Personal Data Protection

Ochrana osobních
údajů
 

PERSONAL DATA PROCESSING AND PROTECTION PRINCIPLES

(hereinafter “Principles“)

These personal data processing Principles are the fulfilment of the informational obligation in relation to affected persons within the meaning of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR“).

In this document, we provide you with detailed information about the processing of the affected person’s personal data under the conditions of our company as a provider of architectural, design and related services, in the position of data controller and processor.

Identity and contact details of the personal data controller (processor):

ATELIER KUNC architects, s.r.o.

Identification Number: 24181927, Tax Identification Number: CZ 24181927

Registered office: K Zatáčce 2156/4, Prague 4 Modřany, Post Code: 143 00

Delivery address: Nad Spádem 650/12, Prague 4 – Podolí, 1847 00

Entered in the Commercial Register maintained by the Municipal Court in Prague, file ref. C 186309

Represented by: Michal Kunc, MgA, Director

(hereinafter “Provider“)

Contact details for exercising your rights: gdpr@atelierkunc.com

affected persons are data subjects, i.e. in particular natural persons who are interested in concluding, and/or have concluded, a Contract for Work, Collaboration Agreement or Service Agreement with the Provider (hereinafter “Contract“), and entered into negotiations with the Provider for this purpose (hereinafter also referred to as “affected person, data subject or client“).

When handling personal data, we proceed in accordance with the Legal Code of the Czech Republic and directly usable European Union regulations, in particular Act no. 101/2000 Coll., on the Protection of Personal Data, as amended (hereinafter “PDPA“) and Act no. 480/2004 Coll., on Certain Information Society Services and on Amendments to Some Acts, as amended

I. Personal data

Personal data is understood to mean all information which identifies, or can identify, a specific natural person. For the purposes set forth below in this document, we process the following personal data categories:

a) Contractual relationships – a legal person’s (potential) clients

address and identification personal data of the legal person’s representative or contact person – the contact person’s title, name, surname, contact telephone number, e-mail address and position;

b) Contractual relationships – (potential) clients of a natural person engaged in business

address and identification personal data – title, name, surname, registered office, delivery address, Identification Number, Tax Identification Number, date of birth (ID number), contact telephone number, e-mail address, bank account number;

c) Contractual relationships – (potential) clients of a natural person not engaged in business

address and identification personal data – title, name, surname, residential address, delivery address,  date of birth, ID number, bank account number, contact telephone number, e-mail address;

d) Contractual relationships – natural or legal persons engaged in business as suppliers of services/activities (subcontractors)

address and identification personal data – title, name, surname, contact person’s name and surname, residential address, registered office, delivery address, Identification Number, Tax Identification Number (ID number), contact telephone number, e-mail address, bank account number;

e) Contractual relationships in general

Descriptive information: description of fulfilment (subject of Contract), description of the client’s property including photograph, information from communication between the Provider and the data subject relating to the provision of services by or to the Provider.

II. Purpose, and legal basis, of the personal data processing

1. The data subject provides personal data to us primarily when delivering an order for services, in paper or electronic form, and during negotiations for the purpose of concluding a Contract with the Provider. If stipulated by legal regulations, we may also add data from publicly accessible registers, lists, records or third parties.

2. The Provider processes the affected person’s personal data for the following purposes:

a) Communication aimed at the conclusion of a Contract (including an order), precontractual relationships, conclusion of a future contract or Contract, and fulfilment of the Contracting Parties‘ obligations arising from the Contract, including the issuance of a tax document, and identification of the data subject for these purposes. The legal basis is the fulfilment of the Contract, or precontractual obligations.

b) Fulfilment of a legal obligation stipulated by a generally binding legal regulation on the basis of Article 6 paragraph 1 section c) of the GDPR (e.g. the obligation to keep accounting and tax documents, etc.). The legal basis is the fulfilment of legal obligations imposed on the Provider by legal regulations such as the Accounting Act, tax laws etc.).

c) Documentation, exercise or defence of legal claims on the basis of Article 6 paragraph 1 section f) of the GDPR. The legal basis is our legitimate interest which consists of the right to recover debts and obtain compensation for damage, as well as other claims which could or can arise during our contractual relationship.

d) Sending of information, commercial messages, materials or offers relating to our services to clients. The legal basis is our legitimate interest in the proper fulfilment of obligations, and to provide and offer products or services to you which are similar to those which were provided to you on the basis of our joint contractual relationship.

e) Sending of commercial messages relating to the Provider’s services to third parties (potential clients). The legal basis is prior consent to the sending of commercial (marketing) messages in accordance with Act no. 480/2004 Coll., on Certain Information Society Services.

f) Presentation of the Provider and their activity on the Provider’s website, in printed and online media, and on social networks. The legal basis is the client’s prior consent.

