Policy for Processing Personal Data of the Company V TOWER Prague, a.s.
1. Objective of the Document
1.1. The objective of this document is to summarise basic information on the policy for processing personal data, which our company follows and which our company adopted in order to ensure compliance with Regulation (EU) 2016/679 (hereinafter referred to as the “GDPR”).
1.2. Our company took all the necessary steps to enhance the security and confidentiality of the processed data and to comply with all the obligations defined by the legislation of the Czech Republic.
2. Basic Information
2.1. Our company, V TOWER Prague, a.s., having its registered office at Praha 4 – Nusle, Na Strži 1702/65, PSČ 14062, Company ID No.: 27415171, registered in the Companies Register administrated by the Municipal Court in Prague, Section B, File 10448, is in the position of a personal data controller in relation to the visitors to the website vtower.cz, customers, clients, employees and selected contractual partners.
2.2. Our company processes personal data according to the following principles in accordance with the GDPR:
a) Lawfulness, fairness and transparency – We only carry out processing if there is a legitimate reason for it (such as a statutory obligation, performance of a contract, protection of our interests, protection of 3rd party interests or a consent granted by the data subject). We carry out the processing transparently and we inform the data subjects about how their personal data are handled, who has access to their personal data and what rights the data subjects have.
b) Purpose limitation – We only collect personal data for specific, explicit and legitimate purposes (see above).
c) Data minimisation – We only process personal data to such a degree and extent, which is necessary in relation to the given purpose.
d) Accuracy – We only process up-to-date personal data that reflect the actual state of affairs.
e) Storage limitation – We only store personal data for no longer than is necessary and legal.
f) Integrity and confidentiality – We have implemented sufficient technical and organisational measures to protect personal data from accidental or illegal destruction, loss, change or unauthorised provision or access of transmitted, stored or otherwise processed personal data.
g) Accountability – We are able to present evidence of compliance with the principles referred to in clauses a) through g).
2.3. We process most personal data in order to fulfil obligations required by the law and in order to perform the contracts with our clients. This concerns particularly the personal data necessary for entering into and performing a contract, that is, particularly the identification and contact information (title; name; surname; address; date of birth; national identifier, if applicable; trade name; name; registered office; place of business; identification number; e-mail address; bank account).
2.4. Under the applicable contract, a data subject is duly informed of the policy for processing personal data and acknowledges that the Controller is authorised to allow other processors or, as the case may be, controllers to have access to the personal data in accordance with the valid legislation.
2.5. If we carry out processing, the purpose of which is not to fulfil obligations required by the law, then it is a case of personal data processing, for which we need an explicit, free, specific and informed consent of the data subjects. In that case, the personal data are mainly processed for marketing purposes, and in each such case, the client is informed of the scope of processing in advance. The granting of such a consent is entirely voluntary and the consent can be withdrawn at any time or other rights, which are described in the consent, can be exercised at any time.
3. Technical and Organisational Measures
3.1. The company adopted measures necessary for ensuring security of processed personal data both in their hardcopy and electronic formats. These measures include particularly defining rules for work with the given information systems; making sure that the systems for automated personal data processing are only used by authorised persons and that these persons have access only to such personal data as corresponds to the authorisations of such persons; making electronic logs that will make it possible to identify and verify who, for what reason and when personal data were recorded or otherwise processed; preventing unauthorised access to data carriers, particularly by setting passwords, access rights and encryption; preparing documents for the adopted technical-organisational measures; increasing security by installing locks, etc.
3.2. All the employees and persons who have access to personal data as part of our operations have been properly trained and are aware of the security and confidentiality rules for handling personal data.
4.1. As concerns full use of the data from cookies, the legal basis for processing is the user’s consent, normally obtained by the setting of the user’s browser. If the device is used by multiple users, it is assumed that the user agrees with the settings of the device because otherwise the user would set the device differently.
4.2. Similarly, a terminal device in a workplace may be set by the employer and the employee agrees with this, even if the employee would wish to set the saving of cookies differently.
4.3. Cookies necessary for operation of a website and Internet services do not require any consent.
4.4. According to the GDPR, handling data obtained from cookies is personal data processing.
5. Transferring Data to Third Parties and Abroad
5.1. We only transfer personal data to third parties in the cases required by the law (mandatory reports to governmental authorities) or, in the necessary scope, to selected suppliers who provide us with certain services, which are necessary for implementation of the services for our clients. We have clearly defined contractual relationships with all such parties and all the suppliers comply with the necessary rules for processing personal data to the extent and in the parameters required by the GDPR.
5.2. We transfer personal data abroad only in a clearly defined scope for the purpose of ensuring services for our clients and we do so only to selected suppliers and all the entities concerned are always informed of such a transfer.
6. Reporting Security Incidents
6.1. We have a system for reporting possible security incidents in place. If any leak of any data occurs, we proceed in accordance with the GDPR in order to minimise possible damages, and we submit the appropriate reports to the Office for Personal Data Protection (www.uoou.cz) in the required cases.
7. Contact Information
7.1. If you believe that we carry out personal data processing, which is in violation of the protection of privacy or in violation of the law, particularly if personal data are inaccurate with regard to the purpose of their processing, you can send us an objection or ask for an explanation. In such cases, do not hesitate to contact us either by telephone: +420 241 481 145 or electronically at the address firstname.lastname@example.org at any time.