PRIVACY POLICY
GUIDANCE ON PERSONAL DATA PROCESSING:
In line with Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the Protection of Natural Persons with regard to Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”), you, as data subjects, are hereby provided with the below information, primarily on (i) what data we collect, (ii) how we deal with this data, (iii) based on what legal basis we process personal data and for what purposes we use personal data, (iv) to whom we are authorised to provide this personal data, (v) what are your rights in respect of the personal data protection, as well as (vi) where you can get information on your personal data that we process.
We hereby would like to ask you to read this Guidance on Personal Data Processing
(the “Guidance”). We are ready to answer your questions, if any, at the contact email gdpr@cargoprague.cz, or at the address Na Hroudě 16, CZ-100 00 Prague 10.
This Guidance that contains general principles of personal data processing is intended for all
natural persons whose personal data is processed by our company, primarily for customers, business partners, job applicants, users of the company’s website, etc.
1.GENERAL INFORMATION:
Identity of the controller: CARGO PRAGUE, spol. s r.o., corporate ID: 49827910, with its registered office at Průběžná 135, 252 42 Jesenice, recorded in the Register of Companies held by the Municipal Court in Prague, File C, Insert 34403 (the “company” or the “controller”).
Controller’s contact information: (i) contact address: Na Hroudě 16, CZ-100 00 Prague 10,
(ii) contact e-mail: info@cargoprague.cz, (iii) contact telephone: +420227202300.
2.INFORMATION ON PERSONAL DATA PROCESSING:
The company, as the personal data controller, deals with your personal data in line with the applicable legal regulation and always in a manner to ensure the safety and security of your data (personal data) to the maximum possible extent. The controller adheres to the principles of personal data processing stipulated by the applicable legal regulation and fully complies with the highest standards of personal data protection.
Purposes of personal data processing. Legal basis for personal data processing:
The controller processes your personal data only in the scope necessary for the specific purpose and over the period that is necessary for such purpose. When such purpose is achieved, the controller may process your personal data for other purposes than those for which it was collected; the controller always informs you of such other purposes.
Processing of personal data without your consent:
The controller processes personal data without your consent for the following purposes and on the following legal basis:
(i) meeting the contractual obligations of the controller, including the obligation to provide performance under the contract and to make the payment (period of personal data archiving: over the contractual term); legal basis of processing: performance of the contract;
(ii) meeting the legal obligations, including for example keeping and processing of accounting records (period of personal data archiving: personal data is processed over the period stipulated by legal regulations); legal basis of processing: meeting a legal obligation;
(iii) possibility of exercising and enforcing legal titles of the controller, entitled recipients or other relevant persons, or protection of legal titles, including enforcing of legal titles, development of provided products and services, dealing with contestable issues primarily for the purposes of legal or other disputes (period of personal data archiving: personal data is processed within
1 year after the end of the limitation period, or longer over the necessary period for protection of legal titles); legal basis of processing: legitimate interest of the controller or a third party;
(iv) direct marketing – offering of business, services and products of the company, sending of commercial messages to existing customers, i.e. offer of services of the information company in accordance with the applicable legal regulation;
(v) keeping and processing of records relating to employee recruitment (period of personal data archiving: a) for the event the job applicant succeeds in the tender and becomes an employee: over the employment period, b) for other purposes relating to the employee hiring records within 1 year after the end of the limitation period, or for a longer period necessary for the purposes of protection of legal titles); legal basis: (i) performance of the contract (processing for contract conclusion purposes), (ii) legitimate interest of the controller).
Processing of personal data with your consent:
The controller processes personal data with your consent for the following purposes
(i) offer of business, services and products of the company, sending of commercial messages;
(ii) preferential, statistic and/or marketing cookies; or
(iii) selected aspects in connection with the keeping and processing of records relating to employee recruitment.
Period of personal data archiving: personal data based on the consent is processed over
the period of 3 years. To document the meeting of the obligations of the controller in accordance with applicable legal regulations for personal data protection, the controller is authorised, even after withdrawal of the consent, to archive/process the information regarding the obtaining of the consent (i.e. how the consent was obtained and what such consent related to), over a reasonable period (no longer than 4 years).
The legal basis for processing is the consent with personal data processing granted by the data subject.
