OMEXOM GA Energo s.r.o. INFORMATION MEMORANDUM ON PERSONAL DATA PROCESSING AND PROTECTION

The purpose of this document is to provide data subjects with basic information on the personal data processing and protection principles that OMEXOM GA Energo s.r.o. complies with and has adopted in order to comply with Regulation 2016/679 of the European Parliament and of the Council (hereinafter the “GDPR”), effective from 25 May 2018, in particular Article 13 of the GDPR.

Our company has taken the necessary steps to enhance the security and confidentiality of the processed personal data and to comply with the prescribed obligations.

In compliance with the GDPR, our organization processes personal data according to the following principles:

1. Legality, fairness and transparency

We only carry out processing where there is a legitimate reason for doing so (e.g., a legal obligation, performance of a contract, protection of our interests, protection of a third party’s interests, or consent given by the data subject).

2. Purpose limitation

We only collect personal data for specific, explicit and legitimate purposes (see above).

3. Data minimisation

We only process personal data to the extent necessary to achieve the given purpose.

4. Accuracy

We only process current personal data.

5. Storage limitations

We only store personal data for as long as necessary under the terms of the GDPR and other applicable legislation.

6. Integrity & confidentiality

We have put in place appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure and access to transmitted, stored or otherwise processed personal data.

7. Responsibility

We can demonstrate compliance with the principles under points 1 to 6 above.

Information provided where personal data has been obtained from a data subject or their legal representatives.

Contact details of the data controller

Name of legal person: OMEXOM GA Energo s.r.o.

Identification number: 49196812

Registered office: Na střílně 1929/8, Plzeň

File number, registration in the Commercial Register: C 4355, Regional Court in Plzeň

Telephone number: 373 303 100

Official email of the legal person: info@gaenergo.cz

Data box ID: Ryt33bf

Contact email for queries about personal data processing: gdpr@gaenergo.cz

The majority of our personal data processing is performed to fulfil our legal obligations, in particular pursuant to Act No 500/2004, the Administrative Code, as amended, and Act No 499/2004, on archiving and filing services and on amendments to certain other laws. If we carry out processing of personal data for which the title (legal basis) is not:

a) processing necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

b) processing necessary for compliance with a legal obligation to which the controller is subject;

c) processing necessary in order to protect the vital interests of the data subject or of another natural person;

d) processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

e) processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party;

then it is processing of personal data for which we need your explicit, free, specific and informed consent. The provision of such consent is entirely voluntary and your consent may be withdrawn at any time, or other rights may be exercised which are precisely described in the written consent.

Applicants for employment are hereby informed that if they send a written or electronic application for employment or otherwise express an interest in working for our company, such application must be sent to the email or physical address of the controller, or made via the designated form on the controller’s website at www.gaenergo.cz.

By submitting an application, the applicant acknowledges that their personal data will be processed for the duration of the selection process for the job they applied for, typically meaning for 6 months.

The organisation has taken the necessary measures to ensure the security of the processed personal data in both physical and electronic form. These measures include, in particular, the establishment of internal rules for working with the information systems in question, ensuring that access to personal data is restricted to persons with the appropriate authorisation, making electronic records that make it possible to determine and verify when, by whom and for what reason personal data were recorded or otherwise processed, and preventing unauthorised access to data carriers. This is done in particular by setting passwords and access rights, using encryption, drawing up documentation on the technical and organisational measures taken, increasing security by installing locks, purchasing lockers, etc. A CCTV or similar system may be used as a result of the legitimate interest in the protection of property and people and, if installed, data subjects are informed of the specific conditions by an authorised person to the extent prescribed by law.

All employees and people with access to personal data as part of our company’s activities are properly trained and are aware of the rules of security and confidentiality when handling personal data.

We transfer personal data to third parties only in cases prescribed by law (mandatory reporting to state and local government authorities, insurance companies, tax authorities, etc.) or, to the extent necessary, to selected suppliers who provide certain services for us, such as accounting or IT management. We have clear contractual relationships with all such parties, and all suppliers are obliged to comply with the necessary rules for processing personal data within the scope and parameters required by the GDPR as part of the obligations of a processor pursuant to Article 28 of the GDPR.

The processing and retention periods of personal data are generally determined by legislative requirements, or on the basis of consent or until its withdrawal.

We do not transfer personal data abroad (to third countries).

