General Terms and Conditions for Processing Personal Data of Subjects at the Company
as per Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general regulation on personal data protection) (hereinafter referred to as “Terms & Conditions”)
1. Personal Data Controller
1.1 ARBES Technologies, a.s., Co. Reg. No.: 42192889, registered office at Plzeňská 345/5, Smíchov, 150 00 Prague 5, recorded in the Commercial Register maintained by the Municipal Court in Prague, section B, insert 22075 (hereinafter referred to as “Controller”), is authorized to process your personal data based on the explicit consent to process your personal data granted by you or based on other legal grounds, such as contractual obligations, legal obligations, protection of your vital interests or the vital interests of another natural person, the fulfillment of a task carried out in the public’s interest or during the exercise of public authority or authorized interest of the controller or a third-party, and this as per the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repelling Directive 95/46/EC (hereinafter referred to as “GDPR”) and as per the law on personal data processing.
2.1 Personal Data includes all information on an identified or identifiable natural person (data subject); an identifiable natural person is a natural person who can be identified, directly or indirectly, especially by a specific identifier, such as a name, identification number, location data, network identifier or by one or several special features of physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. A piece of personal data is also such data that may not specifically identify a person but may enable this identification if linked to another available piece of personal data. Technological resources must be considered when linking such personal data. For example an IP address can be considered personal data since thanks to technological resources it can be linked to another piece of personal data and this can enable identification even without active participation of the entity which keeps or processes the IP address. Personal data is also any type of information on purchases, used services or expropriated devices and (meta)data related to former behavior during the use of a service.
2.2 Processing personal data means any type of operation or a set of operations with personal data or personal data files, which are carried out with or without automated processes such as collecting, recording, organizing, structuring, saving, adjusting or modifying, searching, viewing, using, accessing via transfer, circulating or and other type of disclosure, sorting or combining, limiting, deleting or destroying. Such an operation or a set of operations that a controller or a processor carries out with personal data systematically, for a specific purpose or goal must be defined as personal data processing as per the GDPR as well and this regardless of the method and means of processing. It does not matter if the controller or processor processes the personal data manually, electronically or a combination of both, or if they use specific software tools or solutions. The commented definition still contains a demo list of operations, which are considered to be personal data processing. This can be the collection of data, its storage on data carriers, access, adjustments or modifications, searching, using, delivering, circulating, disclosing, keeping, exchanging, sorting or combining, blocking or liquidating.
2.3 Recipient is an entity, to whom personal data is provided – i.e. a natural person or a legal entity, a public authority, agency or another entity, to whom personal data is provided, whether they are a third-party or not. Public authorities, however, which can obtain personal data as part of special investigations under member state law are not considered to be recipients; processing of such personal data by these public authorities must be carried out according to applicable personal data regulation for that specific purpose of processing. A recipient is also a data subject, another controller, processor or a person directly reporting to the controller or processor, who is authorized to processed personal data (however not as an employee, where the controller or processor holds responsibility for the processing). Recipient status concurrently only constitutes the receipt of data. Recipients, however, are not public authorities exercising their investigative authority. In practice, this e.g. means tax authorities and customs or general administrative and regulatory authorities. The processing of personal data by these public authorities should be carried out as per valid personal data protection regulation according to the purpose of processing.
2.4 Data Subject is every natural person to whom the personal data relates. Typically this means EU residents whose rights the GDPR protects. Data subjects are not legal entities. Personal data can only relate to a living natural person since data of deceased persons is outside the scope of the GDPR.
2.5 Controller is a natural person or a legal entity, a public authority, agency or another entity, which on its own or in cooperation with others designates the purpose and means of processing personal data; if the purpose and means of this processing is designated by EU law or member state law, this right can also designate the affected controller or special criteria for its designation.
2.6 Processor is every natural person or a legal entity, public authority, agency or another entity, which processes personal data on behalf of the controller.
3. Scope of Personal Data Processing
3.1 Personal data is processed in the scope that was granted by the corresponding personal data subject in relation to the conclusion of a contractual or another legal agreement with the controller, or which the controller accumulated in another manner and is processing it according to valid legal regulation or to fulfill the controller’s legal obligations.
3.2 Personal data is only processed in the scope necessary in relation to the purposes specified in Article 8 of these Terms & Conditions.
4. Personal Data Sources
4.1 Personal data is obtained in the following manner:
- Directly from data subjects as per a contractual relationship or based on another legal basis (i.e. a purpose designated in Article 8),
- Based on information from public registers, lists and records (commercial register, trade license registry, real estate land registry, public telephone book etc.),
- From other persons acting as controllers and processors who provide personal data as part of fulfilling contractual obligations.
5. Personal Data Processing Categories
5.1 The following are specified categories of personal data, which the controller processes:
- Identification data used to identify a data subject in a manner that is unique and unchangeable:
- Last name
- Telephone number
- Residential address and postal address
- Bank account information
- Personal ID number
- Data that the data subject provides.
6. Data Subject Categories
6.1 The controller processes the following personal data subject categories:
- Job applicant,
- Controller’s employee,
- Recipient or user of services that the controller provides,
- Supplier of services provided to the controller.
7. Personal Data Recipient Categories
7.1 The controller provides personal data of data subjects to the following recipients based on the purposes listed in Article 8:
- Banking institutions,
- Insurance companies,
- Public employment office,
- Social security authority,
- Foreign police,
- Other public administrators,
- Recipient or user of services that the controller provides,
- Supplier of services provided to the controller,
- Public authorities fulfilling legal obligations set forth by corresponding legal regulations.
