Declaration of personal data processing according to the European Parliament and Council Regulation (EU) No 2016/679 on the protection of individuals with regards to the processing of personal data and instructions to the data subjects („GDPR“).
1. The personal data administrator:
Maximus Resort, a.s., VAT no.: 269 65 437, with registered offices at Hrázní 327/4a, 635 00 Brno, a company registered in commercial register by Brno Regional Court, section B, insert 4332, hereby informs you about processing of your personal data and about your rights, in accordance with the article 12 of GDPR.
2. Scope of the personal data processing
Personal data are processed in the scope that the relevant data subject provided to the administrator in connection to a contractual or any other legal relationship conclusion with the administrator, or which the administrator gathered differently and are processed in accordance with applicable law, or so that the administrator can fulfil their legal obligations.
3. Sources of the personal data
- directly from the data subjects (e-mails, telephone, web pages, web contact forms, business cards, etc.)
- publicly accessible registries, lists and databases (e.g. Business Register, Trade Register, Cadastre, etc.) with the purpose to create accounting documents and to check information accuracy
4. Categories of personal data which are the subject of processing
- address and identification data used for the data subject’s clear and unambiguous identification (e.g. name, surname, title, birth number, date of birth, permanent residency address, VAT no., company ID no.) and data enabling contact with the data subject (contact data – e.g. contact address, telephone number, e-mail address and other similar information)
- descriptive data (e.g. bank connection)
- other data necessary for contract fulfilment
- data provided beyond the applicable laws, processed within the given agreement from the data subject (photographs processing, using the personal data for personal procedures, sending commercial or informative communications etc.)
5. Categories of the data subjects
- client of the administrator
- employee of the administrator
- service supplier
- other person who is in contractual relationship to the administrator
- job applicant
6. Categories of the personal data recipients
The administrator has no intention to pass the personal data to a third country outside the EU. The administrator has the right to authorize a processor to process the personal data, who concluded a processing contract with the administrator and who provides sufficient guarantees of your personal data protection. Otherwise, the data subjects will be unconditionally informed about this transfer. Categories of the recipients thus are:
- financial institutes
- public institutes
- the processor
- state and other authorities within fulfilment of legal obligations given by applicable law
7. Purpose of the personal data processing
- purposes included in the data subjects’ agreement
- negotiation about a contractual relationship
- contract fulfilment
- protection of rights of the administrator, recipient or other concerned persons
- archiving conducted by law
- tenders for published job positions
- legal obligations fulfilment by the administrator
- protection of vital interests of the data subject
- transfer of commercial communication or other information in case of justified interests of the administrator
8. Method of the personal data processing and protection
Processing of the personal data is done by the administrator. Processing is done in their establishments, branch offices and the head office by individual authorized employees of the administrator, or by the processor. Processing happens while keeping all safety rules for the personal data administration and processing. For this purpose, the administrator accepted technical, organisational and legal precautions to provide the personal data protection, mainly the precaution to prevent an unauthorized or random access to the personal data, their change, destruction or loss, unauthorized transfers, unauthorized processing, or other misusage of the personal data. All the subjects who are allowed to access the personal data respect the data subjects’ rights to privacy and freedom protection, and they are obliged to proceed according to valid legal regulations related to the personal data protection.
9. Time of the personal data processing
In accordance with the periods stated in relevant contracts and agreements, periods prescribed for handling in case of legitimate interests of the administrator or the third party, in relevant legal regulations, it is an amount of time necessary to provide rights and obligations coming from both the liability relationship and the relevant legal regulations.
The administrator processes the data with agreement of the data subject except for the legally given examples when the personal data processing does not require the data subject agreement, thus when other legal basis exists for the processing purpose. In agreement with article 6, paragraph 1 of GDPR, the administrator can process these data without the data subject agreement
- the processing is necessary for a contract fulfilment whose contractual party is the data subject, or to execute measures accepted before the contract conduction requested by this data subject,
- the processing is necessary for legal obligations fulfilment that relates to the administrator,
- the processing is necessary for the data subject’s vital interests protection, or of other individual’s,
- the processing is necessary for fulfilment of a task executed in public interest or when exercising public authority assigned to the administrator,
- the processing is necessary for purposes of legitimate interests of the relevant administrator or the third party, except for cases when these interests are minor to the interests or basic rights and freedoms of the data subject requiring personal data protection.
11. Rights of the data subjects
A. In accordance to Article 12 of GDPR, the administrator informs the data subject, when required by the data subject, about the right of access to personal data and to the following information:
- purpose of processing,
- category of the affected personal data,
- recipient or category of recipients who have been or will be given access to personal data,
- planned period when personal data will be stored,
- all available information about personal data source,
- if not gathered from the data subjects, facts on whether automatic decisons are made, including profiling.
Administrator has the right to require an adequate refund for giving the information, not exceeding the cost necessary for providing the information, for second and any other copies within the administration cost connected with this.
B. Each data subject who find out or assume that the administrator or processor processes their personal data in a way that is in contradiction to protection of personal life of the data subjects, or in contradiction to the law, particularly if the personal data are incorrect in regards to their processing, they can:
- Require explanation from the administrator.
- Require that the administrator removes such a state. Particularly, it can mean blocking, correction, addition or deleting of personal data.
- If the data subject request is found legitimate according to Paragraph A, administrator removes the defect immediately.
- If the administrator does not comply with the data subject request according to Paragraph A, the data subject has the right to approach directly the supervisory office – Office for Personal Data Protection.
- Procedure according to Paragraph A does not exclude the option of the data subject approaching the supervisory office with their request directly.
C. The data subject has the right to withdraw their consent to process personal data that they gave to the personal data administrator earlier.
D. The data subjects rights thus are: use the right for correction, deleting, oblivion, limitation of processing. Also, right to transferability of the data if it is technically or organisationally feasible.