INFORMATION ON THE PROCESSING OF PERSONAL DATA

Information of the controller to data subjects on the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the instruction of data subjects (hereinafter referred to as « GDPR »)


1. Data controller

Personal data controller:

PBtisk a.s.

with registered office at Příbram I, Dělostřelecká 344, 26101
ID NO.: 48244627
Email contact: gdpr@pbtisk.cz
phone contact: +420 318 493 711
(hereinafter referred to as the « Administrator »):

in accordance with Article 12 an. GDPR informs data subjects about the processing of their personal data and their rights.

2. Scope of the processing of personal data

The personal data are processed to the extent that the respective data subject has provided them to the controller in connection with the conclusion of a contractual or other legal relationship with the controller, or which the controller has lawfully obtained from a third party or which the controller has lawfully collected otherwise and processes in accordance with applicable law or for the performance of the controller’s legal obligations

3. Sources of personal data

  • Directly from the data subjects (in particular, in the context of negotiating the relevant contract, on the basis of an order, registration, by e-mail, telephone, chat, via the website, the contact form on the website, via social networks, by handing over a business card, on the basis of the consent given, by taking an audio or video recording made via the technical equipment of the controller, etc.) from a third party (in particular a contracting party in the context of the performance of a specific contractual relationship) from public records – for the purposes of this document, public records are: the public register pursuant to Act No. 304/2013 Coll., on public registers of legal and natural persons, as amended, i.e. the Federal Register, the Foundation Register, the Register of Institutions, the Register of Unit Owners’ Associations, the Commercial Register and the Register of Benefit Corporations; other registers within the meaning of No 111/2009 Coll., on basic registers, as amended

4. Categories of personal data subject to processing by the controller

Depending on the specific purpose and type of personal data processing, the controller processes the following categories of personal data:

  • name and surname
  • business name (for natural persons engaged in business)
  • address, registered office, delivery address or temporary residence
  • date of birth
  • birth number
  • e-mail address
  • telephone number – private, business
  • tel-fax number
  • ID NUMBER
  • VAT NUMBER
  • bank connection
  • web pages
  • Data box ID
  • password, login
  • photo
  • video record
  • audio (telephone) recording
  • IP address
  • location data (GPS, CCS)
  • insurance card number
  • contract number under which the subject is registered with the controller
  • staff number, employee number
  • education
  • income from employment (salary, pension income)
  • personal data of children or spouse/partner
  • cookies
  • signature

5. Categories of data subjects

The data subject is the natural person to whom the personal data relate, namely:

  • an employee of the controller (based on an employment contract, work performance agreement, work activity agreement)
  • an applicant for employment with the controller
  • an employee of an agency of the controller
  • statutory bodies – natural persons of legal persons dealing with the controller
  • contractual partner of the administrator (natural person – entrepreneur, non-entrepreneur)
    • client
    • customer
    • buyer
    • seller
    • supplier
    • transporter, carrier
    • contractor
    • tenant
    • lessor
    • charterer
    • proprietaire
    • authorised
    • obligor
    • mortgagee
    • lender
    • debtor
    • user
    • future contracting party (based on the conclusion of a future contract or measures taken before the conclusion of the contract at the request of the data subject)
    • etc.
  • subject in a pre-contractual relationship with the controller (customer before acceptance of the order, enquirer, etc.)
  • party to the procedure
  • intervener
  • person concerned, interested party
  • applicant
  • interviewer
  • payer
  • recipient
  • authorised
  • obliged
  • damaged

6. Categories of processors and recipients of personal data

  •  An external body providing services to the controller, in particular providing:
    • the services of tax advisers and auditors
    • occupational health and safety, fire protection services
    • transporters, carriers
    • sales representatives
    • IT services, cloud storage
    • advertising, marketing services
    • training, education services
    • services consisting in securing grants and subsidies
    • public authorities
    • local authorities
    • banking institutions
    • insurance companies

7. Purpose and reasons for processing personal data

The processing of personal data takes place at the controller:

