Contents

Introduction

In its activities, our company uses personal data of You, our customers and business partners, both existing and potential, as well as workers or visitors on PRECHEZA premises. We do not take protection of Your personal data and Your privacy lightly; we do everything we can to ensure their adequate protection. We treat personal data in full compliance with valid legislation.

The purpose of this document is to explain to You which personal data we collect, for what purpose, how we use them, what we do to ensure their security and what rights You can exercise. The legal framework is laid down by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

Who we are (i.e. personal data controller)

Personal data controller[1] is our company[2], PRECHEZA, a.s., registered address Nábř. Dr. E. Beneše 1170/24, 750 02 Přerov, Companies Register Number (IČ): 268 72 307, entered in the Commercial Register kept by the Regional Court in Ostrava, Section B, Insert 2953.

Our company’s contact details can be found in the final section of this document.

Which data do we collect?

Without consent

  1. Identification data – personal data used for Your unambiguous and unmistakable identification, e.g. name, surname, title, date of birth, identification card, residence address, registered address / place of business, signature.
  2. Contact data – data using which we can contact You, e.g. telephone number, e-mail address, contact address.
  3. Data regarding Your purchases and our business cooperation, especially history of purchases, payment details, bank details, invoiced and paid (outstanding) amounts, data regarding running performance and communication with You or Your employees. In connection with communication, our company may also store some technical details, i.e. time of communication and IP address from which it was sent.
  4. Data regarding entering the premises of our company – electronic records of visitors and transit through the gates.
  5. Photographs.
  6. Camera records.
  7. Data on devices collected in connection with using Internet services and apps - when our company’s website www.precheza.cz is used, we rely on various technologies to collect and store information to identify Your browser and Your device (cookies and similar technologies), we collect data on devices (e.g. IP address or other unique identifiers of Your device, hardware model, operating system version, mobile network data, server protocols, Internet protocol address, date and time of Your query), location data (IP address).
  8. Data regarding the use of Your statutory rights and record of their application vis-a-vis our company.
  9. Other data which must be processed by our company pursuant to Czech or EU legislation.

With consent

In certain cases, our company will process the above data or other data based on Your consent. In such cases, the exact scope of processed personal data is defined in the consent You signed. In such cases, You may withdraw Your consent at any moment in time.  E.g.  data on job seekers contained in curriculum vitae or questionnaires (including photographs) are stored in our database with consent.

Personal identification code

We will process Your personal identification code only if You disclose it in the contract voluntarily, or where it is required by a statute (where it is not required by a statute, our company does not insist on using Your personal identification code, so we recommend You do not disclose it).

If You disclose Your personal identification code based on or in relation with a contract, by doing so You, as its owner, express Your consent under S. 13c par. (1) of Act No. 133/2000 Sb. with our company’s using Your personal identification code for keeping records of contracts, supplied performance and protection or our rights, as well as with its storage, processing and using. This consent may be withdrawn; however, this does not prejudice our right to processing information and data in cases defined by legislation or for other purposes, unless it is expressly provided otherwise

For what purpose and on what legal grounds?

In this section, You will find a list of purposes for which we will be using (processing) Your personal data, as well as legal basis (legal grounds) for processing. For processing to be lawful, it must always be based on a legal basis identified in S. 6 of the Regulation. Data is often used for more than one purpose and is processed based on more than one legal basis for processing. Where purpose of processing or legal basis for processing ceases to exist, personal data will not be processed anymore. We process personal data for a pre-defined purpose and only to the extent which is necessary for complying with the given purpose. Only in exceptional cases and under certain conditions described in the Regulation, we may process Your data also for purposes other than the ones for which they were originally collected.

