Personal Data Protection Principles
Internal directive of QUIX EVENT, s.r.o. on personal data protection
Employer: QUIX EVENT, s.r.o.
registered office at Zelený pruh 1560/99, Braník, 140 00 Prague 4
ID No.: 02723832
company registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 221305
I. Purpose of the Directive
- The purpose of this directive, as one of the organizational measures within the meaning of Art. 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter also “GDPR”), is to establish rules for the processing of personal data by the employer and principles of protection of such data applied to all information regarding an identified or identifiable data subject.
- This directive further regulates procedures in the event of a personal data security breach within the meaning of Articles 33 and 34 of the GDPR.
II. Definitions of Terms
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Personal data – Any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Supervisory Authority – The Office for Personal Data Protection, unless a legal regulation provides otherwise.
- Employer – the company QUIX EVENT, s.r.o.
- Data Subject – Every natural person, including self-employed persons.
- Controller – The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor – The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Authorized Person – Any person, including a legal person, who performs an activity for the employer in the course of which they come into contact with the personal data of data subjects; this includes employees of the employer and members of its bodies.
- Designated Person – An authorized person designated by the employer for specific activities related to the processing of personal data, in particular the prevention of incidents, the security of personal data processing, the handling of complaints and requests, system administration, and other activities. Every authorized person shall be informed of who holds the position of designated person at the employer; if no designated person is specifically identified, the designated person is the managing director of the employer.
- Employee – A natural person in an employment or other similar relationship with the employer.
- Client/Customer (hereinafter referred to as “Client”) – A person in a legal relationship with the employer, towards whom the employer is in the position of a supplier.
- Supplier – A person in a legal relationship with the employer, towards whom the employer is in the position of a customer.
- Processing of Personal Data – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
III. Principles of Personal Data Processing
- This directive applies to every authorized person in the performance of their duties.
- Personal data may be processed and stored provided that:
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the data subject has given consent to the processing.
- Any processing of personal data must be carried out in a lawful, fair, and transparent manner.
- Personal data may be collected only for specified, explicit, and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes.
- Personal data must be processed only to the extent adequate for, and limited to what is necessary in relation to, the purpose of the processing.
- Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- When processing personal data, appropriate security of the personal data must always be ensured using technical and organizational measures to prevent unauthorized or unlawful processing, loss, destruction, or damage to personal data.
- Every authorized person must be acquainted with this directive and, as proof that they have properly understood it and have no further questions regarding it, shall attach their signature to the signature sheet.
- The employer maintains a record of personal data processing activities.
- The employer carries out checks on the accuracy, completeness, and up-to-dateness of personal data of clients, suppliers, and employees, always within a reasonable time depending on the nature of the given personal data.
- Regarding the personal data of employees, the employer shall process personal data for the duration of the employment contract, or for the period necessary to fulfill the employer’s archiving obligations according to applicable legal regulations, in particular Act No. 563/1991 Coll., on Accounting, Act No. 235/2004 Coll., on Value Added Tax, Act No. 582/1991 Coll., on the Organization and Implementation of Social Security, Act No. 499/2004 Coll., on Archiving and File Service, and Act No. 262/2006 Coll., the Labor Code.
- Regarding personal data processed on the basis of the employer’s cooperation with suppliers or clients, personal data shall be processed for the period necessary to settle all relationships of the employer with suppliers or clients and possibly for a longer period if necessary to protect the legitimate interests of the employer arising from the relevant contracts, unless otherwise agreed between the employer and the said parties in the interest of personal data protection.
- When using personal data within the scope of fulfilling work tasks, employees are obliged to behave in such a way as to avoid a security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Every employee who processes personal data is responsible for protecting it, as is their direct supervisor. The supervisor is obliged to carry out control activities and verify that personal data are handled in accordance with the GDPR and this directive.
- The employer processes personal data in both electronic and paper form.
- The employer shall ensure regular training of authorized persons on the principles of compliance with personal data protection within the meaning of GDPR every 18 months.
