Declaration on the processing of personal data according to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and the instruction of data subjects (hereinafter referred to as “GDPR” )

1. Personal data manager:

CONSTRA, s.r.o., ID: 26980509, with registered office at Sochorova 3178/23, Žabovřesky, 616 00 Brno. The company is registered in the commercial register maintained by the Regional Court in Brno. In accordance with Article 12 GDPR, we hereby inform you about the processing of your personal data and about your rights.

2. Scope of personal data processing:

Personal data is processed to the extent that the relevant data subject has provided it to the controller, in connection with the conclusion of a contractual or other legal relationship with the controller, or that the controller has otherwise collected and processes is in accordance with applicable legal regulations or to fulfill the administrator’s legal obligations.

3. Sources of personal data:

• directly from the data subjects (e-mails, telephone, website, contact form on the website, business cards, etc.)
• publicly accessible registers, lists and records (e.g. commercial register, trade register, real estate register, etc.) for the purpose of creating accounting documents and checking the correctness of information.

4. Categories of personal data that are the subject of processing:

• address and identification data used for unambiguous and unmistakable identification of the data subject (e.g. first name, surname, title, possibly social security number, date of birth, address of permanent residence, ID number, VAT number ) and data enabling contact with the data subject (contact data – e.g. contact address, telephone number, e-mail address and other similar information)
• descriptive data (e.g. bank details)
• other data necessary for the performance of the contract
• data provided beyond the scope of relevant laws processed within the framework of the consent granted by the data subject (processing of photographs, use of personal data for the purpose of personnel management, for the purpose of sending business communications or informational communications, etc.)

5. Category of data subjects:

• admin client
• an employee of the administrator
• service provider
• another person who is in a contractual relationship with the administrator
• job seeker

6. Category of recipients of personal data:

The administrator does not intend to transfer personal data to a third country outside the EU, the administrator has the right to entrust the processing of personal data to a processor who has concluded a processing contract with the administrator and provides sufficient guarantees for the protection of your personal data. Otherwise, data subjects will be informed of this transfer without reservation. The categories of beneficiaries are therefore:
• financial institutions
• public institutions
• processor
• state and other authorities within the framework of the fulfillment of legal obligations established by the relevant legal regulations

7. Purpose of personal data processing:

• purposes contained within the consent of the data subject
• negotiating a contractual relationship
• performance of the contract
• protection of the rights of the administrator, beneficiary or other affected persons
• archiving conducted on the basis of the law
• selection procedures for advertised job positions
• fulfillment of legal obligations by the administrator
• protection of vital interests of the data subject
• transfer of business messages or other information in the case of legitimate interests of the administrator

8. Method of processing and protection of personal data:

The processing of personal data is carried out by the administrator. The processing is carried out in its establishments, branches and the administrator’s headquarters by individual authorized employees of the administrator, or processor. The processing takes place in compliance with all security principles for the management and processing of personal data. For this purpose, the administrator has taken technical, organizational and legal measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, their change, destruction or loss, unauthorized transfers, their unauthorized processing, as well as other misuse of personal data. All entities to which personal data may be made available respect the data subjects’ right to protection of privacy and freedoms and are obliged to proceed in accordance with applicable legal regulations regarding the protection of personal data.

9. Personal data processing time:

In accordance with the periods specified in the relevant contracts and consents, the periods prescribed for handling in the case of the legitimate interests of the administrator or a third party, in the relevant legal regulations, this is the period absolutely necessary to secure the rights and obligations arising both from the contractual relationship and from the relevant legal regulations.

10. Lesson learned:

The administrator processes data with the consent of the data subject, with the exception of cases provided by law when the processing of personal data does not require the consent of the data subject, i.e. when there is another legal basis for the purpose of processing. In accordance with Article 6, paragraph 1 of the GDPR, the controller may process the following data without the consent of the data subject:
• processing is necessary for the fulfillment of a contract to which the data subject is a contracting party, or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject,
• processing is necessary to fulfill a legal obligation that applies to the administrator,
• processing is necessary to protect the vital interests of the data subject or other natural person,
• processing is necessary for the fulfillment of a task carried out in the public interest or in the exercise of public authority entrusted to the administrator,
• processing is necessary for the purposes of the legitimate interests of the relevant administrator or a third party, except in cases where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data take precedence over these interests.

11. Rights of data subjects:

A. In accordance with Article 12 of the GDPR, the controller, at the request of the data subject, informs the data subject of the right to access personal data and the following information:

• purpose of processing,
• the category of personal data concerned,
• recipients or categories of recipients to whom personal data has been or will be made available,
• the planned period for which personal data will be stored,
• all available information about the source of personal data,
• if they are not obtained from the data subject, the facts of whether automated decision-making takes place, including profiling.

The administrator has the right to request a reasonable payment for the provision of the information not exceeding the costs necessary to provide the information, for the second and each additional copy within the administrative costs associated therewith.

B. Any data subject who discovers or believes that the administrator or processor is processing his personal data in violation of the protection of the private and personal life of the data subject or in violation of the law, especially if the personal data is inaccurate with regard to the purpose of their processing, can:

• Ask the administrator for an explanation.
• Require the administrator to remove the state thus created. In particular, this may involve blocking, correcting, supplementing or deleting personal data.
• If the data subject’s request according to paragraph A. is found to be justified, the controller will immediately remove the objectionable state.
• If the administrator does not comply with the data subject’s request according to paragraph A., the data subject has the right to contact the supervisory authority, i.e. the Office for Personal Data Protection.
• The procedure according to paragraph A. does not preclude the data subject from contacting the supervisory authority directly.

C. The data subject has the right to revoke the consent to the processing of personal data previously granted to the personal data administrator.

D. The rights of data subjects are therefore: to exercise the right to correction, erasure, oblivion, and restriction of processing. Furthermore, the right to data portability if this is technically or organizationally feasible.