In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter also referred to as “GDPR Regulation”), you, as a data subject, are hereby provided the following information, in particular on: (i) which personal data we collect, (ii) how we handle these data, (iii) on which legal bases we process personal data and for which purposes we use personal data, (iv) to whom we are authorised to provide/disclose such personal data, (v) what your rights in the field of protection of personal data are, as well as (vi) where information on your personal data processed by us may be obtained.

We would like to kindly ask you to get acquainted with the contents of the present Information on Processing of Personal Data (the “Information”). We are ready to answer any questions of yours at the contact e-mail address: info@ak-sv.cz, and/or in the registered office of our law office at the address: Dlouhá 16, CZ-110 00 Prague 1.

The present Information, which contains general principles of processing of personal data, is addressed to all and any natural persons whose personal data are processed by our company, i.e. in particular those of customers, business partners, job-seekers, users of websites of our company etc.

Identity of the Controller:

Sedláček, Vaca & spol., advokátní kancelář, s.r.o., ID No.: 03781038, the registered office of which is at Dlouhá 705/16, Staré Město, CZ-110 00 Prague 1, registered in the Commercial Register administered by the City Court of Prague, Section C, Entry 237555 (the “Company” or also the “Controller”).

Contact data of the Controller: (i) contact address: Dlouhá 16, CZ-110 00 Prague 1, (ii) contact e-mail address: info@ak-sv.cz, (iii) contact phone number: 221779970.

The Company, as the Controller of personal data, handles personal data in connection with the exercise of its business activities for individual purposes, as indicated below in the present Information. The Company handles your personal data in accordance with the applicable laws and regulations in force and always in a manner to guarantee security of your data (personal data) to the maximum extent possible. The Company observes the principles of processing of personal data stipulated by the applicable laws and regulations in force and fully respects the highest standards of protection of personal data.

The Company has no data protection officer within the meaning of GDPR Regulation.

Purposes of Processing of Personal Data. Legal Basis for Processing of Personal Data:

The Controller processes your personal data only to the extent necessary for the purpose in question and for the period necessary for attaining of the purpose in question. Following the attaining of the purpose in question, the Controller may process your personal data for other purposes than those for which they have been collected; the Controller will always inform you of such other purposes.

Processing of Personal Data without Your Consent:

The Controller processes personal data without your consent for the following purposes and on the following legal grounds:

(i) performance of contractual obligations of the Controller, including the discharge of an obligation to provide performance under a contract and payment (in particular provision of legal services, contract on provision of legal services, legal relationships with clients, recruitment), as well as handling of requests sent electronically – registration of participation in professional seminars/training events (storage period of personal data: for the duration of the contract and for the further period of 10 years from the termination of contractual relationship); legal ground of processing: performance of a contract, including its conclusion;

(ii) compliance with a legal obligation, including e.g. (a) bookkeeping issues, (b) management of client files, including communication with the client, (c) identification of clients within the meaning of Act. No. 253/2008 Coll., on certain measures against laundering of the proceeds from crime and financing of terrorism, and/or (d) registration of provided legal services (storage period of personal data: personal data are processed for the period stipulated by the applicable laws and regulations); legal ground of processing: compliance with a legal obligation;

(iii) protection of legitimate interests of the Controller or third parties: to ensure the exercise and defence of legal claims of the Controller, protection of legitimate interest of third parties as stipulated by the laws and regulations in the field of legal profession, identification of clients within the meaning of Act. No. 85/1996 Coll. (Bar Act), identification of third parties, protection of legal claims of the Controller, including defence of legal claims, development of provided services, litigation, in particular for the purposes of handling of judicial and other disputes (storage period of personal data: personal data are processed till the expiry of 1 year from the end of the limitation period unless the applicable laws and regulations provide for a different limitation period, or for any further period to ensure the protection of legal claims); legal ground of processing: legitimate interest of the Controller or a third party;

