CUSTOMER GTH zařízení školního stravování, spol. s r.o.

INFORMATION MEMORANDUM ON THE PROCESSING OF PERSONAL DATA OF DINERS OF GTH zařízení školního stravování, spol. s r.o.

  1. PURPOSE OF THE DOCUMENT

This document is intended for you, our customers - diners, and has been prepared with the aim of providing clear and understandable information about:

  • who our Company is and what services we provide for the processing of personal data (see Chapter 2)
  • what principles we follow when processing personal data (see Chapter 3)
  • what personal data we collect (see Chapter 4)
  • why we process personal data and what entitles us to do so (see Chapter 5)
  • where we primarily obtain personal data (see Chapter 6)
  • where and for how long we store personal data (see Chapter 7)
  • how we ensure the protection of processed personal data (see Chapter 8)
  • to whom we disclose personal data (see Chapter 9)
  • what your rights are as a data subject and how you can exercise them (see Chapter 10)

The Information Memorandum is effective from 25.5.2018 and is issued in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR).

If you do not find answers to your questions regarding the processing of personal data here, or if you want to explain any part of it in more detail, please do not hesitate to contact us.

  1. OUR COMPANY

Our company is called GTH zařízení školního stravování, spol. s r.o., ID 25753487 and we are based at Tomíčkova 2144/1, Chodov, 14800 Prague (hereinafter also referred to as the "Company") and we offer comprehensive solutions for catering services for all types of schools. We are registered in the Register of Schools and School Facilities under the RED_IZO: 650004604, published by the Ministry of Education, Youth and Sports of the Czech Republic.

  1. PRINCIPLES OF PERSONAL DATA PROCESSING

All processing of personal data in our Company respects the following principles:

  • any processing of personal data pursues a legitimate and legitimate purpose, and is carried out in a manner and means that are in accordance with the legislation on the protection of personal data
  • we do not process personal data without a legitimate legal title
  • we collect only the necessary personal data to fulfil the stated purpose
  • we endeavour to process only accurate and up-to-date personal data
  • we process personal data only for as long as necessary
  • we will inform you about the methods of personal data processing
  • we respect your rights as a data subject
  • we strictly protect personal data

 

4. WHAT PERSONAL DATA WE PROCESS

We process only such data that are necessary for the provision of our services and the fulfilment of obligations arising from binding legal regulations.

This includes in particular the personal data listed below:

Common personal information

  • name, surname, date of birth and birth number of the boarder, name of the school and class designation
  • name, surname, date of birth, contact details of the diners legal representatives
  • card number and personal number of the diner
  • data necessary for the provision and invoicing of services provided, data relating to the circumstances of the occurrence of receivables against boarders and other data necessary to protect the Company's rights

Special categories of personal data (sensitive data)

  • dietary or other dietary restrictions that may indicate the health status of the diner
  1. WHY WE PROCESS PERSONAL DATA AND WHAT ENTITLES US TO DO SO

We process the personal data of boarders (see Chapter 4) for the following purposes.

Purpose of processing

Legal basis for processing

Conclusion and performance of a contractual relationship with boarders

Performance of the contract

Classification of boarders into age groups

Legal obligation based on Decree No. 107/2005 Coll. on school meals

Ensuring the provision of dietary meals to boarders with dietary or other dietary restrictions

Explicit consent of the adult boarder / legal guardian of the minor boarder

Application and administration of food subsidies at the Ministry of Education, Youth and Sports of the Czech Republic

The legal obligation arising from Act No. No. 306/1999 Coll. on the provision of subsidies to private schools, pre-school and school facilities

Dispute resolution and legal enforcement of negotiated agreements

Legitimate interest of the Company
  1. WHERE WE OBTAIN PERSONAL DATA

The primary source of the personal data we process is the diner himself/herself, or, where applicable, his/her legal representative or the school.

 
  1. WHERE AND FOR HOW LONG WE STORE PERSONAL DATA

The personal data collected by our Company is processed and stored in the territory of the EU / EFTA countries.

Our Company stores personal data only for the period strictly necessary. We keep them for up to ten years in order to comply with legal obligations (e.g. in documenting the calculation and payment of taxes) and the rules of prudence and due diligence, especially with regard to statutory limitation periods.

  1. HOW WE PROTECT PERSONAL DATA

In order to ensure the protection of personal data, we have taken adequate technical and organizational measures to ensure their security, in particular:

  • we have established detailed rules for the collection and handling of personal data, which we strictly control
  • we have limited access to personal data to only the necessary number of responsible persons
  • we have bound the authorized persons to a duty of confidentiality
  • if we already have to involve other entities (so-called processors) in the processing of personal data, we carefully assess whether they provide sufficient guarantees to ensure the security of personal data

If there is an unauthorized interference or leakage of personal data and such a situation poses a high risk to the data subject, we are obliged to notify the data subject and the Office for Personal Data Protection without undue delay.

