PERSONAL DATA PROCESSING POLICY
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”), the following information is provided to you as data subjects, in particular:
(a) what personal data we collect;
(b) how we handle that data;
(c) on what legal basis we process personal data and for what purposes we use personal data;
(d) to whom we are entitled to disclose that personal data;
(e) what your data protection rights are; and
(f) where you can obtain information about the personal data we process about you.
GRANTEX ADVISORY GROUP is a consultancy group consisting of experts in the field of grant consultancy, accounting and payroll consultancy, tax consultancy and legal services, which includes the following companies that act as data controllers in relation to data subjects.
We are ready to answer any questions you may have by contacting us at: email@example.com or
at the registered office of the company/companies at Tržiště 366/13, Malá Strana (Prague 1), 118 00 Prague.
A) Identity of the administrator (controller)
GRANTEX dotace s.r.o., ID No.: 291 47 832, with registered office at Dělnická 1628/9, Holešovice, 170 00 Prague 7, registered in the Commercial Register maintained by the Municipal Court in Prague under file no. C 204155 (hereinafter referred to as “GRANTEX subsidies“),
GRANTEX management s.r.o., ID No.: 028 34 201, with registered office at Dělnická 1628/9, Holešovice, 170 00 Prague 7, registered in the Commercial Register maintained by the Municipal Court in Prague under file no. C 224476 (hereinafter referred to as “GRANTEX Management“),
GRANTEX accounting s.r.o., ID No.: 054 38 012, with registered office at Dělnická 1628/9, Holešovice, 170 00 Prague 7, registered in the Commercial Register maintained by the Municipal Court in Prague under file no. C 262459 (hereinafter referred to as “GRANTEX accounting“),
GRANTEX legal s.r.o., advokátní kancelář, ID No.: 079 02 158, with registered office at Dělnická 1628/9, Holešovice, 170 00 Prague 7, registered in the Commercial Register maintained by the Municipal Court in Prague under file no. C 309599 (hereinafter referred to as “GRANTEX legal“),
(GRANTEX Grants, GRANTEX Management, GRANTEX Accounting and GRANTEX Legal, hereinafter collectively referred to as “GRANTEX” or “Controller“).
GRANTEX does not have a designated data protection officer. To exercise your rights relating to the processing of your personal data, you may contact any controller directly via our contact details:
contact address: Dělnická 1628/9, Holešovice, 170 00 Prague 7, contact e-mail: firstname.lastname@example.org, contact telephone number: 800 151 111.
B) Information on the processing of personal data
GRANTEX, as a data controller, handles your personal data in accordance with the applicable legislation and always in such a way as to ensure the security of your data (personal data) to the maximum extent possible. GRANTEX complies with the principles of personal data processing set out in the applicable legislation and fully respects the highest standards of data protection.
These principles apply to all personal data subjects (natural persons) – clients, suppliers and customers of GRANTEX, as well as to anyone else who contacts GRANTEX or otherwise provides GRANTEX with information (unless otherwise stated below). This includes anyone who uses GRANTEX, services with or through GRANTEX or provides services, subcontracts or is in any other contractual relationship with GRANTEX.
GRANTEX may store and otherwise process the personal data of clients and other persons where necessary in connection with the use of subsidy, legal, tax, insurance and accounting services, or the personal data of other persons who have provided their personal data to GRANTEX and have given their consent to the processing of their personal data.
GRANTEX may also collect categories of personal data that originate from public sources, including public registers and the Internet, but only for the purposes for which these public sources and registers are created. GRANTEX may also collect categories of personal data it receives from third parties (employers, collaborators, business partners or other third parties) in connection with in connection with the provision of services.
Purposes of the processing of personal data, Legal basis for the processing of personal data:
GRANTEX processes your personal data only to the extent necessary for the purpose and for the period of time necessary to fulfil the purpose.
