Internal directive of QUIX EVENT, s.r.o. on personal data protection

Employer: QUIX EVENT, s.r.o., with registered office at Zelený pruh 1560/99, Braník, 140 00 Prague 4, ID no. 02723832, a company registered in the Commercial Register kept by the Municipal Court in Prague, Section C, Insert 221305.

I. Purpose of the directive

1. The purpose of this directive, as one of the organizational measures pursuant to Article 32 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "GDPR"), is to establish rules for the processing of personal data by the employer and principles of data protection applied to all information concerning an identified or identifiable data subject.

2. This directive also regulates the procedures in case of a breach of personal data security within the meaning of Articles 33 and 34 of the GDPR.

II. Definition of terms

1. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2. Personal data - Any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3. Supervisory authority - The Office for Personal Data Protection, unless otherwise provided by law.

4. Employer - QUIX EVENT, s.r.o.

5. Data subject - Any natural person, including self-employed persons.

6. Controller - The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

7. Processor - The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

8. Authorized person - Any person, including a legal entity, who performs activities for the employer that involve the processing of personal data of data subjects, including employees of the employer and, where applicable, members of its bodies.

9. Designated person - A person designated by the employer to perform specific activities related to the processing of personal data, in particular incident prevention, securing the processing of personal data, handling complaints and requests, managing systems, and other activities.

III. Principles of Personal Data Processing

1. This directive applies to any authorized person when fulfilling their obligations.

2. Personal data may be processed and stored provided that:

 • the processing is necessary for the fulfillment of a legal obligation that applies to the controller;

 • the processing is necessary for the performance of a contract whose contracting party is the data subject, or for the implementation of measures taken before the conclusion of the contract at the request of the data subject;

 • the processing is necessary to protect the vital interests of the data subject or another natural person;

 • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

 • the data subject has given consent to the processing.

3. Any processing of personal data must be carried out in a lawful, fair, and transparent manner.

4. Personal data may only be collected for specific, explicit, and legitimate purposes and may not be further processed in a manner that is incompatible with these purposes.

5. Personal data must only be processed in a way that is adequate and limited to the extent necessary in relation to the purposes for which it is processed.

6. Personal data must be accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or corrected without delay.

7. Personal data may be stored in a form that allows identification of the data subject only for the necessary period of time for the purposes for which they are processed.

8. When processing personal data, appropriate technical and organizational measures must always be taken to ensure the security of personal data and to prevent unauthorized or unlawful processing, loss, destruction, or damage of personal data.

9. Every authorized person must be informed of this directive and, to demonstrate that they have understood it properly and have no further questions, must sign the signature sheet.

10. The employer keeps a record of the processing of personal data activities.

11. The employer checks the accuracy, completeness, and timeliness of personal data concerning clients, suppliers, and employees, always within a reasonable time, depending on the nature of the personal data concerned.

12. Regarding the personal data of employees, the employer will process personal data for the duration of the employment contract or for the period necessary to fulfill the employer's archival obligations according to applicable legal regulations, in particular Act No. 563/1991 Coll., on Accounting, Act No. 235/2004 Coll., on Value Added Tax, Act No. 582/1991 Coll., on the Organization and Implementation of Social Security, Act No. 499/2004 Coll., on Archives and Records Management, and the Labour Code, Act No. 262/2006 Coll.

13. As for personal data processed based on the cooperation of the employer with suppliers or clients, personal data will be processed for the period necessary to settle all relations between the employer and suppliers or clients, and possibly for a longer period if necessary to protect the employer's legitimate interests arising from the relevant contracts, unless otherwise agreed between the employer and the parties concerned in the interest of personal data protection.

14. When using personal data in the course of performing work tasks, employees are obliged to behave in such a way as to prevent a breach of security that could lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the transmitted, stored, or otherwise processed personal data.

15. Each employee who processes data and personal information is responsible for protecting the data and personal information. Direct superiors of these employees are also responsible for their protection. They are required to perform control activities and verify whether personal data is handled in accordance with the GDPR and this directive.

16. The employer processes personal data in both electronic and paper form.

17. The employer will provide regular training to authorized persons on the principles of complying with personal data protection under the GDPR every 18 months.

IV. Obligations of authorized persons

1. The authorized person is obliged to process personal data in relation to the data subject correctly and in a lawful manner. The authorized person may not disclose the obtained information to any other third party without the employer's instruction, whether in the Czech Republic or abroad, i.e. they have an obligation of confidentiality.

