Reporting duty

LAYER I - Personal Data Protection

This site will tell you everything about the personal data processing that we carry out including information on your rights and on the manner in which you can exercise your rights. You will find more details about each individual processing, your rights and the manner in which your rights may be exercised under the following headings - links to each individual processing of personal data.

I. Marketing
II. Customer Satisfaction Research
III. Retail and servicing of vehicles and connected services
IV. Third party performance - supplier database maintenance, contract on provision of services
V. Bookkeeping and retention of accounting documents 

LAYER II - Key characteristics of each individual processing

I. Marketing – identifying the best offer (profiling) for customers.

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available below.

II. Customer Satisfaction Research

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available below.

III. Retail and servicing of vehicles and connected services

Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available below.

IV. Third party performance - supplier database maintenance, contract on provision of services
Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available below.

V. Bookkeeping and retention of accounting documents
Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available below.



LAYER III – Specific parameters of the processing of personal data

I. Marketing


1. CONTROLLER
The personal data controller is Mercedes-Benz Trucks Česká republika s.r.o., with its registered office located at Prague 5 - Stodůlky, Bavorská 2666/2, ZIP Code 155 00, ID No.: 064 18 147, registered in the Commercial Register maintained with the Municipal Court in Prague, Section C, Entry No. 281781 (hereinafter the “Controller”).

2. RIGHTS OF THE DATA SUBJECTS
The data subjects have the following rights in respect of the personal data processing concerned:

a. WITHDRAWAL OF CONSENT – The consent may be withdrawn at any time in the manner stipulated below. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal;
b. ACCESS – The right to be informed whether or not personal data are being processed. If the data subject’s personal data are being processed, the data subject has the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
c. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
d. ERASURE (right to be forgotten) - Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
e. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
f. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;
g. PORTABILITY – The right to obtain, under certain conditions stipulated by law, the data for the purposes of their further processing by another person determined by the data subject and to transmit the data to such person or to request that the data be transmitted directly to the other person. 

In addition, data subjects have the right:
TO OBJECT – The right to request that subject’s personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise the rights below. 

3. PURPOSE OF PROCESSING
The Controller processes personal data for the purpose of:
1. Organisation of marketing events incl. distribution of invitations to such events
2. Sending out of commercial communication, gifts, and newsletters
3. Organisation of competitions

4. LEGAL GROUND FOR PROCESSING
The legal ground for the processing of personal data is:
1. consent of the data subject Art. 6(1)(a) of the GDPR
2. consent of the data subject Art. 6(1)(a) of the GDPR, legitimate interest Art. 6(1)(f) of the GDPR
3. consent of the data subject Art. 6(1)(a) of the GDPR

5. SCOPE OF THE DATA being processed
The Controller processes the following data for the above purpose:
1. name, surname, address, phone no., driver’s licence and ID card number
2. name, surname, address, phone no., model of the purchased vehicle, date of the purchase contract, date of vehicle hand over, number of vehicles
3. name, surname, address, email

6. PROVISION OF DATA IS VOLUNTARY/MANDATORY/NECESSARY
The provision of personal data is voluntary as it is processed based on a consent. Should the processing be conducted to fulfil the Controller’s legitimate interest, the provision of personal data is mandatory. The data subject may always raise an objection regarding the respective data processing.

7. PERIOD for which the personal data are stored and processed
The Controller processes personal data for 5 years.

8. PLACE where the personal data are being processed
The place of the processing of personal data shall be the Controller’s registered office or the Processor’s registered office.

9. THIRD COUNTRY
In the processing of personal data, personal data WILL NOT be transferred outside the EU.  

10. PROCESSOR
A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

11. AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.
In connection with the processing of personal data, profiling WILL be used. Specifically, profiling will be used to determine the scope of subjects who will be addressed with commercial offers, offers of marketing, special-interest and propagation events. 

II. CUSTOMER SATISFACTION RESEARCH

1. CONTROLLER
The personal data controller is Mercedes-Benz Trucks Česká republika s.r.o., with its registered office located at Prague 5 - Stodůlky, Bavorská 2666/2, ZIP Code 155 00, ID No.: 064 18 147, registered in the Commercial Register maintained with the Municipal Court in Prague, Section C, Entry No. 281781 (hereinafter the “Controller”).

