I. General provisions
The company FAVEX, s.r.o. with registered office in Prague, Slezská 2210/128, ID No.: 499 72 367, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert No. 65218 (hereinafter also referred to as “FAVEX”), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”), after reviewing its own procedures for handling personal data in the course of its business activities and as a result of the summarisation of these procedures, hereby declares its basic rules of practice relating to the processing of personal data.
FAVEX is a personal data controller within the meaning of the GDPR, i.e. it collects, stores and uses personal data of its customers, natural persons acting on behalf of corporate customers, other persons affected by its business activities or, as the case may be, persons interested in business cooperation (collectively also referred to as the “data subject”), for the purpose of carrying out its business activity, which consists mainly in the sale of metallurgical materials and the provision of related services.
This Personal Data Processing Policy applies to:
- the processing of personal data carried out by FAVEX during communication with data subjects or, as the case may be, FAVEX contractual partners via the website, e-mail or telephone,
- processing of personal data by FAVEX during the contractual relationship between the data subjects or, as the case may be, FAVEX and FAVEX’s contractual partners and employees,
- processing of personal data in the performance of FAVEX’s legal obligations,
- processing of personal data necessary for the purposes of protecting the legitimate interests of FAVEX.
The personal data processing principles describe the purposes of personal data processing and the methods of processing, inform about the individual categories of personal data processed, their potential recipients, the retention period of personal data and the rights of persons in relation to the protection of personal data.
FAVEX ensures compliance with these principles in the processing of personal data by the attorney and his associates and, in the case of suppliers (external processors of personal data), has contractually ensured guarantees of adequate protection according to Art. 28 GDPR.
II. Identity and contact details of the controller – FAVEX
When exercising rights or, as the case may be, if the data subject wishes to clarify any of the information further, he or she may contact FAVEX using the following details:
Written contact:
FAVEX s.r.o.
Hradiště 98
687 08 Buchlovice
Electronic contact:
III. Purposes of the processing of personal data
FAVEX processes personal data solely in accordance with the legal grounds set out in Art. 6 GDPR, only to the extent and for the time necessary. The purposes of the processing of personal data and the duration of their processing shall be recorded by FAVEX for individual agendas in the records of processing activities pursuant to Art. 30 GDPR.
Only those persons who need to handle personal data in the performance of their tasks and duties for FAVEX have access to personal data. These persons shall maintain the confidentiality of the personal data with which they are acquainted; this obligation is contractually guaranteed.
Personal data may be processed by FAVEX for the following purposes:
A/ Purposes for which the data subject’s consent is not required, namely:
- Contract execution (negotiation of the contract or its modification, conclusion of a purchase or other contract, implementation of the contractual relationship, recording and updating of contracts, storage of data in FAVEX systems),
- Fulfilling legal obligations (in particular obligations in terms of accounting and tax legislation, i.e. transferring personal data to the financial administration authorities or other public authorities in accordance with the relevant legislation; storing and archiving data in accordance with legal requirements),
- Protection of the legitimate interest of FAVEX (protection of the rights and legally protected interests of FAVEX, such as the enforcement of legal claims and debts, the implementation of marketing activities regarding FAVEX products and services, the internal needs of FAVEX relating in particular to monitoring the satisfaction of the data subject, identifying the quality of services, improving the quality of services provided, the development of new services, etc.),
- Protection of the legitimate interest of third parties (in particular the data subject or FAVEX contractual partners) in accordance with the rules governing business activities and competition.
B/ Purposes for which personal data may be processed only on the basis of the data subject’s consent:
- The provision of such consent is entirely at the discretion of the data subject. Consent is required for FAVEX marketing (to a certain extent, in these cases FAVEX is entitled to offer products and services to customers without obtaining their consent). Irrespective of whether the offering of products and services is carried out on the basis of law or consent, the data subject always has the right to express his/her disagreement with it by means of an act addressed to FAVEX in any form. In addition, it is also possible to withdraw consent to the provision of a copy of a personal document.
