1. What is personal data?
Personal data is any information that can be used separately or together with other data to uniquely identify any living person (hereinafter referred to as the “Data Subject”), e.g. your name, email addresses, telephone numbers, location data, etc., which relate to your person.
2. Personal data controller
The Controller of your personal data processed for the purposes stated in this Policy is the company SAFIBRA, s.r.o., established under the law of the Czech Republic, IN 25787012, registered in the Commercial Register kept by the Municipal Court in Prague, file No. C 70191 (hereinafter referred to as the “Controller”). The Controller’s registered office is located at Černokostelecká 1621, district Prague – East, 251 01 Říčany, Czech Republic.
You can contact the person responsible for personal data protection in our company at firstname.lastname@example.org.
The Controller is responsible for ensuring that your personal data is processed in accordance with this Policy and with applicable legislation.
3. Sources of personal data
The Controller obtains your personal data from the following sources:
- directly from Data Subjects: emails, telephone, websites (which include
the company’s website www.safibra.cz and microsites www.monitoringkonstrukci.cz (collectively referred to as the “Website”), contact forms on the Website, social networks, business cards, negotiations
on concluding a contract, the recruitment process, etc.,
- distributor, business partner or representative,
- publicly accessible registers, lists and records (e.g. commercial register, trade register, cadastre of real estate, etc.),
- state administration bodies,
- on the basis of special legislation
4. Whose personal data do we collect?
The Controller collects your personal data if:
A. You personally or through a third party or through one of the forms on the Controller’s Website or through another communication channel, have provided the Controller with your contact details in order to:
- send general information about the Controller’s company or products,
or potential business opportunities, etc. (e.g. you gave your business card
to the Controller’s employee at the trade fair, or you sent a request
via the contact form on the Controller’s Website or through other communication channels),
- obtain technical support,
- file a complaint or make a claim,
- obtain a pre-sale consultation.
B. You are an employee of the Controller or otherwise represent him.
C. You are a company representative or self-employed person to whom the Controller sells its products, solutions and/or services or which/who supplies the Controller with its products, solutions and/or services.
D. You are a job seeker and you have provided Controller with your personal data via one of the forms on the Website, e-mail or the job offer portal or the Controller obtained your personal data from an employment agency which is the joint controller in relation to your personal data.
E. You do not belong to any of these categories of natural persons, but you have contacted the Controller or the Controller has contacted you directly,
5. Categories of personal data
The Controller processes the following categories of personal data:
A. Address and identification data: usually name, surname, title, or birth number, date of birth, address of permanent residence, IN, TIN.
B. Contact details: usually your contact address, email addresses and telephone numbers.
C. Employment details: typically a business name and contact details of your employer, your job position, your photo.
D. System data: data that the Controller needs due to a legal obligation or in order to maintain the quality of the services provided, such as IP address, port number, cookie files or other operational and location data.
E. Billing details: the details that the Controller requests from you if you pay him
for products, solutions and/or services or if he pays you for products, solutions and/or services, including your and your employer’s name, your and your company’s address(es) and email address(es) and financial information corresponding to your selected payment method (e.g. information about your payment card or bank account).
F. Information necessary for the recruitment process: Data about you, which you voluntarily provide to the Controller, for example in a CV, cover letter and other contexts (e.g. details of your qualifications, skills, work experience, about your entitlement to work in the Czech Republic etc.).
The Controller may also collect personal data about you from third parties, such as references supplied by former employers. The Controller will seek this information from third parties only once a job offer to you has been made
and he will inform you that he is doing so.
G. Other data that you intentionally share: information about you that you voluntarily submit to the Controller in order to conclude a contract, or through free text fields in Website forms or in other contexts.
6. Purpose and legal basis for personal data processing
Personal data are processed to the extent that the relevant Data Subject has provided them to the Controller, for the purposes and legal reasons set out below:
- in connection with the negotiation or conclusion of a contractual or other legal relationship with the Controller and the fulfilment of contractual obligations arising from this relationship,
- due to the fulfilment of legal obligations of the Controller (e.g. archiving kept
on the basis of the law, etc.),
- due to a legitimate interest, (e.g. maintaining a contractual relationship, launching new products on the market, making the Controller’s products and services visible, etc.),
- on the basis of the provided consent (e.g. sending out marketing communications, for the purposes of recruitment process, etc.),
- protection of the rights and legitimate interests of the Controller, the recipient
or other persons concerned, except in cases where the interests or fundamental rights and freedoms of the Data Subject requiring the protection of personal data take precedence over these interests (e.g. recovery of the Controller’s claims),
- processing is necessary to protect the vital interests of the Data Subject or another natural person,
- processing is necessary for the performance of a task performed in the public interest or in the exercise of public power entrusted to the Controller.
7. Method of processing and protection of personal data
The processing of personal data is performed by the Controller. Processing is performed in on the premises, branches and registered office of the Controller by authorized employees of the Controller, or processor. The processing takes place through computer technology, or also manually by personal data in paper form, in compliance with all security principles for the management and processing of personal data. To this end, the Controller has taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized
or accidental access to, alteration, destruction or loss of personal data, unauthorized transfers, unauthorized processing, as well as other misuse of personal data. All subjects to whom personal data may be made available respect the Data Subject’s right to privacy and are obliged to proceed in accordance with the applicable legal regulations concerning the protection of personal data.
