PRIVACY PROTECTION PRINCIPLES
(hereinafter the Principles)
The goal of these Principles, issued by CZECH RENT A CAR s.r.o., Company Reg. No. 25110799, address: Prague, Táboritská 23 (hereinafter the Company), is to provide information about personal data processed by the Company (in the role of a processor) about a natural entity within the provision of its services, renting of vehicles, as well as during the visiting of its websites and other contact with potential customers. Furthermore, the goal of these Principles is to specify to what end such data is processed, for how long (in compliance with valid legal regulations), to whom and for what reasons can such data be transferred, and what are the rights of natural entities in relation to the processing of their personal data.
These Principles apply to the processing of personal data of Company customers as well as of their representatives and contact persons, users of the services provided by the Company, entities interested in the services of the Company and visitors of websites operated by the Company, always in the scope of personal data which correspond to their position towards the Company.
The Principles are in effect from 25 May 2018 and comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR).
I. CATEROGIES OF PERSONAL DATA
Personal data refers to any information which applies to a natural entity that the Company is capable of identifying. In relation to the provision of services, the Company can process the following categories of personal data.
Basic personal identification data and address data:
Such data are required for the conclusion and performance of agreements. These notably include: (i) academic title; (ii) name and surname; (iii) company name; (iv) personal ID number (or the date of birth if a personal ID number does not exist); (v) identification number and tax identification number; (vi) permanent residence, contact and correspondence address; (vii) address of headquarters; (viii) invoicing address; (ix) numbers of presented identification documents and their copies (all data not required for the provision of services are blacked out on the copies of documents); (x) identification data for a representative of the customer or contact person as designated by the customer; (xi) identification data of the entity that pays for the services, including address; (xii) bank account; (xiii) signature.
(i) phone number; (ii) email; (iii) address on social networks.
Information about subscribed services, utilization of services and solvency:
(i) type and specifications of the provided services; (ii) volume of provided services and their price; (iii) information about solvency; (iv) customer segment; (v) evaluation of customer’s behavior during the use of services.
Information obtained during communication between the Company and the customer:
This data is created during communication between the Company and a customer in relation to the provision of the Company’s services. In particular, these are transcripts of personal communication with customer during direct contact with the customer, electronic and written communication with customers and records of phone calls, chat and video-chat communication between the customer and the Company.
Camera recordings in Company premises:
In order to protect its justified interests, the Company has placed audiovisual recording devices (cameras) in all of its branch offices. The premises monitored by such cameras are always clearly marked.
Data processed based on your consent:
The processing of such data is not required for the performance of the agreement and/or legal obligations or the protection of the Company’s justified interests, but their processing allows the Company to improve its services, focus on what the customers are truly interested in, and potentially also inform customers of various suitable offers. These data are only processed if an explicit consent is provided and can only be processed while this consent remains in effect. In particular, this includes:
II. PURPOSES, LEGAL JUSTIFICATION AND DURATION OF PROCESSING OF PERSONAL DATA
The scope of the processed data depends on the purpose of their processing. For some purposes, it is possible to process data directly based on a contract, the justified interests of the Company or based on the law (without consent), while for other purposes a consent is required.
Processing due to the performance of a contract, meeting legal obligations and due to the justified interests of the Company:
The provision of personal data required for the performance of the contract, meeting the Company’s legal obligations and the protection of personal data is mandatory. Without the provision of personal data for this purpose, it would not be possible to provide the respective services. We do not require consent to process personal data for these purposes. Processing due to the performance of a contract and meeting of legal obligations cannot be refused.
This notably refers to the following individual purposes: (i) provision of services, payment transactions, provision of additional services (performance of a contract); (ii) billing for services (performance of a contract); (iii) meeting of legally stipulated tax obligations (meeting of legal obligations); (iv) purposes specified by special legal regulations in relation to criminal proceedings and the obligation to cooperate with state authorities (meeting of legal obligations); (v) operation of camera and monitoring systems in the Company’s premises for the purpose of preventing damage (justified interests of the Company); (vi) evaluation of customer behavior during the utilization of services and their solvency in order to prevent the occurrence of overdue claims, which can affect the decision of the Company regarding the conclusion of subsequent contracts with the customer, whereas such decisions are not automated (justified interests of the Company); (vii) collection of claims from the customer and other disputes with the customer (performance of a contract); (viii) recording and monitoring of calls with the customer support line (performance of a contract); (ix) processes related to the identification of a customer (performance of a contract); (x) securing of evidence for the potential defense of the Company’s rights (justified interests of the Company); (xi) records of debtors (justified interests of the Company).
Personal data used for these activities are processed in the scope necessary for such activities and for the period required to achieve the intended purpose or for the period specified in legal regulations. Afterwards, personal data shall be deleted or anonymized. Basic deadlines for the processing of personal data are provided below.