Personal data categories:
For the above listed purposes, the company processes your
- Identification information and contact information, i.e. name, surname, academic title, birth date, telephone, e-mail address, address (place of residence, delivery or another contact address), signature, for natural person – businessman also the name of the company, or supplement added to the name, place of business and corporate ID, tax ID, data box.
- Other personal data, i.e. for example bank information (bank account number), IP address, vehicle registration plate, personal data from the driving license.
- Personal data relating to recruitment records, i.e. for example identification and contact data, information on completed education, information on language skills or information on previous employers, as well as other personal data relating to recruitment records.
The legal basis for your personal data processing is (see above):
- Compliance with the legal obligation to which the controller is subject (Article 6, par. 1, letter c), of the GDPR)
- Performance of the contract concluded with you, as the data subject (Article 6, par. 1, letter b), of the GDPR)
- Legitimate interest of the controller or a third party (article 6, par. 1, letter f, of the GDPR)
- Consent with the personal data processing, if given by the data subject (Article 6, par. 1, letter a), of the GDPR).
Your personal data may be processed both manually and in an automated manner directly through authorised employees of the controller and through processors authorised by the controller pursuant to a contract for personal data processing.
Source of personal data:
The controller obtains personal data of data subjects from data subjects (e.g. as part of
a negotiation on the conclusion of the contract, from applications received from data subjects, from forms completed by data subjects, in personal or written communication with data subjects, including electronic means of communication), from third parties (from state authorities or third parties while adhering to our legal obligations or pursuant to special legal regulations, or from cooperating third parties) or from publicly available sources (e.g. from public registers). If the controller obtains personal data from you, it always informs you whether the provision of personal data is a statutory or contractual requirement and whether you have the obligation to provide personal data, as well as on possible consequences of non-provision of personal data.
Recipient, categories of recipients:
Your personal data may be disclosed to the following categories of recipients:
- Public authorities and other entities to which the company is obliged to communicate your personal data, or which are authorised to request your personal data from the company (e.g. tax administrator, customs administration, executors, insolvency administrators, courts, law enforcement authorities, etc.)
- Third parties with which the company concluded a written contract for personal data processing (e.g. IT services providers, accounting services providers, auditors, tax advisors, advocates, transporters, shippers, independent inspectors, insurance brokers, data service providers (Internet) etc.).
Possibly, your personal data may be disclosed to third parties for another reason in accordance with applicable legal regulations.
The controller does not intend to forward personal data to a third party outside the European Union or to an international organisation. However, as part of the performance under the contract, certain necessary personal data of yours (e.g. name, surname, e-mail address, telephone) may be provided to third countries, to cooperating business partners of the controller (processors), primarily in connection to the delivery to the place of destination. In relation to the personal data processing, appropriate guarantees are provided, primarily conclusion of standard contractual clauses on data protection, application of principles of the “Privacy Shield” system or forwarding based on a decision on adequate protection. Personal data may be also processed abroad in relation to the involvement of authorised processors, primarily in provision of IT services or other technical issues.
Automated decision-making:
Automated decision-making, including profiling, happens in the processing of personal data in selected types of cookies (primarily marketing, preferential). Other cases of processing do not involve automated decision-making, including profiling.
Automated decision-making, primarily profiling, will primarily take the form (procedure) of logical and/or algorithmic operations, when our system allows, depending on your use of products, services and company website, or your behaviour and your personal preferences, sending relevant personalised offers to you, in respect of which we believe that they will be interesting for you.
The meaning of the automated decision-making, primarily profiling, is to allow us to send you personalised offers of business, services and products of our company that might be interesting for you. In this respect, we believe that personalised offers of business, services and products of the company will allow us to contact you with offers that will appeal to you and that you will find interesting.
The result of the automated decision-making, primarily profiling, will be a procedure when you receive relevant commercial messages from us, as part of personalised offers, as our objective is to send you such personalised offers of business, products and services of our company that will be interesting for you.
Cookies:
The company’s website uses cookies to improve the functioning of the website, personalisation of the content and advertisements, provision of functions of social media and analysis of the usage level of the website. We share the information on your manner of use of the company’s website with our partners for social media, advertising and analyses, as well as with other business partners. Our partners may combine this data with other information that we provided to them previously or that they obtained because you use their services.
Certain cookie files are placed by services of third parties that appear on our website.
