GDPR
Rules for processing personal data

Advocuts v.o.s., law firm, ID: 14101025, with its registered office at Na strži 2102/61a, Krč, 140 00 Prague 4, e-mail: info@advocuts.cz (hereinafter referred to as the "law firm"), as the controller of personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the "GDPR") has reviewed its own procedures for handling personal data during the performance of its law practice and, as a result of their summary, hereby declares these rules of procedures related to the processing of personal data.
The law firm ensures compliance with these rules when processing personal data by its partners, collaborators and, in the case of suppliers – external processors of personal data, has contractually secured guarantees of adequate protection pursuant to Article 28 of the GDPR.
In order to exercise any rights pursuant to the GDPR, or within the framework of any other communication, the data subject may contact the law firm primarily via e-mail address, but also by post or data message.
The law firm processes the following categories of personal data: names, surnames, dates of birth, addresses, e-mail addresses, telephone numbers, or others in accordance with the purpose of processing.
The legal basis for processing is a contract for the provision of legal services, for the duration of the contract, after its termination or, if not concluded, the fulfillment of legal obligations and legitimate interests of the law firm, which last for 10 years.
Without the provision of personal data by the data subject – the client (hereinafter referred to as the "client"), the law firm is unable to fulfill the obligations arising from the above-mentioned contract. The law firm obtains personal data from the client, or from the commercial register, trade register, insolvency register, list of executions and other publicly available sources.
In the event that the legal basis for processing personal data is consent, the client will be provided with qualified written instructions before the processing begins and will be able to decide whether to grant consent or not.
II.
The law firm processes personal data exclusively in accordance with the legal grounds set out in Article 6 of the GDPR, only to the extent necessary and for the necessary period. The law firm records the purposes of processing personal data and the period of processing for individual agendas in records of processing activities pursuant to Article 30 of the GDPR.
Only persons who need to handle them in the performance of their tasks and obligations for the law firm have access to personal data. These persons maintain confidentiality regarding the personal data they become familiar with; this obligation is contractually guaranteed. Other recipients of personal data are public authorities, cooperating lawyers and employees or collaborators of the law firm, and recipients according to the needs and instructions of the client.
The purpose of processing is the provision of legal services under the contract concluded with the client, the legitimate interests of the law firm and the fulfillment of legal obligations, in particular under Act No. 85/1996 Coll., on advocacy, as amended, and Act No. 253/2008 Coll., on certain measures against the legalization of proceeds from crime and the financing of terrorism and other relevant regulations, as amended.
III.
The Law Society, in accordance with the regulations on advocacy and the usual standard practices in the field of advocacy, guarantees the appropriate secure processing of personal data and takes measures to secure personal data, in particular:
- ensuring the presence of the persons referred to in Article 2 in the premises where personal data are processed, for the period when these premises are accessible to other persons, or locking documents with personal data if the person referred to in Article 2 is not present at this time,
- locking the premises in which personal data are stored,
- protecting access to computer technology that processes personal data with individual strong passwords and protecting these passwords from disclosure,
- protecting computer technology with antivirus programs; this also applies to portable devices, if such programs are commonly available for them,
- other appropriate measures for the protection of portable computing equipment or portable data storage (in particular, constant supervision, locked shipping packaging, foil on the display, password protection of data, personal manipulation of the storage when copying data to another device),
- password protection of files with a large amount of personal data or with easily misused or sensitive personal data in the case of sending a file by e-mail or storing it on a shared storage and, if it is necessary to transfer these files, communication of the password via a communication channel other than the one through which they were sent (telephone, SMS).
The law firm ensures the proper fulfillment of obligations under the regulations governing archiving, observes the statutory deadlines for storing documents and archiving, and also carries out the disposal procedure in a timely and proper manner.
Personal data will be processed for the duration of the above-mentioned contract or for the duration of the legitimate interests of the law firm. After this period, they will be handled in accordance with applicable law.
The client's personal data is processed in electronic form by automated means. Personal data is also processed manually in accordance with the relevant purpose, where manual processing is necessary or appropriate. No profiling or automated decision-making is carried out.
IV.
