Public notice on personal data protection
This Policy has been developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), and on the basis of the requirements of Act No. 110/2019 Sb., the Personal Data Processing Act, and Act No. 480/2004 Sb., the Act on certain Information Society Services and on Amendments to some Acts (Certain Information Society Services Act). The aim of this Policy is to provide everyone with the basic information regarding the processing of personal data, their protection and the manner of processing.
Definition of the terms used in this public notification on personal data protection:
- "personal data" – any information that may identify you now or anytime in future;
- "processing" – any operation which is performed on your personal data such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "consent" – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- "controller" – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- "processor" – a natural or legal person, public authority, agency or other body which processes personal data for us;
- "recipient" – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
We would like to inform you by this document how we handle your personal data and assure you that your personal data are the most valuable thing we protect all the time. Our employees handle your personal data in accordance with the applicable legal regulations of the Czech Republic and the European Union. Our IT systems and processes are regularly inspected by the company's internal security processes so that we always work with your personal data in the best and most secure way. We are aware that your personal data that you have entrusted to us in order to provide you with our service are not our property, and we value your trust. In the event that we would like to use your personal data for purposes other than those listed here, we shall inform you in a proper manner prior to starting such processing. Without your knowledge, we shall never do so, even if we have a relevant, so-called legal title.
Who are we and who can access your personal information?
We would like to be sufficiently transparent in respect of you when processing your personal data, and therefore we shall always inform you who can access and process your personal data and contact you for the purposes listed below. For the Czech Republic, the controller of your personal data is KPCS CZ s.r.o., Kubánské náměstí 1391/11, Praha 10, 100 00.
We use external processors mainly for storing, backup and transfer of your personal data, and you can find a list of these processors (partners) below, or you have the right to request a complete list of processors. These processors are contractually secured, including a non-disclosure agreement and, if the relationship with them so requires, also by processing agreements in which they declare the adoption of appropriate security measures.
We store, back up, and transfer your personal data using our processors. Our processors provide us with internal systems and storage with maximum protection. This concerns mainly Microsoft in its global representation, where your data is located exclusively in the countries of the European Union, as well as the data center providers where we have our servers stored:
- SuperNetwork s.r.o., Bilejova 407, 463 03 Stráž nad Nisou locating servers in DATACENTRUM TTC, Tiskařská 10, 108 00 Praha 10
- SITEL, spol. s r.o., Nad Elektrárnou 1526/45, 106 00 Praha 10 - Slatiny locating servers at CE Colo, address Praha 10, Nad elektrárnou 1428/47
We chose these companies because they meet the highest security standards available in the Czech Republic (meeting the Tier3 standard granted for data centres).
Some situations require us to involve external co-operators (self-employed persons) in the processing of your personal data, who need to comply with the same conditions as other processors.
We never proactively transfer or disclose your personal data. Your personal data remains completely secure with us. Should we need to transfer your personal data to another recipient, we will inform you of this fact and will not transfer your data without your knowledge.
For the avoidance of doubt, KPCS Consulting LLC, 209 Surrey St., 89074 Henderson, NV, USA does not have access to your personal data.
What happens if you do not provide us with your personal data? In most cases, we will not be able to enter into a contract with you and / or provide you with our services thereunder. If we need to obtain consent from you for the processing of your personal data for some processing, then the non-granting of this consent will not affect the use of our services by you.
Your personal data is safe with us, which is why we want to inform you how we protect it
The personal data you entrust to us are under our constant physical, electronic and procedural control. We have modern control, technical and security mechanisms in place to ensure the maximum possible protection of the processed data against unauthorized access or transmission, against their loss or destruction, as well as against other possible misuses. All the persons who come into contact with your personal data in the course of performing their work or contractual obligations are bound by a legal or contractual non-disclosure obligation. Our security solutions meet high standards, especially with regard to data encryption during transmission and storage, access protection, multi-factor verification or complete audit supervision, controlled by the ATOM ONE service, which we designed and developed internally. We focus primarily on Microsoft products and services, and therefore we use all the tools available to our largest partner for automated security incident detection.
To assure you that your personal data are safe with us, we list some selected tools that we use to protect your data.
- Customer LockBox, due to which we have full control of access of the Microsoft employees and Microsoft processors according to the Microsoft Online Service Terms. Their access is possible only after an express approval by our company.
- Security and Compliance in Office 365, due to which we monitor spam, detect ransomware or settle your requests to exercise your rights
- eDiscovery, Advanced eDiscovery, due to which we can very quickly find all data sources that contain your personal data
- Office 365 ATP, Azure ATP and Windows Defender ATP, due to which we prevent the occurrence of security incidents and automatically check all the e-mail messages and their attachments for any malicious code, such as ransomware
- Threat Intelligence, due to which we test our users against the opening of malware that may be hidden in the e-mails
- Azure Information Protection, due to which we encrypt selected important documents both internally and externally. We also apply the validity period of each document to selected documents so that it cannot be misused.
