Headquarters of Fatra a.s., Napajedla
Headquarters of Fatra a.s., Napajedla

Personal data protection

All personal data is in complete safety. We protect data exactly in accordance with the law and EU regulations.

Fatra, a.s., with its registered office at Napajedla, třída Tomáše Bati 1541, postcode 763 61, ID 27465021, a company entered in the Commercial Register kept by the Regional Court in Brno under file number B 4598 (hereinafter „Fatra“ or „our company“), is the controller of your personal data, which means that it determines the purpose and means of personal data processing, performs the processing of your personal data and is responsible for this processing.

In this document you will find general information about the way our company processes personal data, as well as information about some of the most common types of personal data processing that occur in the activities of Fatra, a.s. and which the company processes in accordance with personal data protection regulations, in particular EU Regulation No. 2016/679 (hereinafter the „Regulation“).

Below you will find:

  1. GENERAL INFORMATION ON THE PROCESSING OF PERSONAL DATA BY FATRA
  2. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR FATRA'S CONTRACTUAL PARTNERS
  3. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR CONTACT PERSONS OF FATRA'S CONTRACTUAL PARTNERS
  4. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF JOB APPLICANTS AT FATRA
  5. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF VISITORS TO FATRA'S WEBSITE
  6. RISKS AND RECOMMENDED PROCEDURES

Our company also carries out other personal data processing, but provides information on such processing only directly to the affected individuals.

1. GENERAL INFORMATION ON THE PROCESSING OF PERSONAL DATA BY FATRA

Principles of personal data processing

When processing personal data, we respect all the rights of data subjects. Our company observes in particular the following principles:

  • personal data is processed fairly, lawfully and transparently;
  • personal data is collected exclusively for legitimate purposes and processed in a way compatible with those purposes;
  • when processing personal data, we limit ourselves to the minimum necessary to fulfil the stated purposes;
  • we take all reasonable and available measures to secure personal data during processing;
  • we process only accurate and up-to-date personal data; inaccurate or unnecessary data is corrected or deleted;
  • personal data is stored for the period necessary for the purposes for which it is processed;
  • personal data processing takes place only in a manner that ensures appropriate security of the data, including its protection by suitable technical and organisational measures against unauthorised or unlawful processing, accidental loss, destruction or damage.

What personal data do we process?

For the purposes we have defined, we process in particular the following categories of personal data:

  • identification and address data: name, surname, title, date of birth, address (residence, delivery or other contact address); for a self-employed natural person also the trade name or addition appended to the name, place of business and identification number;
  • electronic contact data: telephone, mobile phone, fax, e-mail address, data box ID;
  • other electronic data: IP address, location data, data transmitted from the customer's web browser, etc.;
  • other personal data needed for the performance of the contract: bank account number, invoiced amount, etc.;
  • creditworthiness and trustworthiness information: records of meeting payment obligations, including information from public registers.

How do we obtain your personal data?

We obtain your personal data from you, from third parties, from publicly available sources or from our own activities. When we obtain personal data from you, we always inform you whether the provision of the data is a legal or contractual requirement and whether you are obliged to provide the data, as well as the possible consequences of not providing it.

  • from you, in particular:

– based on your requests and during contract negotiations;

– during telephone communications;

– during personal or written communication with you, including communication by electronic means (e-mail).

  • from third parties, in particular:

– from state administration bodies or third parties when fulfilling our legal obligations or on the basis of special legal regulations;

– from cooperating third parties.

  • from publicly available sources, in particular:

– from social networks and the internet, if you have made the data public yourself;

– from the Commercial Register;

– from the Insolvency Register.

  • from our own activities:

– when evaluating data you provide to us in connection with the use of our products or services

For what purposes do we process your personal data?

We process your personal data only to the extent necessary for the given purpose and for the period necessary to fulfil that purpose. After fulfilling the purpose, we may process your personal data for purposes other than those for which it was collected. We will always inform you of these other purposes as well.

We process your personal data in particular:

a) for the purpose of concluding contracts, for the purpose of performing the contract we have concluded with you and when handling your requests,
b) for the purpose of fulfilling our legal obligations,
c) for the purpose of our legitimate interests,
d) for marketing purposes.

How do we process your personal data and how is the data secured?

When processing personal data, our company always proceeds in such a way that your personal data is well secured and cannot be misused.