(iv) offer of services, sending of business communication in the field of law: sending of business communication or information bulletins/newsletters, offer of services to the existing clients within the meaning of the offer of information society services under the applicable laws and regulations – see S. 7 (3) of Act. No. 480/2004 Coll. (storage period of personal data: for the period stipulated by the applicable laws and regulations); legal ground of processing: legitimate interest of the Controller;

(v) recruitment of employees, including handling of requests sent electronically (storage period of personal data: (a) if the job-seeker is successful and becomes an employee: for the duration of employment of the employee, (b) for other purposes in connection with the recruitment of employees: till the expiry of 1 year from the end of the limitation period, or for any further period to ensure the protection of legal claims); legal ground of processing: (i) performance of a contract (processing for the purposes of entering into a contract), (ii) legitimate interest of the Controller).

Processing of Personal Data with Your Consent:

The Controller processes personal data with your consent for the following purposes of marketing, namely promotion of services and products of the Company, sending of commercial communications.

Storage period of personal data: personal data based on the consent are processed for the duration of consent with the processing of personal data (but no longer than 3 years).

Legal basis of processing is the consent to the processing of personal data given by a data subject.

For the purposes of demonstrating the compliance with obligations of the Controller under the applicable laws and regulations in the field of protection of personal data, the Controller may store/process information on obtaining the consent (i.e. how the consent was obtained and which it concerned) even after the withdrawal of the consent by the data subject, namely for a reasonable period (not longer than 4 years from the withdrawal of the consent).

Categories of Personal Data:

For the above purposes, the Company processes the following:

(i) identification data and contact data, i.e. in particular name, surname, academic title, phone number, e-mail address, address (address of the residence, address for the purposes of service or any other contact address), date of birth, birth identification number, signature; in case of natural person – business person also business name, registered office of business and ID No., Fiscal No., data box ID,

(ii) other personal data, i.e. for example bank data (bank account number), and/or any other transaction data, (b) any other personal data concerning the client or third parties,

(iii) personal data pertinent to the recruitment issues, i.e. for example identification and contact data, data on achieved qualifications, data on language skills and also data on previous employers, as well as any other personal data pertinent to the recruitment issues (in particular further data contained in the CVs or cover letters).

Legal Ground of Processing of Your Personal Data Is (See above):

• compliance with a legal obligation which applies to the Controller (Art. 6 (1) (c) of GDPR Regulation),
• performance of a contract entered into with you, as a data subject, (Art. 6 (1) (b) of GDPR Regulation),
• legitimate interest of the Controller or a third party (Art. 6 (1) (f) of GDPR Regulation),
• consent to the processing of personal data if given by a data subject (Art. 6 (1) (a) of GDPR Regulation).

Your personal data may be processed manually and by automated means directly through specially authorised employees of the Controller as well as through processors instructed by the Controller under a contract on processing of personal data.

Source of Personal Data:

The Company, as the Controller, obtains personal data of data subjects (i) from data subjects (such as, (a) from requests from data subjects, (b) as a part of negotiations with the data subject on conclusion of a contract, (c) from forms completed by data subjects or (d) in communication (personal and written) with data subjects, including communication by electronic means), (ii) from third parties (such as, (a) from public authorities, (b) from cooperating third parties, (c) from third parties to comply with our legal obligations as the Controller, and/or (d) under special laws and regulations) or (iii) from publicly available sources (e.g. from public registers). If the Controller obtains personal data from data subjects, it will always inform data subjects on whether the provision of personal data is a statutory or a contractual requirement and whether the data subject is obliged to provide his/her personal data, as well as of possible consequences of failure to provide of personal data.

Recipient, Categories of Recipients:

Your personal data may be transferred in particular to the following categories recipients (always on a ground of the relevant legal title and to the extent necessary to attain the purpose of processing in question):

• authorised employees of the Company,
• public authorities to which the Company is obliged to disclose your personal data and/or which are authorised to require your personal data from the Company (such as, law enforcement authorities etc.),
• third parties with whom the Company has entered into a written contract on processing of personal data, i.e. processors (such as, providers of IT services, providers of accounting services, auditors, tax consultants, cooperating attorneys-at-law, experts and expert institutes, translators and interpreters etc.),
• business partners of the company (in particular carriers, courier services etc.).

