General Data Protection Regulation (GDPR)

Date of last amendment to the Directive: Thursday 5 April 2018

I.

Introductory provisions

This Directive sets out the principles for the protection of personal data collected.

Denis Čišič hereby undertakes to comply with the general data protection rules applicable as of 25 May 2018, in accordance with European Commission Regulation 679/2016, the so-called GDPR (hereinafter referred to as GDPR), and the national legislation related thereto.

Furthermore, Denis Čišič undertakes to take the steps necessary to comply with the GDPR and the national legislation related thereto at all times.

 

II.

Definition of terms

Data subject - is the natural person to whom the personal data relates. That person is identified or identifiable by reference to data (e.g. name, identification number, location data, network identifier) or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data - is any data used to uniquely identify a specific natural person.

Sensitive data - is a special category of personal data revealing national, racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, biometric and genetic information, health and sex life of the data subject.

Controller - is the entity (natural or legal person, public authority or other body) which determines the purposes and means of processing personal data, obtains and further processes personal data of natural persons and is responsible for the processing. It may entrust the processing to a Processor if the law so provides.

Processor - is another entity, different from the Controller, which processes personal data of natural persons for the Controller on the basis of a pre-agreed purpose, does so on the basis of the law or on the basis of a mandate from the Controller.

Recipient - is a natural or legal person or other entity that receives the personal data provided for a pre-agreed purpose, and does not further process the data. A public authority which receives personal data in the context of its investigative powers is not considered a recipient, but its processing practices must comply with the applicable data protection rules according to the purpose of the processing.

Location - is the physical storage location where the personal data is stored (e.g. filing cabinet, cupboard, rack).

Legal title - is the legal basis, listed in the GDPR, on which a natural or legal person, public authority or other body records personal data.

Purpose of processing - is the justification for why the personal data is required and that it will be used for the purpose so defined and only for that purpose.

Period of processing - is the period of time for which we record specific personal data; this period is to be reasonable unless specified by law.

Data minimisation - is the process that leads the controller to request only the personal data that is necessary for the performance of its activities.

Restriction of processing - is the creation of a situation in which personal data is inaccessible for a certain period of time and cannot otherwise be processed.

Destruction of personal data - is the irretrievable destruction of personal data.

 

III.

Rights and obligations

  1. Our organisation has not appointed a data protection officer.
  2. Only authorized employees of Denis Čišič have the right to work with personal data.
  3. The authorized personnel are: Jan Sklenička, Gabriela Pohlotová, Petra Škutová, Denis Čišič
  4. The authorised personnel undertake to comply with the data protection principles, which are:
    1. Inform the data subject of his/her rights and obligations as a data controller
    2. Inform the data subject of the legal title, the purpose of the processing and the duration of the processing of his/her personal data
    3. Request only such personal data as are necessary for the performance of their activities
    4. Record personal data only on specified documents and in specified systems
    5. Not to transmit any personal data to unauthorised persons
  5. The Company undertakes to handle personal data only in suitably secure buildings and rooms.

Suitably secure buildings and rooms are:

CDRmarket warehouse+offices with rooms Corridor, Office 1

  6. When leaving a room where personal data is located, the authorised employee must secure the individual locations and the room against unauthorised entry.
  7. Printed documents and IT equipment containing personal data that are not currently being handled must be stored in designated storage areas by authorised personnel.
    These storage areas are: Archives
  8. Any IT equipment on which personal data is handled must be appropriately secured, at a minimum, with sufficient security or physical and electronic security to prevent data leakage.


Suitably secured IT devices are: SERVER-POHODA server, Binargon data storage, Ecomail data storage, Camera system data storage with HDD.

 

