This document provides data subjects with information on the processing of personal data within the meaning of Articles 12(1), 13 and 14 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”).
The controller of personal data is Tomaier Legal advokátní kancelář s.r.o., ID No. (IČO): 241 55 241, with its registered office at Černokostelecká 281/7, Strašnice, 100 00 Prague 10, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, entry no. 183733 (hereinafter the “Controller”). The Controller hereby provides data subjects with information on the manner and scope of personal data processed by the Controller and further informs data subjects of their rights relating to the processing of personal data.
The Controller processes personal data in accordance with the applicable legislation of the Czech Republic and the European Union, particularly in accordance with the GDPR and Act No. 110/2019 Coll., on the Processing of personal data, as amended.
You can contact the Controller at office@tomaierlegal.cz or by phone at +420 325 708; alternatively, you can contact us directly or by correspondence at Černokostelecká 281/7, Strašnice, 100 00 Prague 10.
The Controller has appointed Mgr. Jan Tomaier to act as the Data Protection Officer (hereinafter the “DPO”).
Contact details of the DPO:
i) Email: jan.tomaier@tomaierlegal.cz
ii) Telephone: +420 602 432 930
iii) Data mailbox ID: 7t25jtf
Explanation of basic terms:
Who are the data subjects whose personal data we process and what personal data do we process?
The Controller mainly processes personal data of the following data subjects:
With regard to the categories of data subjects listed above, the Controller may process the following personal data:
1) Identification and contact data
Name, surname (including surname at birth), permanent residence / place of residence address, mailing address, email address, telephone number, fax number, academic title, date and place of birth, personal identification number (RČ), identification document (ID card, passport, etc.) number, identification number (IČO) and registered office address if the data subject is a sole trader, education, photograph (especially on an identity card), employment, characteristics of the data subject (previous experience, hobbies, etc.), professional license number, signature.
2) Information about legal proceedings
Proceedings file reference number, reference number of an official or court document, other information relating to any proceedings (judicial, arbitration, administrative, enforcement, etc.), including information about judgments and proceedings in criminal matters.
3) Communications records
The Controller keeps records of communications, particularly those made in text form via email and mobile devices.
4) Other personal data
Other personal data processed by the Controller include, but are not limited to, any data related to the invoicing of legal services and information obtained for AML purposes (business-related information, politically exposed persons, etc.).
For what purposes and on what legal basis does the Controller process personal data?
The Controller processes personal data based on the legal basis and for purposes related to the nature of the legal services the Controller provides. Therefore, the Controller primarily processes personal data on the basis of obligations arising from a contract concluded with a client or relating to the Controller’s legal obligations. If the data subject has not given their consent to the processing of personal data by the Controller, such consent is not required by the Controller. Consent may be required by the Controller where it cannot process personal data on the basis of a contract or law, i.e. particularly in the case of the Controller’s marketing activities.
Specific purposes for the processing of personal data:
1) Provision of legal services in general – the Controller processes personal data (including communication with clients) in connection with the provision of its legal services, primarily on the basis of a contract concluded with a client and, where applicable, also on the basis of the Controller’s obligations under the applicable legislation (e.g. AML legislation). The Controller keeps records in accordance with the obligation to keep such records imposed on the Controller by the applicable legislation (including professional rules).
2) Selection procedures for job applicants and candidates for cooperation – the legal basis for the processing of personal data of job applicants or candidates for cooperation with the Controller is the consent of the data subject or obligations arising from a contract (or pre-contractual negotiations), as appropriate.
3) Processing of employees’ personal data – the legal basis for the processing of employees’ personal data is the performance of a contract and compliance with the Controller’s legal obligations.
4) Requirements of the applicable legislation – the Controller is required to process data subjects’ personal data in accordance with the applicable legislation and professional rules governing the practice of law, particularly for the purpose of archiving and obligations related to the prevention, detection, and investigation of criminal activity, namely money laundering and terrorist financing.
5) Marketing – the Controller may process personal data of data subjects for marketing purposes. In case of direct marketing, i.e. sending of commercial communications to clients, personal data shall be processed on the basis of the Controller’s legitimate interest. In case of indirect marketing, particularly with regard to any educational events organized by the Controller, personal data of participants shall be processed on the basis of the consent of the data subject.
Processing of special categories of personal data
Special categories of personal data include data which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Some personal data processed by the Controller fall into a special category of personal data.
1) Processing of special categories of clients’ personal data
When providing legal services, there may be situations where the Controller processes some categories of personal data that may be considered special categories of personal data within the meaning of Article 9(1) of the GDPR. Such data may be processed by the Controller in particular with regard to the nature of the legal services provided.
