INFORMATION MEMORANDUM ON THE PROCESSING OF PERSONAL DATA OF DINERS OF GTH catering a.s.
- PURPOSE OF THE DOCUMENT
This document is intended for you, our customers - diners, and has been prepared with the aim of providing clear and understandable information about:
- who our Company is and what services we provide for the processing of personal data (see Chapter 2)
- what principles we follow when processing personal data (see Chapter 3)
- what personal data we collect (see Chapter 4)
- why we process personal data and what entitles us to do so (see Chapter 5)
- where we primarily obtain personal data (see Chapter 6)
- where and for how long we store personal data (see Chapter 7)
- how we ensure the protection of processed personal data (see Chapter 8)
- to whom we disclose personal data (see Chapter 9)
- what your rights are as a data subject and how you can exercise them (see Chapter 10).
The Information Memorandum is effective from 25.5.2018 and is issued in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR)
If you do not find answers to your questions regarding the processing of personal data here, or if you want to explain any part of it in more detail, please do not hesitate to contact us.
- OUR COMPANY
Our company is called GTH catering a.s., ID 09342061 and we are based at Tomíčkova 2144/1, Chodov, Prague (hereinafter also referred to as the "Company") and we offer comprehensive solutions for catering services, especially in industrial enterprises and administration.
- PRINCIPLES OF PERSONAL DATA PROCESSING
All processing of personal data in our Company respects the following principles:
- any processing of personal data pursues a legitimate and legitimate purpose, and is carried out in a manner and means that are in accordance with the legislation on the protection of personal data
- we do not process personal data without a legitimate legal title
- we collect only the necessary personal data to fulfil the stated purpose
- we endeavour to process only accurate and up-to-date personal data
- we process personal data only for as long as necessary
- we will inform you about the methods of personal data processing
- we respect your rights as a data subject
- we strictly protect personal data
- WHAT PERSONAL DATA WE PROCESS
We process only such data that are necessary for the provision of our services and the fulfilment of obligations arising from binding legal regulations.
This includes in particular the personal data listed below, which may differ in particular according to the payment model for the services provided, e.g. in the context of commercial sales (paid by the diner in cash / via a customer or debit card) or in the context of non-commercial or partial commercial sales (paid by our institutional clients).
Common personal information
- name and surname, personal number and contact details (e-mail) of the diner
- the number of our customer/payment card or a third-party card used by the diner for payment
- information about the type of payment (e.g. cash, meal vouchers, credit card transactions)
- information about the employer and any obstacles to making a deduction from wages
- data necessary for the provision and invoicing of services provided, data relating to the circumstances of the occurrence of receivables against boarders/institutional clients and other data necessary to protect the Company's rights
Special categories of personal data (sensitive data)
- we do not process sensitive personal data
- WHY WE PROCESS PERSONAL DATA AND WHAT ENTITLES US TO DO SO
We process the personal data of boarders (see Chapter 4) for the following purposes.
|
Purpose of procesing |
Legal basis for processing |
|
Conclusion and performance of a contractual relationship with boarders/institutional clients. |
Performance of the contract. |
|
Issuance of a customer card to pay for services and maintenance of an account for this card. |
Performance of the contract. |
|
Provision of documents for invoicing. |
Performance of the contract. |
|
Documenting and calculating tax liabilities and bookkeeping. |
Fulfilment of legal obligations arising from the Accounting Act, the VAT Act and other Czech accounting and tax laws. |
|
Dispute resolution and legal enforcement of negotiated agreements. |
Legitimate interest of the Company. |
- WHERE WE OBTAIN PERSONAL DATA
The source of the personal data we process is the boarder himself (in commercial sales) or the boarder's employer (in non-commercial / partially commercial sales).
- WHERE AND FOR HOW LONG WE STORE PERSONAL DATA
The personal data collected by our Company is processed and stored in the territory of the EU / EFTA countries.
Our Company stores personal data only for the period strictly necessary. We keep them for up to ten years in order to comply with legal obligations (e.g. in documenting the calculation and payment of taxes) and the rules of prudence and due diligence, especially with regard to statutory limitation periods.
- HOW WE PROTECT PERSONAL DATA
In order to ensure the protection of personal data, we have taken adequate technical and organizational measures to ensure their security, in particular:
- we have established detailed rules for the collection and handling of personal data, which we strictly control
- we have limited access to personal data to only the necessary number of responsible persons
- we have bound the authorized persons to a duty of confidentiality
- If we already have to involve other entities (so-called processors) in the processing of personal data, we carefully assess whether they provide sufficient guarantees to ensure the security of personal data
If there is an unauthorized interference or leakage of personal data and such a situation poses a high risk to the data subject, we are obliged to notify the data subject and the Office for Personal Data Protection without undue delay.
