PRIVACY POLICY
Through this Privacy Policy (hereinafter referred to as the "Principles"), we inform the data subjects whose personal data we process about all processing activities and data privacy policy principles.
1. Responsible persons
Privacy Manager:
STUDENT AGENCY k.s., ID No. 253 17 075, with its registered office at náměstí Svobody 86/17, Brno-město, 602 00 Brno
and
RegioJet a.s., IČ: 283 33 187, with its registered office at náměstí Svobody 86/17, Brno-město, 602 00 Brno
and
ORBIX s.r.o., ID: 266 94 638, with its registered office at Revoluční 767/25, Staré Město, 110 00 Prague 1
as joint personal data administrators within the meaning of Article 26 of the GDPR (hereinafter referred to as "Companies", "we", "our" or "us")
Joint Administrators belong to the STUDENT AGENCY Holding and are mutually engaged in the processing of personal data.
Joint Administrators have entered into a contract with each other to regulate the rights and obligations under which STUDENT AGENCY k.s. STUDENT AGENCY k.s. is further responsible for the reporting obligation for the repair or deletion of personal data or the limitation of processing, the obligation to implement appropriate technical and organizational measures, record personal data processing and report any personal data breaches.
STUDENT AGENCY k.s. under the contract it acts as a central contact point for data subjects whose personal data are processed by joint managers. Each data subject may exercise his rights under the GDPR of each of the personal data administrators as well as to each of them, regardless of the terms and conditions set forth in the above contract.
administrator contact: phone: +420 800 100 300; E-mail: privacy@studentagency.cz
2. Basic Terms
GDPR:
Regulation (EC) No 2016/679 of the European Parliament and of the Council concerning the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/ES with effect from 25. 5. 2018.
Personal data:
Personal data concerning European Parliament and of the Council and Regulation (EC) No 2016/679 on the protection of individuals with regard to the processing of personal data and of repealing Directive 95/46/ES (hereinafter referred to as GDPR) shall mean any information relating to an identified or identifiable natural person (i.e. in regards to the Data Subject = You)
Special personal data:
Special personal data refers to personal data and information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of biometric data in order to assist in the unique identification of individuals concerned or data concerning the health or sex life of the individual, disability, age or sexual orientation.
Data Subject= You:
Data Subject refers to identified or identifiable (natural) person as one who can be identified, directly or indirectly, in particular by reference to an identification factor such as name, identification number, location data, network identifier or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of natural person.
The processing of personal data:
For the purposes of Article 4(2) of GDPR, processing of personal data shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Controller:
For the purposes of Article 4(7) of GDPR “controller” shall mean the natural person or legal entities, public authority, agency or any other body which alone or jointly with others determine the purposes and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, this law can determine the concerned controller or the specific criteria for his nomination may be designated; Company included.
Processor:
The processor for the purposes of Article 4(8) of GDPR shall mean a natural person or legal entities public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; including some trading partners of the Company, which in under the direction and in compliance with the requirements of the Company, respectively its responsible employee, process personal data for the Company as the processor.
The supervisory authority:
Supervisory authority shall be an Authority for the protection of personal data in Slovakia (hereinafter referred to as „ÚOOÚ“).
Risk processing:
Risk processing shall mean the processing which likely represents the risk for rights and freedoms of the data subjects, the processing is not occasional nor does include the processing of special data or processing of data relating to criminal convictions and offenses described under Article 10 of GDPR.
3. Processed personal data
We are processing identification data (first name, surname, date of birth), contact data (address, e-mail, phone number), data included in job seekers’ resumes, accounting information (bank account number), order history, claims history. We are processing this data in compliance with GDPR and other legislation concerning personal data protection.
