1. Information about the company
1.1. Principles of personal data processing and protection at Aspena, s.r.o., ID No.: 607 51 185, registered office in Brno, Veveří, Gorkého 64/15, Postal Code 602 00, registered in the Commercial Register under Insert No. C 19243, kept by the Regional Court in Brno (hereinafter referred to as the “Company”), regulating the rules for handling the personal data of the following natural persons (hereinafter also referred to as “Data Subjects”):
- visitors to the www.aspena.cz website,
- the Company's customers,
- the Company's suppliers,
- job applicants and employees at the Company,
- possible third parties.
1.2. The Company processes the personal data of natural persons in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation ‑ GDPR, hereinafter also referred to as the “GDPR”), or in accordance with other legislation in the field of personal data protection.
1.3. The Company principally acts as the controller in the processing of personal data, who itself determines the purposes and means of processing the personal data of natural persons or on whom certain personal data processing operations are imposed by law.
1.4. The Company acts as the processor of personal data of natural persons in the event that it processes the personal data of natural persons for another controller according to its instructions.
1.5. The Company is not obliged to appoint a Data Protection Officer.
1.6. Contact details of the Company: Aspena, s.r.o., Gorkého 64/15, 602 00 Brno, e‑mail: gdpr@aspena.cz.
2. What principles do we abide by when processing your personal data?
2.1. We process personal data in a lawful manner in accordance with the GDPR, based on at least one of the legal grounds.
2.2. We only process personal data for specific and legitimate purposes. We ensure that personal data collected for different purposes are kept separate and are not used for other purposes without further notice.
2.3. We process personal data in a proportionate manner, always only to the extent necessary for the given purpose.
2.4. We only retain personal data for as long as is necessary to achieve the purpose. Personal data for which the legal retention period has expired and which we no longer need are securely destroyed or anonymised without undue delay.
2.5. We keep personal data accurate and updated where necessary. We have set up appropriate measures to correct or delete inaccurate personal data.
2.6. We process personal data correctly and in a completely transparent manner. We always properly inform the Data Subjects, i.e. natural persons whose personal data we obtain, in accordance with the GDPR, in particular about who we are, for what purpose and on what legal grounds we process personal data, how long we store them and what rights they can exercise in relation to their personal data.
2.7. We appropriately secure personal data against unauthorised or unlawful processing and against accidental loss, damage or destruction. We only disclose personal data to authorised persons and institutions.
3. What legal grounds do we use when processing personal data?
In particular, we use the following legal grounds when processing personal data:
- fulfilling a legal obligation to which the Company is subject, or
- performing a contract to which the Data Subject is a party, or taking pre‑contractual measures at the request of the Data Subject, or
- pursuing a legitimate interest of the Company, or
- if none of the previous legal grounds can be used, we will ask for consent to the processing of personal data. Consent may be withdrawn at any time, but withdrawal of consent is not retroactive.
4. What personal data do we process and for what purpose?
In connection with the provision of our services, we process, under the conditions and within the limits set by the applicable legislation, in particular the GDPR and related legislation, the personal data of the following Data Subjects in particular:
4.1. Personal data provided by potential or existing customers of the Company, usually in the scope of identification and contact data (e.g. name, surname, address, e‑mail address, telephone number, ID number, VAT number), other operational data (e.g. payment data, data obtained through the performance of the contract):
- for the purpose of concluding and subsequently performing the contract with the customer,
- for the purpose of fulfilling legal obligations under the relevant legislation (in particular accounting, financial and tax matters),
- to pursue the Company's legitimate interests (in particular direct marketing, judicial and extrajudicial debt collection, etc.).
4.2. Personal data provided by potential or existing suppliers of the Company, usually in the scope of identification and contact data (e.g. name, surname, address, e‑mail address, telephone number, ID number, VAT number), other operational data (e.g. payment data, data obtained through the performance of the contract):
- for the purpose of concluding and subsequently performing the contract with the supplier,
- for the purpose of fulfilling legal obligations under the relevant legislation (in particular accounting, financial and tax matters),
- to pursue the Company's legitimate interests (in particular direct marketing, judicial and extrajudicial debt collection, etc.).
4.3. Personal data provided by job applicants at the Company, usually in the scope of identification and contact data (e.g. name, surname, date of birth, personal number, address, telephone number, e‑mail address), as well as other operational data necessary for the job (e.g. education and experience, confirmation of eligibility to work):
- for the purpose of conducting a recruitment procedure for the relevant job,
- for the purpose of keeping a register of applicants for other positions in the Company for a limited period of time.
