Mgr. ANNA VEJMELKOVÁ, advokát

PERSONAL DATA PROTECTION PRINCIPLES

What is Purpose of these Principles?

The purpose of these principles is to provide data subjects comprehensive information on processing of their data by my law firm, according to respective law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter as „General Data Protection Regulation“ or simply „GDPR“).

What do these principles explain?

These principles inform you about: 

CONTROLLER

What does Controller mean?

The Controller legally means natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and is responsible for such processing.

Who is the Controller of your Personal Data?

For the purpose of this Principles the controller in connection to processing personal data of subjects stated herein is my law firm.

It means:

Mgr. ANNA VEJMELKOVÁ, advokát 

IČO: 03827232

with registered seat: Národní obrany 789/49,

Prague 6, ZIP code: 160 00

e-mail: advokat@vejmelkova.cz

phone: +420 731 150 576

PERSONAL DATA & SCOPE OF THEIR PROCESSING

What does Personal Data mean?

Personal data generally means any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What does Special categories of Personal Data mean?

Special categories of personal data mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

What categories of Personal Data do I process?

(scope of Personal data processing)

Personal data generally processed by me include (following list is demonstrative only and does not exclude processing of also other personal data which you provide to me):

Identification data: academic title, name, surname, date of birth and, depending on circumstances, also others (e.g. occupation, ID number, passport number, company ID number, VAT number, bank account number, etc.).

Contact details: home address, work address, telephone number, email address, data box ID.

Photos: in connection to individual clients as a part of the evidence material, in connection to associate lawyers photos on the website of my law firm.

Sensitive data: depending on nature of a particular case I may also process sensitive data of clients or associate lawyers (e.g. data such as union membership or health status).

Criminal conduct data: I process this type of personal data in connection to some clients depending on nature of a particular case (e.g. criminal records, data in the criminal file).

Where do I acquire Personal Data?

I usually acquire personal data from the following sources:

  • data subjects,

  • clients,

  • public authorities,

  • counter-parties or representatives of counter-parties in case of a dispute of a client,

  • publicly accessible sources (public registers, public records or lists, information publicly available on the Internet which the data subject itself publishes).

LEGAL PURPOSES & LEGAL BASIS FOR PROCESSING OF PERSONAL DATA

What are the cases of processing Personal data?

I usually process personal data of data subjects in connection with:

  • provision of legal services to clients,

  • cooperation with associate lawyers.

What is the legal basis for processing of Personal data?

I process personal data relying on the below mentioned legal basis (for the sake of clarity, individual legal basis for the processing are stated in connection to respective category of processed personal data – legal basis for processing may also overlap in some cases):

What is the purpose of processing of Personal data?

I process personal data for the following purpose(s) (for the sake of clarity, individual purposes of the processing are stated in connection to respective category of processed personal data – purposes processing may also overlap in some cases): 

PŘÍJEMCI & ZPRACOVATELÉ ÚDAJŮ

RECIPIENTS & PROCESSORS OF PERSONAL DATA

What does the Recipient mean?

Recipient legally means natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

What does the Processor mean?

Processor legally means natural or legal person, public authority, agency or other body which processes personal data on behalf of me and according to my instructions.

Who are recipients of your personal data?

I may transfer or disclose (only selected) personal data of data subjects to the following recipients:

  • public authorities (e.g. courts, administrative bodies, criminal authorities) in cases as stated by applicable laws, or by contract for provision of legal services (mostly purpose of provision of legal services, your legal interests or instructions),

  • other subjects if necessary for the protection of legal rights (e.g. insurance companies in connection with insurance claims),

  • providers of services necessary for running of my law firm or for improvement of my legal services and also provides of other services (e.g. accounting and tax advisors, providers of IT services, translation agency, providers of server, web, cloud or IT services, etc.). For these purposes, I select only trusted entities that are contractually bound by the confidentiality obligation in relation to handling of personal data, as well as other obligations to protect personal data within the meaning of applicable laws.