2) Processing of special categories of employees’ personal data
In particular, the Controller processes the following special categories of personal data:
– Data on medical fitness (health) with regard to the performance of work
The Controller processes the above-mentioned special categories of personal data on the basis of Article 9(2)(b) and Article 10 of the GDPR, i.e. on the basis of legal authorization or to fulfill obligations and exercise special rights arising from directly applicable legislation, as appropriate.
Source of personal data, transfer of personal data, protection of processing, period of data processing, and use of automated individual decision-making
1) Where does the Controller collect the personal data it processes?
The personal data processed by the Controller are primarily collected from data subjects.
It is not very common for the Controller to obtain personal data indirectly, i.e. from sources other than the data subject. However, the Controller may obtain personal data from another entity, particularly based on your consent or based on the Controller’s own practice of law.
2) Does the Controller provide personal data to other recipients?
The Controller primarily processes the personal data of data subjects within the scope of its independent activities; in this context, employees and cooperating attorneys only have access to personal data that are necessary for the provision of legal services in accordance with the principles of lawfulness and minimization of the processing of personal data.
Due to the provision of legal services by the Controller, the Controller is in some cases forced to share personal data with third parties; the personal data are only shared if the third parties guarantee a sufficient level of personal data protection. Therefore, under certain circumstances, the Controller shares the personal data of data subjects with the following third parties:
i) Public authorities and parties to proceedings (judicial, administrative, etc.)
In certain proceedings, clients’ personal data may be shared with third parties participating in such proceedings. Personal data are shared with public authorities, primarily on the basis of the Controller’s obligations under the applicable legislation.
ii) Cooperating attorneys, law firms, and other associates
The Controller may transfer the processed personal data to attorneys or law firms that cooperate with the Controller in providing legal services in a specific case or for a specific client. Personal data may also be shared with other associates, particularly external advisors (tax advisors) and translators.
iii) Service providers
The Controller may transfer some personal data to persons and entities that provide external services to the Controller, including, but not limited to, accounting services, audit services, expert services, IT services, document management and archiving services, security of premises intended for the provision of legal services, printing services, advertising and marketing services.
The personal data processed by the Controller are not transferred outside the European Union / European Economic Area or to any international organization.
3) How does the Controller ensure the protection of personal data during their processing?
The Controller has taken sufficient technical, security, and organizational measures. Personal data are protected against damage, unauthorized access or transfer, loss or destruction, and possible abuse.
4) How long are personal data retained by the Controller for processing purposes?
The specific periods, for which personal data are retained, vary depending on the categories of personal data and the purpose for which they are processed. Personal data are never processed for any longer than is necessary.
Therefore, due to the different retention periods for certain personal data in connection with the nature of the processing of personal data, we namely specify the following retention periods:
i) Client documentation shall be retained for at least 5 years, starting from the date of termination of the provision of legal services to which the file relates; however, no longer than the maximum statutory limitation period applicable to the case to which the file relates;
ii) Personal data for direct marketing purposes shall be retained for the duration of the contractual relationship with the client and for no more than 1 year after the termination thereof, where commercial communications are sent to the client in question;
iii) Accounting records shall be retained for a period of 5 years from the end of the accounting (reporting) period, to which they relate;
iv) In case the Controller provides clients with escrow services, the Controller is required to retain personal data obtained as part of such services for a period of 10 years. Similarly, the Controller is required to retain other personal data obtained about clients in connection with the provision of other services specified in Act No. 253/2008 Coll., on Selected measures against legitimization of the proceeds of crime and the financing of terrorism, as amended;
v) In case the Controller performs an authorized conversion of a document (whether from paper to electronic form or vice versa), we are required to store the converted document for a period of 10 years from the date of conversion;
vi) In case the Controller is given consent to process personal data, the Controller shall only process such personal data for the duration of such consent;
vii) Personal data of job applicants or candidates for cooperation shall be processed for the necessary period of time. If the selection procedure is unsuccessful, such personal data shall be destroyed unless the data subject consents to further processing.
5) Use of automated individual decision-making
The Controller does not process personal data automatically, nor does the Controller use automated decision-making for its activities.
Rights of data subjects
Data subjects have certain rights that can be exercised by contacting the Controller in writing at the Controller’s address, by telephone, electronically to the data box, or in person after prior notification. Data subjects can also exercise their rights by contacting the DPO.
1) Right of access to personal data pursuant to Article 15 of the GDPR
Every data subject has the right to access personal data concerning them. The data subject has the right to request information on whether and to what extent their personal data are being processed. The Controller must provide the data subject with copies of the personal data being processed upon request.
The Controller may charge a reasonable fee based on administrative costs for copies made after the first copy provided at the request of the data subject. If the data subject submits the request in electronic form, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.