Processing of personal data without your consent:
GRANTEX processes personal data without your consent for the following purposes and under the following legal titles:
(a) the fulfilment of contractual obligations, including the fulfilment of the obligation to provide performance under the contract and the making of payment (storage period: for the duration of the contract and the obligations arising from the contract, or for the period provided for by the relevant legislation); legal basis for processing: (i) performance of the contract, (ii) performance of a legal obligation;
(b) the possibility of asserting and enforcing legal claims against the controller, the beneficiaries or other relevant persons, or the protection of legal claims, including the enforcement of legal claims, the development of and development of the products and services provided, dispute resolution, in particular for the purposes of litigation or other disputes (storage period: personal data are processed until 1 year after the end of the limitation period (3 years), or further for the necessary time for the purposes of the protection of legal claims; legal basis for processing: (i) legitimate interest of the controller or third parties
(c) direct marketing – offering GRANTEX business, services and products, sending commercial communications to existing customers in the sense of offering information society services in accordance with the relevant legal regulation (storage period: personal data are processed for the duration of the relationship on the basis of which the direct marketing is carried out by the controller); legal basis for processing: (i) legitimate interest of the controller;
(d) keeping and processing of employee records; (storage period: personal data are processed for the period of time specified by the relevant legislation); legal basis for processing (i) compliance with a legal obligation.
(e) maintenance and processing of the recruitment agenda; (period of storage of personal data: personal data are processed for a period of one month after the outcome of the selection procedure); legal basis for processing: (i) legitimate interest of the controller.
Categories of personal data processed without consent:
In the case of processing of personal data without your consent, GRANTEX processes your personal data in relation to the above purposes:
(a) identification data and contact data, i.e. name, surname, telephone number and e-mail address, address (home, delivery or other contact address), birth number, in the case of a natural person who is an entrepreneur, also the business name or an addendum attached to the name, the registered office of the business and the registration number/ID number;
The legal basis for processing your personal data is (see above):
The legitimate interest of the controller or a third party (Article 6(1)(f) of the GDPR); the performance of a contract to which the data subject is a party (Article 6(1)(b) of the GDPR); the fulfilment of a legal obligation to which the controller is subject (Article 6(1)(c) of the GDPR).
Processing of personal data with your consent:
GRANTEX processes personal data with your consent for the following purposes:
(a) offering services, products and sending commercial communications;
(b) marketing communications;
(c) analytical and marketing cookies (consent granted through your web browser settings);
(d) selected aspects in connection with the management and processing of employee records (e.g. use of photographs on promotional materials);
(e) the transfer of personal data to RENOMIA, a. s., ID No. 48391301, registered office at Holandská 874/8, Štýřice, 639 00 Brno, registered in the Commercial Register maintained by the Regional Court in Brno under file no. B 3930 (hereinafter referred to as “RENOMIA“), in case of filling in the inquiry form on the website grantex.cz in the RENOMIA tab for the purpose of offering RENOMIA services.
Period of storage of personal data for the purposes (a), (b) and (c) of this article above: personal data based on consent are processed until the consent to the processing of personal data is withdrawn. Duration of storage of personal data for the purposes of (d) of this Article above: personal data based on consent shall be processed for the duration of the employment or other similar relationship or until the consent to the processing of personal data for this purpose is withdrawn.
Consent to the processing of personal data by the data subject for the benefit of any of the GRANTEX companies for the purposes set out in Ad (a) – Ad (c) above is given at the moment of filling in and submitting the contact form on the grantex.cz website.
Consent to the processing of personal data by the data subject for the benefit of GRANTEX and RENOMIA for the purpose referred to in Ad (e) above is granted at the moment of filling in and submitting the contact form on the grantex.cz website under the RENOMIA tab. The treatment of personal data transmitted to RENOMIA in this way is governed by the Personal Data Processing Policy available at https://www.renomia.cz/informace-o-zpracovani-osobnich-udaju.
In order to demonstrate compliance with the controller’s obligations under the applicable data protection legislation, the controller is entitled to store/process information regarding the consent obtained (i.e. how the consent was obtained and what the consent related to), even after the consent has been withdrawn, for as long as necessary. The legal basis for the processing is the consent to the processing of personal data given by the data subject.
Categories of personal data processed with consent:
In the case of processing of personal data with your consent granted by GRANTEX in relation to the above purposes, GRANTEX processes your:
(a) identification data and contact data, i.e. name, surname, telephone number and email address; The legal basis for processing your personal data is (see above):
Consent to the processing of personal data, if given by the data subject (Article 6(1)(a) of the GDPR).
GRANTEX may process (i) functional cookies, which ensure the basic functionality of the website, without which the website cannot function, (ii) analytical cookies, the purpose of which is to calculate website traffic and collect statistics that allow the website operator to observe user behaviour, and (iii) marketing cookies, the collection of which ensures the offering of GRANTEX services.
If the website user does not wish to consent to the use of any of the optional types of cookies, he/she must tick the non-optional box “Necessary only”, in which case the operator will only use so-called necessary or functional cookies whose use is essential for the operation of the website.
