PRINCIPLES OF PROTECTION AND PROCESSING OF PERSONAL DATA
What will you learn in this privacy policy?
In this privacy policy you will learn when and how we will process your personal data and what rights you have regarding your personal data. All in full compliance with the currently applicable legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as the “GDPR” and Act No. 110/2019 Coll., on the processing of personal data, as amended.
If you have any questions regarding the processing of personal data, please contact us at [email protected].
Below you will find information about why, when, how and what personal data we process in our company and what rules for the protection of personal data we comply with in our company. You will also find here how to contact us if you have any questions regarding the processing of your personal data or how to, for example, correct your personal data. We strive to make our Policy understandable and clear for you. However, if anything needs to be explained, you will find our contact details below.
We recommend that you read the information provided in the Policy carefully and monitor its content on an ongoing basis, as the document may be updated.
Who manages your personal data?
The controller of your personal data is us, CLA Advisory sro, Company ID: 25626311, Tax ID: CZ25626311, with its registered office at Rohanské nábřeží 721/39, Karlín, 186 00 Prague. Entered in the Commercial Register kept by the Municipal Court in Prague, Section C, File 55945 (hereinafter referred to as “CLA”).
The processing of your personal data may also be carried out by other processors, whom we have carefully checked and with whom we have concluded written agreements. The processing of your personal data may also be carried out by providers of processing programs, services and applications. Information on the use of specific applications can be found in the following section.
Basic concepts
Let us explain some basic terms related to personal data protection. We believe that this will help you to better understand and appreciate why CLA Czech Republic processes personal data in the way we do.
“Personal data” is any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Data subject” is the natural person to whom personal data relate;
“Data controller” is the person who determines the purposes and means of the processing of personal data and is primarily responsible for the processing. Unless otherwise stated in these principles, the terms of a specific contract or in consent, CLA Czech Republic is the controller of personal data;
“Data processor” is the person who processes personal data on behalf of the controller;
“Processing” means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Categories of data subjects
The data subject may be, in particular:
- a client of CLA Czech Republic, its employee or representative;
- a business partner of CLA Czech Republic, its employee or representative;
- another person who is in a contractual relationship with CLA Czech Republic;
- client or customer of a business partner of CLA Czech Republic;
- a person participating in competitions and events organized by CLA Czech Republic, or events in which CLA Czech Republic participates;
- visitor to the CLA Czech Republic website;
- employee of CLA Czech Republic;
- job applicant at CLA Czech Republic.
What personal data do we process?
We adhere to the principle of personal data minimization. We only process personal data about you that we absolutely need, or personal data that you provide to us with your consent beyond the scope of strictly necessary processing.
Below you will find out which categories of personal data we process about you. A more specific scope of personal data processed for individual purposes is provided in the following section “Why do we process your personal data?”.
CLA Czech Republic processes the following categories of personal data in relation to clients:
- identification data: name, surname, title, company name, ID number, VAT number;
- contact details: e-mail address, telephone number, address and other similar information;
- cookies, IP address;
- data processed on the basis of consent;
- data resulting from communication: data from the use of our website.
Why do we process your personal data?
We process your personal data to the extent necessary for the relevant purpose – e.g. so that we can conclude and also implement a specific contract with you (e.g. a purchase contract, lease contract, employment contract, etc.). The obligation to process data is also stipulated by a number of legal regulations. For example, we must process much data for archiving purposes. We process some data because it is necessary to protect the rights and legally protected interests of CLA Czech Republic. However, processing for this reason is limited, and we carefully assess the existence of a legitimate interest. In other cases, we process your data only with your consent.
How long do we keep your personal data?
We will retain your personal data only for the period necessary to fulfill the purposes set out in this policy or to comply with statutory obligations.
