DECLARATION ON THE PROCESSING OF PERSONAL DATA

Declaration on the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter the “GDPR”) and instructions for data subjects

I. Introduction

The purpose of this declaration is to provide information about the procedures and obligations of our company in the application of the requirements of the General Data Protection Regulation. The following terms are used in the text below:

• PD – personal data, i.e. any information leading to the identification of a particular person
• PD owner – the subject that is the keeper of the personal data that our company possesses and is processing
• Controller – our company, which keeps records of, processes, archives and protects your personal data
• Processor – a company that we have contractually engaged for the processing of your personal data; this company guarantees that its system of handling, processing and protecting your personal data is ensured to the extent of the requirements of the GDPR, and your rights are not limited

II. Personal Data Controller

The company SCS-Engineering a.s., registered office: Vinecká 317, 293 01 Mladá Boleslav, Czech Republic, Company ID: 01682369, registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Entry 19109, contact e-mail address for personal data protection matters: gdpr@scs-engineering.cz, telephone number: +420 724 090 860 (hereinafter the “Controller”) hereby informs you in accordance with the provisions of Article 12 of the GDPR about the processing of your personal data and about your rights.

III. Extent of Processing of Personal Data

Personal data are processed to the extent that they have been provided to the controller by the relevant subject in connection with and on the basis of free choice at the moment of entering into this relationship or registration and also within the framework of the contractual or other legal relationship with the controller, or which the controller has otherwise compiled and is processing in accordance with applicable legislation or for the performance of the lawful duties of a controller.

IV. Sources of Personal Data

We obtain personal data from PD owners (commercial communication, purchases, the supplying of goods and services, on-line contact forms, telephone communication, business cards, etc.).

Other sources of personal data are information necessarily provided by job applicants and workers. If personal data are obtained from public sources, they are used solely for the purpose of the realization of a commercial relationship or in accordance with the secured consent of the holder of the personal data.

V. Categories of Personal Data Subjected to Processing

• Identifying data serving for the clear, unambiguous identification of the PD owner (given name and surname, date of birth, birth ID number, permanent residence address, etc.)
• Descriptive data (e.g. bank account)
• Data required for contractual performance (e-mail address, telephone number, work address, job title, etc.)
• Data provided above and beyond the framework of applicable laws and regulations, processed within the framework of consent granted by the PD owner

VI. Categories of Personal Data Owners

• Customers
• Customers’ customers
• Employees, independent contractors and job applicants
• Owners of the personal data of suppliers and partners providing services required for our company’s operations
• Other parties in a contractual relationship with the PD controller

VII. Categories of Personal Data Recipients

• State officials and other authorities performing their lawful duties as established by applicable legislation
• Financial institutions and institutions of public administration
• PD processors on the basis of signed contracts
• Third parties and organisations on the basis of consent granted by the PD owner
• Our company as the PD controller

VIII. Purpose of Processing of Personal Data

• Purposes contained in the consent of the data subject
• Contractual negotiations
• Contractual performance
• Protection of the rights of the controller, recipient or other relevant parties
• Archiving maintained on the basis of legislation
• Hiring procedures for job openings
• Performance of lawful duties on the part of the controller
• Protection of the vital interests of the PD owner or of other subjects

IX. Method of Processing and Protecting Personal Data

The processing of personal data is performed by the controller or by a processor with whom the controller has entered into a contract, which guarantees that all responsibilities for the processing of personal data and the rights of the PD owner shall be observed.

The processing is carried out at the headquarters and worksites of the controller or processor. Processing is performed either using computer technology or manually in case of PD in a hard-copy format, in compliance with all security principles for the administration and processing of personal data. For this purpose, the controller has adopted technical organizational measures to secure the protection of the PD, and in particular measures to prevent unauthorized or random access to the PD, their alteration, destruction or loss, unauthorized use or transmission of PD or any other misuse thereof. All subjects to which access to PD may be granted shall respect the right of the PD owner for the protection of privacy, and they shall proceed in accordance with applicable legislation concerning the protection of PD.

X. Term of Processing of Personal Data

In accordance with the deadlines set forth in relevant contracts, in the controller’s rules on the storing and discarding of files of the controller or of applicable legislation, this is the period that is absolutely necessary for the securing of rights and duties arising from a contractual relationship, from the legitimate interests of the processor and from applicable legislation.

XI. Instructions

The controller processes data with the consent of the PD owner with the exception of cases established by law, when the processing of personal data does not require the consent of the PD owner.

In accordance with the provision of Article 6 (1) of the GDPR, the controller may process data without the consent of the PD owner if:

• The processing is necessary for the performance of an agreement to which the PD owner is a contractual party, or for the enactment of measures adopted before the signing of the contract at the request of that PD owner;
• The processing is necessary for the performance of a legal duty that applies to the controller;
• The processing is necessary for the protection of the vital interests of the PD owner or of another individual person;
• The processing is necessary in the performance of a task carried out in the public interest or in the course of the exercise of public power for which the controller is authorized;
• The processing is necessary for the purposes of the legitimate interests of the controller in question, with the exception of cases when the interests or fundamental rights and freedoms of the PD owner requiring the protection of personal data take precedence over those interests.

In all other cases, the consent of the PD owner granted under the conditions established by the GDPR is required for the processing of PD.

XII. Rights of the Data Subject

1. In accordance with the provisions of Article 12 of the GDPR, the controller shall – at the request of the PD owner – inform the data subject about the right of access to personal data and to the following information:

• Purpose of the processing of the personal data;
• Categories of relevant personal data;
• The recipients or categories of recipients to whom the personal data have been made accessible;
• The period for which the storage of the personal data is planned;
• All available information about the source of personal data;
• Information about whether automated decision-making, including profiling of personal data, takes place.

2. Any PD owner who determines or believes that the controller or processor is performing the processing of his/her personal data in a manner inconsistent with the protection of the PD owner’s privacy or personal life or in violation of the law, especially if the personal data are inaccurate with respect to the purposes of their processing, may:

• Demand an explanation from the controller in person or through their e-mail address gdpr@scs-engineering.cz;
• Demand that the controller correct such a situation; in particular, this may involve blocking, correcting, supplementing or deleting (forgetting) of personal data.

3. If the request of the PD owner pursuant to paragraph 1 above is found to be justified, the controller shall correct the improper state of affairs without delay.
4. If a controller denies the request of a data subject pursuant to paragraph 1 above, the PD owner is entitled to approach the supervisory authority – this being the Personal Data Protection Authority (Úřad pro ochranu osobních údajů, ÚOOÚ) – directly.
5. The procedure in accordance with paragraph 1 above does not preclude the PD owner from making a complaint directly to the supervisory authority.
6. For the provision of information, the controller is entitled to demand adequate compensation not exceeding the necessary costs of providing the information in question.