Declaration on the processing of personal data per Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regards to the processing of personal data and on the information of data subjects ("GDPR")

I. Personal data controllers

Personal data controllers:

Name (company): Strojírny Rožmitál, s.r.o.

Registered office: Žižkova 708, Příbram I, 261 01 Příbram

Ing. Lenka Janotová, Director of the company

ID NO.: 14082918

VAT NO: CZ14082918

and

Name (company): SMS CZ, s.r.o.

Registered office: Nám. U Saské brány 12, 337 01 Rokycany

Ing. Petr Jirsa, Managing director

ID NO.: 48360830

VAT NO: CZ48360830

(hereinafter referred to as "the administrators")

 

Hereby informs the data subjects about the processing of their data and their rights in compliance with Article 12 GDPR.

II. Scope of the processing of personal data

Personal data are processed to the extent that the respective data subject has provided them to the controllers in connection with the conclusion of a contractual or other legal relationship with the controllers or which the controllers have otherwise collected and processed by applicable law or to fulfil the controller's legal obligations. 

III.  Sources of personal data

• directly from data subjects (e.g. registration, emails, telephone, chat, website, web contact form, social networks, business cards, contracts, consents, video footage taken by the controller's technical equipment, etc.)
• public records - for this document, a public record is:
• the public register according to Act No. 304/2013 Coll., on public records of legal and natural persons, as amended, i.e. the Federal Register, the Foundation Register, the Register of Institutions, the Register of Unit Owners' Associations, the Commercial Register and the Register of Benefit Corporations;
• other registers within the meaning of No 111/2009 Coll., on basic registers, as amended

IV. Categories of personal data subject to processing by the controllers

Identification data, contact data, descriptive data, transaction data, and technical product data.

V. Categories of data subjects

The data subject is the natural person to whom the personal data relate, namely:

• an employee of the controllers
• an applicant for employment with the controllers
• a contractual partner of the controllers (natural person or business)
• a subject in a pre-contractual relationship with the controllers (customer before accepting an order, enquirer, etc.)
• party to the proceedings
• intervener
• person concerned, interested party
• applicant
• interviewer
• payer
• beneficiary
• authorized
• obliged
• victim

VI. Categories of processors and recipients of personal data

• public authorities
• local authorities
• public institutes
• banking institutions
• insurance companies
• an external entity providing services to the administrators in various areas (OSH, accounting, training, education) 

VII. Purpose and reasons for processing personal data 

The processing of personal data takes place at the controllers:

• based on the data subject's consent
• in the performance of a contract with the data subject
• for the implementation of measures taken before the conclusion of the contract at the request of the data subject
• for the fulfilment of a legal obligation applicable to the controllers (including archiving by law)
• for the protection of the vital interests of the data subject or another natural person
• for the performance of a task carried out in the public interest or the exercise of official authority vested in the controllers
• because of a legitimate interest of the controllers or of a third party (including archiving based on a legitimate interest of the controllers) 

Reasons for processing special categories of personal data

• explicit consent of the subject,
• compliance with obligations in the field of labour law, social security law and social protection,
• the protection of the vital interests of the data subject or of another natural person where the data subject is not physically or legally able to give consent,
• Generally know data disclosed by the data subject,
• establishing, exercising or defending legal claims or in the course of legal proceedings,
• significant public interest,
• archiving in the public interest, for scientific or historical research purposes or statistical purposes 

VIII. Method of processing and protection of personal data 

The controllers carries out the processing of personal data. Processing is carried out at the controller's premises, at the controller's headquarters, by individual authorised employees or the processor. The processing is carried out using computer technology or, in the case of personal data in paper form, manually, in compliance with all security principles for managing and processing personal data. To this end, the controllers have adopted technical and organisational measures to protect personal data, particularly steps to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or another misuse of personal data. All entities to which personal data may be disclosed shall respect the right of privacy of data subjects and shall comply with applicable data protection legislation.

IX. Period of processing of personal data

Following the time limits specified in the relevant contracts, in the internal regulations of the controllers or the relevant legislation, this is the time necessary to ensure the rights and obligations arising from the contracts, legitimate interests and the applicable legislation.

X. Rights of data subjects

1. Under Article 12 of the GDPR, the controllers inform the data subject of the right to access personal data and the following information:

• the purpose of the processing,
• the category of personal data concerned,<
• the recipient or categories of recipients to whom the personal data have been or will be disclosed,
• the intended period for which the personal data will be stored,
• any available information on the source of the personal data,
• if not obtained from the data subject, whether automated decision-making, including profiling, occurs. 