The processing of your personal data may be both manual and automated. Automated processing takes place in Fatra's information systems or in the information systems of our processors.

Your personal data is processed mainly by relevant Fatra employees who need access to personal data to perform their work duties and who are bound by confidentiality regarding all facts and data they learn in the course of their work. In addition, your personal data is also accessible to employees of our processors, only to the extent necessary to carry out their activities for our company. We always conclude a written personal data processing agreement with all our processors, which contains guarantees for the security of your personal data.

What are your rights?

At any time during the processing of your personal data you may exercise the following rights:

  • the right of access to your personal data and to obtain a copy of the personal data we process about you,
  • the right to rectification and supplementation of your personal data if you find that we are processing inaccurate or incorrect personal data about you,
  • the right to erasure of your personal data if the conditions set by law are met,
  • the right to restriction of processing of your personal data, where, at your request, we may, under certain conditions set by law, restrict the handling of your personal data,
  • the right to portability of your personal data to another controller, where we process your personal data on the basis of your consent or for the purpose of performing the contract and at the same time the processing is automated,
  • the right to object to the processing of personal data, if the personal data is processed for the purposes of our company's legitimate interests. If you raise an objection, we will not process your personal data until we demonstrate compelling grounds for processing that override your interests or rights and freedoms or for the establishment, exercise or defence of legal claims. In the case of personal data processing for offering our products and services, we will immediately stop processing your personal data on this basis after you raise an objection.

If we receive a request to exercise any of your above rights, we will inform the requester of the measures taken without undue delay and in any case within one month of receiving the request. This period may be extended by another two months if necessary, taking into account the complexity and number of requests. In certain cases set by the Regulation, our company is not obliged to comply with a request in whole or in part. This will be the case in particular where the request is manifestly unfounded or excessive, especially because it is repetitive. In such cases we may either (i) impose a reasonable fee reflecting the administrative costs associated with providing the requested information or communication or with carrying out the requested action, or (ii) refuse to comply with the request.

If we receive the above request but have reasonable doubts about the identity of the requester, we may ask the requester to provide additional information necessary to confirm his or her identity.

We will keep information about the fact that the data subject has exercised their rights with us and how we have handled their request for a reasonable period (usually 3-4 years) for the purpose of documenting this fact, for statistical purposes, improving our services and protecting our rights.

If a data subject believes that Fatra is processing their personal data unlawfully or otherwise infringing their rights, they have the right to lodge a complaint with the supervisory authority (Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7) or the right to seek judicial protection.

We would also like to inform you that we do not carry out any decision-making based exclusively on automated processing, including profiling, that would have legal effects for you.

2. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR FATRA'S CONTRACTUAL PARTNERS

This information summarises the basic principles of personal data processing by Fatra in relation to personal data of actual or potential contractual partners – natural persons.

Overview of processed (types of) data and their sources

Personal data of contractual partners – natural persons (hereinafter „partner“) that Fatra will process include in particular data provided by such persons [typically name and surname, place of business, ID, VAT ID, account number, contact details (e-mail address and telephone number), date of birth, data set out in the contract, invoiced and paid (owed) amounts, data on ongoing performance and communication with partners (or their employees)]. In connection with communication with the partner, Fatra may also store certain technical data, namely the time of the communication with the partner and the IP address from which it was sent. For potential contractual partners – entrepreneurs, our company may process data obtained from open sources (e.g. their websites or advertisements they have placed) so that they can then be contacted by phone with a service offer. Such basic data can be saved by our company in its CRM system for further contact.

Purposes of processing

The primary purpose of processing the personal data of a contractual partner is the conclusion and performance of the contract. In this context, the data will be further used for record-keeping and proper performance of Fatra's contractual relationships, for monitoring the activities of our employees, for statistical purposes, further development of Fatra's services — either of the service to which the concluded contract relates or of internal administrative procedures at Fatra — for debt collection and protection of the rights of Fatra and third parties (e.g. other contractual partners), in particular against unlawful conduct. Data (especially data obtained from communication with the partner, such as IP address and time of communication) will also be used for the purpose of Fatra's IT security. Furthermore, the partner's personal data will be used by Fatra for the purpose of fulfilling its legal obligations, in particular under regulations governing accounting and taxes, regulations on personal data protection (whether the partner or persons acting on its behalf), regulations on advertising regulation, etc., and for the purposes of direct marketing (i.e. in particular sending offers for our other products and services, namely by contacting by e-mail or telephone).

