PRINCIPLES OF PERSONAL DATA PROCESSING
Controller: B.B.N.P. národní podnik, B.B.N.P, National Corporation, B.B.N.P, Entreprise Nationale
K. Světlé 512/4, 370 04 České Budějovice 3, delivery code 370 21
Represented by Mgr. Petr Dvořák, Director of the company
Maintained in the Commercial Register at the Regional Court in České Budějovice under file No. AV 325
(hereinafter referred to as “BBNP”)
The objective of these Principles of Personal Data Processing (hereinafter referred to as the “Principles“) is to provide information about what personal data are processed by BBNP concerning you as a data subject, how long we process them, to whom and for what reason BBNP can transmit them, and to inform you about your rights.
The personal data of individual data subjects are always processed to the extent corresponding to the position of the particular data subject in relation to BBNP.
These Principles enter into effect on 25 May 2018 and are issued in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as the “Regulation” or “GDPR”).
I. Categories of personal data
Personal data are any information relating to a natural person who can be identified by reference to the information. BBNP may process the following categories of personal data.
- Basic personal identification data and address data necessary for the conclusion and performance of a contract, in particular
- academic degree
- name and surname
- date of birth or personal identification number
- address of permanent residence
- banking details
- Data for ascertaining the needs and requirements of a customer
- records of communication
- Data obtained from monitoring
- Camera recordings from the premises guarded by a camera system. The premises of BBNP and certain other operational facilities of BBNP are guarded by a camera system in order to protect legitimate interests of BBNP. The premises where the cameras are located are marked with a warning sign.
- Data necessary for the participation in loyalty programs or similar programs, namely the basic personal identification data and address data
BBNP always processes such required and obtained personal data of the above stated categories only for the specified purposes of processing on the applicable legal bases for the processing and to an appropriate extent, so that the personal data processing is lawful.
II. Legal bases for personal data processing
The extent of the processed data depends on the purpose of processing. For certain purposes it is possible to process data directly on the grounds of a contract, legitimate interest of BBNP or under law, while for other purposes data may only be processed on the basis of the consent.
- The processing is necessary for the performance of a contract and negotiation on a contract. In particular, the following purposes are concerned
- negotiation to conclude a purchase or other contract
- conclusion of a contract, its administration and performance
- The processing is necessary on the grounds of the legitimate interests of BBNP; in such case, BBNP processes data in the following situations, in particular
- processing the data of non-contracting parties, i.e. the data of persons who are not parties to a concluded contract, but are stated in or bound to the contract (e.g. responsible persons, contact persons and guarantors);
- marketing activities, provided that the data subject may reasonably expect such processing with regard to the circumstances. The data subject has the right to object to such processing. If the data subject raises such objection, his or her personal data will not be processed for such purposes any longer;
- keeping the communication – BBNP keeps the communication with a data subject, provided that the processing of such communication is necessary on the grounds of the legitimate interests and is carried out for the following purposes: performance of a contract and the obligations arising from the contract if the data subject whose communication with BBNP is kept is not a contracting party. The records are kept and protected in a manner securing that they are not accessible to unauthorised persons, and BBNP has taken necessary measures to prevent unauthorised handling of such kept personal data;
- camera systems, physical and IT security – BBNP uses camera security guarding and physical security guarding and processes personal data from the records for the following purposes: security and protection of buildings and premises of BBNP, protection of property and people in those buildings and premises, protection of data, and prevention, detection and investigation of criminal activities or breaches of internal regulations of BBNP. BBNP always considers the extent of the camera security guarding, so that it does not cover an area larger than required for the above stated purposes;
- handling your inquiries, complaints and requirements;
- development and support of the Controller’s business activities within the scope of direct marketing.
- Processing is necessary for the fulfilment of legal obligations applying to the controller, in particular for
- handling complaints
- fulfilling other obligations imposed by other applicable legal regulations, in particular by Value Added Tax Act No. 235/2004 of the Collection of Laws of the Czech Republic (Coll.), Income Taxes Act No. 586/1992 Coll., and Accounting Act No. 563/1991 Coll. Processing on the grounds of performance of a contract, legitimate interests of the controller and fulfilment of statutory obligations cannot be refused. Personal data are processed to the extent necessary for the performance of such activities, for the period necessary to attain them or for the period directly set out by legal regulations. Afterwards the personal data are erased or anonymised.
- Processing on the basis of the consent – the particular purposes of processing and periods of processing are stated in the data subject’s consent to the personal data processing, which concerns, in particular, the consent to receive marketing and commercial communications, and participation in loyalty and other similar programs. Giving the consent is not compulsory. Refusal to give the consent does not affect the statutory rights of the data subject, just a certain service bound to giving the consent cannot be provided. The consent may be withdrawn at any time. Consent withdrawal also does not affect the statutory rights of the data subject.
III. CATEGORIES OF RECIPIENTS OF PERSONAL DATA
When fulfilling its duties and obligations from contracts and in its business, BBNP uses professional services of other parties. If such contractors process the personal data of data subjects that were transmitted by BBNP, they have the position of personal data controllers and process personal data only on instructions from BBNP. Each such party is carefully selected with regard to meeting the statutory requirements, and a contract for personal data processing is concluded with each selected party, setting out strict obligations for the controller to protect and safeguard the personal data.
