Data processing principles
Information Regarding Processing of Personal Data
issued by Nielsen Legal, advokátní kancelář, s.r.o., Kozí 916/5, 110 00 Praha 1 – Staré Město, Co. Reg. No.: 24793345, registered in the Commercial Register with the Metropolitan Court of Prague under File No. C 174728
1. Scope of Processing
We process the following personal data of our clients and their representatives: basic identification (name, date of birth, etc.), contact (email address and telephone number) and other personal data disclosed by the client.
We further process the following personal data of our business partners, prospective business partners, and their representatives: basic identification (name, date of birth, etc.) and contact data (email address and telephone number).
2. Purpose, Legal Basis, Time Period for Processing
We process the personal data of our clients exclusively for the purposes of providing our legal services and/or services of our business partners (tax consultancy services, etc.), in accordance with a contract entered into by and between us and our clients and in accordance with applicable laws and regulations. The legal basis for processing the personal data of our clients – private individuals – is the performance of a contract entered into with the clients; the legal basis for processing the personal data of our clients – legal entities – is our legitimate interest in proper providing of legal services and/or complying with our legal obligations. We process the personal data of our clients for six years from the time the provision of legal services ended unless a longer period is required by law (in which case we process the personal data for the purposes and for as long as stipulated by law). We can transfer the personal data processed in the context of the provision of legal services to public authorities (courts, administrative agencies, etc.) and other parties to the proceedings to which the legal services relate.
We process other personal data for the purposes of conducting business correspondence and sending direct marketing communications. The legal basis for such processing is the legitimate interest in promoting our services in compliance with the professional code of conduct published by the Czech Bar Association. We process the personal data as long as no objection to such processing is lodged with us, up to a maximum of five years after the last communication from the data subject.
3. Processing Principles, Rules and Procedures
We process your personal data in accordance with the following principles and rules:
- We protect your personal data from unlawful use by or disclosure to unauthorised third parties, or from other breach.
- We do not disclose your personal data unless you consent to it.
- We can store your personal data also with the providers of accounting services and remote repository services; the said entities then being the processors of your personal data.
- When your personal data is breached with a likely high risk to your rights and freedoms, we notify you promptly by email that your personal data has been breached.
- If you have consented to the processing of your personal data, you have the right to withdraw your consent free of charge at any time by sending a request to email@example.com.
4. Your Rights Relating to Processing
Under Articles 15 to 22 and 77 of GDPR, you have the following rights:
- right of access to your personal data;
- right to rectification of your personal data;
- right to erasure of your personal data;
- right to restriction of processing your personal data;
- right to portability of your personal data;
- right to object;
- right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you; and
- right to lodge a complaint with a supervisory authority.
5. Exercising of Your Rights
We process your personal data as a data controller; therefore, you can exercise your rights directly with us. You can contact us by email at firstname.lastname@example.org, by letter sent to Kozí 916/5, 110 00 Praha 1 – Staré Město, 110 00 Praha 1, or in person at our office (subject to previous notification).
Given the confidentiality obligation, exercising of data subject’s rights may be limited in certain cases.
Once we receive your request to exercise your rights, we will need to verify your identity, i.e. verify that the request has been made by an authorised person. If we were not certain as to your identity, your personal data could be disclosed to a third party. We cannot act on your request where you refuse to assist us in verifying your identity.
We will respond to your request as soon as possible, however, no later than within one month from the date we receive your request. If your request cannot be processed for any reason within that time limit, we will notify you and extend the time limit by a maximum of two further months (i.e. we will respond to your request no later than within three months from the date we receive your request).
We will email our response to your request to the email address from which the request was submitted. If you insist that you be notified as of the results of your request by other means, e.g. by post, we kindly ask you to specify the means of communication directly in your request.
We process your requests free of charge. Please note, however, that we may ask you to reimburse us for the costs of providing the information or communication or taking the action requested where your request is excessive (in particular because of its repetitive character) in which case we can also refuse to act on your request.
