DECLARATION ON PROCESSING AND PROTECTION OF PERSONAL DATA
pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the information of data subjects (hereinafter referred to as „GDPR“)
Dear Customers and Business Partners, PST CLC Mitsui-Soko a.s., IN 25397249, with registered office at Nádražní 969/112, 702 00 Ostrava, registered in the Commercial Register kept at the Regional Court in Ostrava, Section B, Insert 1895, is a data controller within the meaning of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data (hereinafter GDPR), which processes or may process your personal data.
The proper processing of your personal data is very important to our company and its protection is a matter of course. We would like to provide you, our customers and business partners, with detailed information about the scope of processing and your rights arising from the processing.
- Personal data controller
PST CLC Mistui-Soko a.s.
with registered office at Nádražní 969/112, 702 00 Ostrava, Moravská Ostrava, ID: 25397249, VAT: CZ25397249, registered in the Commercial Register kept at the Commercial Register in Ostrava, Section B, Insert 1895 (hereinafter referred to as the „Administrator“).
The controller has not appointed a data protection officer.
- Scope of processing of personal data
Personal data are processed to the extent necessary for the fulfilment of the conditions arising from the concluded contractual relationship, the fulfilment of legal obligations and the provision of the legitimate interests of the controller. In our terms, the processing of personal data is primarily the collection, recording, storage, alteration, retrieval, use, disclosure by transmission, erasure. The data is processed manually and by means of the relevant software.
- Sources of personal data
- from data subjects
- from the client or supplier who is the data controller of its employees and customers
- publicly accessible registers, lists and records (e.g. commercial register, trade register, land register)
- Categories of personal data subject to processing
- identification data of the data subject – natural persons (name, surname, address, place of business, ID number, VAT number (birth number) and identification data of authorized and contact persons – employees (name and surname)
- data enabling contact with the data subject (contact address, telephone number, e-mail address)
- billing information (billing address, details of services ordered, bank account number)
- camera recording at the entrance to warehouse buildings.
- Categories of data subjects
- business partners – natural persons
- contact persons and responsible persons of business partners – employees of natural and legal persons
- the final customer – his personal data necessary for delivery
- external carriers – natural persons or employees of natural and legal persons carrying out transport and delivery of goods
- Categories of recipients of personal data
- employees of the administrator and persons authorized by the administrator
- processors (external carriers, network administrator, software suppliers)
- providers of SMS, email and other communication tools where they process personal data to facilitate our communications with you
- postal service providers
- state and other authorities in the performance of their statutory obligations under the relevant legislation
- external auditors, tax advisors, lawyers
- transfer of personal data abroad – EU and non-EU countries (in connection with the performance of the service for transport from/to abroad)
- Purpose of processing personal data
- negotiation of the contractual relationship
- the negotiation and execution of a contract where personal data of a business partner – a natural person – is processed
- negotiation and execution of one-off transport orders, where personal and contact data of the employees of natural and legal persons responsible for their negotiation and execution are processed
- contact with designated employees of business partners to resolve non- standard situations
- compliance with legal obligations (accounting and tax, compliance with binding transport conditions)
- protection of the rights of the controller, the beneficiary or other persons concerned (recovery of claims by the controller, legal proceedings, complaints)
- a filing service maintained on the basis of legal regulations
- use of postal services for sending correspondence
- business activities that consist in improving the quality of products and services already provided to existing business partners
- Legal basis for processing
- performance of the contract
- compliance with legal obligations (Civil Code, VAT Act, Accounting Act, transport conditions for individual types of transport, Act on measures against terrorism)
- legitimate interest of the administrator (ensuring protection of rights, property)
- consent of the data subject (contact persons – employees of business partners)
- Method of processing and protection of personal data
The processing of personal data is carried out by the controller. The processing is carried out at the controller’s premises, branches, and headquarters by individual authorized employees of the controller, and by the processor directly at his workplace. Processing is carried out by computer technology and in paper form (contracts, invoices, cash documents) in compliance with all security principles for the management and processing of personal data. To this end, the controller has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to, alteration, destruction or loss of personal data, unauthorized transmission, unauthorized processing, or other misuse of personal data. All parties to whom personal data may be disclosed (Article VI) respect the data subjects‘ right to privacy and have committed to acting in accordance with applicable data protection legislation.
- The period for which personal data are processed
In accordance with the time limits specified in the relevant contracts, in the administrator’s filing and shredding rules or in the relevant legislation, this is the time necessary to secure the rights and obligations arising from both the contractual relationship and the relevant legislation.
- personal data whose processing is related to the performance of the contract are processed for the duration of the contractual relationship and subsequently for as long as the rights of the parties are enforceable
- personal data processed for the purpose of compliance with legal obligations are processed for the period of time specified in the relevant legislation
- Lessons learned
In accordance with Article 6 (1) of the GDPR, the controller may process data for the following purposes without the data subject’s consent:
- the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject
- the processing is necessary for compliance with a legal obligation to which the controller is subject
- the processing is necessary for the purposes of the legitimate interests of the controller, or third party concerned, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data
- the processing is necessary to protect the vital interests of the data subject or another natural person
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
If the data subject does not provide the data necessary for the conclusion of the contract, it will not be possible for the controller to conclude such a contract and provide the relevant services. If the data subject does not provide contact details, this may affect the scope and level of services provided by the controller.
Consent of the data subject
Insofar as the controller processes personal data that are not necessary for the above categories, this is only possible on the basis of the data subject’s free consent. Consent to the processing of personal data as the sole legal basis for processing is based on the principle of voluntariness. This means that the data subject may withdraw it at any time.
If the data subject does not provide contact details, this may affect the scope and level of service provided by the controller.
- Rights of data subjects
The fundamental rights of data subjects include:
- the right to information on the processing of personal data (PD)
- the right of access to PD (the right to obtain confirmation of processing from the controller of personal data)
- PD, the right to obtain a copy of the processed PD
- the right to rectification
- the right to erasure („right to be forgotten“)
- the right to restriction of processing
- the right to data portability
- the right to object
- the right not to be subject to automated decisions
In accordance with Article 12 of the GDPR, the controller informs the data subject of:
- the purpose of processing
- the category of personal data concerned
- the recipients to whom the personal data have been or will be disclosed
- the planned period for which the personal data will be stored
- any available information about the sources of the personal data, unless it is obtained from the data subject
- whether automated decision-making, including profiling, takes place
Any data subject who becomes aware or believes that the controller or processor is processing his or her personal data in a manner contrary to the protection of his or her private and personal life shall have the right to:
- ask the administrator for an explanation (info@pst-clc.cz, see above for the address of the company’s registered office)
- require the controller to rectify the situation by correcting, supplementing or deleting the personal data
- if the data subject’s request pursuant to the paragraph is found to be justified, the controller shall promptly arrange for remedy; if the controller does not comply with the data subject’s request, the data subject shall have the right to apply directly to the supervisory authority, i.e. the Office for Personal Data Protection; the data subject shall have the possibility to apply directly to the supervisory authority without asking the controller (Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz)
In Ostrava on 2/1/2024