- SharePoint Information Rights Management, due to which we protect content when it is copied from our document repository
- Azure Security Center, Audit Log and ATOM ONE built on the Log Analytics platform, due to which we know about the attack before the attacker has the opportunity to penetrate inside or prevent the use of our services
- BitLocker, versioning of the documents, regular backups, monitoring, etc. are a matter of course for us today and an integral part of every server and every workstation that works with our or your personal data.
Although the processing of your personal data is only a related ancillary activity for us, we would like to inform you that we carry out all the processing in a lawful manner.
In order to provide you with our service, we need to work with your personal data, and therefore we use the contractual terms and conditions between you and KPCS CZ s.r.o. for most of the processing we carry out, even if it is only an order of our services, which you have done through the website:
- ATOM ONE - https://www.atomone.net/en/
However, we may have some data beyond our obligations and for such we shall always obtain consent from you, which you can grant freely and which shall not restrict you in using the services we offer. The legal regulations also impose certain obligations on us, which we must meet, and that is why we also process data about you required by the legal regulations of the Czech Republic.
ATOM ONE Service
For what purposes and what personal data do we process about you?
Creation of your account to access the service
- Microsoft ID, LiveID, name, surname, telephone contact, e-mail address, address, payments for services, identification number, tax number
Management of your supervisory environment
- Usernames, computer names, IP addresses, MAC addresses, visited websites, times of login to systems, applications used on servers and computers, login to internal web applications
Providing support and making changes to the service
- Name, surname, contact telephone number of the notifier, but also contact telephone number of other data subjects, if required by the request
Invoicing for services and licenses provided by us
- Name, surname, address, payments for services, identification number, tax number
Marketing and sending of commercial communications
- E-mail addresses
Processing of receivables arising from the operation of the service
- Name, surname, address, payments for services, identification number, tax number
Who may access your personal data (processors or third parties)?
We also use processors or third parties, which are the following companies
- Microsoft in the global representation
- External co-operators (self-employed persons)
Where can your personal data (data transfers) occur?
Under certain circumstances (such as service outages or load balancing), your data may be relocated beyond the borders of the European Economic Area (EEA). In order to protect your personal data, our processor, Microsoft, uses in particular the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, which secure the data transfer between the European Union and the US, and between the territory of Switzerland and the US.
Why can we carry out this processing (legal title)?
Based on the consent to the personal data processing | For the performance of the contract | For the compliance with a legal obligation |
---|---|---|
Direct marketing and sending of commercial communications | Creation of your account to access the service | Invoicing for services and licenses provided by us |
 | Management of your supervisory environment | Processing of receivables arising from the operation of the service |
How long shall we retain your personal data (retention period)?
We shall not have your personal data forever, but only for the period strictly necessary. Depending on the plan you select during your order, this can range from 31 days to 730 days, and we shall have all the information about your payments for the duration of the contractual relationship and for as long as it is prescribed by the applicable legal regulations of the Czech Republic.
Where did we obtain your personal data (source of acquisition)?
- You disclosed your personal data to us yourself when ordering the service we provide. However, we may access personal data that are not provided directly by you, but that are recorded in the systems automatically when your user (employee, contractor, supplier employee, etc.) performs any activity on the device that is connected to our service. However, it is not in our power to contact each individual user, and it is therefore your responsibility to inform all of your users that the above-mentioned processing of personal data takes place.
- We may also have your personal data from our partners who have been and are obliged to inform you about the transfer of your personal data to us, and we shall always inform you if we obtain your personal data from a source other than directly from you, at the latest before the processing, and not more than 1 month from their receipt.
Business activities and their internal processing
For what purposes and what personal data do we process about you?
Management of the contractual relationship and performance of the subject-matter of the contract at single deliveries
- Name, surname, telephone contact, e-mail address, address, identification number, tax number
Management of the contractual relationship and performance of the subject-matter of the contract when providing long-term framework support services
- Name, surname, telephone contact, e-mail address, address, payments for services, identification number, tax number
Establishment and subsequent management of the access data entrusted by you
- Name and surname of the contact persons from your company
- Access data, access secrets, passwords, and security codes
Documentation of your ICT environment
- Name and surname of the contact persons from your company
Communication between us in relation to the performance of the subject-matter of the contract
- Name and surname of the contact persons from your company
- All information occurring mainly in the e-mail messages related to the subject-matter of the contract
Invoicing for services and licenses provided by us
- In particular, name, surname, address, payments for services, identification number, tax number and other data prescribed by the law
Processing of receivables arising from the operation of the service
- In particular, name, surname, address, payments for services, identification number, tax number and other data prescribed by the law
Who may access your personal data (processors or third parties)?