IV. Personal data processed
FAVEX is entitled to process the following personal data according to the purpose of processing:
Data subjects’ data | Purposes of processing |
---|---|
Name and surname | Performance of contract, Performance of legal obligations, Protection of legitimate interest of FAVEX, Consent |
Contact address, registered office, place of business | Performance of contract, Performance of legal obligations, Protection of legitimate interest of FAVEX, Consent |
Performance of contract, Performance of legal obligations, Protection of legitimate interest of FAVEX, Consent | |
Telephone number | Performance of contract, Performance of legal obligations, Protection of legitimate interest of FAVEX, Consent |
Account number and other transaction details | Performance of contract, Performance of legal obligations, Protection of legitimate interest of FAVEX, Consent |
ID number, VAT number | Performance of contract, Performance of legal obligations, Protection of legitimate interest of FAVEX, Consent |
Birth number | Fulfilling legal obligations |
Date of birth | Performance of contract, Performance of legal obligations |
Any other information regarding the client or third parties | Performance of contract, Performance of legal obligations, Protection of legitimate interest of third parties |
FAVEX processes personal data manually or in an automated manner and stores it securely in both paper and electronic form. The processing of personal data occurs mainly for the purpose of fulfilling the contractual relationship. In relation to the purpose of processing, the personal data of the data subjects are kept in the records of FAVEX customers, in the records of FAVEX suppliers and in the accounting system.
FAVEX declares that the personal data it processes are under constant control and that FAVEX has modern control, technical and security mechanisms in place to ensure the protection of the processed data against unauthorized access or transmission, against loss or destruction, as well as against other possible misuse. All persons who come into contact with the personal data of data subjects in the course of their work or contractual duties are bound by a legal or contractual duty of confidentiality. In the event that personal data is transferred to other entities, FAVEX has concluded an appropriate contract with the data processors, by which these entities guarantee compliance with the obligations relating to the processing of personal data under Czech law.
V. Recipients of personal data
FAVEX discloses personal data only to authorised employees or individual processors of personal data contracted by FAVEX or other controllers, but only to the extent necessary for the fulfilment of the individual purposes of processing and on the basis of the corresponding legal title for the processing of personal data.
FAVEX is entitled or, as the case may be, obliged in the cases provided for by law to transfer certain personal data on the basis of applicable law, for example to law enforcement authorities or other public authorities.
VI. Personal data of third parties
Personal data of third parties, which means the personal data of employees and customers of FAVEX contractual partners and other individuals involved in cooperation with FAVEX or, as the case may be, other data that FAVEX receives from the contractual partner in connection with the conclusion or performance of the contract, will be processed in accordance with applicable data protection legislation. This personal data will be used by FAVEX for the purpose of fulfilling contracts with contractual partners. FAVEX will process the personal data of third parties for the duration of the contractual relationship and for the period provided for by special legal regulations, if any. They will then be kept for a longer period of time if there is a justified need to keep the data in relation to a specific case.
VII. Retention period of personal data
FAVEX processes and stores the personal data for the period necessary to ensure all rights and obligations arising from the respective contractual relationship and for the period for which FAVEX, as the data controller, is obliged to store the personal data under generally binding legal regulations or for which FAVEX has given its consent to the processing. In other cases, the processing period is based on the purpose of the processing, which must be proportionate, or is determined by data protection legislation.
FAVEX takes care of the proper fulfilment of its obligations under the regulations governing archiving, complies with the legal deadlines for document storage and archiving, and carries out timely and proper shredding procedures.
We process personal data according to the purpose of processing for the period of time specified here:
Purpose of processing | Preservation time |
---|---|
Performance of the contract | for the duration of the contractual relationship and for a period of 10 years from the termination of the contractual relationship |
Fulfilling legal obligations | for the period of time specified by the relevant legislation |
Protection of the legitimate interest of FAVEX or third parties | for a maximum period of 3 years from the start of processing, unless otherwise provided for in specific legislation or unless there is a justified need to keep the data for a longer period in connection with a specific case |
Provision of consent | for a period of 3 years from the date of disclosure, unless the data subject requests an extension |
VIII. Rights of data subjects
FAVEX fulfils all the rights of data subjects. Upon request, the data subject shall receive from FAVEX all the information required by law concerning the processing of his or her data in a concise, comprehensible and easily accessible manner using clear and plain language.
FAVEX shall also:
- (a) keep records of the processing activities referred to in Art. 30 GDPR,
- (b) ensure that data subjects are informed in accordance with Art. 12 to 14 GDPR,
- (c) fulfil the other rights of data subjects under Art. 15 to 22 GDPR,
- (d) carry out reporting and notification of personal data breaches pursuant to Art. 33 and 34 GDPR.