Source of personal data:
GRANTEX obtains personal data of data subjects from data subjects (e.g., in the context of contract negotiations, from requests from data subjects, in personal or written communications with data subjects, including electronic communications) or from its own activities (in the context of evaluating the data you provide to us in connection with the use of our products or services, or from public sources). If GRANTEX obtains personal data from you, GRANTEX informs you whether the provision of personal data is a legal or contractual requirement and whether you are obliged to provide personal data, as well as the possible consequences of not providing personal data.
In the case of the processing of personal data on the basis of the data subject’s consent, the individual GRANTEX controllers listed in this notice shall be joint controllers with regard to the joint determination of the means and purposes of the processing of personal data, and they shall individually transfer the personal data so processed between themselves.
In order to comply with the obligations of Article 26 of the GDPR, GRANTEX hereby informs the data subject in cases where it acts as a joint controller, that the responsibility for compliance with the GDPR, in particular in relation to Articles 13 and 14 of the GDPR, lies with GRANTEX subsidies. Notwithstanding the foregoing, however, the data subject may exercise his or her rights under the GDPR with and against each of the controllers.
Beneficiary, categories of beneficiaries:
Your personal data may be transferred to the following categories of recipients:
public authorities and other entities to which GRANTEX is obliged to disclose your personal data or which are entitled to request your personal data from GRANTEX (e.g. tax authorities, customs administration, bailiffs, insolvency administrators, courts, law enforcement authorities, etc.);
third parties with whom GRANTEX has a written contract for the processing of personal data (e.g. IT service providers, accounting service providers, security service providers, etc.);
employees or persons in a similar position with respect to GRANTEX, or other persons on your instructions;
Your personal data may be disclosed to third parties for other reasons in accordance with applicable law. GRANTEX does not intend to transfer personal data to a third country outside the European Union or an international organisation;
to individual GRANTEX and RENOMIA companies.
Transmission of personal data with the consent of the data subject
GRANTEX and RENOMIA offer the possibility of sending you up-to-date information relating to the activities carried out by GRANTEX and RENOMIA. In the event of consent by the data subject, GRANTEX and RENOMIA transmit personal data to each other for the purpose of sending marketing communications to the data subject. GRANTEX may, in the event of consent, transmit personal data to RENOMIA as a separate data controller for the purpose of sending marketing communications and service offers.
C) Your rights in relation to the processing of personal data
Right of access to personal data:
As a data subject, you have the right to obtain confirmation from the controller as to whether or not the personal data relating to you are being processed and, if so, to obtain access to that personal data and to the following information about:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed;
(d) the intended period of time for which the personal data will be stored or, if that period cannot be determined, the criteria used to determine that period;
(e) the existence of the right to request the controller to rectify or erase the personal data, to restrict processing or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority (the Data Protection Authority);
(g) any available information about the source of the personal data;
(h) whether automated decision-making, including profiling, takes place, the procedure used and the significance and foreseeable consequences of such processing.
The controller further declares that it is entitled to authorise the processor to process personal data within the contractually specified scope, for the contractually specified purpose and for the period of time specified in the contract.
The controller will provide you with a copy of the personal data processed. For further copies, the controller is entitled to charge a reasonable fee based on administrative costs. It applies that the right to obtain a copy must not adversely affect the rights and freedoms of other persons.
Right to rectification:
As a data subject, you have the right to have inaccurate personal data concerning you rectified by the controller without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing an additional declaration.
Right to erasure:
As a data subject, you have the right to have the controller erase personal data concerning you without undue delay if one of the following reasons applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) you have withdrawn the consent on the basis of which the data was processed and there is no further legal basis for the processing;
(c) the data subject has objected to the processing, where an objection is permissible under the GDPR, and there are no overriding legitimate grounds for the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased to comply with a legal obligation.
The right to erasure shall not apply where a lawful exception applies, in particular where the processing of personal data is necessary for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the establishment, exercise or defence of legal claims.
Right to restriction of processing:
As a data subject, you have the right to have the controller restrict processing in any of the following cases:
(a) you contest the accuracy of the personal data – in this case, the processing will be limited to the time necessary for the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and you refuse to erase the personal data and request instead to restrict their use;
(c) the controller no longer needs the personal data for the purposes of the processing but you require the personal data for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to the processing pursuant to Article 21(1) of the GDPR – until it is verified that the legitimate grounds of the controller override the legitimate grounds of the data subject.