1. Any data subject who becomes aware or considers that the controllers or processor are carrying out a process of processing of their data which is contrary to the protection of the data subject's private and personal life or contrary to law, in particular where the personal data are inaccurate concerning the purpose of the processing, may:

• Request an explanation from the controllers.
• Request that the controllers remede the situation. In particular, this may involve blocking, rectifying, supplementing or erasing personal data.
• If the data subject's request is justified, the controllers shall rectify the lousy situation immediately.
• If the controllers do not comply with the data subject's request, the data subject has the right to apply directly to the supervisory authority, the Office for Personal Data Protection.
• The data subject has the right to address their complaint directly to the supervisory authority without taking any preparatory steps. 

1. The controllers shall provide information and communication to data subjects in a concise, transparent, understandable and easily accessible manner using clear and plain language. The controllers may provide information and communication to data subjects in writing and, where appropriate, electronically or orally, provided that it verifies the identity of the data subject concerned.
2. The controllers shall respond to data subjects' requests for information without undue delay but, at the latest, within one month of receipt of such a request. In justified cases, the controllers may extend this time limit, but no longer than two months. The controllers shall inform the data subject of the extension within one month of receipt of the data subject's request and shall inform the data subject of the reasons for the extension. Suppose the data subject submits a request for information and communication electronically. In that case, the CONTROLLERS shall provide the information and communication to the data subject electronically unless the subject requests another method, e.g. in writing.
3. If the data subject requests the controllers to take specific measures (rectification of their data, erasure, etc.) and the controllers do not take such steps, the controllers shall inform the data subject thereof without delay, and at the latest within one month of the request for taking the relevant measures, including the reasons for not taking such steps, as well as information on the possibility for the data subject to lodge a complaint with the Office for Personal Data Protection or to apply to the court.
4. The controllers shall provide the information and communication to the data subject free of charge. Suppose the data subject makes repeated requests, or such requests are unfounded or excessive. In that case, the controllers may refuse the request or impose a reasonable fee covering the administrative costs associated with providing the information and communication or implementing the requested measures. The controllers must demonstrate the unfoundedness or unreasonableness of the data subject's request.
5. Where the controllers obtain personal data directly from the data subject, the controllers shall communicate the following information to the data subject when receiving the data:

            (a) the identification and contact details of the controllers and the controller's representative, if any;

            (b) the purposes of the processing for which the personal data are intended and the legal basis for the processing;

            (c) the legitimate interests of the controllers or of a third party where the processing is necessary for the legitimate interests of the controllers or the third party;

            (d) the possible recipients or categories of recipients of the personal data;

            (e) the intention, if any, of the controllers to transfer the personal data to a third country or an international organisation and the existence or otherwise of a decision of the European Commission that the third country or international organisation provides adequate protection for the personal data and a reference to appropriate safeguards and means of obtaining a copy of the data or information on where the data have been disclosed.

1. Where necessary to ensure fair and transparent processing, the controllers shall also provide the data subject with further information, in particular the duration of the processing of the personal data, or the criteria for determining it, and information on the data subject's right to rectification, erasure, etc.
2. If the controllers do not obtain the personal data directly from the data subject, the controllers shall communicate to the data subject, upon receiving the personal data, the information referred to in paragraphs 7(a), (b), (d) and (e), and, where applicable, further information according to paragraph 8. 

1. The controllers shall inform the data subject of any change in the purpose of the processing of personal data whenever it occurs. 

1. The controllers shall, upon request, provide the data subject with confirmation as to whether the controllers process personal data relating to them and, if so, provide the data subject with access to such data and to the following information:

            (a) the purposes of the processing;

            (b) the categories of personal data concerned;

            (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

            (d) the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine that period;

            (e) the existence of the right to request from the CONTROLLERS the rectification or erasure of personal data relating to the data subject or the restriction of their processing or to object to such processing;

            (f) the right to complain to the Data Protection Authority;

            (g) any available information about the source of the personal data unless obtained from the data subject.

1. The controllers shall, by the obligations set out in paragraph 11, provide the data subject with a copy of the personal data processed. The controllers may charge a reasonable administrative fee for providing documents under the preceding sentence.
2. The controllers are obliged to correct inaccurate personal data concerning the data subject without undue delay to complete incomplete personal data, including by providing an additional declaration.
3. The controllers are obliged to erase personal data concerning the data subject without undue delay if one of the following grounds is met:

            (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

            (b) the data subject withdraws consent where the personal data were processed based on that consent, and there is no further legal basis for the processing;

            (c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

            (d) the personal data have been unlawfully processed;

            (e) the personal data must be erased to comply with a legal obligation under European Union or Czech law. 

(15) Where a controllers have disclosed the personal data of a data subject and is obliged to erase it, the controllers must take reasonable steps (having regard to available technology and costs) to inform other controllers of personal data that process that personal data that the data subject has requested them to erase all references to that personal data, copies and replications thereof.

