Policy on the processing of personal data
Sokol, Novák, Trojan, Doleček and partners, advokátní kancelář s.r.o., with its registered seat at Na strži 2102/61a, Krč, 140 00 Praha 4, identification number: 241 96 509 (hereinafter referred to as "the Company"), is a company whose object of business is the practice of the legal profession within the meaning of Act 85/1996 Coll., on the Legal Profession, as amended, and the conduct of the Company's business activities involves the processing of personal data within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679).
The purpose of this policy on the processing of personal data (hereinafter referred to as "the Policy") is to inform you as data subjects, whose personal data are processed by the Company (hereinafter as "you"), about the processing of personal data carried out by the Company in the conduct of its business activities and your rights relating to this processing.
The protection of your personal data is a priority for the Company and the processing of personal data by the Company is carried out in accordance with all the requirements set out in data protection legislation and the fundamental principles of personal data processing.
PERSONAL DATA PROCESSED
The Company processes the following personal data (categories of personal data); in relation to a specific data subject, however, only to the extent necessary with regard to the purpose of the processing and the nature of the relationship between the data subject and the Company:
· identification data, in particular name, surname, date of birth, birth number and, where applicable, data on identity documents;
· contact data, in particular permanent residence address, other contact (correspondence) address, telephone number and e-mail address;
· payment data, i.e., data used to make payments, in particular bank account number;
· basic profile data, i.e., data on basic physical and socio-demographic characteristics of the person, in particular gender, nationality, marital status;
· professional profile data, in particular information on education, vocational and professional qualifications (including data contained in professional CVs);
· data of a financial nature, i.e., information on financial circumstances, payment behaviour and economic creditworthiness of a person, including information on debt;
· data of a contractual nature, i.e., data on contractual relations entered into by the Company, in particular data relating to goods and services supplied and provided by the Company or to the Company, including information on related requests and complaints and related communications;
· data on rights and legal claims, i.e., information on the rights and legal claims of a person against the Company and/or a third party (or vice versa);
· health information;
· data relating to criminal proceedings and criminal judgements; and
· audio/visual personal data, in particular photographs, video recordings and/or voice recordings.
The Company also processes (may process) other personal data not listed above relating to clients and other business partners of the Company and/or other third parties – the Company shall always properly inform the data subjects in accordance with the requirements set out in data protection legislation and this Policy.
Personal data are obtained by the Company from various sources, primarily from the data subjects themselves. Personal data are also obtained by the Company from publicly available sources (in particular the Internet and public listings, indexes and registers, such as the Commercial Register, the Trade Register or the Insolvency Register). Personal data are also obtained by the Company through third parties, in particular clients and other business partners of the Company, but also governmental authorities.
THE PURPOSES OF THE PROCESSING OF PERSONAL DATA
The Company processes your personal data for the following purposes:
· contractual agenda, i.e., for the purpose of concluding contracts with clients and other business partners of the Company, their amendments and termination (including pre-contractual negotiations), performance of rights and obligations arising from contracts, keeping records of contracts and related communications with clients and other business partners of the Company.
Within this purpose, the Company processes in particular the following personal data of clients and other business partners of the Company and their representatives: identification data, contact data, payment data, data of a financial nature, data of a contractual nature and data on rights and legal claims.
· attorney's agenda, i.e., for the purpose of fulfilling the obligations set out in the legal regulations governing the practice of the legal profession, particularly Act 85/1996 Coll., on the Legal Profession, as amended (hereinafter referred to as "Advocacy Act"), and regulations issued by the Czech Bar Association, in particular the obligation to protect and pursue the rights and legitimate interests of clients of the Company and the obligations while maintaining attorney's files, etc., and for the purpose of practising the legal profession and providing legal advice and legal services to clients of the Company, including the protection of the legitimate interests of clients of the Company.
Within this purpose, the Company processes in particular the following personal data of the clients of the Company, their representatives and persons concerned with or affected by the legal services provided to the clients of the Company or by the legitimate interests of the clients of the Company: identification data, contact data, payment data, basic profile data, professional profile data, data of a financial nature, data on rights and legal claims, health information, data relating to criminal proceedings and criminal judgements and audio/visual personal data and other data necessary for the practice of the legal profession.