Without consent

  1. For the purpose of making a contract and performing a contract. The contract determines which data must be collected to ensure that we can perform all contractual obligations and relevant statutory obligations. This purpose and legal basis for processing also applies to contract drafting, contractual negotiations or supplier selection procedures.
  2. For the purpose of and on the legal basis of statutory obligations (especially, Account Act, Tax Code, Labour Code, VAT Act, Records Management and Archiving Act, Consumer Protection Act and laws to regulate advertising).
  3. For the purpose of managing customer relations, statistical purposes and creation of analytical models – to ensure that we can develop our services and improve our products, we also process data on purchases, queries or complaints; we compare and analyze data on our company’s products, we create distribution statistics and forecasts to protect our rights and legitimate interests. In such cases, we try to apply anonymization to the highest extent possible. Legal basis for processing is performing a contract and legitimate interest of our company.
  4. For internal management purposes – to keep records of contracts and their performance, to check activities of our employees or other administrative procedures included in our internal corporate processes (e.g. internal management of our activities, creating reports on our activities or the company’ individual employees, efforts aimed at internal process optimization or employee training). Legal basis is the legitimate interest of our company.
  5. For safety and risk management purposes – where our company must comply with a statutory obligation, or to protect our legitimate interests, we process Your personal data to the necessary extent to secure safety on the premises of our company, to protect our property, to prevent and identify fraudulent or malicious acts etc.; some data (especially acquired through communication with a partner, such as IP address or time of communication) will also be used for IT security purposes. Legal basis is the legitimate interest of our company.
  6. For the purpose of exercising or defending a legitimate claim of our company or third parties, where we have to enforce our rights or claims, or to defend ourselves in judicial or administrative proceedings, we will use necessary personal data. Legal basis is the legitimate interest of our company.
  7. Marketing content distribution (direct marketing), typically, sending an e-mail or telephone contact with offers of products or services like the ones You purchased from us. We may distribute such offers unless You express Your wish to stop receiving such offers (see the right to object). We will not disclose Your data to any third parties for the purpose of sending offers (except for our subcontractor – processors processing data for us). Legal basis is the legitimate interest of our company.

!      Please note that marketing content will be distributed to You pursuant to S. 7 of Act 480/2004 Sb. to Your address (including e-mail address). You may be contacted by an unsolicited direct mail with marketing content related to products, business and services of our company. You may refuse distribution of marketing content at any point of time (see the right to object). Unless You expressly provide otherwise, such refusal does not have any effect on sending other types of marketing content than the one You are reacting to.

With consent.

With Your consent, we may process personal data also for other purposes (e.g. marketing). In such cases, the purpose of collection and further processing of personal data is exactly defined in Your consent. In such cases, You may withdraw Your consent at any point in time.

Use for other purpose than the one for which the data was collected?

In certain cases, our company may process personal data for other purposes than the one for which the data were collected. This is the case, especially, if:

  • We collect Your data for the purpose of performing a contract and it is determined by legislation for how long the data must be stored (e.g. under the Accounting Act,

 

  • invoices for prices of supplied goods or services must be archived for 10 years, even if we do not need the data to perform the contract any more).
  • We will collect Your data for the purpose of performing the contract and, subsequently, there is a dispute and we have to enforce our claims or defend our rights.
  • Pursuant to S. 7 of Act No. 480/2004 Sb., we send marketing content to customers or business partners with whom we had business transactions in the past and who disclosed their address to us – for more details see purpose of processing or the  right to object.

From which sources does our company acquire personal data?

  • Directly from You during negotiating a contract or a service and subsequent performance (in most cases).
  • From publicly available registers and databases, in justified cases when we exercise our legitimate interests, especially enforcing debts, selecting an appropriate supplier, verifying that an entity exists or verifying status of data.
  • From open or publicly available sources, e.g. partner’s website or advertising – for potential business partners for the purpose of establishing communication regarding possible business cooperation. Our company may store such basic data in its business partner database for the purpose of future contact.
  • We sometimes disclose data to other entities integrated in the Group for administrative purposes[3].
  • From other entities, if expressly permitted by a statute (e.g. in a legal dispute) or if You granted an express consent with disclosing Your data to such entity.

Are You obliged to disclose Your personal data to us?

If the data are processed based on Your consent, disclosure of Your personal data is discretionary.

If we process the data in connection with a contract concluded between You and our company, or a service we provide to You, You may decide whether you wish to conclude the contract or use the service, or not. If the contract is concluded or the service is used, You are obliged to disclose information necessary for performing the contract or using the service. Without such information, we cannot provide You the service or other performance.

If the purpose of collection and further processing of Your personal data is complying with legal obligations or protection of our legitimate interests, You are obliged to disclose Your personal data to us. In any case, we only ask for data necessary for performing the selected  purpose.

How will the processing take place?

Our company will process personal data especially in its computer systems and computer systems of processors (e.g. in our ERP system, in Outlook for e-mails, in our accounting system for data necessary for issuing invoices etc.). Hard copies of documents will be processed in our filing system.

How do we ensure protection of Your personal data?

Under valid legislation, our company ensures security of personal data using all appropriate technical and organizational measures to ensure the highest possible degree of protection considering the nature, extent and purposes of processing and probable risks. We have introduced security and control mechanisms to prevent unauthorized access or transfer of data, their loss, destruction or other potential abuse.