METHODS OF PROCESSING PERSONAL DATA

What does processing of Personal Data mean?

Processing of Personal Data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What methods of processing personal data do I use?

I mostly process personal data of data subjects in electronic form using the IT technology. In exceptional cases I also process personal manually in paper form.

I have implemented adequate technical and organisational measures to ensure protection of personal data which it processes, mainly measures preventing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, or other misuse of personal data (measures include for example encryption, password security, security software, storage of data in locked cabinets or spaces, access allowed to authorised persons only who need personal data to meet the above mentioned processing purposes).

All persons to whom such personal data may be made available respect the privacy rights of data subjects, they are bound by confidentiality obligations, and are required to comply with personal data protection laws.

I also require that my data storage providers comply with the relevant industry security standards.

Automated decision making or profiling

Personal data processed by me are not subject to automated decision making or profiling.

DATA RETENTION PERIOD

How long do I process Personal Data?

I process personal data only for the period necessary for the fulfilment of the purpose for which they have been collected or for the period as stated in the applicable law.

Some personal data are retained only for the duration of the contract with data subject and they are deleted or destroyed after the termination of the contract (e.g. photographs of associates).

Other data are kept for some time after the termination of a particular contract. I am obliged to respect retention periods as stated in applicable law and certain documents, including personal data therein, must be retained for the specific periods (e.g. clients’ files for the period of 5 years from the termination of provision of legal services).

I retains some other personal data or documents containing personal data to the extent necessary and for necessary time for exercising and defending its legal claims (legitimate interests), in particular for enforcing legal obligations,  resolving of disputes, etc. These data are usually retained for the duration of prescription periods as stated by respective applicable law (usually from 3 to 15 years).

However, some other personal data or documents containing personal data are also retained for an indefinite period of time, or more precisely for the entire duration of my practice as a lawyer. These data are, for example, retained for purpose of evaluation of a potential conflict of interests as stated by respective applicable law (see Article 19 section 1 point A of the Act No. 85/1996 Coll., on Advocacy – reason to refuse to provide legal services).

Once the respective retention period is over I will anonymise or entirely erase personal data from all of its databases and IT systems and shred all the paper documents and destroy all other portable media.

RIGHTS OF DATA SUBJECTS

What rights do you have?

Data subjects have the following rights in connection with processing of their personal data by me:

In some cases data subject has also right to withdraw consent.

Right of access to personal data

Data subject shall have access to all of his/her personal data processed by my law firm.

In this context, the data subject shall, in particular, have the right to obtain information whether his/her personal data are processed and, if so, what personal data are being processed and how they are processed.

Upon request of the data subject, I will provide copies of all personal data in structured form within one month from such request, provided that provision of data will not adversely affect rights or freedoms of other persons (it is therefore not possible to provide access in all cases to all information, especially in connection with data which are subject to trade secrets, intellectual property, copyrights, my know-how or know-how of third parties – e.g. software providers, even though they are related to the processing of personal data of the data subject, who has made a request to access these personal data).

If request is made in electronic form, data will be provided in the standardly used electronic form, unless data subject requests different form of providing data.

Data subjects may exercise the above-mentioned right of access to personal data using the following request form:

Right to rectification or completition of personal data

Data subject has also right to rectification of inaccurate personal data and completion of incomplete personal data. 

Upon request or information from the data subject I will rectify or update inaccurate/outdated personal data, without undue delay.

Data subjects may exercise the above-mentioned right to rectification or competition of personal data using the following request form:

Right to erasure („Right to be forgotten“)

The right to ensure of personal data generally means  a duty of data collector to ensure all personal data processed if certain conditions are met and data subject requests it.

Personal data of data subject will be erased without any undue delay subject to fulfilment of one or more of the following conditions:

  • personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,

  • data subject withdraws consent on which the processing is based and there is no other legal ground for the processing,

  • data subject objects to the processing and there are no overriding legitimate grounds for the processing,

  • personal data have been unlawfully processed

  • personal data have to be erased for compliance with a legal obligation under the EU law or Czech law,

  • personal data have been collected in relation to the offer of information society services (e.g. trough contact form on website).