2. RIGHTS OF THE DATA SUBJECTS
The data subjects have the following rights in respect of the personal data processing concerned: 

a. WITHDRAWAL OF CONSENT – The consent may be withdrawn at any time in the manner stipulated below. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal;
b. ACCESS – The right to be informed whether or not personal data are being processed. If the data subject’s personal data are being processed, the data subject has the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
c. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
d. ERASURE (right to be forgotten) - Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
e. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
f. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;
g. PORTABILITY – The right to obtain, under certain conditions stipulated by law, the data for the purposes of their further processing by another person determined by the data subject and to transmit the data to such person or to request that the data be transmitted directly to the other person. 

In addition, data subjects have the right:
TO OBJECT – The right to request that subject’s personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise the rights herein below. 

3. PURPOSE OF PROCESSING
The Controller processes personal data for the purpose of:
Satisfaction and loyalty research (CSI and CLI) of dealers’ customers and research outcome data evaluation.

4. LEGAL GROUND FOR PROCESSING
The legal ground for the processing of personal data is:
Consent of the data subject Art. 6(1)(a) of the GDPR.

5. SCOPE OF THE DATA being processed
The Controller processes the following data for the above purpose:
Name, surname, address, phone no., email, vehicle’s VIN no., Number of contract/order, date of vehicle’s handover or order pickup.

6. PROVISION OF DATA IS VOLUNTARY/MANDATORY/NECESSARY
The provision of personal data is voluntary as it is processed based on a consent.

7. PERIOD for which the personal data are stored and processed
The Controller processes personal data for 2 years.

8. PLACE where the personal data are being processed
The place of the processing of personal data shall be the Controller’s registered office or the Processor’s registered office.

9. THIRD COUNTRY
In the processing of personal data, personal data WILL NOT be transferred outside the EU.
 

10. PROCESSOR
A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

11. AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.
In connection with the processing of personal data, profiling WILL NOT be used.
 

III. Retail and servicing of vehicles and connected services

1. CONTROLLER
The personal data controller is Mercedes-Benz Trucks Česká republika s.r.o., with its registered office located at Prague 5 - Stodůlky, Bavorská 2666/2, ZIP Code 155 00, ID No.: 064 18 147, registered in the Commercial Register maintained with the Municipal Court in Prague, Section C, Entry No. 281781 (hereinafter the “Controller”).

2. RIGHTS OF THE DATA SUBJECTS
The data subjects have the following rights in respect of the personal data processing concerned: 

a. WITHDRAWAL OF CONSENT – The consent may be withdrawn at any time in the manner stipulated below. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal;
b. ACCESS – The right to be informed whether or not personal data are being processed. If the data subject’s personal data are being processed, the data subject has the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
c. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
d. ERASURE (right to be forgotten) - Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
e. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
f. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;
g. PORTABILITY – The right to obtain, under certain conditions stipulated by law, the data for the purposes of their further processing by another person determined by the data subject and to transmit the data to such person or to request that the data be transmitted directly to the other person. 

In addition, data subjects have the right:
TO OBJECT – The right to request that subject’s personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise the rights below. 

3. PURPOSE OF PROCESSING
1. negotiation of and fulfilment of a contract with customers
2. administration of a dealers’ customers database
3. further education of customers’ employees

4. LEGAL GROUND FOR PROCESSING
1. Fulfilment of a contract concluded with the data subject Art. 6(1)(b) of the GDPR
2. Legitimate interest Art. 6(1)(f) of the GDPR
3. Fulfilment of a contract concluded with the data subject Art. 6(1)(b) of the GDPR

5. SCOPE OF THE DATA being processed
The Controller processes the following data for the above purpose:
1. Name, surname, address, email, date of birth, phone no., purchased product, vehicle details, banking details
2. Name, surname, address, vehicle details, phone no.
3. Name, surname

6. PROVISION OF DATA IS VOLUNTARY/MANDATORY/NECESSARY
1. The provision of personal data is mandatory as it is a contractual obligation.
2. The provision of personal data is mandatory as it is a legitimate interest of the Controller.
3. The provision of personal data is mandatory as it is a contractual obligation.
The data subject may always raise an objection regarding the respective data processing.

7. PERIOD for which the personal data are stored and processed
The Controller processes personal data for:
1.
a. 8 months in the case of servicing contract offer
b. 10 years when the servicing contract is concluded
2. 10 years.
3. 10 years

8. PLACE where the personal data are being processed
The place of the processing of personal data shall be the Controller’s registered office or the Processor’s registered office.