Our employees are bound to observe confidentiality. If we disclose data to third parties, such third parties are bound by statutory or contractual obligation to observe confidentiality.

How can You Yourselves mitigate the risks?

Every instance of personal data processing involves certain risks. Risks depend on the extent of processed data and form of their processing. Below, You will find some of the recommended procedures to help You protect Your data:

 

  • If You disclose Your data to us, always consider whether disclosure is necessary. You should consider disclosure of data related to Your private life and other aspects not connected with the purposes for which You provide the data or data intended for disclosure (such as Your comments under articles etc.) with extra care. If You believe we are asking You for too much data, contact us and we will evaluate adequacy of our request.
  • If You disclose personal data of third parties to us or under our services (Your family members or other employees of Your company etc.), consider whether such disclosure if essential and necessary. Where necessary, ask for consent of such third parties.
  • If any of our colleagues asks to disclose data, do not hesitate to ask whether it is necessary and whether the purpose of processing cannot be met without providing such data.
  • Persons under 18 are especially vulnerable. Where process of data transfer involves such individuals, all circumstances must be considered with extra care. At the same time, it is necessary to consider whether consent of such individuals or their legal guardians (e.g. parents) is necessary for disclosure of such data. If You are a person under 18 and You are not sure whether You are able to make the right decision, please discuss this issue with Your parent or contact us separately.
  • If You sign in to our systems using a password, always use a unique strong password which You will not use for other devices and access. Do not make Your password available and do not disclose it to anyone including our staff. We will never ask You to disclose Your password; be cautious of any e-mails asking You to provide Your password, even if they are signed by the name of our company. It is likely they are fraudulent acts with the intention of acquiring and abusing Your password.
  • If You send us any confidential data, try to use a safe communication method, e.g. protecting Your file with a password with encryption and sending the password using a different communication channel.
  • If You believe that our company failed to fulfill any of its obligations, there was an unauthorized data leak or somebody pretends to be our employee without proper authorization, let us know as soon as possible, either by sending an e-mail to  osobni.udaje@precheza.cz or use other contact addresses.
  • We always try to keep these instructions up-to-date. Therefore, from time to time, we will update these rules. We will notify You of any major changes; however, it is recommended to consult these rules regularly.
  • Keep Your data in our service interface up-to-date.

Who do we transfer Your personal data to?

  1. Processors – most processing activities are performed in-house by our company; in some cases, we use third party services (“processors”). We try to valid legislation.

Processors include:

  • IT systems, apps and cloud storage facility providers
  • guards
  1. To our external advisors or partners who process personal data themselves – if necessary for provision of consulting services or if we assumed the obligation to purchase some service for You to ensure maximum comfort for You, or where it is necessary for protection of rights and interests of our company (e.g. to a counsel, a tax or an economic advisor, an auditor, an insurance company or an insurance broker, a bank, a court, an enforcement officer, an auctioneer, a carrier or Česká pošta postal service operator)
  2. To our suppliers of external services who may gain access to personal data processed by our company while providing their services, but they are not authorized to process personal data themselves (typically, programming or other technical support, suppliers of computer systems, server services, sending e-mails and providers of archiving services, (back-up) server operators or technology operators).
  3. Within AGROFERT group, individual entities transfer personal data of our business partners or customers between each other, primarily for internal management and reporting. However, facilitation of contracting, performance or addressing certain issues may also be a purpose.
  4. To state authorities and other entities, if required by legislation (e.g. bodies of state administration, supervising bodies, law enforcement authorities, courts, enforcement officers, insolvency administrators).
  5. With Your consent or based on Your instructions, Your personal data may be disclosed to further entities.

!     Under the Regulation, the principle of free movement of persons in the EU remains in force; however, the Regulation places restrictions on transfer of personal data to non-member states. Normally, our company does not transfer personal data to any third countries. However, it can happen that Your personal data may be processed in a computer system with servers outside of the EU, although we try to avoid such situations. Considering the systems we use for business purposes, these systems would use servers located in the United States of America. In such case, we would the European Commission for safe data transfer between the EU and the USA, the so-called Privacy Shield. If we intend to transfer Your personal data outside of the EU, we will inform You accordingly.

Group membership

Our company is a member of AGROFERT Group.

Your personal data storage period

Our company may not process Your personal data for an unlimited period; processing period is restricted as the period during which we really need Your data. We try to limit the length of this period to reflect both Yours and our interests. In some cases, we cannot put a number on the processing period because it is not possible to disclose the exact length of the period for safety reasons, so below, we would like to at least describe some of the criteria which we use to determine the length of the period during which Your personal data will be processed.

