Personal Data Processing Policy at OSTROJ a.s. – for external subjects

OSTROJ a.s. considers the protection of personal data important and pays appropriate attention to it. We process personal data in accordance with legal regulations, in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Act No. 110/2019 Coll., on the Processing of Personal Data, and other related legislation.

This document provides information on the processing of personal data of external persons and on the rights related to such processing, specifically of the following categories of data subjects:

• business partners, including potential partners,
• persons performing various support services for our company,
• contractual partners based on a validly concluded legal document,
• applicants for sponsorship or donation,
• employees and cooperating persons of the above-mentioned entities,
• visitors to our premises,
• persons who complete a contact form on our website,
• and other third parties whose personal data we are entitled to process.

We are the controller of your personal data, and our basic contact details are:

OSTROJ a.s., IČO 451 93 681, se sídlem Těšínská 1586/66, Předměstí, 746 01 Opava
The company is registered in the Commercial Register of the Regional Court in Ostrava, Section B, Insert 349.
e-mail: gdpr@ostroj.cz, phone: + 420 553 872 111, www.ostroj.cz

Legal basis and purpose for processing your personal data

• For the purpose of taking steps necessary to enter into a contract and subsequently to fulfil a concluded contract, in particular negotiations regarding the conclusion of a contract, mutual meetings and communication (including electronic communication), providing information and responses, including responses to a completed contact form on our website, expressing a mutual intention or preliminary agreement before concluding a contract, and fulfilling the conditions of a concluded contract (delivery and acceptance of goods and services, fulfilment of warranty and service conditions, provision of sponsorship donations, etc.).
• For the purpose of complying with legal obligations imposed on us by generally binding legal regulations, especially the Business Corporations Act and the Civil Code, the Accounting Act, the VAT Act, the Income Tax Act, administrative regulations, etc., for fulfilling statutory obligations, communication and provision of information to public authorities, issuing accounting and tax documents, bookkeeping, payment of taxes, etc.
• Based on our legitimate interest, in particular for the purpose of protecting property and the health of individuals, including handling insurance claims; preventing damage, extraordinary events and unlawful conduct; and exercising and defending our legal claims, in particular enforcing receivables and defending against claims of third parties - but always only where your rights and interests do not override our interests.

In all the above cases, your consent is not required.

With your consent:

There may be situations where we require your explicit consent for a particular processing purpose. In such a case, the provision of your personal data will be entirely voluntary, and the consent may be withdrawn at any time. When requesting consent, we will provide detailed information about the processing, its purpose and your rights.

What personal data will we process:

We will process specifically the following personal data, always only to the extent strictly necessary. If we enter into any legal document together, the provision of personal data will be necessary for its conclusion.

1. Identification data, including in particular:
   name and surname, company name/business name, academic title, date of birth, ID number, type and number of identity document, physical appearance captured by the CCTV system.
2. Contact details, including in particular:
   permanent residence address, registered office or place of business, mailing address, e mail address, telephone number, or other contact details provided by you.
3. Payment and billing data, including in particular:
   bank account number, billing address, VAT number.
4. Other data beyond the categories A-D, such as:
   goods or services ordered by you from us or provided by us to you, data from mutual communication, data included in a contractual document, data obtained during your visit and movement within our premises, vehicle licence plate number, etc.

For completeness, we note that personal data is obtained either directly from you and/or from publicly accessible sources (e.g. Commercial Register, Trade Register, Land Register, your website, etc.). If you provide us with more personal data than necessary, we will not process such data.

We Operate a CCTV System

Within our premises, we operate a CCTV system based on our legitimate interest for the purpose of protecting property, life and health of individuals, ensuring safety and preventing damage, extraordinary events and unlawful activities, and addressing such events, including insurance claims. The operation of the CCTV system involves the processing of personal data consisting of capturing individuals’ physical appearance in the video footage, vehicle licence plates number, and, to the necessary extent, information on movement within the monitored area.
For reasons of property protection and overall security, detailed information regarding the exact placement of cameras is not publicly available. Monitored areas are marked with information signs.

Recordings are stored in secure storage systems for a maximum of 7 days and are subsequently overwritten in loops, unless a longer retention period is necessary to protect our legitimate interests (e.g. for Police of the Czech Republic investigations, clarification of incidents, etc.).
Access to the data is restricted to a limited group of authorised employees and an external company providing site security. In case of an incident, the recipients of the data may also include public authorities, insurance companies and their intermediaries.

What security measures will be in place for your personal data?

We handle your personal data with due care and in accordance with GDPR and other generally binding legal regulations. We strictly adhere to security measures and protect personal data to the maximum extent corresponding to the technical level of available means. Only employees who have been instructed and trained regarding personal data processing will have access to personal data. Electronic personal data is processed in a secure information system and protected applications. We place great emphasis on cybersecurity.

You have the right to:

1. Access your personal data that we process — you have the right to know what data we process and why;
2. Rectification of your personal data if it is incomplete or inaccurate;
3. Erasure of your personal data, or restriction of its processing, if we no longer have a legal basis for processing;
4. Object to processing based on our legitimate interest;
5. Data portability to another controller;
6. Withdraw consent, if the processing is based on your consent, without any additional costs or consequences. Withdrawal of consent does not affect the lawfulness of processing based on the consent before its withdrawal.

Sharing of personal data with third parties

We generally do not disclose personal data to third parties. Exceptions apply where the obligation arises from legal regulations (particularly in relation to state authorities) or in relation to external service providers (e.g. site security, brokerage services, insurance), who receive only the minimum necessary data and are contractually obliged to ensure adequate protection and security of the personal data.

We do not intend to transfer personal data to third-world countries or international organizations outside the EU. If such a transfer becomes necessary, we will comply with GDPR requirements and inform you in advance, or request your explicit consent where appropriate.

We do not engage in automated decision-making.

Your personal data will not be used for decision-making based solely on automated processing nor for profiling.

How long do we retain personal data?

Personal data is stored only for the period necessary to fulfil the purpose for which it was processed and further only for the period necessary to protect our legitimate interests, particularly for exercising or defending our legal claims. This period typically does not exceed 3 years from the last contact with you. In some cases, the period may be longer, depending on statutory archiving obligations under applicable legislation (e.g. the Archives Act, Accounting Act, etc.).

You can contact us at any time.

Contact us anytime at gdpr@ostroj.cz, or use other contact details listed above. We will process your request promptly; however, you may be asked to provide additional information. Under certain conditions, a request may be subject to a fee, particularly if it is manifestly unfounded or excessive, especially due to its repetitive character.

You have the right to file a complaint with the supervisory authority.

Contact details for the supervisory authority: The Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7., www.uoou.cz