Information on personal data processing
The purpose of this document is to provide visitors to the website, prospective and existing clients (hereinafter referred to as the “Client”) of data controller Flexipal IČ 05137764 with its registered office at Křoví 124, 594 54 Křoví (hereinafter referred to as the “Controller”) with information about the types of personal data processed by the Controller, methods of their processing, purpose of processing and about the Client’s rights regarding the processed personal data. In personal data processing, the Controller acts as a personal data controller.
Personal data processing
Personal data processing in general means the systematic treatment of personal data, in particular the collection of data, the recording and storage of data on data media, their adaptation or alteration, retrieval, consultation, use, transfer, dissemination or any other disclosure, classification or combination, blocking, restriction, erasure or destruction of personal data.
For the purposes of rendering services to its Clients, the Controller is obliged to process their personal data. The processing of the Clients’ personal data is necessary for the conclusion of the contractual relation, and even for negotiations of its conclusion, for the fulfilment of contractual obligations as well as for the purposes of clear identification of the Client.
The Controller processes its Clients’ personal data both manually and in an electronic information system. In this way, the personal data is under permanent physical, technological and electronic control. The Controller’s security mechanisms are set to ensure the maximum possible protection of all data and of personal data processed by the Controller so as to prevent, in particular, their misuse, damage, loss or destruction. Access to the Clients’ personal data processed is only permitted to the Controller’s authorized staff who are bound by the obligation of confidentiality.
In specific cases, the Controller shall notify the Client, in a method stipulated by legal regulations, of an impending data breach that would result in a high risk for the Client’s rights and freedoms.
Legal grounds for personal data processing
The Controller processes its Clients’ personal data based on their consent. The Controller may process the Clients’ personal data without their consent only in cases stipulated by law, based on a statutory obligation of a Controller, for the purpose of performance of obligations arising from the contractual relation with the Client, due to legitimate interests of the Controller or for another legitimate purpose of processing.
Personal data processing based on a Client’s consent
Provision of consent to the processing of personal data by the Client is voluntary. The Client may grant consent to the processing of his/her personal data to the Controller for purposes that are specified in the consent.
Personal data processing without a Client’s consent
Within the framework of service provision, the Controller is obliged (at the conclusion and during the term of the contractual relation) to collect and process its Clients’ personal data as stipulated by legal regulations. For the purpose of service provision, the Controller is not obliged to procure the Clients’ consent to process personal data. It the Client refuses to provide his/her personal data to the Controller, the law stipulates that he/she cannot be rendered the Controller’s services.
The Controller is entitled to process the personal data of its Clients even without their consent, in particular for the following purposes:
- fulfilment of the Controller’s obligations ensuing from legal regulations,
- fulfilment of obligations ensuing from a contract concluded with the Client,
- legitimate interests of the Controller,
- protection of the Controller’s rights and protected interests.
Personal data processed
The Controller processes the below data of its Clients, mainly for the purpose of addressing prospective Clients, their identification and further communication concerning the conclusion of the contractual relation with the Controller, i.e.:
- basic identification data, in particular first name, surname, date of birth, birth certificate number, company name, identification number
- contact details, in particular telephone number, e-mail address, postal address, permanent address, address of the registered office.
For the purposes of service provision, the Controller also retains and processes other data to the extent necessary for the provision of services, performance of the contract and compliance with statutory obligations.
The above personal data of the Clients are used for the above purposes, or as the case may be, for the purposes specified in the consent granted by the Client.
Personal data sources
The Controller only processes the personal data provided by the Clients themselves in the course of negotiations of the conclusion of the contractual relation and during the term of the contractual relation.
The Controller shall process the Clients’ personal data for the period of service provision and contract performance. After that, the Controller shall retain the personal data of the Clients or prospective Clients for the period stipulated by legal regulations. In case the personal data are processed based on consent, the Controller shall process such data for the period for which the Client granted the consent thereto.
Any and all personal data of the Clients or prospective Clients shall be erased from the Controller’s systems as soon as the data processing periods elapse.
