Principles of Personal Data Processing
I. Personal Data Controller and Personal Data Subject
The Controller of personal data is the Czech Environmental Partnership Foundation, Company identification number: 457 73 521, with the Head Office at Údolní 33, Brno-město, 602 00 Brno (hereinafter referred to as Partnership Foundation), registered under file number N 42 kept at the Regional Court in Brno.
Personal data within the meaning of Article 4 (1) of the GDPR means any information about an identified or identifiable natural person ("data subject"); an identifiable natural person is an individual who can be directly or indirectly identified, in particular by reference to a specific identifier, such as the name, identification number, data about the location, network identifier or one or more specific elements regarding the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
The data subject within the meaning of § 3 of the Data Protection Act means an individual to whom the personal data relate.
II. The Scope of the Personal Data
In the case of nominations for the Adapterra Awards competition and the database:
- name and surname, and / or name of the owner, investor, implementer, designer
- e-mail, phone number,
- address of the subject
In the case of voting in the Adapterra Awards competition:
- name and surname of the data subject,
- e-mail address
In case of subscribing to the newsletter:
- name and surname of the data subject,
- e-mail address
In the case of signing up to test the Tree Check app:
- name and surname of the data subject,
- e-mail address
In the case of using the Tree Check app:
- information that the data subject provides directly by setting up and using the account. Types of information include the name and surname, e-mail address, password, username, gender, photo, user device location.
- information collected automatically when using the application. Types of information include information about the device, hardware and software, information about using the application, IP address, or browser information.
- information collected through third parties, such as mobile platforms or third-party verifiers on social networks, which the data subject uses to sign into the application.
In the case of using the Tree Check PRO software:
- information about the organization in which the entity operates. Types of information include country of operation, name, ID number, e-mail address, postal address, telephone number.
- information that the subject provides directly by setting up and using the account. Types of information include name and surname, e-mail address and password.
In the case of registration for events organized by the Partnership Foundation:
- name and surname of the data subject,
- e-mail address, phone number
In the case of filling in attendance lists at events organized by the Partnership Foundation:
- name and surname of the subject,
- e-mail address, phone number,
III. Legal Reasons and Purposes of Personal Data Processing
The legal reasons for processing your personal data are:
- 1. In the case of a request to receive a newsletter and test the application, the legal reason for the processing of the personal data listed above is the consent of the data subject.
- 2. In the case of registration for events and filling in attendance lists, the legal reason for the processing of the personal data listed above is the legitimate interest of the controller.
IV. Principles of Personal Data Processing
The Partnership Foundation proceeds with the processing of your personal data in accordance with the principles of personal data processing in the sense of Article 5 of the GDPR.
- Personal data is:
- 1. processed fairly, lawfully and transparently in relation to the data subject ("legality, correctness and transparency");
- 2. collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with these purposes; in accordance with Article 89 (1), further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes ("purpose limitation");
- 3. reasonable, relevant and limited to the extent necessary in relation to the purpose for which they are processed ("data minimization");
- 4. accurate and, where necessary, kept up to date; all reasonable steps will be taken to ensure that personal data which are inaccurate, taking into account the purposes for which they are processed, are deleted or corrected without delay ("accuracy");
- 5. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for a longer period if they are processed exclusively for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1), provided that the appropriate technical and organizational measures required by this Regulation are implemented in order to guarantee the rights and freedoms of the data subject ("storage restrictions");
- 6. processed in a way that ensures adequate security of personal data, including their protection by appropriate technical or organizational measures against unauthorized or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality");
- The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate such compliance ("liability").
V. Method of Processing and Protection of Personal Data
The processing of personal data is performed by the controller. Processing is performed at the controller's registered office by individual authorized employees of the controller, or processor. The processing takes place using computers, or manually for personal data in paper form in compliance with all security principles for the management and processing of personal data. For this purpose, the controller has taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to, modification, destruction or loss of personal data, unauthorized transfers, unauthorized processing and other misuse of personal data.
VI. Period of Keeping Personal Data
We process your personal data for the time that is strictly necessary to fulfil a certain purpose of processing, i.e. typically for the period of performance of the contractual relationship or for the period expressly required by applicable law, or until the withdrawal of consent.
VII. Rights of the Data Subject
The data subject has the following rights:
- Right to withdraw consent (Article 7)
The data subject has the right to withdraw consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing based on the consent that was given before its withdrawal. Consent can be withdrawn by sending an e-mail to firstname.lastname@example.org
- Right to request access to his/her personal data (Article 15)
The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him/her are being processed and, if they are, the right to obtain access to this personal data and to the following information:
- processing purposes;
- categories of personal data concerned;
- recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or in international organizations;
- the planned period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period;
- the existence of the right to request from the controller the correction or deletion of personal data concerning the data subject or to limit their processing or to raise an objection to such processing;
- the right to lodge a complaint with the supervisory authority;
- all available information on the source of the personal data, if not obtained from the data subject;
- the fact that there is automated decision-making, including profiling and, at least in these cases, meaningful information on the procedure used, as well as the significance and expected consequences of such processing for the data subject.
Where personal data are transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards that apply to the transfer. The controller will provide a copy of the processed personal data. The controller may charge a reasonable fee for additional copies at the request of the data subject, based on administrative costs. If the data subject submits the request in electronic form, the information shall be provided in the electronic form normally used, unless the data subject requests otherwise. The right to obtain a copy must not adversely affect the rights and freedoms of others.
- Right of rectification (Article 16)
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure ('right to be forgotten') (Article 17)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing carried out in the public interest, in the exercise of public authority or for the legitimate interests of the controller or third party and there are no overriding legitimate reasons for processing or the data subject objects to processing for direct marketing purposes based on the legal title of legitimate interest;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services to a minor younger than sixteen (16) years of age.
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. The right to erasure cannot be applied if the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if it is likely that the right to erasure would prevent or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
- Right to restriction of processing (Article 18) (right to blocking according to the Data Protection Act)
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing in the public interest or for the legitimate interests of the controller or a third party, until it is verified whether the legitimate reasons of the controller outweigh the legitimate reasons of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
- Right to data portability (Article 20)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent to the processing of personal data or is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken before the conclusion of the contract at the request of the data subject;
- the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right referred to in this Article shall be without prejudice to the right to erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.
- Right to lodge a complaint with a supervisory authority (Article 77)
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy. The supervisory authority for the Czech Republic is the Office for Personal Data Protection.