STAVSI, s.r.o., and personal data protection (GDPR)

A. Internal implementing regulation GDPR 1/2018

Within the meaning of Article 30 of EU Regulation no. 2016/679

The controller of personal data:

STAVSI, s.r.o.

Boudova 590, 155 31 Praha 5-Lipence

IČO: 60198664

The recipient and processor of personal data:

Hynek Siedek

managing director STAVSI, s.r.o.

mobile: 602 234 107

e-mail: info@stavsi.cz

Accounting and payroll processing on the authorisation of the controller:

Ing. Iva Siedková

IČO 44288867

Date of update:

25.05.2018

Responsible person:

Hynek Siedek

managing director STAVSI, s.r.o.

mobile: 602 234 107

e-mail: info@stavsi.cz

Method of receiving personal data:

  1. E-mail from the data subject,

  2. By telephone from the data subject,

  3. In writing from the data subject,

  4. Supporting documents for the processing of accounts kept personally.

B. The methodology of the processing of personal data in the company STAVSI, s.r.o.  

The methodology addresses the protection of personal data of clients (buyers of construction material and related services) and of workers of subcontracting companies (staff designated for cooperation in handling the supply of material and services for clients of STAVSI, s. r. o.) in the company STAVSI, s. r. o. It is based on the methodology published on the website of the MOI CR.

The scope of the protection of personal data in the company STAVSI, s. r. o., corresponds reasonably to the requirements of, in particular, the following provisions:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation, hereinafter “GDPR”);

  2. Act no. 101/2000 Coll., on the protection of personal data and on amendment to some acts, as amended;

  3. Act no. 499/2004 Coll., on archives and records service and on amendments to certain acts, as amended.

The scope of the protection of personal data according to the requirements of the GDPR comes into force on 25. 05. 2018.

GDPR sets out seven basic principles for the work with personal data of identified or identifiable living persons:

  1. the principle of legality, correctness and transparency,

  2. the principle of purpose limitation,

  3. the principle of data minimisation,

  4. the principle of accuracy,

  5. the principle of storage limitation,

  6. the principle of integrity and confidentiality,

  7. the principle of responsibility.

In the company STAVSI, s. r. o., we approach the above principles as follows:

Ad a) the principle of legality, correctness and transparency

From clients – natural persons – and from the workers of subcontracting companies, we process only those personal data which they provide of their own volition or on the basis of their job description. These personal data are processed centrally, only in the premises of our company at its registered office. The personal data are physically and electronically protected against misuse by unauthorised persons. Our company does not process any personal information from the company website www.stavsi.cz and does not use any cookies. Our site lists only such personal information and photos as we received directly from the persons concerned. We do not process personal information of children under the age of 16.

Ad b) the principle of purpose limitation

Clients’ personal data are processed for the purpose of concluding the business case – the contractual relationship – for the purchase and delivery of STAVSI building material and the delivery of related services.

This concerns in particular the processing of data:

  • in the performance of legal obligations (the law on accounting, law on value added tax, law on corporate income tax, etc.),

  • for the purpose of conclusion and performance of the business case, i.e. in the period when the business case is open, but always from the initiative of the client,

  • in the framework of the legitimate interest of the company STAVSI, s. r. o., in delivering quality service and building material to clients.

In particular, these are the basic sub-purposes – activities:

  • the provision of building material STAVSI and related services – in particular information on the benefits for the client's specific construction, the laying plan, floor plan and elevations for the client's construction, price offer, etc. (the conclusion and implementation of the business case)

  • billing and invoicing for materials and services (the conclusion and implementation of the business case)

  • the fulfilment of statutory tax obligations (the fulfilment of legal obligations)

  • the purposes laid down by special laws for the purpose of criminal proceedings and for the fulfilment of the duties of liaison with the Police of the Czech republic and other state authorities (implementation of legal obligations)

  • installation of CCTV and monitoring systems at the premises of our company for the purpose of preventing damage (legitimate interest)

  • recovery of debts owed by the client and other client disputes (legitimate interest)

  • processes associated with the identification of the client (the conclusion and implementation of the business case)

  • securing evidence in case of an emergency for the defense of the rights of the company STAVSI, s. r. o. (legitimate interest)

  • registration of borrowers (the legitimate interest).

Ad c) the principle of data minimisation

For the above-mentioned purposes, STAVSI, s. r. o., processes the following personal data of clients – natural persons – (at most):

  • name and surname, or title,

  • invoicing address (communication),

  • address of the delivery,

  • contact phone number,

  • contact e-mail,

  • bank details,

  • identification data of the client's representative (in the event that the client appoints one).

For the workers of subcontracting companies (staff designated for cooperation in handling the supply of material and services for clients of STAVSI, s. r. o.), the following personal data (at most):

  • name and surname, or title,

  • the name of the company,

  • address of the registered office of the company,

  • IČO, DIČ,

  • contact phone number,

  • contact e-mail.