The company is authorised to place functional cookies in your device automatically. We use other types of cookie files with your consent.
You can set blocking of cookie files in your browser. As a result of the disabling (blocking) of cookie files, the company’s website may not function as you wish. Some of the browsers however may not allow the disabling (blocking) of cookie files.
Our website works with the following cookies:
Functional: functional cookie files make our website usable by allowing basic functions, such as navigation of the website and access to secured sections of the website. Without these files, our website could not work correctly;
Statistic: statistic cookie files show us how visitors use our website. These files collect and provide the information anonymously.
3.YOUR RIGHTS RELATING TO PERSONAL DATA PROCESSING:
- Right to access personal data (Article 15 of the GDPR)
- Right to rectification (Article 16 of the GDPR)
- Right to erasure (Article 17 of the GDPR)
- Right to restriction of processing (Article 18 of the GDPR)
- Right to data portability (Article 20 of the GDPR)
- Right to object (Article 21 of the GDPR)
If, based on the legitimate interest of the controller, your personal data is processed for the purposes of direct marketing, you have the right to make an objection against processing of personal data relating to you for such marketing at any time.
- Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR):
If you believe that the processing of your personal data breaches legal regulations/GDPR, you have the right to lodge a complaint about the procedure of the controller with any supervisory authority; the supervisory authority for the Czech Republic is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7 (www.uoou.cz). This does not affect any other means of administrative or court protection determined for the protection of data subjects by valid legal regulations.
- Right to withdraw your consent:
You are not obliged to grant the consent with the processing of your personal data to the company. You have the right to withdraw your consent with personal data processing, granted for the above purposes (or some of them), at any time. The withdrawal of your consent does not affect the processing of your personal data before it is withdrawn. You may withdraw your consent with personal data processing (i) by signed written notification on the withdrawal of your consent sent in writing to the contact address of the company or (ii) notification on the withdrawal of your consent in the form of an e-mail sent to the contact e-mail of the company listed above in this Guidance.
Please note that we are authorised to process certain personal data for specific purposes without your consent. If you withdraw your consent, the company discontinues the processing of relevant personal data for purposes requiring your consent for which the consent with its processing was withdrawn, however, the company may be authorised, or alternatively obliged, to continue to process the same personal data on a different legal basis (i.e. another legal reason for processing).”
4. INFORMATION ON PERSONAL DATA PROCESSING OF SELECTED DATA
SUBJECTS:
Information on personal data processing of contractual partners:
This information on processing of personal data of contractual partners does not affect other provisions of this Guidance.
The controller processes personal data of a contractual partner (i) primarily for the purposes of contract conclusion and performance, or (ii) meeting a legal obligation (primarily obligation stipulated by accounting and tax regulations, or regulations for personal data protection), or (iii) due to legitimate interests of the controller for the exercising and enforcing legal titles of the controller (recovery of receivables and protection of legal titles of the controller and third parties), or for purposes of marketing and advertising. The controller may use the data also for administrative needs (including the creation of records and list of contact persons).
In potential contractual partners, the controller may process the data obtained from public sources (public registers, website, etc.) for business contact purposes. The controller may use such data for administrative needs (including the creation of records and a list of contact persons).
The legal basis of processing is
- Contract performance
- Meeting a legal obligation that relates to the controller
- Legitimate interest of the controller or a third party
Categories of recipients:
- Suppliers of external IT services (services of IT technical support, provision of server services, provision of programming services, services of measuring the usage level of website, etc.);
- Suppliers of external legal and/or economic services, and possibly services of tax advisory and audit;
- Public authorities; and
- Other recipients (e.g. insurers).
A large part of the processing is automated (through computer systems), primarily in the CRM system of the controller, accounting and invoicing systems, etc. Concurrently, data may be processed also in records, card indexes, etc. (including systems of records / archiving of paper documents, business card files, etc.).
Archiving period of personal data:
- Contact and identification data for the purposes of commercial messages sending based on the consent are archived for 3 years;
- Contact and identification information for the purposes of information company services in accordance with the relevant legal regulation will be processed until a business partner opposes further sending of business offers;
- Personal data for the purposes of contract performance will be processed over the contract term (contracts will be recorded for archiving purposes for 10 years from their performance/termination/expiry);
- Personal data for meeting a legal obligation of the controller will be processed over the period stipulated by relevant legal regulations; and
- Personal data for the purposes of a legitimate interest of the controller or a third party will be processed within 1 year after the end of the limitation period, or over the necessary period for the protection of legal titles.