3. The data subject provides personal data voluntarily for the purpose of concluding the Contract, fulfilling the Contracting Parties‘ obligations arising from the Contract, and other communication with the Provider.

III. List of the affected person’s processed personal data

1. The personal data will be processed in the following extent:

a) for the purposes as per Article I paragraph 2 section a) of these Principles (conclusion of Contract, fulfilment of obligations arising from Contract, precontractual relationships etc.): name and surname, ID number, date of birth, Identification Number, address of (permanent) residence, registered office, delivery address, e-mail address, telephone number;

b) for the purposes as per Article I paragraph 2 section b) of these Principles (fulfilment of obligations stipulated by legal regulations):name and surname, ID number, address of (permanent) residence, registered office, delivery address, date of birth, e-mail address, and accounting information (bank account number) or information on tax documents (Identification Number, Tax Identification Number);

c) for the purposes as per Article I paragraph 2 section c) of these Principles (exercise of claims arising from contractual relationship): name, surname, date of birth, Identification Number, address of (permanent) residence, registered office, delivery address, which are necessary after the end of the contractual relationship for settling claims regarding defects, debt recovery and other contractual obligations arising from the Contract;

d) for the purposes as per Article I. paragraph 2 sections d) and e) of these Principles (sending of information and materials relating to our services): identification information, i.e. name, surname and contact details (e-mail address);

e) for the purposes as per Article I. paragraph 2 section f) of these Principles (presentation of the Provider): subject of Contract (description of fulfilment), and description or photographs of the work realised for the client.

VI. Personal data processing and storage period

1. The Provider is entitled to process and store data subjects‘ personal data for the period of validity and effectiveness of the Contract, as well as after the end of the contractual relationship, if it is necessary to achieve the purpose of the processing, in particular for the purposes of invoicing, receipt and recording of payments, recovery and assignment of debts, handling of complaints and claims regarding defects, or the exercise of rights or fulfilment of obligations stipulated by legal regulations.

2. The personal data will only be processed for the period necessary with respect to the purpose of its processing. With regard to the above:

a) for the purpose as per Article I paragraph 2 section a) of these Principles, the personal data will be processed until the termination of the obligations arising from the relevant Contract concluded with the data subject. This does not affect the Provider’s ability to subsequently process this personal data (in the necessary extent) for the purpose as per Article I. paragraph 2 sections b), c), and d) of these Principles;

b) for the purpose as per Article I. paragraph 2 section b) of these Principles, the personal data will be processed for the duration of the Provider’s relevant legal obligation;

c) for the purpose as per Article I paragraph 2 section c) of these Principles, the personal data will be processed until the end of a 3-year limitation period, commencing on the day on which the right arising from the Contract could first be exercised. In the event of the commencement and continuation of judicial, administrative, distraint or other proceedings, which govern the Provider’s rights and obligations in relation to the relevant affected person, the personal data processing period will not end before the termination of such proceedings, or the end of the limitation period during which a right arising from an executable decision can be exercised in a distraint;

d) for the purpose of sending information as per Article I. paragraph 2 section d) of these Principles, the personal data will be processed for the duration of the Provider’s business activity, but no later than the revocation of the consent to the processing of this data by the client.

e) for the purposes of sending commercial messages (information) to potential clients as per Article I. paragraph 2 section e) of these Principles, the personal data will be processed for the duration of the Provider’s business activity, or for the period of activity of the Provider’s web interface via which the consent was granted, but no later than the revocation of the consent to the processing of this data by the data subject.

f) for the purposes of the presentation of the Provider as per Article I. paragraph 2 section f) of these Principles, the data will be processed for the duration of the Provider’s business activity, but no later than the revocation of the consent to the processing of this data by the client.

3. The Provider is obliged to archive the Contract and invoices for a period of 10 years after the end of the contractual relationship.

V. Deletion of the personal data

1. The Provider will arrange the deletion of the personal data, without undue delay, after:

a) the termination of all contractual relationships between the Provider and the data subject, and all of the data subject’s obligations towards the Provider,

b) all of the client’s claims have been handled,

c) all of the purposes of the processing stipulated by legal regulations, or the purposes of the processing to which the data subject granted their consent (if the processing took place on the basis of granted consent) have been fulfilled,

d) the period for which the consent was granted expired, or the data subject revoked their consent,

e) the data subject’s request to delete the personal data was accommodated, and one of the reasons justifying the accommodation of this request was fulfilled (the Provider does not have to delete data, which they are obliged to store even after the termination of the Contract, at the data subject’s request), and at the same time all of the Provider’s obligations stipulated by generally binding legal regulations, which require the storage of the personal data, were terminated.

