Principles on the Processing and Protection of Personal Data

1. Information about the Company

1.1. The principles on the processing and protection of personal data in the company Aspena jazyková škola, s.r.o., ID: 255 948 77, with its registered office in Brno, Veveří, Gorkého 64/15, Postal Code 602 00, registered in the Commercial Register under File No. C 36646 kept by the Regional Court in Brno (hereinafter referred to as "the Company") governing the rules on the handling of personal data of the following natural persons (hereinafter referred to as the "Subjects"):
• visitors to the vyuka.aspena.cz website,
• Company employees,
• Company suppliers,
• job seekers and employees in the Company,
• possible third parties.

1.2. The Company is in the process of processing the personal data of natural persons in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - the GDPR, also referred to as the "GDPR"); in accordance with other regulations in the field of personal data protection.

1.3. In the processing of personal data, the Company basically acts as an administrator that establishes the purposes and means for the personal data processing of natural persons or which are subject to certain processing operations of personal data imposed by the legislation.

1.4. The company acts as the processor of the personal data of natural persons when processing the personal data of natural persons for another administrator according to its instructions.

1.5. The Company is not obliged to appoint a Data Protection Officer.

1.6. Company contact information: Aspena jazyková škola, s.r.o., Gorkého 64/15, 602 00 Brno, email: gdpr@aspena.cz.

2. What principles do we follow when processing your personal data?

2.1. We process personal data legally in accordance with the GDPR, based on at least one of the legal titles.

2.2. We process personal data only for determined and legitimate purposes. We ensure that the personal data gathered for different purposes are kept separately and not used for other purposes.

2.3. We process personal data in an appropriate manner, always only to the extent necessary for the given purpose.

2.4. We retain personal data for the period strictly necessary to achieve the given purpose. Personal data that have exceeded the legal deadline for their retention and are no longer needed are safely disposed of or anonymised without undue delay.

2.5. We maintain the personal data accurately and update them if necessary. We have set up appropriate measures for correcting or deleting inaccurate personal data.

2.6. We process personal data in a correct and completely transparent manner. Personal data subjects, i.e. the natural persons whose personal data we obtain, are always properly informed in accordance with the GDPR Regulation, especially on who we are, for what purpose and from what legal title are we processing their personal data, how long we will retain it and what rights apply to their personal data.

2.7. We ensure that the personal data are properly protected against unauthorised or unlawful processing and against accidental loss, damage or destruction. We give access to personal data only to authorised persons and institutions.

3. What legal titles do we use when processing personal data?

We apply the following legal grounds (legal titles) when processing personal data:
• we meet a legal obligation that relates to the Company, or
• we fulfil a contract in which the Data Subject is a Contracting Party, or implement measures taken prior to the conclusion of a contract at the request of this Data Subject, or
• we implement the legitimate interests of the Company, or
• if any of the previous legal titles cannot be used, we ask for consent to the processing of personal data. Consent can be revoked at any time, but the withdrawal of consent does not function retroactively.

4. What personal data do we process and for what purpose do we process it?

In relation to the provision of our service and under the conditions and within the limits established by the applicable laws, mainly the GDPR and related legislation, this particularly includes the personal data of the following Subjects:

4.1. Personal data provided by prospective or existing customers of the Company usually includes the identification and contact details (e.g. name, surname, address, email address, telephone number, company ID, VAT number) and other traffic data (e.g. payment data, data for obtaining the fulfilment of the contract):
• for the purpose of concluding and subsequently fulfilling the contract with a customer,
• for the purpose of fulfilling the legal obligations according to the relevant legal regulations (mainly accounting, financial and tax matters),
• for the purpose of implementing the legitimate interests of the Company (mainly direct marketing, judicial and extra-judicial recovery of debts, etc.).

4.2. Personal data provided by prospective or existing suppliers of the Company usually includes the identification and contact details (e.g. name, surname, address, email address, telephone number, company ID, VAT number) and other traffic data (e.g. payment data, data for obtaining the fulfilment of the contract):
• for the purpose of concluding and subsequently fulfilling the contract with a supplier,
• for the purpose of fulfilling the legal obligations according to the relevant legal regulations (mainly accounting, financial and tax matters),
• for the purpose of implementing the legitimate interests of the Company (mainly direct marketing, judicial and extra-judicial recovery of debts, etc.).

4.3. The personal data provided by a job seeker in the Company usually includes the identification and contact details (e.g. name, surname, date of birth, ID, address, telephone number, email address) and other operational data necessary for the job position (e.g. education and experience, confirmation of fitness for work):

• for the purpose of implementing the recruitment procedure for the relevant job position,
• for the purpose of maintaining records of candidates for other positions in the Company for a limited time.