· tax agenda, i.e., for the purposes of preparing, processing and filing tax returns, tax reports and other tax statements, communication with the relevant government authorities and the performance of other duties set out in tax legislation.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, data of a financial nature and data on rights and legal claims.
· accounting agenda, i.e., for the purpose of carrying out accounting audits, fulfilling registration and record-keeping obligations, fulfilling reporting obligations, communication with the relevant government authorities and fulfilling other obligations set out in accounting legislation.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, payment data, data of a financial nature and data on rights and legal claims.
· the archiving agenda, i.e., for the purpose of fulfilling the archiving obligations set out in the relevant legal regulations, in particular the Act on archiving and filing service, tax regulations and accounting regulations.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, basic profile data, professional profile data, data of a financial nature and data on rights and legal claims.
· interaction with public authorities, i.e., for the purpose of fulfilling various information, notification and other obligations towards public authorities (in particular courts, administrative authorities, financial administration authorities, law enforcement authorities) set out by the legislation.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, payment data, basic profile data, data of a financial nature, data on rights and legal claims and data relating to criminal proceedings and criminal convictions.
· management and administration of the Company, i.e., for the purpose of ensuring the effective management, administration and operation of the Company.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, payment data, basic profile data, professional profile data, data of a financial nature and data on rights and legal claims.
· marketing and promotion, i.e., for the purposes of marketing and promotion of the Company and its products and services (including sending commercial communications).
Within this purpose, the Company processes in particular the following personal data: identification data and contact data.
· protection of legal interests (claims) of the Company and third parties, i.e., for the purpose of determining, exercising and protecting rights, legal claims and other legal interests of the Company and third parties.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, payment data, basic profile data, data of a financial nature, data on rights and legal claims and health information.
· safety and security, i.e., for the purposes of ensuring security in the Company and protecting the Company's assets and third parties, including by means of a security camera system on the premises of the Law Firm offices.
Within this purpose, the Company processes in particular the following personal data: identification data and audio/visual personal data; and
· recruitment, i.e., for the purpose of recruiting new employees and associates of the Company (i.e., for purposes of receiving, processing and recording CVs, selecting (screening) job applicants, holding job interviews, evaluating job applicants, making offers of employment with the Company and communicating with applicants throughout the recruitment process) and keeping records of job applicants in the Company.
Within this purpose, the Company processes in particular the following personal data: identification data, contact data, basic profile data, professional profile data and audio/visual personal data.
In the event that the Company processes your personal data in the future for other purposes not listed above, the Company will duly inform you of such other processing purposes in accordance with the requirements set out in the data protection legislation and this Policy.
LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
The Company processes your personal data on the basis of the following legal grounds (titles):
· for the performance of obligations set out by law;
· for the performance of a contract concluded between you and the Company;
· for the legitimate interests of the Company and/or third parties; and
· on the basis of your consent to processing.
Processing of personal data for the performance of obligations set out by law
On the basis of this legal ground, the Company processes personal data because the Company is required to do so by various legal regulations, including but not limited to tax regulations, accounting regulations, regulations governing the practice of the legal profession (providing for example for the obligation to keep a lawyer's file), archival regulations, and other legal regulations which impose various information or reporting obligations on the Company to public authorities (for example, anti-money laundering regulations). In the case of this legal reason (title) for processing, this includes processing for the following processing purposes: attorney’s agenda, tax agenda, accounting agenda, archival agenda and interaction with public authorities.
Processing of personal data in connection with the AML Act
In connection with the processing of personal data in order to fulfil the obligations set out in legal regulations, we note further that the Company as a law firm is an obliged person within the meaning of Act 253/2008 Coll., on certain measures against the legalization of proceeds of crime and financing of terrorism, as amended (hereinafter also referred to as "the AML Act"), and as such the Company is obliged to implement measures under the AML Act and related regulations, in particular in certain cases to carry out identification and screening of clients.