We process Your data for a period which is essential for achieving the purpose for which the data were collected, or a related other purpose. Where specific period of storage is not established by legislation, we understand that the purpose of processing survives, at least, for the period during which there is a risk of legal claims enforced in connection with processing activity and for one more calendar year after termination of all possible legal claims.[4]

To establish adequacy of the period of processing personal date, we will take into consideration the following aspects: (i) length of time lapse period, (ii) probability of presenting legal claims, (iii) usual procedures on the market, (iv) probability and significance of possible risks and (v) recommendations of supervising authorities.

For the purpose of distributing marketing content, our company will be processing Your contact details as long as the partner withdraws his/her consent with such activities. Even then, we may continue processing basic data regarding why we were distributing marketing content for an adequate period to prove lawfulness of such distribution.

Data updates

Considering that one of our obligations as a personal data controller is to process accurate data, we would like to ask You to inform us about any change in Your personal data, doing so either through our employee with whom You normally communicate, or by reaching out to one of the contacts below.

Contact persons of contractual partners

While processing personal data of our existing or potential contractual partners, our company also processes data of their contact persons (e.g. their governing bodies or employees communicating with our company). These data usually include such persons’ name and surname, their e-mail address, position, telephone number and, possibly, minutes from our meetings with them. These data are processed for the same purposes and to the same extent and for the same period as data of our contractual partners. Our employees may keep their own lists of contact persons, e.g. in their telephone directories or business card catalogues. Telephone numbers used for communication with corporate devices are also stored for an adequate period for the purposes of proper invoicing telco services, protecting the rights of our company and possible differentiation between private and business calls. Besides system administrators, only employees from whose devices communication took place have access to such data.

The right to object

Where personal data are processed for the purpose of legitimate interests of our company or a third party, You may object against such processing in cases where Your particular situation justifies doing so, i.e. if processing itself is permissible but there are specific reasons on Your side due to which You wish that Your data do not get processed.

Our company will have to review processing. Such personal data may not be processed further if there are no compelling legitimate grounds for processing overriding Your interest in privacy protection or other interests, rights and freedoms, or if processing is not done for determination, exercise or defense of our company’s legal claims.

If we process personal data for direct marketing purposes, You may raise an objection against such personal data processing. This right may be exercised using technical means (unsubscribe from marketing content distribution). After that, our company will not be processing Your personal data for direct marketing purposes any longer; however, the data may be processed for other purposes.

You may raise Your objections or exercise any other rights using the contact details below. Please, describe the circumstances which lead You to believing that our company should not be processing Your data.

The right to object does not extend to all cases of processing; it cannot be exercised in cases when we process Your data on a legal basis other than necessity for a legitimate purpose, e.g. as a necessity for performing a contract or statutory obligations.

What other rights and possibilities do You have?

1.Right to information and explanation

Our company is obligated to provide information contained in this document to You in a brief, transparent and understandable form. If any of the provisions of these Principles are not clear to You or You find them difficult to understand, do not hesitate to contact us.

2.The right to withdraw consent

Whenever we collect data and process them based on Your consent, You may withdraw Your consent at any point in time. Your consent is provided entirely on Your discretion. If You withdraw Your consent, it has no impact on those processing activities that took place during the time when Your consent was valid and those processing activities which our company was obligated to conduct for the reason of an earlier consent and performed processing activities (to comply with legal obligations or to protect our legitimate interests).

You can withdraw Your consent free of charge, doing so in any form, ideally in the form that You used for granting consent in the first place. E.g. if You granted consent in an application we operate, the application also has the option of withdrawing consent. In other cases, You can withdraw Your consent in writing or by e-mail using our contact details below. You need to provide Your identification data and for which purpose You originally provided the consent You wish to withdraw.

3.Right to access to personal data

You have the right to have an idea regarding which of Your data we process. You can ask us to provide information regarding whether Your personal data is processed by our company. If we process Your personal data, we will provide You all related information pursuant to S. 15 of GDPR, including copies of processed personal data.[5]

Rights of other persons may not be prejudiced when Your right of access to personal data is exercised.

To ensure that this right is not abused by a different person and to prevent providing all Your personal data to another person, we are obligated to establish the identity of the person exercising the right of access.

4.Right to rectification or completion of incomplete data

If You believe that we process inaccurate data about You, You may notify us and ask to rectify or complete incomplete data.