IV. Obligations of the Authorized Person
- The authorized person is obliged to process personal data in relation to the data subject fairly and lawfully. The authorized person must not pass on the information obtained to any third party, whether in the Czech Republic or abroad, without instruction from the employer; that is, they are bound by a duty of confidentiality.
- Upon obtaining personal data from a data subject or another person, the authorized person is obliged to inform the designated person, who fulfills the duties of the controller or processor on behalf of the employer towards the data subject, unless stated otherwise in this directive.
- Each authorized person may process personal data only for the purpose determined by the employer, and only by means determined by the employer.
- The authorized person is entitled to process personal data only in accordance with the employer’s instructions. The authorized person may process only personal data necessary for the fulfillment of their duties towards the employer. For this purpose, the employer grants authorized persons access exclusively to necessary personal data records.
- If an authorized person finds that the personal data of any data subject are inaccurate, incomplete, or outdated, they shall report this to the designated person.
- If an authorized person finds that personal data are being processed longer than is necessary for the purposes for which they are processed, they shall report this to the designated person.
- An authorized person working with personal data in paper form is obliged to always secure them before leaving the workplace so that no unauthorized person has access to them.
- An authorized person working with personal data in electronic form on a computer must always ensure that, during their absence, the data can be accessed only after entering an access password, which they must not disclose to a third party. The access password must be changed at regular intervals, at least once every 6 months.
V. Rights of Data Subjects
- Each data subject is entitled to exercise their rights regarding the protection of their personal data with the controller of their personal data. The controller is obliged to enable the exercise of these rights by the data subject. These are the following rights:
- the right of access to personal data;
- the right to rectification of personal data;
- the right to erasure of personal data;
- the right to restriction of processing of personal data;
- the right to object to processing;
- the right to data portability;
- the right not to be subject to automated decision-making, including profiling;
- and, where applicable, the right to withdraw consent to the processing of personal data.
- An authorized person who has received a request or complaint from a natural person in any form (in writing, by telephone, in person) which concerns or could concern the protection of personal data, in particular requests within the meaning of Art. 15 – 22 GDPR, shall notify this fact to the designated person.
- The designated person handles the requests of data subjects in accordance with the general instructions of the employer, but always so that the request is complied with without undue delay and no later than 1 month from the date of its receipt, that all information needed to settle the request is provided, and, where the request is not complied with, that the reasons for this decision are communicated.
- Before responding to a request, the designated person is obliged to verify the identity of the requesting data subject, doing so always in an appropriate manner that guarantees sufficient identification of the data subject with regard to the form of submission, the communication medium used, and the content of the data subject’s request.
- In the case of a request by a data subject for access to personal data, the relevant designated person shall provide the data subject with at least information as to whether or not personal data concerning the data subject are being processed and shall provide them with an information clause pursuant to GDPR.
- The company provides information under this article to the data subject in the same form in which the data subject requested the information.
VI. Reporting Personal Data Security Breaches to the Supervisory Authority
- A personal data security breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. This may involve, in particular, theft or destruction of written information, theft or destruction of electronic media including PCs, or a hacker attack.
- An authorized person who discovers that a personal data security breach has occurred is obliged to inform the designated person immediately.
- Any personal data security breach shall be reported by the employer, through its managing director, to the supervisory authority without undue delay from the moment it became aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- The notification to the supervisory authority under this article must contain at least:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the employer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- If a certain personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the employer shall communicate this breach to the data subject without undue delay.
- The employer, through the designated person, shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
VII. Monitoring Compliance with the Directive
- Supervision over compliance with this directive and generally binding legal regulations related to GDPR is exercised by the employer.
- The managing director of the employer serves as the contact person for the authorized person in matters of security and personal data protection. In case of any doubts regarding the interpretation of this directive or the scope and content of legal obligations, the managing director of the employer provides a binding interpretation which authorized persons are obliged to follow.
VIII. Final Provisions
- This directive is an integral part of the complex system of internal regulations of the employer.
- This directive was approved on 6 February 2019 and becomes effective on the same day.