Protection of Personal Data

information obligation under Article 13 of the GDPR

If you are our customer, newsletter subscriber, website visitor, our supplier or job seeker, you entrust us with your personal data. We are responsible for its protection and security.

Who is the controller?

We are the company TrustSoft, s.r.o. We provide the following services: Information technology services.

Contact information

If you want to contact us during processing, you can contact us by e-mail at: ota.seda@trustsoft.cz.

Declarations

We declare that, as the controller of your personal data, we comply with all legal obligations required by applicable legislation, in particular the Personal Data Protection Act and the GDPR, and therefore that:

• we will process your personal data only on the basis of a valid legal reason, in particular a legitimate interest, performance of a contract, legal obligation, or consent granted,
• we fulfil the information obligation according to Article 13 of the GDPR even before the processing of personal data begins,
• we will enable and support you in exercising your rights under the Personal Data Protection Act and the GDPR.

Scope of personal data and processing purposes

Provision of services and performance of a contract

1. personal data of customers and suppliers in the scope of: invoicing data, e-mail, telephone or correspondence address and information that we urgently need to fulfil the contract – business relationship.
2. personal data of newsletter subscribers in the scope of: name, surname, e-mail is processed only on the basis of your consent for the purpose stated in the consent.
3. personal data of website visitors in the scope of: name and surname, e-mail, telephone that we need in order to record the demand for our services
   

Cookies

When browsing our website, we record your IP address, how long you stay on the page and from which page you come. We perceive the use of cookies to measure website traffic and customize the display of the website as our legitimate interest of the controller as we believe that thanks to this we can offer you even better services.

Advertising targeting cookies will only be processed with your consent.

Our website can also be browsed in a mode that does not allow the collection of personal data. You can disable the use of cookies on your computer in your internet browser.

Security and protection of personal data

We protect personal data as much as possible using modern technologies that correspond to the level of technical development. We protect the data as if they it was our own. We have taken and maintain all possible (currently known) technical and organizational measures to prevent the misuse, damage or destruction of your personal data.

Transfer of personal data to third parties

Our employees and co-workers, who are bound by confidentiality and trained in the security of personal data processing, have access to your personal data.

We handle most processing operations ourselves and do not use third parties.

To ensure some specific processing operations, which we are unable to provide on our own, we use the services and applications of processors who specialize in the given processing and comply with the GDPR.

This includes providers of the following services: personnel and payroll services.

It is possible that in the future we will decide to use other applications or processors to facilitate and improve processing of personal data. However, we promise you that in such a case, when choosing our processors, we will apply at least the same demands on the processor for security and quality of processing as for our own data.

Data transfer outside the European Union

We process personal data exclusively in the European Union or in countries that provide an adequate level of protection based on the decision of the European Commission.

YOUR RIGHTS – RIGHTS OF DATA SUBJECTS

A) AUTOMATICALY APPLIED RIGHTS:
RIGHT TO INFORMATION ON THE PROCESSING OF PERSONAL DATA

The data subject has the right to be informed about the processing of their personal data. This means the right to certain information about the processing of their personal data. It is mainly information about the purpose of processing, the identity of the controller, its legitimate interests, and the recipients of personal data. In this case, it is a passive right since the activity must be developed against the data subject by the controller in order to provide or made available the required information set out in the GDPR to the data subject. The full list of information provided by the controller when collecting personal data can be found in Articles 13 and 14 of the GDPR.

RIGHT NOT TO BE SUBJECT TO AUTOMATED PROFILING DECISION-MAKING

This right ensures that the data subject will not be the subject to a decision based solely on automated processing, including profiling, which has legal effects for the data subject or significantly affects the data subject in a similar way.

Automated decision-making is permissible where it is necessary for the conclusion or performance of a contract between the data subject and the controller, if it is permitted by EU law or a Member State or if it is based on the explicit consent of the data subject. For example, speeding drivers cannot be automatically penalized without a physical person reviewing the fine. Or it is not possible to automatically reject a loan application without a physical person examining the application.

RIGHT TO ERASURE AND „RIGHT TO BE FORGOTTEN“

It is applied automatically where personal data is no longer needed for the purposes for which it was or for another compatible purpose, or if, for example, the data subject revokes their consent to the processing. If the controller does not proceed with the erasure automatically, the data subject has the right to request the exercise of the right. However, the right of erasure cannot be exercised where the data is further stored or processed for the purpose of fulfilling a legal obligation, protection of public health, archiving or, for example, for the exercise, determination or defense of legal claims.

RIGHT TO RECTIFICATION OR UPDATE OF PERSONAL DATA

The data subject has the right to rectify inaccurate personal data concerning them. This does not mean the controller’s obligation to actively search for inaccurate data (but nothing prevents it from doing so), nor does it mean the controller’s obligation to, for example, request the data subject to update their data every year. If the data subject considers that the controller is processing their inaccurate data, the data subject should notify the controller. It is the controller’s responsibility to deal with the data subject’s request if the data subject notifies it that they request rectification of their personal data.