Personal data cannot be erased if their processing is necessary for the fulfilment of legal obligations or exercising or defending legal claims.

Data subjects may exercise the above-mentioned right to erasure using the following request form:

Right to restriction of processing

Data subject has right to restriction of processing personal data in certain cases.

Processing of personal data of data subject shall be restricted in the following cases:

  • accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data

  • processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

  • collector no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims

  • data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject

Restriction of processing means that while the data are still stored, they cannot be otherwise processed until the restriction can be terminated. Therefore, if processing of personal data is limited, such personal data will be processed only with consent of the data subject or for the purpose of enforcing or defending legal claims, for the protection of the rights of another natural or legal person or for reasons of overriding public interest. 

I shall inform data subject in advance about termination of restriction on processing of their personal data.

 

Data subjects may exercise the above-mentioned right to restriction using the following request form:

Right to data portability

Right to data portability allows the data subject to obtain the personal data provided by the data controller in structured, commonly used and machine-readable format.

Subject to the request of data subject and technical feasibility, collector shall transmit personal data to another controller in structured, commonly used and machine-readable format.

 

Data subjects may exercise the above-mentioned right to data portability using the following request form:

Right to object

Data subject has the right to object against processing which is based on the legitimate interests of the data controller, a third party or is performed in the public interest or exercised by official authority.

Provided that purpose of processing is legitimate interest of data controller and data subject will raise objection against such processing, the personal data shall no longer be processed unless there exist compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Data subjects may exercise the above-mentioned right to object using the following request form:

Right to file a complaint

In case that data subjects are dissatisfied with the processing of their personal data by data controller, they may file a complaint to data controller.

Data subjects are also entitled to file a complaint to the Office for Personal Data Protection in connection with processing of their personal data by data controller.

Right to withdraw consent

Personal data shall not be further processed if data subjects withdraws their consent with processing and there exist no other legal basis for their processing.

Right to withdraw the consent to the processing of personal data shall not apply in cases where personal data are processed for the purpose of performance of the contract concluded with the data subject, it means without consent to processing.

SOURCES OF FUTHER INFORMATION

Office for Personal Data Protection

Contact details:

Czech Office for Personal Data Protection, with seat at Pplk. Sochora 27, Prague 7, ZIP code: 170 00, phone number: +420 234 665 111, e-mail: posta@uoou.cz.

More information relation to rights of data subject is available on the website of the Office for Personal Data Protection (see: https://www.uoou.cz/6-prava-subjektu-udaj/d-27276).

 

VALIDITY & UPDATES OF THESE PRINCIPLES

These principles came into force and effect on  25.5.2018

These principles has been updated on 10.4.2019

Scroll to Top

DATA SUBJECT REQUEST FORM

RIGHT TO ACCESS

Identification of data subject

Specification of request to access

Additional reason for request

DATA SUBJECT REQUEST FORM

RIGHT TO RECTIFICATION/COMPLETION

Identification of data subject

Specification of request to rectification/completion

Additional reason for request

DATA SUBJECT REQUEST FORM

RIGHT TO ERASURE

Identification of data subject

Specification of request to erasure

Reason for request

Additional declaration

DATA SUBJECT REQUEST FORM

RIGHT TO RESTRICTION OF PROCESSING

Identification of data subject

Specification of request to restriction

Reason for request

Additional declaration

DATA SUBJECT REQUEST FORM

RIGHT TO DATA PORTABILITY

Identification of data subject

Specification of request for transfer of data

Identification of new controller

(fill in only in case your have chosen to transfer the data to the new data controller)

Additional reasons or information relating to this request

DATA SUBJECT REQUEST FORM

RIGHT TO OBJECT AGAINST PROCESSING

Identification of data subject

Specification of objection against processing

Reason for request