Privacy statement
As part of the harmonization of personal data protection with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”) and the Act on the Processing of Personal Data No 110/2019 Sb. (hereinafter referred to as the “Act”),
1. Identification of data controller
Cardiomedical, s.r.o.
Company ID: 05448841
with its seat at Na Poříčí 1079/3a, Nové Město, 110 00 Praha 1, Czech Republic
incorporated in the Business Register kept by the Municipal Court of Prague, Insert No: C 263797
(hereinafter referred to as the “controller”)
Contact for personal data protection:
ID of data mailbox: r2q39yv
e-mail: objednavky@cardiomedical.cz
The company is not obliged to appoint a data protection officer.
2. Definitions
- processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
- special categories of personal data mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation; the processing of such data is permitted only in exhaustively defined cases.
3. Processing of personal data
Processing of personal data without the data subject’s consent is lawful only if at least one of the following conditions is met and only to the extent applicable:
a. processing is necessary for the performance of a contract between the data subject and controller
(e.g. purchase contract, service contract, work contract, lease contract…)
b. processing is necessary for the controller’s compliance with a legal obligation
(e.g. obligations of employer according to labour law, regulations on health and social security and regulations on tax records, maintenance of medical records to the extent prescribed by the relevant legislation, processing of data from requests for examination of biological material…)
c. processing is necessary to protect the vital interests of the data subject or of another natural person
(e.g. humanitarian purposes, monitoring epidemics and their spread, humanitarian emergencies, in particular natural and man-made disasters…)
d. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(controller may be called upon by official authorities to participate in their activities e.g. subcontracting, dealing with humanitarian situations…)
e. processing is necessary on grounds of the legitimate interests of a controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subjects requiring the protection of personal data, in particular where the data subject is a child
(e.g. operating CCTV systems or maintaining a guest book to ensure the safety and security of property…)
The processing of personal data for purposes other than those mentioned above is only possible with the consent of the data subject. The data subject has the right to withdraw his or her consent at any time, in the same way as consent was given, or by sending a message to the data mailbox or e-mail address objednavky@cardiomedical.cz. Withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal. The withdrawal of consent shall also not affect the processing of personal data which the controller processes on the basis of a legal title other than consent.
4. Data subjects, categories of personal data
The company in particular processes the data of
- its employees, or persons close to them
- customers, business partners
The company does not process special categories of personal data.
Depending on the purpose and the data subject, the following categories of personal data may be processed:
- employees
  - name
  - surname
  - gender
  - age
  - place of birth
  - date of birth
  - birth certificate number
  - personal status
  - address, temporary or other residence
  - telephone number
  - bank account number
  - number of children
  - education
  - professional knowledge and skills
  - health insurance company code
  - height
  - weight
  - clothing size
  - footwear size
  - trade union membership
  - facial image
  - image recording
  - health condition
  - allergies
- customers, business partners
  - name
  - surname
  - date of birth
  - birth certificate number
  - address, temporary or other residence
  - telephone number
  - bank account number
5. Access to personal data
Processing of personal data is performed by the company itself, or it is delegated to a third party (processor). Employees of the company and other processors are bound by a duty of confidentiality and may not use the data provided for any purpose other than that for which it was made available to them.
The company and the processors are obliged to ensure such technical and organisational security of personal data that unauthorised or accidental access to the data or other misuse of the data cannot occur.
Third parties / recipients who may have access to personal data are:
- public authorities and entities established by them
- suppliers of accounting, auditing and legal services
- suppliers providing the technical operation of services or operating the necessary technology
- suppliers of archiving services
- suppliers of postal and transport services
- providers of payment gateways
- entities to which the company is obliged to transfer certain personal data on the basis of valid legal regulations, e.g. the Police of the Czech Republic, or other law enforcement authorities, courts, health insurance companies, social security authorities, financial authorities.
All of the aforementioned entities are granted access to personal data only to the extent strictly necessary.
6. Storage period
In accordance with the principle of storage limitation, personal data are processed only for the time necessary to fulfil the purpose of processing. Where processing is based on consent, personal data are processed for a maximum period of 10 years, unless the data subject withdraws this consent earlier.
The company is entitled to further process personal data to comply with its other legal obligations (e.g. archiving, security, defence of legal claims), in accordance with the relevant legislation and for the period of time specified by it, even after any withdrawal of the data subject’s consent.
7. Protection of personal data
In order to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access, the company:
a. protects the premises where documents or data carriers containing processed personal data are stored (locks, access codes, monitoring systems, security personnel, etc.),
b. instructs the staff responsible for processing personal data on the rules governing the processing and protection of personal data and on other obligations arising from the Regulation and related legislation,
c. uses technical equipment and software in such a way as to prevent unauthorised or accidental access to personal data to the greatest extent possible (access passwords, screen savers, encryption, virus filters, etc.),
d. performs remote transmission of personal data by means of secure communication,
e. carries out regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures in place to ensure processing security.
8. Rights of data subjects
a. Right of access to the data. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The data subject has the right to access the personal data processed and to obtain information on the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients, the intended period of storage, the existence of his or her rights, the source of the personal data, and any automated decision-making or profiling. The controller is obliged to provide the data subject with a copy of the personal data processed upon request. For additional copies, the controller may charge a reasonable fee based on administrative costs.
b. Right to rectification. The data subject has the right to obtain without undue delay the rectification of inaccurate personal data, and the right to have incomplete personal data completed.
c. Right to erasure (“right to be forgotten”). The data subject has the right to obtain from the controller the erasure of his or her personal data if one of the following reasons applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
- the data subject withdraws consent to the processing and there is no further legal basis for the processing
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing
- personal data have been processed unlawfully
- personal data must be erased to comply with a legal obligation
d. Right to restriction of processing. The data subject has the right to obtain from the controller restriction of processing of personal data if:
- the data subject contests the accuracy of the personal data
- the processing is unlawful, the data subject refuses erasure and requests instead a restriction of use
- the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims
- the data subject has objected to the processing
e. Right to data portability. The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on the data subject’s consent or on a contract and is carried out by automated means.
f. Right to object. The data subject has the right, on grounds relating to his or her particular situation, to object at any time to the processing of personal data concerning him or her.
9. Supervisory authority
Monitoring the application of the Regulation to protect the fundamental rights and freedoms of natural persons with regard to the processing of their personal data is the responsibility of the supervisory authorities in each EU Member State.
If the data subject considers that the processing of his or her personal data infringes the Regulation, he or she has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of employment or place of the alleged infringement.
The supervisory authority for Czechia is:
Úřad pro ochranu osobních údajů
Pplk. Sochora 27,
170 00 Praha 7
Company ID: 70837627
ID of data mailbox: qkbaa2n
E-mail: posta@uoou.gov.cz
Consultations for GDPR: +420 234 665 800