We provide your personal data to third parties only in justified cases. The recipients of such personal data may be our contracting partners which we need for the performance of the contract with you, IT contractors, providers of courier and logistic services, and where necessary, we may also provide your personal data to the parties designated to protect our rights or to other parties, in particular administrative authorities and offices stipulated by the legislation in effect, where this obligation is imposed on us by legal regulations.
IV. Period of storage of personal data
Your personal data will be processed for the duration of the concluded contract and afterwards for the limitation period of any claims arising from the contract. After expiry of such period, the controller will destroy your personal data, unless the controller is authorised/obliged to continue processing such data on another legal basis. Your personal data will also be processed by the controller for the duration of any litigations.
However, if the controller processes your personal data on the basis of your consent, then such personal data are kept by the controller for a period not exceeding the period for which you gave the controller your consent to such processing or until you withdraw your consent if you withdraw it prior to expiry of such a period.
Where applicable legislation requires so, any documents containing your personal data will be archived by the controller for the prescribed period.
V. Method of personal data processing
BBNP processes personal data manually and by automatic means. BBNP keeps records of all the activities during which personal data are processed.
VI. Information about the data subject’s rights with regard to personal data processing from 25 May 2018 according to the Regulation
- Right of access to the personal data (Article 15 of the Regulation)
- The data subject has the right to obtain from BBNP, at the request,
- confirmation as to whether or not personal data concerning the data subject are being processed by the controller
- access to such data if they are being processed by BBNP
- information about the purpose of processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period of processing, about the existence of the right to request from BBNP rectification or erasure of personal data concerning the data subject, about any restriction of their processing and an option to object to such processing, about the right to lodge a complaint with a supervisory authority, about the source of the personal data if they were not collected from the data subject, about the existence of automated decision-making, including profiling, and about appropriate safeguards where personal data are transferred outside the EU
- a copy of the personal data, provided that the rights and freedoms of others are not adversely affected thereby.
- Where a request is lodged repeatedly, BBNP may charge a reasonable fee based on administrative costs for the copy of the personal data.
- Right to rectification of inaccurate data (Article 16 of the Regulation)
- The data subject has the right to obtain from BBNP the rectification of inaccurate personal data concerning him or her. At the same time, the data subject is obliged to communicate any changes of his or her personal data and prove to BBNP that such a change took place. The data subject is also obliged to provide assistance to BBNP where it is found out that the personal data concerning him or her are not accurate. The rectification shall be carried out without undue delay with regard to the technical capacities.
- Right to erasure (Article 17 of the Regulation)
- The data subject has the right to have the personal data concerning him or her erased, unless BBNP proves legitimate grounds for their processing. BBNP has mechanisms in place to render personal data anonymous or erase them if they are no longer necessary in relation to the purpose for which they were processed. The data subject may request the erasure in writing.
- Right to restriction of processing (Article 18 of the Regulation)
- The data subject has the right to obtain restriction of processing for the time until settlement of the motion where the accuracy of the personal data or the reasons for their processing have been contested by the data subject or where the data subject has objected to their processing.
- Right to notification of rectification, erasure or restriction of processing (Article 19 of the Regulation)
- The data subject has the right to have any rectification or erasure of the personal data or restriction of their processing communicated by BBNP to all recipients to whom the data have been disclosed, unless this is impossible or involves disproportionate effort. At a written request of the data subject, BBNP shall inform him or her about such recipients.
- Right to personal data portability (Article 20 of the Regulation)
- The data subject has the right, at the request, to receive the personal data concerning him or her, which he or she has provided to BBNP, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller, where:
- the processing is based on consent or contract between the data subject and BBNP
- the processing is carried out by automated means.
- Where technically feasible, BBNP may, at the data subject’s request, transmit the personal data directly to the specified controller, provided that the person acting on behalf of the concerned controller is duly specified and can be authorised.
- The exercise of this right shall not adversely affect the rights and freedoms of others.
- Right to object to personal data processing (Article 21 of the Regulation)
- The data subject has the right to object to the processing of the personal data concerning him or her due to an illegitimate interest of BBNP, and shall do so in writing.
- Right to withdraw consent (Article 7 of the Regulation)
- Any given consent to the personal data processing may be withdrawn at any time. The withdrawal has to be express, intelligible and clear.
- Automated individual decision-making, including profiling (Article 22 of the Regulation)
- The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning him or her or would similarly significantly affect him or her.
- BBNP does not carry out automated decision-making without influence of human assessment with legal effects for data subjects.
- Right to turn to the Office for Personal Data Protection (Article 13(2)(d) of the Regulation)
- The data subject has the right to turn to the Office for Personal Data Protection (www.uoou.cz).
Unless stated otherwise, requests or other exercises of rights of the data subject shall be submitted in writing and sent to the registered office of BBNP.
BBNP reserves the right to make changes in personal data protection. The most recent version is always published on the website.