5.Right to erasure (so-called “right to be forgotten”)

You may ask to have Your personal data erased if at least one of the conditions below is satisfied:

  • personal data are no longer necessary for the purpose for which they were collected or processed otherwise,
  • the data subject has withdrawn his/her consent, and there is no further legal basis for processing,
  • the data subject has raised objections against processing and there are no prevailing legitimate grounds for processing,
  • personal data were processed unlawfully,
  • personal data must be a legal obligation,
  • personal data were collected in connection with an offer of services of an information company.

Under S. 17 par. 3 of GDPR, our company is not obligated to erase requested data if processing is necessary:

  • for determination, exercise or defense of our company’s legal claims,
  • for exercising the right to freedom of speech and information,
  • for complying with a legal obligation imposed on our company by Czech or EU legislation,
  • for performing a task carried out in the public interest, if our company was authorized to carry out such task,
  • for public interest in public health when processing is done for preventive or occupational medicine etc.[6]
  • For archiving for public interest purpose, for statistical purposes or for the purpose of scientific and historical research, or if deletion would jeopardize such goals significantly.[7]

6.Right to data portability

Valid legislation gives You the right to acquire personal data You provided to our company, and to receive them in a structured, generally used machine-readable format. Such data will be provided to You or to another controller upon Your request, if it is technically feasible. This right may be exercised if:

  • processing is done on the grounds of Your consent or performing a contract or using a service provided by our company, while at the same time,
  • our company processes data using automated means.

By exercising this right, rights and freedoms of other persons may not be impacted in a negative way. This right may not be exercised if we process Your personal data to perform a task carried out in public interest, if our company was authorized to do so.

7.How do we process Your objections and requests?

If You approach our company with an objection or a request concerning one of Your lawful rights, we will inform You about measures we adopted. We will also inform You if we do not adopt any measures, explaining the reasons for our decision. This information will be provided to You within one month from Your request. If, due to complexity and number of requests, it is necessary to extend this deadline, we will notify You also within one month from Your request and provide reasons for delay. This period will be extended for a maximum of two more months. We will do everything to make sure that information on adopted measures is provided to You as soon as possible.

All objections and requests, as well as our response, are processed and provided free of charge. However, in certain cases specified in the Regulation, our company may decline Your request, especially if the requests are repeated or are manifestly unfounded or excessive. In such cases, we may charge an adequate fee to cover administrative costs related to provision of information or we may even reject the request altogether.

Our company can satisfy Your request or objection only if it does not have reasonable doubts regarding the identity of the person who raised the objection or filed the request. We must ensure that rights are not abused by other persons, and that Your personal data are not disclosed unlawfully to a stranger. For this reason, our company establishes the identity of the applicant either by asking to provide additional information to prove the applicant’s identity, or by submitting the objection or the request with the signature certified by a notary public. If the request or the objection is raised at our branch office, we will ask You to prove Your identity by presenting Your identity card.

8.The right to raise an objection with the supervisory authority

If You disagree with the way we process Your personal data, or You disagree with our company’s approach, You may reach out to the supervisory authority with Your complaint at any time:

Personal Data Protection office

Pplk. Sochora 27, 170 00 Praha 7

tel.: 234 665 111

e-mail: osta@uoou.cz

web: www.uoou.cz

 

How can You contact us?

Address Your questions, requests or objections to our company

by mail: PRECHEZA a.s.

Nábř. Dr. E. Beneše 1170/24, 750 02 Přerov

By e-mail: osobni.udaje@precheza.cz

In conclusion

This document is subject to regular updates and additions.

 

[1] All information about identified or identifiable individual (also called “data subject”) is considered personal data; an identifiable individual is an individual who can be identified, directly or indirectly, especially referring to a specific identifier, such as name, identification number, location data, network identifier, or to one or more of specific element of the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

[2] A personal data controller is an entity which determines which personal data and why will be collected, and how they will be protected.

[3] In AGROFERT Group, individual entities share personal data of our business partners, customers or employees, primarily for internal management and reporting. However, facilitation of contracting, performance or addressing certain issues may also be a purpose.

[4] For instance, when goods are purchased, and warranty period expires, period of limitation commences, during which the customer may present legal claims against our company. After that, we continue storing personal data for another year to be sure that even on the last day of the period no claim was presented against our company

in court or with a different authority.

[5]We will tell You which personal data categories we process, for which purposes, to which recipient category personal data may be made accessible, what the planned processing period is, as well as information regarding the source of such data, information regarding Your rights and information whether automated decision-making takes place.

[6] S. 9 par. 2 (h) and (i) and S. 9 par. 3 of GDPR

[7] Under S. 89 par. 1 of GDPR

 

Personal Data Protection Principles