These principles are based on the Personal Data Management Directive and its annexes, adopted by Bristol Group s.r.o. (hereinafter referred to as the “Company”) for the processing and protection of personal data within the meaning of the General EP Regulation GDPR No. 2016/679 and in accordance with the valid legal order of the Czech Republic from 24.4.2019, as amended. The Principles provide information on the basic principles under which the Company processes the personal data of statutory representatives, job candidates, natural persons conducting business, clients, candidates, representatives of legal entities and suppliers, customers, business and contractors, tenants, employees, temporary workers, and practice students, transporters, visitors, guests, service users, and other persons (data subject), and the Company's approach to the processing, protection and security of the data subject's personal data.
1.1. The Company, in the role of a personal data controller, processes the personal data of data subjects in all its main activities based on the division of the Company's departments, not only through controlled access to such information. Furthermore, it processes employees' personal data for legitimate purposes related to their employment with the Company.
1.2. Since 25.05.2018, the Company has been processing the personal data of entities in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which is directly applicable in all EU Member States (General Data Protection Regulation “GDPR”). Furthermore, the Company processes the personal data of data subjects pursuant to Act No. 110/2019 Coll., on the processing of personal data, with effect from 24 April 2019.
1.3. The Company, as a legal entity, processes personal data and fulfills the duties of the controller of the data or its processor, as stipulated by the applicable legal regulations.
1.4. The data subject provides the Company with personal data depending on the purpose of their processing, which is set out in its entirety in Annex No. 1 to the Company's Internal Data Protection Directive:
- the selection procedure for the post;
- to provide the Company's services (in particular: accommodation, reservation, catering, spa and ambulatory, diagnostic and related care services);
- for the purposes of the legitimate interests of the Company or of a third party;
- to perform the contract between the entity and the Company;
- for communication with customers, suppliers, contractors and business partners;
- to ensure the purpose of the lease;
- for training and educational activities;
- to ensure the internal processes of security and protection of personal data, the administration of payroll and personnel administration and the resulting duties of keeping the Company's accounts;
- for other purposes with the consent of the entity to the processing of its personal data.
1.5. Consent to the processing of personal data is granted by the personal data subject in the event that no other legal title can be used for the purpose of processing.
The Company accepts the data subject's consent as a free, concrete, informed and unambiguous manifestation of the will by which the data subject gives its consent to the processing of its personal data by means of a statement or other obvious confirmation. The data subject shall have the right to withdraw his consent at any time. The withdrawal of the consent shall not affect the legality of the prior processing of the personal data of the entity, based on the previously granted consent. The data subject shall be informed before consent is given.
2. Purpose of personal data processing
2.1. Personal data of personal data subjects shall be collected only for certain, explicit and demonstrable purposes and may not be further processed in a way incompatible with those purposes. The processing of personal data is carried out primarily to cover the Company's principal activities, which include, in particular, production, trade and services not listed in Annexes 1 to 3 of the Trade Licensing Act, rental of real estate, apartments and non-residential premises; physical therapy - individual physiotherapy - movement therapy using devices - group movement therapy - hydrotherapy; rehabilitation and physical medicine - medical rehabilitation care; internal medicine outpatient care - laboratory workplaces diagnostic medical care - clinical biochemistry; follow-up in-patient care: spa and rehabilitation care, hospitality, sale of fermented alcohol, consumer alcohol and spirits, massage, reconditioning and regeneration services, accounting consultancy, bookkeeping and tax records, provision of physical education and sports services in fitness and swimming, security of property and persons, exchange office and road and motor transport - freight operated by vehicles with a maximum authorized weight of 3.5 t or passenger transport intended for a maximum of nine persons.
3. Categories of personal data processed
3.1. The Company collects, processes and stores the following categories of personal data of entities whose composition is always determined by the necessity of processing personal data according to the defined purpose of processing personal data for the given data subject:
3.1.1. address, contact and identification personal data - especially: name, surname, date of birth or birth number, residence, telephone number, e-mail, delivery address, citizenship, OP number, CP number, license number, TP, bank account number, data box, personal experience, education;
3.1.2. descriptive personal data - in particular: the entity's data relating to the contractual relationship, such as, in addition to the personal data already mentioned under 3.1.1., VAT number, registered office and business address, etc.;
3.1.3. specific categories of personal data, in particular sensitive data - categories of specific personal data, generally affecting the health of the data subject;
3.1.4. other personalized data - e.g. photographs or camera recordings.
4. The method of processing and storing personal data and the time of their storage with the Company
4.1. The Company processes the subject's personal data manually or by automated means and securely stores it in paper or electronic form for the period specified in the archiving, file and shredding regulations and the deadlines set by the relevant legislation in the Czech Republic. In relation to the purpose of processing, some of the subject's personal data are kept in the Company's information system (eg personnel system, economic information system, reservation and accommodation system, laboratory system including modules for the provision of services, etc.).