9. THIRD COUNTRY
In the processing of personal data, personal data WILL NOT be transferred outside the EU.  

10. PROCESSOR
A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

11. AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.
In connection with the processing of personal data, profiling WILL NOT be used.

IV. Third party performance - supplier database maintenance, contract on provision of services

1. CONTROLLER
The personal data controller is Mercedes-Benz Trucks Česká republika s.r.o., with its registered office located at Prague 5 - Stodůlky, Bavorská 2666/2, ZIP Code 155 00, ID No.: 064 18 147, registered in the Commercial Register maintained with the Municipal Court in Prague, Section C, Entry No. 281781 (hereinafter the “Controller”).

2. RIGHTS OF THE DATA SUBJECTS
The data subjects have the following rights in respect of the personal data processing concerned: 

a. WITHDRAWAL OF CONSENT – The consent may be withdrawn at any time in the manner stipulated hereunder. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal;
b. ACCESS – The right to be informed whether or not the data subject’s personal data are being processed. If personal data are being processed, the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
c. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
d. ERASURE (right to be forgotten) - Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
e. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
f. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;
g. PORTABILITY – The right to obtain, under certain conditions stipulated by law, the data for the purposes of their further processing by another person determined by the data subject and to transmit the data to such person or to request that the data be transmitted directly to the other person. 

In addition, data subjects have the right:
TO OBJECT – The right to request that the data subject’s personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise the rights in Layer IV. hereof.
 

3. PURPOSE OF PROCESSING
The Controller processes personal data for the purpose of:
1. Managing of the supplier’s database;
2. Negotiations before entering into a contract with suppliers and fulfilling of contracts with suppliers.

4. LEGAL GROUND FOR PROCESSING
The legal ground for the processing of personal data is:
1. Fulfilment of a contract concluded with the data subject Art. 6(1)(b) of the GDPR
2. Fulfilment of a contract concluded with the data subject Art. 6(1)(b) of the GDPR

5. SCOPE OF THE DATA being processed
The Controller processes the following data for the above purpose:
1. name, surname, address, phone no., email, bank details
2. name, surname, address, phone no., email, bank details


6. PROVISION OF DATA IS VOLUNTARY/MANDATORY/NECESSARY
1. The provision of personal data is mandatory as it is a contractual obligation.
2. The provision of personal data is mandatory as it is a contractual obligation.

7. PERIOD for which the personal data are stored and processed
The Controller processes personal data for:
1. 3 years from the supplier’s approval
2. 10 years from the contract’s fulfilment

8. PLACE where the personal data are being processed
The place of the processing of personal data shall be the Controller’s registered office or the data Processor’s registered office.

9. THIRD COUNTRY
In the processing of personal data, personal data WILL NOT be transferred outside the EU.  

10. PROCESSOR
A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

11. AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.
In connection with the processing of personal data, profiling WILL NOT be used.

V. BOOKKEEPING AND RETENTION OF ACCOUNTING DOCUMENTS

1. CONTROLLER
The personal data controller is Mercedes-Benz Trucks Česká republika s.r.o., with its registered office located at Prague 5 - Stodůlky, Bavorská 2666/2, ZIP Code 155 00, ID No.: 064 18 147, registered in the Commercial Register maintained with the Municipal Court in Prague, Section C, Entry No. 281781 (hereinafter the “Controller”).

2. RIGHTS OF THE DATA SUBJECTS
The data subjects have the following rights in respect of the personal data processing concerned: 

a. WITHDRAWAL OF CONSENT – The consent may be withdrawn at any time in the manner stipulated hereunder. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal;
b. ACCESS – The right to be informed whether or not the data subject’s personal data are being processed. If personal data are being processed, the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
c. RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
d. ERASURE (right to be forgotten) - Right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
e. RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
f. COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the Office for Personal Data Protection. See www.uoou.cz for the contact details and other information about the Office;
g. PORTABILITY – The right to obtain, under certain conditions stipulated by law, the data for the purposes of their further processing by another person determined by the data subject and to transmit the data to such person or to request that the data be transmitted directly to the other person. 

In addition, data subjects have the right:
TO OBJECT – The right to request that the data subject’s personal data be no longer processed for the performance of tasks carried out in the public interest, for legitimate interests of the Controller or a third party or for marketing purposes.

Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise the rights in Layer IV. hereof. 

