Privacy Policy | GDPR

Statement of personal data processing according tu Regulation (EU) of the European Parliament and of the Council 2016/679 on the protection of natural persons with regard to the processing of personal data and instructions of data subjects (hereinafter referred to as “GDPR”)

I. Controller of personal data

  • Organization Institut pro testování a certifikaci, a. s. with seat třída Tomáše Bati 299, Louky, 763 02 Zlín, Czech Republic, lD Nr.: 47910381, VAT CZ47910381, has been registered from 13th April 1993 in Companies Register administered by the Regional Court in Brno, Section B, Insert No. 1002, (hereinafter referred to as “controller”), notifies you of Your personal data processing and of Your rights by this according to Article 12 of.

II. Extent of personal data processing

  • Personal data are processed in extent, how they have been provided by the appropriate data subject, namely in connection with conclusion of contractual or any other legal relationship with controller, or which have been gathered in another way and they are processed in compliance with valid legal regulations or to the fulfilment of legal duties of the controller.

III. Sources of personal data

  • directly from data subjects (registration and purchases through e-shop, e-mails, phone, chat, website, contact form on website, social networks, business cards, etc.)
  • distributor, business partner or representative
  • publicly available registers, lists and evidence (e.g. Companies Register, Trade Register, Land Registry, public phone book, etc.)

IV. Categories of personal data, which are subject-matter of processing

  • address and identification data being instrumental to unambiguous and unmistakable identification of data subject (e.g. name, surname, title, event. personal identification number, date of birth, address of permanent resistance, ID No., VAT reg. No) and data making possible the contact with data subject (contact data – e.g. contact address, phone No., fax No., e-mail address and other similar information)
  • descriptive data (e.g. bank details)
  • other data necessary for contract fulfilment
  • data provided above the appropriate legislation processed within the granted consent from side of data subject (processing of pictures, usage of personal data for purposes of personal management, etc.)

V. Categories of data subjects

  • client/customer of controller
  • employees of controller
  • transporter
  • service supplier
  • other person in contractual relationship to controller
  • job applicant

VI. Categories of personal data recipients

  • wholesalers
  • financial institutes
  • public institutes
  • processor
  • state or other bodies within the fulfilment of legal duties given by appropriate legal regulations
  • other recipients (e.g. reference of personal data abroad – EU countries)

VII. Purpose of personal data processing

  • purposes included within the consent of data subject
  • negotiations on contractual relationship
  • execution of contract
  • protection of rights of the controller, recipient or other injured persons (e.g. debt collection of the controller)
  • archival science conducted based on Act on selection procedure for available employment
  • fulfilment of obligations from side of controller
  • protection of data subject interest, which is essential for the life

VIII. Means of processing and of protection of personal data

  • Processing of personal data is carried out by the controller. Processing is carried out in his/her establishments, branches and registered seat of the controller by the particular authorized employees of the controller, event. by the processor. Processing is carried out by computer techniques, event. also manually at personal data in documented form on keeping all security principles for management and processing of personal data. For this purpose the controller has taken technical-organizational action for ensuring the protection of personal data, especially action not to happen the unauthorized or occasional approach to personal data, their change, destruction or damage, unauthorized transmission, to their unauthorized processing, as well as to other improper use of personal data. All subjects, to whom the personal data can be made available, respect the right of data subjects for protection of privacy and they are obliged to act upon valid legal regulations concerning to protection of personal data.

IX. Time of personal data processing

  • In complains with terms mentioned in appropriate contracts, in nomenclature and shredding rules of the controller or in appropriate legal regulations, it means the time must for ensuring of the rights and duties resulting as from contractual relationship as from appropriate legal regulations.

X. Instructions

Controller processes the data with consent of data subject with the exception of by the law provided cases, when the processing of personal data does not require the consent of data subject. In compliance with Article 6 par. 1 of GDPR the controller can process without consent of data subject these data:

  • the data subject has given the consent for one or more concrete purposes,
  • the processing is necessary for contract fulfilment, its contractual party is data subject, or for proceeding of taken actions before contract conclusion by request of this data subject,
  • the processing is necessary for fulfilment of legal duty, which is applied for the controller,
  • the processing is necessary for protection of data subject or other natural person interests, which are essential for life,
  • the processing is necessary for fulfilment of task performed in the public interest or during performance of public authority, for which the controller is authorized,
  • the processing is necessary for purposes of competent interest of the controller or third party, except the cases, when the interests or fundamental rights and freedoms of data subject requiring protection of personal data have the priority against those interests

XI. Right of data subjects

1. In compliance with Article 12 of GDPR the controller informs data subject by request of data subject about the right for approach to personal data and to following information:

  • purpose of processing,
  • category of injured personal data,
  • recipient of category of recipients, to whom the personal data have been or will be made available,
  • planned time, during which the personal data will be saved,
  • all accessible information on source of personal data,
  • if they are not gained from data subject, matter of facts, if the automatic decision making, including profiling, happens.
  • 2. Each data subject, who finds or suppose, that the controller or the processor do the processing of his/her personal data, which is in violation of protection of privacy and personal life of the data subject or in violation of the law, especially if the personal data are inaccurate with regard to purpose of their processing, can:
  • Require the controller for explanation.
  • Require the controller to remove such arisen/caused situation. Especially, it can be blocking, execution repairs, completing or deleting of personal data.
  • If the data subject application according to paragraph 1 is found as justified, the controller will without delay remove irregular situation.
  • If the controller does not grant the application of data subject according to paragraph 1, the data subject has the right to appeal directly to supervisory authority, i.e. The Office for Personal Data Protection.
  • Procedure according to paragraph 1 does not exclude the data subject to appeal with his/her suggestion directly to the supervisory authority.
  • The controller has the right to require adequate compensation for giving information, which does not exceed the costs needed for the information giving.

XII. Definitions

  • Data subject – identified or identifiable natural person. 
  • Identifiable natural person – natural person, who is possible directly or indirectly to identify, especially by the reference for the certain identifier, e.g. name, identification number, location/address data, network identifier or on one or more special elements physical, physiological, genetic, psychic, economic, cultural or social identity of this natural person.
  • Personal data – all information about identified or identifiable natural person. 
  • Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destructions.
  • Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the personal data processing. If the purposes and means of processing are determined by EU or Czech Republic, this law can determine injured controller or the specific criteria for its determination.
  • Processor – a natural person, legal person public authority, agency or other body, which processes personal data on behalf of controller.
  • Consent of the data subject – means any free, specific, informed and unambiguous indication of the data subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to his/her personal data processing. 
  • Explicit consent – means confirmation of data subject permission to his/her personal data processing equipped with unique identification/indication of data subject made by data subject (signature, biometric signature/data, finger-print screen etc.).


Ing. Tomas Vesely

data protection officer (DPO)