4.4. The scope and purposes of processing the personal data of the Company’s employees are regulated separately.
4.5. Data provided by visitors to the website in the form of storing cookie files that contain information about the visitor's visit to the website and other activity on the website. For this purpose, the Company uses Google Analytics with data anonymisation and is not able to identify individual visitors to the website. The information obtained is therefore anonymous and does not constitute personal data processing subject to the GDPR.
4.6. The Company does not process special categories of personal data of customers or suppliers (sensitive data).
5. How long will we process personal data?
5.1. We will only process personal data for the period of time necessary to achieve the purpose for which it was obtained ‑ for example, from the moment of the provision of personal data by the customer in the context of pre‑contractual arrangements with the Company, for the duration of the contractual relationship until the termination of the contractual obligations, or until the expiration of the last of the legal grounds that entitled the Company to process the data.
5.2. Once the purpose of the processing ceases to exist or the Company has no legal grounds for further processing of the personal data, the personal data will be securely erased and destroyed.
6. Who can we transfer personal data to?
The Company reserves the right to provide personal data to:
- suppliers who provide accounting, IT, HR and marketing services to the Company under a processing contract,
- suppliers who provide translation, interpretation and graphic processing services to the Company under a processing contract,
- state authorities and other public authorities on the basis of a legal obligation to provide such personal data.
7. What rights do you have to your personal data?
7.1. In accordance with the principle of transparency, you have the right to information about the processing of your personal data. The Company provides information on the processing of personal data without request in the form of information notices for individual groups of Data Subjects. This information obligation includes in particular information on who we are, for what purpose, on what legal grounds and for how long we will process personal data, to whom we intend to transfer personal data and what rights you can exercise in relation to your personal data. General information on personal data processing activities is also contained in this policy. For a full list of the information to be provided, see Art. 13 and 14 of the GDPR.
7.2. Other rights under Art. 15 to 22 of the GDPR can be applied by request, namely:
- The right to confirm whether or not your personal data are being processed by the Company and, if so, to obtain access to your personal data, including the provision of further information about their processing.
- The right to rectification of inaccurate personal data or, where appropriate, taking into account the purposes of the processing, the right to supplement incomplete personal data, including by providing an additional declaration.
- The right to erasure of personal data if your personal data are no longer required for the purpose of processing, you have withdrawn your consent to processing, you have objected to the processing of your personal data and there are no overriding legitimate grounds for processing.
- The right to restrict the processing of personal data if you have objected to or contest the accuracy of the personal data for the time necessary to verify the accuracy of the personal data, or if the Company no longer needs your personal data for the purpose of processing, but you require them for the establishment, exercise or defence of legal claims.
- The right to portability of automated personal data obtained by the Company directly from you on the basis of consent or performance of a contract, where the Company will transfer the personal data to you or to another controller of your choice in a commonly used and machine‑readable format.
- The right to object to the processing of your personal data if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, the processing is necessary for the purposes of the legitimate interests of the Company or a third party, for direct marketing purposes or for scientific or historical research purposes or for statistical purposes.
- The right not to be subject to any decision based solely on automated processing, including profiling with legal effects for the Data Subject; otherwise you have the right to human intervention by the Company (human review of the decision), the right to express your opinion or the right to challenge the decision.
7.3. If the processing of personal data is based on consent, you have the right to withdraw your consent at any time in writing to the Company or electronically by e‑mail to gdpr@aspena.cz. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
7.4. In addition to the above rights, you have the right to lodge a complaint with the relevant supervisory authority if you believe that the processing of personal data by the Company is in breach of the law. The competent supervisory authority in the Czech Republic is the Office for Personal Data Protection.
8. How do we protect personal data?
8.1. The handling of personal data is carried out in full compliance with applicable laws, including the GDPR. The personal data of Data Subjects are secured by the Company through the defined organisational and technical measures.
8.2. All personal data in documentary form are stored in locked locations, accessible only by authorised persons who need to handle the personal data immediately for the purposes set out in this policy, and only to the extent necessary. Access to these personal data is protected by physical and electronic security means.
8.3. All personal data in electronic form are stored in databases and systems that can only be accessed by authorised persons who have an immediate need to handle the personal data for the purposes set out in this policy and only to the extent necessary. Access to these personal data is protected by physical and electronic means of computer security.
8.4. Employees and contractors of the Company who process personal data are obliged to maintain confidentiality about the personal data of the Data Subjects and about security measures, the disclosure of which would compromise the security of personal data. This confidentiality shall continue after the termination of the contractual relationship with the Company.
9. Do you have any other questions?
If you have any questions regarding the protection of your personal data and their processing by the Company, and in order to exercise your rights, you can contact us at gdpr@aspena.cz.
10. Effective date
This Personal Data Processing and Protection Policy comes into effect at the Company on 25 May 2018.