4.2. The Company processes personal data in such a way as to ensure that it is adequately protected by means of established security measures against unauthorized or unlawful processing and accidental loss, destruction or damage, e.g. through controlled access to such information, encryption and pseudonymization of personal data, or, for example, regular checks and audits of the security measures in place.
5. Transfer of personal data
5.1. The Company shall not pass on personal data to persons other than personal data processors unless an obligation to transfer it to authorities or institutions is imposed by law or the data subject has given consent.
6. Rights of the data subject
6.1. Upon request, the data subject shall receive from the Company, unless specified in the request, all information on the processing of its data, in a concise, understandable and easily accessible manner, using clear and simple language.
6.2. The request may be submitted by electronic means, filed by means of a data box or postal service provider, or by oral filing made with the Company; the request cannot be made by telephone.
6.3. If personal data relating to the data subject are obtained directly from him, the Company shall provide him with the following information at the time he receives the personal data:
- the identity and contact details of the controller;
- the contact details of the DPO;
- the purposes of the processing for which the personal data are intended and processed and the legal basis for their processing;
- the legitimate interests of the controller or a third party if the processing is based on this legal title,
- any recipients or categories of recipients of personal data, including any processor;
- any intention of the controller to transfer personal data to a third country or an international organization, including a reference to appropriate safeguards;
- the period for which personal data will be stored with the Company or, if it is not possible to determine it, the criteria used to determine this period;
- the existence of the right to request from the Company access to, rectification or deletion of personal data concerning the data subject, and, where appropriate, restrictions on processing, and to object to the processing as well as the right to data portability;
- where the processing is based on the data subject's consent, the existence of the right to withdraw the consent at any time, without prejudice to the lawfulness of the processing based on the consent granted prior to its withdrawal;
- possibility to lodge a complaint with the supervisory authority,
- whether the provision of personal data is a legal or contractual requirement or a requirement to be included in a future contract and whether the data subject is obliged to provide personal data and the possible consequences of not providing such data;
- whether there is automated decision-making, including profiling, and at least in such cases, meaningful information regarding the process used, as well as the significance and expected consequences of such processing for the data subject.
6.4. If the Company intends to further process personal data for a purpose other than the purpose for which it was collected, it will provide the data subject with information about that other purpose before such further processing.
6.5. The Company need not provide processing information to the data subject if and to the extent that the data subject already has that information.
6.6. If personal data have not been obtained from the data subject, the Company shall provide it with the same information and, in addition, the source from which the personal data originate and, where appropriate, whether the data originates from publicly available sources.
6.7. The Company shall not impose any disclosure duty in the case of obtaining personal data from someone other than the data subject, unless the acquisition or disclosure is expressly provided for by the law applicable to the Company and which lays down security and organizational measures to protect the data subject's legitimate interests.
6.8. The data subject shall have the following additional rights:
- to obtain from the Company, if the conditions are met, information on the processing of its personal data (identity and contact details of the controller and his or her representative, if any; contact details of the Data Protection Officer (DPO); the personal data are identified and the legal basis for the processing, any recipients or categories of recipients of personal data and other information necessary to ensure transparent and fair processing of their personal data),
- to obtain access to personal data from the Company, ie to obtain confirmation from the Company whether it is processing personal data relating to it and, if so, the data subject has the right to access and other legal information,
- to correct their incorrect personal data, or to complete incomplete personal data,
- for the deletion of his/her personal data if the legal conditions have been fulfilled, e.g. if the personal data are no longer needed for the purposes for which they were obtained or otherwise processed, or e.g. if the entity withdraws its consent under which the personal data were processed,
- to limit the processing of personal data by the Company, if the legal conditions are met,
- the portability of the data, ie the collection of personal data relating to it provided to the Company in a structured, commonly used and machine-readable format;
- object to the processing of personal data concerning him at any time on the grounds of his particular situation;
- not be subject to automated individual decision-making, including profiling, unless the entity has given its consent, except where automated processing is permitted by law;
- file a complaint with the supervisory authority.
6.9. The Company is entitled to require a data subject who submits a request to exercise any of the above rights to prove their identity, either through verification by the relevant employee or through other available methods (e.g. data box, notarial / Czechpoint verification of signature, or in person at the registered office of the Company).
6.10. The Company is entitled, in cases defined by law, to charge the data subject a reasonable fee for providing information about the personal data processed, not exceeding the costs necessary to provide the information.
7. Final provisions
7.1. The data subject may obtain all information on the processing of his personal data in person or by e-mail. Current contact information for the Data Protection Officer is available on the Company's website at www.bristolgroup.cz.