Information on the processing of personal data – GDPR

Released on: 23rd May 2018

This document describes how the data you entrust to our website is processed. Our company is aware of the importance of the protection of personal data. We therefore pledge to take all necessary steps to prevent the misuse of your personal data entrusted to this website. We will only process your personal data for the purposes that we inform you about or agree to and only for the necessary period of time.

1. Administrator identity and contact details

The administrator of personal data entrusted to this website is:
IMA s.r.o.
Na Valentince 1003/1
150 00 Prague 5
CRN 45277397
(hereinafter referred to as “administrator”)

2. What legislation governs personal data processing?

The field of personal data processing is governed by the following legislation:

  • Regulation 2016/679 of the European Parliament and of the Council of 27th May 2016 on protection of individuals with regard to personal data processing and free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as GDPR)
  • Act No. 101/2000 Coll. on the Protection of Personal Data as amended (hereinafter referred to as APPD)
  • Convention for the protection of human rights and fundamental freedoms (protection of the rights and freedoms of individuals, in particular the right to privacy, see Article 7)
  • Resolution no. 2/1992 Coll. of ČNR proclaiming the Charter of Fundamental Rights and Freedoms as part of the constitutional order of the Czech Republic
  • Individual areas are regulated by special laws (Labour Code, Accounting Act, VAT Act, etc.)

For the lawful processing of your personal data, at least one of the conditions listed in Article 6 of GDPR must be fulfilled. In case of a special category of personal data, at least one of the conditions listed in Article 9 of GDPR must be fulfilled. In both cases, the principles of personal data processing set out in Article 5 of GDPR must be respected.

You can find up-to-date information on personal data protection here: GDPR and APPD.

3. Definition of terms

Allow us to explain some basic terms that are used in the field of personal data protection.

Cookies:

A Cookie refers to a small amount of data that the web server sends to your browser, which then stores it on your computer, tablet, or other device that you use to access the website. With each subsequent visit to the same server, the browser sends the data back to the Web server.

Cookies are commonly used to distinguish individual users, save user preferences, etc. They are also used to let the server know which pages you have already visited, so that it can, for example, return you to the previous page. Cookies can also be set on the server side.

Cookies as such do not constitute executable code and are not dangerous to your computer, but they may constitute a means of interfering with your privacy.

Supervisory authority concerned:

The supervisory authority concerned with personal data processing, because:

  1. the administrator or processor is established in the territory of the member states of this supervisory authority;
  2. data subjects residing in the member states of that supervisory authority are or are likely to be substantially affected by the processing, or
  3. a complaint has been lodged with it.

Supervisory authority:

An independent public authority established by a member state pursuant to article 51 of GDPR.

International organizations:

Organizations and their subordinate entities subject to international law or other subjects established by or on the basis of an agreement between two or more countries.

Processing restrictions:

Marking of stored personal data in order to limit their processing in the future.

Personal data:

Any information on an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is a natural person who can be identified directly or indirectly, in particular by reference to an identifier, such as name, ID number, location data, network identifier or one or more specific elements of physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Personal data security breach:

A security breach leading to accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to transferred, saved or otherwise processed personal data.

Profiling:

Any form of automated processing of personal data consisting in their use to evaluate certain personal aspects related to a natural person, in particular to analyse or estimate aspects related to his or her work performance, economic situation, personal preferences, interests, reliability, behaviour, place of residence or movement.

Cross-border processing:

  1. Processing of personal data done in connection with activities of establishments in more than one member state of the administrator or processor in the Union, if that administrator or processor is established in more than one member state; or
  2. Processing of personal data taking place in connection with activities of a single establishment of the administrator or processor in the Union but which will or is likely to substantially affect data subjects in more than one member state.

Recipient:

A natural or legal person, public authority, agency or other body to whom personal data is provided, whether or not a third party. However, public authorities which may obtain personal data as part of a specific investigation in accordance with member state law shall not be considered as recipients; processing of such personal data by these authorities must comply with the applicable data protection rules for the purposes of processing.

Pseudonymization:

Processing of personal data in such a way that it can no longer be assigned to a particular data subject without the use of additional information, provided that such information is kept separately and is subject to technical and organizational measures to ensure that it cannot be assigned to any identified or identifiable natural person.

Relevant and reasonable objection:

An objection to the draft decision in order to assess whether there has been a breach of the GDPR or whether the intended act in relation to the administrator or processor is in accordance with the GDPR, which clearly demonstrates the materiality of risks arising from the draft decision as regards the fundamental rights and freedoms of data subjects and, where appropriate, the free movement of personal data within the Union.

