PERSONAL DATA PROCESSING POLICY

Please Note The text of this policy is governed by the legislation in force in the Czech Republic. The translation below is for informational purposes only, the full, binding text in Czech language can be found here.

PERSONAL DATA PROCESSING POLICY:

in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the instructions to data subjects (“GDPR”)

Data Controller:

Lucie Chroustová

(hereinafter referred to as the “Controller”) hereby informs you about the processing of your personal data and your rights in accordance with Article 12 of the GDPR.

The controller has not appointed a data protection officer. If you have any questions about data protection, you can contact the controller: Hello@luciechroust.com

What personal data do we collect?

Personal data means any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, location data, network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We collect personal data that you have provided to us in connection with the conclusion of a contractual or other legal relationship (partnership agreement, client agreement, subcontract) or that we have otherwise collected (based on your consent) and process it in accordance with applicable law or to comply with the legal obligations of the controller. The personal data we process about you will usually be obtained directly from you (as part of an order and contract) or in the context of organising the relevant event (typically your photographs).

If you provide us with personal data of third parties, it is your responsibility to inform the person concerned and to ensure that they agree to the following privacy policy

If personal data is processed on the basis of the consent provided, you have the right, except for the rights set out below, to withdraw your consent to processing at any time in writing or electronically to the address or email of the controller.

Categories of personal data:

Address and identification data used to uniquely and unmistakably identify the data subject (e.g. name, surname, permanent address, registration number, VAT number, place of business) and data enabling contact with the data subject in the performance of the contract (contact details – e.g. contact address, telephone number, e-mail address and other similar information),

descriptive data (e.g. bank connection and details of the ongoing performance, time of communication with the subscriber and IP address),

visual and audio-visual records (in particular, the likeness of the person photographed, the registration number of the vehicle photographed),

in the case of e-mail communication, the normal data related to such a message sent together with it are also stored in the e-mail communication interface.

Legal title and purpose of processing

We process the personal data you have provided in the booking form at www.luciechroust.com for the purpose of processing and processing your booking request (sending you an offer to conclude a contract). We process the personal data you have provided us with when concluding contracts (e.g. for the provision of photographic services, licensing, purchase, work contracts) for the purpose of concluding a contract and its performance in accordance with Article 6(1)(b) GDPR. The purpose of the processing is the implementation and recording of contractual cooperation and the assertion of any liability for defects, the recording of licence rights and obligations under licence agreements, as well as the fulfilment of the legal obligation under Act No. 563/1991 Coll., the Accounting Act.

We also process certain image and audio-visual records on the basis of a legitimate interest resulting from civil law authorization to further dispose of such personal data (e.g. consent to the use of likeness, news and artistic license).

How do we use your personal data?

We use the collected personal data mainly to ensure the fulfilment of contractual and legal obligations under concluded contracts and for legitimate interests in the publication of images and audio-visual images (if there is a civil law authorisation for such publication and further use).

We declare that we have taken appropriate technical and organizational measures to secure personal data and that only persons authorized by us, in particular employees who will work with personal data on the basis of their job position, have access to personal data. These persons are instructed on how to handle your personal data and the conditions for processing it.

We will only transfer personal data to third parties (processors) if necessary. These processors will be selected responsibly and will provide appropriate safeguards for the processing of personal data.

To ensure the above processing purposes, your personal data is processed in photographic systems (e.g. Adobe Lightroom, Adobe Photoshop, Adobe Premiere Pro.), cloud storage (Google Drive), encrypted WordPress interface, email communication interface. Personal data may also be processed to the extent necessary for the use of legal advice (lawyers), accounting and tax advisors, information system administrators, IT service providers and website administrators, carriers in the case of shipped goods, partners of the controller in the exercise of the rights and obligations of the partners.

To whom can your personal data be transferred?

Your personal data is not passed on to third parties except as set out below. As a data subject, you therefore acknowledge and consent to the transfer of your personal data to the extent necessary for the performance of our other obligations. Your personal data may be transferred to the following categories of recipients:

1) to our business partners, e.g. to exercise rights under licensing arrangements,

2) to public authorities on the basis of the law – personal data may be transferred to public authorities to the extent prescribed by law, in particular to tax authorities, control authorities or law enforcement authorities. In the event of a security incident, your personal data may be disclosed to law enforcement authorities and courts.

3) to external (sub)suppliers if this is necessary for the performance of a given contract or legal obligation; in the area of accounting, your billing data may be transferred to a so-called processor (accountant), and your personal data may be stored in cloud storage, in particular by email providers, shared storage (Google Drive) or social networks (Facebook and Instagram), web hosting providers (WordPress).

How long do we keep your personal data?

For the duration of the contractual relationship (entitlements or rights under the contractual relationship) and after the end of the contractual relationship, we retain your personal data in accordance with the statutory time limits under the Accounting Act. We will also process some personal data for the duration of the legitimate interest or until the consent to the processing of personal data is withdrawn. After the retention period has expired, we will delete the personal data.

Is your personal data transferred abroad (non-EU countries and international organisations)?

The only recipients of personal data in third countries are email and cloud service providers, social network operators and third parties in the case of cookies agreed by you.

