GDPR

A) Introduction

We, SYNER, s.r.o, company ID 48292516, with registered office at Dr. Milady Horákové 580/7, 460 01 Liberec, registered in the Commercial Register maintained by the Regional Court in Ústí nad Labem, Section C, Insert 5153 (hereinafter also referred to as "Controller" or "Company"), issue this declaration on the protection of personal data, which we have prepared in accordance with the applicable legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "Regulation"). Through this statement, we want to inform our business partners, employees and the general public about how we handle personal data in our company.

B) Terms

Personal data - is any information relating to an identified or identifiable natural person (data subject); an identifiable person means a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Sensitive data - Special categories of personal data which are indicative of a natural person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life or sexual orientation. Genetic and biometric data which are processed for the purpose of uniquely identifying a natural person are also considered to be a special category of data.
Data Subject - is any natural person whose personal data is handled by the Company, including personal data of employees.
Data Controller - is the entity that determines the purposes and means of processing personal data and is responsible for the processing. In this case, the data controller is the Company.
Data Processor - is any natural or legal person, public authority, agency or any other entity processing personal data on behalf of the Data Controller (data processing through a subcontractor - e.g. a company that processes payroll on a contractor basis).
Data Protection Officer - a person designated by the data controller to monitor compliance of the handling of personal data with the Regulation and other applicable law, provide information and advice to the data controller (including employees involved in the processing of personal data) or data processors. The Company is not obliged to appoint a Data Protection Officer within the meaning of Article 37 of the Regulation and has not appointed a Data Protection Officer within the meaning of Article 37 of the Regulation.
Handling of personal data - means any operation or set of operations performed on personal data, such as collection, recording, organization, storage, alteration or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. This includes the manual processing of personal data in structured files.
Automated individual decisions - are decisions which have legal consequences for or significantly affect the data subject and which are based solely on automated data processing designed to evaluate certain personal aspects of the data subject, such as his or her job performance, creditworthiness, reliability, behaviour, etc.
Recipient - means any natural or legal person, public authority, agency or any other entity to which the data are disclosed, whether or not it is a third party. However, public authorities that may receive data in the context of an individual enquiry are not considered recipients.
Third party (person) - is a person or entity other than the data controller. Third parties do not include data subjects or persons or entities that have an obligation to collect, process or use personal data in the Czech Republic, another member state of the European Union or another state that has concluded the European Economic Area Agreement.

C) Sources of personal data

The controller collects personal data in the course of its activities:

directly from the data subject when negotiating a deal or providing a service and during their subsequent implementation,
from publicly accessible registers, lists and records (commercial register, trade register, land register, public telephone directory, etc.) and from other public,
from other bodies, if a specific regulation so provides,
within the framework of the consent given by the data subject (processing of photographs, use of personal data for the purpose of personnel management, etc.),
where appropriate, from other bodies, if the data subject has given his/her consent.

D) Scope of the personal data

The controller processes the personal data of data subjects to the following extent:

identification data of the data subject, in particular name, surname, title, birth number, date and place of birth, sex, marital status, nationality, permanent address, contact address and telephone connection, in the case of a natural person running a business, his/her business name, distinguishing supplement or other designation, place of business and identification number, likeness, signature,
contact details of the data subject, in particular email address, telephone number,
other descriptive data (bank account, educational qualifications, etc.),
personal data of a person related to the data subject (identification and contact details of a family member such as husband, wife, partner, companion, descendants),
information from external sources, in particular from publicly accessible registers (e.g. commercial register, trade register, land register, insolvency register, public telephone directory, etc.).
Sensitive data only to the extent strictly necessary.

E) Purpose of the processing of personal data and duration of the processing of personal data

