1. INTRODUCTION

This document (hereinafter the “Rules”) provides customers, suppliers and business partners (hereinafter the “Data Subject”) of ŽALUZIE NEVA s.r.o., Háj 370, 798 12 Kralice na Hané, Company ID No 26301270, registered at the registration court in Brno, file record C 42544 (hereinafter the “Controller”) with information about the procedure for processing their personal data and the related rights according toArticle 12 of Regulation (EU) of the European Parliament and of the Council 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”).

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A Data Protection Officer was not designated by the Controller

2. DATA CONTROLLER

The Controller is entitled to submit the personal data to subjects with which it has signed a personal data processing agreement and those that will process the data for the Controller as its processors. According to this, the Controller is entitled to submit the personal data of the Data Subject to the following subjects, or categories of subjects:

The personal data of the Data Subject may also be provided to the following recipients/categories of recipients:

3. PERSONAL DATA PROCESSING CATEGORIES

The Controller is authorised to process mainly the following personal data of the Data Subjects:

4. PERSONAL DATA PROCESSING PURPOSES

The Controller processes the personal data of the Data Subjects for the following purposes:

5. PERSONAL DATA PROCESSING PERIOD

The personal data shall be processed only for the processing period essential for the processing purpose. With regard to the above-stated:

At the latest by the end of the calendar quarter following the expiry of the above-stated processing period, the given personal data whose processing purpose has ended will be discarded (by shredding or other method, which shall ensure that unauthorised persons will not be able to access these data) or anonymised.

6. PERSONAL DATA PROCESSING PROCEDURE

Personal data processing is performed by the Controller. Processing is done in the plants, branches and headquarters of the Controller by its designated employees, or Processors. The processing of Personal Data is done by computer or manually in the case of documentary personal data, while respecting all the security policies for control and processing of personal data. For this purpose, the Controller adopted technical and organisational measures to ensure the security of the personal data, particularly measures to prevent the unauthorised or accidental access to personal data, their change, destruction or loss, unauthorised transfers, unauthorised processing, as well as other abuse of personal data. All subjects that may be provided with access to personal data respect the right of the Data Subjects to the protection of privacy and are obligated to act according to the applicable legislation on the protection of personal data. Neither the automation of individual decision-making or profiling shall be done on the basis of data provided. The personal data of the Data Subjects will not be provided to third countries (i.e. countries outside the EU and EEA).

7. RIGHT TO CONSENT TO PERSONAL DATA PROCESSING

In connection with the processing of their personal data, the Data Subjects have many rights, including the right to request the Controller

If a Data Subject ascertains or assumes that the processing of their personal data infringes upon the protection of their private or personal life or violates legislation, the Data Subject has the right to contact the Controller with a request for an explanation and/or remedy of such state. The application must be made in writing by letter or e-mail sent to the Controller’s contact address: info@neva.eu.

If the application of the Data Subject shall be found to be justified, the Controller shall immediately remedy the faulty situation. This does not affect the option of the Data Subject to directly contact the supervisory authority, which is the Office for Protection of Personal Data (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, +420 234 665 555, www.uoou.cz.

8. CONCLUSION

These rules shall apply to data subjects unless a third party and the Controller agree otherwise. The Controller reserves the right to amend these personal data processing conditions in whatever form and at any time, whereas the current version shall always be posted on the web site www.neva.eu/gdpr.