Personal Data Protection — Maršálek & Žíla

PRINCIPLES OF PERSONAL DATA PROCESSING

1. Controller of personal data

1.1 The controller of personal data is the Maršálek & Žíla Law Firm (partnership of attorneys), located at Stará Cesta 676, 75501 Vsetín (hereinafter referred to as the “Law Firm”), e-mail vsetin@marsalekzila.cz, phone no.: 571410895.

1.2 The purpose of this document is to comply with certain obligations of the Law Firm as the controller of personal data, as required by the Regulation (EU) of the European Parliament and Council n. 2016/679, of 27 April 2016, on the protection of natural persons in the context of personal data processing and the free movement of such data and repealing Regulation n. 95/46/EC (General Data Protection Regulation; hereinafter referred to as “GDPR”) and other regulations for the protection of personal data in respect to the natural person clients of the Law Firm (hereinafter referred to as “Clients”) and in respect to prospective clients of the Law Firm, who are natural persons (hereinafter referred to as “Prospects”).

1.3 This document shall be applied mutatis mutandis to the processing of personal data of natural persons in connection with the Clients/Prospects of the Law Firm, who are legal entities (as concerns their employees, directors and officers, etc.) and the processing of personal data of natural persons associated with the Law Firm’s Clients/Prospects, who are natural persons (especially a firm’s employees, etc.).

2. Legal basis for the processing of Personal Data and its purposes

2.1 The legal basis for the processing of personal data of the Law Firm’s Clients is:

- performance of contracts;

- legal compliance;

- legitimate interest.

2.2 The processing of clients’ personal data takes place for the following purposes:

- entering into a contractual agreement for legal services and performance of the duties of the Law Firm as they arise from the agreement (performance of a contract);

- compliance with legal tax obligations, obligations pursuant to act n. 85/1996 Coll., governing the legal profession, as amended (hereinafter referred to as the “Legal Profession Law”) and pursuant to act n. 253/2008 Coll., on some measures to combat the laundering of proceeds from criminal activities (money laundering) and terrorist financing, as amended (hereinafter referred to as the “Money Laundering Law”) (compliance with legal obligations);

- to obtain evidence in the event of necessary enforcement of the Law Firm’s rights and the enforcement of such rights (legitimate interest).

2.3 The legal basis and purpose for the processing of personal data of the Law Firm’s Prospects is legitimate interest in winning new clients and promoting awareness of the Law Firm’s services and activities.

3. Categories of personal data processed

3.1 The Law Firm processes Clients’ personal data to the following extent:

- identification and contact data (name, surname, title, birth certificate number, date of birth, address of residence, phone number, e-mail address, fax)

- payment information (banking details)

- personal data related to taking court, tax and administrative proceedings (including data necessary to provide a defence in penal proceedings)

- other data, as appropriate, necessary for the due provision of legal services and compliance with legal obligations.

3.2 The Law Firm processes personal data of Prospects usually in the following extent: name, surname, title, phone number, e-mail address.

4. Categories of personal data recipients

4.1 Recipients of the personal data of clients and prospective clients may, in specific cases, include:

- public authorities (e.g. courts of law, administrative agencies)

- external providers of technical and specialised services (personal data processors) (e.g. accountant, IT firm, translation agency, tax advisor)

- other recipients as needed and instructed by the client.

4.2 Where personal data is processed by the Controller and the processors, such processing takes place based on data processing contracts concluded as consistent with GDPR.

5. Transfer of personal data to a third country

5.1 Personal data of Clients or Prospects is not transferred to any third country (outside the EU).

6. Duration of personal data processing

6.1 Personal data of Clients is processed for the term of the above contractual agreements for legal services and, once the contractual agreement has terminated, such data is handled in keeping with the applicable legal regulations (esp. the Act on the Legal Profession, legal ethics regulations, act n. 499/2004 coll., on archiving and records management and amending certain acts, as amended, and GDPR).