  • on the basis of the data subject’s consent
  • in the performance of a contract with the data subject
  • in the implementation of measures taken before the conclusion of the contract at the request of the data subject
  • for compliance with a legal obligation applicable to the controller
  • for a legitimate interest of the controller or a third party (including archiving based on a legitimate interest of the controller)
  • for the protection of the vital interests of the data subject or of another natural person

8. Method of processing and protection of personal data

The processing of personal data is carried out by the controller. The processing is carried out at the controller’s premises, branches and headquarters by individual authorised employees of the controller or by the processor. The processing is carried out by means of computer technology or, in the case of personal data in paper form, manually, in compliance with all security principles for the management and processing of personal data.

To this end, the controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or other misuse of personal data. All entities to which personal data may be disclosed are vetted by the controller, contractually assured of their respect for the data subjects’ rights to data protection and privacy, and are obliged to comply with applicable data protection laws.

9. Duration of processing of personal data

In accordance with the time limits set out in the relevant contracts, in the internal regulations of the controller or in the relevant legislation, in all cases of processing of personal data, the period of time is the time necessary to ensure the rights and obligations arising from the contracts, legitimate interests and the relevant legislation.

10. Instructions

The controller shall process data with the consent of the data subject, except in cases provided for by law where the processing of personal data does not require the consent of the data subject. In accordance with Art. 6 para. The controller may process the following data without the consent of the data subject: the data subject has given consent for one or more specific purposes, the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject, the processing is necessary for compliance with a legal obligation to which the controller is subject, the processing is necessary for the protection of the vital interests of the data subject or of another natural person, the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data override those interests.