3. PURPOSE OF PROCESSING
The Controller processes personal data for the purpose of:
1. Bookkeeping and archiving

4. LEGAL GROUND FOR PROCESSING
The legal ground for the processing of personal data is:
1. Fulfilment of legal obligations according to Art. 6(1)(c) of the GDPR


5. SCOPE OF THE DATA being processed
The Controller processes the following data for the above purpose:
1. name, surname, date of birth, address, bank details, e-mail, VIN


6. PROVISION OF DATA IS VOLUNTARY/MANDATORY/NECESSARY
1. The provision of personal data is mandatory as it is a legal obligation.


7. PERIOD for which the personal data are stored and processed
The Controller processes personal data for:
1. 10 years

8. PLACE where the personal data are being processed
The place of the processing of personal data shall be the Controller’s registered office or the data Processor’s registered office.

9. THIRD COUNTRY
In the processing of personal data, personal data WILL be transferred outside the EU, to the Philippines. In this context, the following guarantees will be provided: a standard contractual clause as decided by the Commission. 

10. PROCESSOR
A personal data processor pursuant to Art. 4(8) of the GDPR or a third party authorized by the Controller to process personal data may be engaged in the processing of personal data. In such cases, the Controller will minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data.

11. AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.

In connection with the processing of personal data, automated decision-making WILL NOT be used.
In connection with the processing of personal data, profiling WILL NOT be used.
 

Rights and the exercise of rights

ARTICLE I - EXERCISE OF RIGHTS IN GENERAL

1. CHANNELS USED TO EXERCISE RIGHTS
Subject to the terms and conditions provided below, the rights may be exercised as follows:  

  • via the Controller’s data box;
  • via email address dataprotection.Trucks@daimler.com;
  • via written notification to the following address Daimlerova 2296/2, 149 45 Prague 4;
  • in person at the following address: Daimlerova 2296/2, 149 45 Prague 4;
  • by phone call to phone No. +420 271 077 482. 

2. IDENTIFICATION AND SECURE COMMUNICATION
The exercise of rights must not negatively affect the rights and freedoms of third parties. Hence, the Controller has the right and obligation, in necessary cases, to identify the data subject requesting the exercise of rights. For that reason, the Controller must choose a safe and reliable communication channel. Communication via electronic mail with a certified electronic signature, communication via a data box, or communication via a postal service provider, where an authenticated signature of the responsible person is attached to the document being delivered or where the reply is served upon the addressee personally, shall be considered a reliable communication where the identity of the addressee need not be further verified.

3. RIGHTS EXERCISED ORALLY
Only in exceptional cases, when requested by the data subject, the information may be provided, or the rights exercised, orally, provided that a written record is made of the oral provision of information or exercise of rights by the data subject. The identity of the data subject must be verified using an ID card, passport, driver’s license or another document that may serve as evidence that the rights are exercised by the person who is entitled to exercise those rights.

4. ELECTRONIC APPLICATION
Where the data subject makes the request or exercises its rights by electronic means, the response shall be provided by electronic means where possible, unless otherwise requested by the data subject.

5. CHARGE
The information provided to the data subjects, the copies of data provided to the data subjects and any communication and any action relating to the exercise of rights by the data subjects shall be free of charge.

6. REJECTION AND CHARGE
Where the data subject's request (exercise of right) is manifestly unfounded or unreasonable, particularly because it is identical or predominantly identical or excessive, and cannot be complied with within the statutory deadline,
a. compliance with the request shall be subject to a deposit to cover the administrative costs associated with the provision of the requested information or communication or with the requested actions; the deposit may be claimed up to the amount of the estimated costs and the requested information, communication, etc. shall only be released to the data subject after full reimbursement of the incurred costs, or
b. the request shall not be complied with, or the exercise of the right shall be declined in writing with a reasoning.

7. RESPONSE PERIOD
The data subjects’ requests and the exercise of the data subjects’ rights are responded to without undue delay. A response containing the requested information, or a description of the measures adopted following the data subject’s request, etc., must be delivered to the data subject no later than within 30 days from the date of receipt of the request by the Company. If, for serious reasons, the matter cannot be resolved within the above deadline, the data subject shall be notified in writing or by email, no later than by the end of the above deadline, that the deadline will not be met, together with the reasons for the delay and a new deadline within which the matter will be resolved; the deadline may not be extended by more than 60 days. 

