Declaration on the processing of personal data under Regulation (EC) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the instruction of data subjects (GDPR)

  1. Privacy Manager: Marelax s.r.o., IN: 05635489, based at Měšice 399, 391 56 Tábor. The company is registered in the Commercial Register maintained by the Regional Court in České Budějovice, file number C 11588, and hereby informs you, in accordance with Article 12 of the GDPR, of the processing of your personal data and of your rights.

2. Scope of processing of personal data

Personal data is processed to the extent that the data subject has provided the data controller in connection with the conclusion of a contractual or other legal relationship with the trustee or which the controller has collected otherwise and processes them in accordance with the applicable legal regulations or to fulfill the statutory obligations of the trustee.

  3. Sources of personal data
  • directly from data subjects (emails, phone, web site, contact form on the web, business cards, etc.)
  • publicly available registers, lists and records (e.g. business register, trade register, land register, etc.) for the purpose of creating accounting documents and checking the accuracy of information
  4. Categories of personal data that are being processed
  • addressing and identification data used for the unambiguous identification of the data subject (e.g. name, surname, title or birth identification number, date of birth, permanent address, ID, VAT number) and contact details of the data subject (contact address, phone number, e-mail address and other similar information)
  • descriptive data (e.g., bank account)
  • other data necessary for performance of the contract
  • data provided in excess of the applicable laws processed within the framework of the consent given by the data subject (processing of photographs, use of personal data for personnel management purposes, for the purpose of sending commercial communications or information messages, etc.)
  5. Categories of data subjects
  • client manager
  • manager employee
  • service provider
  • another person who is in a contractual relationship with the trustee
  • job applicant
  6. Categories of recipients of personal data

The administrator does not intend to transfer personal data to a third country outside the EU. The administrator has the right to authorize the processing of personal data by the processor who has concluded a processing contract with the administrator and provides sufficient guarantees of protection of your personal data. Otherwise, the data subjects will be informed of this transfer without undue delay. The categories of recipients are:

  • financial institutions
  • public institutions
  • processor
  • state, etc. in the fulfillment of the legal obligations established by the relevant legal regulations
  7. Purpose of processing of personal data
  • purposes contained within the data subject's consent
  • negotiations on a contractual relationship
  • performance of the contract
  • the rights of the controller, the recipient or other persons concerned
  • archiving under the law
  • job vacancies
  • the statutory obligations on the part of the trustee
  • protection of the vital interests of the data subject
  • the transmission of business communications or other information in the event of an administrator's legitimate interests
  8. Method of processing and protection of personal data

Processing of personal data is done by the administrator. Processing is carried out at its premises, branches and headquarters by individual authorized servants of the trustee, processor. The processing takes place in compliance with all security policies for the management and processing of personal data. To this end, the controller has adopted technical, organizational and legal measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, alteration, destruction or loss, unauthorized transmissions, unauthorized processing, and other misuse of personal data. All entities to whom personal data may be made available respect the right of privacy and data protection bodies and are required to comply with applicable data protection laws.

  9. Time of processing of personal data

In accordance with the deadlines specified in the relevant contracts and approvals, the deadlines prescribed for the use of the legitimate interests of the trustee or third party in the relevant legislation are the time necessary to secure the rights and obligations arising from both the obligation relationship and the applicable legal regulations.

  10. Lessons learned
The controller processes the data with the consent of the data subject, except in cases where the processing of personal data does not require the consent of the data subject, i.e. there is a different legal basis for the purpose of the processing. In accordance with Article 6 (1) of the GDPR, the controller may, without the consent of the data subject, process the following data:
  • processing is necessary for the performance of the contract to which the data subject is subject or for the implementation of measures taken prior to the conclusion of the contract at the request of that data subject,
  • processing is necessary to fulfill the legal obligation to which the manager is subject,
  • processing is necessary to protect the vital interests of the data subject or other natural person,
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the controller,
  • processing is necessary for the purposes of the legitimate interests of the relevant controller or third party, except in cases where the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail over those interests.
  11. Rights of data subjects

A. In accordance with Article 12 of the GDPR, the controller shall, at the request of the data subject, inform the data subject of the right of access to personal data and the following information:

    • the purpose of processing,
    • the category of personal data concerned,
    • the recipients or categories of recipients whose personal data have been or will be made available,
    • the planned time for which personal data will be stored,
    • all available information about the personal data source, if they are not obtained from the data subject,
    • the fact that automated decision making, including profiling, occurs.

The Administrator has the right to provide information with reasonable assurance that the information necessary for the provision of the information is reasonable and the second and every subsequent copy within the administrative costs associated with this information.

B. Any data subject who discovers or considers that the controller or processor carries out the processing of his or her personal data contrary to the protection of the privacy of the data subject, or in contravention of the law, in particular if personal data are inaccurate with respect to the purpose of their processing, may:

    • Ask the administrator for an explanation.
    • Require the administrator to remove the resulting state. In particular, it may be blocking, repairing, adding or deleting personal information.
    • If the data subject's request under paragraph A is found to be justified, the controller shall immediately remove the malfunction.
    • If the data controller does not satisfy the data subject's request under paragraph A, the data subject has the right to contact the Supervisory Authority, i.e. the Personal Data Protection Authority.
    • The procedure under paragraph A does not exclude the data subject from turning to the supervisory authority directly.

C. The data subject has the right to withdraw consent to the processing of personal data previously granted by the personal data administrator.

D. The rights of data subjects are therefore: to exercise the right to repair, to delete, to forfeit, to limit processing. Furthermore, the data subject has the right to data portability where this is technically or organizationally feasible.