GDPR

I.

Introduction of a Personal Data Controller

  1. Principles of processing personal data of customers Karavanycesko.cz, operated by AIRWAYNET a.s. (hereinafter referred also “principles”) is governed by AIRWAYNET a.s, ID: 61058068, registered office at Hládkov 920/12, 169 00 Prague 6 – Střešovice, registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 3877 (hereinafter referred also “Controller”), in the processing of customer’s personal data, thereby ensuring the confidentiality and security of such personal data. 
  2. These principles were developed in accordance with Act No. 101/2000 Coll. on the protection of personal data, as amended (hereinafter referred to as the “personal data protection act”) and in accordance with Regulations of the European Parliament and the Council (EU) 2016/679 from the 27th April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/ES (hereinafter to as the „GDPR“).

 

II.

Data Protection Officer

  1. The Data Protection Officer shall carry out the tasks referred to in Article 39 of the GDPR, in particular to:
  2. Provide information and advice to data Controllers or Processors and any employees that process personal data about their obligations under the GDPR and other Union or Member State data protection rules;
  3. Monitor compliance with GDPR, other Union or Member States data protection rules and the data protection Controller or Processor concepts, including the allocation of responsibilities, awareness-raising and training of all employees involved in processing operations and related audits;
  4. Provide on-demand advice, when it relates to the impact on personal data protection and monitor its implementation in accordance with Article 35 of the GDPR;
  5. Cooperates with the Supervisory Authority, which is the Office for Personal Data Protection; and
  6. It shall act as a contact point for the Supervisory Authority in the matters relating to the processing of personal data, including prior consultation under Article 36 of the GDPR, and, where appropriate, consult on any other matter.
  7. In carrying out his/her tasks, the Data Protection Officer shall take serious consideration of the risk associated with the processing of personal data, taking into account the nature, scope, context and purposes of such processing.
  8. The Data Protection Officer in matters concerning the processing of your personal data was named  

 

Ing. Filip Figala

e-mail: filip.figala@airwaynet.cz
phone: +420 605 040 454

III.

Personal data processing, the nature and purpose of the processing, the source of personal data and the way of processing personal data

  1. The Controller processes the following personal data of the customers, in particular for the purposes for which the customer’s personal data were passed on to him, namely:
  2. Personal data – name, surname, title, date of birth, signature, in case of a business entrepreneur a business identification number and VAT number. These are therefore personal data that allows the Processor to identify the customer unambiguously and unmistakably and the personal data is processed by the Controller in order to:
  3. Ensure fulfillment of the contractual relationship (in particular for the purpose of closure of a contract, fulfilling a contract, sending an offer of services to existing customers, settling refunds and complaints, processing orders, issuing invoices, recovering of claims from the Controller against the customer, including their right to exercise rights in courts or with insurance companies, etc.)
  4. Ensure fulfillment of obligations stipulated by generally binding legal regulations (especially fulfillment of tax obligations, obligations in the field of statistics, obligations towards law enforcement authorities, etc.)
  5. Ensure fulfillment and protection of the legitimate interests of the Controller (especially sending commercial messages and offers for products and services provided by the Controller – direct marketing, etc.)
  6. Address details – in particular, permanent address, delivery address, telephone number, e-mail address and other similar information. This is personal information that allows the Controller to contact the customer, so the personal information is processed by the Controller to:
  7. Ensure fulfillment of the contractual relationship (in particular for the purpose of closure of a contract, fulfilling a contract, sending an offer of services to existing customers, settling refunds and complaints, processing orders, issuing invoices, recovering of claims from the Controller against the customer, including their right to exercise rights in courts or with insurance companies, etc.)
  8. Ensure fulfillment of obligations stipulated by generally binding legal regulations (especially fulfillment of tax obligations, obligations in the field of statistics, obligations towards law enforcement authorities, etc.)
  9. Ensure fulfillment and protection of the legitimate interests of the Controller (especially sending commercial messages and offers for products and services provided by the Controller – direct marketing, etc.)
  10.  Information needed for the execution of payments and accounting – especially account number, bank code, IBAN, SWIFT. This is personal information that will make payments between the customer and the Controller, so the personal information is processed by the Controller to:
  11.  Ensure fulfillment of the contractual relationship (in particular for the purpose fulfillment of a contract, realisation of payments for provided services, refund of overpayments, processing orders, issuing invoices, recovering of claims from the Controller against the customer, etc.)
  12. Ensure fulfillment of obligations stipulated by generally binding legal regulations (especially fulfillment of tax obligations, obligations towards law enforcement authorities, etc.)
  13. The Controller obtains personal data directly from customers or from publicly accessible sources (public registers, internet, etc.)
  14. Personal data is processed by the Controller both manually and automatically. Automated processing of personal data is mainly used by the Controller to send invoices, request payments, for any commercial messages and offers of products and services to existing customers.

