Personal data processing principles

1. Introductory provisions

1.1) The company PKV BUILD s. r. o., ID No.: 281 49 785, with registered office at Senožaty No. p. 284, Postal Code 394 56, which is registered in the Commercial Register kept at the Regional Court in České Budějovice, Section C, Insert No. 21506, contact person: Ing. Barbora Dudová, contact e-mail address: info@pkv.cz (hereinafter also referred to as the "Company" or "Administrator"), with regard to the necessity of fulfilling the obligations in the area of personal data protection, arising in particular from Act No. 101/2000 Coll., on the protection of personal data and on the amendment of certain laws, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), sets out the following data processing principles applicable to the processing of personal data of users of the https://www.pkv.cz/ website (hereinafter referred to as the "Website").

1.2) In this document, the controller provides website users with information about which of their personal data it processes, for what purpose and on what legal basis. It also provides information on which rights and obligations they have in relation to the processing of personal data. This document does not cover the processing of other personal data, if any.

1.3) This document may be revised and updated as necessary.

1.4) The controller processes personal data manually and automatically and keeps records of all activities in which personal data are processed.

2. Basic concepts

2.1) The Company is the controller of personal data, as it determines the purposes and means of processing personal data; it processes personal data itself or uses the services of other persons, i.e. processors, for this purpose.

2.2) Personal data is any information about an identified or identifiable natural person ("data subject"); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.3) Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

2.4) The processor of personal data may be any natural or legal person or other entity that processes personal data for the controller.

3. Basic processing principles

3.1) When processing personal data, the controller

(a) processes personal data fairly, lawfully and transparently in relation to data subjects,

(b) collects personal data only for specified, explicit and legitimate purposes and does not further process them in a way that is incompatible with those purposes,

(c) processes only personal data that are adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed,

(d) processes only personal data which are accurate and, where necessary, kept up to date; to this end, the controller shall take all reasonable measures to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,

(e) stores personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed,

(f) processes personal data in a manner that ensures appropriate security of the personal data, including protection by appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.

3.2) The Administrator is responsible for compliance with all of the above policies and must be able to demonstrate compliance.

3.3) The controller is only entitled to process personal data on the basis of one of the legal grounds for processing set out in the legislation. Only if no other legal ground for processing applies must the controller obtain the data subject's consent.

3.4) The controller shall continuously update the processed personal data, in particular if it discovers an inaccuracy of any of the processed personal data or receives information from the data subject about a change in any of the processed personal data.

4. Sending commercial messages (direct marketing)

4.1) The Controller may send commercial communications to website users via electronic mail (e-mail) offering services.

4.2) In this context, the controller processes personal data: contact e-mail address for sending commercial communications.

4.3) The administrator is only entitled to send commercial communications after obtaining the consent of the website user. This consent is given by the user by filling in the web form. In this case, the legal basis for the processing of personal data is consent, which may be withdrawn by the user at any time. The controller is entitled to process personal data for these purposes until the data subject (user) withdraws his/her consent, but for no longer than five (5) years from the date on which the consent was given. Failure to provide such consent or its withdrawal shall not affect the ability of the controller to provide the services.

5. Use of cookies and other marketing

5.1) With the consent of the website user, the administrator places files on the computer of this person for the purpose of sending back data about the user's behaviour on the website (so-called cookies) and processes the data obtained in this way for the purpose of adjusting the website according to the user's observed behaviour and improving the administrator's services. In this context, the controller may carry out further marketing (in particular, displaying advertisements on other websites). In the context of further marketing, the controller processes the following personal data: the IP address.

5.2) Consent to the placement of cookies shall be deemed to include, in particular, the setting of the user's computer or the software used in such a way that it allows cookies to be stored on the computer. The user is informed before giving consent, or on the first visit to the website, that this consent can be withdrawn at any time. Revocation of consent is also considered to be the setting of the user's computer or the software used so that it no longer allows cookies to be stored on the computer, including the possible deletion of cookies already stored on the computer.

5.3) The legal basis for the processing of personal data when storing cookies is the consent of the data subject. Failure to provide such consent or withdrawal of such consent shall have no effect on the controller's ability to provide services. The controller processes these personal data for the duration of the consent. The legal basis for further marketing is its necessity for the purposes of the legitimate interests of the controller, which is to carry out marketing. The data subject's consent to this processing is not required. However, the controller is obliged to terminate this processing if the data subject informs the controller that he or she does not consent to this processing.

