Managing Personal Data

PRINCIPLES OF THE MANAGER ON THE PROCEDURE FOR REFLECTING THE RIGHTS OF PERSONAL DATA

of the company BeerPass sro, with its registered office at Dětská 1326/152, Strašnice, 100 00 Prague 10, IČ 08098344, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 312975 (hereinafter referred to as the “Administrator”), pursuant to Regulation of the European Parliament and (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter “the Regulation”).

I. General conditions
Michael Risser (hereinafter referred to as the “Responsible Person”) is responsible for processing all requests and fulfilling the Administrator’s obligations under this Policy. All submitted applications and other related notes and documents shall be forwarded to the Responsible Person without undue delay.

All notices, information, calls and other notes sent to personal data subjects, eventually recipients of personal data, or other persons, shall be signed by the statutory body of the administrator – executive.

The Subject of Personal Data submits requests under this Policy:

a) Personally

b) In writing, including electronic form (by e-mail)

c) Data box

At each request under these Principles, the Responsible Person verifies the identity of the applicant – the data subject – as follows:

a) Personal filing – identity is verified by presenting an identity document (identity card, passport) – The responsible person notes that the identity of the applicant has been verified

(b) Application in writing, including electronic form – signature on request must be officially verified, in case of electronic form, the application must be signed by a recognized electronic signature

(c) Data box application – the identity of the applicant shall be considered as verified.

In the event that the application does not contain the requisites necessary to verify the identity of the applicant, the controller shall invite the applicant to prove his / her identity in one of the ways specified above and notify the applicant of the consequences of non-compliance. If the applicant fails to prove his / her identity afterwards, his / her application will not be accepted and the Regulation’s provisions will not be accepted, with the applicant being informed of the possibility of filing a complaint with the supervisory authority and requesting judicial protection.

An application submitted in electronic form is handled electronically (e-mail, data message) if the subject of the personal data does not request another way. In the case of applications made in person or in writing, communications, information, invitations and other documents shall be sent with a receipt to the permanent address of the personal data subject or to the requested delivery address, which the data subject communicated to the controller.

As a rule, the responsible person handles the request within 7 days, for more complex applications within 14 days of the date of receipt of the request.

When processing the application, the Responsible Person draws on the lustration of the electronic database of personal data processed.

Processing of the application is free of charge.

In the event of an unreasonable or disproportionate request (in particular in the case of a repeated request), the controller shall:

a) deposit a fee of 300 CZK

or

(b) refuses to comply with the request – the refusal must be justified and the data subject must be informed within one month of the date of receipt of the request of the possibility of complaining to the supervisory authority and requesting judicial protection

All requests from personal data subjects and communications, information, prompts and other administrator notices, including all related supporting documents, shall be based on the Personal Data Register, unless otherwise stated in this Policy. The Responsible Person is responsible for keeping the agenda.

II. Individual rights of personal data subject
1) RIGHT TO INFORMATION

Partners – natural persons doing business were forwarded the information against the signature at the conclusion of the Partnership Contract.

Clients were provided with this Information during registration, Information forms part of the Registration Form. The information is further posted on the webmaster’s website.

2) RIGHT TO ACCESS PERSONAL DATA

The data subject has the right to obtain from the controller confirmation that personal data relating to him or her are being processed and, if so, has the right to access such personal data and the information specified in the Regulation.

In the data subject’s communication, the controller confirms whether or not personal data relating to the data subjects are being processed.

If personal data are processed, the Administrator informs the subject of personal data about the following:

– Purposes of processing

– Categories of personal data concerned

– Beneficiaries or categories of beneficiaries to whom personal data have been or will be made available, in particular recipients in third countries or international organizations. If personal data are transferred to a third country or international organization, the entity has the right to be informed of the appropriate safeguards under Article 46 of the Regulation that apply to the transfer (personal data are not transferred to third countries or international organizations)

– Scheduled time for which personal data will be stored

– All available information about the source of personal data, if not obtained from the data subject

The Communication also contains the following information:

– the existence of the right to require the controller to rectify or delete personal data relating to the data subject or to limit their processing or to object to such processing

– the right to file a complaint with the supervisory authority

– the fact that there is automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation, and at least in such cases meaningful information regarding the procedure used and the significance and implied consequences of such processing for the data subject (now on no automated decision making including manager profiling)

The communication includes a copy of the personal data being processed. For further copies at the request of the data subject, CZK 30 per page is charged. If the copies contain personal data of other entities, it is necessary to remove these personal data from the deeds.

