Based on the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as the “GDPR”) and based on Act No. 101/2000 Coll. the controller mentioned below publishes the following notification on personal data handling and protection.
I.1. The controller - within the meaning of Art. 4 (7) of the GDPR - of the personal data referred to in this document is STOPSAU s.r.o., Co. ID No. 28612931, with registered office 742 93 Slatina 68, registered in the Commercial Register maintained by the Regional Court in Ostrava, Section C, entry 34724 (hereinafter referred to as the “Controller”).
II.1. The controller has not designated a data protection officer.
III.1. The personal data provided by customer or cooperating entity shall be processed by the controller for the purpose of execution of goods or service purchase orders placed through ThreeS information system, i.e. for the purpose of performance of a contract in accordance with Art. 6 (1) (b) of the GDPR. The personal data include:
The provision of the personal data specified above is necessary for the performance of a contract on the controller’s part. If the personal data specified above are not provided, the order cannot be executed.
III.2. The controller shall retain the personal data specified in section III.1. of this document both in electronic and paper form for a period for which it is obliged by law to retain accounting and tax documents.
III.3. The following processors and joint controllers were entrusted by the controller with processing of the personal data specified in section III.1. of this document based on processing contracts and other arrangements for the purpose of provision of goods transport, i.e. for the purpose of performance of a contract in accordance with Art. 6 (1) (b) of the GDPR:
forwarding companies according to the specified place of delivery
The joint controller (forwarding company) shall retain the personal data provided by the controller for a time necessary to transport a consignment. After expiration of this time the data shall be retained by the joint controller based on its legitimate interest for the purpose of defence of its legal claims, protection of property and internal filing system and control for 10 years’ limitation period plus one year from its expiration with respect to the claims exercised at the end of the limitation period. In the event of institution of judicial, administrative or other proceeding the joint controller shall process the personal data in the necessary extent for entire duration of the proceeding and for the remaining part of the limitation period after the proceeding completion. The joint controller’s legitimate interests are defence of legal claims and securing of proper provision of services. The personal shall be processed by the joint controller for the purpose of performance of legal obligations for the period of 10 years.
IV.1. The following processors were entrusted by the controller with processing of the personal data specified in section III.1. of this document based on processing contracts for the purpose of securing general operability, i.e. for the purpose of legitimate interests pursued by the controller in accordance with Art. 6 (1)( f) of the GDPR:
the controller’s employees and cooperating entities classified into StopIN or StopEX category.
IV.2. A processor in charge for ACCOUNTANCY shall retain the personal data specified in section III.1. of this document both in electronic and paper form for a period for which it is obliged by law to retain accounting and tax documents.
V.1. The controller shall processes the personal data for the purpose of receiving of business messages regarding potential purchase of goods or services, i.e. for the purpose of legitimate interests pursued by the controller in accordance with Art. 6 (1)( f) of the GDPR in the following extent:
VI.1. If the controller is asked by an economic entity via e-mail message sent to address stopsau@stopsau.cz or in writing by letter sent to the address of the controller’s registered office for the list of its personal data processed, the controller shall issue free of charge for the economic entity a confirmation of the extent and manner of its personal data processing. The controller shall issue this confirmation only for and provide this confirmation only to the data subject, which has proved his or her identity to the controller, within 30 days of receipt of the request for issue of the confirmation. Any further confirmation issued by the controller for the data subject within the following 12 calendar months from the issue of the first conformation shall be charged for in the amount corresponding to the costs for application of technical means and time necessary for the issue of the confirmation.
VI.2. An economic entity has the right to rectification, erasure or restriction of processing of its personal data free of charge unless its personal data are processed based on law. This right can be exercised by the economic entity through requiring the controller via e-mail message sent to address stopsau@stopsau.cz or in writing by letter sent to the address of the controller’s registered office for rectification, erasure or restriction of processing of its personal data. If not contrary to the controller’s legal obligation or legitimate interests and if the data subject properly proves it identity, the controller shall comply with the request and take the required action within 30 days of receipt of the request giving notice to any other controllers or processors, to which the personal data were provided, of the necessity to take the same actions. Otherwise the controller shall provide reasons for refusal to comply with the request.
VI.3. An economic entity, which considers that its rights regarding its personal data are infringed by the controller, has the right to object against the processing of its personal data via e-mail message sent to address stopsau@stopsau.cz or in writing by letter sent to the address of the controller’s registered office. An economic entity, which considers that its right to personal data protection has been infringed, has also the right to lodge a complaint with the Office for Personal Data Protection.
VII.1. The controller hereby notifies the data subject that his or her personal data are not subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online application or practices without any human intervention.
The controller has taken technical and organizational measures necessary to protect the personal data against being accessed in an unauthorized or accidental way, against alteration, destruction, loss, unauthorized transmission, unauthorized processing as well as other abuse.
VIII.1. This personal data protection can be accepted only by a person aged at least 16. If this protection is accepted by a person younger than 16 without notifying the controller thereof without delay or without providing consent of the holder of parental responsibility over him or her, the controller shall be deemed to have been intentionally misled by him or her.
This document is valid from 1 January, 2021. The previous version is hereby cancelled with the effect from this date.
