Personal data protection
according to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
This document outlines the principles and procedures for the processing of personal data and rights, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), and Act No. 480/2004 Coll., on certain services of the information society, as amended.
I. Definitions
Personal Data: Any information relating to an identified or identifiable customer; an identifiable customer is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
Controller: Ryšavý s.r.o. (hereinafter referred to as the "Controller"), an entity that determines the purposes and means of the processing of personal data, carries out the processing and is responsible for it. The Controller may authorize or appoint a processor to process personal data, unless otherwise stipulated by special law;
Processor: Any entity that processes personal data based on special law or authorization from the Controller in accordance with the Law and the Regulation, on the basis of a personal data processing agreement;
Data Subject (hereinafter referred to as the "customer"): A natural person (including self-employed persons) to whom the personal data relate (e.g., a potential, existing, or lost customer).
II. Principles of personal data processing
The Controller processes personal data in the spirit of the following principles derived from the Regulation:
- Lawfulness, fairness, and transparency of processing;
- Purpose limitation – collection only for specified, explicit, and legitimate purposes;
- Data minimization – adequacy, relevance, and limitation of processing to what is necessary in relation to the purpose;
- Accuracy and timeliness – the Controller takes all reasonable steps to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are erased or rectified without delay;
- Storage limitation – personal data are kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, subject to the implementation of appropriate technical and organizational measures required by current legislation to safeguard the rights and freedoms of the data subject;
- Integrity and confidentiality – personal data are processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using suitable technical or organizational measures.
III. Customer rights
The customer has the right to the following information:
- Information about the purposes of processing
- Information about the processed personal data
- Information about the processors
- Information about the planned period for which personal data will be stored, or if this cannot be determined, the criteria used to determine this period
- Specification of the legitimate interest of the controller or a third party if the processing is based on this reason
- Information about the source from which personal data originate
The customer has the right:
- a) To access their processed personal data, to have them corrected, deleted, or to restrict their processing;
- b) To object to this processing;
- c) To lodge a complaint with a supervisory authority;
- d) To withdraw consent to the processing of personal data at any time with effect for the future;
- e) To obtain confirmation from the controller as to whether or not their personal data are being processed;
- f) To have the controller correct without undue delay any inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed;
- g) To have the controller erase personal data without undue delay (also the right to be forgotten) concerning the data subject, and the controller is obliged to erase personal data without undue delay in the cases specified in the Regulation: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the customer withdraws consent on which the processing is based and there is no other legal ground for the processing; c) the customer objects to the processing and there are no overriding legitimate grounds for the processing; d) the personal data have been unlawfully processed; e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services. Details and exceptions to the exercise of this right are regulated by the Regulation;
- h) To have the controller restrict processing in any of the following cases: a) the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; d) the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject;
- i) To data portability, i.e., to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent or on a contract, and b) the processing is carried out by automated means;
- j) To object to the processing of personal data at any time. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims;
- k) Not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Exceptions and details are specified by the Regulation.
IV. Options for exercising customer rights with the Controller
List of communication channels through which a customer request can be received and responded to:
- By e-mail: info@rysavy-cz.com
- By post to the address: Ryšavý s.r.o., Brněnská 127, 691 63 Velké Němčice
- By phone: +420 539 003 430
V. Sources of personal data
The Controller obtains personal data of its customers primarily from the customers themselves during negotiations for the conclusion of a Processing Agreement.
The Controller also obtains personal data based on Consent to the Processing of Personal Data.
VI. Scope of processing
The Controller and its contracted processors process the following personal data, or categories of personal data, in connection with the relevant legal title and purpose of processing:
- a) Name, surname, business address, identification number, bank account number
- b) Electronic contact details: telephone, mobile phone, email address
- c) Other electronic data: IP address, cookies, authentication certificates, identifiers in social networks and communication platforms (e.g., Skype)
VII. Processing of personal data
The Controller processes customer personal data based on the following legal grounds (titles):
- Legitimate interest of the Controller
- Performance of a contract
- Valid consent to the processing of personal data.
