GDPR

We would like to inform you clearly and transparently about how we process your personal data and what rights you have in this regard. Therefore, we provide all the essential information here in a clear manner.

We process and protect personal data fully in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - also referred to as the “GDPR Regulation”), and Act No. 110/2019 Coll., on the processing of personal data. When processing personal data, we adhere to the following basic principles:

1. we process personal data in a fair, lawful, and transparent manner;
2. we collect personal data for specific, explicitly stated, and legitimate purposes and do not process it further in a manner that is incompatible with those purposes;
3. we process only such personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
4. we process only accurate (and where necessary, updated) personal data;
5. we process personal data only for as long as is necessary for the purposes for which it is processed;
6. we process personal data in a manner that ensures its adequate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

The personal data controller is DALUMA s.r.o., ID: 13989537, with its registered office at Korunní 1143/84, Vinohrady, 101 00 Prague 10, registered in the Commercial Register maintained by the Municipal Court in Prague, File No. C 358469 (hereinafter referred to as the “Controller”). The Controller is responsible for the processing of personal data, and you can exercise most of your rights mentioned below with the Controller.

The Controller has not appointed a Data Protection Officer but has designated a person responsible for this area who oversees the proper processing and protection of personal data.

In case of any questions regarding the processing of personal data or if you wish to exercise your rights, you can contact the Controller in one of the following ways:

1. in person at the Controller's registered office at Korunní 1143/84, Vinohrady, 101 00 Prague 10, Czech Republic;
2. by letter delivered to the Controller's registered office at Korunní 1143/84, Vinohrady, 101 00 Prague 10, Czech Republic;
3. by email sent to the Controller's email address info@daluma.cz;
4. by phone at the Controller's phone number +420 776 464 855;
5. by message delivered to the Controller's data box with the identifier 764tvdw.

We process only such personal data that we necessarily need to be able to comply with our legal obligations, fulfill our contractual commitments properly, and protect our legitimate interests, or if we have your consent for the processing. For these reasons, we process personal data of the following persons:

1. job applicants;
2. our employees (including former ones);
3. our directors and partners (including former ones);
4. our business partners (including former ones);
5. our suppliers and subcontractors (including former ones);
6. our clients and employees or representatives of our clients (including former ones);
7. exceptionally, other natural persons.

We always process personal data only to the extent necessary for the given purpose of processing.

We determine the purposes of processing personal data mainly concerning the nature of the contractual or other relationship with you, or concerning the services provided to you or our legitimate interests.

1. We process personal data of job applicants for the purpose of selecting a new employee or creating a database of job applicants and contacting persons included in the database with job offers.
2. We process personal data of employees for the purpose of fulfilling the employer's obligations set out in the employment contract, agreement on work activity, or agreement on the performance of work concluded with the respective employee, as well as for fulfilling the employer's obligations towards employees during the employment relationship set out in the relevant legal regulations. We process employees' photographs for the purpose of promoting and presenting our company and our business.
3. We process personal data of our directors and partners for the purpose of fulfilling the obligations of a limited liability company in relation to the commercial register set out in the relevant legal regulation and in the case of directors also for fulfilling the corporation's obligations towards the directors set out in the contract on the performance of the director's function concluded with the respective director. We process directors' photographs for the purpose of promoting and presenting our company and our business.
4. We process personal data of our business partners for the purpose of fulfilling our obligations as a contracting party under the concluded contract and for the purpose of offering our other services.
5. We process personal data of our suppliers and subcontractors for the purpose of fulfilling our obligations as a contracting party under the concluded contract and for the purpose of offering our other services.
6. We process personal data of our clients, natural persons, and employees or representatives of our clients, legal persons, and, where applicable, also personal data of other natural persons for the purpose of fulfilling our obligations as a contracting party under the concluded contract and for the purpose of offering our other services. Exceptionally, we may process photographs of our clients, natural persons, and employees or representatives of our clients, legal persons, taken at events organized by us for the purpose of promoting and presenting our company and our business.
7. We may process personal data of former employees, directors, partners, business partners, suppliers and subcontractors, clients, natural persons, and employees or representatives of our clients, legal persons, for the purpose of defending in a dispute with the respective person or enforcing claims against such person.

We always process personal data based on at least one legal reason (title). If this were not the case, we would not be acting in accordance with the principle of legality as one of the most important principles of the GDPR Regulation.

