Smetana's Litomyšl
GDPR
Personal data processing principles
Smetanova Litomyšl (SL)
Purpose of the document
The purpose of this document is to summarize basic information about the principles of personal data processing that SL follows and has adopted to ensure compliance with the EU Regulation 2016/679 (hereinafter referred to as “GDPR”), the Act on Personal Data Processing 110/2019 Coll. and other related legislation.
SL has taken all steps necessary to ensure the security and confidentiality of the processed data and to comply with all prescribed obligations under Czech law.
Basic information
Smetanova Litomyšl, o.p.s., with its registered office at 133 Jiráskova Street, Záhradí, Litomyšl, ID No.: 25918206, registered in the register of public benefit corporations maintained by the Regional Court in Hradec Králové, Section O, Insert 49, is in the position of a personal data controller with respect to visitors of organized cultural events, users of provided services, products and visitors of operated websites, as well as employees and business partners. In accordance with the GDPR, SL complies with the following principles when processing personal data:
- Lawfulness, fairness and transparency – SL only processes data where there is a legitimate reason to do so (e.g. a legal obligation, performance of a contract, protection of SL's interests, protection of third party interests or consent given by the data subject). Data is processed transparently and data subjects are informed about how their personal data is handled, who has access to it and what rights they have.
- Purpose limitation – SL collects personal data only for specific, explicit and legitimate purposes (see above).
- Data minimisation – SL only processes personal data to the extent necessary in relation to the purpose.
- Accuracy – SL only processes up-to-date personal data that corresponds to reality.
- Storage limitation – personal data is not held by SL for longer than is necessary and lawful.
- Integrity, confidentiality – SL has sufficient technical and organisational measures in place to protect personal data transmitted, stored or otherwise processed against accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access.
- Accountability – SL shall be able to demonstrate compliance with the principles above at any time.
SL processes most of the personal data in order to comply with statutory obligations and to fulfil contracts with clients. This includes in particular personal data necessary for the conclusion and performance of the contract, i.e. in particular identification and contact data (title, name, surname, address, date of birth, national identifier if applicable, company name, name, registered office, place of business, identification number, e-mail address, bank connection).
The data subject is duly informed of the principles of personal data processing in the context of the conclusion of the contract and acknowledges that SL is entitled to disclose personal data to other processors or administrators, as appropriate, in accordance with applicable law.
If SL processes personal data for purposes other than to comply with statutory obligations, then this is processing of personal data for which the express, free, specific and informed consent of the data subjects is required. In this case, the processing of personal data is mainly for marketing purposes and in any such case the client is informed in advance of the scope of the processing. The provision of such consent is entirely voluntary and the data subject may withdraw consent at any time or exercise other rights described in the consent.
Technical and organisational measures
The Company has taken the necessary measures to ensure the security of the personal data processed in both physical and electronic form. These measures include, in particular, establishing rules for working with the information systems in question, ensuring that only authorised persons use the systems for automated processing of personal data, that these persons have access only to personal data corresponding to the authorisation of these persons, and making electronic records, identifying and verifying when, by whom and for what reason personal data were recorded or otherwise processed, and preventing unauthorised access to data media, in particular by setting passwords, access rights, encryption, drawing up documentation on the technical and organisational measures taken, increasing security by installing locks, etc.
All employees and persons who have access to personal data within the scope of SL’s activities are properly trained and familiar with the rules of security and confidentiality when handling personal data.
Cookies
For full use of cookie data, the legal basis for the processing is the user's consent, which is normally obtained through the settings of the user's browser. If more than one user uses the device, it is assumed that the user is aware of how the device is set up, as otherwise they would have set it up differently.
Similarly, the endpoint device can be set up in the workplace by the employer and the employee is aware of this, even if they would prefer to set up the storage of cookies differently.
Consent is not required for cookies strictly necessary for the operation of the website and internet services.
According to the GDPR, the handling of data obtained from cookies is the processing of personal data.
Transfer of data to third parties and abroad
SL transfers personal data to third parties only in cases prescribed by law (mandatory reporting to state administration authorities) or to the extent necessary to selected suppliers who provide certain services for SL that are necessary to provide services to clients. SL has clear contractual relationships with all such parties and all suppliers comply with the necessary rules for processing personal data within the scope and parameters required by the GDPR.
SL transfers personal data abroad within a clearly defined scope for the purpose of providing services to its clients, only to selected suppliers, and all affected parties are always informed of such transfers.
Security Incident Reporting
SL has a system in place for reporting potential security incidents. In the event of any data leakage, the GDPR is complied with in order to minimise potential damage and appropriate reports are sent to the Data Protection Authority (www.uoou.cz) in prescribed cases.
Contact information
In the event of suspected processing of personal data in violation of privacy protection or in violation of the law, in particular if the personal data are inaccurate with regard to the purpose of their processing, it is possible to send SL an objection or request an explanation. The contact for the Data Protection Officer, Jitka Nazdravetská, is nazdravetska@smetanovalitomysl.cz, phone 461 612 575.