Principles Relating to the Processing of Personal Data in ISOTRA a. s.
ISOTRA a. s., ID No.: 47679191, registered office: Bílovecká 2411/1, Předměstí, CZ-74601 Opava, Czech Republic, entered in the Commercial Register maintained by the Regional Court in Ostrava, under reference B/3169 (hereinafter “ISOTRA”), hereby declares that it always processes data subjects’ personal data in accordance with principles specified below that are based on Art. 5 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”):
- Principle of lawfulness, fairness, and transparency of processing – data subjects’ personal data are always processed by ISOTRA on the basis of a valid legal title, fairly, and in a transparent manner;
- Principle of purpose limitation – data subjects’ personal data are collected and processed by ISOTRA exclusively for legitimate reasons. Personal data are not processed by ISOTRA in a manner incompatible with those purposes;
- Principle of data minimisation – ISOTRA only processes personal data to an extent that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- Principle of data accuracy – ISOTRA processes personal data that are accurate and, where necessary, kept up to date. ISOTRA implements reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Principle of storage and processing limitation – personal data are stored and processed by ISOTRA in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Principle of integrity and confidentiality – ISOTRA processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- Employees, members of the company bodies, and other entities that cooperate with ISOTRA always process personal data in accordance with the rules and principles specified in GDPR and the internal directive on the protection of personal data, including security measures introduced to protect personal data.
Exercise of Data Subjects’ Rights with ISOTRA
Data subjects shall have the following rights, as specified in Art. 15 through 22 GDPR, in relation to the processing by ISOTRA of their personal data:
- Right of access to personal data
The right of access is the right of the data subject to obtain the following information from ISOTRA:
(a) whether or not personal data concerning him or her are being processed,
(b) the purposes of the processing,
(c) the categories of personal data concerned,
(d) whether or not personal data concerning him or her are disclosed to other recipients,
(e) the envisaged period for which the personal data will be processed,
(f) information about the rights of the data subject relating to the personal data being processed.
At the same time, the data subject shall be entitled to receive a copy of the personal data undergoing processing.
- Right to rectification of personal data
The right to rectification includes the right of the data subject to obtain from ISOTRA the rectification of inaccurate personal data being processed concerning him or her, and the right to have incomplete personal data completed.
- Right to erasure of personal data
The right to erasure includes the right of the data subject to obtain from ISOTRA the erasure of personal data concerning him or her in case of absence of a valid legal title for the processing thereof. The data subject shall not be entitled to require from ISOTRA erasure of the personal data being processed if ISOTRA has a valid legal title for the processing thereof (i.e. especially throughout the period where ISOTRA is entitled to the processing on the grounds of the performance of a contract or performance of obligations specified by valid legislation).
- Right to restriction of processing of personal data
The right to restriction of processing includes the right of the data subject to obtain from ISOTRA restriction of the extent of processing of personal data where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject – the processing may be restricted until a decision is made;
(b) the processing is unlawful, but the data subject only requests the restriction of the processing of personal data;
(c) ISOTRA only needs the personal data for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing, pending the verification.
- Right to portability of personal data
The right to data portability includes the data subject’s right to receive from ISOTRA the personal data being processed in a structured, commonly used, and machine-readable format for the purpose of transmitting those data to another controller (the right to have the personal data transmitted directly from one controller to another, where technically feasible). This right may only be exercised on condition that the processing is based on a legal title being the performance of a contract or consent given by the data subject and is carried out by ISOTRA through an information system (in an automated manner).
- Right to object to the processing of personal data
The data subject shall have the right to object in cases where the processing by ISOTRA of personal data concerning him or her is based on a legal title of legitimate interests of the controller or for direct marketing purposes. Once the data subject objects to processing, the personal data shall no longer be processed by ISOTRA unless ISOTRA demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defence of legal claims.
The above rights must always be exercised with the personal data controller, which means that said rights cannot be exercised against ISOTRA in cases where ISOTRA is only a data processor for the specific purpose of processing.
The above rights shall be exercised by the data subject with ISOTRA in a written, paper form with an officially verified signature, sent to the address: Bílovecká 2411/1, Předměstí, CZ-74601 Opava, Czech Republic; or in electronic form by an electronic message with a recognised electronic signature, sent to the e-mail address specified at www.isotra.cz; or by means of a data box ID: 8wiemb6.
ISOTRA hereby informs the data subjects that they are entitled to lodge a complaint with the Office for Personal Data Protection under conditions specified in Art. 77 GDPR, if they consider that the processing by ISOTRA of personal data relating to them infringes GDPR.
ISOTRA hereby informs the data subjects that they are entitled, under conditions specified in Art. 79 GDPR, to an effective judicial remedy, if they consider that their rights have been infringed as a result of the processing by ISOTRA of their personal data in non-compliance with GDPR.
Fulfilling of reporting obligations pursuant to art. 13 GDPR (pdf)