Personal data protection

Would you like to know how your personal details are protected by us? You can find all necessary information here.

We are fully aware of the importance of protecting personal data, which is currently safeguarded under Act No. 101/2000 Coll., on personal data protection, and other legal regulations, including Act No. 29/2000 Coll., on postal services. In the past year, we have therefore started implementing the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Regulation on Personal Data Protection, or “GDPR”), which will enter into force on 25 May 2018.

For basic information on the GDPR, please visit the Office for Personal Data Protection’s website at https://www.uoou.cz/gdpr-obecne-nbsp-narizeni/ds-3938/p1=3938.

We hold a number of certificates for various activities, see https://www.ceskaposta.cz/o-ceske-poste/profil/certifikaty-iso. Our certification according to ČSN ISO/IEC 27001:2014 proves that we have adopted the necessary security measures to protect sensitive information, which means not only personal data but also customer information as a whole. The adopted security measures are being continuously assessed in the light of possible new security threats in order to identify and ensure an appropriate level of personal data protection.

Privacy is important to us both when we act in the capacity of a personal data controller, i.e. when we provide our own services and determine the reasons and methods for personal data processing, and in the capacity of a personal data processor involved in the processing of personal details provided to us by other entities. This applies especially to banks, savings banks and insurance companies that chose us for the processing of address details because we are able to comply with the most stringent conditions imposed by them on personal data protection.

New obligations under the GDPR

Although the basic rules and principles of personal data protection remain in place under the current legislation, the GDPR sets out a number of new requirements that are to be implemented.

Rights of data subjects

With effect from 25 May 2018, this website will include all information on how you can exercise your rights under the GDPR, including the instructions form, so that it is easy for you to exercise them.

All basic information on the processing of personal data is always a part of the contract you have entered into with us. Certain information regarded as insufficient under the new GDPR will be modified. Information on personal data processing will also be included in the Postal Terms and Conditions. As of the date of applicability of the GDPR, we will fulfil all obligations placed by the GDPR on data controllers.

Records of processing activities

We have already been fulfilling the registration obligation set by the Office for the Protection of Personal Data for processing activities that must be reported. With effect from 25 May 2018, when this public registration obligation is lifted, all the processes necessary to maintain the records to the extent required by the GDPR will be implemented, both for circumstances where we act in the capacity of a controller and for circumstances where we act in the capacity of a personal data processor.

Assessment of the impact on personal data protection

We have incorporated processes for applying the GDPR requirements into our existing safety standards. These processes ensure that, before any new technologies are used, the impact of any intended personal data processing operations that could result in a high risk to the rights and freedoms of individuals is assessed with respect to the nature, scope, context and purposes of the processing.

Reporting personal data security breaches to the Office for Personal Data Protection

Any personal data security breach that the controller learns about must be reported to the Office for Personal Data Protection, unless the controller can document that the breach is unlikely to result in a risk to rights and freedoms.

Notification of personal data security breaches to data subjects

The controller is obliged to notify the affected data subject, i.e. the affected client, only if the incident could result in a high risk to the rights and freedoms of this client or a group of clients.

Designation of data protection officer

By the date of application of the GDPR at the latest, we will designate our data protection officer, who will be provided with appropriate powers and involved in all matters related to personal data protection.