Legal basis of processing

The legal basis for processing partners' personal data is the necessity of contract performance (incl. enforcement of receivables that have arisen), Fatra's legitimate interests (driven by an interest in record-keeping of contractual relationships and an interest in protecting their rights against unlawful conduct including IT security, and the further development of Fatra's products or services, processing for direct marketing) and those of third parties (in particular other contractual partners involved in the performance in which the partner will also participate) and compliance with statutory requirements (in particular preventing wrongful conduct, fulfilling requirements under regulations on personal data protection (in particular Act No. 101/2000 Coll. and the Regulation), accounting and fulfilling obligations under tax regulations.

Right to object

If the legal ground for processing the partner's personal data is the legitimate interest of Fatra (this concerns in particular the processing of data for IT security purposes, statistical purposes and the further development of Fatra's supplier-customer relationships and the protection of the rights of Fatra and third parties), the partner has the right to object at any time, on grounds relating to their specific situation, to such processing of personal data. In such a case Fatra will no longer process such personal data unless there are compelling legitimate grounds for processing that override the interests of the partner or their rights and freedoms, or for the establishment, exercise or defence of legal claims. The partner can raise an objection to processing through the contact details given below or, ideally, by e-mail to osobní.udaje@fatra.cz. In the e-mail please describe the specific situation that leads you to conclude that Fatra should not process the data.

In the case of data processing for direct marketing purposes (sending marketing messages), it is always possible to object without further reason, so in such a case you do not have to provide any reasons why you do not wish to continue receiving marketing messages. In these cases the best way to object is to unsubscribe from further sending of communications using the link that will usually be included for this purpose.

Please note that even in the above-mentioned cases, parallel processing of personal data may sometimes be ongoing for other purposes that justify Fatra continuing to process such data.

Period for which the data will be processed

Fatra will process partners' contact data for the purpose of sending commercial communications until the partner expresses disagreement with such sending. Even after that, however, Fatra will process basic data on why it sent commercial communications to the partner for a reasonable period in order to demonstrate the legitimacy of such sending.

Personal data will be processed for a reasonable period with regard to the purpose of processing (e.g. contracts will normally be kept for 10 years from their termination). Where the processing period is set by law, the personal data will be processed for that period unless the reasons stated below justify a longer processing period. When determining the appropriate length of the personal data processing period, the following criteria will also be taken into account: (i) the length of the limitation period, (ii) the likelihood of legal claims being made, (iii) common market practice, (iv) the likelihood and significance of pending risks, and (v) any recommendations of supervisory authorities.

Updating data

To update data, you may contact Fatra at the contacts given below, ideally by e-mail to osobni.udaje@fatra.cz.

Commercial communications

We may also process data about our potential, current or former partners for so-called direct marketing purposes, which is typically sending e-mails or telephone contacts with offers of similar products or services to those you have purchased from us. There is no time limit on the sending of offers, but if you express the wish that we no longer send you such offers, we will not send them. We will, however, continue to process basic data about the sending for a reasonable period so that we can demonstrate why we sent you those offers. We will not pass your data to any third parties for the purpose of sending offers (apart from our subcontractors – processors who will carry out the processing for us).

The partner acknowledges that Fatra will, within the meaning of Section 7 of Act No. 480/2004 Coll., send commercial communications to its address (including e-mail) and that the partner will be contacted with unsolicited direct mail containing commercial communications relating to Fatra's products, business and services. The partner may refuse such sending at any time at Fatra's registered office or via the e-mail address osobni.udaje@fatra.cz. Such refusal — unless the partner expressly states otherwise — does not affect the sending of other types of commercial communications than those to which the partner is responding.

How processing will take place and its consequences

Most processing takes place by computer, so we will usually process your data in a computer system (e.g. in our CRM system, in the IBM Notes application for e-mails, in our accounting system for data needed for invoicing, etc.). This of course does not exclude the processing of paper records in card files, such as a system for storing paper contracts or business-card files kept by individual employees.

Fatra will process personal data mainly in its computer systems and the computer systems of processors. Paper records will be processed by Fatra in its card files. The provision of processed data by the partner is voluntary (however, without the provision of certain data the contract will not be concluded, and in some cases certain data is then required by law, in particular by accounting regulations).

