+420 326 700 610 cmsys@cmsys.cz

Information on the processing of personal data

Statement on the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR”)

 

I. Personal data controller
CMS s.r.o., with its registered office at Nádražní 296/7, Mladá Boleslav III, postal code 293 01, ID No. 26119684, VAT No.: CZ26119684, has been registered in the Commercial Register maintained by the Municipal Court in Prague, File No. C 71817, since October 11, 1999 (hereinafter referred to as the “controller”) hereby informs you in accordance with Article 12 of the GDPR about the processing of your personal data and your rights.

II. Scope of personal data processing
Personal data is processed to the extent that the relevant data subject has provided it to the controller in connection with the conclusion of a contractual or other legal relationship with the controller, or which the controller has collected otherwise and processes it in accordance with applicable law or to fulfill the controller’s legal obligations.

III. Sources of personal data
– directly from data subjects (registration and purchases via e-shop, e-mails, telephone, chat, website, contact form on the website, social networks, business cards, etc.)
distributor
– publicly accessible registers, lists, and records (e.g., commercial register, trade register, land register, public telephone directory, etc.)

IV. Categories of personal data that are subject to processing
– address and identification data used for the unambiguous and unmistakable identification of the data subject (e.g., name, surname, title, birth number, date of birth, permanent address, ID number, tax ID number) and data enabling contact with the data subject (contact details – e.g., contact address, telephone number, fax number, e-mail address, and other similar information)
– descriptive data (e.g., bank details)
– other data necessary for the performance of the contract
– data provided beyond the scope of the relevant laws processed within the scope of the consent granted by the data subject (processing of photographs, use of personal data for personnel management purposes, etc.)

V. Categories of data subjects
– customer of the controller (only for entities registered in the e-shop)
– employee of the controller
– carrier
– service provider
– other person who is in a contractual relationship with the controller
– job applicant

VI. Categories of recipients of personal data
– wholesalers
– financial institutions
– public institutions
– Processor
– State and other authorities in the performance of their legal obligations under the relevant legislation
– Other recipients (e.g., transfer of personal data abroad – EU countries)

VII. Purpose of personal data processing
– Purposes included in the data subject’s consent
– Negotiation of a contractual relationship
– Performance of a contract
– protection of the rights of the controller, recipient, or other affected persons (e.g., –enforcement of the controller’s claims)
– archiving conducted on the basis of the law on selection procedures for vacant positions
– fulfillment of legal obligations on the part of the controller
– protection of the vital interests of the data subject

VIII. Method of processing and protecting personal data
Personal data is processed by the controller. Processing is carried out at the controller’s premises, branches, and headquarters by individual authorized employees of the controller or, where applicable, by a processor. Processing is carried out using computer technology or, where applicable, manually in the case of personal data in paper form, in compliance with all security principles for the management and processing of personal data. To this end, the controller has taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, its alteration, destruction or loss, unauthorized transfers, unauthorized processing, and other misuse of personal data. All entities to whom personal data may be disclosed respect the data subjects’ right to privacy and are required to comply with applicable laws and regulations regarding the protection of personal data.

IX. Period of personal data processing
In accordance with the deadlines specified in the relevant contracts, in the controller’s filing and disposal rules, or in the relevant legal regulations, this is the period necessary to ensure the rights and obligations arising from both the contractual relationship and the relevant legal regulations.

X. Information
The controller processes data with the consent of the data subject, except in cases specified by law where the processing of personal data does not require the consent of the data subject.
In accordance with Article 6(1) of the GDPR, the controller may process the following data without the consent of the data subject:

– the data subject has given consent for one or more specific purposes,
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
– processing is necessary for compliance with a legal obligation to which the controller is subject,
– processing is necessary to protect the vital interests of the data subject or another natural person,
– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
– processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

XI. Rights of data subjects
1) In accordance with Article 12 of the GDPR, the controller shall, at the request of the data subject, inform the data subject of their right of access to personal data and the following information:

– the purpose of the processing,
the source of the personal data,
the category of personal data concerned,
the recipients or categories of recipients to whom the personal data have been or will be disclosed,
the envisaged period for which the personal data will be stored,
any available information obtained from the data subject, whether automated decision-making, including profiling, is carried out.

2) Any data subject who discovers or believes that the controller or processor is processing their personal data in a manner that is contrary to the protection of the data subject’s private and personal life or contrary to the law, in particular if the personal data are inaccurate with regard to the purpose of their processing, may:

Request an explanation from the controller.
Request that the controller remedy the situation. In particular, this may involve blocking, correcting, supplementing, or deleting personal data.
If the data subject’s request under paragraph 1 is found to be justified, the controller shall remedy the situation without delay.
If the controller does not comply with the data subject’s request under paragraph 1, the data subject has the right to contact the supervisory authority, i.e., the Office for Personal Data Protection, directly.
The procedure under paragraph 1 does not preclude the data subject from contacting the supervisory authority directly with their complaint.
The controller has the right to request reasonable compensation for providing the information, not exceeding the costs necessary to provide the information.