For customers who utilize services and assuming that these have met all of their obligations towards the Company, the Company is authorized to process their basic personal, identification, contact data as well as data about their used services and data arising from their communication with the Company, for a period of 4 years from the day of termination of their last contract with the Company.
In case of negotiations between the Company and a potential customer regarding the conclusion of a contract which did not lead to the conclusion of a contract, the Company is authorized to process the provided personal data for a period of 12 months from the end of such negotiations.
Invoices issued by the Company are, in compliance with § 35 of Act 235/2004, on VAT, archived for a period of 10 years from the day of their issue. Due to the necessity of being able to demonstrate the legal reason for the issue of invoices, customer contracts are also archived for a period of 10 years from the day of their termination.
Identification data required for the provision of services obtained from the customer’s identification documents are, in compliance with § 16 of Act 253/2008, on certain measures to prevent money laundering and the financing of terrorism, processed by the Company for a period of 10 years from the termination of the contract between the Company and the customer. In order to meet this legal obligation, the Company stores a copy of the ID cards including the data required for the provision of services for a period of 10 years from the day of the customer’s last use of a provided service, whereas other data not required for the provision of services are blacked out on the copies of such documents.
Camera recordings from the premises of the Company and surrounding areas are processed for at most 30 days from the day of recording.
Processing of the data of customers who utilize services and provide consent with processing for marketing and business purposes:
We process personal data for marketing and business purposes of customers who utilize services and provide the appropriate consent. Starting from 25 May 2018, the Company shall request a new consent for marketing and business purposes which shall be in effect after this date. The date of commencement of the consent with processing of personal data for marketing and business purposes is listed in the text of the appropriate consent.
If such a consent is provided, the Company shall process the customer’s personal data primarily for the creation of suitable offers of services by the Company or third parties and in relation to directly contacting the customer, by phone, in writing (including annexes to bills/statements), via all online advertising tools and via electronic communication using contact data or service numbers.
Providing consent for marketing and business purposes is voluntary and such consent can be withdrawn at any time. This consent remains in effect for the duration of the utilization of services and the following 4 years or until the customer withdraws it. All categories of data listed in article 1 hereof can be processed for marketing and business purposes if the customer provides consent (with the exception of the signature and copies of identification documents), until the Company is authorized to keep such data for the purposes of providing services, meeting its legal obligations and protecting its justified interests, however at most until the consent is withdrawn or until a period of 4 years has passed from the termination of the contract covering the services provided by the Company, unless the customer withdraws their consent before that.
Processing of the data of entities who provided consent with receiving marketing information
For entities that provided consent with receiving marketing information, the Company processes (based on the provided consent and for the duration of the provided consent) the contact information provided by the entity for the purpose of receiving marketing information and service offers. If the consent is provided via a website operated by the Company, then these contacts are processed together with the data obtained from the Company’s cookies located on the website where this consent was provided, but only if the entity allows cookies in their web browser.
Processing of cookies from the Company’s websites
III. SHARING OF PERSONAL DATA WITH OTHER PROCESSORS
Unless stipulated otherwise by law, as the processors of personal data we are only allowed to transfer personal data to other processors of personal data if we have a consent to do so from the entity who owns the data. The provision of this consent is voluntary.
IV. PERSONAL DATA RECIPIENT CATEGORIES
The Company utilizes specialized and professional services of other entities in order to meet its contractual obligations. If these suppliers process personal data provided by the Company, then they are considered to be processors of personal data and shall only process personal data in the scope of the instructions received from the Company; in particular, they are not allowed to use them for any other purposes. This notably includes the collection of debts, activities of experts, lawyers, auditors, IT system administrators, online advertising and/or business representation. Each such entity is carefully selected by the Company and each such entity has strict obligations to protect and secure the provided personal data. The list of processors is available at the Company’s branch offices.
Processors include companies who are based in the Czech Republic, in an EU member state, or so-called safe states. The transfers and processing of personal data outside of the EU always complies with valid legislature.
Within the meeting of their legal obligations, the Company transfers personal data to administrative bodies and offices as specified by valid legislature.
V. METHOD OF PROCESSING OF PERSONAL DATA
The company processes personal data both manually and automatically. The Company keeps records of all personal data processing activities, both manual and automatic.
VI. MARKETING MESSAGES
Marketing messages of the Company or third parties are clearly identified with an abbreviation (“MM” or possibly “OS”) or by other means in order to clearly indicate that this is a marketing message as per applicable legal regulations. It is always clear that the Company is the sender of such marketing messages. Marketing messages can be sent by the Company either to the contact addresses of customers based on the justified interests of the Company, but only until a customer expresses a wish to unsubscribe, or based on an explicit consent with the processing of personal data for marketing and business purposes. The sent marketing messages also include a contact that can be used to unsubscribe from such messages.