Birth number

We will only process your birth number if you voluntarily state it on the contract or if it is required by law (unless it is expressly required by law, our company does not insist that you state your birth number on contracts; we therefore prefer that you do not include it in the contract).

If a partner – a natural person provides Fatra, on the basis of or in connection with a concluded works contract, with their birth number, they consent, as the holder of this birth number within the meaning of Section 13c (1) of Act No. 133/2000 Coll., to Fatra using this birth number for the purposes of recording contracts, the performance provided and the protection of Fatra's rights, and to archiving, processing and using it for this purpose. Any withdrawal of consent under this article does not affect Fatra's right to process the information and data which arises from the relevant legal regulations or for other purposes, unless they expressly provide otherwise.

Sharing personal data with other persons (recipients of personal data)

Not all personal data processing is carried out by our company itself. We sometimes hire third parties for processing — so-called personal data processors. We try to choose only processors who are sufficiently trustworthy.

Fatra may make personal data available to third parties only in cases where it is required or permitted by law, or with the partner's consent. Fatra discloses personal data only to the usual extent to processors or other recipients — providers of external services (typically programming or other supporting technical services, providers of computer systems, server services, e-mail dispatch and providers of archiving services), operators of (backup) servers or operators of technologies used by Fatra, who process them for the purpose of ensuring the functionality of the relevant services. Furthermore, personal data may be made available to the extent necessary to legal, economic and tax advisers and auditors, who process them for the purpose of providing advisory services, or to persons forming a group with Fatra. Personal data concerning debtors may also be made available to a company providing receivables insurance or to other companies for the purpose of debt collection. On request or in the case of suspicion of unlawful conduct, personal data may also be passed to public administration bodies.

Transfer of personal data abroad
While the principle of free movement of personal data within the EU applies under the Regulation, the Regulation restricts the transfer of personal data abroad outside the EU. Our company does not normally transfer personal data abroad outside the EU. It may, however, happen that your personal data is processed in a computer system whose servers are located outside the EU, although we try to avoid such situations. Given the systems normally used in business, it would at most involve systems using servers located in the United States of America. In such a case we would choose as a contractual partner a company that meets the conditions approved by the European Commission for the safe transfer of data between the EU and the USA, the so-called Privacy Shield. If we were to transfer your personal data outside the EU, we would inform you appropriately if necessary.

3. INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR CONTACT PERSONS OF FATRA'S CONTRACTUAL PARTNERS

As part of the processing of personal data of current or potential contractual partners, Fatra also processes data on their contact persons (e.g. their statutory bodies or employees who deal with Fatra). Within these data, the name and surname of such persons, their e-mail address, job position, telephone number and possibly minutes of meetings with them are usually processed. This data is processed for the same purposes and to a similar extent and for a similar duration as the data of contractual partners. Individual Fatra employees may keep their own lists of contact persons, e.g. in telephone address books or business-card holders. Telephone numbers with which communication has taken place from company devices are also stored for a reasonable period for the purpose of proper billing of telecommunications services, the protection of Fatra's rights and a possible distinction between private and business calls. However, in addition to system administrators, only the employees from whose devices the communication took place have access to such data.

4. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF JOB APPLICANTS AT FATRA

This document summarises the principles of processing personal data of job applicants at Fatra. Fatra acts as a controller in relation to applicants for a position at Fatra.

What data will we process about you?

We will process personal data that you submit to us or whose transmission you consent to, e.g. on candidate-data sharing servers (typically data contained in your CV — apart from your name, surname and contact details, also data on your previous work experience, your language skills, etc., and further data obtained in correspondence with you), or data that we obtain by basic checks of your personal data from public sources, e.g. the LinkedIn network (this will likewise involve only the strictly necessary data serving, to the extent permitted by law, to verify the applicant, in particular the data given in the CV). In connection with a personal interview or a telephone conversation with you, we may also note the impression you made on us or how your behaviour matches the data given in your CV.

If we contact you without your prior consent, we will only do so on the basis of data you have made public for that purpose.

In connection with your response to a job advertisement on our website, we may also save certain technical data, namely the time of your reply and the IP address from which it is sent.

If you give us consent to use your data, we will also keep a record of how and when this consent was given and when it was withdrawn.

How will we obtain data about you (what are the sources) and how will we process it?

