PERSONAL DATA PROCESSING PRINCIPLE

1. PERSONAL DATA CONTROLLER

1.1. The controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as "GDPR") is Aegis Law, advokátní kancelář, s.r.o., ID No. 118 56 521, with registered office at Jungmannova 26/15, Nové Město, 110 00 Prague 1, registered with the Municipal Court in Prague under file No. C 355446 (hereinafter referred to as the "Controller"). The Controller handles personal data in accordance with the GDPR and other regulations on personal data protection and processing, in particular Act No. 110/2019 Coll., on personal data protection.

1.2 The contact details of the Controller are:

Address: Jungmannova 26/15, Nové Město, 110 00 Praha 1
E-mail: office@aegislaw.cz
Phone: +420 732 417 283

1.3 The controller has not appointed a data protection officer.

2. PERSONAL DATA PROCESSED

2.1 The controller processes the following personal data of the following data subjects:

2.1.1 Clients, potential clients, and persons acting for clients:

• Identifying personal data of the data subject: name, surname and title, date of birth, permanent residence address, delivery address, nationality data, ID card number or other identification document, if applicable;
• Contact details: e-mail, telephone;
• Billing and payment data: company name, registered office, registration number, tax identification number, account number, information on services billed and paid for;
• Details of the client's legal claims and problems;
• Details of pending judicial or extrajudicial proceedings;
• Other data necessary for the fulfilment of legal obligations, in particular obligations arising from Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and terrorist financing, as amended (hereinafter referred to as the "AML Act"); and
• Special categories of personal data: where necessary, we also process special categories of personal data or data relating to criminal decisions and criminal offences to a limited extent.

2.1.2 Opposing parties, witnesses, expert witnesses and others in connection with our clients' cases:

• In the context of representing the client and maintaining documentation, we may also process other personal data of third parties that are obtained in connection with the provision of legal services to the client.

2.1.3 Employees, former employees and jobseekers:

• Identifying personal data of the data subject: name, surname and title, date of birth, permanent residence address, delivery address, nationality data, ID card number or other identification document, if applicable;
• Contact details: e-mail, telephone;
• Details of education and qualifications;
• Details of career progression and previous employers;
• The record of the interview with the job applicant; and
• Data necessary to comply with legal obligations: in case of employees and former employees, we process data necessary to comply with legal obligations.

2.1.4 Cooperating attorneys and contractors:

• Identifying personal data of the data subject: name, surname and title, Czech Bar Association registration number;
• Contact details: e-mail, telephone;
• Invoicing and payment data: name of the natural person, place of business, VAT number, bank account, agreed amount and form of remuneration, payment of remuneration;
• Data necessary for compliance with legal obligations: identification data; and
• Data necessary for the fulfilment of contractual obligations: e-mail, bank connection.

2.1.5 Participants in educational events:

• Identifying personal data of the data subject: name, surname and title, address;
• Contact details: e-mail, telephone;
• Invoicing and payment data: company name, registered office, VAT number.

2.2 The controller processes personal data provided to it by the data subject, from publicly available sources or from third parties.

3. PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

3.1 The controller processes personal data within the meaning of Art. 2 of this policy on the grounds of:

3.1.1 Performance of the subject matter of the contract within the meaning of Article 6(1)(b) GDPR:

• For clients, prospective clients and persons acting for clients, this is mainly for the provision of the service and related communications with the data subject and for the purpose of carrying out the administrative duties of the Controller; and
• For employees, former employees, contractors, cooperating attorneys and participants in educational events, this primarily involves fulfilling contractual obligations.

3.1.2 Compliance with legal obligations within the meaning of Article 6(1)(c) GDPR:

• For clients, this includes in particular the fulfilment of obligations imposed by (i) Act No. 85/1996 Coll., on Advocacy, as amended, (ii) the AML Act, (iii) tax and accounting regulations and (iv) other relevant legislation;
• In the case of suppliers, in particular compliance with obligations imposed by (i) tax and accounting regulations, and (ii) other relevant legislation; and
• For employees and former employees, this includes in particular the fulfilment of the obligations imposed by (i) Act No. 262/2006 Coll., the Labour Code, as amended, (ii) Act No. 586/1992 Coll., the Income Tax Act, as amended, (iii) Act No. 187/2006 Coll., the Sickness Insurance Act, as amended, (iv) Act No. 582/1991 Coll., on Social Security Insurance, as amended, (v) Act No. 589/1992 Coll., on Social Security Insurance and Contribution to State Employment Policy, as amended, (vi) Act No. 48/1997 Coll., on Public Health Insurance and on Amendments and Additions to Certain Related Acts, as amended, and (vii) other relevant legislation.

3.1.3 Legitimate interest within the meaning of Article 6(1)(f) GDPR:

• For clients and participants in educational events, this is in particular a legitimate interest to inform the data subject about legal news and upcoming educational events of the Controller; and

3.1.4 Consent within the meaning of Article 6(1)(a) GDPR:

• Jobseekers for the purpose of a possible future offer of employment for a suitable job;
• For data subjects within the meaning of Art. 2.1 of this Policy for the purpose of informing the data subject via newsletter about legal news and upcoming educational events of the Controller. The data subject may personalise the information sent or refuse the sending of any further communications in accordance with the procedure set out in Art. 8.1.7 of this Policy.

