Act No. 110/2019, on the processing of personal data (hereinafter referred to as the “Act”)
I. Administrator of personal data
JTEKT COLUMN SYSTEMS CZECH s.r.o. (hereinafter JCSCZ), with registered office at Podnikatelská 1144/8, 301 00 Plzeň, ID 26733561, registered at the Regional Court in Pilsen, section C, file 15492 (hereinafter referred to as the “Company” or “administrator”), as a personal data administrator, hereby provides information, on the basis of this Act, about the manner and extent of personal data processing, including the extent of the rights of the related data subjects. Unless otherwise stated by the Act, the provisions concerned are those of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons in connection with the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”).
II. Scope of personal data processing
Personal data is processed to the extent that the relevant data subject has provided it to the controller, in connection with the conclusion of a contractual or other legal relationship with the controller, or that the controller has collected otherwise and processes it in accordance with applicable legal regulations or to fulfill the controller’s legal obligations as amended by the Act.
III. Sources of personal data
Directly from entities providing personal data voluntarily (e.g. when providing services and other support, e.g. from email, personal or telephone communications). These sources are a basic prerequisite not only for concluding or changing a contractual relationship, but at the same time primarily serve for the unambiguous and unmistakable identification of data subjects, as determined by generally binding regulations and as necessary for the conduct of the contracting parties and the fulfillment of the law by the Company. This mainly concerns the transferred personal data, but also data derived from the provided data, publicly available registers, lists and records (e.g. commercial register, trade register, public telephone directory, etc.), and camera systems that are managed or owned by the administrator and operated for the purpose of protecting the persons and property of the administrator against possible illegal actions by other entities.
IV. Categories of personal data that are the subject of processing
- Identification data: in particular name, surname, title, date of birth, VAT number, address, place of delivery, signature, etc. Identification data is also personal data on the basis of which we are able to identify you unmistakably.
- Contact data: contact data is, in particular, a contact or delivery address, telephone number, e-mail address, etc. Contact data is thus personal data on the basis of which we are able to contact you.
- Service purchase data: data about what services you use from us. More detailed information regarding the specific categories of personal data that we process can be found in the text of the document by which you either give us your consent to the processing of personal data, or by which we inform you about the processing of personal data when selling a product or service based on our contractual or legal obligation, or on the basis of legitimate interest.
- Descriptive and authentication data (e.g. bank details or login/registration data), other data necessary for the performance of the contract, and data provided beyond the scope of the relevant laws and processed within the framework of the consent granted by the data subject (processing of photos and video recordings, use of personal data for the purpose of personnel management, etc.).
- Data on behavior on our website (more information is provided in the document Principles of working with cookies, published on the website www.jtekt-cs.cz).
V. Categories of data subjects
An employee of the administrator, an external collaborator (natural persons and non-entrepreneurs), a partner of the administrator, a carrier, a service provider, a customer or another person who is in a contractual relationship with the administrator, as well as a job applicant and natural persons involved in the processing of personal data.
VI. Categories of recipients of personal data
Public administration bodies (police, bailiffs, and others), or state and other authorities within the framework of the fulfillment of legal obligations established by the relevant legal regulations or on the basis of your consent to the processing of personal data; public institutions and financial and insurance institutions; persons who provide postal and e-mail mailings or who provide IT management, hosting services, satisfaction questionnaires and technical processing operations (suppliers of information systems and applications); and other processors of the controller or other possible recipients in the territory of the Czech Republic and in EU states. More detailed information regarding processors and recipients of personal data can be found in the text of the document by which you either grant us consent to the processing of personal data, or by which we inform you about the processing of personal data when providing a specific service based on our contractual obligation, or on the basis of a legitimate interest.
VII. The purpose of personal data processing
Purposes of processing personal data of data subjects:
- automotive manufacturing and related services;
- conclusion and fulfillment of a rental agreement according to Act No. 89/2012, Civil Code, negotiation of contractual relationship, fulfillment of the contract;
- internal administrative needs and internal records and protection of the rights and interests of the administrator, recipient or other affected persons (e.g. debt collection, claims for compensation for damages, administrative proceedings according to special regulations, creation of statistics), archiving conducted on the basis of the law, tendering for vacant jobs, fulfillment of legal obligations by the controller and based on its legal activities, protection of vital interests of the data subject, improvement of the website of the controller and services based on their use;
- statistical reporting.
VIII. Method of processing and protection of personal data
It is carried out only at workplaces and at the headquarters by employees of the administrator, as processors with the help of computer technology, or also in a manual way for personal data in paper form in compliance with all security principles and technical or organizational measures for the management and processing of personal data.
