The Controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") is Rail-Com Systems s. r. o., ID: 08667934, with registered office generála Svobody 764, 533 51 Pardubice – Rosice, Czech Republic (hereinafter referred to as the "Controller").
Personal data means any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Controller has not appointed a data protection officer.
II. Sources and categories of personal data processing
The Controller processes personal data that have been directly provided to it by the subject and/or personal data obtained by the Controller on the basis of filling in a contact form on the Controller's website or in the performance of a contractual relationship with the subject.
The Controller processes the identification, contact and contact data provided by the subject necessary for the performance of the contractual relationship or for communication with the subject within the contractual relationship.
III. Lawful basis and purpose of the processing of personal data
The lawful reason for processing personal data is:
performance of the contractual relationship between the subject and the Controller pursuant to Article 6(1)(b) of the GDPR,
the legitimate interest of the Controller in providing direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(f) GDPR,
the subject's consent to processing for the purposes of providing direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(a) GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll., on certain information society services, in the absence of an order for goods or services.
The purpose of processing personal data is:
the processing of the subject's order and the exercise of rights and obligations arising from the contractual relationship between the subject and the Controller; when placing an order, personal data are required that are necessary for the successful processing of the order (name and address, contact), the provision of personal data is a necessary requirement for the conclusion and performance of the contract, without the provision of personal data it is not possible to conclude the contract or its performance by the Controller,
sending information, commercial communications and other marketing activities.
There is no automatic individual decision-making by the Controller within the meaning of Article 22 GDPR. The subject has given his or her explicit consent to such processing.
IV. Data retention period
The Controller shall store personal data:
for the period necessary for the exercise of the rights and obligations arising from the contractual relationship between the subject and the Controller and the exercise of claims arising from that contractual relationship (for a period of 10 years from the termination of the contractual relationship),
for as long as the consent to the processing of personal data for marketing purposes is withdrawn, but no longer than 10 years if the personal data are processed on the basis of consent.
After the expiry of the retention period, the Controller shall delete the personal data.
V. Recipients of personal data (subcontractors and partners of the Controller)
The recipients of personal data are persons:
involved in the implementation of the contractual relationship (delivery of goods / services / execution of payments, etc.)
involved in the operation of the services,
providing marketing services.
The Controller transfers personal data to countries within the EU or to international organizations.
VI. Rights of the subject
Under the conditions set out in the GDPR, the subject has:
the right of access to his or her personal data pursuant to Article 15 of the GDPR,
the right to rectification of personal data pursuant to Article 16 GDPR or restriction of processing pursuant to Article 18 GDPR,
the right to erasure of personal data pursuant to Article 17 GDPR,
the right to object to processing pursuant to Article 21 GDPR,
the right to data portability pursuant to Article 20 GDPR,
The subject has the right to lodge a complaint with the Data Protection Authority if he/she considers that the right to data protection has been violated.
VII. Personal Data Security Terms and Conditions
The Controller declares that it has taken all appropriate technical and organizational measures to safeguard personal data.
The Controller has taken appropriate technical measures to secure data storage by means of encrypted data storage protected against unauthorized access and storage of personal data in paper form protected against unauthorized intrusion.
The Controller declares that only persons authorized by it have access to the personal data.
VIII. Final Provisions
By entering into a contractual relationship between the subject and the Controller, the subject confirms that he/she is aware of the conditions for the processing of personal data and accepts them in their entirety.
By entering into a contractual agreement between the subject and the Controller and/or by the direct provision of personal data by the subject via the Controller's website, the subject confirms that he/she has accepted the terms and conditions of the processing of personal data in their entirety.
The Controller is entitled to modify these conditions. The Controller will publish the newly issued terms and conditions for the processing of personal data on its website or, if requested by the subject, may send them to the email address provided to the Controller.
These terms and conditions for the processing of personal data are effective from 1 June 2020.