
General Data Protection Regulation (GDPR)

Date of last change to the directive: Thursday 5 April 2018


Introductory provisions

This directive sets out the principles for the protection of personal data collected.

Denis Čišič hereby undertakes to comply with the general protection of personal data valid from 25 May 2018, in accordance with the European Commission Regulation 679 / 2016, the so-called GDPR (hereinafter referred to as GDPR) and national legislation related thereto.

Moreover, Denis Čišič undertakes to take such steps to comply with the GDPR and related national regulations at all times.



Definition of the terms

Data subject - is the natural person to whom the personal data relates. This person is identified or identifiable on the basis of data (e.g. name, identification number, location data, network identifier or one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person).

Personal data - is any data used to uniquely identify a specific natural person.

Sensitive data - is a special category of personal data revealing national, racial or ethnic origin, political opinions, trade union membership, religion and philosophical beliefs, biometric and genetic information, health and sex life of the data subject.

Administrator - is the entity (natural or legal person, public authority or other entity) that determines the purposes and means of processing personal data, obtains and further processes personal data of natural persons and is responsible for the processing. It may entrust the processing to a Processor if the law so provides.

Processor - is another entity different from the Administrator, which processes personal data of natural persons for the Administrator on the basis of a pre-agreed purpose, does so on the basis of the law or on the basis of a mandate from the Administrator.

Recipient - is a natural or legal person or other entity that receives the personal data provided for a pre-agreed purpose and does not further process the data. A public authority which receives personal data in the context of its investigative powers is not considered a recipient, but its processing must comply with the applicable data protection rules according to the purpose of the processing.

Location - is the physical storage location where personal data is stored (e.g., binder, cabinet, rack).

Legal title - is the legal basis, listed in the GDPR, on the basis of which a natural or legal person, public authority or other entity records personal data.

Purpose of processing - is the justification of why the personal data is required and that it will be used only for the defined purpose.

Processing period - is the period of time for which we record specific personal data. This period is to be reasonable, unless provided for by law.

Data minimisation - is a process that results in the administrator requesting only the personal data that is necessary for the performance of his or her activities.

Restriction of processing - is the creation of a state in which personal data is inaccessible for a certain period of time and cannot otherwise be processed.

Destruction of personal data - is the irreversible destruction of personal data.



Rights and obligations

  1. Our organisation has not appointed a data protection officer.
  2. Only authorised personnel have the right to handle personal data Denis Čišič
  3. The authorised personnel are: Jan Sklenička, Gabriela Pohlotová, Jana Váchová, Denis Čišič
  4. The authorised personnel undertake to comply with the Privacy Policy, which is:
    1. Inform the data subject of his or her rights and obligations as a controller
    2. Inform the data subject of the legal title, the purpose of the processing and the duration of the processing of their personal data
    3. Request only such personal data as are necessary for the performance of their activities
    4. Record personal data only on designated documents and in designated systems
    5. Do not pass on any personal data to unauthorised persons
  5. The Company undertakes to handle personal data only in suitably secure buildings and rooms.

Suitably secured buildings and rooms are:

 • CDRmarket warehouse+offices with rooms Corridor, Office 1

  6. When leaving the room where the personal data is located, the authorized employee is obliged to secure the individual locations and the room against the intrusion of unauthorized persons.
  7. Printed documents and IT devices containing personal data that are not currently being handled must be stored in designated storage areas by authorised personnel.
    These repositories are: Archives
  8. Any IT equipment on which personal data is handled must be appropriately secured, at a minimum, with sufficient security or physical and electronic security to prevent data leakage.


Suitably secured IT devices are: SERVER-POHODA server, Binargon data storage, Ecomail data storage, Camera system with HDD.