For the purposes of personal data update, it is possible to contact the controller at the above listed contact address or contact email.
Information on personal data processing of company’s website users:
This information on the processing of personal data of website users does not affect other provisions of this Guidance.
Users of the controller’s website may be users who are/will be in a legal relationship with the controller (e.g. a customer of the company), and users who are not/will not be in a legal relationship with the controller (i.e. a person who only “browses” through the website and does not request/order/want anything). The controller processes personal data of website users for legitimate (authorised by law) purposes (e.g. for the purposes of accounting issues/records or for contract performance in the request system or shipment tracking system, or meeting other legal regulations such as documenting the consent with personal data processing), or based on the consent of the data subject, i.e. for the purposes for which the data subject granted his/her consent.
The source of personal data is the activity of the specific data subject on the website.
The legal basis of processing is
- Meeting a legal obligation that relates to the controller (e.g. keeping of records/accounting records);
- Contract performance;
- Legitimate interest of the controller or a third party; and
- Consent (if granted by the data subject).
The controller processes the following personal data relating to the activity of data subjects on the website: IP address, date and time of access, information on the manner and time of consent granting (including IP address from which the consent was granted (clicked/checked off), etc.
Personal data is processed over the period stipulated by applicable legal regulations.
Categories of recipients:
- Suppliers of external IT services (services of network administrator / IT technical support, providers of server services, providers of programming services, services of measurement of usage level of the website, etc.)
- Public authorities
If the legal basis for processing was the consent, such consent can be withdrawn at any time free of charge. If it is not the processing based on the consent, contract performance or meeting
a legal obligation, the data subject has the right to make an objection.
5. OTHER INFORMATION
Manner of exercising rights by a data subject:
As a data subject, you may exercise your rights relating to personal data processing towards the controller by contacting it at the contact address: Na Hroudě 16, Prague 10, or contact email address of the controller: gdpr@cargoprague.cz.
Provision of information by the controller:
The controller provides information in writing, in a paper form. If, however, you contact the controller electronically at the contact email address of the controller, it will provide you information electronically (in the form of an e-mail message), unless you ask for the provision of information in a paper form. This does not affect your right to data portability.
If we receive a request from you in accordance with Articles 15 to 22 of the GDPR, we will inform you on adopted measures without undue delay; we will inform you on the adopted measures, rejection of extension of the period not later than within one month from the delivery of the request to us. Given the complexity of the request or number of requests, we may extend the period for provision of information on the adopted measures (and consequently for an adoption of relevant measures) by another two months. We will inform you on such extension within one month of the receipt of the request and we will state the reasons for such postponement.
The information on the fact that the data subject exercised its rights with the controller and the way the request was dealt with by the controller, is archived by the controller over a reasonable period (usually 3 to 4 years), for the purpose of (i) documentation of this fact, (ii) statistical purposes, (iii) improvement of controller’s services, and (iv) protection of controller’s rights.
Other information:
When your personal data is processed without your consent, its provision is required for the following reasons: (i) it is necessary for the performance of the obligations arising from the contract, or (ii) its provision is required by law, (iii) legitimate interests of the controller or third parties. The failure to provide data for these purposes (some of it) may result in the failure to conclude a contract, or inability to perform, etc.
The sending of electronic commercial messages to customers, taking the form of an offer of services of an information company (the so called customer exemption) in accordance with the relevant legal regulation can be cancelled through a link contained in each individual commercial message.
When personal data is processed based on your consent, the provision of your personal data does not constitute a statutory or contractual condition (statutory or contractual requirement), and you do not have to grant your consent. In such cases, it is not your obligation to provide the subject-matter personal data for a specific purpose or grant your consent with its processing. If you do not grant your consent, it may result in the fact that the company will not be able to apply certain procedures, primarily in relation to marketing.
If the controller uses personal data for another purpose than the one stipulated in this Guidance, it will immediately provide the data subject with the information on the purpose and further information listed in this Guidance.
The current version of this Guidance is available at www.cargoprague.com/privacy-policy
CARGO PRAGUE, spol. s r.o.