2. After the purpose of its processing has been achieved, the personal data is anonymised and liquidated without undue delay. The liquidation of physical documents which contain clients‘ personal data takes place by shredding. Personal data stored electronically is irrecoverably deleted from the devices on which it was stored (from databases, information systems).

VI. Recipients, and categories of recipients, of the personal data

1. Affected persons‘ personal data is not made available to third parties, with the exception of the cases set forth in these Principles, and unless this obligation is imposed by a special legal regulation.

2. The affected person’s personal data is provided to:

a) courts, other public administration, state administration, self-government and other state bodies, if it is necessary for the exercise of the Provider’s rights in relation to the data subject or the fulfilment of the Provider’s legal obligation, or for the fulfilment of an obligation arising from the Contract or an authorisation granted to the Provider by the data subject,

b) third parties who will act on the Provider’s behalf, on the basis of the Provider’s authorisation, when providing services (the Provider’s subcontractors), or third parties for the purposes of the performance of other activities relating to the provision of the Provider’s services (business activity) (e.g. legal, accounting and tax advisors, as well as providers of information and communication systems, technical infrastructure and Occupational Safety and Health). The Provider will implement appropriate measures to protect the data; in particular, they will conclude personal data processing agreements with third parties if necessary.

VII. Information regarding the affected person’s rights

1. During the processing of the personal data, the affected person (data subject) can exercise the following rights against the Provider:

a) right to information regarding the processing of the personal data relating to the affected person,

b) right to access the personal data relating to the affected person as per Article 15 of the GDPR,

c) right to the correction of the personal data relating to the affected person as per Article 16 of the GDPR,

d) right to the deletion of the personal data relating to the affected person as per Article 17 paragraph 1 sections a), and c) to f) of the GDPR,

e) right to the restriction of the personal data processing as per Article 18 of the GDPR,

f) right to object to the processing of the personal data relating to the affected person as per Article 21 of the GDPR,

g) right to the transfer of the personal data relating to the affected person as per Article 20 of the GDPR,

h) right to revoke the consent at any time (where consent is necessary for the processing of the personal data).

2. The data subject has the right to file a complaint with the Office for Personal Data Protection if they believe that their right to personal data protection was breached.

3. The provision of data is voluntary, i.e. the data subject is under no obligation to provide personal data. However, the provision of personal data is a requirement for the conclusion and fulfilment of the Contract with the Provider; without the provision of personal data, the Contract cannot be concluded or fulfilled by the Provider.

4. The Provider does not engage in automatic individual decision-making within the meaning of Article 22 of the GDPR.

VIII. Manner in which rights are exercised

  1. The affected person (data subject) can exercise their rights in the form of a written request sent to the Provider’s e-mail address, gdpr@atelierkunc.com, or a written request send to the Provider’s correspondence address. The content of the request must clearly and definitely indicate the affected person’s identity, by stating their name, surname, address, date of birth, e-mail address and the fact that the affected person is exercising one of the afore-mentioned rights, with a designation of the right they are exercising.
  2. If the Provider does not accommodate the affected person’s request or objection, then the affected person has the right to contact the Office for Personal Data Protection (https://www.uoou.cz/) as the supervisory body, with a registered office at Pplk. Sochora 27, 170 00 Prague 7.
  3. Familiarisation with personal data processing Principles
  4. By concluding the Contract with the Provider, the affected subject confirms that they have familiarised themselves with these personal data protection Principles, and that they accept them in full.
  5. Where consent is necessary for personal data processing, for example for purposes other than those stipulated by a legal regulation, the data subject can revoke their consent at any time in writing, by delivering a consent revocation notice to the Provider’s e-mail address, gdpr@atelierkunc.com, or to the Provider’s registered office.
  6. Final provisions
  7. The personal data processing takes place both manually, and in electronic information systems which are subject to physical, technical and procedural control.
  8. These Principles are also published on the Provider’s website, www.atelierkunc.com.
  9. All personal data is processed in the Czech Republic. We do not transfer personal data to any third country or international organisation.
  10. These personal data processing and protection Principles come into effect on 25/05/2018.

ATELIER KUNC architects, s.r.o.