8. Personal Data Processing Purposes
8.1 Controller processes personal data for the reasons specified below:
- Fulfillment of the controller’s legal obligations,
- Contract negotiations,
- Contract fulfillment – providing services, executing an employment agreement, etc.,
- Hiring process for open positions
- Purposes contained as part of data subject consent,
- Archiving carried out as per legal regulations,
- Monitoring customer service quality,
- Arranging a meeting,
- Collection of market feedback,
- Purposes listed in the consent granted for personal data processing,
- For purposes of protecting vital interests of the data subject or another natural person,
- Fulfilling a task that is carried out in the public’s interest or when exercising public authority that the controller has been entrusted with,
- Authorized interests of the controller or a third-party (besides those instances when interests or basic rights and freedoms of data subjects needing personal data protection have precedence over these interests, especially if the data subject is a child).
9. Methods of Processing and Protecting Personal Data
9.1 The controller carries out the personal data processing. Processing is carried out at the controller’s seat, in his offices or branches by individual authorized employees of the controller.
9.2 Other processors are used to process your personal data if it is necessary in order to fulfill the purposes listed in Article 8 especially sales representatives of the controller’s partners. The categories of these processors are listed in Article 7.
9.3 Prior to providing personal data to a third-party as is listed above, a contract is always concluded with this person. This contract covers the processing of personal data and contains guarantees for personal data processing as per the GDPR and under the law on the processing of personal data.
9.4 Personal data may be provided abroad within the EU, especially where the controller’s service is provided to a customer from another member EU state or if a supplier’s service is provided to the controller by a supplier from another EU member state. We do not send or disclose your personal data outside of the EU.
9.5 Processing personal data is carried out automatically via computing systems, where manual processing is not ruled out for personal data in paper form while maintaining all security measures for the protection of personal data.
9.6 The controller has implemented technical and organizational measures for this purpose in order to provide protection of personal data, especially measures to prevent unauthorized or accidental access to personal data, its modification, damage or loss, unauthorized transfers, its unauthorized processing as well as other misuse of personal data.
9.7 All subjects, to whom personal data may be provided, respect the data subjects’ rights to the protection of privacy and are obligated to proceed as per valid legal regulations related to personal data protection.
10. Personal Data Storing Period
10.1 Data subjects’ personal data is stored for the period of active use of controller’s services or for the period of employment or other similar activities carried out for the controller and further according to the deadlines listed in the controller’s guidelines for the management of records and shredding; this is always only the period necessary to comply with the rights and obligations as per the relevant legal regulation or a contractual obligation of the controller.
11.2 Cookies that can be used on websites fall under the categories listed below. These descriptions will help you determine if and how you would prefer to communicate with our website and other online services:
- Strictly Necessary Cookies
11.3 If you do not wish to give your consent to our or third-party cookies, you can change the setting of your viewer to reject cookies. Since this action is different browser to browser, please visit the Help menu on your web browser for further details. Please bear in mind that if you decide to decline our cookies, it can negatively affect certain functionalities of this website and services.
12. Data Subject Rights
12.1 As per Sec. 12 of the GDPR and in connection to Sec. 15 of the GDOR, the controller informs the data subject of the rights to access personal data and the following based on a data subject request:
- Purpose of processing,
- Personal data recipient categories,
- Recipient categories or recipients to whom personal data was or will be provided,
- Planned period for which personal data will be kept,
- All available information on the source of personal data,
- If they are not obtained from data subjects, the fact whether automated decision-making is being carried out including profiling.
12.2 Each data subject who learns or has reason to believe that the controller or processor is processing their personal data in a manner that is in conflict with the protection of private and personal life of the data subject or that is in breach of the law, especially if personal data is inaccurate with regard to the purpose of its processing, then the data subject may:
- Ask the controller for an explanation,
- Require that the controller remedy this and can also negotiate that corrections are carried out, information is added or limited or that personal data is deleted,
- Raise an objection to processing,
- Request the portability of personal data,
- Obtain provided personal data in a structured, standard and readable format,
- Require that personal data provided is given to another controller.
12.3 The data subject can apply these rights as per the above with the controller through a personal data protection officer, whose contact is listed in sec. 13.2.
12.4 If the data subject request as per sec. 12.2 is valid, the controller shall remedy the problem immediately. If the controller does not comply with the data subject’s request, the data subject has a right to contact the supervisory office directly, which is the Office for Personal Data Protection, with a seat at Pplk. Sochora 727/27, 170 00 Prague 7- Holešovice. The process as per sec. 12.2 does not prevent the data subject from contacting the supervisory office directly with their request.
12.5 The controller shall provide the required information to the data subjects without undue delay within one month from the receipt of the request at the latest. This period may be extended to two months with regard to the complexity of the request and the number of requests; the data subject must be informed of this fact.
12.6 The controller shall provide data subjects all the requested information in a concise, transparent, clear and easily accessible manner through the use of clear and simple means. The controller does so for free.
13. General Provisions
13.1 This statement of the controller is available to the public on the controller’s website (www.arbes.com).
13.2 If you have any questions with regard to the processing of your personal data please contact us in writing or via telephone using the contact information of the personal data protection officer below:
Czech DPO Office s.r.o.
Czech Data Protection Officers Office
You can find the query form here
Tel: +420 736 456 122