INFORMATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

The purpose of this document is to provide data subjects with complete information on the principles of processing and protection of their personal data when using the Podpisovna Site in accordance with the relevant legislation, in particular Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR").

Definition of basic terms

V This information uses words and phrases (terms) which are assigned the following meanings in accordance with the relevant legislation:

1.       Purpose of processing personal data

The company processes personal data of data subjects for the purpose of providing the services of the Podpisovna Office - i.e. electronic signing of documents in connection with electronic identification.

2.       Categories of personal data

The personal data that may be processed by the Company include the following data (the above list is demonstrative and does not exclude the processing of other personal data provided by the data subject in the course of using the Podpisovna Site; and conversely, the above list does not imply that the Company will process all of the data listed below. The exact scope of the data that the Company will process will always be the responsibility of the data subject, depending on which data they share with the Company, or with individual electronic identification providers such as BankID or MojeID - i.e. other controllers):

Identification data: academic degree, first name, last name and other data as appropriate (e.g. your bank ID, ID number, VAT number, date and place of birth, age, gender, ID number, data box ID, etc.)

Contact details: permanent home address, correspondence address, telephone number, e-mail address, etc.

Other data: bank account number, URL, IM, etc.

The company does not process sensitive personal data.

3.       Legal basis for processing personal data

·         The primary legal basis for the Company's processing of the above personal data is the conclusion and performance of a contract (for the provision of electronic document signing services in relation to electronic identification), or the Company's legitimate interest in processing the data in connection with the provision of these services or consent in the case of setting up a user account. The Company may also process certain data for the purpose of asserting or defending legal claims.

4.       Period of processing of personal data

4.1.        The Company processes personal data only for the time strictly necessary to fulfil the purpose for which it was collected or for the period specified by the relevant legal regulations.

4.2.        Some data are only kept for the duration of the contractual relationship or the provision of the service (signing of the document by all signatories). In the case of the establishment of a user account and the consent of the data subject, the Company retains this data even longer, until the consent is withdrawn or the user account is cancelled, or after a reasonable period in the case of no further use of the services.

4.3.        Some data is retained for a certain period of time after the end of the contractual relationship. To the extent necessary (possibly in pseudonymised form), the company retains data longer for the purpose of asserting and defending its legal claims, for the duration of the limitation periods within the meaning of generally binding legal regulations (3 to 15 years).

4.4.        Once the relevant period for which the personal data of the data subjects is stored has expired, the Company shall anonymise or completely erase the personal data from its own databases and information systems, shred paper documents containing personal data and destroy other portable media containing personal data.

5.       Sources of personal data

5.1.        The Company obtains personal data from the following sources:

·         directly from data subjects

·         from other data controllers providing electronic identification of the data subject (e.g. BankID, My ID)

·         from publicly accessible sources (public registers, public records or lists, etc.)

6.       Categories of recipients of personal data

6.1.        The Company transfers or may transfer (only some) personal data of data subjects to the following recipients:

·         to service providers necessary for the performance of the Company's business (e.g. IT service providers, lawyers, etc.). For these purposes, we only select trustworthy entities that are contractually or legally bound by confidentiality obligations in relation to the handling of personal data, as well as other obligations to protect personal data in accordance with the relevant legislation

·         to public authorities (e.g. administrative authorities, courts, bailiffs, etc.)

7.       Method of processing personal data

7.1.        The processing of personal data of data subjects occurs primarily in electronic form by means of computer technology, however, some data may also be processed in paper form by manual means. The Company has implemented adequate technical and organizational measures to ensure the protection of the personal data it processes, in particular measures to prevent unauthorized or accidental access to this personal data, its alteration, destruction, loss, unauthorized transfer, unauthorized processing, as well as other misuse of personal data (e.g. encryption, access security with strong passwords, multi-factor authentication, security software, storage in locked cabinets or premises, access allowed only to selected persons who necessarily need the personal data to fulfil the aforementioned processing purposes). All persons to whom such personal data may be disclosed respect the data subjects' right to privacy, are bound by confidentiality obligations and are required to comply with data protection legislation. We also require our data storage providers to comply with relevant industry security standards.

7.2.        No automated decision-making or profiling is performed on data subjects in the processing of their personal data.

8.       Transfer of personal data abroad

8.1.        Some personal data may be transferred to or stored at a destination outside the European Economic Area (EEA). Regardless of the location, we will apply the same data protection safeguards as we apply in the EEA.

