Information on personal data processing for suppliers and suppliers’ employees
At our company, we make sure that we process all personal data of our suppliers and the public in accordance with the applicable legislation in this area.
This information on the processing of personal data, prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "Regulation"), and also with regard to related regulations, explains what personal data about our suppliers and the public (hereinafter also referred to as "Data Subjects") we collect in the course of our business and how we process and protect such data.
1) Who we are and our contact details
We are the company DRFG a.s., Company ID: 28264720, registered office at Vinařská 460/3, Pisárky, 603 00 Brno, registered in the Commercial Register maintained by the Regional Court in Brno, Section B, Insert 5448, and in relation to its suppliers and the public, we act as a personal data controller in the processing of their personal data.
2) What data we process
When using the services of our suppliers and when in contact with the public, we process various personal data, which can be broadly categorised as follows:
- Identification and billing data
Identification data includes in particular title, name, surname, permanent address, registered office address, correspondence address, Company ID number, VAT number, type of personal document and its number, signature;
- Contact details
Contact details include in particular telephone number, fax number, e-mail address;
- Movement data
Movement data includes data recorded about the entry and exit of Data Subjects from our premises;
- Data included in communications and obtained in the course of providing services
We primarily include any personal data provided by Data Subjects in the course of providing services or in communication with us as data included in communications and obtained in the course of providing services.
3) How we use the data
We collect and use the personal data of Data Subjects, i.e., the public, suppliers – natural persons, members of the statutory bodies of suppliers, authorised or contact persons of suppliers, recipients and senders of correspondence, in accordance with the applicable legal regulations for several purposes, in particular:
- Performance of the contract
We will use the personal identification, billing, contact and communication data for the performance of the contract concluded with the Data Subjects, in particular for the performance of our payment obligations and communication with the Data Subjects. The provision of data is a contractual requirement; without this data we are unable to perform a properly concluded contract.
- Compliance with legal obligations
We also process personal identification and billing data for the purpose of complying with legal obligations in the field of accounting and taxation. The provision of the data is a statutory requirement, without the provision of which we would be unable to perform our legal obligations properly.
- Archiving and securing communications
We will retain documents regarding contractual cooperation and communications with Data Subjects containing data from communications for the purpose of protecting our legitimate interests, in particular to prove our claims, for the duration of the contractual cooperation and for 3 years after its termination. This is not a contractual or legal requirement, but protection of our legitimate interests in order to substantiate past communications, contractual obligations and warranties.
Furthermore, in accordance with the Value Added Tax Act, we must keep tax documents from Data Subjects for 10 years from the end of the tax period in which the transaction took place. After this period, we are only entitled to process personal data for compatible purposes or for special purposes such as archiving or statistics.
- Protection of entry to our premises
We appreciate the interest of our suppliers and others in working with us and we always look forward to every meeting on our premises. We may process the identification and movement data of our visitors for the purpose of safe and smooth movement. We process this data for a maximum of 2 months after the last visit, based on our legitimate interests. The processing of personal data in this case is based on our legitimate interest in protecting the company's assets. Although you are not obliged to provide us with such data, failure to do so may result in your being refused access to our premises.
As a guarantee of compliance with our obligations, we have also ensured that personal data will only be used for the stated purpose or for a lawful and compatible purpose, and these rules apply to each of these purposes.
We also guarantee that no personal data is transferred to third countries outside the European Union or to international organisations as part of our processing.
We also declare that we do not carry out automated individual decision-making or profiling when processing personal data.
4) What data we share
We only ever share Data Subjects' personal data with trusted partners in the way that the law allows us to do, and on the basis of appropriate contracts ensuring adequate protection of personal data.
- 4.1) Processors authorised by us
We work with partners who provide us with various services, such as accounting and tax services. These partners, in their capacity of personal data processors, must comply with strict confidentiality obligations in accordance with applicable law and/or the contracts we have entered into with them.
Our processors are mainly persons and companies that provide us with the operation of video surveillance and security systems, product delivery, maintenance services, legal services, debt collection, provision of technical and IT services and other advisory and consulting activities. An up-to-date list of recipients, including processors, is available on request from firstname.lastname@example.org.
- 4.2) Other recipients
We share personal data with legal entities and natural persons, government authorities and public institutions when we believe in good faith that access, use, retention and disclosure of such information is reasonably necessary for:
- compliance with a relevant legal regulation or an enforceable request from a public administration;
- enforcement of the relevant contractual terms and conditions, including investigation of possible breaches;
- protection against damage to the rights, property or safety of our company, our clients or the public as required or permitted by law.