11. Rights of data subjects

  1. In accordance with Article 12 of the GDPR, the controller informs the data subject of the right to access personal data and to the following information:
    a) the purpose of the processing,
    b) the category of personal data concerned,
    c) the recipients or categories of recipients to whom the personal data have been or will be disclosed,
    d) the intended period for which the personal data will be stored,
    e) any available information on the source of the personal data,
    f) if not obtained from the data subject, whether automated decision-making, including profiling, is involved.
  2. Any data subject who becomes aware or considers that the controller or processor is carrying out processing of his or her personal data which is contrary to the protection of the data subject’s private and personal life or contrary to law, in particular where the personal data are inaccurate with regard to the purpose of the processing, may:
    a) Ask the controller for an explanation.
    b) Request that the controller remedy the situation. In particular, this may involve blocking, rectifying, supplementing or erasing the personal data.
    c) If the data subject’s request is found to be justified, the controller shall rectify the defective situation without delay.
    d) If the controller does not comply with the data subject’s request, the data subject shall have the right to apply directly to the supervisory authority, which is the Office for Personal Data Protection.
    e) The data subject shall have the right to submit his or her complaint directly to the supervisory authority without having to take any prior steps.
  3. The controller shall provide information and communication to data subjects in a concise, transparent, comprehensible and easily accessible manner using clear and plain language. The controller may provide information and communication to data subjects in writing, or, where appropriate, electronically or orally, provided that it verifies the identity of the data subject concerned.
  4. The controller is obliged to respond to a request for information from data subjects without undue delay, but no later than 1 month after receiving such a request. In justified cases, the controller may extend this time limit, but no longer than 2 months. The controller shall inform the data subject of the extension, also within 1 month of receipt of the data subject’s request, and shall inform the data subject of the reasons for the extension. If the data subject submits a request for information and communication electronically, the CONTROLLER shall provide the information and communication to the data subject electronically, unless the data subject requests another method of providing the information and communication, e.g. in writing.
  5. If the data subject requests the controller to take certain measures (rectification of his/her personal data, erasure, etc.) and the controller does not take such measures, the controller shall inform the data subject thereof without delay, and at the latest within 1 month of the request to take the appropriate measures, including the reasons for not taking such measures, as well as information on the possibility for the data subject to lodge a complaint with the Office for Personal Data Protection or to apply to the court.
  6. The information and communication shall be provided by the controller to the data subject free of charge. In the event that the data subject makes repeated requests, or if such requests are unfounded or unreasonable, the controller may refuse the data subject’s request or impose a reasonable fee covering the administrative costs associated with providing the information and communication or with implementing the requested measures. The controller must be able to demonstrate the unreasonableness or inadequacy of the data subject’s request.
  7. Where the controller obtains personal data directly from the data subject, the controller shall communicate the following information to the data subject when obtaining the data:
     a) the identification and contact details of the controller and of the controller’s representative, if any;
    b) the purposes of the processing for which the personal data are intended and the legal basis for the processing;
    c) the legitimate interests of the controller or of a third party where the processing is necessary for the purposes of the legitimate interests of the controller or of the third party;
    d) the recipients or categories of recipients of the personal data, if any;
    e) the intention, if any, of the controller to transfer the personal data to a third country or an international organisation and the existence or otherwise of a decision of the European Commission that the third country or international organisation provides adequate protection for the personal data, and a reference to appropriate safeguards and means of obtaining a copy of the data or information on where the data have been disclosed.
  8. Where necessary to ensure fair and transparent processing, the controller shall also provide the data subject with further information, in particular the duration of the processing of the personal data and, where applicable, the criteria for its determination, as well as information on the data subject’s right to rectification, erasure, etc.
  9. If the controller does not obtain the personal data directly from the data subject, it shall communicate to the data subject, upon obtaining the personal data, the information referred to in paragraph 7(a), (b), (d) and (e) and, where applicable, the additional information referred to in paragraph 8.
  10. The controller shall inform the data subject of any change in the purpose of the processing of personal data whenever it occurs.
  11. The controller shall, upon request, provide the data subject with confirmation as to whether the controller processes personal data relating to him or her and, if so, provide the data subject with access to those data and to the following information:
    a) the purposes of the processing;
    b) the categories of personal data concerned;
    c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    d) the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine that period;
    e) the existence of the right to request from the CONTROLLER the rectification or erasure of personal data relating to the data subject or the restriction of their processing or to object to such processing;
    f) the right to lodge a complaint with the Office for Personal Data Protection;
    g) any available information about the source of the personal data, unless it is obtained from the data subject.
  12. The controller shall, in accordance with the obligations set out in paragraph 11, provide the data subject with a copy of the personal data processed. The controller may charge a reasonable administrative fee for providing copies in accordance with the preceding sentence.
  13. The controller shall be obliged to rectify inaccurate personal data concerning the data subject without undue delay, to complete incomplete personal data, including by providing an additional declaration.
  14. The controller is obliged to erase personal data concerning the data subject without undue delay if one of the following grounds is met:
     a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
    b) the data subject withdraws consent where the personal data have been processed on the basis of that consent and there is no other legal basis for the processing;
    c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
    d) the personal data have been unlawfully processed;
    e) the personal data must be erased in order to comply with a legal obligation under European Union law or Czech law.
  15. Where the controller has disclosed the personal data of the data subject and is obliged to erase it, the controller must take reasonable steps (having regard to the technology and costs available) to inform other data controllers who process the personal data that the data subject has requested them to erase all references to the personal data, copies and replications thereof.
  16. The controller shall not be obliged to comply with the obligations under paragraphs 14 and 15 if the processing of the personal data is necessary for the controller, e.g. to comply with a legal obligation which requires the processing of personal data under European Union or Czech law to which the controller is subject, or for the establishment, exercise or defence of legal claims, etc.
  17. The controller is obliged to restrict the processing of personal data of the data subject if:
    a) the data subject contests the accuracy of the personal data for the period necessary to enable the controller to verify the accuracy of the personal data;
    b) the processing is unlawful and the data subject refuses to erase the personal data and requests instead that the use of the personal data be restricted;
    c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
    d) the data subject has objected to the processing pursuant to paragraph 19 of this Article of the Directive until it is verified that the controller’s legitimate grounds for the processing override those of the data subject.
  18. Where the controller has restricted the processing of personal data pursuant to the preceding paragraph of this Directive, such personal data may be processed only with the data subject’s consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the European Union or of a Member State of the European Union.
  19. The controller shall inform the data subject in advance of the lifting of the restriction on the processing of personal data pursuant to paragraph 17.
  20. The controller shall be obliged to notify individual recipients of any rectification or erasure of personal data, of the restriction of the processing of personal data, except where this proves impossible or requires disproportionate effort. The controller shall also inform the data subject of these recipients if the data subject so requests.
  21. If the data subject objects to the controller to the processing by the Community of Owners of personal data processed by the controller for the purposes of the controller’s legitimate interests or those of a third party, the controller shall no longer process the personal data on the basis of that objection, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The controller must inform the data subject of this right at the latest at the time of the first communication with the data subject.

