Policy for protecting personal data

OKsystem a.s. is aware that through its activities it processes personal data which must be protected in accordance with valid laws and regulations comprising the laws of the Czech Republic, in particular Act No. 110/2019 Coll., on Processing of personal data, and related laws and regulations, and in particular the Civil Code, the Labour Code, and also pertinent EU regulation, including case law, related to terms and conditions for protection of personal data.

As early as 2018, OKsystem a.s. implemented all requirements of Regulation 2016/679 of the European Parliament and of the Council (GDPR) and declared in its policy for protecting personal data that by the effective date of this regulation (i.e. 25 May 2018) it was prepared to uphold its obligations as a Controller, processor, or another person. In response to the coming into effect of the new Czech Act No. 110/2019 Coll. on 24 April 2019, all previous procedures and internal regulations are being reviewed with the objective of completing the adaptation process and processing personal data in accordance with all obligations.

OKsystem a.s. considers protection of personal data to be part of its corporate responsibility and the company’s risk management. In accordance with this approach, OKsystem a.s. always processes only such personal data as is necessary for the agreement and fulfilment of contractual obligations or fulfilment of legal requirements which must be performed in connection to a subject of the company’s business policy.

Upholding the principles of processing of personal data:

OKsystem a.s., as a Controller or processor, upholds all principles necessary for lawful processing of personal data by the following:

  1. in processing personal data, it applies the principles of lawfulness, fairness, and transparency in relation to the data subject;
  2. it collects and further processes personal data only for specified, explicit and legitimate purposes;
  3. it processes personal data with the intention that their extent is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. it upholds the principle of accuracy of data and has adopted appropriate measures for potential updating of personal data;
  5. the duration necessary for the processing of personal data is always defined (for example by law or regulation) or ensues from the course of the contractual relationship with the data subject; personal data is stored for a longer duration only if it is processed exclusively for archiving purposes in the public interest or other protected interests in the context of Section 6, para. 2 of Act No. 110/2019 Coll.;
  6. personal data is secured using all available technologies including technical and organizational measures for its protection so as to ensure its ongoing confidentiality, integrity, and availability, as well as the resilience of the system and processing services;
  7. employees of OKsystem a.s. are regularly trained with the objective of preventively protecting personal data from unauthorized or unlawful processing and from accidental loss, destruction, or damage.

Lawfulness of processing personal data – basic condition of activities:

OKsystem a.s. processes personal data only under the conditions of lawful processing.

These conditions comprise:

  1. Article 6, para. 1 a) of the GDPR – processing only with the consent of the data subject;
  2. Article 6, para. 1 b) of the GDPR – processing is necessary for the negotiation and performance of a contract to which the data subject is a party, because without the data subject’s personal data the contracts assumed by law could not be concluded, in particular with regard to labour relations;
  3. Article 6, para. 1 c) of the GDPR – processing is necessary for the fulfilment of legal obligations to which OKsystem a.s. is subject;
  4. Article 6, para. 1 e) of the GDPR – processing is necessary for the performance of a task carried out in the public interest vested in OKsystem by an authorized public authority;
  5. Article 6, para. 1 f) of the GDPR – processing is necessary for purposes of the legitimate interests pursued by OKsystem a.s.

Rights of the data subject – transparency and procedures:

Every individual who believes that OKsystem processes his or her personal data is entitled, in accordance with Article 15 of the GDPR, to request by email at any time a confirmation as to whether personal data related to him or her are being processed, and, if they are, to obtain access to this personal data and to the following information:

  1. Purpose(s) of processing and the legal basis for processing;
  2. Personal data categories;
  3. Name of the recipient or categories of recipients to which the personal data has been or will be made accessible;
  4. Duration for which the personal data will be processed, including its storage or criteria for defining this duration;
  5. Information on the source of external data, if it is not acquired from the data subject;
  6. Information on the existence of a right to request correction or erasure of personal data concerning the data subject in accordance with Articles 16 and 17 of the GDPR, the right to restriction of its processing pursuant to Article 18 of the GDPR, or the right to object to this processing pursuant to Article 21 of the GDPR;
  7. Right to file a complaint against the procedure of OKsystem a.s. with the Office for Personal Data Protection;
  8. Information as to whether automated decision making, including profiling, is being performed by OKsystem a.s.

OKsystem will provide a response, and potentially information about measures it takes, as soon as possible, but no later than within one month’s time. Where necessary in view of the complexity or the number of requests, it is authorized to extend this period by two months. The applicant will be informed of any such extension, including the reasons for the extension. In resolving such requests, OKsystem a.s. also intends to utilize the new procedures defined in Sections 8 and 11 of Act No. 110/2019 Coll.

OKsystem a.s. provides all communication and responses relating to the applicable rights at no charge. If, however, a request is manifestly unfounded or inadequate, in particular if it is repeated, a fee taking into account the administrative costs of providing the information will be charged. In case of doubt concerning the applicant’s identity, proof of identification will be required in order to prevent the personal data and information concerning a specific individual from reaching an unauthorized recipient. If the applicant refuses to identify himself or herself, he or she will not be provided the requested information.

OKsystem designated a data protection officer:

In Prague on 24 April 2019, updated 1 June 2023.