Principles of personal data processing
Personal data controller and data subject
The personal data controller is STATECH s.r.o., Org. ID: 274 02 975, with registered office at Počapelská 346, 277 01 Dolní Beřkovice, registered in the Commercial Register at Prague Municipal Court, Section C, File 111021 (“controller”). The controller may be contacted in writing at the specified address or via email at firstname.lastname@example.org.
The data subject is a natural person who provides their personal data to the data controller based on a rental agreement, purchase agreement, service agreement or other agreement concluded with the controller or based on consent to process personal data when subscribing to the newsletter distributed by the controller. The data subject may also be a natural person whose personal data the data controller obtains from other lawful sources.
Scope of personal data processing
The controller processes personal data in the scope provided by the data subject or in the scope obtained from other lawful sources by the controller. This primarily involves their given name, surname, date of birth, place of residence, place of business, identification number, tax ID number, payment card number, email address, phone, signature, positioning data (GPS in vehicles owned by the controller), audio-visual records from the CCTV system and personal data obtained from cookies.
Purpose of personal data processing
The controller processes the personal data of the data subject for the purposes of delivering on the agreements concluded between the data subject and the controller (aerial work platform rentals, sales and service), to comply with legal obligations and for direct marketing purposes (offering the controller’s products and services), including sending commercial communications within the meaning of Act No. 480/2004 Coll. on Specific Information Society Services. The controller only distributes business correspondence when the data subject has subscribed to the newsletter or if the controller has obtained detailed electronic contact details for the data subject during the sale of its products or services. The data subject may easily unsubscribe from the newsletter by sending an email to email@example.com.
Determining the necessity of processing
The controller shall protect the privacy of the data subject’s data, and therefore only processes that personal data necessary for the defined purposes of processing.
Legal basis for processing personal data
The legal basis for processing for direct marketing purposes is consent from the data subject to the processing of their personal data (subscribing to the newsletter) or the legitimate interests of the controller (whereby electronic contact details are obtained in connection with the sale of the controller’s product or service under Act No. 480/2004 Coll.).
In other instances, the legal basis for processing is the performance of an agreement, to protect the legitimate interests of the controller (protect property, apply rights under an agreement within litigation, etc.) and to comply with legal obligations.
Period of personal data processing
If personal data is processed to perform an agreement, the controller shall process this personal data for the duration of the contractual relationship and for an additional 10-year period, given the length of the statute of limitations concerning compensation for damage or injury. If personal data is processed to comply with a legal obligation, the controller shall process this personal data for the period laid down in legislation. If personal data is processed based on consent from the data subject, the controller shall process this period data for a 10-year period, unless consent to such personal data processing is revoked at any time in such period. This has no prejudice on the controller’s obligation to process personal data for the period laid down in applicable legislation and in accordance therewith.
Revocation of consent to personal data processing
If the data subject provides the controller with consent to personal data processing, they may revoke such consent at any time and at no charge by sending an email to firstname.lastname@example.org. Revocation of consent has no prejudice against the lawfulness of processing based on consent issued before it is revoked. Revocation of consent has no impact on the personal data processed by the controller on a legal basis other than consent (i.e. processing to perform an agreement, legal obligations or other reasons specified in valid legislation).
Access to personal data
The controller has access to the personal data of data subjects, along with certain third parties, processors, who provide suitable guarantees and whose processing complies with the obligations under valid legislation and who ensure suitable protection of the rights of data subjects. Personal data processors include the operators of GPS devices installed on aerial work platforms owned by the controller (to protect the controller’s property, a legitimate interest) and companies focused on collecting receivables (collections agencies). Personal data processors may also be a company in a group of enterprises performing the same activities as the processor (disclosure within a group), whereby in such case this personal data shall only be disclosed within European Union member states. The processor shall not provide personal data to any third countries or international organisations (except for Google Analytics cookies, see below).
Proof of identity of the data subject
The processor may require that data subjects provide proof of their identity to restrict unauthorised access to personal data.
Rights of data subjects concerning personal data
Data subjects have the following rights with respect to personal data:
a) the right to revoke consent at any time;
b) the right to rectification of personal data;
c) the right to restrict processing of personal data;
d) the right to object to processing in certain cases;
e) the right to data portability;
f) the right to access personal data;
g) the right to be informed if personal data protection is compromised in specific cases;
h) the right to erasure (the right to be forgotten) in specific instances; and
i) other rights laid down in the Personal Data Protection Act, the Personal Data Processing Act and the GDPR (Regulation No 2016/679).
