Personal Data Processing Terms
(pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council – “GDPR”)
Personal data controller
company ID: 24721123
with registered office at Londýnská 730/59, 120 00 Prague 2 – Vinohrady
(hereinafter referred to as the “Controller”)
I. INTRODUCTORY PROVISIONS
- In accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter referred to as the “GDPR”), these personal data processing terms (hereinafter referred to as the “Terms”) govern mutual rights and obligations in the event that the Controller processes personal data provided by a third party (hereinafter referred to as the “Guest”) on the basis of the Guest’s registration for an event organized by the Attendu application user (hereinafter referred to as the “User”).
- The Controller declares that it is entitled to process the transmitted personal data of the Guest for the User and that it complies with all requirements of the applicable legislation and these Terms throughout the processing. In the event that the Controller comes to have reasonable doubts about its future ability to meet these requirements, the Controller is obliged to immediately remedy the situation and inform the User and the Guest without delay.
- The Guest declares that he/she agrees:
  - with the processing of his/her personal data by the Controller, which he/she provides based on the registration of the Guest for an event organized by the User of the Attendu application, and
  - with the transfer of personal data to the User in connection with the event organized by the User of the Attendu application.
II. RIGHTS AND OBLIGATIONS
- The Controller is entitled to process personal data provided by the Guest only on the basis of the registration of the Guest for an event organized by the User.
- The Controller is obliged to comply with these Terms when processing personal data.
- The Controller is obliged to keep confidential all information received from the Guest, personal data as well as the security measures. The Controller is obliged to ensure that the persons authorized to process personal data are bound by a confidentiality obligation.
- The Controller is entitled to involve another processor in the processing of personal data. The Controller is also obliged to bind such other processor to fulfil its obligations under these Terms. The Controller is responsible for another processor’s compliance with the obligations as if the Controller had carried out the processing of personal data itself.
- As soon as the purpose of the personal data processing no longer exists or the period for which the Controller was to process the personal data expires, the Controller will no longer process the personal data of the Guest and will delete all personal data without delay and will also delete all existing copies, unless their further storage is required by the applicable law.
- The legal basis for processing is the performance of the contract with the User and the Guest’s acceptance of these Terms when registering for an event organized by the User of the Attendu application.
- Recipients of personal data:
  - Public authorities (e.g. courts, administrative bodies).
  - Legal, accounting and tax services providers.
  - User organizing events through the Attendu application.
- Duration of processing of personal data. Personal data will be processed during the period of validity of the Guest’s consent, and after the end of the User’s event will be handled according to the applicable legislation, in particular Act No. 499/2004 Coll. (Act on archiving and file service and on amendments to certain acts) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Rights of the Guest:
  - The right to access personal data means that the Guest has the right to obtain information from the Controller about whether it processes his/her personal data and, if so, what the data is and how it is processed. The Guest also has the right to have the Controller correct inaccurate personal data concerning him/her without undue delay upon request. The Guest has the right to complete incomplete personal data at any time.
  - The right to obtain the erasure of personal data constitutes the obligation of the Controller to destroy personal data processed about the Guest, provided that the conditions for its destruction are met and the Guest requests the erasure.
  - The right to restriction means that the Guest has the right to obtain from the Controller restriction of the processing of his/her personal data in certain cases. The Guest has the right to object at any time to processing that is based on the legitimate interests of the Controller or a third party or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  - The right to data portability gives the Guest the opportunity to obtain the personal data, which he/she has provided to the Controller, in a common and machine-readable format. He/she may subsequently transfer this data to another controller or, if technically feasible, request that the controllers transfer it among themselves.
  - If the Guest is in any way dissatisfied with the processing of his/her personal data carried out by the Controller, he/she may lodge a complaint directly with the Controller or contact the Office for Personal Data Protection.
III. SECURITY AND TECHNICAL MEASURES OF THE CONTROLLER
- The Controller undertakes to take the technical, personnel and other measures necessary to prevent unauthorized or accidental access to personal data, its modification, destruction or loss, unauthorized transfers, its other unauthorized processing, or other misuse of personal data.
- The Controller undertakes to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the nature, scope, context and purposes of the processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons.
- Such appropriate measures include, in particular, pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability of and access to personal data in a timely manner in the event of physical or technical incidents, and a process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure the security of processing.
- In assessing the appropriate level of security, the Controller shall take into account in particular the risks posed by the processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
- The Controller shall in particular:
  - familiarize persons authorized to process personal data with these Terms and regularly monitor their compliance,
  - ensure that information systems for automated processing of personal data may only be used by authorized persons,
  - ensure adequate measures to prevent unauthorized access to data carriers containing personal data, e.g. through mechanical locks,
  - when transferring personal data, ensure that personal data are only transferred in such a way as to prevent an unauthorized person from gaining access to such data.
IV. EFFECT AND AMENDMENTS OF THE TERMS
- These Terms become effective on 1 September 2023.
- The Controller is entitled to amend the Terms or issue new terms replacing these Terms.