Data protection rules
Companies under ePurse Group in the Czech Republic, i.e. the companies Retailtrek a.s., Paynovatio a.s. and Vissto s.r.o. (hereinafter referred to individually as the Company), have, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as GDPR), adopted the following data protection rules (hereinafter referred to as rules):
- Introductory provisions
- The objective of the rules is to provide information about which personal data the Company (as administrator) processes about natural persons during their business activities, for what purpose and for how long the Company processes such data with regard to relevant legal regulations, and to inform such natural persons about their rights with regard to the processing of their personal data.
- The rules concern the processing of the personal data of visitors to the commercial area, clients (service users) of the Company, employees and applicants for employment in the Company and other natural persons cooperating with the Company, always to the extent of personal data appropriate to their status with respect to the Company.
- The rules and rights and obligations of such persons are governed by the GDPR and related legal regulations. If not stated differently, the terms used in the rules have the same meaning as the terms used in the GDPR.
- The contact details of the Company, which may be used in exercising any rights in regard to the Company and in communicating with the Company, are stated in Art. 8.1 of the rules.
- The rules are legally binding on the Company and the employees of the Company as of their effective date. The Company ensures that the Company’s employees are familiar with the rules.
- Legal basis and purpose of processing
- The Company processes personal data to the extent necessary for the purpose of their business within their area of business as stated in the company register, in particular for the purpose of communicating with the customer through digital mobile technologies and the evaluation of the customer’s behaviour (Retailtrek a.s.), the implementation of payment solutions (Paynovatio a.s.) and services in the area of data visualisation (Vissto s.r.o.), fulfilling the legal obligations of the Company, including primarily fulfilling the obligations of the employer, and protection of their legal interests.
- The personal data of such natural persons are processed based on the legal grounds stated in the GDPR, for the purpose of the performance of a contract in which such natural person is the contracting party (Art. 6(1)(f) GDPR) or based on the agreement of said natural person (Art. 6(1)(a) GDPR).
- Extent of processed data
- The Company processes personal data regarding the following categories of subjects of data:
- visitors of commercial areas (for monitoring attendance and behaviour of customers);
- their clients (service users);
- their employees and applicants for employment;
- their statutory bodies and associates;
- their commercial partners;
- other persons whose personal data were communicated to the Company and which the Company uses in connection with their business.
- The Company usually processes the aforementioned categories with regard to the specific status of the subject of data and with regard to the Company’s obligations:
- in the case of visitors of the commercial area:
operation and locating data (e.g. MAC address of the end device), video recording from commercial spaces of commercial partners of the Company, data of behaviour types of customers in commercial, basic personal data (e.g. sex and age). The aforementioned categories of personal data do not allow the Company to identify specific natural persons;
- in the case of clients (service users):
name, surname, telephone number, address of permanent residence and/or shipping address, date of birth, e-mail, bank details, Co. ID No., Tax ID No., information about services provided and other necessary identification or contact details;
- in the case of employees or applicants for employment:
name, surname and former surname, personal number, ID number, telephone number, address of permanent residence and/or shipping address, date of birth, place of birth, sex, marital status (respectively the name and surname of the spouse and name and address of their employer, name, surname and personal number of child), e-mail, bank details, education, former practice, health insurance company details, nationality, number of children (in the case of women), type of pension and other necessary identification or contact details;
- in the case of governing bodies and associates:
name and surname, telephone number, address of permanent residence and/or shipping address, date of birth, e-mail, bank details and other necessary identification or contact details;
- in the case of commercial partners:
name and surname, telephone number, address of permanent residence and/or shipping address, date of birth, e-mail, bank details, Co. ID No., Tax ID No. and other necessary identification or contact details;
- in the case of other persons:
name and surname, telephone number, address of permanent residence and/or shipping address, date of birth, e-mail, Co. ID No., Tax ID No. and other necessary identification or contact details.
- The Company may also process other personal data if necessary for the purpose of processing.
- Rights of data subjects
[Right to access personal data]
- Under the conditions of Art. 15 GDPR, the data subject has the right to access personal data, including the right to obtain from the Company confirmation as to whether or not the Company processes their personal data, and, where that is the case, the data subject has the right to gain access to such personal data and information about: (a) the purposes of processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or are to be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data are to be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any information as to their source; (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; (i) appropriate safeguards, if the personal data are transferred to a third country or an international organisation.
