Statement concerning the personal data processing under the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and guidance to data subjects (hereinafter referred to as “GDPR”)
REIWAG Facility Services s.r.o., registered office at Perucká 2542/10, 120 00 Praha 2, Company ID:40763544, VAT registration no.: CZ40763544, registered on 21 Aug 1991 in the Company Register kept by the Prague Municipal Court, Part C, File 3581 (hereinafter referred to as “Controller”), hereby informs you on the processing of your personal data and advises you on your rights in accordance with GDPR, Article 12.
2. Extent of personal data processing
Personal data are processed in an extent in which the personal data have been provided to the Controller in relation to entering into a contract or another legal relationship with the Controller, or that have been collected and processed by the Controller in accordance with the applicable legal regulations or for the Controller’s compliance with legal obligations.
3. Sources of personal data
- directly from data subjects (e-mails, phone calls, chat, websites, contact forms on websites, social networks, business cards, etc.)
- publicly accessible registers, lists and files (e.g. Company Register, Trade Register, Real Estate Register, public telephone directory, etc.)
4. Categories of personal data subject to processing
- address and identification data allowing unique and distinct identification of the data subject (e.g. name, surname, academic degree, or birth identification number, date of birth, permanent address, company ID, VAT registration number) and contact details allowing to contact the data subject (contact details – e.g. contact address, phone number, fax number, e-mail address and other similar information)
- description data (e.g. bank details)
- other data necessary for the performance of a contract
- data provided beyond the applicable laws, processed within the consent given by the data subject (processing of photographs, personal data used for the purposes of human resource procedures, etc.)
5. Categories of data subjects
- customers of the Controller (only for subjects registered in the e-shop system)
- employees of the Controller
- service providers
- other persons who have a contractual relationship with the Controller
- job candidates
6. Categories of personal data recipients
- financial institutions
- public institutions
- national and other authorities in terms of compliance with legal obligations set out by the applicable legal regulations
- other recipients (e.g. transfers of personal data abroad – EU countries)
7. The purpose of personal data processing
- purposes covered by the data subject’s consent
- negotiations on contractual relations
- performance of a contract
- protection of the rights of the Controller, recipient or other persons concerned (e.g. recovery of the Collector’s claims)
- archiving performed under the law on recruitment for vacant positions
- compliance with legal obligations by the Controller
- protection of the data subject’s vital interests
8. Methods of personal data processing and protection
The processing of personal data is carried out by the Controller. The processing is performed in the Controller’s places of business, branches and registered office by individually authorised employees of the Controller, or by the processor, as the case may be. The processing is performed with the help of computer technology or, in case of personal data in documentary form, also manually while observing all security rules applicable to personal data management and processing. To meet this purpose, the Controller has implemented technical and organisational measures in order to ensure the protection of personal data, particularly measures to prevent unauthorised or accidental access to, alteration, destruction or loss, unlawful transfers, unauthorised processing, or any other misuse of personal data. Any and all subjects that may be given access to personal data shall respect the right of data subjects to privacy protection and shall act in compliance with the applicable legal regulations concerning the personal data protection.
9. Duration of personal data processing
In compliance with the time limits referred to in relevant contracts, record management and retention policy of the Controller, or in the applicable legal regulations, the duration means a period of time strictly necessary to safeguard the rights and obligations resulting from both the contractual relationship and the applicable legal regulations.
The Controller processes data with the consent of the data subject with the exception of cases provided for by law when personal data processing does not require any consent of the data subject. In accordance with Article 6, para 1 of GDPR, the Controller is permitted to process the following data without the consent of the data subject:
- the data subject has given consent for one or more specific purposes,
- processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract,
- processing is necessary for compliance with a legal obligation to which the Controller is subject,
- data processing is necessary in order to protect the vital interests of the data subject or that of another natural person,
- data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
- data processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data
11. The rights of data subjects
1) In accordance with Article 12 of GDPR, the Controller shall, at the data subject’s request, inform the data subject of the right of access to personal data and the following information:
- the purposes of processing,
- the category of personal data concerned,
- recipients or categories of recipients to whom the personal data have been or will be disclosed,
- the envisaged period for which the personal data will be stored,
- any available information as to the source of personal data,
- where the personal data are not collected from the data subject, the existence of automated decision-making, including profiling.
2) Every data subject who becomes aware of or considers that the Controller or processor carries out processing of their personal data in infringement of the protection of the data subject’s private and personal life or of the law, especially when such personal data are inaccurate with respect to the purpose of the processing, shall have the right to:
- Ask the Controller or processor for explanation.
- Request the Controller to rectify the condition. This may, in particular, include blocking, correcting, completing or deleting of personal data.
- If, pursuant to para 1 herein, the request of the data subject is found justified, the Controller shall rectify the detrimental condition immediately.
- If the Controller fails to satisfy the data subject’s request pursuant to para 1 herein, the data subject shall have the right to bring their complaint directly to the attention of the supervisory authority, i.e. the Office for Personal Data Protection.
- Acting in accordance with the procedure referred to in para 1 shall not preclude the data subject’s right to bring their complaint directly to the attention of the supervisory authority.
- The Controller shall have the right to request reasonable compensation for the provision of information not exceeding the necessary costs of its provision.
This statement is publicly available on the Controller’s website.