  9. When leaving the workplace, the authorized employee is obliged to secure the IT equipment by locking the screen and then requiring a password or turning off the equipment.
  10. Denis Čišič undertakes to regularly back up the data containing personal data. Denis Čišič regularly backs up his data to the following backup devices.
  11. Denis Čišič operates the websites www.CDRmarket.cz, www.CDRmarket.sk, www.CDRmarket.hu, www.CDRmarket.eu, www.CDRmarket.pl, www.CDRmarket.ro, www.CDRmarket.it on which he undertakes to insert information about the processing of cookies, the principles of processing personal data on the website and the rights of the data subject, or to provide those places where personal data is collected with an informative obligation.
  12. Denis Čišič undertakes to provide each document and form on which he initiates the processing of personal data of natural persons with an informative addendum on the processing of personal data with reference to the full text of the Personal Data Processing Policy.
  13. Denis Čišič operates the following information systems in which it records personal data: Stormware Pohoda, MailChimp. All these information systems must be secured with access rights and suitably secured against unauthorised misuse and access.
  14. All information systems must be backed up and backups must be stored in secure locations.
  15. Each document containing personal data must have a specified legal title, purpose of processing and period of processing. Denis Čišič records personal data on the basis of the following legal titles: Performance of a contract, Legal obligation, Legitimate interest, Ex officio, Vital interest, Consent, Express consent.
  16. Denis Čišič uses the following personal data for his activities: Name, Address, Surname, Birth number, Telephone number, Tax ID number of natural person, Bank account number, Employee number, Delivery address, Email, Date of birth, CCTV footage - audio, video, photo.
  17. Denis Čišič may transfer personal data to its contractual partners (processors). These processors are Pavla Krausová, FEO digital agency s.r.o., BINARGON s.r.o. The personal data transferred in this way are defined in the scope of the records on the processing of personal data.
  18. The organisation is obliged to negotiate with these processors an addendum to the contract or a contract on the handling of the personal data transferred in the sense of personal data protection and to carry out a possible control of compliance with the principles of personal data protection by these processors.
  19. Denis Čišič may also transfer personal data to recipients. These recipients are: PPL CZ s.r.o., branch plant West Bohemia, ČESKÁ POŠTA s.p., Zásilkovna s.r.o. The personal data transmitted in this way are defined in the scope of records on the processing of personal data.
  20. Denis Čišič has chosen the following options as a secure form of transmission of personal data: transmission takes place at the organization's location, Private email, Work email, Data box, Letter, Registered letter, Cloud, Web storage.
  21. Denis Čišič undertakes to liquidate the personal data after the expiry of the processing period.
  22. Denis Čišič undertakes to carry out regular training of authorised personnel, at least once a year.
  23. Denis Čišič undertakes to carry out a data protection compliance check at least once a year, to respond to findings and threats, to optimise the processing, storage and security of personal data and to record changes.
  24. Denis Čišič undertakes to keep a record of requests for erasure, rectification and objections to processing. It also undertakes to keep a record of documents relating to reactions and responses to the processing of personal data of natural persons.
  25. Denis Čišič undertakes to keep a record of security incidents and corrective actions. In the event that a serious security incident should occur, or does occur, any employee who becomes aware of such a fact shall notify the person responsible for data protection in the organisation.
  26. If a serious security incident is detected, the organisation is obliged to report any such security incident to the supervisory authority within 72 hours of such detection.
  27. Every data subject, natural person, has the right to information about the personal data recorded about his or her person. If such a person exercises his right, this request shall be forwarded to the person responsible, who shall ensure the information obligation within 30 days at the latest. Denis Čišič will take into account the reasonableness and frequency of such requests from the same applicant. A record will be made of this fact, indicating the date of the request, the name of the applicant, the description of the solution and keeping a subsequent attachment of a copy of the reply letter to the applicant for further evidence.
  28. The data subject shall have the right to rectification of the personal data recorded concerning his or her person. If rectification is requested, such rectification shall be carried out taking into account other circumstances and possibilities. A conclusive record shall be made of this fact.
  29. The data subject has the right to have the personal data recorded which have been given by consent or explicit consent, or those for which the time limit for processing has expired, deleted, or if the organisation considers that it is no longer necessary to process them. A conclusive record will be made of this request and any erasure of personal data, indicating the date of the request, the name of the requester, a description of the solution and ensuring that the data requested is actually erased for future processing from all active systems.
  30. The data subject has the right to object to the processing of personal data. If he or she objects, Denis Čišič shall be obliged to take steps or implement measures to restrict the processing of such personal data. A conclusive record of this fact will be made with the date of the request, the name of the applicant and a description of the solution for possible control.




  1. Any contractual partner or entity in a similar legal relationship that violates this Directive will be subject to a one-off penalty of 419,19 EUR.
  2. Any contractual partner or entity in a similar legal relationship that repeatedly or in a particularly significant manner violates this directive will be subject to a fine of up to 2 095,96 EUR.
  3. Any employee who violates this directive will be subject to compensation by the employer for the damages he or she has caused the employer, up to 4.5 times the average salary for each individual case.