- TO WHOM WE DISCLOSE PERSONAL DATA
The processed personal data may be made available to the following entities:
- external suppliers who provide us with important services, especially IT infrastructure
- to the competent state authorities in the exercise of their powers based on the applicable legislation, e.g. law enforcement authorities, insolvency administrators, supervisory and control authorities
- courts and bailiffs, etc., for the purpose of enforcing negotiated agreements
- YOUR RIGHTS AND HOW TO EXERCISE THEM
In connection with the protection of your personal data, you have the right to request:
- confirmation of whether our Company processes personal data about you
- personal data, the fact that automated decision-making, including profiling, takes place, appropriate safeguards when transferring data outside the EU a free copy of the personal data, provided that the rights and freedoms of others are not adversely affected
- rectification of your inaccurate personal data or their completion by providing an additional statement, revoking your consent to the processing of your personal data, erasure of your personal data, restriction or objection to their processing
You also have the right to file a complaint with the Office for Personal Data Protection, by letter to Pplk. Sochora 27, 170 00 Prague 7, by e-mail posta@uoou.cz or by phone +420 234 665 111.
These rights can be exercised by means of a written request delivered to Tomíčkova 2144/1, 148 00 Prague 4, to the e-mail box oznamto@gthcatering.cz, or to the data box j5zdyh9. It is necessary to include the text "Personal data" in the subject of the message.
We will provide you with information about the evaluation of your application and the measures taken without undue delay, no later than 30 days after the delivery of the application. In exceptional cases, we are entitled to extend this period by two months. We will also inform you about such an extension and its reasons.
More detailed information on the rights of data subjects and the conditions for their exercise can be found in the Annex.
------------------------------------------------------------------------
ANNEX TO INFORMATION MEMORANDA ON THE PROCESSING OF PERSONAL DATA
This document contains a detailed list of the rights of data subjects arising from Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data (GDPR).
Right of access
The data subject has the right to access his/her personal data, i.e. the right to request:
- confirmation whether our Company processes personal data about him
- information about the purposes of the processing, the categories of personal data concerned, the recipients of the personal data, the planned period of processing, the rights of the data subject, the sources of personal data, the fact that automated decision-making, including profiling, takes place, and appropriate safeguards when data is transferred outside the EU
- a free copy of the personal data, provided that the rights and freedoms of others are not adversely affected
If the request is evaluated as justified, we will allow the data subject to access their personal data without undue delay, no later than 30 days from the receipt of the request. In exceptional cases, we are entitled to extend this period by two months. We will inform him about such an extension and its justification.
Right to rectification of inaccurate data
The data subject has the right to request the rectification of their inaccurate personal data or their completion by providing an additional statement.
Right to erasure (right to be forgotten)
The data subject has the right to request the erasure of his/her personal data if one of the following conditions is met1:
- the personal data are no longer necessary for the purposes for which they were processed
- the consent of the data subject has been withdrawn and there is no other legal reason for the processing
- the personal data has been processed unlawfully
- personal data must be erased to comply with a legal obligation
- personal data have been collected in connection with the offer of information society services to the child
Right to restriction of processing
Our Company is obliged to restrict the processing of personal data if any of the following reasons are met:
- the data subject denies the accuracy of the PD; the restriction will be accepted for the period necessary for us to verify the accuracy of the personal data
- the data subject considers that the processing is unlawful, but at the same time refuses its erasure and requests the restriction of its use instead
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims
- the data subject requests personal data for the establishment, exercise or defence of legal claims, although our Company no longer needs them
Personal data may be further processed (with the exception of their storage) only a) with the consent of the data subject, b) for the purpose of determining, exercising or defending legal claims, c) for the protection of the rights of another natural or legal person or d) for reasons of important public interest.
If the restriction is lifted by the Company, we will notify the data subject of this situation in advance.
Object to processing
The data subject may object to the processing of his or her personal data relating to his or her particular situation. After raising a legitimate objection, it is the duty of our Company to prove that our legitimate interests outweigh the fundamental rights and freedoms of the data subject.
Objection is possible only to the processing of the ongoing:
- on the basis of the legitimate interest of our Company or on the basis of the performance of a task carried out in the public interest or in the exercise of official authority, including profiling
- for the purposes of scientific or historical research or for statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest
If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
Automated individual decision-making, including profiling
The data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects for him or her or similarly significantly affects him/her.
Lodge complaints with the supervisory authority
The data subject has the right to complain to the Office for Personal Data Protection. Complaints can be sent by letter to Pplk. Sochora 2 7, 170 00 Prague 7, by e-mail posta@uoou.cz or by phone +420 234 665 111.