4.4. The scope and purpose of processing the personal data of the Company's employees are regulated separately.

4.5. Data provided by website visitors in the form of storing cookies, which include information about visits to the website and other visitor activity on the website. For this purpose, the Company uses Google Analytics with data anonymisation and is unable to identify individual website visitors. The information obtained is thus anonymous and does not concern the processing of the personal data subject to the GDPR.

4.6. The company does not process special categories of the personal data of customers or suppliers (sensitive data).

5. For how long will we process the personal data?

5.1. Personal data will only be processed for the period necessary for achieving the purpose for which it was obtained; for example, from the moment the customer provides the personal data under pre-contractual negotiations with the Company, for the duration of the contractual relationship up to the termination of the contractual obligations or until the fulfilment of the last of the legal grounds (legal titles) that authorise the processing of the Company.

5.2. Once the processing purpose has ceased, or the Company will have no legal reason for the further processing of the personal data, the personal data will be safely deleted and destroyed.

6. To whom can we submit personal data?

The Company reserves the right to provide personal data to the following:
• suppliers who, under a processing contract, provide the Company with accountancy, IT, personnel and marketing services,
• suppliers who, on the basis of a processing contract, provide the Company with services in the field of language education,
state authorities and other public administration authorities on the basis of a legal obligation to provide such personal data.

7. What are the rights regarding your personal data?

7.1. In accordance with the principle of transparency, you have the right to information about the processing of your personal data. The Company provides information on the processing of personal data without request in the form of information notifications for individual groups of Subjects, and this information obligation mainly includes data on who we are, for what purpose, the legal title and for how long will we process the personal data, the transfer of personal data and what rights you have in relation to your personal data. General information about the processing of personal data is also contained in these principles. For a complete enumeration of the information provided, refer to the provisions of Articles 13 and 14 of the GDPR.
7.2. You can apply in the form of a request regarding other rights according to the provisions of Articles 15-22 of the GDPR Regulation, namely:

The right to confirm whether or not your personal data are being processed by the Company and, if processed, you have the right to obtain access to your personal data including the provision of other information on their processing.
The right to the modification of incorrect personal data, considering the purposes of the processing, the right to supplement incomplete personal data, including the provision of an additional statement.
The right to delete personal data, if your personal data is no longer required for processing, if you have revoked your consent to the processing, if you have objected to the processing of your personal data, and there are no prevailing legitimate reasons for their processing.
Right to restricting the processing of personal data if you have objected to or denied the accuracy of your personal data for the period necessary to verify the accuracy of your personal data, if the Company no longer needs your personal data for the purpose of processing, but are required to identify, exercise or defend legal claims.
The right to portability of the automatically processed personal data obtained by the Company directly from you on the basis of your consent or the fulfilment of the contract, whereby the Company will pass on your personal data to you or to another administrator of your choice in a commonly used and machine-readable format.
Right to objection against the processing of your personal data if the processing is necessary for the performance of a task executed in the public interest or in the exercise of a public administration authority entrusted to the Company, the processing is necessary for the legitimate interests of the Company or a third party for direct marketing purposes or for scientific or historical research purposes or for statistical purposes.
The right not to be the subject of any decision based exclusively on automated processing, including profiling with legal effects for the Subject, otherwise you have the right to human intervention on the side of the Company (review by human decision), the right to express your opinion or the right to challenge the decision.

7.3. If the processing of your personal data is based on consent, you have the right to revoke your consent at any time in writing to the Company or electronically through the e-mail gdpr@aspena.cz. The revoking of consent is without prejudice to the lawfulness of the processing based on consent prior to its revoking.

7.4. Beyond the above-mentioned rights, you have the right to file a grievance with the relevant supervisory authority if you believe that the processing of personal data by the Company is not in compliance with the legislation. The Office of Personal Data Protection is the relevant supervisory authority in the Czech Republic.

8. How do we protect personal data?

8.1. The handling of personal data is in full compliance with the applicable laws, including the GDPR. The personal data of the Subjects are secured by the Company through ensured organisational and technical measures.

8.2. All personal data in paper form is stored in secured locations where only authorised persons needing to immediately dispose of the personal data for the purposes specified in these principles have access, and only to the extent necessary. Access to these personal data is protected through physical and electronic security.

8.3. All personal data in electronic form is stored in databases and systems accessible only to authorised persons who need to dispose of the personal data immediately for the purposes stated in this policy, and only to the extent necessary. Access to these personal data is protected by physical security and electronic means ensured by computer technology.

8.4. Employees and suppliers of the Company who process personal data are required to maintain confidentiality about the personal data of the Subjects and about security measures whose disclosure would jeopardise the security of the personal data. This confidentiality persists even after the termination of the obligatory relationship with the Company.

9. Any other questions?

In case of any questions in relation to the protection of your personal data and its processing in the Company, as well as the exercising of your rights, you can contact us through the e-mail gdpr@aspena.cz.

10. Validity

These principles on the processing and protection of personal data in the Company come into effect as of 25 May 2018.