VII. Information about the rights of entities owning the data in relation to the processing of personal data
Each entity that owns personal data has, assuming that it is an identifiable natural entity and demonstrates its identity to the Company, the following rights
Rights to access personal data (article 15 of the regulation)
Each entity is authorized to access its personal data, which includes both the right to receive from the Company (i) a confirmation of whether the Company processer personal data; (ii) information regarding the purpose of processing, the categories of affected personal data, recipients who were or will be given access to personal data, planned processing period, existence of the right to request from the processor a correction or deletion of personal data related to the entity or a restriction of its processing or make an objection towards its processing, the right to submit a complaint at the supervisory office, all available information about the source of personal data if they were not received from the owner of the data, whether automatic decision-making and/or profiling takes place based on the data, and regarding suitable guarantees if the data are transferred outside the EU; (iii) a copy of the personal data, assuming that this does not negatively affect the rights and freedoms or other entities.
In case of repeated requests, the Company will be authorized to charge an adequate fee for providing a copy of the personal data.
The right to receive a confirmation on the processing of personal data and to receive information can be applied by writing a letter/notice to the Company’s address.
The right to receive a copy of personal data can be applied by writing a letter/notice to the Company’s address, under the condition of demonstrating the authorization to receive such data.
Right to correct inaccurate data (article 16 of the regulation)
The owner of the data is authorized to request a correction of their personal data which processed by the Company (assuming they are inaccurate). The customer is also obliged to notify the Company of changes of their personal data and to demonstrate that such a change took place; at the same time, they are obliged to provide the Company with cooperation if it is discovered that their personal data processed by the Company are inaccurate. The Company will make such corrections without unnecessary delay, but always also in view of the given technical circumstances and possibilities. A request to make a correction of personal data can only be made at the Company’s headquarters, under the condition of demonstrating the authorization to do so.
Right to be forgotten (article 17 of the regulation)
The owner of data is authorized to require the deletion of their personal data, unless the Company demonstrates justified reasons for the processing of their personal data. If the owner of the data believes that their personal were not deleted, then they can contact us by writing a letter to the Company’s address.
Right to restrict processing (article 18 of the regulation)
The owner of data has the right to require the restriction of processing of their personal data if they dispute the accuracy of the processed personal data, the reasons for their processing or make an objection against their processing; the restriction of processing lasts until the resolution of the dispute and can be made by writing a letter to the Company’s headquarters.
Right to be notified of a correction, deletion or restriction of processing (article 19 of the regulation)
The owner of the data is authorized to receive a notification from the Company in case of a correction, deletion or restriction of processing of personal data. If their personal data are deleted or corrected, then the Company shall inform individual recipients, with the exception of cases where this is impossible or where it required inadequate effort. Based on a request of the owner of the data, the Company can provide information about these recipients. The request can be made by sending a letter to the Company’s headquarters.
Right to the transferability of personal data (article 20 of the regulation)
The owner of the data is authorized to the transferability of data related to them which they provided to the processor, in a structured, commonly used and machine-compatible format, and the right to require the Company to transfer such data to another administrator.
If the owner of data provides, in relation to a contract on the provision of services or based on a consent, the Company with personal data and the processing of such data is carried out automatically, then the owner of data is authorized to receive such data from the Company in a structured, commonly used and machine-compatible format. If technically feasible, the data can also be transferred to another administrator, assuming a representative of such an administrator is clearly specified and can be authorized.
If the application of this right could negative affect the rights and freedoms of third parties, then it is not possible to oblige to such a request. Requests/claims can be made at the Company’s headquarters after demonstrating that the request of justified.
Right to object to the processing of personal data (article 21 of the regulation)
The owner of the data is authorized to object to the processing of their personal data due to the justified interests of the Company.
If the Company does not demonstrate that there exists a serious justified reason for processing which takes precedence over the interests or rights and freedoms of the owner of the data, the Company shall terminate the processing of their data without unnecessary delay. Such objections can be sent via a letter to the Company’s address.
Right to revoke consent with the processing of personal data
The consent with the processing of personal data for marketing and business purposes can be revoked at any time after it was provided. The revocation needs to be made in an explicit, clear and intelligible expression of will, either by phone, at the Company’s headquarters or via email.
Consent with receiving marketing messages for a specific electronic contact can be revoked at any time at the Company’s headquarters, by phone or by clicking the appropriate unsubscribe link provided in the marketing messages.
The processing of data from cookies can be stopped by changing the configuration of web browsers.
Automated individual decision-making including profiling
The owner of the data is authorized to request the removal from any decision-making procedure based exclusively on automated processing, including processing, which could have legal effects for them or would otherwise significantly affect them. The company declares that they do not employ automated decision-making without human review which would have legal implications for the owners of the data.
Right to contact the Personal Data Protection Agency
The owner of the data has the right to contact the Personal Data Protection Agency (www.uoou.cz).
All legal relations arising from or in relation to the processing of personal data are governed by Czech law, regardless of where such data have been accessed or obtained. The resolution of any disputes arising in relation to the protection of privacy shall be made in Czech courts and with the application of Czech law.