Effective Date: 2022 / 05 / 01
Here you shall find all the information about personal data processing and their protection by our association Czexpats in Science z. s. (registered association), ID 07794282, with its registered office at 5. května 1868, 272 01 Kladno, The Czech Republic (EU), registered in the association register maintained by Municipal court in Prague under file no. L 71331.
The personal data protection is our priority; therefore, we strive for a transparent, comprehensible, and cooperative approach to the maximum extent possible. In case of any questions, if anything in this area needs to be explained, or if you have comments about personal data processing, please do not hesitate to contact us at any time via the e-mail address: gdpr@czexpats.org.
We process personal data in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / GDPR) and in accordance with Act No. 110/2019 Sb., on personal data processing, as amended, which elaborates some passages of GDPR within the territory of the Czech Republic.
For more information about our activities, mission, and our association, see: https://czexpats.org/en/
This privacy policy may change over time; however, we try to prevent such changes. In any case, such changes do not affect the scope of your rights (see point 6) or the standards of personal data protection. In addition, we properly notify all affected entities and persons of any changes in advance, depending on the importance of such changes.
1. What personal data do we process?
In the context of our activities, we process the following personal data:
- identification data
- name and surname
- place of residence
- birth date
- contact data
- e-mail address
- phone number
- professional data
- name of the institution
- address of the institution
- contact data of the institution in the range of phone number and e-mail address
- job classification (field, position)
- technical data
- cookies to the extent necessary for operating the website
- IP address
- additional data
- website
- photo
- other individually provided data potentially being personal data
However, to no extent we process sensitive personal data or data falling into special categories of personal data. In the same way, during our activities, the personal data of different data subjects are not combined, nor are they modified or interfered with.
We obtain personal data primarily through an internet form located on our website, or through organized events with accompanying registration.
2. How do we use your personal data?
We use and process personal data for the purpose of providing our services and carrying out our activities, as well as for the purpose of closely related communication. We thus process personal data based on the following legal grounds that enable us to do this activity and for the relevant purposes:
- necessity for the performance of a contract to which the data subject is party (personal data are necessary for using our services by you)
- necessity for compliance with a legal obligation to which we are subject (it means for example all the related security, evidential, archival and accountant obligations we are obliged to meet)
- necessity for the purposes of our legitimate interests (in accordance with legal options, especially in the scope of direct contacting to the extent necessary, optimization of our services and ensuring security)
- given consent to the processing of personal data (based on signing up to use our services or otherwise provided consent)
The individual legal grounds may justify the processing of multiple personal data (for example, all the listed identification data are needed to use our services), just as the given personal data may be processed based on multiple legal grounds (for example, we process name, surname and e-mail address for the possibility of using our services, as well as for sending the newsletter).
Personal data are not used or processed in any way for profiling or automated decision-making, to any extent.
3. Who can access the personal data?
As we ensure proper and comprehensive personal data protection, these data are stored and used within our association. We transfer personal data to third parties only to the extent necessary for the implementation of our services, always based on a thorough verification of such third party and only after the conclusion of an appropriate contract on personal data processing (whereby the third party becomes a processor of personal data in relation to us), so that we have certainty and guaranty in the questions of security of the given personal data. These are selected providers that we use to improve the quality of our own services or to carry out our activities. Such third parties are only:
- server, web, cloud and IT services
- Google LLC (Google Drive, Google Analytics)
- Mapotic s.r.o. (Ltd.) (interactive map)
- collaborating subjects within the individual activities
Personal data are generally processed only within the European Union, or within the European Economic Area and are generally not transferred in this sense to third countries or international organizations. Should such a situation occur, such a procedure will be individually addressed for each personal data with the corresponding data subject.
4. How long do we keep the personal data?
We always process personal data only for the time necessary for their use and for the purpose for which the personal data were collected (see point 2), fully in accordance with the established internal system of retention periods. This system was set up to reflect our needs on the one hand, and the principle of limiting their storage and your interests on the other. Among the basic criteria for setting the system of retention periods, the following can be mentioned in particular:
- are personal data required to provide our services?
- are personal data processed based on consent or based on another legal ground?
- has the given consent to the personal data processing been withdrawn?
- is it necessary to process the personal data?
Even when one of the legal grounds and the related specific purpose ceases, personal data may continue to be processed due to the existence of another legal ground and purpose. And so, even after the personal data is no longer needed, for example, for the performance of a contract (for using our services), the given personal data continues to be processed for compliance with legal obligations to which we are subject (archiving and other obligations).
5. How are the personal data secured?
The security of personal data is a sensitive issue. We are aware that the nature of personal data requires high standards of security. For this purpose, we try to effectively use all the available security precautions to eliminate misuse or other unauthorized access to personal data. We classify them as follows:
- organizational-administrative precautions
- limited access to personal data
- an established and regularly updated directive on personal data protection, as well as related documents
- regular training of all employees and other collaborators in the field of personal data protection
- ensuring the contractual liability of all employees and other collaborators
- standardized processes for handling personal data
- technical precautions
- secured access to personal data through verified software
- introduction of means to prevent unauthorized reading and handling personal data
- regular checking and updating of devices used for personal data processing
If, despite the established security precautions, a personal data breach would occur that would likely result in a high risk to your rights and freedoms, we will inform you immediately to fulfil the communication obligation. Likewise, we will proceed with the introduction of appropriate precautions at the organizational-administrative and technical level, so that the given situation does not happen again.
6. What are your rights?
Beyond the possibility of comments or questions, as mentioned in the introduction, you can exercise the specific rights related to personal data and their processing. The individual rights listed below can be exercised via the same e-mail address: gdpr@czexpats.org.
Our activities are also supervised by The Office for the Personal Data Protection as a national supervisory authority, with whom we coordinate the mandatory requirements for personal data processing, consult on any ambiguities, and whom you can contact with a specific complaint in case of need or dissatisfaction. For more information see: http://uoou.cz/en/
Among the individual rights in relation to your personal data processing, we recognize:
- right of access by the data subject (you can request information and confirmation as to whether or not we process personal data, for what purpose, to what extent and for how long we process personal data, or who accesses the personal data; you can also request a copy of the personal data processed in this way)
- right to rectification (you can request rectification or addition of personal data if they are inaccurate, incomplete or otherwise incorrect)
- right to erasure (“right to be forgotten”) (you can request that we no longer process personal data. However, this right has its limits, which lie, for example, in the strength of individual legal grounds (see point 2). In other words, it may happen that one of the legal grounds prevails over the request to delete personal data – for example in compliance with a legal obligations)
- right to restriction of processing (you can request that we do not process personal data in situations where we solve contentious issues in the matter of personal data protection together, beyond the simple storage)
- right to object (you can object to the processing in specific situations, for example processing for the purpose of direct marketing. Even here, however, it is necessary to draw attention to the limits of this right lying in the necessary reviewability of its application, especially regarding the existence of any other legal grounds for personal data processing)
- right to data portability (you can receive the personal data you have provided to us in a structured, commonly used and machine-readable format, or to transmit it on directly to another controller)
- right to lodge a complaint with the competent supervisory authority (in the worst case scenario, you can lodge a complaint about personal data processing with The Office for Personal Data Protection, which supervises our activities)
When exercising the individual rights, it is always necessary to remember that for their successful exercise, it is necessary to request the additional information about your person (to verify your true identity and to eliminate fraudulent activities), as well as it is needed to keep in mind that exercising the rights does not necessarily have an immediate effect (e.g. when personal data is deleted, it may happen that a newsletter is sent in the meantime based on the personal data existing at that time).
Hana Hušková
Czexpats in Science z. s.