1. To which cases does this policy apply?
The purpose of this document is to inform persons whose personal data is processed by Technistone, s.r.o. ("Technistone" or "Controller") in the capacity of controller, i.e. when Technistone itself determines the purpose and means of processing personal data in accordance with Article 4(7) of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council), i.e. in particular in the case of:
(i) persons who have directly requested Technistone to provide a service offered by Technistone or to provide an offer of a service or goods of its partner or have given Technistone consent to the processing of personal data for the purpose of offering goods or services of its partners ("Customer"); and
(ii) Technistone's contractual partners, in the case of natural persons, as well as the persons named by the contractual partner in the contract concluded with Technistone ("Representative"). This policy does not apply to the processing of personal data of employees and job applicants, which is subject to specific policies with which the individuals concerned are familiar.
If you have been contacted by Technistone employees, please note that this is generally the case where Technistone acts as a data processor and has obtained your contact from a data controller who has the legal authority to process your personal data (usually the operator of the service you use or to which you have consented to the processing of your personal data). The processing of your personal data in this case is governed by the policies of the relevant data controller.
2. Identification of the Controller and contact details of the Data Protection Officer
The personal data controller is Technistone, s.r.o., ID No. 25932080,V Bratří Štefanů 1070/75a, Slezské Předměstí, 500 03 Hradec Králové, registered in C 47781/KSHK Regional Court in Hradec Králové.
3. Overview of processed (types of) data
The personal data that the Controller will process are as follows:
(i) personal data provided by the Customer (typically name and surname, date of birth, or birth number, residential address, delivery address, telephone, e-mail, occupation, personal data related to the service offered, data obtained from communication with the Customer, voice recording of telephone calls)
(ii) personal data of Representatives as provided by their employer or other authorized person in the contract concluded with Technistone (typically name and surname, job title, telephone, email).
4. Purposes of processing
The Controller processes the Customer's personal data for the purpose of providing the service in which the Customer has expressed interest.
If the Customer gives the Administrator consent to be contacted for the purpose of offering goods or services of the Administrator's partners, the Administrator will process the Customer's personal data for the purpose of sending commercial communications (e-mail marketing) and addressing via telemarketing, where the subject of these marketing communications will be the offers of the Administrator's business partners. In this case, this is so-called voluntary processing of personal data, which is based on the consent provided by the Customer.
The personal data of the Representatives are processed by the Controller for the purpose of the performance of the respective contract.
5. Legal basis for processing
The legal basis for the processing of the Customer's personal data is
a) Customer's consent - for the purpose of sending commercial communications (e-mail marketing) and telemarketing, we process the Customer's personal data on the basis of the Customer's consent.
b) Execution and conclusion of a contract - on this basis, the Controller processes the personal data of Customers who have asked the Controller to present an offer of a specific service or goods of its partner or to arrange a meeting (or arrangement of a similar matter) with our business partner.
The legal basis for the processing of personal data of Representatives is the performance of a contract (if the personal data of the contracting parties - natural persons) or a legitimate interest (if the personal data of persons mentioned in the contract who are not a contracting party).
6. Processing time
Customer data will be processed by the Controller for the following period,
a) in the case of processing based on the Customer's consent - for the period for which the consent was granted. If such consent is not limited in time, then for the period until the Customer withdraws his/her consent. However, even after the withdrawal of consent, the Controller will process basic data on when and in what matter the Customer was contacted by the Controller for a reasonable period of time (approximately 4 years) to prove the legitimacy of such contact.
b) in the case of processing for the performance and conclusion of a contract - for a period of time as requested by the partner whose service or goods the Controller has facilitated, taking into account the type of contract concluded, but as a rule for no longer than 4 years from the date of provision of personal data by the Customer. In the case of arranging a meeting with our business partner or a similar arrangement, the processing of the Customer's personal data is carried out for the period necessary to fulfil the purpose of processing, but no longer than 6 months from the date of provision of the personal data by the Customer.
The data of the Representatives will be processed by the Controller for the duration of the contract in question and subsequently for the duration of the limitation period for any claims of the parties arising during the contractual relationship, or for the duration of the proceedings on such a claim.