Unless otherwise stated below, the maximum period for processing personal data that we at CLA Czech Republic apply to you is 10 years from the date on which the legal relationship between you and CLA Czech Republic ended, or 10 years from the end of the tax period in which the performance occurred. We are obliged to retain identification and transaction data under the Accounting Act, the Value Added Tax Act and other accounting and tax regulations. However, we also archive your personal data for a period of 10 years for our legitimate interests, in particular in the event that we have to present evidence in a lawsuit, taking into account statutory limitation periods under the Civil Code.
We retain data that we process with your consent for the period for which your consent is validly granted. If you have given us your consent to process your data for marketing purposes, we process your personal data for the duration of our contractual relationship and for 1 year after its termination. If you do not become our customer, i.e. the contractual relationship is not concluded, we process your data only for 1 year after granting your consent. For the avoidance of doubt, we retain the consent itself and the change or withdrawal of consent on the basis of our legitimate interests for the entire period of validity of the consent and 10 years after its expiry.
Are you obliged to provide us with personal data?
The provision of data that you provide to us with your consent is voluntary. We require the provision of other data because their processing is necessary for the conclusion or performance of a contract, the fulfillment of our legal obligations or the protection of our legitimate interests. If you do not provide us with such data, we cannot conclude the relevant contract with you or provide you with the relevant product or service.
Consent to the processing of personal data
If we ask you for your consent to process your personal data, the request for your consent, or the consent that we provide you to review and sign or otherwise agree to, will be clearly formulated and provide you with an adequate basis for decision-making. You can withdraw your consent at any time, using the contacts listed in the introduction and conclusion of this Policy or another way that you will be individually notified of.
We retain your personal data only for the period necessary to fulfill the purposes described in this Policy or the purposes of which you have been informed in another way. This means that once you have given us your consent to process your personal data, we will retain your data in accordance with your consent or until you withdraw your consent. However, even if you withdraw your consent, we may retain some of your personal data for the period necessary to comply with our legal obligations and for the purposes of our defense in any legal disputes.
We will not share your personal information with third parties for their marketing purposes unless we have obtained your consent for such purposes. If you have provided us with such consent but later no longer wish to receive marketing materials from a third party, please contact the relevant third party directly.
Where do we process your personal data?
We process your personal data only for clearly defined purposes, an overview of which can be found in this section of the website. This primarily applies to situations where you browse our web platform, fill out a non-binding inquiry form or subscribe to our newsletter. We will not process your personal data for any other purposes without your consent.
IP address and cookies
We cannot do without your IP address, otherwise we would not be able to show you our website. We also store your IP address together with the date of access to the website in the access log, for the sole purpose of the security of our website. Your IP address will be stored in the access log for 365 days, after which it is automatically deleted.
What are cookies?
Cookies are small data files that allow visited websites to remember the actions and settings of individual users that they have performed on them, so that this data does not have to be entered repeatedly. Cookies are stored on individual computers using a web browser. Cookies do not pose a danger, they are not used to obtain any personal data, but they are important for privacy protection. We do not use cookies to identify website users or to misuse login details. We use cookies in accordance with the Regulation.
For example, cookies allow us to recognize a user as an existing user or to adapt a given service to user preferences.
Another group is third-party cookies (e.g. Google Analytics for analyzing traffic to a specific website or certain services or cookies of advertising system operators that are operated on our website). These cookies are controlled by third parties and we do not have access to read or write this data.
Users of our website have the option to refuse the use of cookies. However, it is possible that in some cases it will not be possible to display a certain service or product of ours without using cookies. If your browser has cookies enabled, we will assume that you agree to our website’s use of standard cookies. If you wish to refuse the use of cookies, you can do so via the “cookie bar” offered on our website.
We use several types of cookies:
Essential cookies
These basic technical or functional cookies are necessary for the website to function properly and be secure.
Analytical cookies
We use several analytical tools to monitor how our website works:
- Google Analytics for measuring web traffic;
- HotJar to determine whether using our website is intuitive for visitors.
The Google Analytics cookie is stored for a maximum of two years from your last visit to our website, the HotJar cookie for one year from your last visit. We send only anonymous data to both tools, which cannot be linked to you in any way.