We also use processors or third parties, which are the following companies
- Microsoft in global representation, only under our constant control
- External co-operators (self-employed persons) bound by a processing contract or a non-disclosure agreement
Where can your personal data (data transfers) occur?
Under certain circumstances (such as service outages or load balancing), your data may be relocated beyond the borders of the European Economic Area (EEA). In order to protect your personal data, our processor, Microsoft, uses in particular the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, which secure the data transfer between the European Union and the US, and between the territory of Switzerland and the US.
Why can we carry out this processing (legal title)?
Based on the consent to the personal data processing | For the performance of the contract | For the compliance with a legal obligation |
---|---|---|
We do not require your consent | Management of the contractual relationship and performance of the subject-matter of the contract at single deliveries | Invoicing for services and licenses provided by us |
 | Management of the contractual relationship and performance of the subject-matter of the contract when providing long-term framework support services | Processing of receivables arising from the operation of the service |
 | Establishment and subsequent management of the access data entrusted by you | |
 | Documentation of your ICT environment | |
 | Communication between us in relation to the performance of the subject-matter of the contract | |
How long shall we retain your personal data (retention period)?
We shall not have your personal data forever, but only for the period strictly necessary. Your personal data shall be stored in the information system for a maximum period of three months as of the termination of the contractual relationship between us and you or for the duration of the warranties, whichever is longer. We will also store some personal data in accordance with the applicable legal regulations of the Czech Republic.
Where did we obtain your personal data (source of acquisition)?
- You have disclosed your personal data to us in response to our offers of cooperation or as part of a contractual relationship.
- We may also have your personal data from our partners who have been and are obliged to inform you about the transfer of your personal data to us, and we shall always inform you if we obtain your personal data from a source other than directly from you, at the latest before processing, and not more than 1 month from their receipt.
Marketing and Public Relations (PR) activities
For what purposes and what personal data do we process about you?
Direct marketing
- Name, surname, telephone contact, e-mail address, title/position, employer
Sending of news related to the subject-matter of our or partner's business activity
- Name, surname, telephone contact, e-mail address, title/position, employer
Organizing events for those who are interested (conferences, lectures, webinars, seminars, webcasts, podcasts, etc.)
- Name, surname, telephone contact, e-mail address, title/position, employer, signature
Photographing and recording audio and video of our or partner events
- Name, surname, telephone contact, e-mail address, address, employer
- Documentary group photograph, if applicable
Giving you presents for your anniversaries
- Name, surname, date of birth
Organizing competitions
- Name, surname, date of birth, telephone contact, e-mail address, signature
Who may access your personal data (processors or third parties)?
We also use processors or third parties, which are the following companies
- External partners (self-employed persons) bound by a processing contract or a non-disclosure agreement
- Agencies that address you on behalf of us, bound by the processing contract or a non-disclosure agreement
- Agencies that organize events for us, bound by the processing contract or a non-disclosure agreement
Where can your personal data (data transfers) occur?
Under certain circumstances (such as service outages or load balancing), your data may be relocated beyond the borders of the European Economic Area (EEA). In order to protect your personal data, our processor, Microsoft, uses in particular the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, which secure the data transfer between the European Union and the US, and between the territory of Switzerland and the US.
Why can we carry out this processing (legal title)?
Based on the consent to the personal data processing | For our legitimate interests |
---|---|
Direct marketing | Photographing and recording audio and video of our or partner events |
Sending of news related to the subject-matter of our or partner's business activity | |
Organizing events for those who are interested (conferences, lectures, webinars, seminars, webcasts, podcasts, etc.) | |
Giving you presents for your anniversaries | |
Organizing competitions | |
How long shall we retain your personal data (retention period)?
- If you consent to the retention of information from your CV, then we shall retain this information for a maximum of 1 year from the granting of the consent or until the withdrawal of the consent by you.
- If we use legitimate interests, then your personal data shall only be processed for the period strictly necessary. However, as these include photographs or audio or video recordings used exclusively for PR and Marketing purposes, their ultimate deletion cannot be guaranteed, as these photographs may be shared on the Internet without the possibility of retrospective checking and thus their deletion from all the places where they may occur cannot be secured. If you do not agree to be photographed or to make audio or video recordings of our event, then you are obliged to inform the event organizer or company representative, whose contact is listed below in this document, about this fact. This person shall then ensure that your personal data are not processed during the event.
Where did we obtain your personal data (source of acquisition)?
- You have disclosed your personal data to us as part of a contractual relationship, in response to our offers for cooperation or as part of registration for our events, or we have obtained it from a third party to whom you have given your consent for the transfer of your personal data to us.
- We may also have your personal data from our partners who have been and are obliged to inform you about the transfer of your personal data to us, and we shall always inform you if we obtain your personal data from a source other than directly from you, at the latest before processing, and not more than 1 month from their receipt.