Draft records, information, handling of requests/complaints and notifications are stored at FAVEX. Data subjects may submit their requests/complaints for the exercise of their rights to FAVEX, in particular by sending them to the FAVEX email address or in writing to the address of the FAVEX premises, see above.
In connection with the processing of personal data, the data subject has rights arising from legal regulations, which he or she may exercise at any time. These rights are:
- the right of access to personal data,
- the right to correct inaccurate or incomplete personal data,
- the right to delete personal data if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed or if it is established that they were processed unlawfully,
- the right to limit the processing of personal data,
- the right to data portability,
- the right to object, after which the processing of personal data shall be terminated unless it is demonstrated that there are compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, in particular where the ground is the possible exercise of legal claims; and
- the right to contact the Office for Personal Data Protection.
- Right of access to personal data: The data subject has the right to obtain information about whether his or her personal data is being processed and, if so, the right to access his or her personal data. In the event of unreasonable, inappropriate or repeated requests, FAVEX shall be entitled to charge a reasonable fee for a copy of the personal data provided or to refuse the request (the foregoing applies mutatis mutandis to the exercise of the rights set out below).
- Right to rectification of inaccurate and completion of incomplete personal data: if the data subject becomes convinced that FAVEX processes inaccurate or incomplete personal data about him or her, he or she has the right to request their rectification and completion. FAVEX will correct or complete the data without undue delay, but always taking into account the technical possibilities.
- Right to erasure: In the event that the data subject requests the erasure of his/her personal data, FAVEX will erase his/her personal data if (i) they are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) the processing is unlawful, (iii) the data subject objects to the processing and there are no overriding legitimate grounds for processing his or her personal data, or (iv) the legal obligation to process under European Union law or national law has ceased.
- Right to restriction of processing of personal data: in the event that the data subject requests restriction of processing, FAVEX shall make the personal data inaccessible, temporarily delete or store them or carry out other processing operations necessary for the proper exercise of the exercised right.
- Right to data portability: if the data subject requests that FAVEX transfer the personal data that it processes about the data subject in electronic form on the basis of a contract or consent to a third party, the data subject may exercise his or her right to data portability. In the event that the exercise of this right would adversely affect the rights and freedoms of others, FAVEX shall not comply with the request.
- Right to object: The data subject has the right to object to the processing of personal data which are processed for the performance of a task carried out in the public interest or in the exercise of official authority or for the protection of the legitimate interests of FAVEX. If FAVEX does not prove that there is a compelling legitimate reason for the processing that overrides the interests or rights and freedoms of the client, it shall terminate the processing without undue delay on the basis of the objection. In the event of repeated or manifestly unjustified requests for the exercise of the above rights, FAVEX shall be entitled to charge a reasonable fee for the exercise of the right in question or to refuse to exercise the right. The data subject will always be duly informed of this procedure.
IX. Transfer of personal data to third countries
FAVEX processes personal data only in the Czech Republic or in EU member states. We do not transfer personal data to third countries outside the EU.
X. Final Provisions
FAVEX has carried out a risk analysis of the processing of personal data and has taken reasonable technical and organisational measures to secure the processing as described above. The risk analysis concluded as follows: the processing of personal data does not pose high risks to the rights and freedoms of the data subjects concerned and therefore a Data Protection Impact Assessment (“DPIA”) is not necessary.
FAVEX has carried out an assessment of the processing of personal data in the light of Art. 37 GDPR. FAVEX does not meet the conditions for the appointment of a Data Protection Officer (“DPO”) in accordance with Recital 91 of the GDPR and is not obliged to appoint a DPO. A DPO was therefore not appointed at FAVEX.
In addition to records of processing activities pursuant to Art. 30 GDPR, FAVEX keeps a record of any consent to the processing of personal data, unless there is no other legal title for the processing of personal data, and a record of personal data breaches.
FAVEX regularly, at least once a year, evaluates compliance with the rules of personal data protection, including technical and organisational measures, and takes corrective action or, as the case may be, updates internal documentation related to the protection of personal data as necessary.
The Office for Personal Data Protection oversees the protection of privacy and personal data.
Address: Sochora 27
170 00 Prague 7
tel.: 234 665 111
Web: www.uoou.cz
This Personal Data Processing Policy is effective from 26.10.2020 and will be updated regularly. The valid version will always be available at the FAVEX Secretariat.