(16) The controllers shall not be obliged to comply with the obligations under paragraphs 14 and 15 if the processing of personal data is necessary for the controllers, e.g. to comply with a legal obligation which requires the processing of personal data under the European Union or Czech law to which the controllers are subjects, or for the establishment, exercise or defence of legal claims, etc.

1. The controllers are obliged to restrict the processing of personal data of the data subject if:

            (a) the data subject contests the accuracy of the personal data for the period necessary to enable the controllers to verify the accuracy of the personal data;

            (b) the processing is unlawful, and the data subject refuses to erase the personal data and requests instead the restriction of their use;

            (c) the controllers no longer needs the personal data for the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

            (d) the data subject has objected to the processing under paragraph 19 of this Article of the Directive, pending verification that the controller's legitimate grounds for the processing override those of the subject. 

1. Where the controllers have restricted the processing of personal data under the preceding paragraph, such personal data may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or reasons of substantial public interest of the European Union or a Member State of the European Union. 

1. The controllers shall inform the data subject before lifting the restriction on the processing of personal data under paragraph 17. 

1. The controllers shall notify individual recipients of any rectification or erasure of personal data, of any restriction on the processing of personal data, except where this proves impossible or requires disproportionate effort. The controllers shall also inform the data subject of these recipients if the data subject so requests. 

1. If the data subject objects to the controllers to the processing by the Community of Owners of personal data processed by the controllers for the legitimate interests of the controllers or a third party, the controllers shall no longer process the personal data based on the objection unless the controllers demonstrate compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The controllers must inform the data subject of this right at the latest at the time of the first communication with the data subject. 

XI. Verification of the identity of the data subject

1. If the controllers receive a submission from a natural person - data subject, which, by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (from now on referred to as "GDPR")

            (a) exercise the right of access to their data, and,

            (b) requests confirmation as to whether the controllers processe personal data relating to the applicant within the meaning of the GDPR and,

            (c) requests that copies of the personal data processed to be provided free of charge; and,

            (d) requests a communication of which categories of personal data are processed and,

            (e) requests a statement of the purpose for which the personal data are processed and,

            (f) asks for a statement of the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine that period and,

            (g) asks to be informed whether (and under what conditions) they may request the controllers to rectify or erase the personal data, to restrict their processing, or whether and how the data subject may object to the processing of my data, and,

            (h) asks to be informed whether (and how) the data subject may lodge a complaint with a supervisory authority and who that supervisory authority is, and,

            (i) ask for the disclosure of any available information about the source of the personal data concerning the data subject, if not obtained directly from the data subject, and,

            (j) requests to be informed whether, about the processing of the personal data of the data subject, automated decision-making, including profiling as referred to in Article 22(1) and (4) of the GDPR, also takes place and, at least in these cases, further requests to be provided with meaningful information concerning the procedure used as well as the relevance and foreseeable consequences of such processing for the data subject, and,

            (k) requests to be told who the recipients of the data subject's data are or, where appropriate, to indicate the categories of recipients to whom their data have been or will be disclosed, and,

            (l) requests to be informed of the recipients in third countries and international organisations who have had or will have personal data of the data subject and,

            (m) requests information regarding the safeguards under Article 46 of the GDPR where personal data are transferred to a third country or international organisation,

the controllers are always obliged to sufficiently verify the applicant's identity before processing the above requests. If the controllers doubts the applicant's identity, he can request additional information to confirm his identity (Article 12(6) GDPR). 

1. The administrators is entitled, in case of doubt as to the identity of the applicant, to request from that person:

            (a) to send the application with the applicant's signature certified if the applicant has made the application in paper form,

            (b) sending the application with an electronic signature, i.e. with data in electronic form attached to or logically associated with the data message, which serves as a method to unambiguously verify the identity of the signatory about the data message

            (c) sending the application by data mailbox, if the applicant has one 

1. The controllers shall not be entitled to request further information to verify the identity of the applicant, in particular, where:

            (a) at the relevant time (i.e. the time of the submission of the appropriate application), the controllers processe the email contact as personal data of the applicant from which the proper application was sent

1.           b)the controllers processe the telephone number of the applicant at the relevant time, then makes a telephone call to that telephone number to verify the identity of the applicant and, as agreed with the applicant, then sends the requested information or communicates other facts relating to the processing of personal data electronically to the email address provided by the applicant or in writing to the address provided by the applicant,

            (c) the controllers can verify the identity of the applicant in other ways (e.g. through public registers and existing communications)

            (d) the applicant has requested in person in front of a competent controllers official or another person authorised by the controllers. 

XII. Final provisions

The Declaration is publicly available on the website of the administrators: www.czechfarmtechnology.com

This Declaration was last updated on 01.12.2024