Your personal data may be possibly transferred to third parties on other grounds in accordance with the applicable laws and regulations in force.

The Controller does not intend to transfer personal data to any third country and/or to an international organization.

Decision-making by Automated Means:

Neither decision making, nor profiling by automated means occurs during the processing of your personal data.

Processing of Personal Data of Third Parties:

Besides the personal data of clients, business partners, employees, job-seekers, and/or any other cooperating persons (data subjects), the Controller also processes personal data which are provided/disclosed in connection with entering into or performance of a contract by the client, and/or a supplier. Such personal data are also processed by the Controller (i) in accordance with the applicable laws and regulations, including the GDPR Regulation, (ii) for certain purposes, i.e. entering into/performance of a contract and (iii) for the duration of a contract and also for the period stipulated by the applicable laws and regulations (if any), and/or in justified cases for a longer period if further processing is necessary in connection with a particular case.

The Right to Access to Personal Data (Article 15 of GDPR Regulation):

As a data subject, you have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are processed, and where that is the case, you have the right to get access to these personal data and the following information on:

(a) purposes of processing;

(b) categories of personal data in question;

(c) recipient or categories of recipients to whom personal data have been or will be disclosed;

(d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or the right to object to such processing;

(f) the right to lodge a complaint with a supervisory authority (the Office for Personal Data Protection);

(g) all and any available information on the source of personal data;

(h) the existence of decision-making, including profiling, by automated means, the logic involved, as well as the significance and the envisaged consequences of such processing.

Should personal data be transferred to a third country or to an international organization, you have the right to be informed of appropriate safeguards that apply to their transfer.

The Controller shall provide you with a copy of the processed personal data. The Controller shall be authorised to charge a reasonable fee for further copies based on administrative costs. It is established that the right to obtain a copy cannot adversely affect the rights and freedoms of others.

The Right to Rectification (Article 16 of GDPR Regulation):

As a data subject, you have the right to obtain from the Controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The Right to Erasure (Article 17 of GDPR Regulation):

As a data subject, you have the right you have the right to obtain from the Controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:

(a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) you have withdrawn your consent on which the data were processed and there is no other legal ground for the processing;

(c) data subject has objected to the processing, if the objecting is permitted under GDPR Regulation, and there are no overriding legitimate grounds for the processing;

(d) personal data were processed unlawfully;

(e) personal data must be erased to comply with a legal obligation;

(f) personal data were collected in relation to the offer of information society services under Art. 8 (1) of GDPR Regulation.

The right to erasure shall not apply if a statutory exception applies, in particular if the processing of personal data is necessary to (a) comply with a legal obligation which requires processing by Union or Member State law to which the Controller is subject, or (b) for establishment, exercise or defence of legal claims.

The Right to Restriction of Processing (Article 18 of GDPR Regulation):

As a data subject, you have the right to obtain from the Controller restriction of processing where one of the following applies:

(a) you contest the accuracy of the personal data – where that is the case, the processing will be limited for a period enabling the Controller to verify the accuracy of the personal data;

(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

(c) the Controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;

(d) the data subject objected to the processing under Art. 21 (1) of GDPR Regulation – pending the verification whether the legitimate grounds of the Controller override legitimate grounds of the data subject.

If the processing was restricted, these personal data may be processed, with the exception of storage, only:

(a) with the consent of a data subject,

(b) for the establishment, exercise or defence of legal claims,

(c) for the protection of the rights of another natural person or legal entity, or

(d) for reasons of important public interest of the European Union or of a Member State.