ARTICLE II - RIGHT OF ACCESS TO AND RIGHT TO OBTAIN A COPY OF PERSONAL DATA

1. Upon request, the data subject shall have the right to obtain confirmation as to whether or not his/her personal data are being processed.
2. If the personal data concerning the data subject are being processed, the data subject shall receive the following information: 

  • the purposes of the processing and the legal basis/title for the processing of personal data, including reference to the provisions of the applicable legal regulation, and the scope and consequences of the processing;
  • the recipients or categories of recipients of personal data, if any;
  • the transfer of personal data to third countries, where applicable, including information on the appropriate safeguards to ensure security of the data transferred to a third country;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request access to and rectification or erasure of personal data concerning the data subject or the right to request restriction of processing or to object to the processing of personal data and the conditions under which the rights arise and the manner in which the rights may be exercised;
  • the existence of the right to data portability, the conditions under which the right arises and the conditions under which it may be exercised;
  • the existence of an automated decision-making process and the data subject’s rights connected with automated decision-making;
  • the source of personal data, and, where applicable, the fact that the personal data were obtained from publicly accessible sources;
  • the right to lodge a complaint with the supervisory authority (Office for Personal Data Protection);
  • the existence of automated decision-making in the form of profiling and the significance and the envisaged consequences of such processing for the data subject.

3. The data subject shall have the right to request a copy of the personal data undergoing processing. The first copy is free of charge. For any further copies, a reasonable fee may be charged. Article I, Paragraph 6 shall apply accordingly.
4. Where the right to obtain a copy could adversely affect the rights and freedoms of third parties (e.g. copies containing third party personal data which the requesting data subject has no legal title to obtain), the copy shall be anonymised in an appropriate manner. If anonymisation is not possible or if, as a result of the anonymisation, the requested information loses the strength of evidence, no copy shall be provided.  

ARTICLE III - RIGHT TO RECTIFICATION

1. The data subject shall have the right to obtain rectification of the personal data being processed, if the data are inaccurate or incomplete in relation to the purpose for which they are being processed. The data subject shall have the right to request that the personal data be rectified (and completed) or completed.
2. If the data subject has exercised the right to rectification of the personal data being processed, the Controller shall immediately review the processing of personal data that is the subject of the exercised right to rectification.
3. If the objection is found to be reasonable, at least to some degree, the Controller shall, without undue delay, ensure that the situation is remedied, i.e. that the processed personal data are rectified or completed.
4. The data subject will be notified in writing or by email of the result of the review and the measures adopted.  

ARTICLE IV - RIGHT TO ERASURE

1. The data subject shall only have the right to obtain from the data controller the erasure of personal data concerning him or her if one of the following grounds applies: 

  • a. the personal data are not necessary in relation to the purposes for which they were collected or otherwise processed;
  • b. the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  • c. the data subject has raised a reasonable objection to the processing;
  • d. the personal data have been processed unlawfully, especially without legal grounds;
  • e. the personal data have to be erased for compliance with a legal obligation arising from a particular legal regulation or a decision based on a legal regulation;
  • f. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR. 

2. An erasure of personal data shall mean the physical destruction of the personal data carrier (e.g. destruction of documents) or the deletion of the data (from multimedia carriers) or other permanent exclusion of the personal data from further processing.
3. If the data subject has exercised the right to erasure of the processed personal data, the Controller shall review the data subject’s request. If the request is found to be reasonable, at least to some degree, the personal data shall be erased to the necessary extent. Article I, paragraph 7 hereof shall apply accordingly.
4. The data that are the subject of the right to erasure shall be marked until the data subject’s request is complied with.
5. The personal data shall not be erased to the extent that their processing is necessary: 

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation arising from legal regulations;
  • for reasons of public interest in the area of public health (points (h) and (i) of Art. 9(2) and Art. 9(3) of the GDPR);
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of the Controller’s rights.

ARTICLE V - RIGHT TO RESTRICTION OF PROCESSING

1. Where the data subject has exercised the right to restriction of processing in respect of a specific processing of personal data, the Controller shall immediately assess relevance of the data subject’s request, primarily the existence of the grounds for exercising the right to restriction of processing; the assessment shall take into account the content of the request as well as other facts and circumstances relating to the processing concerned.
2. The data subject shall have the right to restriction of processing where one of the following grounds applies:

  • the accuracy of the personal data is contested by the data subject;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing. 

