Statement on the personal data processing
Statement on personal data processing pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the personal data processing and on information for data subjects (hereinafter referred to as GDPR)
PEŠEK Machinery s.r.o., with its registered office at Dnešice 6, 334 43 Dnešice, Czech Republic, Business ID: 26401967 (hereinafter referred to as the Data Controller) hereby informs you about personal data processing and your rights in accordance with Article 12 of the GDPR.
Scope of personal data processing
Personal data shall be processed to the extent whereby the relevant Data Subject has provided it to the Data Controller in connection with concluding a contractual or other legal relationship with the Data Controller, or which has been collected by the Data Controller otherwise and processed in accordance with applicable law or to meet the Data Controller’s duties.
Sources of personal data
- Directly from the Data Subject (emails, telephone, chat, website, web contact form, social networks, business cards, etc.)
- Publicly accessible registers, directories and records (e.g., commercial register, trade licencing register, land register, public telephone directory, etc.)
Personal data categories that are subject to processing
- Address and identification data used for unambiguous and unmistakable identification of the - Data Subject (e.g., name, surname, degree, birth certificate number, date of birth, permanent address, identification number, VAT number) and data enabling contact with the Data Subject (contact details – e.g., contact address, phone number, email address, and other similar information)
- Descriptive data (e.g., bank account, video recordings from CCTV)
- Other information necessary for the contract’s performance
- Data provided in excess of the relevant laws processed within the Data Subject’s consent (photo processing, use of personal data for the purpose of personnel management, etc.)
Personal data recipient categories
- Financial management
- Public institutions, authorities
- State and other bodies within the fulfilment of legal obligations stipulated by the relevant legislation
- Other recipients (e.g., transfer of personal data abroad – EU member states)
Purpose of personal data processing
- Purposes contained within the Data Subject’s consent
- Contractual relationship negotiations
- Contract performance
- Protection of the Data Controller’s rights, recipient or other persons concerned (e.g., recovery of the Data Controller’s claims)
- Archiving under law
- Employee selection procedure
- Fulfilment of the Data Controller’s legal obligations
- Protection of the Data Subject’s vital interests
Personal data processing and protection methods
Personal data processing is carried out by the Data Controller. Processing is carried out at their premises, branches and the headquarters of the Data Controller by individual authorised employees of the Data Controller or processor. Processing takes place through computer technology, or also in manual form for personal data in paper form, in compliance with all safety principles for the management and personal data processing. To this end, the Data Controller has taken technical and organizational measures to ensure personal data processing, particularly measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers, unauthorised processing and other misuse of personal data. All Data Subjects to whom personal data may be disclosed respect the Data Subject’s right to privacy and are required to comply with applicable personal data protection legislation.
Time of personal data processing
In accordance with the deadlines specified in the relevant contracts, in the file and shredding rules of the Data Controller or in the relevant legislation, this is the time necessary to secure the rights and obligations arising from both the obligation relationship and the relevant legislation.
The Data Controller processes the data with the Data Subject’s consent, except in cases stipulated by law where personal data processing does not require the Data Subject’s consent.
In accordance with Article 6(1) of the GDPR, the Data Controller may process the following data without the Data Subject’s consent:
- The Data Subject has given their consent for one or more specific purposes;
- Processing is necessary for the contract performance to which the Data Subject is a Party or for implementing measures taken prior to the concluding the contract at the Data Subject’s request;
- Processing is necessary to fulfil the legal obligation applicable to the Data Controller;
- Processing is necessary to protect the Data Subject or other individual’s vital interests;
- Processing is necessary for the performance of a task carried out in the interests of the public or in the exercise of public authority conferred on the Data Controller;
- Processing is necessary for the purposes of the legitimate interests of the Data Controller or of a third party, except where the interests or fundamental rights and freedoms of the Data Subject requiring personal data protection take precedence over those interests.
Rights of Data subjects
In accordance with Article 12 of the GDPR, the Data Controller shall, at the Data Subject’s request, inform the Data Subject of the right to access their personal data and the following information:
- The purpose of processing;
- The category of personal data concerned;
- The recipients or categories of recipients to whom personal data has been or will be disclosed;
- The planned period during which personal data will be stored;
- All available information on the source of personal data, unless obtained from the data subject;
- Whether automated decision-making, including profiling, occurs.
2. Any Data Subject who discovers or thinks that the Data Controller or processor processes their personal data that is contrary to the protection of the Data Subject’s private and personal life or contrary to the law, particularly if the personal data is inaccurate for the purpose of their processing, can:
- Ask the Data Controller for an explanation.
- Require the Data Controller to remedy the situation. It may include blocking, repairing, supplementing or deleting personal data.
- If the Data Subject’s request under paragraph 1 is found justified, the Data Controller shall immediately remedy the defective condition.
- If the Data Controller fails to comply with the Data Subject’s request under paragraph 1, the Data Subject shall have the right to directly contact a supervisory authority, which is the Personal Data Protection Office.
- The procedure referred to in paragraph 1 shall not exclude the possibility of the Data Subject to contact the supervisory authority directly.
- The Data Controller has the right to demand reasonable compensation for providing information; the compensation shall not exceed the costs necessary to provide the information.