The Right to Data Portability (Article 20 of GDPR Regulation):

Under conditions stipulated by Article 20 of GDPR Regulation, you (as a data subject) have the right to receive personal data concerning you which you provide to the Controller with your consent or for the purposes of performance of a contract. Upon your request, the Controller will provide you with data in a structured, commonly used and machine-readable format, or will transmit them upon your request to another uniquely determined controller if it is technically feasible. The right to data portability does not apply to personal data which are not processed by automated means. Under conditions stipulated by Article 20 of GDPR Regulation, you (as a data subject) have the right to receive personal data concerning you which you provide to the Controller with your consent or for the purposes of performance of a contract. Upon your request, the Controller will provide you with data in a structured, commonly used and machine-readable format, or will transmit them upon your request to another uniquely determined controller if it is technically feasible. The right to data portability does not apply to personal data which are not processed by automated means. The exercise of the right to data portability cannot adversely affect the rights and freedoms of others.

The Right to Object (Article 21 of GDPR Regulation):

You (as a data subject) have the right (under conditions stipulated by Article 21 of GDPR Regulation) to object, on grounds relating to your own particular situation, to processing of personal data concerning you which are processed on the grounds of legitimate interests of the Controller or for the purposes of the performance of a task carried out in the public interest or in the exercise of official public authority; at any time. The Controller will no longer process the personal data (i) unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests or rights and freedoms, or (ii) they are necessary for the establishment, exercise or defence of legal claims of the Controller.

The Right to Lodge a Complaint with a Supervisory Authority (Article 77 of GDPR Regulation):

If you believe that the processing of your personal data infringes laws or regulations / GDPR Regulation, you have the right to lodge a complaint against practices of the Controller with a supervisory authority; the supervisory authority for the Czech Republic is the Office for Personal Data Protection, the seat of which is at Pplk. Sochora 27, CZ-170 00, Prague 7 (www.uoou.cz). This is without prejudice to any other remedies of administrative or judicial protection provided for the protection of a data subject by the applicable laws and regulations in force.

The Right to Withdraw Your Consent:

You are not obliged to give the Company the consent with the processing of your personal data. You have the right to withdraw your consent to the processing of personal data given for the above purposes (or some of them) at any time. The withdrawal of your consent is without prejudice to the processing of your personal data before its withdrawal. You can withdraw your consent to the processing of personal data (i) by a signed written statement on withdrawal of consent sent in writing to the contact address of the Company or (ii) by a statement on withdrawal of consent sent by e-mail to the contact e-mail of the Company mentioned above in the present Information. You are not obliged to give the Company the consent with the processing of your personal data. You have the right to withdraw your consent to the processing of personal data given for the above purposes (or some of them) at any time. The withdrawal of your consent is without prejudice to the processing of your personal data before its withdrawal. You can withdraw your consent to the processing of personal data (i) by a signed written statement on withdrawal of consent sent in writing to the contact address of the Company or (ii) by a statement on withdrawal of consent sent by e-mail to the contact e-mail of the Company mentioned above in the present Information.

We would also like to inform you that we are authorised to process certain personal data for certain purposes also without your consent. If you withdraw your consent, the Company will cease to process your personal data for the purposes requiring your consent with regard to which the consent has been withdrawn, however, the Company may be authorised and/or obliged to process such personal data on any other legal basis (i.e. on other legal ground(s) of processing).

Information on the processing of personal data of business partners:

This information on the processing of personal data of business partners is without prejudice to other provisions of the present Information.

The Controller processes personal data of a business partners (i) primarily for the purposes of entering into and performance of a contract and/or (ii) for the compliance with a legal obligation (in particular obligation stipulated by accounting and fiscal laws and regulations and/or laws and regulations to protect personal data) and/or (iii) on the grounds of legitimate interests of the Controller to ensure exercise and defence of legal claims of the Controller and third parties (defence of claims and protection of legal claims of the Controller and third parties), and/or for marketing purposes. The Controller may use the data also for administrative purposes (including creation of registers/databases and lists of contact persons).

Legal ground of processing is:

• performance of a contract (including processing for the purposes of entering into a contract),
• compliance with a legal obligation which applies to the Controller,
• legitimate interests of the Controller or a third party.

