and (i) of Art. 9(2) and Art. 9(3) of the GDPR);
   4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
   5. for the establishment, exercise or defence of the Controller’s rights.

ARTICLE V

RIGHT TO RESTRICTION OF PROCESSING

1. Where the data subject has exercised the right to restriction of processing in respect of a specific processing of personal data, the Controller shall immediately assess relevance of the data subject’s request, primarily the existence of the grounds for exercising the right to restriction of processing; the assessment shall take into account the content of the request as well as other facts and circumstances relating to the processing concerned.

2. The data subject shall have the right to restriction of processing where one of the following grounds applies:

1. 1. the accuracy of the personal data is contested by the data subject;
   2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead;
   3. the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
   4. the data subject has objected to processing.

3. The personal data affected by restriction shall be marked.

4. Where processing has been restricted, the personal data concerned may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

5. If the restriction of processing is lifted, the data subject shall be informed in writing or by email before the restriction of the processing of personal data is lifted. The information shall contain the date on which and the reasons why the restriction will be lifted.

ARTICLE VI

RIGHT TO PORTABILITY

1. If the processing of personal data involves personal data obtained from the data subject (either data directly provided by the data subject or data obtained about his/her activities, etc.) and concerning the data subject, the data subject shall have the right to portability (receipt and transmission) of those data if the processing is based on consent of the data subject or on a contract with the data subject and the processing is carried out by automated means. The right to portability does not apply to the data and information created by the Controller on the basis of the data obtained from the data subject (e.g. profiling of the envisaged consumer behaviour of the data subject based on the data obtained from the data subject, etc.).

2. In exercising the right to portability of data, the data subject may request the following:

1. 1. have the personal data that are subject to the right to portability transferred to the data subject in a structured, commonly used and machine-readable format; format requiring special paid license or format excluding further editing of or other manipulation with (processing of) the personal data (e.g. *.pdf) shall be avoided;
   2. have the personal data that are subject to the right to portability transferred to another personal data controller designated in the data subject’s request for the transfer of data, in a structured, commonly used and machine-readable format; format requiring special paid license or format excluding further editing of or other manipulation with (processing of) the personal data (e.g. *.pdf) shall be avoided.

3. A request of the data subject shall not be complied with if, inter alia (Article I(6)), compliance with the request would adversely affect the rights and freedoms of other persons (data subjects).

4. A request for portability of data pursuant to Paragraph 2(b) shall further not be complied with, if the transfer of data is technically not feasible; transfer of data that cannot be adequately secured by available technical means given the nature of the transferred personal data and the risks involved shall also be considered to be technically not feasible.

5. In addition to the transferred personal data, information on the purposes of the processing of personal data shall be transferred and, where requested by the data subject, also information on the processing of personal data to the extent of Article 13 of the GDPR.

ARTICLE VII

AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING

1. No decision or legal act concerning the data subject or other measures or procedures which produce adverse legal effects concerning the data subject or similarly significantly affect the data subject (e.g. automated refusal of an online credit application, e-recruiting practices without any human involvement and review of the electronic system’s negative decisions) can be based on automated individual decision-making, including profiling, unless the decision is:

1. 1. necessary for entering into, or performance of, a contract between the data subject and the data controller;
   2. authorised by legal regulations which lay down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
   3. based on the data subject’s explicit consent.

2. In the cases referred to in points (a) and (c) of Paragraph 1, the Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests and prevent them from negative effects of automated individual decision-making. Such measures include at least the data subject having a chance to express his/her point of view prior to the implementation of the action with negative consequences, a chance to have the decision reviewed by the Controller-appointed person and the right to obtain human intervention, e.g. a regular review of the functionality of the automated decision-making system and a setup of its functionality so as to exclude unreasonable interference with the rights and freedoms or legitimate interests of the data subject.

3. Where the processing involves sensitive data, or where individual decisions pursuant to Paragraph 1 are to be based on sensitive data, Paragraph 2 shall only apply if sufficient safeguards have been ensured pursuant to Paragraph 2 of this Article on condition that the processing of personal data is based on explicit consent of the data subject pursuant to Article 9(2) point (a) of the GDPR, or the processing is necessary for reasons of important public interest stipulated by law and the processing is adequate to the envisioned objectives, compliant with the personal data protection law and provides sufficient and specific safeguards of the protection of fundamental rights and interests of the data subject.

ARTICLE VIII

RIGHT TO OBJECT

1. If the processing of personal data is based on point (e) of Article 6(1) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or point (f) of Article 6(1) of the GDPR (processing is necessary for the purposes of protection of the rights and legitimate interests pursued by the controller), the data subject shall have the right to object to the processing of personal data concerned.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of the personal data concerning him or her for such marketing, including profiling to the extent that it relates to such direct marketing. Where the data subject has objected to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

3. If the data subject has exercised the right to object, the Controller shall investigate the objection without undue delay.

4. The personal data or the processing of personal data concerned shall be marked until the data subject’s objection is resolved.

5. The personal data that are the subject of a justified objection can no longer be processed, unless:

1. 1. further processing is important for serious legitimate reasons that override the interests or rights and freedoms of the data subject, or
   2. further processing is necessary for the establishment, exercise or defence of the Controller’s rights.