Principles of personal data processing

STATEMENT ON THE PROCESSING OF PERSONAL DATA

Statement on the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and the instruction of data subjects (hereinafter referred to as "GDPR")

1. Administrator of personal data

Exponet s.r.o., Na Záhonech 838/22, Prague 4, 141 00, CZ026197456, (hereinafter referred to as the "administrator") hereby informs you in accordance with Article 12 GDPR about the processing of your personal data and about your rights.

Personal data processing principles: When processing personal data, we honor and respect personal data protection standards and adhere to the following principles: we always process personal data for a clearly and comprehensibly defined purpose, by defined means and in a defined manner, only for the time that is absolutely necessary. We collect the personal data of our clients and employees only to the extent necessary and do not pass them on to third parties, with the exception of those who are directly involved in processes within the company for the purpose of their necessary processing, in justified cases of joint administration. Collaborating persons (employees, subcontractors) are required to subscribe to the administrator's personal data processing policies and undergo regular training.

2. Scope of personal data processing

Personal data is processed to the extent that the relevant data subject has provided it to the administrator, in connection with the conclusion of a contractual or other legal relationship with the administrator, i.e. due to a legitimate interest, or that the administrator has collected otherwise and processes them in accordance with applicable legal regulations or to fulfill the administrator's legal obligations.

3. Sources of personal data

  • directly from data subjects (registration, web contact forms and chat, e-mails, telephone, websites, business cards, etc.)

  • publicly accessible registers, lists and records (e.g. commercial register, trade register, real estate register, etc.)

  • "Cookie" technology and other common technologies for recognizing the participant's device without the possibility of unambiguous user identification. This tracking technology can be rejected in the user's browser.

4. Categories of personal data that are the subject of processing

  • address and identification data used for unambiguous and unmistakable identification of the data subject (e.g. first name, surname, title, possibly birth number, date of birth, address of permanent residence, ID number, VAT number) and data enabling contact with the data subject (contact data - e.g. contact address, telephone number, fax number, e-mail address and other similar information)

  • descriptive data (e.g. bank details)

  • other data necessary for the performance of the contract

  • data provided beyond the scope of relevant laws processed within the framework of consent granted by the data subject (photo processing, use of personal data for the purpose of personnel management, etc.)

5. Categories of data subjects, processors, other administrators of personal data

  • an employee of the administrator

  • carrier

  • service provider

  • another person who is in a contractual relationship with the administrator

  • job applicant

In justified cases, your personal data may be processed by third parties (administrators and processors) subject to EU legislation and on the territory of EU countries, such as third parties participating in the organization of events and the acquisition of audiovisual recordings.

6. Categories of recipients of personal data

  • state administration in cases of legal obligation stipulated by relevant legal regulations

  • processor authorized by the administrator

  • employees

  • joint administrators

7. Purpose of personal data processing

  • purposes contained within the consent of the data subject

  • negotiating a contractual relationship

  • fulfillment of the contract

  • protection of the rights of the administrator, beneficiary or other affected persons (e.g. enforcement of the administrator's claims)

  • archiving conducted on the basis of the law

  • tenders for vacancies

  • fulfillment of legal obligations by the administrator

8. Method of processing and protection of personal data

The processing of personal data is carried out by the administrator. The processing is carried out in its establishments, the customer's premises, at branches and the administrator's headquarters by individual authorized employees of the administrator, or processor. In justified cases, personal data may also be managed by another administrator, with the status of a joint administrator. The processing takes place through computer technology, or also in a manual way for personal data in paper form in compliance with all security principles for the management and processing of personal data. For this purpose, the administrator has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, their change, destruction or loss, unauthorized transmission, their unauthorized processing, as well as other misuse of personal data. All entities to which personal data may be made available respect the data subjects' right to privacy protection and are obliged to proceed in accordance with applicable legal regulations regarding the protection of personal data.

9. Time of personal data processing

In accordance with the deadlines specified in the relevant contracts, in the file and shredding regulations of the administrator or in the relevant legal regulations, this is the time absolutely necessary to ensure the rights and obligations arising both from the contractual relationship and from the relevant legal regulations.

10. Lessons learned

The administrator processes data with the consent of the data subject, with the exception of cases provided by law, when the processing of personal data does not require the consent of the data subject.

In accordance with Article 6, paragraph 1 of the GDPR, the controller may process the following data without the consent of the data subject:

  • the data subject has given consent for one or more specific purposes,

  • processing is necessary for the fulfillment of a contract to which the data subject is a contracting party, or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject,

  • processing is necessary to fulfill a legal obligation that applies to the controller,

  • processing is necessary to protect the vital interests of the data subject or another natural person,

  • processing is necessary for the fulfillment of a task carried out in the public interest or in the exercise of public authority entrusted to the controller,

  • processing is necessary for the purposes of the legitimate interests of the relevant controller or third party, except in cases where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence over these interests.

11. Rights of data subjects

1) In accordance with Article 12 of the GDPR, at the request of the data subject, the administrator informs the data subject of the right to access personal data and the following information:

  • purpose of processing,

  • the category of personal data concerned,

  • recipients or categories of recipients to whom personal data has been or will be made available,

  • the planned period for which personal data will be stored,

  • all available information about the source of personal data, if not obtained from the data subject,

  • whether automated decision-making is taking place, including profiling.

2) Any data subject who discovers or believes that the administrator or processor is processing his personal data in violation of the protection of the private and personal life of the data subject or in violation of the law, especially if the personal data is inaccurate with regard to the purpose of their processing, may:

  • Ask the administrator for an explanation.

  • Require the administrator to remedy the situation thus created. In particular, this may involve blocking, correcting, supplementing or deleting personal data.

  • If the data subject's request according to paragraph 1 is found to be justified, the administrator will remove the objectionable situation immediately.

  • If the administrator does not comply with the data subject's request according to paragraph 1, the data subject has the right to contact the supervisory authority, i.e. the Office for Personal Data Protection.

  • The procedure according to paragraph 1 does not preclude the data subject from contacting the supervisory authority directly with their request.

  • The administrator has the right to request a reasonable payment for the provision of information not exceeding the costs necessary to provide the information, if the requests for information submitted by the data subject are clearly unreasonable, especially because they are repeated.

This statement is publicly available on the administrator's website.