We always ensure that we do not provide more data than is necessary to achieve the purpose of the processing.
5) Rights of Data Subjects
The Data Subject has the right to decide, within the limits set, on the processing of their personal data. Any Data Subject whose personal data we process may exercise the rights set out below (i) in person at our registered office, (ii) electronically by email at: email@example.com, or (iii) in writing at Vinařská 460/3, Pisárky, 603 00 Brno. We will endeavour to respond as soon as possible, but we will always respond no later than one month after receiving a request from a particular Data Subject. If we have any doubts about the identity of the Data Subject, we may ask for additional verification of their identity.
In particular, the applicable legislation and the Regulation grant the Data Subjects:
- Right of access
The Data Subject has the right to request confirmation from us as to whether we are processing their personal data and, if so, to obtain a copy of such data and information under Article 15 of the Regulation. Where a large amount of data is involved, we may require the Data Subject to specify the request for the specific data we process about them.
- Right to rectification
In order to only process up-to-date personal data, we need Data Subjects to notify us of changes as soon as possible. In the event that we process incorrect or incomplete data, the Data Subject has the right to request correction or completion of such data.
- Right to erasure
If the conditions of Article 17 of the Regulation are met, the Data Subject may request the erasure of their personal data. They may request erasure if, for example, they have withdrawn their consent to processing, have successfully objected to our legitimate interest and there is no other legal basis for processing, or if we are processing their personal data unlawfully or the purpose for which we processed their personal data has ceased and we are not processing it for another compatible purpose. However, we will not delete personal data if it is necessary for the establishment, exercise or defence of legal claims or for the performance of a legal obligation.
- Right to restriction of processing
If the conditions of Article 18 of the Regulation are met, the Data Subject may request that we restrict the processing of their personal data. The restriction may be requested, for example, in the course of objecting to the correctness of the data processed or if the processing is unlawful and the Data Subject does not wish us to erase the data but needs the processing to be restricted for the period during which they exercise their rights. We continue to process personal data if there are grounds for the establishment, exercise or defence of legal claims.
- Right to data portability
If the processing is based on the Data Subject’s consent and/or is carried out for the purpose of performance of a contract concluded with the Data Subject and is also carried out by automated means, the Data Subject has the right to receive from us the personal data we have collected from them in a structured, commonly used and machine-readable format. If the Data Subject is interested and if it is technically feasible, we will transfer the Data Subject’s personal data directly to another controller.
- Right to object to processing
If we process the personal data of a Data Subject for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or if we carry out processing on the basis of our legitimate interests or the legitimate interests of a third party, the Data Subject has the right to object to such processing. On the basis of such an objection, we will restrict the processing of the personal data and, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms, or the establishment, exercise or defence of legal claims of the Data Subject, we will no longer process the personal data of the Data Subject and delete it. The Data Subject has the right to object at any time to the processing of their personal data for direct marketing purposes. We will not process personal data for this purpose after such objection has been raised.
- Right to lodge a complaint
If the Data Subject considers that we are processing their personal data in breach of the Regulation or other data protection regulations, they have the right to lodge a complaint with one of the competent supervisory authorities, in particular in the member state of residence, place of work or place of alleged infringement. The supervisory authority in the territory of the Czech Republic is the Office for Personal Data Protection with its registered office at Pplk. Sochora 27, Holešovice, 170 00 Prague 7, Czech Republic, website: www.uoou.cz, phone: +420 234 665 111.
- Right to withdraw consent
If the processing of personal data is based on the consent of the Data Subject, the Data Subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the processing already carried out.
6) Where we get personal data from
We obtain the personal data we process directly from Data Subjects.
We store personal data exclusively on our servers or with our trusted partners.
7) How long and where do we retain the data
We retain the personal data for different lengths of time depending on the reason for processing. In general, we use and retain personal data for:
- the duration of the business relationship with the supplier;
- a further ten years from the end of the business relationship on the grounds of our legitimate interests, in particular for the exercise, demonstration and defence of our rights, interests, claims, but no longer than until we object to processing in which the rights and interests of the Data Subjects override our legitimate interests;
- 2 months from the date of its receipt in the case of data about visitors to our premises.
8) Changes to this information
We are entitled to change the wording of this information, in particular to incorporate legislative changes or changes to the purpose and means of processing. However, we will not restrict the rights of Data Subjects arising from this information or from applicable law. In the event that there are changes to the rules that may affect the rights of Data Subjects, we will notify them in an appropriate manner well in advance.