Marketing cookies
Thanks to marketing cookies, we can show you relevant advertising, but only after you give us your consent. Specifically, we use cookies from the advertising services Google Ads, Facebook Ads (Meta), Sklik on our website. Information about the functioning of these cookies can be found on the websites of individual providers.
Contact form: Non-binding inquiry
You can ask us anything via the contact form or we can start discussing cooperation together. Within the contact form, we work with your name, company name, e-mail address and telephone number. We process this data only for the purpose of creating an offer of our services, negotiating an offer or answering your question, for a maximum of 12 months from the date of sending the form, unless you consent to further processing of your data.
Newsletter
We send our newsletter to our clients, employees and only to people who have registered on our website and have given their consent to receive commercial communications.
If you are interested in receiving news and subscribe to the newsletter, we will process your e-mail address.
We will process your personal data so that we can send you news, based on your consent, which you gave us when you registered.
We will process your e-mail without restrictions, unless you terminate it yourself.
Sources of personal data
Depending on the situation, we process data that we have received from you at CLA Czech Republic, as well as data from publicly available sources and registers, as well as data obtained from third parties (for example, our business partners). We fundamentally manage your personal data within CLA Czech Republic. If this is necessary to achieve any of the purposes listed above, especially if the external entity in the given area has the necessary professionalism and expert level, your data is processed by cooperating suppliers. If we entrust someone else with the performance of a certain activity forming part of our services, the relevant personal data may be processed. In some cases, these suppliers become the processor of personal data. The processor is authorized to handle data exclusively for the purposes of performing the activity for which it was authorized by the relevant controller. In such a case, your consent is not required for the purposes of performing the processing activity.
Possible recipients of personal data are in particular:
- IT service providers, including cloud storage;
- marketing agencies;
- printing and postal service providers, including couriers.
Beyond the above, we transfer personal data outside CLA Czech Republic only if we have your consent or if required by law. Some public authorities (e.g. tax authorities) are entitled to request information about you.
Security
We strive to ensure that the data you entrust to us is as secure as possible. To this end, we have implemented a number of technical and organizational measures to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and any other unlawful forms of processing.
We limit access to your personal data only to those employees of CLA Czech Republic and suppliers of CLA Czech Republic who need this information for the purposes of processing it on our behalf and who are contractually obligated to maintain the security and confidentiality of your personal data.
As we have already mentioned, in certain cases we transfer, or are obligated to transfer, personal data to third parties. In such cases, we choose trusted partners with whom we have ensured that they will comply with at least the same level of personal data protection as we ensure in CLA Czech Republic. Our partners are bound by the same obligations as we are, through processing agreements.
When transferring personal data to administrative authorities, we always use the most appropriate and secure options offered by the relevant authority.
We use cloud storage, which is generally located within the EU and a high level of data security is always ensured.
Your rights related to the processing of personal data
In the event of exercising your rights to the personal data we process, we require your identification. We would like to point out that if we are unable to verify your identity electronically or if we have reasonable doubts about your identity, we will ask you to submit an identity document or other proof of identity. This is the only way to prevent us from providing your personal data to another person or from unauthorized modification of your personal data.
Right to information and access to personal data
We respect the principle of transparency in the processing of personal data. In accordance with this principle, we will always provide you with information about what personal data we process about you.
We will handle your requests in the shortest possible time, no more than one month.
In more complex cases, we are entitled to extend the period by up to two months.
If you request information about the processing of your personal data, we will provide you with information about the purpose of the processing of personal data, the personal data, or categories of personal data that are the subject of processing, including all available information about their source, recipient, or categories of recipients. You will also be informed of the planned period for which the personal data will be stored, or if it is not possible to determine it, the criteria used to determine this period, and the existence of the right to request correction or deletion of your personal data or restriction of their processing or to object to this processing, as well as the right to file a complaint with the supervisory authority.