3. The personal data affected by restriction shall be marked.
4. Where processing has been restricted, the personal data concerned may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
5. If the restriction of processing is lifted, the data subject shall be informed in writing or by email before the restriction of the processing of personal data is lifted. The information shall contain the date on which and the reasons why the restriction will be lifted. 

ARTICLE VI - RIGHT TO PORTABILITY

1. If the processing of personal data involves personal data obtained from the data subject (either data directly provided by the data subject or data obtained about his/her activities, etc.) and concerning the data subject, the data subject shall have the right to portability (receipt and transmission) of those data if the processing is based on consent of the data subject or on a contract with the data subject and the processing is carried out by automated means. The right to portability does not apply to the data and information created by the Controller on the basis of the data obtained from the data subject (e.g. profiling of the envisaged consumer behaviour of the data subject based on the data obtained from the data subject, etc.).
2. In exercising the right to portability of data, the data subject may request the following:

  • a. have the personal data that are subject to the right to portability transferred to the data subject in a structured, commonly used and machine-readable format; formats requiring a special paid license or formats that exclude further editing or other manipulation (processing) of the personal data (e.g. *.pdf) shall be avoided;
  • b. have the personal data that are subject to the right to portability transferred to another personal data controller designated in the data subject’s request for the transfer of data, in a structured, commonly used and machine-readable format; formats requiring a special paid license or formats that exclude further editing or other manipulation (processing) of the personal data (e.g. *.pdf) shall be avoided.

3. A request of the data subject shall not be complied with if, inter alia (Article I(6)), compliance with the request would adversely affect the rights and freedoms of other persons (data subjects).
4. A request for portability of data pursuant to Paragraph 2(b) shall further not be complied with, if the transfer of data is technically not feasible; transfer of data that cannot be adequately secured by available technical means given the nature of the transferred personal data and the risks involved shall also be considered to be technically not feasible.
5. In addition to the transferred personal data, information on the purposes of the processing of personal data shall be transferred and, where requested by the data subject, also information on the processing of personal data to the extent of Article 13 of the GDPR. 

ARTICLE VII - AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING

1. No decision or legal act concerning the data subject or other measures or procedures which produce adverse legal effects concerning the data subject or similarly significantly affect the data subject (e.g. automated refusal of an online credit application, e-recruiting practices without any human involvement and review of the electronic system’s negative decisions) can be based on automated individual decision-making, including profiling, unless the decision is: 

  • a. necessary for entering into, or performance of, a contract between the data subject and the data controller;
  • b. authorised by legal regulations which lay down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  • c. based on the data subject's explicit consent.

2. In the cases referred to in points (a) and (c) of Paragraph 1, the Controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and to protect the data subject from the negative effects of automated individual decision-making. Such measures include at least the data subject having a chance to express his/her point of view prior to the implementation of the action with negative consequences, a chance to have the decision reviewed by a person appointed by the Controller, and the right to obtain human intervention, e.g. a regular review of the functionality of the automated decision-making system and a setup of its functionality so as to exclude unreasonable interference with the rights and freedoms or legitimate interests of the data subject.
3. Where the processing involves sensitive data, or where individual decisions pursuant to Paragraph 1 are to be based on sensitive data, Paragraph 2 shall only apply if sufficient safeguards have been ensured pursuant to Paragraph 2 of this Article on condition that the processing of personal data is based on explicit consent of the data subject pursuant to Article 9(2) point (a) of the GDPR, or the processing is necessary for reasons of important public interest stipulated by law and the processing is adequate to the envisioned objectives, compliant with the personal data protection law and provides sufficient and specific safeguards of the protection of fundamental rights and interests of the data subject.
 

ARTICLE VIII - RIGHT TO OBJECT

1. If the processing of personal data is based on point (e) of Article 6(1) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or point (f) of Article 6(1) of the GDPR (processing is necessary for the purposes of protection of the rights and legitimate interests pursued by the controller), the data subject shall have the right to object to the processing of personal data concerned.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of the personal data concerning him or her for such marketing, including profiling to the extent that it relates to such direct marketing. Where the data subject has objected to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
3. If the data subject has exercised the right to object, the Controller shall investigate the objection without undue delay.
4. The personal data or the processing of personal data concerned shall be marked until the data subject’s objection is resolved.
5. The personal data that are the subject of a justified objection can no longer be processed, unless: 

  • further processing is important for serious legitimate reasons that override the interests or rights and freedoms of the data subject, or
  • further processing is necessary for the establishment, exercise or defence of the Controller’s rights.