We will primarily obtain the data directly from you.

For specialised positions we may also contact persons whose contact we obtain from public sources, e.g. the LinkedIn network, without having been previously contacted by these persons. In such cases we will subsequently approach you as a possible candidate with the offer to participate in the relevant selection procedure or to be included in our applicant database. If you agree, we will include you in the selection for the given position or in our database. If you do not agree, we will no longer process your data for this purpose (we may, however, store basic information about the fact that we contacted you and why for a reasonable period).

If you provide us with data on your references (contacts to your former colleagues, etc.) and consent to us contacting them, we will, to a reasonable extent, also process the data obtained from them.

For job applicants we also use our website https://www.fatra.cz/kariera.

By submitting personal data (e.g. by responding to an advertisement or filling in a form on the website) or by consenting to inclusion in the selection procedure, you allow our company to use your personal data to select a suitable candidate to fill a position in the relevant ongoing selection procedure or in another concurrent selection procedure for a comparable position. If we wished to use your personal data also when filling other positions or for future selection procedures, we would ask for your consent to such use.

We would like to inform you that you can withdraw your consent to participation in the selection procedure free of charge at any time at the contacts given below. We recommend either contacting the person from our HR department who is dealing with you, or using the e-mail address osobní.udaje@fatra.cz.

If your consent is withdrawn or you request the cancellation of your participation in the selection procedure, we will remove you from the relevant selection procedure. The withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

We may also obtain a contact for you through the sharing of your CV via a CV-sharing service in which you have registered (such as the jobdnes.cz or jobs.cz servers). Within such services, CVs are shared with your consent.

What (for what purpose) will we use your data?

Your personal data will primarily be used to select a suitable candidate to fill a position in ongoing selection procedures (including external cooperation). If you are selected to fill the given position and a contract is concluded with you, the data you have submitted (in particular your CV) may become part of your personal file.

Your basic identification data, obtained about you in your e-mail correspondence with us or in your activity on our website (e.g. data obtained when you respond to an advertisement), will also be used for the purposes of protecting our company's or third parties' rights against possible unlawful conduct that could be carried out in such activities, and for IT security purposes for our website and network.

Data about how you provided us with consent or basic data about you and how we obtained data about you will also be used to fulfil our legal obligations, in particular obligations under personal data protection regulations (documenting your consent to data processing, etc.) and possibly for purposes related to verifying compliance with contracts concluded with the operators of the above CV-sharing services.

How long will we process your data?

Personal data processing for the basic purpose, namely the selection of a suitable candidate to fill a position in an ongoing selection procedure, will be carried out until we fill the given position and then for approximately 6 months after it has been filled (so that we can contact you with an offer of this position should the originally selected candidate prove unsuitable; after that period, e-mails exchanged with you may still be archived for a reasonable period for the purpose of protecting our or third-party rights). If we hire you, the CV you sent and other similar data about you will become part of your personal file and we will process it for the duration of the file.

If you give us consent to use your data for offers of further positions in the future as well, we will process your data for the above purpose until the withdrawal of your consent.

To document fulfilment of our obligations under personal data protection regulations, we may store information on how we obtained consent and what it concerned for a reasonable period (usually no more than 4 years), even after consent is withdrawn.

The above periods may also be exceeded in individual cases where this is justified by the circumstances, e.g. in the event of court proceedings.

For the other purposes mentioned above (protection of rights, IT security, fulfilment of legal obligations) we will process the necessary data about you (usually, however, not the CV you submitted) for a reasonable period, taking into account in particular the following criteria when determining the appropriate length of the personal data processing period: (i) the length of the limitation period with a margin to allow us to learn that a lawsuit has been filed or other proceedings have been initiated, (ii) the likelihood of legal claims being made against our company, (iii) the expected periods for detecting attacks on our network or other detections of security breaches, (iv) common market practice, (v) the likelihood and significance of pending risks, and (vi) recommended procedures of supervisory authorities.

On what legal basis do we process your data?

The legal basis for the above processing is your consent (for the purpose of including you in the selection procedure or in our CV database for the purpose of offering job positions in the future) and our company's legitimate interests (in particular in the case of initial obtaining of contacts to you otherwise than with your consent, for the purpose of processing your data for the protection of our or third-party rights against possible unlawful conduct and for IT security purposes).