Use of automated decision-making, including profiling

No automated decision-making, including profiling, is used in the processing of your personal data. Please note, however, that we use cookies from external advertising and analytics providers (Google Analytics, YouTube), which may collect various personal data based on the cookies you have agreed to, on the basis of which profiling of website visitors takes place in order to tailor the content of the website and offer advertisements to these customers.

For information on what cookies are, how they are used, what information they carry and how to set up their use, please visit: luciechroust.com/cookies

What are your rights and obligations?

You can exercise the following rights in accordance with the processing of personal data:

the right of access to personal data (Article 15 GDPR)

the right to rectification and completion (Art. 16 GDPR)

the right to erasure of personal data (Art. 17 GDPR)

the right to restriction of processing (Art. 18 GDPR)

The right to request the portability of your personal data (Art. 20 GDPR)

The right to object to processing (Art. 21 GDPR)

Rights relating to automated individual decision-making and profiling (Art. 22 GDPR)

the right to lodge a complaint with the supervisory authority (Art. 77 GDPR), which is the Data Protection Authority.

Right of access to personal data

You have the possibility to contact the controller and request confirmation of whether we are processing your personal data. If you receive information that we are processing your personal data, then you have the right to further request the following information:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period;

the existence of the right to request the controller to rectify or erase personal data concerning the data subject or to restrict or object to processing;

the right to lodge a complaint with a supervisory authority;

any available information about the source of the personal data, unless it is obtained from the data subject;

the fact that automated decision-making, including profiling, takes place and, at least in these cases, meaningful information concerning the procedure used as well as the significance and foreseeable consequences of such processing for the data subject;

you have the right to be provided, free of charge, with a copy of the personal data processed relating to you; in the event of a repeated request, you may be charged a reasonable fee.

Right to rectification and completion

You have the right to have inaccurate personal data concerning you rectified by the controller without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by providing an additional declaration.

Right to erasure of personal data (right to be forgotten)

If you exercise your right to erasure of your personal data, the controller is obliged to erase all your personal data. However, this request can only be granted if one of the following reasons is met:

Your personal data is no longer necessary for the purposes for which it was collected or processed;

you withdraw your consent where your personal data has been processed on the basis of that consent and there is no other legal basis for processing your personal data;

Your personal data is processed unlawfully;

your personal data must be erased in order to comply with an obligation imposed by European Union or Czech law; personal data has been collected in connection with the offer of information society services directly to a child without the conditions for this having been met.

However, your personal data will not be erased if:

it would be contrary to the exercise of the right to freedom of expression and information;

it would violate an obligation imposed on the controller by European Union or Czech law;

it is necessary for reasons of public interest in the field of public health;

it is necessary for archiving purposes in the public interest;

it is necessary in particular for scientific purposes and historical research;

it is necessary for the exercise of legal claims.

If the conditions for the erasure of your personal data are met, the controller is obliged to inform those controllers of whom it is aware that they process your personal data of your request and to inform them that you wish your personal data to be erased. However, this obligation can only be fulfilled where the available technology and reasonable costs allow it. The assessment is solely at the discretion of the controller.

If the conditions for erasure of your personal data are not met, the controller will inform you without undue delay, including the reasons why your right cannot be fulfilled.

Right to restriction of processing

You have the right to have the controller restrict processing in any of the following cases:
(a) you contest the accuracy of the personal data for the period necessary to enable the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and you refuse to erase the personal data and request instead a restriction on its use;
(c) the controller no longer needs the personal data for the purposes of the processing but you require them for the establishment, exercise or defence of legal claims;
(d) you have objected to the processing pursuant to Article 21(1), pending verification that the legitimate grounds of the controller outweigh your legitimate grounds.
Where processing has been restricted, such personal data, except for storage, may be processed only with your consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State

If you have obtained a restriction on processing, you will be notified in advance by the controller that the restriction on processing will be lifted.

If the controller has disclosed your personal data to other recipients (third parties), the controller is obliged to notify them of any rectification, erasure or restriction of the processing of personal data that has been made in relation to your personal data. This obligation need not be fulfilled if it would be objectively impossible or would require disproportionate effort. If you request it, the controller will provide you with a list of recipients who have been notified in relation to your personal data.

Right to request the portability of your personal data

You have the right to obtain the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to whom the personal data were provided, if:
(a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) GDPR); and
(b) the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have personal data transmitted directly from one controller to another controller, where technically feasible.

The exercise of this right is without prejudice to the right to erasure. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The exercise of this right shall not adversely affect the rights and freedoms of other persons
Right to object to processing

You have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you on the basis of Article 6(1)(e) or (f) of the GDPR, including profiling based on these provisions, at any time.

The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests or rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling, insofar as it relates to such direct marketing.

If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

Rights relating to automated individual decision-making and profiling

You have the right to request that your personal data not be processed by automated means or by profiling. Automated processing is the processing of personal data by computer technology, without human intervention.

Profiling is a form of processing of your personal data that is also carried out by automated means and is used to evaluate certain aspects relating to you (e.g. evaluation of your personal preferences, shopping habits, etc.).

Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, which in the Czech Republic is the Office for Personal Data Protection.

Final instructions

The controller has made you aware of these terms and conditions on the website of the contractor (controller) before you submit your personal data in the contact form.
The controller is entitled to change these terms and conditions. We will post the new version of the privacy policy on our website or send you a new version of this policy to the email address you have provided to us for this purpose.