Sometimes we also process your personal data on behalf of the controller
Although it is not our obligation under the GDPR Regulation to inform you about the processing of personal data as a processor (usually a supplier for the controller), we would like to inform you in a transparent manner about the processing of your personal data.
These include in particular other services than those we provide to our customers and they are the following:
- Providing consultations and services related to the successful implementation of the GDPR Regulation rules, ISO27xxx standards or laws such as the Act on Cyber Security
- Provision of health checks of IT systems, sometimes also in connection with Article 32 of the GDPR Regulation
- Provision of VPN services or AP as a Service, where we provide you with secure access to your environment as a service
- Providing full or partial outsourcing services for your environment
- Providing the implementation of any IT services that are determined within your demand
Depending on the service provided, its scope, method of performance and complexity of the solution, we may become acquainted with a considerable amount of personal data, in particular personal data of your employees, partners, external co-operators, etc., and therefore it is now not possible to define this scope, but you shall always get acquainted therewith before starting the project itself. A respective contract is concluded between us and you for any such processing, by which we are bound to protect all the personal data processed by us.
You have your rights in relation to us, so do not hesitate to contact us at any time
If you do not agree with the processing we perform or you want to contact us with only a question, you may contact us at any time. You can contact us with confidence, and after proving your identity, you shall be allowed to withdraw your consent free of charge, or you can exercise your rights, which are inherent in the applicable legal regulations of the Czech Republic.
Right of access | We will provide you with information about what we have done with your personal data during their lifetime in our company, including the copy of the personal data you have sent. However, we cannot give you all the information, especially such that would violate our intellectual property or infringe the privacy of others. |
---|---|
Right to be forgotten | We shall delete or anonymize your personal data that you have provided to us or that we have obtained through our activities. |
Right to restriction of processing | If you object to the processing we perform, then we shall restrict the processing performed by us during the period of validity of the objection. A similar situation will occur if you consider that we are processing out-of-date data, then we shall restrict the processing until such personal data is up to date. Where applicable, this may also happen automatically if any of the processing becomes unlawful or a breach of your privacy is threatening. |
Right to object to the processing | You have the right to object to the processing we perform within direct marketing. The same applies, where applicable, if you consider that the processing we perform, which is carried out on the basis of a legitimate interest, interferes too much with your privacy. |
Right not to be subject to automated decision-making, including profiling | We do not currently carry out any automated decision-making, including profiling, and for this reason we cannot guarantee the exercise of this right. |
Right to data portability | We will be happy to provide you with a copy of the personal data you provided to us, in a machine-readable format, in order to ensure the possibility of their transfer to another company. However, we cannot give you all the information, especially such that would violate our intellectual property or infringe the privacy of others. |
To exercise your rights, you can contact an employee authorized by us, who is responsible for the performance of our obligations in accordance with the applicable legal regulations of the Czech Republic, whose name is Daniel Hejda, by e-mail at privacy@kpcs.cz or on the central telephone number +420 778 411 744, on weekdays from 9:00 to 17:00. You can also visit us at the above-mentioned address, and we will be happy to arrange everything for you while you wait directly at the company's branch. Please note that exercising your rights may in certain situations be charged, provided that we have determined that you already have the information or that the number of your requests will be disproportionately high given the time you are applying for your rights.
If we obtain information from a source other than from you, then we shall inform you of this fact, and you may exercise your rights. We shall provide you with the information no later than one month from the moment we receive this information about you, but always before the start of the processing itself. We want to assure you that no processing shall begin until you are notified.
We do not have your personal data forever. How long shall we retain your personal data?
We shall not keep record of your personal data forever, but only for the period strictly necessary so that we could offer you our services and innovations of the existing ones. In accordance with the principles of our main business activity, your personal data shall be stored in the information system for the period strictly necessary, as set out for each provided service described above in this document. Provided that the law requires us to keep record of the information about you for a longer period of time, we shall have some personal data longer, but if you exercise your rights, we will inform you thereabout.
We always work with up-to-date information.
We regularly update all the personal data we keep record of about you. We do not carry out processing of any incomplete or outdated information, as we are aware that your personal data may change over time, so we shall regularly request you to update your personal data stored with us. We would be very happy if you could help us keep our contact database up to date, so we would greatly appreciate it if you could provide us with information about any changes to your personal data.
Final provisions
All legal relationships arising on the basis or in connection with the processing of personal data are governed by the legal regulations of the Czech Republic, regardless of where the access thereto was made. The Czech courts, which shall apply Czech law, are competent to resolve any disputes arising in connection with the protection of privacy between you and KPCS CZ, s.r.o.
We may and shall regularly update the wording of this Public notification on personal data protection. We shall inform you in advance of any such change here on the website at least 10 days before the change takes effect, in the form of news published on our website.
This Public notification on personal data protection becomes effective on 1 September 2020.