12. Verification of the data subject’s identity

  1. In the event that the controller receives a submission from a natural person – the data subject, which, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (« GDPR »)
    1. a) exercises the right to access his/her personal data, and/or,
      b) requests a request for confirmation as to whether the controller processes personal data relating to the applicant within the meaning of the GDPR, and/or,
      c) requests that copies of the personal data processed be provided free of charge; and/or,
      d) requests a communication of which categories of personal data are processed,and/or,
      e) asks to be told for what purpose the personal data are processed, and/or,
      f) asks to be told what is the intended period for which the personal data will be stored or, if this cannot be determined, what are the criteria used to determine this period, and/or,
      g) asks to be informed whether (and under what conditions) he/she may request the controller to rectify or erase the personal data, to restrict their processing, or whether and how the data subject may object to the processing of my personal data, and/or,
      h) asks to be informed whether (and how) the data subject may lodge a complaint with a supervisory authority and who that supervisory authority is, and/or,
      i) requests the communication of any available information about the source of the personal data concerning the data subject, unless it has been obtained directly from the data subject, and/or,
      j) requests a disclosure of whether automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, also takes place in relation to the processing of the data subject’s personal data and, at least in these cases, further requests the provision of meaningful information concerning the procedure used as well as the relevance and likely consequences of such processing for the data subject, and/or,
      k) requests to be told who the recipients of the data subject’s personal data are or, where appropriate, to indicate the categories of recipients to whom his or her personal data have been or will be disclosed, and/or,
      l) requests to be informed of the recipients in third countries and international organisations who have had or will have personal data of the data subject, and/or,
      m) requests information regarding the safeguards under Article 46 of the GDPR in case personal data are transferred to a third country or an international organisation, the controller is always obliged to sufficiently verify the identity of the applicant before processing the above requests. If the controller has doubts about the identity of the applicant, he has the right to request from the applicant the additional information necessary to confirm his identity (Article 12(6) GDPR).
    2. The controller is entitled, in case of doubt as to the identity of the applicant, to request from that person:
      a) sending the application with the applicant’s certified signature if the applicant has made the application in paper form,
      b) sending the request with an electronic signature, i.e. with data in electronic form attached to or logically associated with the data message, which serves as a method to unambiguously verify the identity of the signatory in relation to the data message
      c) sending the application by data mailbox, if the applicant has one
    3. The controller is not entitled to request further information to verify the identity of the applicant, in particular where:
       a) at the relevant time (i.e. the time of the submission of the relevant application), the controller processes the email contact as personal data of the applicant from which the relevant application was sent
      b) the controller processes the telephone number of the applicant at the relevant time, then makes a telephone call to that telephone number to verify the identity of the applicant and, as agreed with the applicant, then sends the requested information or communicates other facts relating to the processing of personal data electronically to the email address provided by the applicant or in writing to the address provided by the applicant,
      c) the controller has the possibility to verify the identity of the applicant in other ways (e.g. through public registers, existing communications)
      d) the applicant has made the request in person in front of a competent employee of the controller or another person authorised by the controller.

13. Final provisions

In case of questions concerning the processing of personal data of data subjects, the controller may be contacted in writing, electronically or by telephone at the following contacts:

PBtisk a.s.

Příbram I, Dělostřelecká 344, PSČ 26101

Email: gdpr@pbtisk.cz
Phone: +420 318 493 711

Last updated on 25 May 2018