The Law Society fulfills all the rights of data subjects. The processing of all requests from data subjects is in accordance with the regulations on advocacy, i.e., the principles of the practice of advocacy must not be jeopardized, in particular the obligation of confidentiality arising from Section 21 of the Advocacy Act and other obligations arising from the law, the code of ethics and other chamber standards.
The law firm also, in particular:
- keeps records of processing activities pursuant to Article 30 of the GDPR,
- ensures that data subjects are informed in accordance with Articles 12 to 14 of the GDPR,
- fulfils other rights of data subjects pursuant to Articles 15 to 22 of the GDPR,
- carries out reporting and notification of personal data breaches pursuant to Articles 33 and 34 of the GDPR.
Drafts of records, information, handling of requests/complaints and notifications and notices are filed with the law firm.
Data subjects may submit their requests/complaints to exercise the rights described above to the law firm, in particular by sending them via the law firm's email address or in writing to the address of the law firm's registered office.
V.
The law firm has conducted a risk analysis of the processing of personal data and has taken appropriate technical and organizational measures to secure the processing, as described above. The risk analysis concluded that the processing of personal data does not pose a high risk to the rights and freedoms of the data subjects concerned and therefore it is not necessary to prepare a data protection impact assessment.
The law firm has carried out an assessment of the processing of personal data from the perspective of Article 37 of the GDPR. The law firm does not meet the conditions for the appointment of a data protection officer (hereinafter referred to as the "DPO") in accordance with recital 91 of the GDPR and is not obliged to appoint a DPO. Therefore, a DPO has not been appointed at the law firm.
In addition to records of processing activities pursuant to Article 30 of the GDPR, the law firm keeps records of any consents to the processing of personal data, unless there is another legal title for the processing of personal data, and records of cases of personal data security breaches.
The law firm regularly, at least once a year, evaluates compliance with personal data protection rules, including technical and organizational measures, and takes corrective measures, or updates internal documentation related to personal data protection as necessary.
VI.
The data subject has the following rights in accordance with the GDPR:
- Right to request access to personal data concerning the data subject. The data subject has the right, pursuant to Article 15 GDPR, to obtain from the law firm confirmation as to whether or not personal data concerning him or her are being processed and, if so, to access those personal data and the following information:
  - purposes of processing;
  - the categories of personal data concerned;
  - the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  - the planned period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period;
  - the existence of the right to request from the law firm the correction or erasure of personal data concerning the data subject or the restriction of their processing or to object to such processing;
  - the right to file a complaint with a supervisory authority;
  - any available information about the source of the personal data, unless obtained from the data subject;
  - the fact that automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, is taking place and, at least in such cases, meaningful information concerning the process involved, as well as the significance and envisaged consequences of such processing for the data subject.
- Right to rectification. According to Article 16 GDPR, the data subject has the right to obtain from the law firm without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
- Right to erasure ("right to be forgotten"). According to Article 17 of the GDPR, the data subject has the right to have the law firm erase personal data concerning him or her without undue delay if one of the reasons in the GDPR applies, in particular:
  - the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  - the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;
  - the personal data has been processed unlawfully;
  - the personal data must be erased to comply with a legal obligation laid down in Union or Member State law.
- Right to restriction of processing. The data subject has the right, pursuant to Article 18 GDPR, to have the law firm restrict processing in any of the following cases:
  - the data subject disputes the accuracy of the personal data, for a period necessary for the law firm to verify the accuracy of the personal data;
  - the processing is unlawful and the data subject refuses the erasure of the personal data and requests the restriction of their use instead;
  - the law firm no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
  - the data subject has objected to the processing pursuant to Article 21(1) of the GDPR, pending verification whether the legitimate grounds of the law firm override those of the data subject.
- Right to object to processing. The data subject has the right, pursuant to Article 21 of the GDPR, to object at any time, on grounds relating to his or her particular situation, to the processing of personal data where the legitimate interest of the law firm is the basis. If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes, unless the data subject has given his or her informed and free consent to such processing.
- The data subject has the right to lodge a complaint with the supervisory authority, which in the Czech Republic is the Office for Personal Data Protection, in accordance with Article 77 of the GDPR. The supervisory authority's website: https://www.uoou.cz.