3) RIGHT OF CORRECTION
The data subject has the right to have the administrator rectify inaccurate personal data relating to him without undue delay. Taking into account the processing purposes, the data subject has the right to complete incomplete personal data, including by providing an additional declaration.

The subject of personal data is obliged to prove inaccuracy or incompleteness of personal data (eg by submitting relevant documents). If the subject of personal data fails to prove this fact, he / she will be asked to submit it with a warning of the consequences of non-compliance with the call. If the personal data subject does not provide evidence of inaccuracy or incompleteness, then his / her application will not be accepted and the subject of personal data will be informed about the possibility to file a complaint with the supervisory authority and request judicial protection.

When the request is received, if the personal data subject denies the accuracy of personal data, it is necessary to limit the processing – see. Item 5 RIGHT TO LIMIT PROCESSING. The responsible person instructs persons with access to personal data (the other manager and other recipients (eg, the accountant) to limit processing. Personal data can only be stored but not processed. Restrictions – for example, temporarily moving data to another processing system, disabling personal data or temporary deletion of published data from websites.

In the data subject’s message:

a) Inform the subject of the personal data about the adoption of the measure – the repair was carried out and the processing was restricted from the date of receipt of the application until the day of the repair, or a supplement was made. If the personal data subject in his application has requested information on the recipients of personal data to which the personal data was made available, the administrator shall inform the data subject of such data

b) It informs the subject of personal data of non-acceptance of the measure – the correction or addition was not carried out and for what reasons processing was limited from the date of receipt of the request to the day of this communication, it is in the processing of personal information from the day following the day of this communication the complaint to the supervisory authority and to seek judicial protection

In addition, the responsible person prepares repair or supplement information for recipients of personal data that have been corrected or supplemented.

The responsible person corrects inaccurate and incomplete personal data even if he / she finds out inaccuracy or incompleteness other than on the basis of a request from a personal data subject (eg information of a person with access that processes personal data.

4) RIGHT TO DELAY
The data subject has the right to have the administrator delete personal data relating to the data subject without undue delay and the controller is obliged to delete the personal data without undue delay if any of the reasons specified in the Regulation are given.

The responsible person continuously monitors whether the purpose of the processing of personal data has already passed

Furthermore, personal data will be deleted:

1) if the data subject withdraws his consent for processing, even for one purpose, and there is no other legal reason to process them

(2) the data subject objects to the processing and these objections are considered justified

3) personal data has been processed illegally

4) personal data must be erased to fulfill the legal obligation laid down in Union law or in the law of the Czech Republic

5) in the case of a legitimate request by the data subject to delete personal data

Personal data will not be deleted if processing is necessary:

(a) for exercising the right to freedom of expression and information;

(b) to fulfill a legal obligation requiring processing under Union or Czech law or to carry out a task performed in the public interest or in the exercise of public authority entrusted to the controller

(c) for reasons of public interest in the field of public health, in accordance with Article 9 (2) (a); (h) and (i) and Article 9 (3) of the Regulation

(d) for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1) of the Regulation, where the right referred to in paragraph 1 is likely to render impossible or seriously compromise the achievement of the objectives of that processing;

(e) to determine, exercise or defend legal claims

If the personal data subject has made a request for deletion of personal data and this request has been considered justified, the controller informs the data subject of the action – the subject’s personal data have been deleted. If the personal data subject in his application has requested information on the recipients of personal data to which the personal data was made available, the administrator shall inform the data subject of such data. The administrator no longer creates this information.

Furthermore, the responsible person prepares the deletion information for the recipient of the personal data. The administrator no longer creates this information.

Furthermore, the responsible person prepares the deletion information for the recipient of the personal data. The administrator no longer creates this information.

In the event that a personal data subject has filed an application for deletion of personal data and the controller, after examining that request, finds that the deletion conditions are not met, the data subject shall inform the non-acceptance – the deletion has not been made and for what reasons and the possibility of complaining to the supervisory authority apply for judicial protection.