Categories of recipients:

• suppliers of external IT services (IT technical support services, provision of server services, provision of programming services, services of measurement of visits of websites etc.),
• providers of accounting services, providers of business services, providers of services of tax consultancy or auditing services,
• public authorities,
• other recipients (such as, insurance companies, translators, interpreters, experts etc.).

Personal data are processed by automated means and manually by the Controller. However, most of the processing occurs by automated means (through computing systems), in particular through the CRM-system of the Controller, or through accounting, invoicing and similar systems of the Controller. However, personal data may also be processed in registers, files etc. (including systems of registration/storage of paper documents, files of business cards etc.) by the Controller.

Storage period of personal data:

• contact and identification data for the purposes of sending of business communication processed with the consent are stored for the period of: 3 years,
• contact data for the purposes of the offer of information society services under the applicable laws and regulations will be processed by the Controller for the period stipulated by the applicable laws and regulations (until the business partner opposes further sending of business communication),
• personal data for performance of a contract will be processed for the duration of a contract (contracts will be stored for archiving purposes for the period of 10 years from their discharge/termination/end),
• personal data to comply with a legal obligation by the Controller will be processed for the period stipulated by the applicable laws and regulations,
• personal data for the purposes of legitimate interest of the Controller or a third party will be processed till the expiry of 1 year from the end of the general limitation period, or for any further period to ensure the protection of legal claims.

For the purposes of updating of personal data, the Controller may be contacted at the above contact address and/or contact e-mail address.

Manner of Defence of Rights by a Data Subject:

As a data subject, you may defend your rights pertinent to the processing of personal data vis-à-vis the Controller by contacting the Controller at the contact address of the registered office of the law firm at Dlouhá 16, CZ-11000 Prague 1, and/or at the contact e-mail address of the Controller: info@ak-sv.cz. For the purposes of exercise of rights (making a request) by a data subject, the Controller may verify the identity of the data subject defending his/her rights/making a request in an adequate manner.

Information by the Controller:

The Controller provides information in writing in paper form. However, if you contact the Controller electronically at the contact e-mail address of the Controller, the Controller will provide you with information electronically (by e-mail) unless you ask for provision of information in paper form. This is without prejudice to your right to data portability.

If we receive a request under Articles 15 – 22 of GDPR Regulation from you, we will inform you of measures that have been taken without undue delay, we will inform you of measures that have been taken, refusal or extension of the period not later than one month from the receipt of your request. Depending on the complexity of a complaint or their number, we may extend the time limit for providing information on measures that have been taken (and therefore also for taking such measures) for a further period of two months. We will inform you of such extension, including the grounds for such delay, within one month of receiving your request.

Information on invoking of his/her rights by a data subject against the Controller and information on how his/her request was responded to by the Controller is stored by the Controller for a reasonable period of time (usually for the period of 3 years), namely for the purpose of (i) proving this fact (making and response to the request), as well as (ii) for statistical purposes, (iii) and/or (iii) protection of right of the Controller.

Further Information:

If your personal data are processed without your consent, their provision is required on the grounds that (i) they are necessary to discharge obligations arising from a contract, and/or (ii) their provision is required by laws, or (iii) to protect legitimate interests of the Controller or a third party. Failure to provide data for these purposes (some of them) may result in non-conclusion of a contract and/or impossibility of performance etc.

Sending of electronic business communication to clients within the meaning of the offer of information society services (the so-called customer exception within the meaning of S. 7 (3) of Act No. 480/2004 Coll.) under the applicable laws and regulations may be cancelled through the link contained in each single business communication.

If your personal data are processed with your consent, provision of your personal data is neither a statutory, nor a contractual condition (neither a statutory, nor a contractual requirement), therefore, you are not obliged to give your consent. In such cases, you are therefore neither obliged to provide the personal data in question for this purpose, nor to give your consent to their processing. If you fail to give your consent, it may result in a situation in which the Company will not be able to use some procedures, in particular those pertinent to marketing.

If the Controller uses personal data for a different purpose than the purpose contained in the present Information, it will provide the data subject in question information on such other purpose, as well as other information contained in the present Information immediately.