§ ACO Industries k.s., Id. No.: 481 19 458, with its registered office at Havlíčkova 260, 582 22 Přibyslav, registered with the Regional Court in Hradec Králové under File No. A 4005;
§ ACO Stavební prvky spol. s r.o., Id. No.: 259 80 009, with its registered office at Pávov 141, 586 01 Jihlava, registered with the Regional Court in Brno under File No. C 62464;
§ ACO Industries Tábor s.r.o., Id. No.: 260 33 976, with its registered office at Průmyslová 1158, 391 02 Sezimovo Ústí, registered with the Regional Court in České Budějovice under File No. C 10435;
§ ACO Marine s.r.o., Id. No.: 601 98 729, with its registered office in Prague 5 – Smíchov, at Nádražní 3158/72, Postal Code 15000, registered with the Municipal Court in Prague under File No. C 24872;
(all the above companies hereafter also as “we” or “us”), as the personal data controller, hereby inform you, as the users of our website, which comprises a reference to this Policy, customers, suppliers and visitors to the premises at one of our registered offices, and as visitors to events organised by us, of the collection of personal data described below and the principles of protecting your privacy.
§ what personal data of yours we will process;
§ for what purposes and in what manner we will process your personal data and the legal basis for their processing;
§ to whom your personal data may be transferred;
§ for what period of time we will process your personal data; and
§ what rights you have in relation to the protection of your personal data.
Should you need an explanation of any part of this document, advice or consultation regarding further processing of your personal data, you may contact us at any time by e-mail at firstname.lastname@example.org or at the address of the registered office of one of our companies. We have also appointed a DPO for our companies, whom you can also contact directly; the DPO is Datenschutz Nord, email@example.com. Furthermore, our companies have a Chief Information Security Officer, Markus Fiedeldei, +49 4331 354-420, Markus.Fiedeldei@aco.com, who is responsible for personal data protection within the ACO group.
EXTENT OF PERSONAL DATA PROCESSING
1. If you visit our website, which comprises a reference to this Policy, you might want to fill in certain forms, especially those regarding job vacancies in our corporate group.
2. If you contact us as candidates for a job in our group of companies (both via the website and in some other way), you will be asked to specify certain details on yourselves. We will further process the following personal data on yourselves:
§ name and surname;
§ e-mail address;
§ a curriculum vitae, which may comprise, in addition to the above, at least information on the education attained and your work experience, and on your further knowledge and expertise depending on the job you apply for; if you state further personal data in the curriculum, this represents your free decision to provide us with those data and we will therefore also process such data for the purposes of the selection procedure.
3. If you visit us at the registered office of one of our companies, you will be asked to specify certain data on yourselves and we will process the following personal data:
§ name and surname;
§ the company you are representing in your visit;
§ if you drive a vehicle onto the premises, information obtained from your driving licence and the vehicle’s licence plate number;
§ photograph (if you give us your consent);
§ a camera recording of your movement on our premises.
4. If you are our customer or supplier, you will be asked to specify certain information about yourselves, which we will further process. This includes the following personal data:
§ name and surname, date of birth or Id. No.;
§ the company being represented (business name);
§ address, telephone number and e-mail;
§ the position of the company representative;
§ bank account number;
§ further personal data as required to perform our mutual obligations.
5. If you participate in an event organised by us, you will be asked to specify certain information about yourselves, which we will further process. This includes the following personal data:
§ name and surname;
§ address, telephone number and e-mail;
§ the company being represented (business name);
§ the position of the company representative;
§ photograph or camera recording.
PURPOSE OF PROCESSING AND LEGAL BASIS FOR PROCESSING
1. If you apply for a job in our group of companies, we will process your personal data on the grounds of a legitimate interest, specifically our interest in filling job vacancies and your interest to find a job according to your wishes. The purpose of the processing is thus to find a suitable applicant for a job vacancy we advertise. We use the data you provide to contact you and advise you of the progress of the selection procedure. We will process your personal data only for the above-specified purpose and if you are interested in a specific job, we will process personal data only for the purposes of filling the given vacancy. We require the aforesaid data – without having them, we will not be able to include you in the selection procedure. These personal data will not be used for any purely automated decision-making, including profiling.