IV.

Consent of the Data Subject to the processing of their personal data

In case that the processing of personal data is not pursued under the Art. 6) Par. 1 letter b to f) under the GDPR, the Controller will always ask the customer for his consent to the processing of personal data, and if the customer does not give such consent to the Controller, the Controller will not process the customer’s personal data.

V.

Processor of personal data and transfer of personal data to third countries

  1. Access to personal data processed by the Controller is also available to other entities (recipients) that process personal data for the Controller in the context of the services provided by the Controller and are therefore personal data Processors within the meaning of Article 4 Paragraph 8 of the GDPR. These entities provide the Processor with the following services in particular:
  2. Accounting consultancy, bookkeeping, tax records, payroll administration and related services.
  3. IT services (network management, server management, administration system administration, hosting, etc.)
  4. Marketing services.
  5. Legal services including debt collection.
  6. The Controller has concluded contracts on processing of personal data in accordance with the Personal Data Protection Act and GDPR with all entities processing customers’ personal data for the Controller and, if not, they are subject to the legal obligation of confidentiality.

 VI.

Transfer of personal data abroad

The controller shall not transfer personal data of customers to third countries or international organizations under Articles 44 to 50 of the GDPR.

VII.

Use of cookies

  1. In accordance with generally binding legal regulations, the website of the Data Processor of www.karavanycesko.cz stores files, which are generally called cookies, from the customers and other persons who visit these websites (hereinafter referred to as “website visitors“).
  2. Cookies are small data files that let websites that users visit remember the actions of the website visitors and the settings they have made, so they don’t have to re-enter this information each time. Cookies are not dangerous, but are important for privacy. Cookies cannot be used to identify visitors of any site or to abuse their login information.
  3. For example, the Processor can use cookies to keep the display from mobile devices to the PC version of the website and to maintain the preferences of website visitors when browsing.
  4. The Processor also uses third-party cookies (such as Google Analytics for traffic analysis). These cookies are managed by third parties and the Processor does not have access to read or write this data.
  5. Consent for Cookies – Most browsers automatically accept cookies unless otherwise set. By using this website, visitors agree to the storage of cookies. The use of cookies can be restricted or blocked in each visitors’ individual browser. Information about the settings of each individual browsers available can be found at the following addresses:

Internet Explorer: windows.microsoft.com

Google Chrome: support.google.com

Mozilla Firefox: support.mozilla.org

Opera: help.opera.com

Safari: support.apple.com

 

VIII.

Retention of personal data

  1. The Controller keeps the personal data of customers only for the time period that is strictly necessary for the purpose of their processing, ie the period of retention of personal data is limited to the minimum necessary time. The Controller shall store personal data in particular for the time period necessary to ensure fulfillment of all rights and obligations resulting from the concluded contracts and for the time necessary to fulfill all obligations arising from generally binding legal regulations.
  2. Personal data is processed by the Controller to the extent necessary, in particular, to fulfill the purposes specified in Article III. and for the time required to achieve those; or for a time period directly determined by generally binding legal regulations. Upon expiry of the time needed to process personal data contained in data files in the Controller’s databases are permanently deleted and the personal data contained in files, documents (including in paper form) are shredded.
  3. The basic retention period for personal data by the Controller are as follows:
  4. The Controller is entitled to process basic personal, identification, contact, service and communication data between the Customer and the Data Controller, if all rights and obligations were fulfilled; the Controller is entitled to this processing for a time period of 6 months from the date when the last Service Agreement between the Controller and customer was terminated, unless stipulated otherwise.
  5. In the case of any goods purchased by the customer from the Controller, if all obligations on the customer’s part are fulfilled, the Controller is entitled to process the basic personal data of the customer, data about the goods and data from any communication with the customer with the Controller for a time period of 6 months from the expiry date for the goods, or deadlines from exercising legal rights from defective goods, unless stipulated otherwise.
  6. In the case of any negotiations on the conclusion of a contract that has not been concluded, the Controller is authorized to process the provided contract negotiations.
  7. In the case of any invoices and other tax documents issued by the Controller, he/she is obliged under Section 35 of Act No. 235/2004 Coll., on value added tax (or VAT), to archive these invoices and other tax documents for a period of 10 years from the date of the issue; due to the need to justify the legal reasons for issuing invoices and other tax documents are for a period of 10 years from the date of the termination of the contract; contracts are included in this 10 year time period if the invoices and other tax documents were issued on their basis. 
  8. In the case of customers who have any debt to the Controller, the Controller retains the customer’s personal debt-related information for the entire time period needed to recover such debt.
  9. In the case of processing of personal data for the purpose of sending commercial messages and offers of services provided by the Controller, the Controller keeps personal data for the whole duration of the contractual relationship for direct marketing, or for the duration of consent to processing of personal data in other cases.