The company STAVSI, s. r. o., including our website, does not monitor anyone and does not run marketing campaigns.

We receive for processing only the personal information that clients and workers of subcontractors communicate to us. As soon as a client contacts us – via the contact form on our website, by phone, by e-mail, in writing or in person – and communicates their contact personal data to us, a business case is opened for the company STAVSI, s. r. o., and this constitutes a legitimate interest of our company in the processing of such data.

On the basis of a contractual relationship with the webhosting company Active24, we operate our web service and e-mails. Our company does not directly process information from cookies. Cookies from our site are processed by Google Analytics.

Ad d) the principle of accuracy

We process personal information exactly as we receive it from clients and workers of subcontractors. We do not aggregate, edit or arbitrarily change it in any way.

Ad e) the principle of storage limitation

The range of data processed depends on the purpose of the processing. For the purposes of conclusion and performance of the business case, the legitimate interest of the company STAVSI, s. r. o., or the fulfilment of legal obligations, it is possible to process personal data without consent.

For other purposes (in particular marketing, etc.), the company STAVSI, s. r. o., does not process personal data.

The provision of personal data necessary for conclusion and performance of the business case, for the performance of statutory obligations of the company STAVSI, s. r. o., and for the protection of the legitimate interests of the company STAVSI, s. r. o., is mandatory. Without the provision of personal data for those purposes, it would not be possible to provide building material and the services connected with its delivery. The company STAVSI, s. r. o., starts processing personal data for these purposes only after the client's consent. If the client does not agree to the processing of personal data for the implementation of the business case and performance of statutory duties, the business case cannot be concluded and performed.

Personal data, to the extent necessary to fulfil the purpose of the conclusion and implementation of the business case and for the fulfilment of legal obligations of the company STAVSI, s. r. o., are processed for the time necessary to achieve and fulfil those purposes.

In the case of the fulfilment of legal obligations of the company STAVSI, s. r. o., this is for the period of time set by law. For example, invoices issued by the company STAVSI, s. r. o., are, in accordance with § 35 of Act no. 235/2004 Coll., on value added tax, archived for a period of 10 years from their issue.

For clients of the company STAVSI, s. r. o., who have fulfilled all their obligations to it, our company is entitled to process their personal data in the client database for the rest of the calendar year and for the next 5 years from the date of termination of the performance of the closed business case.

In the case of an open business case with a potential client, the company STAVSI, s. r. o., is authorised to process the personal data provided for the remainder of the calendar year and for an additional 2 years from the date of obtaining the personal data from the client, in the context and to the extent of the client's enquiry submitted to our company. In the event that the client notifies the company STAVSI, s. r. o., that they no longer want to continue negotiations on the conclusion and implementation of the business case, the company stops processing their personal data no later than 30 calendar days from receipt of such notification.

The company STAVSI, s. r. o., processes personal data of workers of subcontracting companies for the rest of the calendar year and the entire next 1 year from the date of the termination of cooperation with the specific company. In the event that a worker of a subcontracting company notifies the company STAVSI, s. r. o., that they no longer want to and will not cooperate further, our company terminates the processing of their personal data no later than 30 calendar days from receipt of such notification.

After that, the personal data are deleted or anonymised.

Ad f) the principle of integrity and confidentiality

Personal data of the clients and workers of subcontracting companies are processed centrally in a single database in electronic form. One backup copy of the electronic database is made on a current medium. The content of the database is continuously updated.

The accounts of the company STAVSI, s. r. o., are kept both in electronic form and as one printed copy in paper form.

Access to personal data is restricted to trained, authorised persons of the controller of personal data, such as the managing director of STAVSI, s. r. o., or a person who has demonstrably committed to the obligations regarding the processing of personal data. Such a person is required to maintain the confidentiality of personal data and of the security measures protecting them, and must not make copies of the databases. Accounting for the company STAVSI, s. r. o., is processed by Ing. Iva Siedková, IČO 44288867.

Ad g) the principle of responsibility

Databases are accessible only at the premises of the company at its registered office, and are protected by multi-level physical blocking of access by unauthorised persons (locks, alarms, cameras). The electronic database is protected by an access password. Remote access to the database is not enabled, and its protection is updated regularly.

C. The rights of data subjects in relation to the processing of personal data

In accordance with the requirements of the GDPR, from 25. 5. 2018 the data subject (natural person), provided that they are an identifiable natural person for the company STAVSI, s. r. o., and prove their identity to our company, has the following rights:

1. The right of access to personal data

In accordance with Article 15 of the GDPR, the data subject has the right of access to personal data, which includes the right to obtain from our company:

  • confirmation of whether their personal data are being processed,

  • information about the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be made available, the planned period of processing, the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or restriction of their processing, or to object to such processing, the right to lodge a complaint with the supervisory authority, and any available information about the source of the personal data, if they were not collected from the data subject,

  • a copy of the personal data, provided that this does not adversely affect the rights and freedoms of other persons.