  1. TO WHOM WE DISCLOSE PERSONAL DATA

The processed personal data may be made available to the following entities:

  • parent company GTH catering a.s., IČO 09342061, Tomíčkova 2144/1, Chodov, 148 00 Praha 4, with our Company ensures the management of IT systems and personnel, payroll and accounting agenda
  • external suppliers who provide us with important services, especially IT infrastructure
  • to the competent state authorities in the exercise of their powers based on the applicable legislation, e.g. law enforcement authorities, insolvency administrators, supervisory and control authorities
  • courts and bailiffs, etc., for the purpose of enforcing negotiated agreements
  1. YOUR RIGHTS AND HOW TO EXERCISE THEM

In connection with the protection of your personal data, you have the right to request:

  • confirmation of whether our Company processes personal data about you
  • information on the purposes of processing, the categories of personal data concerned, the recipients of the personal data, the planned period of processing, the rights of the data subject, the sources of personal data, the fact that automated decision-making, including profiling, takes place, and appropriate safeguards when data is transferred outside the EU
  • a free copy of the personal data, provided that the rights and freedoms of others are not adversely affected
  • rectification of your inaccurate personal data or their completion by providing an additional statement
  • revoking your consent to the processing of your personal data
  • erasure of your personal data, restriction or objection to their processing

You also have the right to file a complaint with the Office for Personal Data Protection, by letter to Pplk. Sochora 27, 170 00 Prague 7, by e-mail posta@uoou.cz or by phone +420 234 665 111.

These rights can be exercised by means of a written request delivered to Tomíčkova 2144/1, 148 00 Prague 4, to the e-mail box oznamto@gthcatering.cz, or to the data box nxz883e. It is necessary to include the text "Personal data" in the subject of the message.

We will provide you with information about the evaluation of your application and the measures taken without undue delay, no later than 30 days after the delivery of the application. In exceptional cases, we are entitled to extend this period by two months. We will also inform you about such an extension and its reasons.

More detailed information on the rights of data subjects and the conditions for their exercise can be found in the Annex.

------------------------------------------------------------------------

ANNEX TO INFORMATION MEMORANDA ON THE PROCESSING OF PERSONAL DATA

This document contains a detailed list of the rights of data subjects arising from Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data (GDPR).

Right of access

The data subject has the right to access his/her personal data, i.e. the right to request:

  • confirmation whether our Company processes personal data about him
  • information about the purposes of the processing, the categories of personal data concerned, the recipients of the personal data, the planned period of processing, the rights of the data subject, the sources of personal data, the fact that automated decision-making, including profiling, takes place, and appropriate safeguards when data is transferred outside the EU
  • a free copy of the personal data, provided that the rights and freedoms of others are not adversely affected

If the request is evaluated as justified, we will allow the data subject to access their personal data without undue delay, no later than 30 days from the receipt of the request. In exceptional cases, we are entitled to extend this period by two months. We will inform him about such an extension and its justification.

Right to rectification of inaccurate data

The data subject has the right to request the rectification of their inaccurate personal data or their completion by providing an additional statement.

Right to erasure (right to be forgotten)

The data subject has the right to request the erasure of his/her personal data if one of the following conditions is met1:

  • the personal data are no longer necessary for the purposes for which they were processed
  • the consent of the data subject has been withdrawn and there is no other legal reason for the processing
  • the personal data has been processed unlawfully
  • personal data must be erased to comply with a legal obligation
  • personal data have been collected in connection with the offer of information society services to the child

Right to restriction of processing

Our Company is obliged to restrict the processing of personal data if any of the following reasons are met:

  • the data subject denies the accuracy of the PD; the restriction will be accepted for the period necessary for us to verify the accuracy of the personal data
  • the data subject considers that the processing is unlawful, but at the same time refuses its erasure and requests the restriction of its use instead
  • the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims
  • the data subject requests personal data for the establishment, exercise or defence of legal claims, although our Company no longer needs them

Personal data may be further processed (with the exception of their storage) only a) with the consent of the data subject, b) for the purpose of determining, exercising or defending legal claims, c) for the protection of the rights of another natural or legal person or d) for reasons of important public interest.

If the restriction is lifted by the Company, we will notify the data subject of this situation in advance.

Object to processing

The data subject may object to the processing of his or her personal data relating to his or her particular situation. After raising a legitimate objection, it is the duty of our Company to prove that our legitimate interests outweigh the fundamental rights and freedoms of the data subject.

Objection is possible only to the processing of the ongoing:

  • on the basis of the legitimate interest of our Company or on the basis of the performance of a task carried out in the public interest or in the exercise of official authority, including profiling
  • for the purposes of scientific or historical research or for statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest

If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

Automated individual decision-making, including profiling

The data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects for him or her or similarly significantly affects him/her.

Lodge complaints with the supervisory authority

The data subject has the right to complain to the Office for Personal Data Protection. Complaints can be sent by letter to Pplk. Sochora 2 7, 170 00 Prague 7, by e-mail posta@uoou.cz or by phone +420 234 665 111.

Back