What does it mean when a data subject has the right to object?
Under Article 21 of the GDPR, a data subject has, inter alia, the right to object to the processing of their personal data if such processing is performed based on a legitimate interest, including processing for direct marketing purposes. Objections addressed to the controller shall be sent via email to: email@example.com. If a data subject raises an objection to processing for direct marketing purposes, the personal data controller shall no longer process such data in the given scope.
More information concerning such right is contained in Article 21 of the GDPR.
Obligation to provide personal data
The data subject provides its personal data on a completely voluntary basis. The data subject is under no obligation to provide such data. There is no threat of any penalty for not providing personal data. However, if a data subject chooses not to provide its personal data to the controller, no contract involving the controller and the data subject may be concluded or performed. It is completely within the competencies of the data subject to decide to enter any contractual relationship with the controller or not.
Personal data protection
All personal data is secured using standard procedures and technologies. However, it is not objectively possible to completely guarantee the security of personal data. Therefore, it is impossible to provide a 100% guarantee that no third party will gain access to such personal data, it cannot be copies, published, modified or destroyed by defeating the controller’s security measures. Within this context, the controller commits to regularly conduct vulnerability checks of the system and to ensure it has not been subject to attack, and to apply such security measures that may be reasonably demanded of the controller to prevent unauthorised access to the provided personal data and that provide sufficient protection given the current level of technology. All accepted security measures are regularly updated.
GPS on aerial work platforms and the Q.Drive application
GPS monitoring devices are installed on all aerial work platforms owned by the controller to monitor their movements and to protect the controller's property. Aerial work platform positioning data obtained from GPS devices are processed by the GPS system operator (processor), who provides suitable guarantees and the processing of which meets the conditions under valid legislation and secures suitable protection for the rights of data subjects. The data controller does not connect any aerial work platform positioning data to any identifiable natural persons (data subjects).
Monitoring of the controller’s site
The controller monitors its site and facility with a CCTV system that keeps temporary video recordings.
Information gathered from Google Analytics cookies used to analyse site traffic and remarketing purposes are sent to Google, which is headquartered in the USA (a third country). The transfer of personal data to these companies is based on standard contractual clauses. Google uses such information for the purposes of evaluating the use of websites and creating activity reports from such sites for the controller. The information is also used to provide other services related to activity on the site and the use of the Internet in general. Google may provide such information to third parties if required by law or if such third party processes this information for Google.
The Google Analytics service is an expansion of the related advertising functions provided by Google, specifically: Google Display Network impressions, remarketing (showing content network ads based on viewed products) and extended demographic reports (reporting anonymous demographic data).
If a data subject does not want to provide anonymous data on Internet usage to Google Analytics, they may use the plugin provided by Google. Data will no longer be transmitted once installed in your browser and activation. More information on the processing and use of data is provided in Google’s terms and conditions.
Standard browsers (Safari, Internet Explorer, Firefox, Google Chrome and others) support cookies. Data subjects may delete individual cookies manually, block cookies or prohibit their use or simply block or allow cookies for individual websites using their browser settings. Data subjects may also use the help or other features provided with their browsers for more information. If a data subject’s browser is configured to accept cookies, the controller will operate under the assumption that such consent is for the use of standard cookies from the controller’s server.
The controller will not associate the data obtained from cookies with any other data and shall handle this data in a way that does not allow specific persons to be identified.
The controller uses temporary cookies and persistent cookies on its websites. Temporary cookies are only stored on the given device until the browser is closed. Temporary cookies allow information to be saved when navigating from one site to another and eliminate the need to repeat the entry of certain data. Persistent cookies enable the identification of a data subject’s device on frequently visited websites and the modification of site content to match the user’s interests, but do not allow for the identification of a specific individual. The information obtained from cookies is stored in a completely unanimous manner and is not associated with any other data.
The following table shows how the controller uses the individual types of cookies:
|Publisher / Cookie name||Type||Retention||Description|
|Necessary for the functionality of the site||Temporary||Serves to improve site functionality (remembering the selected settings, etc.)|
|Analytical, marketing||Persistent||Used to distinguish individual users. The cookie is refreshed every time data is sent to Google Analytics.|