GDPR
Rights and Duties in Connection with Personal Data and Consent to Personal Data Processing
I. Introductory Provisions. Interpretation of Certain Terms
1.1 “MA” is MODRÝ ANDĚL s.r.o., company ID number: 27218422, registered office: Českomoravská 1181/21, Libeň, 190 00 Prague, entered in the Commercial Register maintained by the Municipal Court in Prague, section C, entry 105306, represented by executive officer Robert Faltýnek.
1.2 The “Data Register” (hereinafter the “Register”) is a database containing data registered in connection with the Terms and Conditions for arranging transport by MA, as amended, and data registered in connection with the conclusion of contracts in accordance with legal regulations valid and effective in the territory of the Czech Republic.
1.3 The “Provider” is a natural person providing data to the Register.
1.4 The “GDPR” is REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation).
1.5 The Register and data in it, including personal data, are administered by MA. In relation to such data MA is the controller of the personal data in accordance with the relevant legal regulations governing personal data protection, in particular the GDPR (hereinafter the “Regulations”).
II. Bilateral Rights and Duties
2.1 The Provider confirms that for the purpose of records he has familiarised himself with the following information
- The personal data of the Provider or Contact Persons and representatives of the Provider will be processed by MA, as the controller, for the following purposes: - Records of the Provider in the Register based on the conclusion of a contract in accordance with valid legal regulations and the exercise of rights and performance of obligations resulting from them – the legal grounds of such processing are based on the performance of contracts and the taking of measures before the performance of contracts;
- Processing personal data of the Provider that are not necessary for the performance of Contracts, but the Provider provided them to MA, in particular, for the purpose of ensuring communication with MA when exercising rights and performing duties in accordance with contracts, as well as for the purpose of identification of the Provider when proving, exercising or defending his legal claims – the legal grounds of processing are based on the legitimate interest of MA consisting of ensuring communication with the Provider and ensuring compliance with contracts and the Provider’s legitimate interest consisting of ensuring the proving of his identity during communication with MA, as well as in relation to proving, exercising or defending his legal claims. - If MA is obligated to determine the responsible person in accordance with the Regulations, his contact details will be stated at the MA website address.
2.2 The extent of personal data processed by MA in accordance with Section 2.1 are - first name, surname, address, contact details (telephone number, e-mail address, fax) and IP address. In special cases, if necessary for the purposes of processing or if it results from legislation, also the Provider’s birth number and/or the number of his identification document.
2.3 MA processes the Provider’s personal data during a contractual relationship and for 6 months after the end of a contractual relationship; MA is entitled to store personal data after the expiry of such period, but for no more that the period of the same activities of the company’s business.
2.4 The Provider takes note that, when recording personal data, MA is entitled:
- As it sees fit or based on a proposal from the Provider, to optimise the data stated in the Register;
- To provide data from the Register to state administration bodies, courts, arbitration courts, including hidden data and historical data, in accordance with the relevant legal regulations as a part of the exercise of their official powers;
- To provide data from the Register to the necessary extent to third parties that prove to MA their legitimate interest in accordance with Regulations in obtaining such data for the purpose of proving, exercising or defending the legal claims of such persons.
2.5 Personal data processing in accordance with these “Rights and Duties in Connection with Personal Data and Consent to Personal Data Processing” is performed in member states of the European Union and European Economic Area; personal data processing in the territory of a third country in the sense of the Regulations can occur only with MA’s consent and provided there is compliance with special conditions stipulated in the GDPR.
2.6 Children and young people up to 16 years of age are obligated to produce consent to personal data processing from their statutory representative.
2.7 Assuming compliance with the requirements stipulated in the Regulations, the Provider has the following rights:
- Right to access data: The Provider is entitled to obtain from MA a confirmation of whether his personal data is being processed, which personal data are being processed, and the Provider can also request the provision of a copy of personal data processed;
- Right to rectification: The Provider is entitled to have incorrect personal data rectified or supplemented without undue delay;
- Right to erasure: The Provider is entitled to request that, without undue delay, his personal data are erased in the event of compliance with the conditions stated in the GDPR (the Provider has a right to erasure in particular if his personal data are no longer needed for the purposes for which they were processed or his personal data were processed unlawfully. The right to erasure does not apply, in particular, if personal data processing is necessary to prove, exercise or defend legal claims of MA or third parties);
- Right to restriction of processing: In the cases stipulated in the GDPR (e.g. if the Provider contests the correctness of personal data or processing is not in compliance with legal regulations or MA no longer requires the personal data for the contractually stipulated purposes, but the Provider needs them to prove, exercise or defend legal claims). The Provider has the right to request that MA restricts their processing;
- Right to data portability In the cases stipulated by the GDPR (if personal data are processed automatically based on the performance of a contract), the Provider has the right to obtain the personal data provided in a structured, ordinarily used and machine-readable format and has the right to request that such personal data are transmitted to another controller if such transmission is technically possible;
- Right to object: If the processing of personal data is on a legal basis - a legitimate interest in accordance with the GDPR, the Provider is entitled to object to such processing. MA cannot further process such data unless it proves necessary legitimate grounds for processing that predominate over the Provider’s interests, rights and freedoms, or grounds for proving, exercising or defending legal claims of MA or third parties. The Provider has the right, at any time, to object to the processing of personal data that are processed for the purposes of direct marketing; if he makes claims against the processing of personal data in accordance with this sentence, the personal data cannot be processed for such purposes.
- Right to rescind consent: If personal data is processed on the legal grounds of consent, the Provider can rescind such consent at any time. The rescinding of consent does not have an influence on the lawfulness of data processing that was based on consent before it was rescinded.
2.8 The Provider has the right to submit a complaint to the Office for Personal Data Protection or another relevant control office, in particular in the event they assume that there was a breach of personal data processing.
2.9 The Provider can exercise rights in accordance with Section 2.7 by contacting MA using the contact details stated at its web address. The Provider is also entitled to contact the responsible person using the contact details at MA’s web address. MA will deal with a request without undue delay and, in every case, within one month of its delivery, unless a longer period is necessary, where in such case the extended period cannot exceed two months.
2.10 If MA has legitimate doubts in connection with the identity of the natural person that exercised a right regarding it in accordance with Section 2.7, it can request the provision of additional information necessary to confirm the person’s identity.
III. Concluding Provisions
3.1 MA is not liable for personal data processing that is performed by third parties with which MA has a contractual relationship. A user is entitled to exercise his rights of an affected person in accordance with the relevant legal regulations that concern his contractual relationship with a third party in regard of such third party.
3.2 I provide my consent voluntarily after I was familiarised with the extent and purpose of personal data processing, the method of processing and the period of processing and I am aware that such consent is a condition for the storage of data in the Register.