6. Right of Access
You have the right to obtain from us information as to whether your personal data is being processed, and if so, be informed of:
- the purposes of the processing;
- the categories of personal data processed;
- the recipients to whom the personal data has been or will be disclosed, in particular recipients in non-EU countries;
- the time period for which the personal data will be stored or the criteria used to determine that time period;
- the right to request from us rectification or erasure of personal data or restriction of processing of your personal data, or object to such processing;
- the right to lodge a complaint with a supervisory authority; that authority being, as a general rule, the Office for Personal Data Protection; and
- the source of any information not collected directly from you.
You have the right to obtain from us a copy of your personal data undergoing such processing and you agree to pay a reasonable fee (if any) for any further copies requested.
7. Right to Rectification
We process personal data in good faith and exert a maximum effort to ensure that the data is accurate and up to date. Due to an error, however, the personal data being processed can be inaccurate in which case you have the right to request us to rectify or complete any data that is inaccurate.
8. Right to Erasure
You have the right to obtain from us erasure of your personal data that we process where one of the following applies:
- Your personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
- You withdraw your consent to the processing of your personal data; however, only where there is no other legal ground for the processing.
- You object to the processing based on a legitimate or public interest; however, only where there are no overriding legitimate grounds for the processing, or you object only to the processing for direct marketing purposes.
- We process your personal data unlawfully.
- We, as the controller, are required to erase your personal data for compliance with a legal obligation in the Czech Republic or the European Union.
- You are aged 16 and over and you have consented to the collection of your personal data in relation to the offer of information society services, or we have obtained consent provided by the holder of parental responsibility over you if you are below the age of 16.
Please note that the requirements shown above are subject to derogations. We are not required to erase your personal data where the processing is necessary:
- for compliance with a legal obligation which requires processing by Czech or EU law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for the establishment, exercise or defence of legal claims; and
- for other reasons set out in Article 17(3) of GDPR.
Please note that we are not required to erase your personal data in other cases. Yet, we treat all our users fairly. Where your request to erase your personal data is reasoned, we will act on the request although we are not required to do so. Remember that you do not have a subjective right to such treatment.
Please note that you can erase your personal data also yourself in your user account.
9. Right to Restriction of Processing
You have the right to obtain from us restriction of processing where one of the following applies:
- You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data.
- The processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead.
- We no longer need your personal data for the purposes of the processing, but you require your personal data for the establishment, exercise or defence of legal claims.
- You have objected to the processing based on a legitimate interest pending the verification whether our legitimate grounds override those specified in your objection.
Where processing has been restricted, we will only process your personal data based on your consent to such processing. Please note that we may store your personal data even without your consent and process the same for the establishment, exercise or defence of legal claims or for the protection of the rights of another private individual or legal entity or for reasons of important public interest of the European Union or of a Member State.
Please note that we intend to restore the processing of your personal data.
10. Right to Data Portability
You have the right to receive your personal data from us where all of the following applies:
- You have provided the personal data based on your consent to the processing of the personal data or for the performance of a contract to which you are a party.
- We process the personal data by automated means.
You will receive from us the personal data in a structured, commonly used and machine-readable XLS or DOC format.
Where all of the following applies, you have the right to transmit the data to another controller or request us to transmit the data directly to another controller. We will act on your request if it is technically feasible.
11. Right to Object
You have the right to object to the processing of your personal data where the personal data is processed by us based on a legitimate or public interest; with us or a third party having the legitimate interest in processing. Once you object, we will no longer process your personal data unless we have compelling legitimate grounds overriding your interests, rights and/or freedoms, or where the processing of such personal data is necessary for the establishment, exercise or defence of legal claims. If applicable, we will notify you as of the compelling legitimate grounds without delay.
You have the right to object to the processing of your personal data where the personal data is processed by us for direct marketing purposes, including profiling. Once you object, we will no longer process your personal data.
12. Right to Lodge Complaint with Supervisory Authority
You have the right to lodge a complaint directly with a supervisory authority of a Member State; in the Czech Republic, contact the Office for Personal Data Protection. For more information regarding the activities of the Office for Personal Data Protection and instructions as to lodging a complain, please visit www.uoou.cz.