The Controller shall process the data subject’s request without undue delay and in any case within one month at the latest; in exceptional cases, the aforementioned period may be extended by two additional months, where this is necessary due to the complexity and number of requests. The data subject shall have the right to be informed of any extension of the period for the processing of their request, together with the reasons for such extension, whereas the data subject shall be informed of the extension of the period within one month of receipt of the request.
2) Right to rectification of personal data pursuant to Article of the GDPR
Every data subject has the right to rectification of the personal data concerning them, if such data are inaccurate or incomplete. This may include a change of address, name, place of residence, telephone number, etc.
Similarly, data subjects have the right to have their personal data completed, taking into account the purposes of the processing, including by providing a supplementary statement.
The Controller shall process the data subject’s request without undue delay and in any case within one month at the latest; in exceptional cases, the aforementioned period may be extended by two additional months, where this is necessary due to the complexity and number of requests. The data subject shall have the right to be informed of any extension of the period for the processing of their request, together with the reasons for such extension, whereas the data subject shall be informed of the extension of the period within one month of receipt of the request.
3) Right to erasure of personal data and right to restriction of processing of personal data pursuant to Article 17 and Article 18 of the GDPR
Every data subject has the right to erasure of the personal data concerning them, and the Controller shall erase such personal data without undue delay (even without request), if one of the following grounds applies:
– The personal data are no longer necessary in relation to the purposes, for which they were collected or otherwise processed;
– The data subject withdraws consent, on which the processing is based, and there is no other legal ground for the processing;
– The personal data have been unlawfully processed;
– The personal data have to be erased for compliance with a legal obligation in Union or Czech law.
However, the Controller shall not erase the personal data, where processing is necessary for its compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or if other conditions for an exception to the right to erasure under Article 17(3) of the GDPR are met, as appropriate.
The data subject shall also have the right to obtain from the Controller restriction of the processing of personal data (i.e. to suspend such processing for the period necessary), where one of the following applies:
– The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
– The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
– The data subject has objected to the processing of personal data, pending the verification whether the legitimate grounds of the Controller override those of the data subject.
In case the reasons for restricting the processing cease to exist, the Controller shall immediately lift the restrictions. The Controller shall inform the data subject in advance of the lifting of the restrictions.
The Controller shall process the data subject’s request without undue delay and in any case within one month at the latest; in exceptional cases, the aforementioned period may be extended by two additional months, where this is necessary due to the complexity and number of requests. The data subject shall have the right to be informed of any extension of the period for the processing of their request, together with the reasons for such extension, whereas the data subject shall be informed of the extension of the period within one month of receipt of the request.
4) Right to notification pursuant to Article 19 of the GDPR
The data subject has the right to request that the Controller inform the recipients of personal data that the disclosed personal data have been rectified, erased or that their processing has been restricted. The data subject has the right to be informed about these recipients of personal data.
5) Right to data portability pursuant to Article 20 of the GDPR
If personal data are processed on the basis of consent given by the data subject or on the basis of a contract and are also processed automatically, the data subject has the right to obtain such personal data in a structured, commonly used and machine-readable format, and the right to transfer such data to another controller without the Controller preventing this in any way.
6) Right to object to processing of personal data pursuant to Article 21 of the GDPR
Every data subject has the right to object to the processing of personal data concerning them on grounds relating to their particular situation, if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party or for direct marketing purposes, as appropriate.
When assessing an objection, the Controller must demonstrate that it has serious legitimate grounds for processing that override the interests and freedoms of the data subject – the so-called balancing test. In case the Controller demonstrates legitimate grounds for processing, it may continue the processing of personal data; in case the Controller fails to demonstrate legitimate grounds, it must cease the processing of personal data.
The Controller shall notify the data subject of the processing of their request without undue delay and in any case within one month at the latest; in exceptional cases, the aforementioned period may be extended by two additional months, where this is necessary due to the complexity and number of requests. The data subject shall always be informed of any such extension of the period for the processing of their request, together with the reasons for such extension, whereas the data subject shall be informed of the extension of the period within one month of receipt of the request.
7) Right to withdraw consent to the processing of personal data
The data subject may withdraw their consent to the processing of personal data at any time. Upon withdrawal of consent to the processing of personal data, the Controller may not process the personal data concerned, unless there is another legal basis for the processing of the personal data concerned.
Consent to the processing of personal data may be withdrawn in any form in which the data subject’s wish to withdraw their consent is clear.
8) Right to lodge a complaint with a supervisory authority (Office for Personal Data Protection)
The data subject shall always have the right to lodge a complaint with a supervisory authority – i.e. the Office for Personal Data Protection – if they believe that personal data is being processed contrary to the GDPR.
Complaints can be sent to the following address:
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
By email: posta@uoou.gov.cz
Via data mailbox: qkbaa2n (data mailbox ID)