  9. When leaving the workplace, the authorized employee is obliged to secure the IT device by locking the screen with subsequent request for a password, or by turning off the device.
  10. Denis Čišič undertakes to regularly back up the data with personal data. Denis Čišič regularly backs up data to the following backup devices.
  11. Denis Čišič operates the websites www.CDRmarket.cz, www.CDRmarket.sk, www.CDRmarket.hu, www.CDRmarket.eu, www.CDRmarket.pl, www.CDRmarket.ro, www.CDRmarket.it, www.CDRmarket.bg on which he undertakes to insert information about the processing of cookies, the principles of processing personal data on the website and the rights of the data subject, or to provide those places where personal data are collected with an informative obligation.
  12. Denis Čišič undertakes to provide each document and form on which he initiates the processing of personal data of natural persons with an informative addendum on the processing of personal data with reference to the full text of the Personal Data Processing Policy.
  13. Denis Čišič operates the following information systems in which it records personal data: Stormware Pohoda, MailChimp. All these information systems must be secured with access rights and suitably secured against unauthorised misuse and access.
  14. All information systems must be backed up and backups must be stored in secure locations.
  15. Each document containing personal data must have a specified legal title, purpose of processing and period of processing. Denis Čišič records personal data on the basis of the following legal titles: Performance of a contract, Legal obligation, Legitimate interest, Ex officio, Vital interest, Consent, Express consent.
  16. Denis Čišič works with the following personal data for his activity: Name, Address, Surname, Birth number, Telephone number, Tax ID number of natural person, Bank account number, Employee number, Delivery address, Email, Date of birth, CCTV footage - audio, video, photo.
  17. Denis Čišič may transfer personal data to his contractual partners (processors). These processors are: Pavla Krausová, FEO digital agency s.r.o., BINARGON s.r.o. The personal data transmitted in this way are defined in the scope of the personal data processing records.
  18. The organisation is obliged to negotiate with these processors an addendum to the contract or a contract on the handling of the personal data transferred in the sense of personal data protection and to carry out a possible control of compliance with the principles of personal data protection by these processors.
  19. Denis Čišič may also transfer personal data to recipients. These recipients are: PPL CZ s.r.o., branch plant West Bohemia, ČESKÁ POŠTA s.p., Zásilkovna s.r.o. The personal data transmitted in this way are defined in the scope of the personal data processing records.
  20. Denis Čišič has chosen the following options as a secure form of transmission of personal data.
  21. Denis Čišič undertakes to carry out the destruction of personal data after the expiry of the processing period.
  22. Denis Čišič undertakes to carry out regular training of authorised personnel, at least once a year.
  23. Denis Čišič undertakes to carry out a data protection compliance check at least once a year, to respond to findings and threats, to optimise the processing, storage and security of personal data and to record changes.
  24. Denis Čišič undertakes to keep records of requests for erasure, rectification and objections to processing. He also undertakes to keep a record of documents relating to reactions and responses to the processing of personal data of natural persons.
  25. Denis Čišič undertakes to keep a record of security incidents and corrective measures. In the event that a serious security incident should occur or does occur, any employee who becomes aware of such a fact shall inform the person responsible for the protection of personal data in the organisation.
  26. The organisation shall, in the event of the discovery of a serious security incident, report any such security incident to the supervisory authority within 72 hours of such discovery.
  27. Every data subject, natural person, has the right to information about the personal data recorded concerning his or her person. If such a person exercises his right, this request shall be forwarded to the responsible person, who shall ensure the information obligation within 30 days at the latest. Denis Čišič will take into account the reasonableness and frequency of such requests from the same applicant. A record will be made of this fact, indicating the date of the request, the name of the applicant, the description of the solution and keeping a subsequent attachment of a copy of the reply letter to the applicant for further evidence.
  28. The data subject shall have the right to rectification of the personal data recorded concerning him or her. If a request for rectification is made, such rectification shall be made taking into account other circumstances and possibilities. A conclusive record shall be made of this fact.
  29. The data subject shall have the right to erasure of personal data recorded which have been given by consent or explicit consent, or those for which the period for processing has expired, or where the organisation considers that there is no longer a need to process them. A conclusive record will be made of this request and any erasure of personal data, indicating the date of the request, the name of the requester, a description of the solution and ensuring that the data requested is actually erased for future processing from all active systems.
  30. The data subject has the right to object to the processing of personal data. If he or she objects, Denis Čišič shall implement the measures or implement measures to restrict the processing of such personal data. A conclusive record of this fact will be made with the date of the request, the name of the applicant and a description of the solution for possible control.

 

IV.

Sanctions

 

  1. Any contractual partner or entity in a similar legal relationship who infringes this Directive shall be subject to a one-off penalty of 397,98 EUR.
  2. Any contractual partner or entity in a similar legal relationship that repeatedly or in a particularly significant manner breaches this Directive shall be liable to a fine of up to 1 989,95 EUR.
  3. Any employee who violates this Directive shall be subject to compensation by the employer for the damage caused to the employer in each individual case up to 4.5 times the average salary.