The Clients’ personal data may be disclosed to third parties without the Clients’ consent in particular:
- as part of fulfilment of obligations stipulated by legal regulations,
- to other persons for the purpose of protection of the Controller’s rights and protected interests,
- to persons authorized by the Controller to perform its contractual and statutory obligations,
- upon consent of the Client or upon his/her instruction to transfer the data to other entities.
Clients’ rights related to personal data processing
Right of access
The Client is entitled to request information on whether and which personal data concerning him/her are processed by the Controller and to access such personal data to the extent stipulated by legal regulations. The Controller shall provide all necessary assistance to the Client without undue delay after the Client makes the request.
Right of rectification
The Client is entitled to request explanation from the Controller in case he/she believes that the Controller or processor processes e.g. inaccurate personal data concerning him/her. In this context, the Client is entitled to claim rectification/completion of his/her personal data.
Right to data transferability
The Client has the right to obtain his/her personal data from the Controller in a structured, commonly used, machine-readable format, and the right to transfer the data to another controller (or request that the Controller transfer the data to another controller directly, if technically feasible) without the Controller hindering the process. This applies to the case where personal data processing is based on the Client’s consent, the contractual relation with the Controller or in case the processing is performed by automatic means.
Right to object
The Client is entitled to raise an objection to the processing of his/her personal data. In response to the objection made, the Controller undertakes to communicate to the Client the grounds on which the Controller is entitled to process the personal data. If the Client objects to the processing of his/her personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to restriction of processing
The Client is entitled to request from the Controller restriction of processing his/her personal data if the accuracy of the personal data is contested by the Client, if the processing is unlawful and the Client opposes the erasure of the personal data, if the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Client for the establishment, exercise or defence of legal claims, or if the Client objected to the processing.
The restriction of the processing of the Client’s personal data shall last for a period determined by legal regulations. The Controller shall notify the Client of the fact that the restriction shall be subsequently cancelled.
Withdrawal of consent to personal data processing
The Client is entitled to withdraw his/her consent to the processing of personal data at any time.
Based on the consent withdrawal, the Controller shall cease processing the data for which the Client previously granted the consent. However, the Controller is obliged to process the Clients’ personal data for the purpose of fulfilment of obligations stipulated by legal regulations, e.g. Act No. 563/1991 Coll., on Accounting, etc., for the purpose of fulfilment of obligations within the contractual relation with the Client as well as for the purpose of establishment, exercise or defence of legal claims, as the case may be. The Clients’ personal data shall continue to be processed only on the above mentioned grounds for a period determined by legal regulations. Withdrawal of consent to personal data processing shall not affect the lawfulness of processing that occurred before such withdrawal.
Except for cases stipulated by legal regulations, where the data processing does not require the Client’s consent (see Article 6(1) Regulation (EC) No. 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data – GDPR), the Controller processes the personal data of its Clients only upon their voluntary consent.
After the termination of all contractual relations with the Controller, the Client may withdraw his/her consent to the processing of personal data and the birth certificate number for purposes not stipulated by legal regulations. In case the Client withdraws the consent to the processing of his/her personal data, the Controller shall retain only those data that are necessary for the fulfilment of the Controller’s obligations ensuing from legal regulations.
Right to erasure
The Client is also entitled to request the destruction of his/her personal data if he/she considers that the Controller processes such personal data in violation of the protection of his/her private life or in violation of legal regulations. The Client has the right to request the Controller the erasure of personal data concerning him/her in case they are no longer necessary in relation to the purposes for which they were processed, in case the personal data were unlawfully processed, in case the Client withdraws the previously granted consent and there is no other legal ground for the processing, and also in case the Client objects to the processing of his/her personal data and there are no overriding legitimate grounds for the processing.
Exercise of the Client’s rights
The Client may exercise his/her rights by contacting the Controller at the e-mail address firstname.lastname@example.org or by a letter addressed to the registered office of the Controller: Křoví 124, 594 54 Křoví .
The Client shall be informed about the settlement of his/her request by the Controller without undue delay except for cases where this is not feasible or where it requires unreasonable effort. If the Client’s requests are clearly unfounded or unreasonable, in particular because they are made repeatedly, the Controller may charge the Client a fee reflecting the administrative costs of providing the requested information or communication or taking the requested action, or refuse to comply with the request.
The Client is also entitled to address its complaint to the supervisory authority, which is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.