6. Transfer of personal data to third parties

6.1) The controller uses the professional and specialized services of other entities to achieve the purposes for which it processes the personal data of website users. Insofar as these suppliers process personal data transmitted from the controller in the course of providing these services, they have the status of data processors and process this personal data only within the framework of instructions from the controller and may not use it otherwise. This includes in particular the following activities:

(a) sending commercial communications (direct marketing) - via Mailchimp.com,

(b) management of measurement codes - via Google Tag Manager,

(c) evaluating marketing activities and monitoring the technical functionality of the website - via Google Analytics,

(d) other marketing - via Google Ads and Sklik.

At the request of the data subject, the controller shall disclose whether and to which subject his or her personal data have been disclosed and other relevant information.

6.2) The controller shall carefully select each such supplier and shall enter into a personal data processing contract with each of them, setting out the obligations to protect and secure personal data, including the obligation to maintain confidentiality.

6.3) The controller is entitled to transfer personal data only to those persons who provide sufficient guarantees by putting in place appropriate technical and organisational measures so that the processing complies with all the requirements laid down by law and to ensure the protection of the rights of data subjects.

7. Method of processing and access to personal data

7.1) Personal data are processed through the administrator's information system, the security of which against loss of personal data and against access by unauthorized persons is regularly verified. Access to the system is restricted according to the set managerial roles. The security of the transmission of personal data in electronic form to third parties is ensured by access to the administrator's information system protected by a secure password. The information system is standard, its supplier provides the usual security guarantees, its functionality and security is regularly tested and maintained by an external supplier with whom the controller has a contract for the processing of personal data.

7.2) The controller shall implement in particular the following technical and organisational measures when processing personal data:

(a) locking the controller's premises where personal data are processed,

(b) the processing of personal data only by responsible persons,

(c) training of the persons responsible for the handling of personal data.

7.3) The Controller shall keep the processed personal data up to date, in particular in connection with changes it learns from other persons or from publicly available sources.

7.4) If the controller has already achieved the purpose of processing the personal data and has no further reason for processing the personal data, the controller shall delete the personal data without the possibility of their recovery.

7.5) Access to personal data at the controller shall be restricted to persons for whom it is strictly necessary to achieve the purpose for which the personal data are processed.

7.6) Persons having access to personal data are duly trained on their protection and are obliged to maintain confidentiality.

8. Rights of the data subject

8.1) The data subject has the following rights in relation to the protection of personal data:

(a) to have access to his or her personal data, which includes in particular the right to obtain confirmation from the controller as to whether it processes his or her personal data, information on the purposes of the processing, the categories of personal data, the recipients to whom the personal data have been or will be disclosed, the intended duration of the processing, the existence of the right to request the controller to rectify or erase personal data concerning the data subject or to restrict or object to the processing,

(b) to rectify inaccurate personal data; however, the data subject is also obliged to notify changes to his or her personal data and to provide evidence that such changes have occurred. He or she shall also be obliged to cooperate if it is established that the personal data processed about him or her are inaccurate,

(c) the right to erasure of personal data concerning him or her, unless the controller demonstrates legitimate grounds for processing those personal data,

(d) to restrict the processing of personal data until the complaint is resolved, if he or she contests the accuracy of the personal data, the grounds for processing or if he or she objects to the processing,

(e) the right to be notified of the rectification, erasure or restriction of the processing of personal data, unless this proves impossible or requires disproportionate effort,

(f) the portability of the data in a structured, commonly used and machine-readable format and the right to request the transfer of those data to another controller,

(g) to object to the processing of his or her personal data on the grounds of a legitimate interest of the controller (e.g. for further marketing); if it is not demonstrated that there is a compelling legitimate reason for the processing which overrides the interests or rights and freedoms of the data subject, the controller shall terminate the processing without undue delay on the basis of the objection,

(h) to withdraw consent to the processing of personal data at any time if the controller processes them on the basis of his consent; however, such withdrawal of consent shall not affect the lawfulness of the processing based on the consent given before its withdrawal,

(i) to contact the Data Protection Authority (www.uoou.cz) with a complaint or suggestion.

9. Effectiveness

9.1) This policy is effective from 20 March 2020.