B) AT THE REQUEST OF THE DATA SUBJECT:
THE RIGHT TO RECEIVE A CONFIRMATION OF DATA PROCESSING

from the controller is granted to every data subject. The data subject has the opportunity to apply this right through requests to any data controller and then obtain confirmation from the controller whether their personal data is being processed.

THE RIGHT OF THE SUBJECT TO ACCESS THEIR PERSONAL DATA

The data subject has the right to access their data and information, in particular, regarding the scope, purpose and period of processing of their personal data, including information on the source from which the data was obtained.

THE RIGHT TO OBTAIN A COPY OF PERSONAL DATA PROCESSED

is another part of the right of access to personal data, which can be exercised at the request of the data subject. The controller is then obliged to provide the data subject with a copy of the processed personal data.

THE RIGHT TO RESTRICT PROCESSING

is grated to the data subject in some special cases provided that the accuracy of the personal data processed needs to be verified or if reasons are given for erasure which cannot be realized for various reasons; the data is necessary for legal claims or the data subject has objected to its processing.

RIGHT TO DATA PORTABILITY

is a completely new right of the data subject, the essence of which is the possibility to obtain, under certain conditions, personal data concerning them in a structured, commonly used and machine-readable format, and the right to transfer this data to another controller without the original controller preventing the transfer. At the same time, the data subject has the right to request that the controller transfers their personal data in a structured, commonly used and machine-readable format to another controller, if technically feasible.

Common conditions for the exercise of the right to portability:

• t must concern processing based on the legal ground of a consent or contract,
• processing is performed automatically.

The exercise of the right of portability must not adversely affect the rights and freedoms of
others.

RIGHT TO OBJECT

The data subject has the right at any time to object to the processing of personal data which is
processed based on a legal reason:

• processing is necessary for the performance of a task carried out in the public interest or in
  the exercise of official authority vested in the controller.
• processing is necessary for the legitimate interests of the controller or a third party concerned.

The controller may not further process the personal data unless it proves valid legitimate reasons for the processing which prevail over the interests or rights and freedoms of the data subject or for the determination, exercise, or defense of legal claims.

Objections may also be raised against the processing of personal data for the purposes of direct marketing or profiling. If the data subject objects to processing for direct marketing purposes, personal data will no longer be processed for these purposes.

In the case of a request under Articles 15 to 22 of the GDPR, information on the measures taken must be provided without undue delay and in any case within one month of receipt of the request. The period may be extended by two months in exceptional cases, of which, including the reasons, the data subject must be notified.

Where requests submitted by the data subject are manifestly unfounded or disproportionate, in particular because they are repetitive, the controller may either charge a reasonable fee or refuse to comply with the requests. It is the obligation of the data controller to prove that the request is clearly unjustified.

OUR RESPONSIBILITIES – OBLIGATIONS OF THE CONTROLLER

CORRECTNESS AND TRANSPARENCY OF PROCESSING, which means that all information on processing must be accessible free of charge, easily and transparently, in clear and comprehensible language and, when published, the data should be published in writing (orally at the request of the data subject) and, where possible, electronically. A tangible expression of transparency is, among other things, the information obligation of the controller towards data subjects.

PURPOSE RESTRICTIONS ON THE COLLECTION OF PERSONAL DATA, which requires controllers to process personal data exclusively for the purpose for which it was collected and in ways that are compatible with the purposes.

MINIMIZATION OF PERSONAL DATA PROCESSED, which requires that personal data may be collected only to a reasonable extent and to the extent necessary in relation to the given purpose of processing.

ACCURACY OF PERSONAL DATA, which means that only accurate personal data should be processed, which will be updated if necessary, and the controller will take all measures to rectify or erase inaccurate data.

RESTRICTED STORAGE OF PERSONAL DATA, which means that data is stored only for the time necessary to achieve the given purpose of processing, after which personal data should be automatically erased.

INTEGRITY AND CONFIDENTIALITY OF PROCESSING, which means the requirement of adequate data security and data protection by appropriate technical or organizational measures against unauthorized and unlawful processing, accidental loss and destruction or damage.

RESPONSIBILITY OF THE CONTROLLER, which means the obligation of the controller to comply with all obligations arising from the GDPR principles and at the same time the obligation of the controller to demonstrate compliance of all its data processing procedures and processes with these principles.

OBLIGATION TO ENSURE ADEQUATE SECURITY OF PERSONAL DATA: According to the GDPR, both the controller and the data processor, taking into account the state of the art, the costs of implementation, the nature, the context and the scope of processing and the risks of varying probabilities and severity, must take all appropriate technical and organizational measures to ensure the security of processing, such as encryption, pseudonymisation (temporary or temporary anonymization of data for the purposes of a certain phase or process of its processing), ensuring constant confidentiality, integrity, availability and resilience of systems and services, ability to recover data in case of security incidents through a rational system of backup, automation of recovery processes, etc.

Controller: Milan Hybner
Released on: 12.02.2021