3.2 There is no automated individual decision-making or profiling within the meaning of Article 22 GDPR.

4. RECIPIENTS OF PERSONAL DATA

4.1 The Controller only transfers personal data to processors with whom written contracts have been concluded in which the processors have committed themselves to protecting personal data and to complying with personal data security standards, but only to the extent necessary for the fulfilment of the individual purposes of the processing and on the basis of the corresponding legal title for the processing of personal data. These include:

• The company providing the Controller's accounting services;
• The company providing the Controller's payroll services;
• Microsoft, which operates the OneDrive cloud and provides other services related to Microsoft Office;
• The company that manages and operates the Controller's website; and
• Law enforcement authorities or other public authorities, in cases provided for by law, where the Controller is obliged to transfer certain personal data to the aforementioned authorities.

4.2 At the request of the data subject, his or her personal data may also be provided to other recipients, such as public authorities, forensic experts, translators, accountants, auditors or other law firms.

5. Transfer of Personal Data to a Third Country

5.1 The personal data of the data subject are not transferred to countries outside the European Economic Area.

6. Retention Period of Personal Data

6.1 The Controller processes personal data only for the time necessary to fulfil the purpose of processing, or for the time necessary to fulfil contractual obligations, to protect legitimate interests, for the time for which the Controller has a legal obligation to process personal data, or for the time until consent to process personal data is withdrawn.

6.2 The controller processes personal data of:

6.2.1 Clients, prospective clients, and persons acting for clients and any other personal data included in the client file:

• In principle for a period of 3 years from the date of termination of the provision of the relevant legal service;
• In the case of data obtained to comply with the obligations imposed by the AML Act, for a period of 10 years; or
• For as long as the data subject opts out of receiving further marketing communications.

6.2.2 Employees, former employees and applicants for employment:

• Processed for the purpose of fulfilling contractual obligations for a period of 3 years from the termination of the contractual relationship;
• Processed for the purpose of fulfilling legal obligations for the period of time for which the Controller has a legal obligation to process personal data.

6.2.3 Cooperating attorneys and suppliers:

• For the period necessary to fulfil the contractual obligations and for a period of 3 years after the termination of the contractual relationship; and
• For as long as the Controller has a legal obligation to process personal data.

6.2.4 Participants in educational events:

• For a period of 3 years from the date of the educational event.

6.2.5 Data subjects who consent to processing:

• For the duration of the consent or until the consent is withdrawn.

7. Security of Personal Data

7.1 The controller has taken all appropriate technical and organisational measures to ensure the security of the personal data provided by the data subject.

7.2 The controller declares that only persons authorised by it have access to the personal data.

8. Rights of Data Subjects

8.1 Data subjects have legal rights in relation to the processing of personal data, which they can exercise at any time. These include:

8.1.1 Right of access to personal data: Under the conditions set out in Article 15 of the GDPR, the data subject has the right to access his or her personal data (including information about its processing) held by the Controller, as well as the right to obtain one free copy of his or her personal data processed by the Controller (additional copies may already be subject to a fee);

8.1.2 Right to rectification of inaccurate and completion of incomplete personal data: Data subjects have the right to object to the inaccuracy or incompleteness of their personal data processed by the Controller. If it becomes apparent that the personal data is inaccurate, the data subject has the right to have the inaccurate data deleted, rectified or completed in an appropriate manner;

8.1.3 Right to erasure: Under certain conditions, the data subject has the right to request the erasure of his or her personal data ("right to be forgotten"), for example where he or she considers that the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the personal data are inaccurate or the processing is unlawful;

8.1.4 The right to restrict the processing of personal data: Under certain conditions, the data subject has the right to request that the Controller restrict the processing of his or her personal data - for example, if he or she (i) challenges the accuracy of the personal data until the Controller has verified its accuracy or (ii) the processing is unlawful or (iii) objects to the processing, until the Controller has verified that its legitimate grounds override the interests of the data subject;

8.1.5 The right to data portability: The data subject has the right to receive the data he or she has provided to the Controller and which the Controller processes automatically, in a standard machine-readable format, in cases where the data processing is based on the data subject's consent;

8.1.6 Right to object to processing: When processing personal data of a data subject on the basis of legitimate interests, the data subject has the right to object to further processing of personal data;

8.1.7 The right to withdraw consent to processing: When processing personal data on the basis of consent, the data subject has the right to withdraw his or her consent to the processing of personal data at any time in writing (including electronically) to the address or email of the Controller specified in Art. 1.2 of this Policy or via a link sent in an email communication;

8.1.8 The right to lodge a complaint with the supervisory authority: The data subject has the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ) if he or she believes that the Controller is in breach of its legal obligations in processing personal data.

Contact details of the ÚOOÚ:

Úřad pro ochranu osobních údajů
Pplk. Sochora 27
170 00 Praha 7

The Controller will respond to the data subject's request within the statutory time limit, usually within 1 month of receipt of the request. Should the Controller's response require a longer period of time in exceptional cases, it will inform the data subject accordingly.

8.2 The data subject may contact the Data Controller in connection with questions regarding personal data protection rights, including the right to access and rectify inaccurate data, or any other query or complaint regarding their processing, by mail or by email:

Aegis Law, advokátní kancelář, s.r.o.
Jungmannova 26/15
110 00 Praha 1
E-mail: office@aegislaw.cz

Effective date of the policy: from 1.6.2024