Personal Data Protection Statement (GDPR)

PERSONAL DATA PROTECTION STATEMENT

The aim of this document is to provide data subjects with comprehensive information on the processing of their data by the law firm Advokátní kancelář Vych & Partners, s.r.o. (hereinafter as "law firm"), according to respective law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter as "General Data Protection Regulation" or simply "GDPR"). Our goal is to inform you about what personal data, for which purpose and in what way we process, to whom we provide access to your personal data as well as about your legal rights regarding processing of your personal data by our Law Firm.

Definition of basic terms

Words and terms used in this statement shall have the specific meaning as assigned to them by respective law:

Personal data	any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data subject	natural person whose personal data we process, thus particularly our clients, associate lawyers, employees, suppliers and other subjects
Processing of personal data	any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Controller	natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and is responsible for such processing; for the purpose of this statement the controller in connection with processing personal data of subjects stated herein is the Law Firm
Container	natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not
Processor	natural or legal person, public authority, agency or other body which processes personal data on behalf and according to instructions of the Law Firm
CONSENT	any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Special categories of personal data	personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
Office for Personal Data Protection	Czech Office for Personal Data Protection, with seat at Pplk. Sochora 27, Prague 7, zip code: 170 00, phone number +420 234 665 111, e-mail: posta@uoou.cz

Examples of personal data processing

Law Firm processes personal data of data subjects in connection with:

Provision of legal services to clients
cooperation with associate lawyers
recruitment of new employees and employment of existing employees
browsing our website
sending newsletters concerning legal matters
procurement of goods and services from our suppliers

Categories of personal data

Personal data generally processed by our Law Firm include (following list is demonstrative only and does not exclude processing of also other personal data which you provide to us):

Identification data: academic title, name, surname, date of birth and, depending on circumstances, also others (eg occupation, ID number, passport number, company ID number, VAT number, bank account number, etc.)

Contact details: home address, work address, telephone number, email address, data box ID

Photos: in connection to individual clients as a part of the evidence material, in connection to associate lawyers and employees photos on the website of the Law Firm

Sensitive data: depending on the nature of a particular case we may also process sensitive data of clients, associate lawyers or employees (eg data such as union membership or health status)

Criminal conduct data: we process this type of personal data in connection to some clients depending on the nature of a particular case (eg criminal records, data in the criminal file)

Data from cookies in connection with browsing of our website: eg selected language, standard website traffic tracking. The Law Firm does not process IP address, visitors' location, etc.

Other data from persons interested in cooperation with our Law Firm in connection with the provision of our legal services or from job applicants: data in the CV, motivation letter, employment certificate or recommendation from the former employer

Other data about employees: all data associated with a job performance in the Law Firm (eg type of work, occupation, work results and performance, salary information, information on social and health insurance, etc.)

Purposes and legal basis for processing of personal data

Law Firm processes the above-mentioned personal data for the following purposes relying on the below mentioned legal basis (for the sake of clarity, individual purposes and legal basis for the processing are stated in connection to respective category of processed personal data. Purposes and legal basis for processing may also overlap in some cases):

Categories of personal data	Purpose(s) of processing	Legal basis for processing
Identification data	· identification and evidence of clients, associates, employees, suppliers and other subjects	· conclusion and performance of contract (for the provision of legal services, cooperation agreement, employment contract or other contract) compliance with legal obligations (eg pursuant to Act No. 85/1996 Coll., on Advocacy and Act No. 253/2008 Coll., on Certain Measures Against the Legalization of Proceeds from Crime)
Contact details	· communication with data subjects · sending newsletters to clients	· conclusion and performance of contract · legitimate interest
Photographs	· exercise or defense of legal claims of clients (eg need to present clients' photographs as evidence) · marketing purposes (photographs of associates and employees on our website)	· performance of contract on provision of legal services · compliance with legal obligations (in case of appointment as a defense attorney, guardian, etc., without entering into contract on provision of legal services) · consent of associates and employees
Sensitive data	· exercise or defense of legal claims of clients · protection of the health of employees and ensuring a safe working environment	· exercise or defense of legal claims · carrying out obligations and exercising specific rights in the field of employment and social security and social protection law · protection of vital interests of data subject where the data subject is physically or legally incapable of giving consent
Criminal conduct data	· exercise or defense of legal claims of clients	· exercise or defense of legal claims
Data from cookies on websites	· tracking of website traffic or customizing the website resolution	· legitimate interest in the proper functioning of the website
Other data from job applicants or potential associates	· assessing the quality and ability to perform an agreed type of activity or work	· conclusion and performance of cooperation agreement or employment contract · exercise or defense of legal claims · consent (in case of keeping data of the unsuccessful applicant for the purpose of potential future cooperation)
Other data of employees	· evidence of employment agenda · assessment and evaluation of work performance · fulfillment of rights and obligations as an employer	· performance of employment contract · compliance with obligations of the employer imposed by applicable law

Data retention period
1. Law Firm processes personal data only for the period necessary for the fulfillment of the purpose for which they have been collected or for the period as stated in the applicable law.
2. Some personal data are retained only for the duration of the contract with the data subject and they are deleted or destroyed after the termination of the contract (eg photographs of associates and employees).
3. Other data are kept for some time after the termination of a particular contract. Law Firm is obliged to respect retention periods as stated in applicable law and certain documents, including personal data therein, must be retained for the specific periods (eg clients' files for the period of 5 years from the termination of provision of legal services, employment documents for the period from 3 to 30 years).
4. Law Firm retains some other documents containing personal information to the extent necessary for exercising and defending its legal claims. These data are usually retained for the duration of prescription periods as stated by respective applicable law (usually from 3 to 15 years).
5. Data from cookies located on our website are retained for a maximum of 13 months.
6. Once the respective retention period is over Law Firm will anonymise or entirely erase personal data from all of its databases and IT systems and shred all the paper documents and destroy all other portable media.