8.2.        Certain countries outside the EEA (see the full list here https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en ) byly schváleny Evropskou komisí jako země poskytující ochranu, která je v podstatě ekvivalentní zákonům o ochraně osobních údajů v EHP, a proto k přenosu osobních údajů do těchto jurisdikcí není vyžadována žádná další záruka. Do zemí, které tato schválení nezískaly, předáme tyto údaje pouze pod podmínkou přistoupení k smluvním podmínkám schváleným Evropskou komisí, které ukládají rovnocenné povinnosti týkající se ochrany osobních údajů přímo příjemcům, pokud platné právní předpisy o ochraně osobních údajů neumožňují uskutečňovat takové přenosy bez uvedených formalit. V případě potřeby budeme od příjemce údajů v zahraničí vyžadovat přijetí dalších opatření či záruk k zajištění ekvivalentní ochrany osobních údajů jako v EHP.

9.       Rights of data subjects in relation to the processing of personal data

9.1.        In connection with the processing of personal data by the Company, data subjects have the following rights:

Right of access to personal data: The data subject shall have access to all personal data that the Company processes about him or her. If the data subject so requests, the Company shall provide him/her with a copy of such data in a structured format within one month of the request, provided that the transmission of such information does not adversely affect the rights and freedoms of other persons (i.e., it is not possible in all cases to provide information that is subject to, for example, trade secrets, intellectual property or copyright, information that constitutes the know-how of the Company and/or third parties - e.g., software providers, even if it is related to the processing of the personal data of the data subject who has made a request for access to such data). If the data subject makes a request in electronic form, the information shall be provided in the electronic form that is commonly used, unless the data subject requests a different method of provision.

Right to correction: If the data subject informs or requests the Company to do so, the Company shall correct/update inaccurate/outdated personal data without undue delay.

The right to erasure (the so-called "right to be forgotten"): The personal data of data subjects will be deleted without undue delay after one of the following grounds has been met:

·         the personal data are no longer necessary for the purposes for which they were processed

·         the data subject withdraws consent where the personal data have been processed on the basis of that consent and there is no other legal basis for the processing

·         the data subject objects to the processing and there are no overriding legitimate grounds for the processing

·         personal data have been unlawfully processed

·         the personal data was collected in connection with the offer of information society services (e.g. via a web contact form)

·         personal data must be erased in order to comply with a legal obligation under European Union law or Czech law

Personal data cannot be erased if the processing is necessary for compliance with legal obligations or for the establishment and defence of legal claims.

Right to withdraw consent: personal data will no longer be processed if the data subject withdraws consent to processing and there is no other legal ground for processing.

Right to restriction of processing: the processing of personal data of the data subject will be restricted in the following cases:

·         the data subject denies the accuracy of the personal data for the time necessary for the Company to verify the accuracy of the personal data

·         the processing is unlawful and the data subject refuses the erasure of the personal data and requests instead a restriction on their use

·         The company no longer needs the personal data for the purposes of processing, but the data subject requires it to assert or defend legal claims

·         the data subject has objected to the processing until it is verified that the legitimate grounds of the Company for the processing outweigh the legitimate grounds of the data subject

The restriction on processing therefore means that while the data is still stored, it cannot be otherwise processed until the restriction can be lifted. Therefore, where the processing of personal data is restricted, such personal data will only be processed with the consent of the data subject or for the establishment or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest. The Company shall inform the data subject in advance of the cancellation of the restriction on the processing of personal data.

The right to data portability: if the data subject so requests and if it is technically feasible, the Company will transfer his or her personal data to another controller in a commonly used, machine-readable format.

Right to object to processing: if the purpose of the processing is a legitimate interest of the Company and the data subject objects to the processing, the Company may further process the personal data if there are compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject or for the establishment and defence of legal claims.

Vznesení stížnosti: Subjekt údajů má právo podat stížnost na Úřad pro ochranu osobních údajů ve vztahu ke zpracování jeho osobních údajů Společností.

The data subject may exercise the aforementioned rights with the Company:

·         by email at: info@podpisovna.cz

·         or by post at: EzConvey s.r.o., Lublaňská 267/12, Prague 2, 120 00

10.       Final provisions

Any rectification, erasure or restriction of the processing of personal data shall also be notified by the Company to the individual processors of the Company, except where this proves impossible or requires disproportionate effort.

If the data subject so requests, the Company will inform him or her of the specific recipients of his or her personal data to whom the Company transfers his or her personal data.

This information will be updated regularly in the future. The current version of the information will always be published on the Company's website in the "Privacy Policy" section.

Last updated on 8.2.2022