The processing of personal data is carried out based on the following legal titles:

1. fulfillment of a legal obligation that applies to us - in the case of processing personal data of our employees, directors, partners, business partners, suppliers and subcontractors, clients, natural persons, and employees or representatives of our clients, legal persons - these are particularly the following legal regulations:
• Act No. 262/2006 Coll., the Labour Code;
• Act No. 582/1991 Coll., on the organization and implementation of social security;
• Act No. 589/1992 Coll., on social security contributions and contributions to the state employment policy;
• Act No. 48/1997 Coll., on public health insurance;
• Act No. 586/1992 Coll., on income taxes;
• Act No. 187/2006 Coll., on sickness insurance;
• Act No. 89/2012 Coll., the Civil Code;
• Act No. 90/2012 Coll., on commercial companies and cooperatives (the Act on Business Corporations);
• Act No. 304/2013 Coll., on public registers of legal and natural persons and on the registration of trust funds;
• Act No. 253/2008 Coll., on certain measures against money laundering and financing of terrorism;
• implementing regulations to these laws.
2. fulfillment of a contract concluded with you - in the case of processing personal data of our employees, directors, partners, business partners, suppliers and subcontractors, clients, natural persons, and employees or representatives of our clients, legal persons.
3. granting your consent to the processing of personal data for one or more specific purposes - if you are applying for a job with us and we would like to keep your personal data even after the end of the selection procedure.
4. the existence of our legitimate interest - we rely on this legal reason for processing personal data only in cases where your interests or your fundamental rights and freedoms requiring the protection of personal data do not override our interests - this involves processing personal data of job applicants, further processing personal data for the purpose of defending in a dispute or enforcing claims, and processing personal data for the purpose of offering our other services or promoting and presenting our company and our business.

We retain personal data only for the necessary period concerning the purpose of processing. If the processing of personal data is required by a legal regulation, it usually also specifies the period for which we must act accordingly. If we process personal data to be able to fulfill a contract concluded with you, it is necessary to process personal data for the entire duration of the respective contract. Personal data processed based on granted consent is retained for the period for which the consent was granted, and of course only until the consent is revoked. If the processing of personal data is necessary for our legitimate interest, we process it only for the duration of that legitimate interest.

We primarily obtain personal data directly from you or in connection with a mutual contractual relationship. Thus, you have control over what personal data you provide us with and what you do not.

We may also obtain some personal data from public sources, such as some public registers or the internet. In certain cases, we obtain personal data from other controllers, but we are obliged to inform you about this.

Personal data is available to our employees, directors, and partners who need it for their work. Transfer of personal data outside our company occurs only in necessary, particularly the following cases:

1. the transfer of personal data is required by a legal regulation (this mainly involves the transfer of personal data to state authorities or offices);
2. the transfer of personal data is necessary to fulfill our obligation under the contract concluded with you;
3. we transfer personal data to our processor - this transfer occurs in situations where we are unable (or it is disadvantageous for us) to perform a certain activity involving the processing of personal data ourselves, and we have entrusted another person with its performance; this person is our processor from the GDPR perspective; we have verified that they provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing of personal data they carry out meets the GDPR requirements and ensures the protection of your rights; a written contract on the processing of personal data is always concluded with this processor, specifying the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and the category of data subjects, our obligations and rights; this processor also has some obligations directly established by the GDPR; however, the responsibility for processing personal data always lies with the Controller (not the processor).

We never transfer your personal data to a third country (i.e., outside the European Union or the European Economic Area) or to international organizations.

In connection with the processing of your personal data, you have several rights, which are explained in detail below. First, however, it is necessary to provide some general information regarding the exercise of your rights.

We are obliged to facilitate the exercise of your rights, so it is possible to contact us in this regard in various ways (in person, by letter, email, phone, through the data box). Contact details for all these methods can be found above. Since it is our duty to verify your identity when examining your request, some methods of exercising your rights are more suitable than others. The ideal ways to exercise your rights, which will save you and us time, are as follows:

1. sending a letter to our registered office address with your officially verified signature;
2. sending an email to our email address signed with your qualified electronic signature;
3. sending a data message to our data box;
4. in person at a pre-arranged meeting.

To be able to handle your request quickly and properly, it is necessary that the request clearly states the following:

1. who is making the request (name and surname of the applicant, their date of birth, and address);
2. which right you are exercising with the request (it is enough to describe it in words or refer to the relevant article of the GDPR Regulation);
3. what you are seeking with the request and why (explained in more detail below under individual rights);
4. how you wish to receive the response (by letter, email, phone, to the data box);
5. your contact details (phone, email) for any additional questions we may have.

It is our duty to handle your requests free of charge. However, if your requests are clearly unfounded or excessive, particularly because they are repetitive, we have the right to charge you a reasonable fee reflecting the administrative costs of providing the requested information or communication or taking the requested action, or we have the right to refuse to comply with your request.

We will always respond to your request no later than one month after receiving it.

And now to the individual rights.

You have the right to ask us to confirm whether we process your personal data and to obtain an overview of these data from us. Furthermore, you have the right to obtain the following information from us in connection with the processing of your personal data:

1. purposes of processing your personal data;
2. categories of your personal data concerned;
3. recipients or categories of recipients to whom your personal data have been or will be disclosed;
4. planned retention period of your personal data;
5. the existence of the right to request correction or deletion of your personal data, the right to restrict their processing, or the right to object to their processing;
6. the right to lodge a complaint with a supervisory authority;
7. all available information about the source of personal data, if we have not obtained your personal data directly from you.

If this is not clear from your request, we may ask you to clarify which of your personal data your request pertains to.