You have the right to request from CLA Czech Republic a copy of the personal data processed, provided that this does not adversely affect the rights and freedoms of others. For further copies made at your request, we may charge a reasonable fee based on administrative costs. If you submit your request in electronic form, we will provide you with the information in a commonly used electronic form, unless you request otherwise.
Right to rectification
When processing your personal data, we strive to ensure their accuracy and up-to-dateness. We will try to delete or correct inaccurate or incomplete personal data. If you find that some of the personal data we process about you is incorrect or out of date, you can notify us. You have the right to have CLA Czech Republic correct inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.
Any corrections will also be communicated to the recipients to whom the personal data were provided, except where this proves impossible or involves disproportionate effort.
Withdrawal of consent to the processing of personal data
You can prevent further processing of your personal data based on your consent to the processing of personal data at any time by withdrawing your consent to such processing.
Right to erasure (right to be forgotten)
You can also exercise your right to be forgotten. You have the right to have CLA Czech Republic erase personal data concerning you without undue delay, and CLA Czech Republic is obliged to erase personal data without undue delay if one of the following reasons applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw the consent on the basis of which the personal data was processed and there is no other legal ground for the processing;
- the personal data has been processed unlawfully;
- personal data must be erased to comply with a legal obligation set out in European Union or Czech Republic law.
In such a case, we will delete all of your personal data that we process. The exception is cases where the processing is carried out due to a legal obligation or due to our legitimate interest in exercising and defending legal claims.
The deletion will also be notified to the recipients to whom the personal data were provided, except in cases where this is impossible or requires disproportionate effort.
Right to restriction of processing
You have the right to request that CLA Czech Republic restrict processing in any of the following cases:
- you dispute the accuracy of the personal data for the period necessary for CLA Czech Republic to verify the accuracy of the personal data;
- the processing is unlawful and you refuse the erasure of your personal data and instead request the restriction of their use;
- CLA Czech Republic no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims;
- an objection to processing has been raised, pending verification of whether the legitimate interests of CLA Czech Republic outweigh your reasons for the objection.
Any restrictions will also be communicated to the recipients to whom the personal data have been disclosed, except where this is impossible or involves disproportionate effort.
Right to data portability
You have the right to receive the personal data concerning you, which you have provided to CLA Czech Republic, in a structured, commonly used and machine-readable format and the right to transmit these data to another controller without hindrance from CLA Czech Republic, where:
- the processing is based on consent to the processing of personal data or it concerns the processing of personal data for the purposes of concluding and performing a contract;
- and at the same time the processing is carried out automatically.
When exercising your right to data portability, you have the right to have your personal data transmitted by CLA Czech Republic directly to another controller, where technically feasible. The right to data portability must not adversely affect the rights and freedoms of other persons.
Right not to be subject to automated decision-making, including profiling
You have the right not to be subject to any decision based solely on automated processing, including profiling (i.e. any form of automated processing of personal data consisting of its use to evaluate certain personal aspects relating to you), which produces legal effects concerning you or similarly significantly affects you. This right does not apply if the automated decision is necessary for entering into or performing a contract or is based on your explicit consent; in such cases, however, you have the right to human intervention in the automated decision, the right to express your opinion and the right to contest the automated decision.
Right to object
If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing. If you object to the processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
If personal data are processed on the basis of the legitimate interests of CLA Czech Republic, you have the right to object at any time to the processing of personal data concerning you for such legitimate interests.
You must justify this objection so that we can assess it properly. Your objection and the reasons for it will then be assessed and compared with the legitimate interests of CLA Czech Republic. If your reasons outweigh the legitimate interests of CLA Czech Republic, the processing of your personal data will be restricted or your personal data will be erased.
Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint against the processing of your personal data with the supervisory authority, which is the Office for Personal Data Protection, registered office at Pplk. Sochora 27, 170 00 Prague 7.
You can contact us with the above requirements at [email protected] or in person at Rohanské nábřeží 721/39, Prague 8 – Karlín.
These Personal Data Protection and Processing Principles come into effect on January 1, 2025.