Purpose, aim and scope of the activity
By this document, Black-Storm s.r.o. undertakes to apply and comply with the principles listed below with regard to Regulation No. 2016/679, the General Data Protection Regulation (“GDPR”) towards the data subject (towards employees, suppliers and customers).
A description of the policies that the organization follows:
Transparency and fairness
- We ensure that all information and all communications relating to the processing of such personal data are easily accessible and understandable and are given using clear and plain language
Limitation of purpose
- We only collect PI for relevant purposes (specific, unambiguous, legitimate).
- We do not process OU in a way that conflicts with these purposes.
- In case of change of purpose:
- we monitor the link between the purposes and the circumstances in which the personal data were collected,
- we monitor the nature of the personal data (whether special categories are processed),
- we monitor and minimise the possible consequences of the intended further processing for data subjects,
- we ensure that appropriate guarantees are in place
Data minimization for the necessary time
- We observe and apply: proportionality, relevance and limitation to the necessary scope in relation to the purpose for which we process the Personal Data.
- We always assess whether the interference with the data subject’s rights resulting from the processing is:
– reasonable,
– legitimate in relation to the purpose of the processing. - If it turns out that the processing of specific personal data for a particular purpose is superfluous or such processing of personal data is not in accordance with the GDPR, we do not process such personal data.
Accuracy
- We always keep the processed OA accurate and updated as needed.
- We ensure that those OUs that are inaccurate are promptly deleted or corrected:
we take all reasonable steps to ensure that PI that is inaccurate in light of the purposes for which we process it is deleted or corrected without delay.
Integrity and confidentiality
- We declare that the processing method will ensure appropriate security of personal data, including the protection of personal data, by means of appropriate technical or organisational measures against:
- unauthorised or unlawful processing and from
- accidental loss, destruction or damage (‘integrity and confidentiality’).
Responsibilities of the data controller
- As the administrator of the OU, we claim responsibility for:
- processing of OU in accordance with the principles of the GDPR and we are able to demonstrate this compliance.
- If we (the OU controller) process personal data through a third party processor, the third party processor is: entitled to process personal data only on our (the OU controller’s) instructions, except where required by EU or Member State law (e.g. the Police of the Czech Republic or OLAF).
Rights of data subjects (employees, suppliers, customers)
- We (the OA controller) take such appropriate measures to ensure that data subjects (employees, suppliers, customers):
- all information obtained from the data subject has been provided,
- all communications have been made in accordance with the rights of data subjects, namely:
- in a concise, transparent, comprehensible and easily accessible manner,
- using clear and simple language.
- We will provide information in writing or by other means – for example, electronically (where appropriate).
- As the data controller, we will provide the data subject with information on the measures taken at his/her request, namely:
- without undue delay – within 1 month (the deadline can be extended by another 2 months – after informing the data subject with the reasons for the extension).
- We provide the information and all communications free of charge, but if the requests made by the data subject are manifestly unfounded or unreasonable or repetitive), the data controller may impose a reasonable fee taking into account the administrative costs or refuse to comply with the request (the manifest unfoundedness or unreasonableness of the request shall be documented by the data controller).
Data subject’s right of access to personal data
- The data subject (employees, suppliers, customers) has the right to obtain confirmation from the controller of the OU as to whether or not the personal data concerning him or her are being processed and, if so, to obtain access to such personal data and to the following information:
- the purposes of the processing and the categories of personal data concerned,
- beneficiaries or categories of beneficiaries,
- the intended period of time for which the personal data are stored or the criteria for the determination,
- information about the source of the personal data, unless it is obtained from the data subject,
- information on whether automated decision-making, including profiling, is taking place.
- The data subject (employees, suppliers, customers) has the right to request from the controller the rectification or erasure or restriction of their processing or to object to such processing.
- The data subject (employees, suppliers, customers) has the right to lodge a complaint with the supervisory authority.
- We (the data controller) undertake to provide a copy of the personal data processed to the data subject (employees, suppliers, customers). We charge a reasonable fee for additional copies upon request based on administrative costs.
- We provide the information in the form in which the request was made, unless the data subject requests otherwise.
- Where personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of appropriate safeguards.
The right to repair the OU
- We (the data controller) are aware that the data subject (employees, suppliers, customers) has the right (without undue delay) to rectification of the Dossier and completion of the Dossier.
Right to erasure of the OU
- We (the data controller) are aware that the data subject (employees, suppliers, customers) has the right (without undue delay) to have the Personal Data erased and the data controller is obliged to do so if, in particular:
- the personal data is no longer necessary for the purposes for which it was collected,
- the data subject (employees, suppliers, customers) withdraws consent to processing,
- the data subject objects to the processing,
- personal data have been unlawfully processed,
- of legal obligation.
Right of the data subject to restriction of processing of personal data
- The data subject (employees, suppliers, customers) has the right to have the data controller restrict processing in any of the following cases:- the data subject denies the accuracy of the personal data,
- the processing is unlawful and the data subject refuses the erasure of the personal data and instead requests a restriction on its use,
- the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims,
- the data subject has objected to the processing until it is verified that the legitimate grounds of the data controller override the legitimate grounds of the data subject,
- OUs can only be saved unless:
- are processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
- The data subject (employees, suppliers, customers) who has achieved the restriction of processing is notified in advance by the controller that the restriction of processing will be lifted.
The right to portability of personal data The data subject (employee, supplier, customer) has the right to obtain the personal data concerning him or her that he or she has provided to the data controller, namely:
- to obtain, in a structured, commonly used and machine-readable format, the right to transmit that data to another data controller, if:
– the processing is based on consent or a contract and the processing is carried out by automated means,
– the right to have the DPAs transmitted directly from one controller to another where technically feasible, - the exercise of the right of portability shall be without prejudice to the right to be forgotten:
this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right of the data subject to object
- The data subject (employee, supplier, customer) has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation (and in the case of direct marketing, at any time). Unless there are compelling legitimate grounds for processing:
- in a legitimate interest,
- in the public interest,
- exercise of public authority.
Right of the data subject (employer, customer, supplier) to lodge a complaint
- Any data subject has the right to lodge a complaint with a supervisory authority in the European Union if he or she considers that the processing of his or her personal data violates the Data Protection Act and/or the General Data Protection Regulation. The locally competent supervisory authority in the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.