 

IX.

Rights of customer as Data Subject

As a data subject, the customer has certain rights with respect to the protection of personal data under the GDPR and the Data Protection Act which he is entitled to exercise against the Controller, namely:

  • Right to access personal data

In the event that the data subject (customer) is interested to find out what personal data is being processed by the Controller; he/she the right to obtain this information from the Controller on whether his/her personal data is being processed and, if so, he/she has the right to access the personal data. In the event of a repeated request from the customer, the Processor is entitled to request a reasonable fee from the customer in the form of a deposit and if the customer fails to pay the deposit, the information will not be provided.

  • Right to rectification of personal data

In the event that the Controller processes data about customers that are untrue or incorrect personal data, the customer has the right to request rectification. The Controller must be obliged to carry out such rectification of personal data without undue delay, but he/must always communicate his personal and technical limitations.  

  • Right to request clarification

In the event that the processing of the customer’s personal data would undermine the protection of the personal and private life of the customer or if the customer’s personal data was processed in violation of law, the customer is entitled to ask the administrator for explanations.

  • Right to make a complaint to Supervisory Authority

If the customer is convinced that the administrator is violating the customer’s right to privacy, he has the right to contact the Supervisory Authority, which is the Office for Personal Data Protection, ID: 70837627, registered office Pplk. Sochora 27, 170 00 Prague 7, Czech Republic.

  • Right to erasure of personal data

If the customer’s personal data is  no longer needed for the purposes for which it was processed, or if it is processed by the Processors unlawfully, the customer has the right to request for their personal data to be deleted.

  • Right to restrict processing

In case the customer is not interested in deleting his/her personal data, but only on a temporary limitation of the scope of processing of his/her personal data, he/she has the right to ask the Processor to limit processing of such personal data.

  • Right to data portability

If the customer is interested in having the Controller transfer his/her personal data to another entity, he/she has the right to transfer the data to this entity. However, if the exercise of this right could adversely affect the rights and freedoms of third parties, the Processor shall refuse such a request.

  • Right to object to processing

The customer has the right to object at any time to the processing of personal data that is processed for the purpose of performing a task in the public interest or in the exercise of public authority or for the protection of the legitimate interests of the Controller. If the Controller does not prove that there is a valid legitimate reason for the processing of the customer’s personal data, which prevails over the interests or rights and freedoms of the customer, the Controller is obliged to terminate the processing of personal data without undue delay.

  • Right to rescind consent

In the event that the Processor processes personal data based on the consent given by the customer, the customer is entitled to withdraw this consent at any time.

  1. In exercising the rights referred to in the preceding paragraph, customers may contact the Processor in writing at the registered office address of the Controller: AIRWAYNET a.s., Hládkov 920/12, 169 00 Prague 6 – Střešovice or by e-mail to the Controller’s e-mail address: info@airwaynet.cz
  2. The Data Protection Officer shall respond to requests of customers under this Article exercising their rights of data subjects under Paragraph 1 of this Article no later than 30 days from the date of receipt of the request. If necessary, the Controller is entitled to extend the time limit by a maximum of 2 months. The Controller is obliged to inform the customer about the extension of the deadline, including the reasons for its extension.

 

These Principles of processing personal data by Karavany Česko customers come into force and effect on 25.05.2018.

 

In Prague 25.05.2018

AIRWAYNET a.s.

Miloslav Novák

Chairman of the Board