GDPR

Personal Data Processing Policy at the State Investment and Development Company, a.s.

The State Investment and Development Company, a.s. (hereinafter referred to as "SIRS"), ID No. 21 33 38 58, Na Poříčí 1046/24, Nové Město, 110 00 Prague 1, strives to comply with all applicable laws and regulations regarding the protection of personal data.

This document outlines the fundamental policy of SIRS regarding the processing of personal data in accordance with the General Data Protection Regulation (GDPR) and describes the basic principles according to which SIRS processes the personal data of business partners, employees, and other individuals (hereinafter referred to as the "data subject").

1. Introduction

1.1. For the purposes of personal data processing, SIRS acts as a controller, determining the purposes and means of processing. As a controller, SIRS processes the personal data of data subjects in the course of its main activities, which primarily include business activities conducted in line with the purpose of establishing SIRS, as well as marketing and promotional activities for the public. To ensure its operations, SIRS processes the personal data of business partners within contractual relationships and accounting, as well as the personal data of employees in relation to their employment.

1.2. SIRS processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR").

1.3. Depending on the purpose of processing, the data subject lawfully provides SIRS with their personal data:

a) To fulfill a legal obligation of SIRS

b) For the purposes of the legitimate interests of SIRS

c) To fulfill the contract between the data subject and SIRS

d) With the consent of the data subject for processing their personal data.

1.4. Consent to process personal data is granted by the data subject when another legal basis for processing cannot be used, particularly when it involves the subject's privacy. SIRS accepts the subject’s consent as a free, specific, informed, and unambiguous expression of will, in which the data subject provides consent by declaration or clear confirmation to process their personal data. The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the legality of previous personal data processing based on the previously granted consent. The data subject will be informed of this before granting consent. Withdrawing consent must be as easy as granting it.

1.5. The failure to provide consent or its withdrawal does not affect the contractual relationship with SIRS or the use of SIRS products and services for which consent is not required.

2. Purpose of Processing Personal Data

2.1. The personal data of data subjects must be collected only for specific, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. The data subject is transparently informed about the purpose of processing.

2.2. SIRS processes the personal data of subjects within its main activities, within established contractual relationships, and in the management of personnel and payroll records, including processing operations to fulfill legal obligations, manage accounting, maintain operational records, and ensure compliance, storage, control, and audit.

3. Categories of Personal Data Processed

3.1. SIRS collects, processes, and stores the following categories of personal data of data subjects:

- **Address and identification data**: such as name, surname, title, date of birth, social security number, residence, telephone number, email, contact address.

- **Descriptive personal data**: such as data relating to membership or provided services, contractual relationship, transactional data.

- **Other data**: such as photographs and CCTV recordings.

4. Method of Processing and Storing Personal Data and Retention Period

4.1. SIRS processes personal data manually or automatically and securely stores it in both paper and electronic form. Depending on the purpose of processing, personal data is maintained in business partner records, accounting records, and personal files.

4.2. SIRS does not apply automated decision-making using solely automatic means (software applications, algorithms, etc.).

4.3. SIRS retains documents containing personal data for the necessary period to fulfill all rights and obligations arising from the contract or employment relationship, as well as for the period required by applicable legal regulations. These periods are determined by the internal retention plan. The data subject is transparently informed about the retention period of their personal data based on the purpose of processing.

5. Transfer of Personal Data

5.1. SIRS may transfer the data subject's personal data to third parties only on a legal basis, particularly to fulfill obligations arising from legal regulations. The data subject is transparently informed about individual recipients of their personal data.

5.2. With the data subject’s consent, or if no objection is raised after being notified of SIRS's legitimate interest, their personal data may also be transferred to other entities.

5.3. In specific cases, SIRS may engage a processor to handle data processing, provided the processor offers sufficient guarantees, particularly regarding expertise, reliability, and data security. The processor's data handling is governed by a contract, binding them to SIRS with specific tasks and obligations concerning data processing. The data subject is informed of the transfer of their personal data to the processor within the scope of the given purpose.

6. Rights of the Data Subject

6.1. At the request of the data subject, SIRS provides all legally required information about the processing of their data, in a concise, comprehensible, and accessible manner, using clear and simple language.

6.2. When personal data is collected directly from the data subject, SIRS provides the following information at the time of collection:

  • The identity and contact details of SIRS and its representative (if applicable)
  • The purposes of the data processing and the legal basis for it
  • SIRS's legitimate interests (if processing is based on this legal ground)
  • The possible recipients of personal data, including any processors
  • SIRS's intent to transfer personal data to third countries or international organizations, along with appropriate safeguards
  • The retention period of personal data or the criteria used to determine this period
  • The existence of the right to request access, correction, or deletion of personal data, to restrict processing, to object to processing, and to data portability
  • If processing is based on consent, the right to withdraw consent at any time without affecting the legality of the prior processing
  • The right to file a complaint with a supervisory authority
  • Whether providing personal data is a legal or contractual requirement or a necessary condition for entering into a future contract, and the consequences of not providing personal data
  • Whether automated decision-making, including profiling, is being used and, if so, the logic involved and the potential consequences for the data subject.

6.3. If SIRS intends to process personal data for a purpose other than the one for which it was collected, it will provide the data subject with information about this new purpose before further processing.

6.4. SIRS is not required to provide information if the data subject already has the relevant information.

6.5. If SIRS processes personal data necessary to fulfill its legal obligations, it may provide the information by making it available remotely.

6.6. If personal data has not been obtained from the data subject, SIRS will provide the same information as well as:

  • The categories of personal data concerned
  • The source of the personal data and whether it comes from publicly available sources.

6.7. SIRS will not apply its information obligation when the acquisition or disclosure of personal data is explicitly stipulated by legal regulations that apply to SIRS, provided those regulations contain appropriate measures to protect the legitimate interests of the data subject.

6.8. A data subject who discovers or believes that SIRS, as the controller or any other person processing personal data for SIRS, is processing personal data in violation of GDPR, may request an explanation or demand that SIRS or the processor remedy the situation. If SIRS or the processor does not comply, the data subject may contact the Office for Personal Data Protection, without prejudice to their right to appeal directly to the supervisory authority.

6.9. The data subject has the following additional rights:

  • To obtain information about the processing of their personal data if the legal conditions are met
  • To access their personal data and receive confirmation as to whether SIRS processes personal data concerning them, along with additional legally required information
  • To correct inaccurate personal data or complete incomplete personal data
  • To have personal data erased if legal conditions are met, such as if personal data is no longer necessary for the purposes for which it was collected
  • To restrict the processing of personal data if the legal conditions are met
  • To receive personal data in a structured, commonly used, machine-readable format (data portability)
  • To object at any time, on grounds relating to their particular situation, to the processing of their personal data
  • To not be subject to automated individual decision-making, including profiling, unless they have given consent, except in cases where automated processing is mandated by law
  • To file a complaint with a supervisory authority.

6.10. SIRS may require the data subject to provide personal identification when submitting a request to exercise any of the above rights. Requests can be submitted in person, with identification at the SIRS office, in writing with a verified signature, or electronically with a certificate.

6.11. SIRS is entitled to charge a reasonable fee for providing information about the processed personal data if the data subject's requests are manifestly unfounded or excessive, especially if they are repetitive. In such cases, SIRS may also refuse to comply with the request.

7. Final Provisions

7.1. The data subject can obtain all information regarding the processing of their personal data in person at the SIRS office, electronically via a data box (hdsw5ez), or by email at info@sirsdevelopment.cz.

Prague, October 3, 2024