1. Information about the company
1.1. Principles of processing and protection of personal data in Aspena, s.r.o., ID: 607 51 185, with registered office in Brno, Veveří, Gorkého 64/15, postcode 602 00, registered in the Commercial Register under sp. no. C 19243, registered at the Regional Court in Brno (hereinafter referred to as "Company"), regulates the rules for handling personal data of the following natural persons (hereinafter also "Subjects"):
- visitors of the website www.aspena.cz,
- customers of the Company,
- suppliers of the Company,
- job applicants and employees of the Company,
- any third parties.
1.2. The Company processes the personal data of natural persons in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation ‑ GDPR, also "GDPR Regulation"), or in accordance with other legislation in the field of personal data protection.
1.3. In processing personal data, the Company acts principally as a controller, which itself determines the purposes and means of processing personal data of natural persons or to which certain operations of processing personal data are imposed by law.
1.4. The Company acts as a processor of the personal data of natural persons in the event that it processes the personal data of natural persons for another controller according to its instructions.
1.5. The Company is not obliged to appoint a Data Protection Officer.
1.6. Contact details of the Company: Aspena, s.r.o., Gorkého 64/15, 602 00 Brno, e‑mail: gdpr@aspena.cz.
2. What principles do we follow when processing your personal data?
2.1. We process personal data in a lawful manner in accordance with the GDPR, on the basis of at least one of the legal titles.
2.2. We only process personal data for specific and legitimate purposes. We ensure that personal data collected for different purposes is kept separately and not used for other purposes without further use.
2.3. We process personal data in a proportionate manner, always only to the extent necessary in relation to the purpose in question.
2.4. We only retain personal data for the period of time strictly necessary to achieve the purpose in question. Personal data for which the statutory period for their retention has expired and which we no longer need are securely disposed of or anonymised without undue delay.
2.5. We keep personal data accurate and updated where necessary. We have appropriate measures in place to correct or delete inaccurate personal data.
2.6. We process personal data correctly and completely transparently. We always properly inform personal data subjects, i.e. natural persons whose personal data we obtain, in accordance with the GDPR Regulation, in particular about who we are, for what purpose and on what legal basis we process personal data, how long we store them and what rights they can exercise in relation to their personal data.
2.7. We appropriately secure personal data against unauthorised or unlawful processing and against accidental loss, damage or destruction. We only disclose personal data to authorised persons and institutions.
3. What legal titles do we use when processing personal data?
When processing personal data, we mainly use the following legal grounds (legal titles):
- we are fulfilling a legal obligation that applies to the Company, or
- we are fulfilling a contract to which the Data Subject is a party, or we are carrying out measures taken prior to the conclusion of the contract at the request of the Data Subject, or
- we are implementing the legitimate interest of the Company, or
- if none of the preceding legal titles can be used, we will request consent to the processing of personal data. Consent may be withdrawn at any time, but withdrawal of consent is not retroactive.
4. What personal data and for what purpose do we process?
In connection with the provision of our services, we process, under conditions and within the limits set by the applicable legislation, in particular the GDPR and related legislation, in particular the personal data of the following Subjects:
4.1. Personal data provided by potential or existing customers of the Company, usually within the scope of identification and contact data (e.g. name, surname, address, email address, telephone number, VAT number), other operational data (e.g.
- for the purpose of concluding and subsequent performance of the contract with the customer,
- for the purpose of fulfilling legal obligations under relevant legislation (in particular accounting, financial and tax matters),
- for the purpose of pursuing the Company's legitimate interests (in particular direct marketing, judicial and out‑of‑court debt recovery, etc.).
4.2. Personal data provided by potential or existing suppliers to the Company, usually within the scope of identification and contact details (e.g. name, surname, address, e‑mail address, telephone number, VAT number), other operational data (e.g.
- for the purpose of concluding and subsequent performance of the contract with the supplier,
- for the purpose of fulfilling legal obligations under relevant legislation (in particular accounting, financial and tax matters),
- for the purpose of pursuing the Company's legitimate interests (in particular direct marketing, judicial and out‑of‑court debt recovery, etc.).
4.3. Personal data provided by a candidate for employment with the Company, usually within the scope of identification and contact data (e.g. name, surname, date of birth, RČ, address, telephone number, e‑mail address), and furthermore other operational data necessary in relation to the given job (e.g.
- for the purpose of conducting a selection process for the relevant job,
- for the purpose of keeping a register of candidates for other jobs in the Company for a limited period of time.
4.4. The scope and purposes of the processing of personal data of the Company's employees are regulated separately.
4.5. Data provided by visitors to the website in the form of stored cookies, which contain information about the visit to the website and other activity of the visitor on the website. The Company uses Google Analytics for this purpose with data anonymization and is not able to identify individual website visitors. The information collected is therefore anonymous data and is not personal data processing subject to the GDPR.