1. Legitimate interest of the controller
Personal data will be processed for the purpose of identifying contractual parties and fulfilling the contract, as well as for the purpose of recording the contract and any future assertion and defense of the rights and obligations of the contractual parties. Such processing is permitted under Article 6(1)(b) and (f) of the Regulation.
Personal data will be processed for the duration of the contractual relationship and further to the necessary extent for 10 years after the end of the contractual relationship, unless a different legal regulation requires the retention of contractual documentation for a longer period.
The processing of personal data is carried out by the Controller, but personal data may also be processed for the Controller by the following processors:
- Provider of the economic and accounting system,
- Provider of the email client,
- Relevant banking institution,
- Potentially other providers of processing software, services, and applications, which the Controller does not currently use.
According to the Regulation, the customer has the right to:
- Request information from the Controller about what personal data it processes,
- Request access to these data and have them updated or corrected, or request a restriction on processing,
- Request the deletion of these personal data,
- Object to the processing based on the legitimate interest of the Controller,
- Data portability and the right to request a copy of the processed personal data,
- Lodge a complaint with the Office for Personal Data Protection and the right to effective judicial protection if they believe their rights under the Regulation have been violated as a result of the processing of their personal data in violation of the Regulation.
2. Performance of the contract
The Controller processes personal data of data subjects for purposes arising from the concluded Service Provision Agreement with the customer. The scope of processed personal data is defined in the Processing Agreement. Typically, these data include: name, surname, delivery or other contact address, business address, identification number, bank account number, email, and phone number.
The processing period is defined by the duration of the customer's contractual relationship with the Controller.
3. Valid Consent to the Processing of Personal Data
If the Controller processes the customer's personal data for other purposes that cannot be categorized under legitimate interest or performance of the contract, it may do so only based on valid consent to the processing of personal data provided by the customer, which is an expression of the customer's free will and constitutes a specific title for such handling of personal data.
The customer provides consent by filling out a form on www.rysavy-cz.com, consenting to the processing of their personal data – the processing of their email address.
The email address will be processed for the purpose of inclusion in the database for sending commercial communications.
Personal data will be processed for 3 years from the date of consent, unless this period is extended.
Consent can be withdrawn at any time, for example, by sending a letter, an email, or clicking on a link in the commercial communication. Withdrawal of consent will result in the cessation of sending commercial communications.
The processing of personal data is carried out by the Controller, but personal data may also be processed for the Controller by the following processors:
- Other providers of processing software, services, and applications, which the Controller does not currently use.
According to the Regulation, the customer has the right to:
- Request information from the Controller about what personal data it processes,
- Request access to these data and have them updated or corrected, or request a restriction on processing,
- Request the deletion of these personal data,
- Data portability and the right to request a copy of the processed personal data,
- Lodge a complaint with the Office for Personal Data Protection and the right to effective judicial protection if they believe their rights under the Regulation have been violated as a result of the processing of their personal data in violation of the Regulation.
VIII. Methods of processing
Personal data are processed both automatically and manually and may be made available to the Controller's employees if it is necessary to fulfill their job duties, to processors with whom the Controller has concluded a data processing agreement, and potentially to other persons in accordance with the Law and the Regulation. The list of data processors is included in the List of Processors.
IX. Data processors
Personal data processing may be carried out for the Controller by processors solely based on a data processing agreement, i.e., with guarantees of organizational and technical security of these data and with a defined purpose of processing, whereby processors may not use the data for other purposes.
X. Data protection
The Controller handles customer data in other processing systems, and their protection is ensured by unique usernames and passwords. Usernames and passwords are stored on the Controller's secure server, which requires a username and password for access.
XI. Termination of data handling
The Controller will cease handling customer data after the termination of the contractual relationship, after the expiration of the period specified in the consent to personal data processing, or after the legal reasons for archiving personal data have ceased.
XII. Security breach
In the event of a security breach in data handling or data leakage, the Controller will promptly notify the customer and the Office for Personal Data Protection within 24 hours.