This personal data protection policy (hereinafter referred to as the Policy) sets forth the basic principles for the processing of the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and determines the main activities for the processing of personal data and the data protection measures for the undertakings, as well as the related services/products, including but not limited to Visual Flow, operating under the direction and supervision of IBA Group, a.s., the list of which is given in Annex 1 (hereinafter referred to as IBA or the organization).
The purposes of this Policy are to ensure the protection of human rights and freedoms when processing personal data, including privacy rights and personal and family secrecy, and to align the organization’s rules for personal data processing with the requirements of international law and the laws of the countries where the organization operates.
In its everyday business operations, IBA makes use of a variety of data about identifiable individuals, including data about:
While collecting and using this data, the organization is subject to a variety of legislative acts that control how such activities are to be carried out and the safeguards that must be put in place to protect the data.
IBA is committed to complying with the applicable laws and regulations related to Personal Data protection in the countries where the organization operates.
The Policy is reviewed annually and whenever significant changes take place within the organization or in the relevant legislation.
The Policy is mandatory for all IBA’s employees, both staff and contractors, and all organizational units, including separate subdivisions. The Policy also applies to other persons if they are to participate in the personal data processing in the organization, as well as in cases of the transfer of personal data to them in the established order under relevant agreements and contracts.
The Policy applies to any personal data, regardless of the type of media on which they are recorded.
The Policy is a public document of IBA, and any person may consult it.
The Policy is developed on the basis of and in accordance with the requirements:
If, as a result of changes in the legislation of the countries in which IBA’s undertakings are registered, any requirements of this Policy conflict with the legislation of those countries, such requirements will cease to apply and the laws of the countries in which IBA’s undertakings are registered will apply until the corresponding changes and additions are made to the Policy.
The following terms are used in this document with the corresponding definitions:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the personal data processing; where the purposes and means of such processing are determined by the law of the data subject location country, the controller or the specific criteria for its nomination may be provided for by the law of the data subject location country;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation, genetic data, biometric data for the purpose of uniquely identifying a natural person;
IBA’s undertakings means the undertakings operating under the direction and supervision of IBA Group, a.s., their head office.
The organization is committed to observing the following principles with regard to personal data processing:
Personal data shall be:
(a) processed lawfully, fairly and transparently in relation to the data subject (‘the lawfulness, fairness and transparency principle’);
(b) collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘the purpose limitation principle’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘the data minimization principle’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, depending on the purposes for which it is processed, is erased or corrected without delay (‘the accuracy principle’);
(e) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject (‘the storage limitation principle’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘the integrity and confidentiality principle’).
IBA is committed to complying with all of these principles, not only in its current processing of personal data but also when introducing new methods and systems of processing.
In respect of its activities as a controller, the organization is ready to confirm compliance with the above principles to the supervisory authority upon request (‘the accountability principle’).
IBA determines the legal basis before the start of personal data processing as a controller.
If the organization as a controller processes a special category of personal data, or data related to criminal convictions and offenses, the organization identifies both a legal basis for general processing and separate conditions for processing these types of data.
IBA keeps reasonable, documented evidence of the legitimacy of the personal data processing, with respect to its activities as a controller, and makes the evidence available when it is necessary.
The organization processes the personal data as a processor only on the basis of documented instructions from the controller governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. In this case, the controller determines the lawfulness of the processing.
There are six available legal bases for general processing of personal data. There are ten separate conditions for special category data processing. The options are described in the following sections.
The organization will always obtain explicit consent from a data subject in order to collect and process their data, unless consent is not required in accordance with the law.
In the case of children under the age of 16 (a lower age may be allowed in specific countries), the consent of a parent or a legal guardian must be obtained.
When requesting consent, IBA informs the data subjects about the organization’s identity, the nature and purpose of the processing and the categories of personal data to be processed, and explains the rights of individuals with regard to their personal data, including the right to withdraw consent. This information is provided in an intelligible and easily accessible form, using clear and plain language.
IBA requests separate consent for different purposes and types of processing, and does not use pre-ticked boxes or any other type of default consent in the consent requests.
When the collected and processed personal data is required to fulfil a contract with the data subject, explicit consent is not required. This will often be the case when the contract cannot be completed without the personal data in question, e.g. a delivery cannot be made without an address to deliver to.
If the personal data is required to be collected and processed in order to comply with the law, then explicit consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.
In the case when the personal data is required to protect the vital interests of the data subject or another individual, then this necessity may be used as the legal basis of the processing. As an example, this case may be applied to the aspects of social care, particularly in the public sector.
When the organization needs to perform a task that is believed to be in the public interest or that forms part of the organization’s official duty, the data subject’s consent will not be requested.
If the processing, or the specific personal data processed, serves the legitimate interests of the organization and is judged not to affect the rights and freedoms of the data subject in a significant way, this may be defined as the legal basis for the processing.
IBA performs a legitimate interest assessment (LIA) to ensure compliance with the principle of proportionality.
Performing its role as a controller, the organization processes a special category of personal data only if it has identified one of the following conditions for processing:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law of the data subject’s location country does not allow the data subject to lift the prohibition on processing;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, provided that appropriate safeguards are ensured for the fundamental rights and interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another individual if the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which is explicitly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
(i) processing is necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, provided that suitable and specific safeguards are ensured for the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject.
IBA processes personal data related to criminal convictions and offenses only under the control of an official authority, or when the law of the data subject’s location country permits such processing, and only where appropriate safeguards are provided for the rights and freedoms of data subjects.
The data subject has the following rights:
1. The right to be informed.
Individuals have the right to be informed about the collection and use of their personal data.
2. The right of access.
Individuals have the right to access their personal data.
3. The right of correction.
Individuals have the right to have inaccurate personal data corrected and incomplete personal data completed.