2. When obtaining personal data from the data subject or another person, the authorized person is obliged to inform the designated person appointed by the employer, who fulfills the obligations of the controller or processor towards the data subject, unless otherwise stated in this directive.

3. Each authorized person may process personal data only for the purpose specified by the employer and only with the means specified by the employer.

4. The authorized person is authorized to process personal data only in accordance with the employer's instructions. The authorized person may process only the personal data necessary to fulfill their obligations towards the employer. For this purpose, the employer establishes exclusive access to the necessary records of personal data for authorized persons.

5. If the authorized person discovers that the personal data of any data subject are inaccurate, incomplete or outdated, they shall report it to the designated person.

6. If the authorized person discovers that personal data are being processed for longer than necessary for the purposes for which they are processed, they shall report it to the designated person.

7. The authorized person working with personal data in paper form is obliged to ensure that they are always secured before leaving the workplace, so that no unauthorized person has access to them.

8. The authorized person working with personal data in electronic form on a computer must ensure that access to them is always protected by a password in their absence, and that password must not be disclosed to any third party. The access password must be changed at regular intervals, at least once every 6 months.

V. Rights of data subjects

1. Each data subject is entitled to exercise their rights regarding the protection of their personal data with the controller of their personal data. The controller is obliged to allow the data subject to exercise these rights. The following rights are involved:

• right of access to personal data;

• right to rectification of personal data;

• right to erasure of personal data;

• right to restriction of processing of personal data;

• right to object to processing;

• right to data portability;

• right not to be subject to automated decision-making, including profiling;

• optionally, the right to withdraw consent to the processing of personal data.

2. An authorized person who receives a request or complaint from a natural person in any form (in writing, by phone, in person) relating to or possibly relating to the protection of personal data, particularly requests within the meaning of Articles 15-22 of the GDPR, shall notify the designated person of this fact.

3. The designated person handles requests from data subjects in accordance with the employer's general guidelines, but always in such a way that the data subject's request is met without undue delay, at the latest within 1 month of its receipt, that the data subject is given all information needed to process the request, and that, if the request is not granted, the reasons for this decision are communicated to the data subject.

4. The designated person is obliged to verify the identity of the data subject requesting the data before responding to the request, always in a reasonable way that ensures sufficient identification of the data subject with regard to the form of submission, the communication tool used and the content of the data subject's request.

5. In the case of a data subject's request for access to personal data, the relevant designated person shall provide the data subject with at least the information as to whether the personal data concerning the data subject is or is not being processed and shall provide him/her with the information notice under the GDPR.

6. The information under this article shall be provided by the company to the data subject in the same form in which the data subject requested the information.

VI. Reporting of personal data security breaches to the supervisory authority

1. A breach of personal data security is a breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed personal data. This may include theft or destruction of written information, theft or destruction of electronic media including PCs, or a hacker attack.

2. Any authorized person who discovers a breach of personal data security is obliged to inform the designated person immediately.

3. The employer, through its representative, must report any breach of personal data security to the supervisory authority without undue delay after becoming aware of it, unless it is unlikely that the breach would result in a risk to the rights and freedoms of natural persons.

4. Reporting to the supervisory authority under this article must contain at least:

• a description of the nature of the breach of personal data security, including, where possible, categories and approximate numbers of affected data subjects and categories and approximate quantities of affected personal data records;

• a description of the likely consequences of the breach of personal data security;

• a description of the measures taken or proposed by the employer to address the breach of personal data security, including any measures to mitigate potential adverse effects. If it is not possible to provide all of this information at once, it may be provided gradually without undue delay.

5. If it is likely that a particular breach of personal data security will result in a high risk to the rights and freedoms of individuals, the employer shall notify the data subject of the breach without undue delay.

6. The employer, through an authorized person, documents all cases of personal data security breaches, indicating the facts relating to the breach, its effects, and corrective measures taken.

VII. Compliance Monitoring

1. The employer is responsible for monitoring compliance with this directive and with the generally binding legal regulations related to the GDPR.

2. The employer's representative serves as the contact person for authorized persons in matters of security and personal data protection. In case of any doubt about the interpretation of this directive or the scope and content of legal obligations, the employer's representative provides a binding interpretation that authorized persons are obliged to follow.

VIII. Final provisions

1. This directive is an integral part of the comprehensive system of the employer's internal regulations.

2. This directive was approved on February 6th, 2019 and becomes effective on the same day.