2. If you have visited us at the registered office of one of our companies, we process your personal data on the grounds of legitimate interest, specifically our interest in keeping records of visits, ensuring security and protection of property. A camera surveillance system is operated on our premises; this again is used only for the purposes of ensuring security and protection of property. The cameras are installed throughout the premises and, therefore, the relevant notice is not attached to each individual camera, but is rather displayed at the entrance to the premises. We will process all your aforesaid personal data only for the purposes specified above and they will only be used for the purposes of keeping records, and if a personal injury or damage to property occurs during your visit to the premises, to prove the injury or damage. Camera recordings will only be used in case of a personal injury or damage to property occurring during your visit to the premises. We require the above data – without having them, we will not be able to let you enter our premises.
Furthermore, if you visit us at the registered office of one of our companies, we may process your personal data based on consent to personal data processing granted by you with a view to taking your photograph. These photographs may be published in our printed materials (ACO journal and ACO news), which are distributed in our companies and may also be disseminated outside them. Furthermore, these photographs may be published on our website and on our social networks.
These personal data will not be used for any purely automated decision-making, including profiling.
3. If you are our suppliers or customers, we process your personal data especially on the grounds that they are necessary for the purposes of performance of the contract or fulfilment of statutory duties (especially tax and accounting obligations), or on the grounds of a legitimate interest (especially to improve our services and contact you with our offers). The purpose of the processing is thus to ensure smooth performance of our business relationship and further development of our co-operation. We can thus use your name, surname and e-mail address to send you commercial communications, i.e. to inform you of events, publications and services that we provide and which, in our opinion, could be of interest to you. We can further use your personal data for our internal needs, especially to monitor your satisfaction, optimise and improve our products and services, develop new products and reduce risks. We require the personal data for the purposes of performance of the contract and fulfilment of a statutory duty; if the data were not provided, this could be a reason not to conclude the contract or to discontinue further business co-operation. However, processing of your personal data for the purpose of sending commercial communications is not our contractual requirement and you can reject this at any time without prejudice to our other mutual relationships. It is sufficient to send us an e-mail with the relevant request at firstname.lastname@example.org or some other address from which you have received a commercial communication from us. These personal data will not be used for any purely automated decision-making, including profiling.
4. If you a visitor to an event we organise, we process your personal data on the grounds of a legitimate interest consisting in keeping records of visitors to the event and ensuring smooth course of the event. As we already stated above, photographs and camera recordings will be made to document the event; they will then be made available to you as visitors to the event and also serve for our promotional needs. We definitely do not intend to publish any photographs or video recordings that would show you in any demeaning or otherwise inappropriate situations. Should we nonetheless publish a photograph you consider demeaning or inappropriate, please do not hesitate to contact us at email@example.com and we will provide for a remedy as soon as possible. We can also use your name, surname and e-mail address to send you commercial communications, i.e. to inform you of events, publications and services that we provide and which, in our opinion, could be of interest to you. We require the above data – without having them, we might not let you participate in the event. However, processing of your personal data for the purpose of sending commercial communications is not our contractual requirement and you can reject this at any time without prejudice to our other mutual relationships. It is sufficient to send us an e-mail with the relevant request at firstname.lastname@example.org or some other address from which you have received a commercial communication from us. These personal data will not be used for any purely automated decision-making, including profiling.
WHO HAS ACCESS TO YOUR PERSONAL DATA
Your personal data may be processed for us, with a view to improving our services and arranging certain activities, by various processors who provide us with:
§ server, web, cloud or IT services;
§ accounting services;
§ legal services;
§ gatehouse services;
§ marketing services;
§ processors who provide other services to the company – consultations, audits and other external services
In view of occasional changes of service providers, it is not possible to identify all the data processors in this Policy. An up-to-date list of specific recipients of personal data will be submitted on request.
DURATION OF PERSONAL DATA PROCESSING
We will process your personal data for the period when we provide our services to you or perform our mutual contract; as long as we have a legitimate interest in processing the personal data; or for the period necessary to fulfil the archiving duties under the applicable legal regulations, such as the Accounting Act, the Archiving and Recordkeeping Acts and the Value Added Tax Act.
