GDPR
DECLARATION ON THE PROCESSING OF PERSONAL DATA
Declaration on the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the information of data subjects (hereinafter referred to as GDPR)
1. Personal data controller
Botanicus, spol. s r.o., with registered office at Ostrá 8, Lysá nad Labem, 289 22 Ostrá, ID No.: 45147264 (hereinafter referred to as the ‘Controller’) hereby informs you about the processing of your personal data and your rights in accordance with Article 12 of the GDPR.
2. Scope of processing of personal data
Personal data is processed to the extent that the relevant data subject has provided it to the controller, in connection with the conclusion of a contractual or other legal relationship with the controller, or which the controller has otherwise collected and processes in accordance with applicable law or to fulfil the controller's obligations.
3. Sources of personal data
· directly from the data subject
· distributor
· camera system
· publicly accessible registers, lists and records (e.g. commercial register, trade register, land register, public telephone directory, etc.)
4. Categories of personal data subject to processing
· address and identification data used to uniquely and unmistakably identify the data subject (e.g. name, surname, title, birth number, date of birth, permanent address, ID number, VAT number) and data enabling contact with the data subject (contact data - e.g. contact address, telephone number, fax number, e-mail address and other similar information)
· descriptive data (e.g. bank details, CCTV images)
· other data necessary for the performance of the contract
· data provided outside the scope of the relevant laws processed within the scope of the data subject's consent (processing of photographs, use of personal data for the purpose of personnel management, etc.)
5. Category of data subject
· customer of the controller (only for subjects registered on the e-shop)
· persons registering in the booking system
· employee of the controller
· carrier
· service provider
· other person who is in a contractual relationship with the controller
· job seeker
6. Categories of recipients of personal data
· wholesalers
· financial administration
· public institutes, authorities
· processor
· contractors
· state etc. authorities in the framework of the fulfilment of legal obligations set out in the relevant legislation
· other recipients (e.g. transfer of personal data abroad - EU countries)
7. Purpose of the processing of personal data
· the purposes contained in the data subject's consent
· negotiation of a contractual relationship
· performance of a contract
· protection of the rights of the controller, the recipient or other persons concerned (e.g. recovery of claims by the controller)
· archiving carried out on the basis of the law
· selection procedures for vacancies
· performance of legal obligations by the controller
· protection of the vital interests of the data subject
8. Method of processing and protection of personal data
The processing of personal data is carried out by the controller. The processing is carried out at the controller's premises, branches and headquarters by individual authorised employees of the controller or by the processor. The processing is carried out by means of computer technology or, in the case of personal data in paper form, manually, in compliance with all security principles for the management and processing of personal data. To this end, the controller has taken technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or other misuse of personal data. All entities to which personal data may be disclosed shall respect the right of privacy of data subjects and shall comply with applicable data protection legislation.
9. Duration of processing of personal data
In accordance with the time limits set out in the relevant contracts, in the controller's filing and shredding system or in the relevant legislation, this is the time necessary to ensure the rights and obligations arising from both the contractual relationship and the relevant legislation.
10. Instructions
The controller processes data with the consent of the data subject, except in the cases provided for by law where the processing of personal data does not require the consent of the data subject.
In accordance with Art. 6 para. 1 of the GDPR, the controller may process the following data without the consent of the data subject:
– the data subject has given consent for one or more specific purposes,
– processing is necessary for the performance of a contract to which the data subject is a party or for the performance of measures taken prior to entering into a contract at the request of the data subject,
– processing is necessary for compliance with a legal obligation to which the controller is subject,
– processing is necessary for the protection of the vital interests of the data subject or of another natural person,
– processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
– processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.
11. Rights of data subjects
1. In accordance with Article 12 of the GDPR, the controller shall, at the request of the data subject, inform the data subject of the right of access to personal data and of the following information:
– the purpose of the processing,
– the category of personal data concerned,
– the recipients or categories of recipients to whom the personal data have been or will be disclosed,
– the intended period for which the personal data will be stored,
– any available information on the source of the personal data, unless obtained from the data subject,
– the fact whether automated decision-making, including profiling, is taking place.
2. Any data subject who becomes aware or believes that the controller or processor is carrying out processing of his or her personal data which is contrary to the protection of the private and personal life of the data subject or contrary to the law, in particular if the personal data are inaccurate with regard to the purpose of the processing, may:
– Request an explanation from the controller.
– Request that the controller remedy the situation. In particular, this may involve blocking, rectifying, supplementing or erasing the personal data.
– If the data subject's request under paragraph 1 is found to be justified, the controller shall rectify the defective situation without delay.
– If the controller does not comply with the data subject's request pursuant to paragraph 1, the data subject shall have the right to apply directly to the supervisory authority, i.e. the Office for Personal Data Protection.
– The procedure referred to in paragraph 1 does not preclude the data subject from submitting his or her complaint directly to the supervisory authority.
– The controller shall have the right to charge a reasonable fee for the provision of the information, not exceeding the costs necessary to provide the information.
This declaration is publicly available on the website of the controller, on the controller's intranet, on request at the registered office of Botanicus s.r.o.