4. Categories of data subjects
a) Customers
b) Suppliers of goods and services
c) Potential customers and suppliers of goods and services
d) Job seekers
e) Web page visitors
f) Subscribers
5. The purpose of personal data processing
We are processing personal data for a clearly identified purpose:
Categories of data subjects | Purpose of personal data processing | Legal basis and processed personal data | Data processing period |
Our customers – NATIONAL bus and train transport | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers – INTERNATIONAL bus and train transport | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers – Aviation passenger transport mediation | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers – Sale and travel arrangements mediation | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers – Individual tourism services mediation | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers – Claims recovery in air transport operated by Click2Claim s.r.o mediation | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers – Insurance mediation | Performance and realization of customer contracts |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our Customers – Residence permit administration mediation | Performance and execution of contracts with customers |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our Customers – Language Study Stay Abroad | Performance and execution of contracts with customers |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our Customers – Working Holiday mediation | Performance and execution of contracts with customers |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our Customers – Parking mediation | Performance and execution of contracts with customers |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. |
Our customers (in general) | Managing a client database for repeatable of services |
|
For this purpose, personal data may be processed for a period of 5 years, or until the withdrawal of consent. |
Our customers (in general) | Keeping statistics |
|
For this purpose, personal data may be processed for a period of 5 years, or until the withdrawal of consent. |
Our customers (in general) Sending information emails and satisfaction / dissatisfaction questionnaires Dissemination of business messages in the form of email newsletters containing an offer of goods or services and news | Claims arising from contractual relations after termination of the contract |
|
For this purpose, personal data may be processed for a period of four years after the termination of the contractual relationship and if administrative or judicial proceedings are initiated, then throughout the proceedings. |
Sending information emails and satisfaction / dissatisfaction questionnaires |
|
For this purpose, personal data may be processed for the duration of the contractual relationship and for a prolonged period after termination of the relationship | |
Dissemination of business messages in the form of email newsletters containing an offer of goods or services and news |
|
For this purpose, personal data may be processed for an indefinite period until the recipient withdraws from the subscription. |
|
Performance of our duties in accounting and taxation |
|
For this purpose, personal data may be processed for up to ten years from the end of the tax period in which the transaction took place. | |
Personal data listed in the telephone call record on customer care line for performance of the contract |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. | |
Personal data listed in the telephone call record on customer care line for the purpose of enforcing any legal claims |
|
For this purpose, personal data may be processed for a period of four years after termination of the contract. | |
Personal data listed in the telephone call record on customer care line to improve service quality |
|
For this purpose, personal data may be processed for a period of one month since the telephone call was made. | |
Our suppliers, associates and creditors | Execution and implementation of contracts concluded with suppliers, external associates and creditors, recovery of receivables |
|
For this purpose, personal data may be processed for the duration of the contractual relationship. For this purpose, personal data may be processed for a period of four years from the termination of the contractual relationship, in case of the disputed proceedings throughout the proceedings. |
Claims arising from contractual relations after termination of the contract |
|
For this purpose, personal data may be processed for a period of four years from the termination of the contractual relationship, in case of the disputed proceedings throughout the proceedings. | |
Potential customers | Dissemination of business messages in the form of professional information and reports, marketing materials, service offers, invitations to professional events etc. |
|
For this purpose, personal data may be processed until the consent is withdrawn. For this purpose, personal data is processed for 6 months since cancellation of the selection process or admission of another selected candidate to the advertised position as an employee. |
Job seekers | Evaluating suitability of the job seeker for the employee selection process and re-addressing him/her in case the employment relationship with another selected candidate is terminated during their probationary period |
|
For this purpose, personal data is processed for 6 months since cancellation of the selection process or admission of another selected candidate to the advertised position as an employee. |
Possible proof of compliance with the prohibition of discrimination and equal treatment under the Employment Act in the employee’s selection procedure |
|
For this purpose, personal data may be processed for a period of three years from the end of the selection process, in case of an ongoing process throughout the process. | |
Web page visitors | Statistics prior to data anonymization, our goods and services ad serving |
|
For this purpose, personal data may be processed for a period of 2 years after the data has been provided. |
Sending a response to a web page visitor’s query |
|
For this purpose, personal data may be processed until the query from the contact form is resolved, however this period cannot exceed a time period of 30 days, or the time period in which your consent with processing is valid. | |
Subscribers | Regular sending of business and other types of communication via e-mail |
|
For this purpose, personal data may be processed until the consent is withdrawn. |
6. Data processing period
We preserve personal data only during the period necessary for their processing – see the table above. After the expiration of this period the personal data shall be preserved only for the purposes the State Statistical Service, for scientific purposes and for archiving purposes.