In the case of repeated requests, the company STAVSI, s. r. o., will charge a fee of 500 CZK for a copy of the personal data. The right to confirmation of processing of personal data and to the information can be exercised in writing at the registered address of the company STAVSI, s. r. o. The right to be sent a copy of the personal data must be exercised in writing at the registered address of the company STAVSI, s. r. o., with proof of the legitimacy of that request.

2. The right to rectification of inaccurate data

In accordance with Article 16 GDPR, the data subject has the right to request the rectification of inaccurate personal data which the company STAVSI, s. r. o., processes. A client of the company STAVSI, s. r. o., also has the obligation to notify changes to their personal data and to demonstrate that such a change occurred. At the same time, the client is required to cooperate with our company if it is established that the personal data which our company processes are not accurate. The company STAVSI, s. r. o., will make the correction without undue delay, always, however, with regard to the technical options. A request for correction of personal data should be submitted in writing to the registered address of the company STAVSI, s. r. o., with proof of the legitimacy of that request.

3. The right to erasure

In accordance with Article 17 of the GDPR, the data subject has the right to erasure of personal data relating to them, if the company STAVSI, s. r. o., demonstrates legitimate grounds for the processing of such personal data. The company has mechanisms in place to ensure the anonymisation or deletion of personal data in the event that they are no longer needed for the purpose for which they were processed. If the data subject considers that their personal data have not been deleted, they may appeal in writing to the address of the registered office of the company STAVSI, s. r. o.

4. Right to restriction of processing

In accordance with Article 18 GDPR, until the complaint sent is resolved, the data subject has the right to restriction of processing if they contest the accuracy of the personal data or the reasons for their processing, or if they lodge an objection against their processing, in writing to the registered address of the company STAVSI, s. r. o.

5. The right to notification of the rectification, erasure or restriction of processing

In accordance with Article 19 of the GDPR, the data subject has the right to notification by the company STAVSI, s. r. o., in the case of rectification, erasure or restriction of processing of personal data. If personal data are corrected or deleted, the company STAVSI, s. r. o., will inform the individual recipients, with the exception of cases when this proves impossible or involves a disproportionate effort.

6. The right to portability of personal data

In accordance with Article 20 GDPR, the data subject has the right to portability of the data which concern them and which they provided to the controller, in a structured, commonly used and machine-readable format, and the right to request the company STAVSI, s. r. o., to transfer such data to another controller. In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, it will not be possible to comply with the request. The request should be sent in writing to the registered address of the company STAVSI, s. r. o., after the request has been substantiated.

7. The right to object to the processing of personal data

In accordance with Article 21 GDPR, the data subject has the right to object to the processing of their personal data based on the legitimate interest of the company STAVSI, s. r. o.

In the event that the company STAVSI, s. r. o., shows that there is a compelling legitimate ground for processing which prevails over the interests or the rights and freedoms of the data subject, the company STAVSI, s. r. o., will terminate the processing on the basis of the objection without undue delay. The objection should be sent in writing to the registered address of the company STAVSI, s. r. o.

8. The right to withdraw consent to the processing of personal data

Consent to the processing of personal data for commercial purposes, effective from 25.05.2018, may be withdrawn at any time after that date. The withdrawal must be made as an explicit, clear and definite expression of will, in writing, to the registered address of the company STAVSI, s. r. o.

9. The right to file a complaint

The data subject has the right to lodge a complaint with the Office for Personal Data Protection if they consider that the processing of their personal data has violated the legislation on protection of personal data.

Processed by

Hynek Siedek, 25.05.2018

The technical and organizational internal measures

Physical security

The premises of the company STAVSI, s. r. o., at the headquarters of the company are secured against physical attack on the stored personal data by a security entrance door and lockable interior doors, and the contents of the selected cabinet are protected by a lock. The premises are protected by a multi-level electronic security system. A camera is installed in the areas with personal data. The whole building of the registered office is protected by an external camera system. The PC with personal data is connected to the internet through a firewall, and communication and files are secured by the software product ESET INTERNET SECURITY. Outside working hours the PC is disconnected from the wifi signal. The PC is not connected to a network. Access to the PC is protected by a password. The password is changed regularly at intervals of approximately 60 calendar days.

System security

Personal data are processed in an xls database. Each client or subcontractor worker has their personal data held in one row of the database. Documents needed for a specific business case are tied to the database by pseudonymisation through the agenda number, which is the same in the personal data database and in the documents relating to a specific row of the personal data database. The backup of the personal data database is updated as necessary and is stored out of the reach of unauthorised persons. The financial agenda in electronic form and in paper form is stored in the locked and secured premises with personal data. Personal data are updated as needed and, where appropriate, erased or anonymised. Data subjects are informed of the changes by e-mail or by phone.

Risk assessment of the processing of personal data:

Personnel security

Entry into the premises of the company STAVSI, s. r. o., and access to personal data are permitted only to authorised and instructed persons. These are the managing director of the company and the processor of the financial agenda.

Processed by Hynek Siedek, 25.05.2018