Declaration concerning the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and pursuant to Act No. 110/2019 Coll., on personal data processing, as amended (hereinafter referred to as the “Regulation”)

1. Personal data administrator Progresus invest holding core a.s., Co. ID No.: 13995758, registered offices at Václavské náměstí 2132/47, 110 00 Prague 1, a company incorporated in the commercial register of the Municipal Court in Prague, section B, file 26807 (referred to as the “Administrator”). Pursuant to Art. 12 of the Regulation, the Administrator hereby informs you concerning the processing of your personal data and of your rights in this respect.

2. Extent of personal data processing: personal data is processed to the extent to which such data was provided by the data subject in question in connection with the type of contractual or legal relationship entered into with the Administrator, or personal data collected in another fashion is processed by the Administrator in accordance with applicable legislation or for the purposes of performing the Administrator’s legal obligations.

3. Sources of personal data

1. directly from the data subject (e-mails, telephone calls, website, website contact forms, business cards etc.)

2. publicly accessible registers, lists and records (e.g. commercial register, trade register, land registry etc.) for the purposes of creating accounting documents and checking the accuracy of information

4. Categories of personal data subject to processing

1. address and identification data serving towards unequivocal and unquestionable identification of the data subject (e.g. name, surname, title, and further birth reg. number, date of birth, registered address, Co. ID No., Tax ID No.)  and data facilitating contact with the data subject (contact details – e.g. correspondence address, telephone number, e-mail address and other similar information)

2. relevant information (e.g. bank details)

3. other data essential for performance of contract

4. data provided over and above the requirements of applicable legislation processed on the basis of permission given by the data subject (processing of photographs, use of personal data for the purposes of human resources procedures, for the purposes of sending commercial messages or information etc.)

5. Data subject categories

1. Administrator’s client

2. Administrator’s employee

3. service provider

4. other entity in contractual relationship with the Administrator

5. job applicant

6. Personal data recipient categories – the Administrator does not intend to transfer personal data to non-EU countries, the Administrator is entitled to entrust the processing of personal data to a processor with whom the Administrator has a processing agreement and who provides sufficient guarantee of protection of your personal data. Otherwise, data subjects shall be informed of such transfer in all circumstances. Personal data recipient categories are the following:

1. financial institutions

2. public organisations

3. processor

4. state and other authorities in the event of performing legal obligations as stipulated by applicable legislation

7. Purposes of processing personal data

1. purposes contained in data subject consent (e.g. marketing purposes)  

2. negotiations concerning contractual relationship

3. performance of contract

4. protection of the rights of the Administrator, recipient or other affected persons

5. archiving performed pursuant to legislation

6. selection procedure for advertised job

7. performance of legal obligations on the part of the Administrator

8. protection of the vital interests of the data subject

9. transmission of commercial communications or other information to serve the legitimate interests of the Administrator

8. Personal data processing and protection methods – the processing of personal data is performed by the Administrator. Processing takes place at the commercial premises, branches and headquarters of the Administrator by individual entrusted employees of the Administrator, or else by the processor.  All security regulations for administration and processing of personal data are observed during processing. With this in mind, the Administrator has adopted technical, organisational and legal measures to ensure protection of personal data, specifically measures to prevent unauthorised or random access to personal data, amendment, deletion or loss, unauthorised transmission thereof and any other type of misuse of personal data. All entities to whom personal data may be made accessible respect the right of the data subjects to protection of their privacy and freedoms and are obligated to proceed according to applicable legislation concerning personal data protection.

9. Duration of processing personal data – in accordance with the time limits specified in relevant contracts, information documents and consents, with the time limits prescribed for handling in the case of the legitimate rights of the Administrator or a third party; in applicable legislation such duration is the period essential for performing the rights and obligations arising both from a contractual relationship and that prescribed in applicable legislation.    

10.  Guidance – the Administrator shall process data with the consent of the data subject, with the exception of situations foreseen in the law when processing of personal data does not require the consent of the data subject, in other words when a different legal basis for processing exists. Pursuant to Art. 6(1) of the Regulation, the Administrator may process the following data without the consent of the data subject:

1. processing essential for performance of a contract whose contracting party is the data subject, or for implementing measures adopted before entering into such contract at the request of the data subject,

2. processing essential for performing legal obligations relating to the Administrator,

3. processing essential for protection of vital interests of the data subject or other natural person,

4. processing essential for performance of tasks implemented in the public interest or during execution of tasks required by public authorities with which the Administrator is charged,

5. processing essential for the purposes of the legitimate interests of the Administrator or a third party, with the exception of cases where the interests or the fundamental rights of the data subject demanding protection of personal data have priority over the aforesaid interests.

11.  Rights of the data subject:

1. The data subject is entitled to a confirmation from the Administrator stating whether or not personal data that concerns him/her are being processed. If such data are being processed, the data subject shall be entitled to gain access to such data and to the following information:    

a. the purposes of processing,

b. the categories of the personal data in question,

c. the recipients or categories of recipients who have access to this personal data,

d. the planned duration for which this personal data will be stored, and/or the criteria used to stipulate such duration,  

e. the existence of the right to demand rectification or deletion of personal data relating to the data subject or restriction of the processing thereof, the right to object against the processing thereof,

f. the right to lodge a complaint with a supervising authority,

g.  all available information about the source of personal data if such data was not obtained from the data subject,

h. whether automated decision-making is occurring, including profiling.

2. In return for provision of the information listed under item a), the Administrator is entitled to request adequate payment not exceeding the essential costs for providing such information for the second and any subsequent copies thereof to cover the administrative costs incurred for such additional provision of information.

12.  Each data subject who discovers or believes that the Administrator is performing processing of his/her personal data contrary to the principles of protection of the private and personal life of the data subject, especially in the case of personal data that is imprecise with regard to the purpose of their processing, may:

1. demand an explanation from the Administrator.

2. demand that the Administrator rectify such an arisen situation; rectification may involve the blocking, correction, addition to or deletion of such personal data.

If a request by the data subject pursuant to par. 11, item b) is seen to be justified, the Administrator shall rectify the undesirable situation without undue delay. Should the Administrator fail to comply with the data subject’s request pursuant to par. 11, item b), the data subject is entitled to contact the relevant supervisory authority, i.e. the Office for Personal Data Protection, directly. Procedure pursuant to par. 11, item b) does not preclude the data subject from sending his/her complaint directly to the supervisory authority.

1. The data subject is entitled at any time to revoke his/her consent to the processing of his/her personal data that he/she granted to the Administrator.

2. The right of the data subject to demand rectification or deletion of personal data relating to the data subject or restriction of the processing thereof, the right to lodge a complaint against processing and the right to portability of such data, if technically feasible.

In Prague, 9 June 2023