Rules for processing personal data
AND.
Advocuts vos, law office , IČ: 14101025, with its registered office at Na strži 2102 / 61a, Krč, 140 00 Prague 4, e-mail: info@advocuts.cz (hereinafter referred to as the “ law firm ” ), as the administrator of personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on free movement of such data and on repealing Directive 95/46 / EC (General Data Protection Regulation, hereinafter " GDPR "), revised its own procedures for the processing of personal data during its legal practice and, as a result of their summarisation, hereby declares these rules of personal data processing procedures.
The law firm ensures compliance with these rules when processing personal data by its partners, associates and, in the case of suppliers - external processors of personal data, has contractually provided guarantees of adequate protection in accordance with Article 28 of the GDPR.
In order to exercise any rights under the GDPR, or in any other communication, the data subject may contact the law firm primarily via e-mail address, but also by post or data message.
The law firm processes the following categories of personal data: names, surnames, dates of birth, addresses, e-mail addresses, telephone numbers, or others in accordance with the purpose of processing.
The legal basis for processing is a contract for the provision of legal services, for the duration of the contract, after its termination or if the fulfillment of legal obligations and legitimate interests of the company of lawyers, which last for a period of 10 years.
Without the provision of personal data by the data subject - the client (hereinafter referred to as the " client "), the law firm is not able to fulfill the obligations arising from the above contract. The law firm obtains personal data from the client, or executions and other publicly available resources.
If the legal basis for the processing of personal data is consent, the client will be provided with a qualified written instruction before the processing begins and will be able to decide whether or not to give consent.
II.
The law firm processes personal data only in accordance with the legal grounds set out in Article 6 of the GDPR, only to the extent necessary and for the time necessary. The purposes of personal data processing and the time of their processing are recorded by the company of lawyers for individual agendas in the records of processing activities pursuant to Article 30 of the GDPR.
Only persons who need to handle them in the performance of their tasks and duties for a company of lawyers have access to personal data. These persons maintain the confidentiality of the personal data with which they become acquainted, this obligation is contractually guaranteed. Other recipients of personal data are public authorities, cooperating lawyers and employees or associates of a law firm, as well as recipients according to the needs and instructions of the client.
The purpose of processing is to provide legal services under a contract concluded with a client, the legitimate interests of a law firm and the fulfillment of legal obligations, especially under Act No. 85/1996 Coll., On Advocacy, as amended, and Act No. 253/2008 Coll., on certain measures against money laundering and terrorist financing and other relevant regulations, as amended.
III.
In accordance with the regulations on advocacy and the usual standard practices in the field of advocacy, the law firm guarantees the appropriate secure processing of personal data and takes measures to secure personal data, in particular:
ensuring the presence of the persons referred to in Article 2 in the premises where personal data are processed, for the period when these premises are accessible to other persons, or locking the documents with personal data, if the person referred to in Article 2 is not present at that time,
locking of premises where personal data are stored,
protection of access to personal data processing technology by individual strong passwords and protection of these passwords against disclosure,
protection of computer technology by anti-virus programs; this also applies to portable devices, if such programs are commonly available for them,
other appropriate measures for the protection of portable computer technology or portable data storages (in particular constant supervision, locked transport packaging, transparencies on the display, data encryption, personal manipulation of the storage when copying data to another device),
encryption of files with a large amount of personal data or with easily misused or sensitive personal data in case of sending the file by e-mail or storing it in a shared storage and in case it is necessary to pass these files with a password via another communication channel than sent (phone, sms).
The law firm ensures that the obligations under the regulations governing archiving are properly fulfilled, that it complies with the legal deadlines for storing documents and archiving, and that it also conducts shredding procedures in a timely and proper manner.
Personal data will be processed for the period of validity of the above-mentioned contract or for the duration of the legitimate interests of the company of lawyers. After this period, they will be disposed of in accordance with applicable law.
The client's personal data are processed in electronic form by automated means. Personal data is also processed manually in accordance with the relevant purpose, where manual processing is necessary or appropriate. Neither profiling nor automated decision making is performed.
IV.
The law firm fulfills all the rights of data subjects. The handling of all data subjects' requests is in accordance with advocacy regulations, ie the principles and principles of advocacy must not be jeopardized, especially the duty of confidentiality arising from § 21 of the Advocacy Act and other obligations arising from the law, code of ethics and other camera standards.