Data subject consent:

Any free, specific, informed and unequivocal expression of will by which the data subject gives his or her consent to the processing of his or her data by declaration or other clear form of confirmation.

Administrator:

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; if the purposes and means of such processing are determined by the Union or a member state law, this law can determine the administrator concerned or the specific criteria for its designation.

Third party:

A natural or legal person, public authority, agency or other body which is not a data subject, administrator, processor or person directly subject to the administrator or processor, authorized to process personal data.

Health data:

Personal data related to physical or mental health of a natural person, including data on provision of health services indicating his or her state of health.

Processing:

Any operation or set of operations with personal data or personal data files that is carried out with or without the assistance of automated procedures, such as collection, recording, arrangement, structuring, storage, adaptation or alteration, finding, consulting, using, making available by transferring, sharing or any other form of disclosure, sorting or combination, restriction, deletion or destruction.

Processor:

A natural or legal person, public authority, agency or other body that processes personal data for the administrator.

4. Processed data and legal reason for their processing

This website processes several categories of personal data.

Information you fill in the forms on this website.

Information from cookies that can be used for various purposes. In principle, they are divided into two groups: those that are necessary to ensure that the website functions properly, and those that collect data for statistical evaluation or behaviour of visitors that we use to optimize the content on the site and to analyse its traffic. Detailed information about cookies is available here.

We respect the principle of minimalism, therefore for each processing purpose we limit the scope of the data processed to only the data that is necessary for processing for that particular purpose.

5. Purposes and period of processing of personal data

The basic purposes of processing of your personal data entrusted to us through this website are as follows:

Answering your question, suggestion or complaint, where your personal data filled in the form will be used solely to answer your query and will be deleted within 60 days after the end of communication regarding the question or initiative, except where we need to keep this communication for the purposes of legal protection. The question and answer can be anonymized, generalized and used in the FREQUENTLY ASKED QUESTIONS section.

Responding to your request. In this case, your personal data will be processed for the purpose of negotiations leading to entering the contract. If no contract is concluded, your personal data will be deleted within one year of the termination of the communication.

In some cases, we ask you to fill in your first and last name, although it would be possible to process your request just on the basis of the provided e-mail address, for example, to respond to a query. Providing your first and last name or your phone number will allow us to communicate with you more effectively, identify you when communicating (e.g. when we call you, we can verify whether it is really you – anyone can make a mistake when it comes to telephone numbers, including you as well as our employees), and thus prevent your data from reaching someone else and provide you with a better service. Filling in this data is voluntary and by doing so, you are telling us that you wish to communicate with us in a more effective way.

If you are or will become our customer, we are obliged to keep your billing information and keep accounting documents that contain them for 10 years. We are also entitled to inform you about news and services related to the product or products that we have supplied you with. You have the right to terminate the process of sending you this information at any time by sending a request to terminate this communication to .

There is no automatic individual decision-making on the part of the administrator/processor within the meaning of Article 22 of GDPR or individual profiling.

6. Who else will have access to your personal data?

In addition to our employees, your personal data may be accessed by employees of companies that manage and develop the website for the administrator and provide technical support for its internal IT system.

With all such entities, the administrator concludes a contract for the processing of personal data within the meaning of Article 28 of GDPR.

The administrator does not intend to pass your personal data to a country outside the EU or an international organisation.

7. Your rights

We respect the principle of transparency contained within GDPR with regards to processing personal data. In accordance with this principle, we are ready to provide you with information about what personal data we process and for what purposes.

Please note that we are obliged to properly verify the identity of the applicant or submitter and document this verification. If there is any doubt as to the identity of the data subject who makes a request for information on the processing of personal data, exercises any of the data subject’s rights or gives the administrator a suggestion, we may ask the data subject to provide additional information necessary to confirm his or her identity.

8. Where can you lodge a complaint?

Contact information for any questions, complaints or suggestions in connection with the processing of personal data:

IMA s.r.o.
Na Valentince 1003/1
150 00 Prague 5

The company has not appointed a Data Protection Officer because it is not obliged to do so on the basis of the nature of its activities.

For more detailed information about GDPR and your rights, see www.uoou.cz.

Our supervisory authority with whom you can lodge a complaint if you are not satisfied with our approach to meeting your requests or how we treat your personal data, is:

Úřad pro ochranu osobních údajů (Office for Personal Data Protection)
Pplk. Sochora 27
170 00 Prague 7
https://www.uoou.cz

9. Policy updates

As the field of data protection and corresponding legislation evolves dynamically, we will regularly check the compliance of these policies with legislation and established practice. This text may see updates on the basis of these checks.