8. Sharing of personal data
The Controller operates globally and thus he may share your personal data with his group of companies and business partners – but only for the purposes described in this Policy. This means that he may transfer your personal data to organizations in countries within and outside the European Union and the European Economic Area.
He will not transfer any of your personal data to organizations in countries outside
of the European Union and the European Economic Area (third country) without ensuring appropriate safeguards for the protection of your personal data, for example the existence of a so called ‘adequacy decision’ by the Commission or the inclusion of the so-called ‘standard contractual clauses’ (as approved by the European Commission from time to time) in a contract between him and the third country recipient company of your personal data.
Furthermore, personal data may be made available by the Controller to the extent necessary to legal, economic and tax advisors. Personal data relating to debtors may also be made available to collection agencies for the purpose of recovery of debts. Upon request or in case of suspicion of an illegal act, personal data may also be passed on to public administration bodies.
9. Time of processing personal data
Your personal data provided for the purpose of sending general information concerning the Controller’s company, products, or potential business opportunities, etc., will be processed by the Controller only for the time strictly necessary to fulfil this purpose, but no longer than three years, unless generally binding legislation requires a longer period.
The Controller will process the data provided by the job seeker only for the time strictly necessary to fulfil the stated purpose, but no longer than for a period of one year from the conclusion of the recruitment process.
Data directly related to any obligations that the Controller has towards you/your company on the basis of a partnership or contract concluded with you/your company are processed in full only for the duration of the contractual relationship and after expiration the data are processed only within legal regulations. After the termination of the contractual relationship, personal data are kept only for the time strictly necessary for a legitimate reason of the Controller or for the performance of legal obligations, but for a maximum period of 10 years. The stated deadlines apply when settling all liabilities (borrowed devices, invoices, equipment, etc.), otherwise your data will be kept until mutual settlement. These deadlines can also be extended, for example, by litigation, tax control, etc.Data provided for other purposes that you have expressly requested from the Controller, for example if you have decided to engage in one or more specific activities he offers, will only be processed for the time strictly necessary to fulfil the stated purpose stated in this Policy..
10. Rights of data subjects
According to the GDPR, the Data Subject has the following rights:
- Request free access to personal data of the Data Subject processed
by the Controller on, i.e. obtain from the Controller information on whether or not personal data concerning him/her are being processed. If so, he/she has the right to access this data.
- Request the correction or addition of personal data of the Data Subject processed by the Controller if they are inaccurate.
- Require the deletion of all or only some personal data if the purpose
of the processing has already passed, if the Data Subject revokes the consent,
if he raises objections to the processing, or if the personal data are processed illegally by the Controller.
- Require that the Controller limits or stops processing all or some data.
- Obtain those personal data which concern him/her and which are processed
with his/her consent or which are processed for the performance of the contract
or for the implementation of measures taken before the conclusion of the contract.
- Obtain his/her personal data in a structured, commonly used and machine-readable format; the Data Subject acquires the right to transfer this data to another controller.
- Data Subject has the right to object to the processing of his/her personal data.
- Data Subject has the right to complain to the supervisory authority – if the Data Subject considers that his/her personal data has been misused or the Controller otherwise violates his/her rights, he/she has the right to complain to the supervisory authority of an alleged breach of a general regulation, especially in the member state of usual residence or work.
If you wish to exercise any of these rights, you may send your requests and questions to the person responsible for GDPR at email@example.com. The Controller will immediately inform the applicant about the acceptance of each application according to the above points and will submit the required information or information on the measures taken without undue delay, but no later than within 1 month.
This period may be extended by a further two months if necessary and taking into account the complexity and number of applications. In certain specific cases defined in the GDPR, the Controller is not obliged to comply in full or in part with the request. This will be the case in particular if the request is manifestly unfounded or disproportionate, in particular because it is repeated. In such cases, the Controller may impose a reasonable fee taking into account the administrative costs associated with providing the requested information or refuse to comply with the request. The applicant will always be informed of this.
In the event that the Controller has reasonable doubts about the identity of the applicant for information, he may request him/her to provide additional information necessary to confirm his/her identity.
Information on the exercise of the Data Subject’s rights shall be stored by the data Controller for a reasonable period of time (typically 3 years) for the purpose of recording and documenting this fact, for statistical purposes, improving his/her services and protecting his/her rights.The Controller warns that if the Data Subject asks him to delete or restrict the use of any personal data, he may not be able to continue to provide his/her services.
11. Right to object
If the legal reason for processing personal data is the so-called legitimate interest, the Data Subject has the right to raise a factual objection to such processing of personal data at any time. In such a case, personal data will not be further processed unless there are serious legitimate reasons for the processing which outweigh the interests of the Data Subject or his/her rights and freedoms, or unless they are processed for the determination, exercise or defence of legal claims. The concerned Data Subject may object to the processing directly to the person responsible for GDPR at firstname.lastname@example.org. Please indicate in the email the specific situation that leads you to the conclusion that the Controller should not process your data. In the case of data processing for direct marketing purposes, it is always possible to raise an objection without further justification.
12. Changes to this policy
This Policy was last updated on November 1, 2020 and is publicly available on the Controller’s Website.