We will retain your personal data for the period necessary to provide our products and complete the required transactions or for other necessary purposes, such as compliance with our legal obligations, resolution of disputes and legal enforcement of our agreements. These needs may differ for various types of data in the context of various products and, therefore, the actual retention periods may differ significantly. The criteria on the basis of which the retention period will be determined include:
§ How long are personal data required to provide products and to ensure the operation of our companies? This includes activities such as maintaining and improving the performance of these products, maintaining security of our systems and maintaining the relevant business and financial records. This is a generally valid rule which, in most cases, forms the basis for determining the retention period.
§ Do you provide us with your data while assuming that we will retain them until you explicitly want them erased?
§ Are these personal data sensitive? If so, it is generally advisable to use a shortened data retention period.
§ Have we introduced and announced any specific retention period for a certain type of data? If so, we certainly will never exceed it.
§ Have you granted consent to extension of the data retention period? If so, we will retain the data in accordance with your consent.
§ Do any legal, contractual or similar obligations to retain data apply to us? For example, these might ensue from laws governing mandatory retention of data, a government order to retain data related to investigation or data that need to be retained for litigation purposes.
In view of the above criteria, which may differ over time (especially with regard to changes in legal regulations), we cannot determine the retention period generally in this Policy. However, if you address us with a request (e.g. via an e-mail message sent to email@example.com, we will advise you of the exact duration of processing of your personal data.
YOUR RIGHTS FOLLOWING FROM PERSONAL DATA PROCESSING
You have the following rights in relation to our processing of your personal data:
§ right of access to personal data;
§ right to rectification;
§ right to erasure (“right to be forgotten”);
§ right to restriction of data processing;
§ right to object to processing;
§ right to data portability;
§ right to file a complaint with respect to personal data processing.
Your rights are explained below so that you can get a better idea of their contents.
The right of access means that you can ask us at any time to confirm whether or not personal data concerning you are being processed and, if they are, for what purposes, to what extent and to whom they are disclosed, for how long we will process them, whether you have the right to rectification, erasure, restriction of processing or to object; from which source we obtained the personal data, and whether automated decision-making, including any profiling, occurs on the basis of processing of your personal data. You also have the right to obtain a copy of your personal data; the first copy will be provided free of charge, but we can claim reasonable reimbursement of administrative costs in the amount of CZK 100 for every further copy.
The right to rectification means that you may request us at any time to rectify or supplement your personal data if they are inaccurate or incomplete.
The right to restriction of processing means that until we resolve any disputable issues concerning the processing of your personal data, we must not process your personal data otherwise than by retaining them, and we may only use them with your consent or for the purpose of determining, exercising or defending legal claims.
The right to object means that you may object to the processing of your personal data that we process for the purposes of direct marketing or on the grounds of a legitimate interest. If you object to processing for the purposes of direct marketing, your personal data will no longer be processed for these purposes; in the case of an objection against processing on the grounds of a legitimate interest, the objection will be evaluated and we will subsequently inform you either that we have accepted the objection and will no longer process your data, or that the objection was not justified and the processing will continue. In any case, the processing will be restricted until the objection is resolved.
The right to portability means that you have the right to obtain personal data concerning you which are being processed by automated means and based on consent or contract, in a structured, commonly used and machine-readable format, and the right to claim that the data be transferred directly to another controller.
If you have any comments or complaints concerning the protection of your personal data, or you want to pose a question to the person responsible for data protection in our companies, or exercise any of your rights, please contact us using our e-mail address firstname.lastname@example.org. We will answer your questions or comments within one month.
Our activities are also supervised by the Office for Personal Data Protection; if you are dissatisfied, you can file a complaint with the Office. For more information, go to the Office’s website (www.uoou.cz).
REPORTING SECURITY INCIDENTS
In today’s world full of modern technologies, there is a risk, even if very small, that your personal data might leak or be misused or lost. Within our activities, we will do everything we can to ensure that such a security incident never occurs; in particular, we will train all our employees coming into contact with your personal data regularly on the topic of personal data protection, we will adopt and communicate to our employees internal corporate rules governing the protection of your personal data, and we will always use only the most suitable technical solutions to ensure our processing, such as data encryption, complex passwords and corresponding software.
However, should a security incident occur despite our best efforts and if this incident might lead to a high risk for your rights and freedoms, we will inform you without delay accordingly at the e-mail address you provided and publish such information on our website, including all necessary details.
AMENDMENTS TO THE POLICY