The company of lawyers also in particular:
keep records of processing activities pursuant to Article 30 of the GDPR,
ensure that data subjects are informed in accordance with Articles 12 to 14 of the GDPR,
fulfills other rights of data subjects under Articles 15 to 22 of the GDPR,
carries out the reporting and notification of personal data breaches pursuant to Articles 33 and 34 of the GDPR.
Draft records, information, processing of requests / complaints, and notifications and notices are filed with a law firm.
Data subjects may submit their requests / complaints for the exercise of the rights described above to a law firm, in particular by sending them via the email address of the law firm or in writing to the registered office of the law firm.
IN.
The law firm has performed a risk analysis of the processing of personal data and has taken appropriate technical and organizational measures to ensure the processing as described above. The risk analysis concluded as follows: the processing of personal data does not pose a high risk to the rights and freedoms of the data subjects concerned and therefore no personal data protection impact assessment is required.
The law firm has assessed the processing of personal data in the light of Article 37 of the GDPR. The Bar Association does not meet the conditions for the appointment of a Data Protection Officer (" DPO ") in accordance with recital 91 of the GDPR and is not obliged to appoint a DPO. Therefore, the DPO was not appointed by the Bar Association.
In addition to records of processing activities pursuant to Article 30 of the GDPR, the law firm keeps records of possible consents to the processing of personal data, unless there is another legal title for the processing of personal data and records of cases of personal data breaches.
The Society of Lawyers regularly, at least once a year, evaluates compliance with the rules of personal data protection, incl. technical and organizational measures and takes remedial action, or updates internal documentation related to personal data protection as necessary.
VI.
The data subject has the following rights in accordance with the GDPR:
The right to request access to personal data concerning the data subject. Pursuant to Article 15 of the GDPR, the data subject has the right to obtain confirmation from the law firm whether or not the personal data concerning him or her are being processed and, if so, to have access to this personal data and to the following information:
processing purposes;
the categories of personal data concerned;
recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or in international organizations;
the planned period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period;
the existence of the right to request or object to the lawyers' rectification or erasure of personal data concerning the data subject or to limit their processing;
the right to lodge a complaint with the supervisory authority;
all available information on the source of the personal data, if not obtained from the data subject;
the fact that there is automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the GDPR, and at least in these cases meaningful information on the procedure used as well as the significance and expected consequences of such processing for the data subject.
Right to repair. Pursuant to Article 16 of the GDPR, the data subject has the right to have the law firm correct inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the data subject has the right to supplement incomplete personal data, including by providing an additional statement.
The right to erasure ("the right to be forgotten"). Pursuant to Article 17 of the GDPR, the data subject has the right to have the law firm delete without undue delay the personal data concerning the data subject if one of the reasons is given in the GDPR, in particular:
personal data are no longer needed for the purposes for which they were collected or otherwise processed;
the data subject objects to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate reasons for the processing or the data subject objects to the processing pursuant to Article 21 (2) of the GDPR;
personal data have been processed illegally;
personal data must be deleted in order to comply with a legal obligation laid down in Union or Member State law.
The right to restrict processing. Pursuant to Article 18 of the GDPR, the data subject has the right to have a law firm restrict processing in any of the following cases:
the data subject denies the accuracy of the personal data for the time necessary for the law firm to verify the accuracy of the personal data;
the processing is unlawful and the data subject refuses to delete the personal data and calls instead for restrictions on their use;
a law firm no longer needs personal data for processing purposes, but the data subject requires them to determine, enforce or defend legal claims;
the data subject has objected to the processing under Article 21 (1) of the GDPR until it is verified that the legitimate reasons of the law firm outweigh the legitimate reasons of the data subject.
The right to object to the processing. Pursuant to Article 21 of the GDPR, the data subject has the right to object to the processing of personal data at any time, for reasons relating to his specific situation, if the title is a legitimate interest of a law firm. If the data subject objects to the processing for direct marketing purposes, personal data will no longer be processed for those purposes, unless he has given his informed and free consent to such processing of personal data.
In accordance with Article 77 of the GDPR, the data subject has the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection in the Czech Republic. Website of the Supervisory Authority: https://www.uoou.cz .