Privacy Policy

Privacy Policy
(GDPR)

This privacy policy has been prepared based on the official Czech version. In the event of any discrepancies or differences in interpretation between this translation and the original Czech version, the Czech version shall prevail.

I. Introduction

This statement has been prepared and published to provide information about the practices and commitments of our company regarding the application of GDPR requirements.

In the text below, the following abbreviations are used:

• PD = personal data, i.e., all information leading to the identification of a specific person

• PD Owner – the data subject who owns the personal data held and processed by our company

• Controller – our company, which records, processes, stores, and protects your personal data

• Processor – a company we have contracted to process your personal data. This ensures that the handling, processing, and protection of your data complies with the requirements of the GDPR and that your rights are not restricted.

II. Personal Data Controller

Company: Stavounie-CZ, s.r.o., Company ID: 46961691, registered in the Commercial Register maintained by the Regional Court in Brno, file number C 6365.
Contact address for matters concerning personal data protection:
E-mail: info@stavounie.cz
Phone: +420 546 441 289

(Hereinafter referred to as the “Controller”) hereby informs you, in accordance with Article 12 of the GDPR, about the processing of your personal data and your rights.

III. Scope of Personal Data Processing

Personal data are processed to the extent that the data subject has provided them to the Controller, in connection with and based on a free decision at the time of establishing a relationship or registration, as well as within a contractual or other legal relationship with the Controller, or as otherwise collected by the Controller and processed in accordance with applicable legal regulations or to fulfill the Controller’s legal obligations.

IV. Sources of Personal Data

We obtain personal data from the data subjects themselves (e.g., business communication, purchases, delivery of goods and services, contact form on the website, phone communication, business cards, etc.)

Another source of personal data includes information necessarily provided by job applicants and employees. If personal data are obtained from publicly available sources, they are used solely for the purposes of initiating or conducting business relationships or in accordance with the data subject’s consent.

V. Categories of Personal Data Processed

• Identification data for clear and unambiguous identification of the data subject (e.g., name and surname, date of birth, personal ID number, permanent address, etc.)

• Descriptive data (e.g., bank account details)

• Data necessary for fulfilling a contract (e.g., email, phone number, workplace address, position), and others

• Data provided beyond statutory requirements, processed based on the data subject’s consent

VI. Categories of Data Subjects

• These include, in particular:

  • Customers

  • Customers of our customers

  • Employees and persons working under agreements outside employment and job applicants

  • Personal data owners of suppliers and partners providing services necessary for the operation of our company

  • Other persons in a contractual relationship with the Controller

VII. Categories of Personal Data Recipients

• State and other authorities in fulfilling legal obligations as stipulated by applicable legal regulations

• Financial institutions and public administration bodies

• Data processors based on contractual agreements

• Third parties and organizations based on the data subject’s consent

• Our company as the data controller

VIII. Purpose of Personal Data Processing

• Purposes stated in the data subject’s consent

• Negotiation of contractual relationships

• Fulfillment of a contract

• Protection of rights of the Controller, recipient, or other affected parties

• Archiving based on legal requirements

• Recruitment procedures for open positions

• Fulfillment of legal obligations by the Controller

• Protection of vital interests of the data subject or other individuals

IX. Method of Personal Data Processing and Protection

The processing of personal data is carried out by the Controller or by a Processor under a contractual agreement with the Controller that ensures full responsibility for data processing and protection of the data subject’s rights.

Processing is carried out at the Controller’s registered office and operating sites, or those of the Processor. It is conducted using IT systems or manually for physical records, always with adherence to all security principles for data handling and processing. The Controller has implemented technical and organizational measures to ensure the protection of personal data, especially measures against unauthorized or accidental access, alteration, destruction or loss, unauthorized use or transmission, or any other misuse. All entities that may have access to the data are obliged to respect the data subject’s right to privacy and to act in accordance with applicable data protection legislation.

X. Data Retention Period

In accordance with the periods specified in relevant contracts, the Controller’s filing and retention schedule, or applicable legal regulations, personal data are retained only for the time necessary to ensure the rights and obligations arising from contractual relationships, legitimate interests of the Processor, and applicable legislation.

XI. Legal Basis

The Controller processes personal data with the consent of the data subject, except in cases specified by law where processing does not require such consent.

In accordance with Article 6(1) of the GDPR, the Controller may process personal data without consent if:

• Processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the data subject’s request prior to entering into a contract

• Processing is necessary to comply with a legal obligation applicable to the Controller

• Processing is necessary to protect the vital interests of the data subject or another individual

• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller

• Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data

In all other cases, the processing of personal data requires the data subject’s consent, given under the conditions set out in the GDPR.

XII. Rights of the Data Subject

In accordance with Article 12 of the GDPR, the Controller shall, upon request, inform the data subject of the right to access their personal data and to the following information:

• The purpose of data processing

• The categories of personal data concerned

• The recipients or categories of recipients to whom the data have been or will be disclosed

• The intended period for which the data will be stored

• All available information about the source of the data

• Whether automated decision-making, including profiling, takes place

The data subject may:

• Request an explanation from the Controller either in person or via email at info@stavounie.cz

• Request that the Controller remedy the situation, in particular by blocking, correcting, supplementing, or deleting (forgetting) the personal data

• If the request is found to be justified, the Controller shall immediately correct the situation

• If the Controller does not comply with the request, the data subject has the right to contact the supervisory authority directly – the Office for Personal Data Protection (ÚOOÚ)

• This procedure does not preclude the data subject from addressing the supervisory authority directly at any time

• The Controller has the right to request a reasonable fee for providing information, not exceeding the necessary costs of its provision