Personal Data Protection Statement (GDPR)

Personal Data Protection Statement (GDPR)

PERSONAL DATA PROTECTION STATEMENT

The aim of this document is to provide data subjects comprehensive information on processing of their data by law firm Advokátní kancelář Vych & Partners, s.r.o. (hereinafter as „Law Firm“), according to respective law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter as „General Data Protection Regulation“ or simply „GDPR“). Our goal is to inform you about what personal data, for which purpose and in what way we process, to whom we provide access to your personal data as well as about your legal rights regarding processing of your personal data by our Law Firm.

  1. Definition of basic terms

Words and terms used in this statement shall have the specific meaning as assigned to them by respective law:

Personal data

any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Data subject

natural person whose personal data we process, thus particularly our clients, associate lawyers, employees, suppliers and other subjects

Processing of personal data

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Controller

natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and is responsible for such processing; for the purpose of this statement the controller in connection to processing personal data of subjects stated herein is the Law Firm

Recipient

natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not

Processor

natural or legal person, public authority, agency or other body which processes personal data on behalf and according to instructions of the Law Firm

Consent

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Special categories of personal data

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation

Office for Personal Data Protection

Czech Office for Personal Data Protection, with seat at Pplk. Sochora 27, Prague 7, zip code: 170 00, phone number +420 234 665 111, e-mail: posta@uoou.cz

  1. Examples of processing personal data

Law Firm processes personal data of data subjects in connection with:

  • Provision of legal services to clients
  • cooperation with associate lawyers
  • recruitment of new employees and employment of existing employees
  • browsing our web site
  • sending newsletters concerning legal matters
  • procurement of goods and services from our suppliers
  1. Categories of personal data

Personal data generally processed by our Law Firm include (following list is demonstrative only and does not exclude processing of also other personal data which you provide to us):

Identification data: academic title, name, surname, date of birth and, depending on circumstances, also others (e.g. occupation, ID number, passport number, company ID number, VAT number, bank account number, etc.)

Contact details: home address, work address, telephone number, email address, data box ID

Photos: in connection to individual clients as a part of the evidence material, in connection to associate lawyers and employees photos on the website of the Law Firm

Sensitive data: depending on nature of a particular case we may also process sensitive data of clients, associate lawyers or employees (e.g. data such as union membership or health status)

Criminal conduct data: we process this type of personal data in connection to some clients depending on nature of a particular case (e.g. criminal records, data in the criminal file)

Data from cookies in connection with browsing of our web site: e.g. selected language, standard website traffic tracking. The Law Firm does not process IP address, visitors’ location, etc.

Other data from persons interested in cooperation with our Law Firm in connection with provision of our legal services or from job applicants: data in the CV, motivation letter, employment certificate or recommendation from the former employer

Other data about employees: all data associated with a job performance in the Law Firm (e.g. type of work, occupation, work results and performance, salary information, information on social and health insurance, etc.)

  1. Purposes and legal basis for processing of personal data

Law Firm processes the above-mentioned personal data for the following purposes relying on the below mentioned legal basis (for the sake of clarity, individual purposes and legal basis for the processing are stated in connection to respective category of processed personal data. Purposes and legal basis for processing may also overlap in some cases):

Categories of personal data

Purpose(s) of processing

Legal basis for processing

Identification data

·         identification and evidence of clients, associates, employees, suppliers and other subjects

·         conclusion and performance of contract (for the provision of legal services, cooperation agreement, employment contract or other contract)

·         compliance with legal obligations (e.g. pursuant to Act No. 85/1996 Coll., on Advocacy and Act No. 253/2008 Coll., on Certain Measures Against the Legalization of Proceeds from Crime)

Contact details

·         communication with data subjects

·         sending newsletters to clients

·         conclusion and performance of contract

·         legitimate interest

Photographs

·         exercise or defence of legal claims of clients (e.g. need to present clients’ photographs as evidence)

·         marketing purposes (photographs of associates and employees on our website)

·         performance of contract on provision of legal services

·         compliance with legal obligations (in case of appointment as a defence attorney, guardian, etc., without entering into contract on provision of legal services)

·         consent of associates and employees

Sensitive data

·         exercise or defence of legal claims of clients

·         protection of health of employees and ensuring safe working environment

·         exercise or defence of legal claims

·         carrying out obligations and exercising specific rights in the field of employment and social security and social protection law

·         protection of vital interests of data subject where the data subject is physically or legally incapable of giving consent

Criminal conduct data

·         exercise or defence of legal claims of clients

·         exercise or defence of legal claims

Data from cookies on websites

·         tracking of website traffic or customizing the website resolution

·         legitimate interest in the proper functioning of the website

Other data from job applicants or potential associates

·         assessing the quality and ability to perform an agreed type of activity or work

·         conclusion and performance of cooperation agreement or employment contract

·         exercise or defence of legal claims

·         consent (in case of keeping data of the unsuccessful applicant for the purpose of potential future cooperation)

Other data of employees

·         evidence of employment agenda

·         assessment and evaluation of work performance

·         fulfilment of rights and obligations as an employer

·         performance of employment contract

·         compliance with obligations of the employer imposed by applicable law

  1. Data retention period
    1. Law Firm processes personal data only for the period necessary for the fulfilment of the purpose for which they have been collected or for the period as stated in the applicable law.
    2. Some personal data are retained only for the duration of the contract with data subject and they are deleted or destroyed after the termination of the contract (e.g. photographs of associates and employees).
    3. Other data are kept for some time after the termination of a particular contract. Law Firm is obliged to respect retention periods as stated in applicable law and certain documents, including personal data therein, must be retained for the specific periods (e.g. clients’ files for the period of 5 years from the termination of provision of legal services, employment documents for the period from 3 to 30 years).
    4. Law Firm retains some other documents containing personal to the extent necessary for exercising and defending its legal claims. These data are usually retained for the duration of prescription periods as stated by respective applicable law (usually from 3 to 15 years).
    5. Data from cookies located on our website are retained for the maximum of 13 months.
    6. Once the respective retention period is over Law Firm will anonymise or entirely erase personal data from all of its databases and IT systems and shred all the paper documents and destroy all other portable media.