Our company has a system in place for reporting potential security incidents. In the event of any data leakage, we act in accordance with the GDPR to minimize potential damage.

The right to access your personal data.

a) You have the right to ask the controller to inform you whether it is processing your personal data.

b) You have the right to ask the controller for access to the processed personal data by providing you with a copy of the processed personal data and information about the processing of those data.

c) You have the right to ask the controller to provide you with a copy of the processed personal data.

If you request access to the processed personal data in the form of a copy of the processed personal data, the company will issue a copy of the processed personal data, as a rule, within 30 days of receipt of the request. The controller will provide the data subject with a copy of the processed personal data, if the personal data of the data subject is processed, as a rule no later than 30 days after receipt of the request.

The controller will inform you of:

the purposes of the processing;

the categories of processed personal data;

the categories of recipients to whom the personal data have been or will be disclosed;

the period for which the personal data will be stored by the controller;

the right to request rectification, erasure, and restriction of processing of personal data, the right to object to processing;

and the right to lodge a complaint with a supervisory authority.

The data controller will provide information in the following form:

in writing upon unambiguous proof of the identity of the data subject;

in electronic form upon unambiguous proof of the identity of the data subject;

orally, upon unambiguous proof of identity, however no data or information may be provided by telephone.

The controller will, where possible and where the rights and freedoms of others will not be adversely affected, provide copies of the processed personal data.

Such copies will be provided under the following conditions:

The first copy or a copy after a longer period of time will be provided after a change in the personal data, or after a change in the processing of the personal data.

The controller will respond to your request in writing within 1 month, with the possibility of an extension for a further 2 months under the terms of the GDPR.

The right to rectification of an error that may occur in the processing of your personal data.

You have the right to request the rectification of inaccurate data or the completion of incomplete personal data. The controller will respond to your request within 1 month (with the possibility of an extension of a further 2 months under the terms of the GDPR) of receipt of your request. The controller will respond to you in writing. The controller will inform you whether and how it has corrected or completed your personal data.

The right to erasure of certain personal data (the right to “be forgotten”).

In general, you have the right to ask the controller to erase some of your personal data and not to keep it any longer—this is the so-called right to be forgotten. Where the controller is exercising public authority (making a decision in an administrative procedure) and fulfilling its legal obligations, the controller will not erase the personal data even if you request it.

However, if you submit a request for erasure, the controller will respond to your request in writing within 1 month (with a possible extension of 2 months) of receipt of your request. The controller will inform you why the controller has not granted your request for erasure or to what extent the controller has erased the data.

The right to erasure does not apply in the following cases:

If the processing is necessary:

for the exercise of the right to freedom of expression and information;

for compliance with a legal obligation which requires processing under European Union or Member State law to which the controller is subject, for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;

for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;

for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, where the right referred to in paragraph 1 would likely prevent or seriously jeopardise the achievement of the purposes of that processing;

for the establishment, exercise or defence of legal claims.

The right to restrict the processing of your personal data.

If you request restriction of the processing of your personal data and provide a reason for your request, the controller will mark such personal data. The controller will store the marked personal data but may not otherwise process it further (subject to exceptions prescribed by law).

Cases in which you have the right to have the controller restrict the processing of your personal data:

If you think that your personal data are not accurate.

If the processing of your personal data is unlawful, but you wish to request a restriction on the processing of your personal data instead of erasure.

If the controller no longer needs to process the personal data, but you wish the personal data to be restricted because it is necessary for the establishment, exercise and defence of your legal claims.

Where the controller processes your personal data on the basis of a legitimate interest, in the performance of a task carried out in the public interest, or in the exercise of official authority, and you object to the processing of your personal data.

The controller will respond to your request within 1 month (extendable by a further 2 months under the terms of the GDPR) of receipt of your request. The controller will respond to you in writing. The controller will inform you whether and how it has restricted your personal data.

The right to object to the processing of your personal data.

If you have given your consent to the processing of your personal data, you have the right to withdraw your consent at any time. However, this does not affect the lawfulness of the processing of personal data based on the consent given before its withdrawal. This means that the processing of your personal data is perfectly lawful until you withdraw your consent.

The right to lodge a complaint with a supervisory authority.

You have the right to lodge a complaint with our organisation, which we will address in cooperation with our Data Protection Officer or with the supervisory authority, i.e., the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, tel. +420 234 665 111.

Approved by the management of the company in Plzeň on 24 May 2018