- If the data subject was acquainted with the information mentioned hereinabove in paragraph 4.1 through the rules or otherwise, the Company is not obliged to provide the information separately.
- The Company does not use automated decision-making or profiling.
[Right to rectification]
- Under the conditions of Art. 16 GDPR, the data subject has the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her, and the right to have incomplete personal data completed, if the purpose of their processing by the Company demands it.
[Right to erasure]
- Under the conditions of Art. 17 GDPR, the data subject has the right to obtain from the Company the erasure of personal data concerning him or her without undue delay, if (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject objects to the processing conducted for the purposes of the Company’s business and justified protection of the Company’s interests and there are no overriding legitimate grounds for the processing; or (iii) the personal data have been unlawfully processed.
- The Company shall not fulfil the request for rectification if legal obligations exist requiring the Company to store the said personal data.
[Right to restriction of processing]
- Under the conditions of Art. 18 GDPR, the data subject has the right to obtain from the Company restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; (iv) the data subject has objected to processing conducted for the purposes of the Company’s business and justified protection of the Company’s interests, pending the verification whether the legitimate grounds of the Company override those of the data subject.
[Right to lodge a complaint]
- The data subject has the right to file a complaint with the Office for Personal Data Protection (Pplk. Sochora 27, 170 00 Prague 7, e-mail: email@example.com, uoou.cz).
[Right to object]
- The data subject has the right to object to processing of personal data concerning him or her that the Company is processing for the purposes of the Company’s business or for the purposes of protection of the Company’s other justified interests. The Company shall not process such personal data if no justified reasons exist which would override the interests or fundamental rights and freedoms of the data subject, or for establishment, exercise or defence of legal claims.
[Processing which does not require identification]
- In the case of visitors of commercial areas (see Art. 3.2.1 of the rules), the Company processes solely personal data that do not allow the Company to identify a specific natural person. In this case, the Company is obliged, according to Art. 11(2) GDPR, to refuse the data subject’s exercise of his or her rights, unless the data subject provides additional information enabling his or her identification.
- Obligations of the data subject and other persons
- In the event of a change in personal data, the data subject or another person that provided his or her personal data to the Company shall inform the Company about such change without undue delay so that the personal data processed by the Company are relevant and exact.
- In the case of an employee, failure to provide personal data necessary for the Company’s business or fulfilling obligations of an employer may be viewed as a violation of an obligation of an employee as stated in, and with the consequences anticipated in, the Labour Code.
- No one may use or process personal data processed by the Company for a different purpose than for which they are being processed by the Company as stated in the rules, if not stated otherwise in legislation.
- Personal data transfer
- The Company may transfer personal data which are being processed by the Company to public administration authorities, courts or administrative authorities, as well as to companies of the ePurse Group and the Company’s legal, tax, accountancy and other advisors to the extent necessary for their business and fulfilment of their legal obligations or if it is necessary for the protection of their rights or justified interests.
- With the consent or the direction of a natural person, his or her personal data may be transferred to other subjects.
- Period and manner in which personal data is stored
- The Company stores personal data for a period necessary to fulfil the purposes of processing stated in Art. 2.1 or for a period defined by legislation. After the said period, the personal data shall be erased (eliminated) or anonymized.
- Regardless of the above, the Company may store any personal data at least for a period during which administrative, judicial or other proceedings regarding said data subject are being held, if it is necessary for the protection of justified interests of the Company, fulfilling their legal obligations or for the protection of the rights of the data subject.
- The Company processes personal data manually and automatically. Personal data are stored securely in an electronic or written format. The Company ensures appropriate security of the personal data that are being processed against unauthorized access or transfer, against their loss or destruction, as well as against other potential abuse.
- Final provisions
- Any questions regarding personal data processing by any of the ePurse Group companies, including requests to exercise the rights of the data subject, may be addressed to Retailtrek a.s., Co. ID No. 059 03 637, registered office at Krakovská 583/9, Nové Město, 110 01 Prague 1, registered in the commercial register kept at the Municipal Court of Prague under section B, file 22291, e-mail: , tel.: .
- None of the provisions of the rules imposes, or can be interpreted as imposing, any obligation over and above the obligations anticipated in the GDPR.
- If any of the provisions is invalid or ineffective, this shall not affect the validity and effectiveness of other provisions.
- The aforementioned rules are valid and effective on their effective date.