7. Transfer of personal data to third parties
The controller shall disclose personal data to third parties where required or permitted by law. In particular, the Controller discloses the personal data of Customers to its partners who provide services in which the Customer is interested or if the Customer has consented to this. Furthermore, the Controller discloses the personal data of Customers/Representatives to the usual extent to processors or other recipients - external service providers, legal, economic and tax advisors and auditors.
Personal data relating to debtors may also be disclosed to debt collection agencies for the purpose of debt collection or recovery. Personal data may also be disclosed to public authorities on request or in the event of suspected infringements.
There are no transfers of personal data outside the EU.
8. How the processing will be carried out
The manner in which the Controller processes personal data includes manual and automated processing in the information systems of the Controller or its processors. The Controller will process the personal data in its filing system.
In particular, personal data are disclosed to the Controller's employees in connection with the performance of their work duties, which require the handling of personal data, but only to the extent necessary in each case and in compliance with all security measures.
When processing personal data, the Controller shall comply with the highest standards of personal data protection data and complies in particular with the following principles:
(a) personal data shall always be processed by the Controller for a clearly and comprehensibly stated purpose, by specified means, in a specified manner, and only for the time necessary in relation to the purposes for which they are processed; the Controller shall process only accurate personal data;
b) the Controller shall observe appropriate technical and organisational measures to ensure an adequate level of security; all persons who come into contact with the personal data of Customers or Representatives shall be obliged to maintain the confidentiality of information obtained in connection with the processing of such data.
9. Withdrawal of consent
Where the processing of personal data is based on the data subject's consent to the processing of personal data, the data subject has the right to withdraw consent to the processing of his or her personal data at any time. The withdrawal of the data subject's consent to the processing of personal data shall not affect the lawfulness of the processing of personal data prior to its withdrawal.
10. Right to object
Pursuant to Article 21 of the GDPR, the data subject has the right to object to the processing of his or her personal data by the controller on grounds relating to his or her particular situation if the controller carries out the processing of personal data on the basis of his or her legitimate interest. If the data subject objects to the controller to the processing of his or her personal data, the controller shall no longer process the personal data of the data subject to the extent of the objection, unless the data subject demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
11. Information on the rights of data subjects
The natural person has the right with the Controller to:
(a) to request access to personal data processed by the Controller, which means the right to obtain confirmation from the Controller whether or not personal data concerning him or her are processed and, if so, the right to obtain access to such personal data and to other information referred to in Article 15 of the GDPR,
(b) to request the rectification of personal data processed about her if it is inaccurate (Article 16 GDPR). Taking into account the purposes of the processing, she also has the right to request the completion of incomplete personal data in certain cases,
c) to request the erasure of personal data in the cases provided for in Article 17 GDPR.
d) to request the restriction of data processing in the cases provided for in Article 18 GDPR,
e) request the transfer of personal data in the cases regulated in Article 20 GDPR,
(f) to obtain, on request, personal data relating to him or her and
– which Technistone processes with her consent, or
– which Technistone processes for the performance of a contract to which such natural person is a party or for the performance of measures taken before the conclusion of the contract; or
– are processed by automated means in a structured, commonly used and machine-readable format, whereby he or she has the right to have that personal data transmitted directly to another controller, subject to the conditions and limitations set out in Article 20 of the GDPR.
If the Controller receives such a request, it will inform the applicant of the measures taken without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months if necessary and taking into account the complexity and number of requests. The controller is not obliged to comply with the request in whole or in part in certain cases provided for in the GDPR. This will be the case, in particular, if the request is manifestly unfounded or disproportionate, in particular because it is repetitive. In such cases, the Controller may
(i) impose a reasonable fee taking into account the administrative costs involved in providing the requested information or communication or in taking the requested action; or
(ii) refuse to comply with the request.
If the Controller receives the above request but has reasonable doubt as to the identity of the applicant, the Controller may request the applicant to provide additional information necessary to confirm his or her identity.
The information that the data subject has exercised his/her rights with the Controller and how we have dealt with his/her request will be stored by the Controller for a reasonable period of time (usually 3-4 years) to document this fact, for statistical purposes, to improve our services and to protect his/her rights.
If the data subject believes that the Data Controller is processing his/her personal data unlawfully or otherwise violating his/her rights, he/she has the right to lodge a complaint with a supervisory authority (i.e. the Data Protection Authority) or seek judicial protection.