Sources of personal data
1. Law Firm acquires personal data from the following sources:

data subjects
customers
public authorities
counterparties or representatives of counterparties in case of a dispute of a client
publicly accessible sources(public registers, public records or lists, information publicly available on the Internet which the data subject himself publishes)
former employers(eg information stated in the employment certificate or in the recommendation from the former employer, etc.)

Methods of processing personal data
1. Law Firm processes personal data of data subjects in both electronic form using the IT technology as well as manually in paper form. Law Firm has implemented adequate technical and organizational measures to ensure protection of personal data which it processes, mainly measures preventing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, or other misuse of personal data (measures include for example encryption, password security, security software, storage of data in locked cabinets or spaces, access allowed to authorized persons only who need personal data to meet the above mentioned processing purposes). All persons to whom such personal data may be made available respect the privacy rights of data subjects, they are bound by confidentiality obligations, and are required to comply with personal data protection laws. We also require that our data storage providers comply with the relevant industry security standards.
2. Personal data processed by the Law Firm are not subject to automated decision making or profiling.
Categories of recipients of personal data
1. Law Firm may transfer or disclose (only selected) personal data of data subjects to the following recipients:

Public authorities(eg courts, administrative bodies, criminal authorities) in cases as stated by applicable laws
Other subjects if necessary for the protection of legal rights(eg insurance companies in connection with insurance claims)
Providers of services necessary for the running of our Law Firm(eg accounting and tax advisors, providers of IT services, translation agencies, etc.). For these purposes, we select only trusted entities that are contractually bound by the confidentiality obligation in relation to handling of personal data, as well as other obligations to protect personal data within the meaning of applicable laws.

Rights of data subjects in connection with processing of their personal data by the Law Firm
1. Data subjects have the following rights in connection with processing of their personal data by Law Firm:

Right of access to personal data: Data subject shall have access to all of his/her personal data processed by the Law firm. Upon request of the data subject, the Law Firm will provide copies of all personal data in structured form within one month from such request, provided that provision of data will not adversely affect rights or freedoms of other persons (it is therefore not possible to provide access in all cases to all information, especially in connection with data which are subject to trade secrets, intellectual property, copyrights, know-how of the Law Firm or third parties – eg software providers, even though they are related to the processing of personal data of the data subject, who has made a request to access these personal data). If the request is made in electronic form, data will be provided in the standard electronic form, unless the data subject requests a different form of providing data.

Right to rectification of inaccurate personal data and completion of incomplete personal data: Upon request or information from the data subject, the Law Firm will rectify or update inaccurate/outdated personal data, without undue delay.

Right to erasure ("Right to be forgotten"): Personal data of data subjects will be erased without any undue delay subject to fulfillment of one or more of the following conditions:

personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
data subject withdraws consent on which the processing is based and there is no other legal ground for the processing
data subject objects to the processing and there are no overriding legitimate grounds for the processing
personal data have been unlawfully processed
personal data have to be erased for compliance with a legal obligation under EU law or Czech law
personal data have been collected in relation to the offer of information society services (eg trough contact form on website)

Personal data cannot be erased if their processing is necessary for the fulfillment of legal obligations or exercising or defending legal claims.

Right to withdraw consent: Personal data shall not be further processed if the data subject withdraws his/her consent with processing and there is no other legal basis for their processing.

Right to restriction of processing: Processing of personal data of data subject shall be restricted in the following cases:

accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
Law Firm no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims
data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject

Restriction of processing means that while the data are still stored, they cannot be otherwise processed until the restriction can be terminated. Therefore, if processing of personal data is limited, such personal data will be processed only with consent of the data subject or for the purpose of enforcing or defending legal claims, for the protection of the rights of another natural or legal person or for reasons of overriding public interest. The Law Firm shall inform data subject in advance about termination of restriction on processing of their personal data.

Right to data portability: subject to the request of the data subject and technical feasibility, the Law Firm shall transmit personal data to another controller in a structured, commonly used and machine-readable format.

Right to object: provided that purpose of processing is legitimate interest of the Law Firm and data subject will raise objection against such processing, the personal data shall no longer be processed unless there exist compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject , or for the establishment, exercise or defense of legal claims.

Filing and complaint: data subject is entitled to file a complaint to the Office for Personal Data Protection in connection with processing of his/her personal data by the Law Firm.

Data subjects may exercise the above-mentioned rights against the Law Firm using the request form available for download here. Requests may be sent via email to email address: office@ak-vych.cz or via post to address:

Advokátní kancelář Vych & Partners, s.r.o.
Lazarská 11/6
120 00 Prague 2 – New Town

Final provisions

All corrections, erasures or restrictions of processing will be notified to respective processors of the Law Firm except when it proves non-feasible or will require unreasonable effort.

Upon request of the data subject the Law Firm will disclose the individual recipients of his/her personal data, to whom the Law Firm transfers their data.

This information will be regularly updated.

Last update on October 1, 2022

Advokátní kancelář Vych & Partners, s.r.o.