6.2 Personal data of Prospects is processed for the duration of the Law Firm’s legitimate interest in the personal data processing, however not longer than 3 years from its collection, or possibly until a Prospect objects legitimately to further processing.

7.Rights of Clients and Prospects

7.1 As a consequence of personal data processing, each Client/Prospect of the Law Firm has the following rights:

7.1.1 Right to request from the Law Firm access to his/her personal data

7.1.2 Right to the rectification of inaccurate personal data processed by the Law Firm on the subject

7.1.3 Right to restriction of processing. Restriction of processing means that the Law Firm must reserve such restricted personal data for the duration of the restriction and is not allowed to further process such data, except the storage of such data. The right to restriction of processing is available to a Client/Prospect if:

- the accuracy of the personal data is contested by the Client/Prospect, for a period enabling the Law Firm to verify the accuracy of the personal data;

- the processing is unlawful and the Client/Prospect opposes the erasure of the personal data and requests the restriction of its use instead;

- the Law Firm no longer needs the personal data for the purpose of processing, but it is required by the Client/Prospect for the establishment, exercise or defence of legal claims;

- the Client/Prospect objected to processing as set out in clause 7.1.7 hereof, pending verification whether the legitimate grounds of the Law Firm for processing override the interests or rights and freedoms of the Client/Prospect.

7.1.4 Right to erasure of personal data. The right to erasure of personal data only applies to personal data that the Law Firm processes for purposes other than the Law Firm’s compliance with its legal obligation. The right to erasure is only given exclusively where such personal data is no longer needed for a particular purpose, the processing is based on consent and such consent is withdrawn by the Client/Prospect, or the Client/Prospect objects to processing and no overriding legitimate grounds exist for further processing, personal data has been processed unlawfully, such erasure is imposed on the Law Firm by a legal regulation or if personal data was collected in connection with an offer of services by an information firm pursuant to Article 8, par. 1 of GDPR.

7.1.5 Right to data portability. A Client may request that the Law Firm provides the Client’s personal data to the Client for the purposes of its transmission to another data controller or that the Law Firm transmits the data to another data controller. The Client however only has this right in respect to personal data processed by the Law Firm by automated means, based on the Client’s consent or a contract with the Client.

7.1.6 Right to lodge a complaint with a supervisory authority. If the Client considers that the processing of personal data relating to him or her infringes the regulations on personal data protection. A complaint may be lodged by the Client/Prospect with a supervisory authority at the place of his or her habitual residence, place of work or place of the alleged infringement. The competent authority in the Czech Republic is the Personal Data Protection Office (Úřad na ochranu osobních údajů), seated at Pplk. Sochora 27, 170 00 Praha 7, web: www.uoou.cz;

7.1.7 Where the Law Firm processes the personal data of a Client/Prospect on grounds of legitimate interests of the Law Firm or of a third party, the Client/Prospect has the right to object to such processing at any time. A Client/Prospect may raise his or her objection at the address of the Law Firm or at its e-mail address specified here above. If a Client/Prospect raises such an objection, the Law Firm has the right to continue such processing further only if relevant legitimate grounds can be established for processing, overriding the interests or rights and freedoms of the Client/Prospect, and if such processing is necessary to evidence, execute or defend legal claims.

8. Method of personal data processing

8.1 Personal data processing takes place primarily at the seat (registered office) and branch offices of the Law Firm by individual appointed employees of the Law Firm, possibly by processors. Personal data is processed with the use of computer technology, the internet or, possibly, manually in respect to personal data in paper form.

8.2 For the purposes of securing the protection of personal data processed and to provide for processing in accordance with GDPR, pursuant to Articles 24 and 25 of GDPR, the Law Firm has adopted and maintains reasonable organisational and technical measures.

8.3 The Law Firm does not run completely automated decision-making on its Clients’/Prospects’ data and does not perform profiling of Clients/Prospects.

9. Final provisions

9.1 These terms and conditions are available from the Law Firm’s website at http://www.marsalekzila.cz/ under the “Data Protection” section.