4.6. Special categories of personal data of customers or suppliers (sensitive data) are not processed by the Company.
5. How long will we process personal data?
5.1. We will only process personal data for the period of time necessary to achieve the purpose for which it was obtained ‑ for example, from the moment the customer provides personal data in the context of pre‑contractual arrangements with the Company, for the duration of the contractual relationship until the termination of the contractual obligations, or until the expiry of the last of the legal grounds (legal titles) that entitled the Company to process it.
5.2. As soon as the purpose of the processing ceases or the Company has no further legal grounds for further processing of the personal data, the personal data will be securely erased and destroyed.
6. To whom may we transfer personal data?
The Company reserves the right to provide personal data:
- to suppliers who, under a processing agreement, provide the Company with accounting, IT, HR and marketing services;
- to suppliers who, under a processing agreement, provide the Company with translation, interpretation and graphic design services;
- to state authorities and other public authorities on the basis of a legal obligation to provide such personal data.
7. What rights do you have to your personal data?
7.1. In accordance with the principle of transparency, you have the right to information about the processing of your personal data.
The Company provides information about the processing of personal data without request in the form of information notices to individual groups of Subjects and this information obligation includes in particular information about who we are, for what purpose, on what legal basis and for how long we will process personal data, to whom we intend to transfer personal data and what rights you can exercise in relation to your personal data. General information about personal data processing activities is also contained in this Policy. For a full list of the information provided, see the provisions of Articles 13 and 14 GDPR Regulation.
7.2. Additional rights under Articles 15‑22 of the GDPR Regulation can be exercised by way of a request, and these are:
- The right to confirm whether or not your personal data is being processed by the Company, and if it is being processed, you have the right to obtain access to your personal data including the provision of further information about its processing.
- The right to have inaccurate personal data rectified, where appropriate taking into account the purposes of the processing, the right to complete incomplete personal data, and this also by providing an additional statement.
- The right to have personal data erased if your personal data is no longer necessary for the purpose of the processing, you have withdrawn your consent to their processing, you have objected to the processing of personal data and there are no overriding legitimate grounds for the processing.
- The right to restrict the processing of personal data if you have objected to or contested the accuracy of the personal data, and for the time necessary to verify the accuracy of the personal data, or if the Company no longer needs your personal data for the purpose of the processing, but you require it for the establishment, exercise or defence of legal claims.
- The right to the portability of automatically processed personal data obtained by the Company directly from you on the basis of consent or performance of a contract, where the Company will transfer the personal data to you or to another controller of your choice in a commonly used and machine‑readable format.
- The right to object to the processing of your personal data where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, the processing is necessary for the purposes of the legitimate interests of the Company or a third party, for direct marketing purposes or for scientific or historical research purposes or for statistical purposes.
- The right not to be subject to any decision based solely on automated processing, including profiling with legal effects for the Subject, otherwise you have the right to human intervention by the Company (human review of the decision), the right to express your opinion or the right to challenge the decision.
7.3. If the processing of personal data is based on consent, you have the right to withdraw consent at any time in writing to the Company's address or electronically to email gdpr@aspena.cz. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.
7.4. In addition to the above rights, you have the right to lodge a complaint with the competent supervisory authority, if you believe that the processing of personal data by the Company is in violation of legal regulations. The competent supervisory authority in the Czech Republic is the Office for Personal Data Protection.
8. How do we protect personal data?
8.1. The handling of personal data is carried out in full compliance with applicable laws, including the GDPR. The personal data of the Subjects are secured by the Company through the set organizational and technical measures.
8.2. All personal data in paper form are stored in locked places, which are accessible only by authorized persons who need to handle the personal data immediately for the purposes set out in this Policy, and only to the extent necessary. Access to this personal data is protected by physical and electronic security means.
8.3. All personal information in electronic form is stored in databases and systems, which may be accessed only by authorized persons who have an immediate need to handle the personal information for the purposes set forth in this Policy, and only to the extent necessary. Access to such personal data is protected by physical and electronic computer security measures.
8.4. The Company's employees and contractors who process personal data are required to maintain confidentiality of the Subjects' personal data and of security measures whose disclosure would compromise the security of the personal data. This confidentiality shall survive the termination of the engagement with the Company.
9. Do you have any further questions?
If you have any questions in relation to the protection of your personal data and its processing in the Company, as well as for the purpose of exercising your rights, you can contact gdpr@aspena.cz.
10. Effectiveness
This policy on the processing and protection of personal data in the Company shall take effect on 25 May 2018.