Personal Data Processing Policy at OSTROJ a.s. – for external subjects

OSTROJ a.s. considers the protection of personal data important and pays due attention to it. When processing personal data, we proceed in accordance with legal regulations, especially the General Data Protection Regulation No. (EU) 2016/679 ("GDPR"), Act No. 110/2019 Coll., on the processing of personal data, and other related legislation.

This document provides information on the processing of personal data of external individuals and the rights related to this processing, particularly for the following data subjects:

• business partners, including potential ones,
• persons performing various support services for our company,
• contractual partners based on a validly concluded legal document,
• applicants for sponsorship or donation
• employees and cooperating persons of the above-mentioned persons,
• visitors to our premises,
• persons who fill out the contact form on our website,
• and other third parties whose personal data we will legitimately process.

We are the controllers of your personal data, and our primary contact details are:

OSTROJ a.s., IČO 451 93 681, se sídlem Těšínská 1586/66, Předměstí, 746 01 Opava
The company is registered in the Commercial Register of the Regional Court in Ostrava, Section B, Insert 349.
e-mail: gdpr@ostroj.cz, phone: + 420 553 872 111, www.ostroj.cz

Legal basis and purpose for processing your personal data:

• For measures necessary for the conclusion of a contract and subsequently for the fulfillment of the concluded contract, for the purpose of negotiating the conclusion of a contract, mutual negotiations and communication, including electronic communication, providing information and responses, including reactions to the completed contact form on our website, for the purpose of expressing a common intention or preliminary agreement before the conclusion of a contract, and for the purpose of fulfilling the conditions of the concluded contract (delivery and receipt of goods and services, fulfillment of warranty and service conditions, provision of sponsorship donation, etc.),
• For the fulfillment of legal obligations imposed on us by generally binding legal regulations, especially the Act on Business Corporations and the Civil Code, the Accounting Act, the VAT Act, the Income Tax Act, administrative regulations, etc., for the purpose of fulfilling legal obligations, communication and providing information to state authorities, issuing accounting and tax documents, keeping accounts, paying taxes, etc.,
• For our legitimate interest, especially for the purpose of protecting property and the health of persons, including resolving insurance claims, for the purpose of preventing damage and extraordinary events, and for the purpose of exercising and defending our legal claims, especially debt collection and defense against third-party claims, but always only if your interests and rights do not take precedence,

and this without the need for your consent.

With your consent:

There may be situations where we will require your explicit consent for certain purposes of personal data processing. In such cases, the provision of your personal data will be entirely voluntary and the consent can be revoked at any time. When granting consent, we will provide you with detailed information about this processing, its purpose, and your rights.

What personal data will we process:

We will process the following personal data, always only to the extent necessary. If we jointly conclude any legal document, the provision of personal data will be necessary for its conclusion.

1. Identification data, which mainly includes name and surname, name/business name, title, date of birth, ID No., type and number of identity document, physical appearance captured within the camera system,
2. Contact data, which mainly includes permanent residence address, registered office or place of business address, delivery address, email address, phone number, or other contact details you provide to us,
3. Payment and billing data, which mainly includes bank account number and billing address, VAT No.,
4. Other data beyond the data mentioned in A–D, such as goods or activities you order from us or we order from you, data from mutual communication, data stated in the contractual document, data obtained during a visit to our premises, vehicle registration number, etc.

For completeness, we state that personal data is obtained directly from you and/or from publicly available sources (e.g., commercial register, trade register, real estate register, from your websites, etc.). If you provide us with more personal data than necessary, we will not process it.

We operate a surveillance camera system

ithin our properties (premises), we operate a camera system for the purpose of protecting property, life, and health of persons, safety, and prevention of damage and extraordinary events. When operating the camera system, personal data of persons is processed, consisting of capturing their physical appearance on camera footage. The scope and location of individual camera systems are available here. Specific locations are clearly marked with an information sign. Records are stored on secure storage for a maximum of 7 days and then overwritten in loops, unless a longer storage period is necessary for the protection of our legitimate interests (for the purposes of investigation by the Police of the Czech Republic, etc.). Further information on the operation of the camera system will be provided by the head of Property Management (use the contact details listed above).

What security measures will be in place for your personal data?

We handle your personal data with due care and in accordance with GDPR and other generally binding legal regulations. We strictly adhere to security measures and protect personal data to the maximum extent possible, corresponding to the technical level of available means. Only employees who are instructed and trained regarding their obligations in processing personal data will have access to personal data. Personal data in electronic form will be processed in a secure information system and secure applications. We place great emphasis on cybersecurity.

You have the right to:

1. Access your personal data that we process – simply put, you have the right to know what data we process about you and why;
2. Correct your personal data if it is incomplete or inaccurate;
3. Delete your personal data or restrict its processing if we do not have a legal reason for its processing;
4. Object to processing based on our legitimate interest;
5. Transfer the personal data you provided to us to another controller;
6. Withdraw consent if we process personal data based on your consent, without any additional costs or consequences. Withdrawal of consent will not affect the legality of personal data processing based on this consent before its withdrawal.

Sharing of personal data with third parties

We do not normally provide personal data to third parties. Exceptions are situations where this obligation arises from legal regulations (especially in relation to state authorities) or in relation to external companies that provide support services for us (e.g., security of premises, brokerage services and insurance), to which we provide personal data only to the minimally necessary extent and contractually commit to appropriate protection and security of personal data.

We do not intend to transfer personal data to third countries or international organizations outside the EU. If we are nevertheless forced to do so, we will comply with the conditions for transfer set out in GDPR and simultaneously inform you about it, or request your explicit consent.

We do not engage in automated decision-making.

Your personal data will not be used for decision-making based solely on automated processing or profiling.

How long do we retain personal data?

We keep personal data only for the time necessary to fulfill the purpose for which we process it, and further only for the time necessary to protect our legitimate interests, especially for the exercise or defense of our legal claims. Normally, this period does not exceed 3 years from the last contact with you. In some cases, it may be a longer period, in connection with archival periods set by generally binding legal regulations, e.g., the Archival Act, the Accounting Act, etc.

You can contact us at any time.

You can contact us anytime via email at: gdpr@ostroj.cz, or use the other contact details provided above. We will address your request promptly, but you may be asked for additional information. The request may be subject to a fee under certain conditions, particularly if it is clearly unjustified or excessive, especially if it is repetitive.

You have the right to file a complaint with the supervisory authority.

Contact details for the supervisory authority: The Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7., www.uoou.cz