7. Personal data recipients and transfer of personal data outside the European Union
We may transfer your personal data in duly justified cases to other bodies (hereinafter referred to as „recipients”):
A transfer of personal data to these recipients might occur:
- Processors which process your personal data according to our guidelines and mutual relationships which are treated according to Article 28 of GDPR::
- Persons operating software used by us solely for the purpose of administration and technical support of these programs
- Persons providing services and goods to us through which they process your personal data for us
- Other legal entities in STUDENT AGENCY/RegioJet group
- Public authorities and other recipients if required by an applicable legal regulation
- Other recipients in case an unexpected event occurs requiring data sharing necessary for the protection of life, health, property or another public interest or if necessary for the protection of our rights, property or safety.
8. Principles applicable to the processing of personal data
Legality
We process your personal data according to applicable legal regulations, particularly GDPR.
Data subject's acceptance
We process data in a matter and a scope in accordance with your given consent if the consent is sufficient for processing.
Minimizing and limitations of personal data processing
We process the personal data only to the extent necessary to achieve the purpose of the data processing and for no longer than is necessary for the purposes for which the personal data are processed.
The accuracy of personal data processing
We process personal data with attention to their precision. We process updated personal data using all reasonable means.
Transparency
Through these Principles and the contact referred to them, you are able to get fully acquainted with the way your personal data are processed, their scope and their content.
Purpose Limitation
We process personal data only to the extent necessary for fulfillment of given purpose and in accordance with this purpose.
Security
We process personal data in a manner which ensures their proper security, including their protection through appropriate technical or organizational measures against unlawful or illegal activities and against loss, destruction or damage.
9. Automizer individual decision-making and profiling
There is no automizer individual decision-making, neither on the basis of profiling, during the personal data processing.
Automizer individual decision-making including profiling is commonly understood to mean any form or decision based on automizer processing of personal data, i. e. without human interference, involving among others some personal aspects applicable to a data subject, particularly for the purpose of analysis or estimation, respectively analysis or anticipating of aspects concerning their work performance, economic situation, medical condition, personal performances, interest, dependence, behavior, location or movement.
10. Your rights as a data subject
Right of access to personal data
You have the right to request an access to personal information about your person from us. In particular, you have the right to receive a confirmation from us whether personal data concerning you are being processed or are not being processed by us and to provide further information on the processed data and the processing method within the meaning of the relevant GDPR provisions (purpose of processing, personal data category, the duration of data saving, the existence of your right to request a correction, the deletion, the limitation of processing or the right to object, the source of personal data and the right to file a complaint). If you ask for it, we will provide you with a copy of the personal data we process about you free of charge. In case of a repeated request, we may charge a reasonable fee for providing a copy corresponding to the administrative costs of processing.
To access your personal data, please use the contact listed in this policy.
The right to withdraw consent to the processing of personal data if processing takes place on the basis of consent
You have the right at any time to withdraw consent to the processing of personal data processed by us on the basis of such consent.
You can revoke your consent through the contact listed in this policy.
Right to rectification, erasure or restriction
If you find that personal information about you is inaccurate, you may require us to correct this information without undue delay. If this is appropriate in the light of the specific circumstances of the case, you may also request the addition of the information we have about you.
You may request correction, limitation, or deletion of data through the contact listed in this policy.
Right to deletion of personal data
You have the right to request us to erase without undue delay the personal data processed by us that concern you in the following cases:
- If you withdraw your consent to the processing of personal data, and there is no other legitimate reason for our processing to prevail over our right of deletion;
- if you object to the processing of personal data (see below);
- Your personal information is no longer needed for purposes for which we have collected or otherwise processed it;
- personal data were unlawfully processed by us;
- personal information was gathered in connection with the provision of information society services to a person below the age of 18;
- Personal data must be cleared to comply with the legal obligation set forth in European Union law or the Czech law applicable to us.