For this purpose, all names and surname, title, birth number, date of birth, place of birth and sex, permanent or other residence and citizenship, occupation, identity card number, photographs from the identity card and other data contained in the identity card are processed. In the case of an entrepreneurial natural person, information on his/her business name, distinctive supplement or other designation, registered office and personal identification number is also processed. However, other contact details may also be processed, in particular telephone number and email address, and other data obtained in the course of the client's control and follow-up control and/or third parties and the fulfilment of other obligations under the AML Act.
Processing of personal data for the performance of a contract concluded between you and the Company
If you have entered into a contract with the Company, the Company will also process your personal data on the basis of that contract, since without the processing of such personal data it would not be possible to negotiate, conclude and perform the contract, or its conclusion would be significantly more difficult. Therefore, in the case of this legal reason (title) for processing, it means processing for the purposes of the contractual agenda.
Processing of personal data for the legitimate interests
The Company also processes your personal data for the so-called legitimate interests of the Company and/or third parties (in particular the Company's clients), but only on condition that the legitimate interests of the Company or third parties do not take precedence over your interests or your fundamental rights and freedoms requiring the protection of personal data.
In the case of processing carried out by the Company, these are the following legitimate interests of the Company and/or third parties:
· the management and administration of the Company where the Company's legitimate interest is the interest in ensuring effective management, operation and communication within the Company, i.e., the organisation and management of the Company, the realisation of objectives of the Company, meeting the requirements and objectives in the field of Corporate Compliance, etc.;
· protection of the Company's legal interests (claims) where the Company's legitimate interest is determination, exercise and protection of the Company's rights, legal claims and other legal interests, whether by judicial, non-judicial or other means;
· protection of legal interests (claims) of third parties where the legitimate interest of third parties (clients of the Company) is the determination, exercise and protection of the rights, legal claims and other legal interests of the Company's clients, whether by judicial, non-judicial or other means;
· marketing and promotion where the Company's legitimate interest is in the promotion of the Company and its goodwill, an interest in promoting the Company's products and services, and an interest in maintaining and expanding the Company's client portfolio;
· safety and security where the Company’s legitimate interest is in ensuring safety within the Company (physical security as well as IT and network security) and the protection of the Company's and third parties' property. Due to this legitimate interest, the Company's premises (offices) are equipped with security systems in the form of access control to the Company's premises (offices) and CCTV system; and
· recruitment where the Company’s legitimate interest is in recruiting new employees and associates of the Company and an interest in maintaining a database (register) of applicants for employment with the Company, in which we record personal data about selected job applicants who are likely to be made a new offer of employment with the Company (e.g. if the Company establishes a new position identical or similar to the position for which the job seeker originally applied).
Processing of personal data on the basis of consent to the processing of personal data
Finally, the Company processes (may process) your personal data also on the basis of your consent, but only if you have given the Company your consent to process your personal data. In this case, the Company will only process your personal data for the purposes for which you have given your consent to the Company.
The provision of your consent to the processing of personal data is entirely voluntary and you have the right to withdraw your consent to the processing of your personal data at any time.