IX. Time of personal data processing
In accordance with the periods specified in the relevant contracts, in the file and shredding regulations of the administrator or in the relevant legal regulations, this is the time absolutely necessary to ensure the rights and obligations arising from the contractual relationship as well as from the relevant legal regulations, which the administrator must comply with.
The administrator processes data with the consent of the data subject, with the exception of cases provided for by law, where the processing of personal data does not require the consent of the data subject within the meaning of the Act, unless otherwise stipulated as a result of statutory exceptions, and/or GDPR.
In accordance with the provisions of the Act and further on the basis of Article 6, paragraph 1 of the GDPR, the controller may process the following data without the consent of the data subject:
- the data subject has given consent for one or more specific purposes,
- processing is necessary for the fulfillment of a contract to which the data subject is a contracting party, or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject,
- processing is necessary to fulfill a legal obligation that applies to the administrator,
- processing is necessary to protect the vital interests of the data subject or other natural person,
- processing is necessary for the purposes of the legitimate interests of the relevant administrator or third party, except in cases where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence over these interests.
XI. Technical and organizational measures for the security of personal data of data subjects
1. The administrator has adopted and maintains in particular the following measures to ensure the level of security of personal data:
- all persons who will be granted access to personal data have been or will be instructed on the obligations and properly trained by the administrator in the field of personal data processing before this access is granted;
- the functionality and effectiveness of measures to ensure the security of personal data are checked regularly and to the extent necessary, in the form of own audit and revision activities in the area of measures and documentation;
- making records that will allow determining and verifying when and by whom personal data was recorded or otherwise processed;
- performing encryption and/or anonymization of personal data;
- the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services, given the technical measures in place and their regular review;
- the ability to restore the availability of personal data;
- an established process of regular testing, assessment and evaluation of the effectiveness of measures implemented to ensure processing security;
- the ability to ensure the protection of the integrity of communication networks;
- antivirus protection and unauthorized access control;
- secure data transfer, which enables unambiguous identification of the recipient through tools;
- when processing personal data, personal data will be stored exclusively on secure servers or on secure data carriers, if personal data is in electronic form.
2. The administrator continuously adopts additional guarantees for the purpose of technical and organizational security of personal data, in particular measures to prevent unauthorized or accidental access to personal data, accidental or unlawful destruction, loss, alteration or unauthorized disclosure (hereinafter referred to as “breach of personal data security”), at its discretion and taking into account the state of the art.
XII. Rights of data subjects
1. The basic and necessary requirements for applications to exercise the rights of data subjects are published in the document Requirements for the exercise of rights, published on all our websites. In the mentioned document, the rights of data subjects are enumerated and at the same time forms are prepared for exercising the rights of data subjects, always at the email address firstname.lastname@example.org or at the administrator’s workplace.
2. In accordance with the provisions of § 28 of the Act, the administrator shall, at the request of the data subject, inform the data subject of the right to access personal data and the following information:
- purpose of processing,
- category of personal data concerned,
- recipients or categories of recipients to whom personal data has been or will be made available,
- the planned period for which personal data will be stored,
- all available information about the source of personal data, if not obtained from the data subject,
- the fact whether automated decision-making is taking place, including profiling,
- instruction on the rights to request correction, restriction of processing or erasure of personal data and the sources of such data.
3. Any data subject who discovers or believes that the administrator or processor is processing his personal data in violation of the protection of the private and personal life of the data subject or in violation of the law, especially if the personal data is inaccurate with regard to the purpose of their processing, may:
- ask the administrator for an explanation and further request that the administrator remedy the situation thus created. In particular, this may involve blocking, correcting, supplementing or deleting personal data,
- if the data subject’s request according to paragraph 1 is found to be justified, the controller will immediately remedy the objectionable situation,
- if the administrator does not comply with the data subject’s request according to paragraph 1, the data subject has the right to contact the supervisory authority, i.e. the Office for the Protection of Personal Data, located at the address: Plk. Sochora 27, 170 00, Prague 7, phone: 234 665 800 or email: email@example.com,
- the procedure according to paragraph 1 does not preclude the data subject from contacting the supervisory authority directly,
- Contact information for the personal data protection officer of the Company: Algotech, a.s., at: Sokolovská 668/136d, 186 00 Prague, e-mail: firstname.lastname@example.org.
- Contact information for the person in charge of the administrator’s personal data protection agenda in the Czech Republic: Jiří Hrabák, e-mail: email@example.com or address of the administrator’s headquarters.