You may request a deletion in these cases through the contact listed in this policy.
The right to request the deletion of personal data is not given in a situation where processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfill our legal obligations;
- for public interest reasons in the field of public health;
- for purposes of archiving in the public interest, for purposes of scientific or historical research or for statistical purposes, where the deletion of data would be likely to disable or seriously threaten the achievement of the objectives of such processing;
- for determining, exercising or defending legal claims.
You can find out whether there are reasons you cannot apply for the right of cancellation through the contact listed above. .
The right to limit the processing of personal data
You have the right to limit the processing of your personal data in the following cases:
- you deny the accuracy of personal information. In this case, the limitation is valid for the time required to verify the accuracy of personal data.
- the processing of personal data is illegal and you do not want to delete your personal information, instead you only want to limit their use.
- we no longer need your personal information for the purposes for which we processed it, but you are required to identify, exercise or defend your legal claims;
- you object to processing (see below). In this case, the limitation applies for a period until it is verified that the legitimate reasons on our side outweigh your legitimate reasons.
In the period of limited processing of personal data, we may process your personal data (with the exception of its storage) only with your consent or for the purpose of determining, enforcing or defending our legal rights, for the protection of the rights of another natural or legal person or for reasons of major interest of th European Union or a Member State. As noted above, you can request processing restrictions through the contact listed in this policy.
Right to object to processing
You have the right to object to the processing of your personal data in the following cases:
- If personal data are processed on the ground that processing is necessary to fulfill a public interest task or in the exercise of public authority to which we are entrusted or for the purposes of our legitimate interests and you object to the processing, further processing is not possible unless we can demonstrate serious legitimate processing grounds that outweigh your interests, rights and freedoms, or determine, exercise or defend our legal rights.
- If personal data is processed for direct marketing purposes and you object to processing, we will no longer process personal data for these purposes.
- If your personal data is processed for purposes of scientific or historical research or for statistical purposes, we will not process it further unless processing is necessary to fulfill a task carried out for reasons of public interest.
You can submit the objection via the contact listed in this policy.
Right to data portability
In case that we process your personal data with your consent or because it is necessary to fulfill a contract between us, you have the right to obtain from us the personal data you are referring to and you have provided us in a structured, commonly used and machine-readable format, if personal data are processed by us in the manner. You have the right to pass this data to another data administrator or to demand from us to provide this information directly to another data administrators if this is technically feasible.
Contact the contact listed in this policy to obtain your personal information.
The right not to be subject to any decision based exclusively on automated processing, including profiling
We do not currently use personal data for automated decision making. Otherwise, you have the right not to be the subject of any decision based solely on automated processing, including profiling, which has any legal effects for you or you have a significant impact on you.
This does not apply if:
- automated decision-making is allowed by legal regulation;
- automated decision making is necessary to conclude or perform a contract between us;
- your explicit consent to automated decision-making has been granted.
The right to obtain information about a breach of security of your personal data
If it is likely that a breach of our security will be a high risk for your rights and freedoms, we will notify you of this violation without undue delay. If appropriate technical or organizational measures have been used to process your personal data, such as making the data incomprehensible for the unauthorized person, or to ensure by additional measures that the high risk does not occur, we are not obliged to transmit the information on violation.
Right to file a complaint with the Supervisory Authority
If you believe that the processing of your personal data is in violation of the obligations set forth in the GDPR, you have the right to file a complaint with the Supervisory Authority. The Supervisory Authority in the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
Úřad pro ochranu osobních údajů Pplk. Sochora 27 170 00 Praha 7 telefon: 234 665 111 E-mail: posta@uoou.cz Datová schránka: qkbaa2n www.uoou.cz |
This Privacy Policy is valid from May 25, 2018.