If the processing has been restricted, these personal data may, with the exception of their storage, only be processed:
(a) with the data subject’s consent;
(b) for the establishment, exercise or defence of legal claims;
(c) for the protection of the rights of another natural or legal person; or
(d) for reasons of important public interest of the European Union or of a Member State.
Right to data portability:
As a data subject, you have the right (under the conditions set out in Article 20 of the GDPR) to obtain personal data relating to you that you have provided to the controller on the basis of consent or for the purposes of performance of a contract. Upon your request, the controller will provide you with the data in a structured, commonly used and machine-readable format or, where technically feasible, to another clearly identified controller. The right to data portability does not apply to personal data that are not processed by automated means. The exercise of the right to data portability must not adversely affect the rights and freedoms of other persons.
Right to object:
You have the right to object to the processing of personal data on the basis of a legitimate interest pursued by GRANTEX, in particular in connection with direct marketing.
WHEN YOU CAN OBJECT TO PROCESSING AND WHAT THIS MEANS:
According to Article 21 of the GDPR, you have the right to object to the processing of your personal data at any time if the processing is based on an authorisation for the performance of a task carried out in the public interest or is necessary for the purposes of the legitimate interests of GRANTEX. In the case of GRANTEX, you can object to the processing of your personal data processed for direct marketing purposes. If you do not want GRANTEX to continue to send you its newsletter or other commercial communications in connection with direct marketing, you can object to this at any time. GRANTEX will then no longer process your personal data for this purpose and will no longer send you further commercial communications. You can object by sending an e-mail to email@example.com or by clicking on the link provided within each electronic commercial communication concerning the information that you do not wish to receive further commercial communications from us.
The right to lodge a complaint with the supervisory authority:
If you believe that the processing of your personal data violates GDPR legislation/regulations, you have the right to file a complaint with a supervisory authority against the controller’s practices.The supervisory authority for the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7 (www.uoou.cz). This is without prejudice to any other administrative or judicial remedies provided for the protection of the data subject by applicable law.
Right to withdraw consent:
You are not obliged to give consent to GRANTEX or RENOMIA to process your personal data. You have the right to withdraw your consent to the processing of your personal data for the above purposes (or any of them) at any time. The withdrawal of consent does not affect the processing of your personal data prior to its withdrawal. You may withdraw your consent to the processing of your personal data by:
(a) a signed written notice of withdrawal of consent sent in writing to GRANTEX’s contact address; or
(b) notice of withdrawal of consent by email sent to the GRANTEX contact email address set out above in this Instruction; or
(c) a signed written notice of withdrawal of consent sent in writing to RENOMIA’s contact address in accordance with the rules set out in RENOMIA’s Data Processing Policy, available at https://www.renomia.cz/.
Please note that we may also process certain personal data for certain purposes without your consent. If you withdraw your consent, GRANTEX will cease processing the relevant personal data for the purposes requiring your consent for which the consent to process has been withdrawn. Even so, GRANTEX may be entitled or even obliged to continue to process the same personal data on the basis of another legal basis (other legal basis for processing).
D) Further information
How the data subject may exercise his or her rights:
As a personal data subject, you may exercise your rights in relation to the processing of personal data against the controller by contacting the controller at the contact address Dělnická 1628/9, Holešovice, 170 00 Prague 7, or by contacting the controller by e-mail at firstname.lastname@example.org.
Provision of information by the controller:
The controller provides information in writing in electronic form (by e-mail), unless the controller provides you with information electronically, unless you request that the information be provided in paper form. This is without prejudice to your right to data portability.
If we receive a request from you pursuant to Articles 15 to 22 of the GDPR, we will inform you of the measures taken without undue delay, at the latest we will inform you of the measures taken, refusal or extension of the deadline within one month after the request is received by us. Taking into account the complexity of the request or the number of requests, we may extend the deadline for informing you of the measures taken (and therefore for taking the relevant measures) by a further two months. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
The information that the data subject has exercised his or her rights with the controller and how his or her request has been dealt with by the controller shall be stored by the controller for a reasonable period of time for the purpose of:
(a) to substantiate that fact;
(b) for statistical purposes;
(c) to improve the services of the controller; and
(d) to protect the rights of the controller.
Where personal data is processed on the basis of your consent, the provision of your personal data is not a legal or contractual requirement. Therefore, in such cases, it is not your obligation to provide the personal data in question for the purpose in question, nor is it your obligation to consent to its processing. In the event that GRANTEX uses personal data for a purpose other than that set out in this Instruction, it will promptly provide the data subject with information about this other purpose and the other information set out in this Instruction.
At [____] on [____]