If you also wish to receive a copy of your personal data that we process, you have the right to do so, and the first provision of such data is free of charge. For further copies, we may charge a reasonable fee not exceeding the necessary costs of providing the information. Exercising this right must not adversely affect the rights and freedoms of other persons.

You have the right to ask us to correct your personal data that we process if it is incorrect or inaccurate. Just let us know which data and how we should correct it. We will do so without undue delay.

You also have the right to ask us to complete your personal data that we process and that is incomplete, according to your instructions. We will comply with this request if the additional personal data are indeed needed for the purpose of the given processing.

If you request it in the exercise of this right, we will inform you of the recipients of your personal data to whom your personal data have been disclosed in the past and to whom we have notified the corrections or completions of your personal data.

You have the right to request the deletion of your personal data from us in the following cases:

1. you believe that we no longer need your personal data for the purposes for which we collected or otherwise processed it;
2. you have withdrawn your consent to the processing of personal data on which we based our processing, and you believe that we no longer have any other legal reason for their processing;
3. you have objected to our processing of your personal data based on our legitimate interests, and you believe that we no longer have any overriding legitimate grounds for processing it;
4. you have objected to our processing of personal data for direct marketing purposes;
5. you believe that we are processing your personal data unlawfully;
6. you believe that we are required to delete your personal data under the law of the European Union or the law of a member state of the European Union.

When exercising this right, it is necessary to state in your request on which of the above grounds you are requesting the deletion of your personal data and which of your personal data you are requesting to be deleted. Your request should also be duly justified; otherwise, it cannot be complied with.

If we find your request justified and the processing of your personal data is not necessary:

1. for exercising the right to freedom of expression and information;
2. for compliance with a legal obligation that requires processing under European Union or member state law that applies to us, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
3. for reasons of public interest in the area of public health;
4. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
5. for the establishment, exercise, or defense of legal claims;

we will delete the personal data you requested without undue delay.

If we have made your personal data public and subsequently deleted it in the exercise of your right to erasure, we are also obliged, taking into account the available technology and the cost of implementation, including technical measures, to ensure that controllers who process your personal data are informed that you have requested the deletion of all links to such personal data, its copies, or replicas.

If you request it in the exercise of this right, we will inform you of the recipients of your personal data to whom your personal data have been disclosed in the past and to whom we have notified the deletions of your personal data.

Restriction of processing personal data means their marking and termination of all their processing except for storage. In other words, personal data whose processing is restricted remain with the controller (they cannot be deleted), but the controller is not entitled to use such personal data in any way.

You have the right to request the restriction of the processing of your personal data from us in the following cases:

1. you dispute the accuracy of your personal data;
2. you believe that we are processing your personal data unlawfully, but instead of deleting your personal data, you request only the restriction of their use;
3. we no longer need your personal data for the purposes of processing (we should therefore delete it), but you require it for the establishment, exercise, or defense of legal claims;
4. you have objected to our processing of your personal data based on our legitimate interests, which has not yet been decided by us.

When exercising this right, it is necessary to state in your request on which of the above grounds you are requesting the restriction of processing of your personal data and which of your personal data you are requesting to be restricted. Your request should also be duly justified; otherwise, it cannot be complied with.

If we find your request justified, we will restrict the processing of the personal data you requested without undue delay. During the duration of this restriction, we are entitled to process such personal data only with your consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a member state of the European Union.

If the reasons for the restriction of the processing of your personal data cease to exist, we will notify you of this, and then we will lift the restriction on processing.

If you request it in the exercise of this right, we will inform you of the recipients of your personal data to whom your personal data have been disclosed in the past and to whom we have notified the restriction of the processing of your personal data.

If we process your personal data based on our legitimate interest, you have the right to object at any time and request that we no longer process your personal data in this way. Your request must clearly state which of your personal data the objection relates to and against which processing the objection is raised. Your request should also be reasonably justified.

Upon receiving your request, it is our duty to stop processing your personal data or to demonstrate to you that there are compelling legitimate grounds for the processing that override your interests or rights and freedoms, or that the processing of your personal data is necessary for the establishment, exercise, or defense of legal claims.

If we process your personal data for direct marketing purposes, you have the right to object at any time and request that we no longer process your personal data for such purposes. Your request must clearly state that the objection is raised against processing for direct marketing purposes and to which of your personal data it relates.

Upon receiving your request, it is our duty to stop processing your personal data for direct marketing purposes.

If we process your personal data based on your consent to the processing of personal data, you have the right to withdraw this consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

If you believe that the processing of your personal data has violated the GDPR Regulation, you have the right to lodge a complaint with a supervisory authority, particularly in the state of your habitual residence, place of employment, or place of the alleged infringement. The supervisory authority for the Czech Republic is the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, ID: 708 37 627, www.uoou.cz.

We firmly believe that the information provided above is understandable to you. If you still do not understand something or are unsure about anything, you can always contact us with a question. This will prevent a number of misunderstandings.

In Prague on January 1, 2024

DALUMA s.r.o.