Processing of Personal Data

Statement on the Processing of Personal Data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”).

I. Introduction

This statement has been prepared and published in order to provide information about the procedures and commitments of our company regarding the application of GDPR requirements. The following terms are used in this document:

• PD – personal data, i.e. all information leading to the identification of a specific person
• Data Subject – the individual whose personal data is held and processed by our company
• Controller – our company, which records, processes, archives and protects your personal data
• Processor – a company engaged by us to process your personal data on the basis of a contract. This ensures that the system of handling, processing and protecting your personal data complies with GDPR requirements and that your rights are not restricted.
  
  

II. Personal Data Controller

MTM Transport, a.s., Company ID: 28628268, contact address for personal data protection matters: info@mtmtransport.cz, phone number: +420 596 753 564-5 (hereinafter referred to as the “Controller”), hereby informs you, in accordance with Article 12 of the GDPR, about the processing of your personal data and your rights.

III. Scope of Personal Data Processing

Personal data are processed to the extent provided by the data subject to the Controller, based on their free decision when establishing a relationship or registration, and subsequently within the framework of a contractual or other legal relationship with the Controller, or which the Controller has otherwise collected and processes in accordance with applicable legal regulations or to fulfill the Controller’s legal obligations.

IV. Sources of Personal Data

We obtain personal data from data subjects (business communication, purchases, supply of products and services, website contact form, telephone communication, business cards, etc.).

Another source of personal data consists of information necessarily provided by job applicants and employees. If personal data are obtained from public sources, they are used exclusively for the purpose of establishing a business relationship or in accordance with the consent obtained from the data subject.

V. Categories of Personal Data Processed

• Identification data enabling the clear and unmistakable identification of the data subject (first name, last name, date of birth, personal identification number, permanent address, etc.)
• Descriptive data (e.g. bank details)
• Data necessary for contract performance (email, phone number, workplace address, position) and others
• Data provided beyond the scope of applicable laws and regulations, processed based on the consent granted by the data subject
  
  

VI. Categories of Data Subjects

These include in particular:

• Customers
• Customers of customers
• Employees and workers under agreements outside employment and job applicants
• Personal data subjects of suppliers and partners providing services necessary for our company’s operations
• Other persons in a contractual relationship with the Controller
  
  

VII. Categories of Recipients of Personal Data

• State and other authorities in fulfilling legal obligations under applicable legislation
• Financial institutions and public administration bodies
• Processors based on concluded contracts
• Third parties and organizations based on the consent of the data subject
• Our company as the Controller
  
  

VIII. Purpose of Personal Data Processing

• Purposes included within the data subject’s consent and negotiations of a contractual relationship
• Performance of a contract
• Protection of the rights of the Controller, recipient or other concerned persons
• Archiving in accordance with legal requirements
• Recruitment procedures for vacant positions
• Fulfillment of the Controller’s legal obligations
• Protection of the vital interests of the data subject or other individuals
  
  

IX. Method of Processing and Protection of Personal Data

Personal data are processed by the Controller or by a Processor with whom the Controller has concluded a contract guaranteeing compliance with all responsibilities in processing personal data and respecting the rights of the data subject.

Processing is carried out at the Controller’s registered office and premises or at the Processor’s premises. Processing takes place using computer technology or manually in the case of paper-based personal data, in compliance with all security principles for the management and processing of personal data. For this purpose, the Controller has adopted technical and organizational measures to ensure the protection of personal data, particularly measures to prevent unauthorized or accidental access, alteration, destruction, loss, unauthorized transfer or misuse. All entities to whom personal data may be disclosed respect the data subject’s right to privacy and are obliged to act in accordance with applicable data protection legislation.

X. Duration of Personal Data Processing

In accordance with the time limits specified in relevant contracts, the Controller’s filing and retention policy, or applicable legal regulations, personal data are processed only for the period necessary to ensure the rights and obligations arising from contractual relationships, the legitimate interests of the Controller, and applicable legal regulations.

XI. Information

The Controller processes data with the consent of the data subject, except in cases stipulated by law where personal data processing does not require such consent.

In accordance with Article 6(1) GDPR, the Controller may process personal data without the data subject’s consent if:

• Processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the Controller is subject.
• Processing is necessary to protect the vital interests of the data subject or another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
• Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.

In other cases, the consent of the data subject granted under GDPR conditions is required.

XII. Rights of the Data Subject

• In accordance with Article 12 GDPR, the Controller informs the data subject, upon request, of the right of access to personal data and the following information:
  • The purpose of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom personal data have been disclosed
  • The planned period for which personal data will be stored
  • All available information about the source of personal data
  • Whether automated decision-making, including profiling, takes place
• Any data subject who believes that the Controller or Processor is processing personal data in violation of the protection of personal and private life or in violation of the law, particularly if the personal data are inaccurate with regard to the purpose of processing, may:
• Request an explanation from the Controller in person or via info@mtmtransport.cz
• Request that the Controller remedy the situation. This may include blocking, correction, completion or erasure (“right to be forgotten”) of personal data.
• If the request is found to be justified, the Controller shall promptly remedy the defective state.
• If the Controller does not comply with the request, the data subject has the right to contact the supervisory authority directly, i.e. the Office for Personal Data Protection.
• The above procedure does not exclude the data subject’s right to contact the supervisory authority directly.
• The Controller may request a reasonable fee for providing information not exceeding the necessary costs of providing such information.