RECIPIENTS (CATEGORIES OF RECIPIENTS) OF PERSONAL DATA
Your personal data are (might be) transferred by the Company to third parties as so-called recipients of personal data – with regard to the purposes for which the Company processes personal data, your personal data are (might be) transferred by the Company to the following recipients (categories of recipients):
· contractual agenda – in connection with the contractual agenda, personal data are transferred mainly to commercial partners of the Company who participate as subcontractors in the performance of contracts concluded by the Company;
· attorney’s agenda – within this purpose, personal data are transferred mainly to the Company's clients, lawyers cooperating with the Company and other persons involved in the provision of legal services of the Company, or provide related services to the Company's clients (e.g. financial or economic advisors of the Company's clients), counterparties of the Company's clients and their legal representatives. In connection with the attorney’s agenda, personal data are (might be) also transferred to the Czech Bar Association;
· tax agenda – in connection with the tax agenda, personal data are transferred in particular to the Company's tax advisors and financial administration authorities;
· accounting agenda – within this scope, personal data are transferred to persons providing services to the Company in the field of accounting and auditing and to the financial administration authorities;
· archival agenda – in the area of archiving, personal data are transferred to public authorities with competence in the field of archiving;
· interaction with public authorities – in connection with the performance of various information, notification and other obligations set out in legal regulations, personal data are also transferred to the relevant state authorities, in particular courts, administrative authorities, financial administration authorities, law enforcement authorities;
· marketing and promotion – in connection with the processing of personal data for marketing and promotion purposes, personal data are (might be) transferred to advertising agencies, graphic studios and other persons providing services to the Company in connection with the Company's marketing and promotion;
· protection of legal interests (claims) of the Company and third parties – in connection with this purpose of processing, personal data are transferred to persons involved in the determination, exercise and protection of rights, legal claims and other legal interests of the Company and the Company's clients (whether by judicial, non-judicial or other means), and to the public authorities (in particular courts, administrative authorities, financial administration authorities, law enforcement authorities and other authorities);
· security and protection – in this context, personal data are transferred to persons providing the Company security and asset protection services and to persons providing services to the Company in the area of IT security and protection;
· management and administration of the Company – in this area, personal data are transferred to persons who provide to the Company various management and administration support services, including IT services (e.g. internet connection, webhosting, etc.), secure data disposal services, banking and financial services (including insurance), back office services, etc. To a limited extent in the field of management and administration of the Company, there are also transfers of personal data to persons belonging to the same business group as the Company; and
· recruitment – in connection with recruitment, personal data are (might be) transferred in particular to recruitment agencies.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Your personal data are not transferred by default by the Company to third countries, i.e., countries that are not members of the European Union, Iceland, Norway and Liechtenstein.
Thus, the transfer of personal data to third countries only occurs in very exceptional cases, and only when the following conditions are met:
· under the condition that the personal data are transferred to a third country in respect of which a decision on the adequacy of personal data protection has been issued by the European Commission; or
· under the condition that the recipient of the personal data (i.e., the person to whom the personal data are transferred) provides appropriate safeguards for the personal data protection; or
· under the conditions set out by the relevant legal regulations concerning personal data protection, in particular where (1) the transfer of personal data to a third country is necessary for the performance of a contract between the Company and yourself or a contract entered into for the benefit of yourself; or (2) where the transfer is necessary for the determination, exercise or defence of legal claims, or (3) where you have given your express consent to the transfer.
STORAGE PERIOD OF PERSONAL DATA
The Company will only store your personal data for as long as is necessary for the relevant purposes and reasons of processing your personal data.
In the case of processing based on the fulfilment of legal obligations, the Company shall process your personal data for the period of time specified by the relevant legal regulations, in particular tax regulations, accounting regulations, regulations governing the practice of the legal profession and archival regulations. In the case of processing personal data in connection with the Company's obligations under the AML Act, personal data are processed for a period of ten (10) years after the end of the provision of legal services.
In the case of processing carried out for the performance of a contract concluded between you and the Company, the Company shall process your personal data for the duration of the relevant contractual relationship and for a period of ten (10) years from the termination of the relevant contractual relationship.
In the case of processing of personal data carried out on the basis of legitimate interests of the Company and/or third parties (in particular the Company's clients), the Company shall process your personal data for the following period:
· in the case of the Company's legitimate interest in the management and administration of the Company, for a period of two (2) years from the date of the collection of the personal data;
· in the case of the Company's legitimate interest in protection of the Company's legal interests (claims) for the duration of the relevant contractual relationship and for a period of ten (10) years from the termination of the relevant contractual relationship, otherwise for a period of ten (10) years from the collection of the personal data;
· in the case of legitimate interest to protect the legal interests (claims) of third parties for a period of ten (10) years from the collection of the personal data;
· in the case of the Company's legitimate interest in marketing and promotion for the duration of the contractual relationship and for a period of five (5) years after its termination, otherwise for a period of five (5) years from the collection of personal data;
· in the case of the Company having a legitimate interest in safety and security, for a period of one (1) year from the collection of personal data, in the area of IT security for a maximum of six (6) months from the collection of personal data and in the case of personal data processed through CCTV system for a maximum period of one (1) month after the collection of the personal data (however, in the case of the occurrence of a security incident, personal data may be processed for a longer period of time, but only for as long as it is necessary to clarify and resolve the security incident); and
· in the case of a legitimate interest of the Company in recruiting employees, for the duration of the selection process and in the case of maintaining a record of applicants for employment, for a period of six (6) months following the conclusion of the selection process.
