INFORMATION ON PERSONAL DATA PROCESSING

This document describes the method of processing personal data, as performed by Česká centrála cestovního ruchu – CzechTourism (hereinafter “CzechTourism”), an allowance organisation of the Ministry for Regional Development of the Czech Republic, while being aware of the importance of protecting your personal data.
CzechTourism, which can be contacted at the following address, is the controller of your personal data:
 
Česká centrála cestovního ruchu – CzechTourism
Štěpánská 567/15
120 00 Prague 2
Company ID: 49277600
data box: yr9mzxx
 
When processing personal data, CzechTourism proceeds according to the valid legal regulation, namely in compliance with:

• Directive of the European Parliament and Council No. 2016/679 of 27 April 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR);
• Act No. 110/2019 Coll., on personal data processing;
• Resolution of the Presidium of the Czech National Council No. 2/1993 Coll., on the promulgation of the Charter of Fundamental Rights and Freedoms as a part of the constitutional order of the Czech Republic; and
• Other legal regulations concerning the individual areas of labour law, accounting, financial law, etc.

 
For better orientation, there are several basic terms you may come across in the text below:
Personal data – all information about the identified or identifiable person (name, surname, date of birth, e-mail, telephone number, other elements of physical, physiological, mental, economic, cultural and social identity).
Data subject – an individual whose personal data is processed (legal entities such as business corporations or other organisations do not have personal data).
Processing – any operation with personal data performed with or without the use of automated procedures (collecting, recording, sorting, storing, searching, using, copying, etc.).
Controller – CzechTourism as the subject who has determined the purpose and means of personal data processing.
Processor – an individual or a legal entity, a public authority, agency, or another subject that processes personal data for the controller.
Recipient – an individual or a legal entity, a public authority, agency, or another subject who is provided personal data.
Profiling – any form of automated personal data processing consisting in its use for the assessment of some personal aspects related to the individual (work performance, economic situation, state of health, personal preferences, interests, behaviour, etc.).
 
When processing your personal data, CzechTourism adheres to the principles defined by legal regulations, and therefore:

• processes personal data in a correct, legal and transparent manner;
• only collects personal data for a purpose that is specific, legitimate and explicitly defined;
• only processes personal data to an extent necessary for the fulfilment of the defined purpose;
• personal data is only kept for a period that is strictly necessary or for a legally stipulated period; and
• personal data is secured in a manner that prevents their unauthorised, illegal processing, misuse, destruction, loss or damage.

 
CzechTourism never processes your personal data just because it wants or can, but always for a precisely set and defined purpose, i.e.:

1. to meet its legal obligations (such as those stipulated by the act on public procurement, act on accounting, act on archiving and records management, and on amendments of certain other acts, etc.);
2. to fulfil tasks in the public interest or to exercise public authority (e.g., answering queries, complaints and other public filings);
3. to conclude and fulfil contractual relations (e.g., supplier contracts);
4. for the purpose of its authorised interests (such as property protection through technical components of security, protection of expended financial resources, etc.);
5. based on the consent with personal data processing (e.g., publishing photographs of employees on the website, arranging participation in competitions, workshops and other events organised by the agency).

 
The individual categories of your personal data are processed in relation to the individual purposes of processing:

• address and identification data – name, surname, address, login information, etc.;
• descriptive data – about education, language skills, participation in events organised by the agency;

• special data category – such as data on the health status of employees; and
• data about other persons – such as employee relatives.

 
The personal data is only provided to other recipients when it is necessary to fulfil the aforesaid purposes, to protect and exercise the rights and interests of CzechTourism and in compliance with related regulations. Such recipients mostly include suppliers of IT services, providers of wage and accounting services, external consultants, cooperating law firms, co-organisers of events for the public and training. Other recipients include authorities active in criminal proceedings, courts, the Czech Police, etc.
 
CzechTourism may only process your personal data for a period required or permitted by the law, and for the period you have granted us consent with its processing, or until the moment you withdraw your consent.
 
CzechTourism approaches the processing responsibly and therefore your personal data is secured accordingly. Appropriate technical, physical and organisational measures are taken to secure personal data. Access to personal data is restricted to authorised recipients. Extra attention is paid to IT security and it is regularly revised.
All persons who encounter personal data by virtue of their job position (or within contractually accepted obligations) are trained and bound by the confidentiality obligation.
 
You may also exercise your data subject rights in relation to personal data processing:

• to access the personal data;
• to correct or update your inaccurate or out of date personal data;
• to erasure if the data is processed in contradiction to the protection defined in respective legislation or in contradiction with the granted consent, or when the consent has been withdrawn;
• to restrict processing;
• to raise an objection against processing;
• to data transferability;
• to address the controller when the data is processed based on consent, also for the purpose of withdrawing the consent with personal data processing;
• to file a complaint with the supervisory authority, which is the Office for Personal Data Protection, with its registered seat at Pplk. Sochora 27, 170 00 Prague 7, e‑mail: posta@uoou.cz, data box ID: qkbaa2n. 

 
You may exercise your rights with CzechTourism as the controller of your personal data, either by post or electronic communication at privacy@czechtourism.cz.
 
This information on personal data processing takes effect on 8 December 2020.