 

  1. Sources of personal data
    1. Law Firm acquires personal data from the following sources:
  • data subjects
  • clients
  • public authorities
  • counterparties or representatives of counterparties in case of a dispute of a client
  • publicly accessible sources(public registers, public records or lists, information publicly available on the Internet which the data subject itself publishes)
  • former employers(e.g. information stated in the employment certificate or in the recommendation from the former employer, etc.)
  1. Methods of processing personal data
    1. Law Firm processes personal data of data subjects in both electronic form using the IT technology as well as manually in paper form. Law Firm has implemented adequate technical and organisational measures to ensure protection of personal data which it processes, mainly measures preventing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, or other misuse of personal data (measures include for example encryption, password security, security software, storage of data in locked cabinets or spaces, access allowed to authorised persons only who need personal data to meet the above mentioned processing purposes). All persons to whom such personal data may be made available respect the privacy rights of data subjects, they are bound by confidentiality obligations, and are required to comply with personal data protection laws. We also require that our data storage providers comply with the relevant industry security standards.
    2. UPersonal data processed by the Law Firm are not subject to automated decision making or profiling.
  2. Categories of recipients of personal data
    1. Law Firm may transfer or disclose (only selected) personal data of data subjects to the following recipients:
  • Public authorities(e.g. courts, administrative bodies, criminal authorities) in cases as stated by applicable laws
  • Other subjects if necessary for the protection of legal rights(e.g. insurance companies in connection with insurance claims)
  • Providers of services necessary for running of our Law Firm(e.g. accounting and tax advisors, providers of IT services, translation agency, etc.). For these purposes, we select only trusted entities that are contractually bound by the confidentiality obligation in relation to handling of personal data, as well as other obligations to protect personal data within the meaning of applicable laws.
  1. Rights of data subjects in connection with processing of their personal data by the Law Firm
    1. Data subjects have the following rights in connection with processing of their personal data by Law Firm:

Right of access to personal data: Data subject shall have access to all of his/her personal data processed by the Law firm. Upon request of the data subject, the Law Firm will provide copies of all personal data in structured form within one month from such request, provided that provision of data will not adversely affect rights or freedoms of other persons (it is therefore not possible to provide access in all cases to all information, especially in connection with data which are subject to trade secrets, intellectual property, copyrights, know-how of the Law Firm or third parties – e.g. software providers, even though they are related to the processing of personal data of the data subject, who has made a request to access these personal data). If request is made in electronic form, data will be provided in the standardly used electronic form, unless data subject requests different form of providing data.

Right to rectification of inaccurate personal data and completion of incomplete personal data: Upon request or information from the data subject the Law Firm will rectify or update inaccurate/outdated personal data, without undue delay.

Right to erasure („Right to be forgotten“): Personal data of data subjects will be erased without any undue delay subject to fulfilment of one or more of the following conditions:

  • personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  • data subject withdraws consent on which the processing is based and there is no other legal ground for the processing
  • data subject objects to the processing and there are no overriding legitimate grounds for the processing
  • personal data have been unlawfully processed
  • personal data have to be erased for compliance with a legal obligation under the EU law or Czech law
  • personal data have been collected in relation to the offer of information society services (e.g. trough contact form on website)

Personal data cannot be erased if their processing is necessary for the fulfilment of legal obligations or exercising or defending legal claims.

Right to withdraw consent: Personal data shall not be further processed if data subject withdraws his/her consent with processing and there exist no other legal basis for their processing.

Right to restriction of processing: Processing of personal data of data subject shall be restricted in the following cases:

  • accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
  • processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  • Law Firm no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
  • data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject

Restriction of processing means that while the data are still stored, they cannot be otherwise processed until the restriction can be terminated. Therefore, if processing of personal data is limited, such personal data will be processed only with consent of the data subject or for the purpose of enforcing or defending legal claims, for the protection of the rights of another natural or legal person or for reasons of overriding public interest. The Law Firm shall inform data subject in advance about termination of restriction on processing of their personal data.

Right to data portability: subject to the request of data subject and technical feasibility, the Law Firm shall transmit personal data to another controller in structured, commonly used and machine-readable format.

Right to object: provided that purpose of processing is legitimate interest of the Law Firm and data subject will raise objection against such processing, the personal data shall no longer be processed unless there exist compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Filing a complaint: data subject is entitled to file a complaint to the Office for Personal Data Protection in connection with processing of his/her personal data by the Law Firm.

Data subjects may exercise the above-mentioned rights against the Law Firm using request form available for download here. Requests may be sent via email to email address: office@ak-vych.cz or via post to address:

Advokátní kancelář Vych & Partners, s.r.o.
Lazarská 11/6
120 00 Praha 2 – Nové město

  1. Final provisions

All corrections, erasures or restrictions of processing will be notified to respective processors of the Law Firm except when it proves non-feasible or will require unreasonable effort.

Upon request of the data subject the Law Firm will disclose the individual recipients of his/her personal data, to whom the Law Firm transfers their data.

This information will be regularly updated.

Last update on October 1, 2022

Advokátní kancelář Vych & Partners, s.r.o.

Contact us