Statement on the Processing of Personal Data
Statement on the processing of personal data pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “General Regulation”), and information for data subjects.
Data Controller
Pilsen Region, Regional Office of the Pilsen Region, Company ID: 70890366, with registered office at Škroupova 18, 306 13 Pilsen (hereinafter the “Controller”), hereby informs data subjects, in accordance with Article 12 of the General Regulation, about the processing of personal data and their rights.
Scope of Personal Data Processing
Personal data are processed to the extent provided to the Controller by the relevant data subject, in connection with entering into a contractual or other legal relationship with the Controller, or data which the Controller has otherwise collected and processes in accordance with applicable legal regulations or to fulfill the Controller’s statutory obligations.
Sources of Personal Data
- Directly from the data subject (e.g., contact form on the Pilsenň Region website);
- From other public or state authorities;
- Non-public registers (ISEO, ROB);
- Publicly accessible registers, directories, lists, and records (ROS, RÚIAN, commercial register, trade register, land registry, etc.).
Categories of Personal Data Processed
- Address and identification data enabling unambiguous identification of the data subject (e.g., name, surname, title, date of birth, permanent address, Company ID, Tax ID) and contact details (e.g., address, phone number, fax, email, or similar information);
- Descriptive data (e.g., bank account details);
- Other data necessary to perform a contract;
- Data provided beyond legal requirements processed on the basis of consent from the data subject (e.g., processing photographs, use of personal data for HR purposes, etc.).
Categories of Data Subjects
- Employees of the Controller;
- Supervisory authorities;
- Other persons in a contractual relationship with the Controller;
- Job applicants.
Categories of Recipients of Personal Data
- Supervisory authorities;
- Tax authorities;
- Public administration bodies;
- Processor;
- State and other authorities in the fulfillment of legal obligations;
- Other recipients.
Purpose of Personal Data Processing
- Purposes specified in the data subject’s consent;
- Negotiation of contractual relationships;
- Performance of a contract;
- Protection of rights of the Controller, recipients, or other affected persons (e.g., debt recovery);
- Archiving based on legal requirements;
- Recruitment for job vacancies;
- Compliance with statutory obligations of the Controller;
- Protection of vital interests of the data subject.
- Method of Processing and Protection of Personal Data
Personal data are processed by the Controller. Processing is carried out at the Controller’s registered office by authorized employees, or, where applicable, by a processor. Processing occurs via IT systems or manually for paper records, ensuring full compliance with security principles for the management and processing of personal data. The Controller has implemented technical and organizational measures to ensure data protection, particularly to prevent unauthorized or accidental access, alteration, destruction, loss, unlawful transfer, or other misuse of personal data. All parties with access to personal data respect the privacy rights of data subjects and are obliged to comply with applicable legal regulations on data protection.
The Controller commits to processing personal data in accordance with applicable laws and to use the data only to the extent necessary to fulfill the purposes for which the data were collected, always ensuring no harm to the data subject.
Where personal data are to be disclosed to third parties and consent is required, the data subject will be asked for consent, e.g., when concluding a contract.
Retention Period of Personal Data
In accordance with the periods specified in relevant contracts, the Controller’s filing and retention rules, or applicable legal regulations, personal data will be retained only as long as necessary to ensure the rights and obligations arising from contractual relationships or statutory requirements.
Information to Data Subjects
The Controller processes personal data based on the consent of the data subject (which may be given for one or more specific purposes) except in cases where the law allows processing without consent.
In accordance with Article 6(1) of the General Regulation, the Controller may process data without consent where:
- Processing is necessary to perform a contract with the data subject, or to take steps prior to entering into a contract at the request of the data subject;
- Processing is necessary to comply with a legal obligation of the Controller;
- Processing is necessary to protect the vital interests of the data subject or another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- Processing is necessary for the legitimate interests of the Controller or a third party, except where such interests are overridden by the rights and fundamental freedoms of the data subject requiring protection of personal data.
Rights of Data Subjects
In accordance with Article 12 of the General Regulation, the Controller informs data subjects, upon request, of their right to access personal data and the following information:
- Purpose of processing;
- Categories of personal data concerned;
- Recipients or categories of recipients to whom personal data have been or will be disclosed;
- Planned retention period;
- All available information about the source of the personal data if not obtained directly from the data subject;
- Whether automated decision-making, including profiling, occurs.
Any data subject who finds or believes that the Controller or Processor processes their personal data in a way that violates their privacy or the law, particularly if the data are inaccurate for the purposes of processing, may:
- Request an explanation from the Controller;
- Request the Controller to rectify the situation, including correction, supplementation, or deletion of personal data. If the request is found justified, the Controller will immediately correct the issue.
Requests must always be properly assessed. If there is doubt about the identity of the person requesting information, the Controller may request additional information to confirm the data subject’s identity, in accordance with Article 12(6) of the General Regulation.
For requests under Articles 15–22 of the General Regulation, information about measures taken must be provided without undue delay, and in any case within one month of receipt. In exceptional cases, the period may be extended by two months, and the data subject must be informed, including the reasons for the extension.
All information and actions under Articles 13, 14, 15–22, and 34 of the General Regulation are provided free of charge. Only if requests are manifestly unfounded or excessive, particularly repetitive, may a reasonable fee be charged, or the request may be refused, with proper justification.
If the Controller does not comply with the data subject’s request, the data subject has the right to contact the supervisory authority, i.e., the Office for Personal Data Protection, directly. The data subject may do so without first contacting the Controller.
Data Protection Officer
Contact for the Data Protection Officer of the Regional Office of the Pilsen Region:
Mgr. Milan Švarc, Head of Internal Audit Unit, Data Protection Officer
Tel.: +420 377 195 751
E-mail: milan.svarc@plzensky-kraj.cz