We point out that providing personal data for processing with your consent is voluntary on your part; without your consent, however, we will not be able to include you in the relevant selection procedures.

The legal basis for the above processing is also fulfilment of our company's legal obligations, in particular in the field of personal data protection regulations (EU Regulation No. 2016/679).

We point out that if the basis for the processing of your data is consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

Right to object

If the legal ground for processing your personal data is the legitimate interest of our company (this concerns in particular data obtained about your activity on our website processed for the purposes of protecting rights and IT security and data on your correspondence with us), you have the right, on grounds relating to your specific situation, to object at any time to such processing of personal data. In such a case we will no longer process your personal data unless there are compelling legitimate grounds for processing that override your interests or rights and freedoms, or for the establishment, exercise or defence of legal claims. You can raise an objection to processing through the contact details given below or, ideally, by e-mail to osobní.udaje@fatra.cz. In the e-mail please describe your specific situation that leads you to the conclusion that we should not process your data.

Updating data

If there is a change in the data you have provided in your CV or other data you have submitted (e.g. you obtain a higher qualification, learn additional languages, etc.), please inform us. We will then be able to better select the position to offer you.

To whom can we make data about you available?

We may make your data available to the usual extent to processors or other recipients — providers of external services for our company (typically programming or other supporting technical services, including the records system for keeping the applicant database, e-mail dispatch), operators of our servers or operators of technologies we use, who process them for the purpose of ensuring the functionality of the relevant services. Furthermore, personal data may be made available to the extent necessary to our legal, economic and tax advisers and auditors, who process them for the purpose of providing advisory services. On request or in the case of suspicion of unlawful conduct, personal data may also be passed to public administration bodies.

5. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF VISITORS TO FATRA'S WEBSITE

For what purposes do we process your data?

Our company does not process users' personal data for purposes other than those permitted by law or those to which the user has consented, in particular for the following purposes:

  • Measuring traffic on our pages
  • Improving the content of our pages and their development
  • Ensuring the security of our systems and network against external attacks or misuse by users, in the standard manner customary on the market
  • Organising consumer competitions
  • For the purposes of accounting and fulfilling other statutory obligations (e.g. documenting consent to the processing of personal data, etc.).

We usually process your data in our own computer systems or may use systems of third parties (so-called processors).

Legal basis of processing

The legal basis for processing your personal data is the necessity of contract performance (including the enforcement of receivables that have arisen), legitimate interests (driven by an interest in protecting our rights, processing for statistical purposes, measuring traffic on our pages and the interest of third parties (in particular our contractual partners involved in providing services to you) and compliance with statutory requirements (in particular preventing wrongful conduct, fulfilling requirements under regulations on personal data protection (in particular Act No. 101/2000 Coll. and Regulation (EU) No. 2016/679, accounting, fulfilling obligations under tax regulations).

If we needed your consent for processing, you will be asked for such consent.

What data do we process, for how long and what are the sources?

For the above purposes we process in particular data on your activity on our website, IP address, date and time of access, basic geographical location, etc.

If we needed your consent we would also process data confirming that you provided us with such consent and how it was provided (storing information about how and when consent was given, including your IP address from which you ticked the relevant box) and when you withdrew it.

All personal data is processed only to the extent necessary to fulfil the above purposes and only for the period necessary to achieve the purposes we have defined, but no longer than the period set by the relevant legal regulations or in accordance with them. Personal data processed with consent is processed until the withdrawal of consent; thereafter the data may be processed if there is another legal reason for doing so (e.g. to document consent, for the possibility of defence against legal claims, etc.).

To determine the length of the processing period we use in particular the criteria of (i) the length of the limitation period, (ii) the likelihood of legal claims being made against our company, (iii) the expected period for detecting attacks on our network or other detections of security breaches, (iv) common market practice and recommendations of supervisory authorities, and (v) the likelihood and significance of pending risks.

If we need data from you that will directly identify you or that will allow us to contact you, we will explicitly ask for it.

The source of the personal data we process about you is in particular your activity on our website.

To whom can we make data about you available?

Fatra may make your personal data available to third parties only in cases where it is required or permitted by law, or with your consent, in particular:

  • providers of external services (typically programming or other supporting technical services, server services, services related to measuring traffic on our pages and adapting their content to user preferences),
  • operators of backup servers or operators of technologies used by Fatra, who process them for the purpose of ensuring the functionality of the pages,
  • on request or in the case of suspicion of unlawful conduct, personal data may also be passed to public administration bodies.