Implementation of the contractual relationship
1. The processing of personal data necessary for the proper performance of the rights and obligations arising for the Controller from the contractual relationship with the data subject (e.g. preparation of the conclusion of the contractual relationship, execution of transactions, control of the performance of contracts, etc.).
2. The Controller processes personal data for this purpose for the duration of the contractual relationship.
Legitimate interest of the Controller
1. The processing of personal data is necessary for this purpose (e.g. protection of the Controller's premises, internal reporting, dispute resolution with the data subject and protection and assertion of the Controller's rights, administration and recovery of claims).
2. The Controller processes personal data for this purpose for the duration of the contractual relationship and until the expiry of the limitation periods arising from the performance of rights and obligations under the contractual relationship, or for the time necessary if it is not connected with the contractual relationship between the Controller and the data subject.
Compliance with the obligations laid down by law
1. The processing of personal data is necessary for this purpose for the reason that its processing is required by law or other generally binding legal regulation (e.g. compliance with reporting obligations to public authorities, compliance with obligations relating to the enforcement of decisions, compliance with archiving obligations, compliance with obligations arising from regulations governing insurance premiums, taxes and accounting, obligations arising from regulations governing employment, etc.).
2. The controller processes personal data for this purpose to the extent provided for by the relevant legislation.
Processing on the basis of consent
1. The controller shall further process personal data to the extent and in the manner for which the data subject has given his or her consent.
2. The controller shall process personal data for this purpose for the duration of the consent.

F) Method of processing personal data

The controller shall process the personal data of the data subject by automated means and manually in compliance with all security principles for the management and processing of personal data. To this end, the Controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmissions, unauthorised processing and other misuse of personal data. All entities to which personal data may be disclosed shall respect the data subject's right to privacy and shall comply with applicable data protection laws.

G) Information about the disclosure of personal data to third parties - recipients of personal data

The Controller transfers the personal data of the subjects to the state supervisory authorities and other persons to whom it is obliged to disclose personal data on the basis of legal regulations - these are in particular state administration authorities, courts, law enforcement authorities, bailiffs, notaries, insolvency administrators, etc.
The Controller processes personal data through its own employees as a data controller or through its processors, on the basis of a contract concluded in accordance with the Regulation, while ensuring technical, organisational and personnel measures ensuring a high level of protection and security of the Subjects' personal data.

H) Rights of Data Subjects

Right of access to personal data
The Subject is entitled to request the Controller for access to his/her personal data, in particular for information on the processing of his/her personal data, including at least a statement of the purpose of the processing of personal data, the scope and content of the personal data (e.g. by way of a list), or the categories of personal data subject to processing, including any available information on their source, the nature of the automated processing in relation to its use for decision-making, if acts or decisions are made on the basis of this processing, the content of which is to interfere with the rights and legitimate interests of the Data Subject, and the recipients or categories of recipients of the personal data.
Right to rectification of personal data
The data subject shall be entitled to object to the incorrect processing of personal data and shall be entitled to request the rectification or completion of such personal data. In such a case, the controller shall inform the recipient of the data subject's request without undue delay.
Right to restriction of processing
1. The right to restriction of processing is available to the Data Subject if:
  1. denies the accuracy of the personal data for the period necessary to verify the accuracy of the personal data,
  2. the processing is unlawful and the Data Subject refuses to erase the personal data and instead requests a restriction on its use,
  3. if the Controller does not need the personal data of the data subject for the purposes of the processing but the data subject requires the personal data for the establishment, exercise or defence of legal claims,
  4. where the data subject has objected to the processing, until it is verified that the legitimate grounds of the controller for the processing override the interests, rights and freedoms of the data subject.
2. Restriction of processing means that the personal data of the data subject in respect of which processing has been restricted are identified and, for the duration of the restriction, the personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The data subject who has obtained a restriction on processing shall be notified in advance by the Data Controller that the restriction on processing will be lifted.
Right to erasure of personal data
The right to erasure of personal data applies only to personal data for the processing of which the data subject has given consent and there is no other legal basis for the processing of personal data.
Right to data portability
The data subject may request that the Data Controller provide the data subject's personal data for the purpose of transferring it to another data controller. However, this right only applies in respect of those data processed by the Data Controller by automated means on the basis of the data subject's consent or a contract with the data subject.
Right to object
1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
2. Furthermore, the data subject shall have the right to object at any time to processing of personal data concerning him or her on grounds relating to his or her particular situation, where the processing is carried out for the performance of a task carried out in the public interest or for the legitimate interests of the controller or of a third party.
3. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to lodge a complaint with a supervisory authority
If the data subject considers that the processing of personal data infringes data protection legislation, he or she has the right to lodge a complaint with a supervisory authority. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz
Enquiries
If you have any questions regarding the protection of personal data, you can contact our employee responsible for the protection of personal data at: gdpr@syner.cz