5) RIGHT TO REDUCE PROCESSING
The data subject has the right to have the controller restrict processing in the following cases:

(a) the data subject denies the accuracy of personal data for the time necessary for the controller to verify the accuracy of the personal data;

(b) processing is illegal and the data subject refuses to delete personal data and asks instead to limit their use;

(c) the controller no longer needs personal data for processing purposes, but the data subject requires them to determine, exercise or defend legal claims;

(d) the data subject has objected to the processing under Article 21 (1) of the Regulation until it has been verified that the legitimate reasons of the controller override the legitimate reasons for the data subject.

In all cases, any limitation of processing will be made at the request of the data subject or in connection with the request, so the controller himself does not continuously check whether the reasons are met.

Upon receipt of the request, the Responsible Person instructs persons with access to personal data and recipients to limit processing. Personal data can only be stored, but not processed. Restrictions – for example, temporarily moving data to another processing system or disabling selected personal data.

The subject of personal data is obliged to prove inaccuracy of personal data (eg by submitting relevant documents). If the subject of personal data fails to prove this fact, he will be asked by the administrator to warn of the consequences of non-compliance with the call. If the subject of personal data does not even prove the inaccuracy of personal data afterwards, his / her request will not be accepted and the subject of personal data will be informed about the possibility to file a complaint with the supervisory authority and request judicial protection.

The responsible person assesses whether the reason for the correction is fulfilled or whether the objection must be upheld. Subsequently, the controller sends a message to the data subject.

In the data subject’s message:

a) Inform the subject of personal data about the adoption of the measure – a correction has been made and the processing was limited from the date of receipt of the request until the date of the correction. If the entity has requested in its application information on the recipients of personal data to which the personal data in question has been made available, the controller shall inform the data subject of the recipients

b) The subject of personal data shall be informed of the non-acceptance of the measure – the correction was not carried out and for what reasons, the processing was limited from the day following the day of this communication to the processing of personal data , the subject of personal data is further informed that he / she has the opportunity to file a complaint with the supervisory authority and request judicial protection

c) Inform the subject of personal data about the adoption of the measure – the objection was granted and the processing was limited after and from the date of receipt of the request until the date of this communication. If the entity has requested in its application information on the recipients of personal data to which the personal data in question has been made available, the controller shall inform the data subject of the recipients

d) Inform the subject of personal data about the non-acceptance of the measure – the objection was not complied with and for what reasons the processing was restricted from the day following the day of this communication processing, the personal data subject continues, the data subject he is further informed that he has the possibility to lodge a complaint with the supervisory authority and to seek judicial protection

Letters b) and c)

The responsible person assesses whether there is a reason to limit processing. Subsequently, the controller sends the data subjects to the data.

In the controller’s personal information:

a) Inform the subject of personal data about the adoption of the measure – the application was considered justified and the processing was limited from the date of this communication, if the subject requested information about the recipients of personal data to which the personal data was made available, the administrator informs the data subject beneficiaries

b) Inform the subject of personal data about non-acceptance of the measure – the application was assessed as unfounded and the processing of personal data will not be limited, and the possibility to lodge a complaint with the supervisory authority and request for judicial protection

The responsible person prepares information on the processing limitations for the recipient of personal data to which the personal data have been disclosed.

The processing restrictions on individual personal data are clearly and clearly marked on the system.

Processing restrictions may be revoked and personal data processed further:

1) if the personal data subject has given consent

(2) for the purposes of designation, enforcement or defense of legal claims

(3) for the protection of the rights of another natural or legal person

(4) because of the important public interest of the Union or a Member State

Before the restriction is removed, the data subject is notified that the processing restriction will be canceled.

6) RIGHT TO TRANSFERABLE DATA
This right applies to:

– Personal data was provided to the controller by the data subject itself

– Processing is based on the consent of the data subject (Article 6 (1) (a) of the Regulation) or on performance of the contract (Article 6 (1) (b) of the Regulation); and

– Processing is done automatically

In the controller’s personal information:

a) Inform the subject of personal data about the adoption of the measure – personal data were transferred to the other administrator

b) The subject of personal data informs the non-acceptance of the measure – his / her request was not complied with and for what reasons, the data subject must be further informed about the possibility to file a complaint to the supervisory authority and request for judicial protection

The responsible person will arrange for the transfer of personal data to the other administrator, including the preparation of the cover letter. Personal data must be provided in a commonly used and machine-readable format.

If the administrator no longer has any legal reason for further processing of personal data, personal data must be deleted.