In the case of processing of personal data carried out on the basis of your consent, the Company processes your personal data for the period specified in the relevant consent (or for the period otherwise demonstrably communicated to you).
YOUR RIGHTS
You have the following rights in relation to the processing of your personal data by the Company.
The right to withdraw consent to the processing of personal data
In the case of the Company processing your personal data on the basis of your consent, you have the right to withdraw your consent to the processing of your personal data at any time, in whole or in part, in relation to only certain types of your personal data or only for certain purposes of processing.
Right of access to personal data
You have the right to obtain confirmation from the Company as to whether your personal data are being processed by the Company (or not) and, if so, the right to access your personal data.
Right to correction and completion of personal data
You have the right to have inaccurate personal data relating to you corrected by the Company without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing an additional declaration.
Right to erasure ("right to be forgotten")
You have the right to have your personal data erased by the Company without undue delay if: (a) they are no longer necessary for the purposes for which they were collected by the Company; (b) you withdraw your consent to processing where the Company is processing your personal data on the basis of your consent; and at the same time if there is no other legal ground for processing of your personal data, (c) you object to processing of your personal data and simultaneously there are no overriding legitimate grounds for processing, (d) you object to processing for direct marketing purposes; (e) the personal data have been processed by the Company unlawfully, or (f) your personal data must be erased to comply with a legal obligation imposed by applicable law to which the Company is bound.
Right to restriction of processing
You have the right to have the Company restrict the processing of your personal data in the following cases: (a) you contest the accuracy of your personal data, for the period necessary to enable the Company to verify the accuracy of the personal data; (b) the processing of your personal data is unlawful and you refuse to erase your personal data and instead request that we restrict the use thereof; (c) the Company no longer needs your personal data for the purposes of processing but you require it for determination, exercise or defence of your legal claims; or (d) you object to the processing, pending verification that the Company's legitimate grounds outweigh your legitimate grounds.
Right to data portability
You have the right to require us to transfer your personal data (which you have provided to the Company) to another data controller (i.e., a person of your choice), but only if: (a) the processing of your personal data is based on your consent or the performance of a contract between the Company and you; and (b) the processing of your personal data is carried out by the Company by automated means (i.e., not manually).
Right to object
You have the right to object to the processing of your personal data at any time for reasons relating to your particular situation based on legitimate interest – if you object, the Company will not process your personal data further unless (a) the Company demonstrates compelling legitimate grounds for such processing which overrides your interests or rights and freedoms, or (b) it is necessary for the determination, exercise or defence of legal claims. In addition, you have the right to object at any time to the processing of your personal data for direct marketing purposes.
Right to compensation for damages
You have the right to compensation from the Company for any (tangible or intangible) damage you suffer as a result of a breach of the Company's obligations in the area of processing and protection of personal data.
Right to lodge a complaint with a supervisory authority
In case of doubt about the lawful processing of your personal data by the Company or if the Company does not comply with your request concerning your personal data, you have the right to contact the Personal Data Protection Office as the supervisory authority in the field of personal data protection. However, you may contact the Personal Data Protection Office without a prior request to the Company.
The Personal Data Protection Office can be contacted through the following communication channels:
· by telephone: +420 234 665 111; or
· by e-mail: posta@uoou.cz.
Right to judicial protection
In case of doubt about the lawfulness of the processing of your personal data or in the event of discovering a violation of your rights in connection with the processing of your personal data, you have the right to effective judicial protection.
NOTICE
However, in view of the specific nature of the Company's business, which is the practice of the legal profession, the Company also informs you that some of your rights related to the processing of personal data carried out by the Company may be limited, precisely because of the specific nature of the Company's activities.
CONTACT DETAILS
If you have any questions regarding the processing and protection of your personal data or if you intend to exercise any of your rights in relation to the processing of personal data by the Company, you may contact the Company through the following communication channels:
· by telephone: +420 224 941 946; or
· by e-mail: advokati@sntd.eu.