Are you obliged to provide us with the data?

You provide your personal data to Fatra voluntarily. If there were a legal obligation in some cases to provide us with the data, we will inform you of this fact.

Consent

If the legal ground for processing your personal data were consent, you can withdraw such consent at any time free of charge using the contact below. Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

Right to object

The right to object is an important right of yours. It allows you to have processing carried out on the basis of our legitimate interest reviewed. This means that the processing itself is permissible, but on your side there are specific reasons why you do not wish processing to take place. In such a case Fatra will no longer process your personal data unless there are compelling legitimate grounds for processing that override your interests or rights and freedoms, or for the establishment, exercise or defence of legal claims. The possibility to object, however, does not apply to cases where we process the data necessary for contract performance or where its processing is required of us by law. The right to object is enshrined in Article 21 of the Regulation.

You can raise an objection to processing through the contact details given below or, ideally, by e-mail to osobní.udaje@fatra.cz. In the e-mail please describe the specific situation that leads you to conclude that Fatra should not process the data. We point out that even in the above-mentioned cases, parallel processing of personal data may also be ongoing for other purposes that justify Fatra continuing to process such data.

Cookies

To distinguish individual computers and individually configure some services, we use cookies or other similar network identifiers on our website. Cookies are small text files that our servers store on individual computers via a web browser. Cookies can be thought of as the memory of a website that recognises the user from the same computer on subsequent visits.

Cookies do not serve to obtain any sensitive personal data.

Standard web browsers support the management of cookies. For more detailed information please use the help of your browser. If your browser is configured to allow cookies, we will assume that you consent to the use of standard cookies by our servers.

6. RISKS AND RECOMMENDED PROCEDURES

Every processing of personal data carries certain risks. These may differ depending on the scope of the processed data and the way it is processed. Below we present some recommended procedures that may help you protect your data:

  • When you provide us with your data, always think about whether providing the data is necessary. In particular, you should carefully consider providing data concerning your personal life and aspects of it that are not related to the purposes for which you provide it, or data intended for publication (e.g. your comments under articles, etc.). If you feel that we are requiring too much data from you, contact us; we will check whether our request is reasonable.
  • If you provide us with personal data of third parties (your family members or other employees of your company, etc.), think about whether such transfer is necessary and required. If necessary, obtain the consent of such third parties.
  • If one of our colleagues asks you to provide data, do not hesitate to ask whether it is necessary and whether the purpose of processing cannot be achieved without these data.
  • Persons under 18 are particularly vulnerable. If the transfer of data concerns such persons, all circumstances must be considered with particular care. At the same time, it must be considered whether the consent of these persons or their legal representatives (e.g. parents) is required for the provision of such data. If you are a person under 18, where you have doubts about whether you are able to make the right decision, please discuss the entire matter with your parent or contact us separately.
  • If you log in using a password, always use a unique strong password that you will not use for other devices and access. Do not share or disclose your password to anyone, not even our employees. We will never require you to disclose your password, so be especially careful of various e-mail prompts asking for passwords, even if they are signed in the name of Fatra. These are likely fakes designed to extract and then misuse the password.
  • If you send us confidential data, try to use a secure communication method, e.g. password-protecting the file combined with encryption and passing the password by another communication channel.
  • If you feel that our company is not fulfilling all its obligations, that an unauthorised data leak has occurred or that someone is wrongfully impersonating one of our partners, please let us know as soon as possible, either electronically at our e-mail address osobní.udaje@fatra.cz, or by post to our address Fatra, a.s. with registered office at Napajedla, třída Tomáše Bati 1541, postcode 763 61.
  • We always try to keep this information up to date. Therefore, from time to time we will make adjustments to these rules. We will inform you separately of more substantial adjustments; nevertheless, it does not hurt to read these rules again from time to time.

HOW CAN YOU CONTACT US?

For any comments and questions about personal data protection and to contact us regarding the exercise of your statutory rights, you may use the following contacts:

Fatra, a.s., třída Tomáše Bati 1541, 763 61 Napajedla,

e-mail: osobní.udaje@fatra.cz

tel.: 577 501 111

Data box ID: nwid3rg

This information on personal data processing is valid and effective as of 25 May 2018.