The Controller ABPLAST s.r.o., ID No.: 27531813, with its registered office at No. 421, 569 56 Čistá, registered in the Commercial Register maintained by the Regional Court in Hradec Králové, file No. C 24433 (hereinafter referred to as the “Controller”), hereby, on the basis of Act No. 110/2019 Coll., on the Processing of Personal Data, as amended (hereinafter referred to as the “Act”), and also in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”), informs data subjects about the processing of personal data which it may process about them.

Controller Contact Details

The Controller can be contacted either in writing at the registered office address or electronically:

1. by e-mail at: info@abplast.cz
2. via data mailbox: zt4iwea

The Controller is entitled to request proof of identity of the contacting person for the purpose of ensuring personal data protection; for the same reason, all communication between the Controller and the contacting person may be monitored.

Processed Data and Scope of Processing

The Controller will process the provided personal data in accordance with the Act and the Regulation to the extent in which they were provided to the Controller and only in connection with the purpose of processing (see Section 3).

In particular, this includes the following personal data:

• contact details – e.g. e-mail address, telephone number, bank details, contact address, etc.,
• data provided beyond the scope of applicable legal regulations, processed on the basis of the data subject’s consent to the processing of personal data.

Purpose of Personal Data Processing

Personal data provided to the Controller may be processed for the purpose of:

• performance of a contract concluded between the Controller and the data subject,
• mediation or ensuring the preparation of legal documents necessary for the implementation of a contract between the Controller and the data subject or contractual obligations arising from such contract,
• fulfilment of the Controller’s legal obligations and its legitimate interests,
• communication between the Controller and the data subject, sending newsletters and other commercial communications with updates on the Controller’s activities or activities and events related to the Controller’s services, sending advertising emails, all in written and electronic form (in particular via e-mail, SMS messages, telemarketing) pursuant to Act No. 480/2004 Coll., on certain information society services, as amended,
• offering goods and services of the Controller or other entities whose services or products are related to the Controller’s services,
• other marketing activities of the Controller.

Legal Basis for Personal Data Processing

Personal data are processed by the Controller on the basis of the following legal grounds:

• consent of the data subject,
• necessity of processing personal data for the performance of a contract concluded between the Controller and the data subject, if such contract exists,
• necessity of processing personal data for compliance with a legal obligation applicable to the Controller,
• necessity of processing personal data for the purposes of the legitimate interests of the Controller.

In the case of consent to processing, the provision of such consent is entirely voluntary; there is no legal obligation to provide it and no sanction for not providing it.

Duration of Personal Data Processing

Personal data will be processed for the duration of the contractual relationship and subsequently for a further period of 10 years, or for a period in accordance with applicable legal regulations of the Czech Republic on document archiving (if such period is longer).

Personal data provided to the Controller on the basis of the data subject’s consent will be processed for an indefinite period, until the consent to their processing is withdrawn.

Persons Authorized to Process Personal Data

Personal data are processed by the Controller or, where applicable, by third parties providing means and guarantees of proper and lawful processing of personal data, ensuring the security of personal data and the protection of your rights (hereinafter referred to as “Processors”). Processors will have direct access to your personal data only for the period strictly necessary and only to the extent necessary for the performance of processing. Processors include:

• IT system administrators and software service providers,
• external partners – providers of payroll and accounting services, financial, tax and legal advisory services, etc.

Recipients of Personal Data

The Controller informs that personal data of data subjects may be transferred to third parties on the basis of obligations arising from the law. These third parties include in particular:

• public authorities, administrative authorities, courts, Czech Social Security Administration, health insurance companies.
• external partners – providers of payroll and accounting services, financial, tax and legal advisory services, etc.

Rights of Data Subjects

In relation to personal data subject to processing, the data subject has in particular the following rights:

• the right to be informed about the processing of their personal data,
• the right of access to personal data,
• the right to rectify or supplement personal data,
• the right to erasure of personal data (the “right to be forgotten”),
• the right to request restriction of processing,
• the right to request data portability to another controller,
• the right to object to the processing of your personal data,
• the right not to be subject to automated individual decision-making with legal or similar effects, including profiling,
• the right to be informed of a personal data breach in certain cases,
• other rights set out in the General Regulation.

Consent to the processing of personal data may be withdrawn at any time during the processing period. Withdrawal of consent must be delivered in writing or via electronic communication (e-mail, data mailbox) to the Controller. The effects of withdrawal of consent take effect on the day the withdrawal is delivered to the Controller and do not apply to the processing of personal data that is necessary and carried out on a legal basis other than such consent.

Right to Lodge a Complaint with a Supervisory Authority

If the data subject has doubts about compliance with the principles contained in this document or in the General Regulation, or suspects that the Controller’s activities violate their rights, they have the right to lodge a complaint against the Controller with the competent supervisory authority (Office for Personal Data Protection).

Objections to Personal Data Processing

Objections to the processing of personal data may be raised on the grounds specified in the Act and the Regulation. Where the right to object is exercised, the Controller will no longer process the personal data unless it has a legitimate interest or the processing serves the public interest.

Security of Personal Data

Personal data provided for processing will be secured by security procedures and technologies determined by the Controller for this purpose and assessed as appropriate and adequate.

In the event of a security breach and possible disclosure of personal data, the Controller will promptly inform the data subject as well as the relevant supervisory authority, in accordance with the obligations set out in applicable legal regulations.

Consent granted electronically (in particular by confirmation or “clicking” consent via the internet or another electronic network) is considered explicit, specific and informed consent and is deemed equivalent to written consent.