7) RIGHT TO RETURN THE OBJECT
The data subject shall have the right to object:

– Processing based on the performance of a task carried out in the public interest or in the exercise of official authority entrusted to the controller (Article 6 (1) (e) of the Regulation) – in the case of a controller, does not apply

– Processing based on legitimate interests of the controller or a third party (Article 6 (1) (f) of the Regulation) – From the date of receipt of the opposition until it has been verified that the legitimate reasons of the controller override the legitimate reasons of the data subject personal data

– Processing for direct marketing purposes

– Processing for the purposes of scientific or historical research or for stratistic purposes – not applicable in the case of an administrator

The data subject is explicitly informed about this right in the Information Processing and Privacy Policy.

In the admin message:

a) Inform the subject of personal data about the adoption of the measure – his objection was granted and personal data are not processed from the date of this communication processing, the processing was limited from the date of receipt of the request until the day of this communication. If the entity has requested in its application information on the recipients of personal data to which the personal data has been made available, the controller shall inform the data subject of the recipients.

(b) Informs the data subject of the non-action – his or her opposition has been refused and for what reasons (serious legitimate grounds for processing which outweigh the interests or rights and freedoms of the data subject, or to determine, exercise or defend legal claims) receipt of the request by the day of this communication, processing has been limited, the processing of personal data is continued from the day following the day of this communication, the data subject of the personal data must be further informed about the possibility of complaining to the supervisory authority and the right to request judicial protection

If a personal data subject objects to processing for direct marketing purposes, personal data will no longer be processed for that purpose.

8. THE RIGHT TO SUBMIT A COMPLAINT TO THE PERSONAL DATA PROTECTION OFFICE, THE RIGHT TO JUDICIAL PROTECTION
Extract from the Regulation – Articles 77 to 78:

Article 77
Right to lodge a complaint with the supervisory authority

1. Without prejudice to any other means of administrative or judicial protection, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular the Member State of his habitual residence, the place of employment or the place where the alleged infringement occurred, that the processing of his personal data violates this Regulation.

2. The supervisory authority to which the complaint is lodged shall inform the complainant of the progress made in resolving the complaint and of its outcome and of the possibility of judicial protection under Article 78.

Article 79
Right to effective judicial protection against the controller or processor

1. Without prejudice to any available administrative or extrajudicial protection, including the right to lodge a complaint with a supervisory authority under Article 77, each data subject shall have the right to effective judicial protection if he considers that his rights under this Regulation have been infringed as a result of processing his personal data contrary to this Regulation.

2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor concerned has an establishment. Where appropriate, proceedings may also be brought before the courts of the Member State where the data subject has his habitual residence, except where the controller or processor is a public authority of a Member State acting in the exercise of official authority.

The subject of personal data is explicitly informed about the right to file a complaint with the Office for Personal Data Protection within the Information on the processing and protection of personal data.

Furthermore, the subject is informed about the possibility of filing a complaint and applying for judicial protection in the absence of measures – non-compliance with the request of the subject of personal data – see. above

9. THE RIGHT TO NOT BE SUBJECT TO AUTOMATED INDIVIDUAL DECISION MAKING INCLUDING PROFILING
Automated decision making and profiling are not used by the administrator.

10. NOTIFICATION OF CASES OF BREACH OF PERSONAL DATA SECURITY TO PERSONAL DATA BODIES

If a security breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall notify the breach without undue delay.

The notification shall contain the following particulars:

a) Description of the nature of personal data breaches

(b) Name and contact details of the contact person who may provide further information

c) A description of the likely consequences of personal data breaches

(d) A description of the measures taken or proposed by the controller to address the personal data breach, including any mitigation measures;

A data subject’s notification is not required if any of the following conditions is met:

(a) the controller has put in place appropriate technical and organizational safeguards, and such measures have been applied to personal data affected by the breach of personal data, in particular those that render such data incomprehensible to anyone who is not authorized to access them, such as encryption

(b) the controller has taken follow-up measures to ensure that the high risk for data subjects’ rights and freedoms is unlikely to be reflected

(c) this would require a disproportionate effort. In this case, the data subjects must be informed in an equally effective way by means of a public notice or similar measure

III. Final Provisions
The responsible person continuously monitors the timeliness and correctness of these Principles and makes changes to these Principles with regard to developments in time, knowledge of practice and the company’s needs.

This English version is a translation of the original Czech version. It is only of an informative nature. In the event of any discrepancy between the English and Czech versions, the Czech version takes precedence.