4. The right of erasure (‘right to be forgotten’).
Individuals have the right to have their personal data erased.
5. The right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data processing.
6. The right of data portability.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
7. The right to object.
Individuals have the right to object to the processing of their personal data.
8. Rights in relation to automated decision-making and profiling.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces a legal or similarly significant effect on them.
The organization supports each of these rights with appropriate procedures that allow the necessary steps to be taken within the timeframes specified in table 1.
Table 1 – Timescales for data subject requests.
| Data Subject Request | Timescale |
|---|---|
| The right to be informed | When data is collected (if supplied by the data subject) or within one month (if not supplied by the data subject) |
| The right of access | One month |
| The right of correction | One month |
| The right of erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right of data portability | One month |
| The right to object | On receipt of the objection |
| Rights in relation to automated decision-making and profiling | Not specified |
IBA takes, or where necessary may take, a number of organizational and technical measures in its business activities to protect personal data from unauthorized or unlawful processing, as well as from accidental loss, destruction, damage or other unlawful actions in respect of personal data. These measures include:
The organization adopts the principle of “data protection by design and default” and carries out appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights.
In essence, “data protection by design” means that IBA has integrated data protection into its systems, services, products and business practices, from the design stage right through the lifecycle. The organization only uses data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design. The organization takes data protection by design into account when it purchases products for use in its processing activities.
In turn, “data protection by default” means that IBA, in respect of its activities as a controller:
The organization takes into account the use of techniques such as pseudonymisation where applicable and appropriate.
IBA ensures that all relationships it enters into that involve the personal data processing are regulated by documented contracts that include the specific information and conditions required by the law.
Contracts of the organization include the following compulsory information:
Contracts of the organization include the following compulsory terms:
IBA as a controller only appoints processors who can provide “sufficient guarantees” that the requirements of the law of the data subjects’ location countries will be observed, and the rights of data subjects will be protected.
IBA transfers personal data to a third country or an international organization only if the requirements of the law of the data subjects’ location countries are fully observed, for example, if the transfer of personal data to that third country or international organization is authorized by the regulatory body without additional authorization by the supervisory authority because there is an adequate level of protection that meets the requirements of the law, or if the organization receiving the personal data has provided appropriate safeguards that comply with the requirements of the law.
Before such a transfer, IBA makes sure that the level of protection of data subjects ensured by law will not be undermined as a result, including in cases of onward transfers of personal data from the third country or international organization to controllers or processors in the same or another third country or international organization.
Following such transfer, individuals’ rights must be enforceable and effective legal remedies for individuals must be available.
As a controller, IBA maintains records of the following categories to document its processing activities:
As a processor, IBA maintains records of the following categories to document its processing activities:
IBA’s undertakings employing fewer than 250 persons do not keep records of processing activities unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data or personal data relating to criminal convictions and offenses.
The records are kept in writing. The records are kept up to date and reflect current processing activities.
The organization makes the records available to the supervisory authority upon request.
IBA has identified and regularly updates the security threats to personal data, performs risk analysis related to the personal data processing, documents findings and uses them to assess the appropriate level of security that needs to be put in place.
The security threat to personal data means a factor that creates the danger of unauthorized, including accidental, processing of personal data, as well as the accidental or intentional loss, destruction or damage to personal data.
IBA has allocated responsibility for information security to certain employees and teams and has provided them with the appropriate resources and authority. Employees who are authorized by the organization to process personal data undertake, before starting to work with personal data, to comply with the confidentiality and other requirements of the Policy.
IBA’s undertakings have information security rules and take the necessary steps to implement them. Where required, IBA’s undertakings adopt additional regulatory documents and ensure that controls are in place to enforce them.
IBA regularly reviews its information security regulatory documents and, where necessary, improves them. IBA conducts regular testing and reviews of its information security measures to ensure they remain effective, and acts on the results of those tests where they highlight areas for improvement.
IBA’s undertakings keep records of assets involved in the personal data processing (applications, systems, personnel, and media).
IBA uses encryption and/or pseudonymisation, where it is appropriate to do so.
IBA’s undertakings must use cryptographic protection whenever personal data is transmitted over open communication channels.
IBA’s undertakings have proper backup processes so that they can restore integrity and access to personal data in the event of any incidents, as soon as reasonably possible.
IBA’s undertakings make sure that any data processor they are using also implements appropriate technical and organizational measures.
IBA’s undertakings provide the necessary physical security measures to protect premises, equipment and information from unauthorized access.
IBA has defined business continuity arrangements that protect and recover any personal data the organization holds.
IBA conducts appropriate initial and refresher training on data protection issues for personnel involved in data processing, including, inter alia, personal data processing duties, employees’ responsibility for personal data protection, and the rules and restrictions on employees’ use of systems and services (for example, to avoid virus infection or spam).
The organization has prepared a response plan for addressing any personal data breaches that may occur. IBA has allocated responsibility for managing breaches to certain employees and teams. The organization’s employees know how to escalate a security incident to the proper responsible person or team in IBA to determine whether a breach has occurred.
IBA has adopted a process to notify the supervisory authority of a breach within 72 hours after becoming aware of it, even if full details are not yet available. The organization has adopted a process to inform the affected individuals about a breach without undue delay when it is likely to result in a high risk to their rights and freedoms. The organization’s Data Protection Officers supervise the process of notifying data subjects and supervisory authorities of personal data breaches.
IBA documents all breaches, even if not all of them need to be reported.
As a controller, IBA does a DPIA when personal data processing is likely to result in a high risk to individuals.
The organization considers whether a DPIA is appropriate for any major project involving personal data processing carried out as a controller. If IBA decides not to carry out a DPIA, it documents the reasons.
If the organization identifies a high risk that it cannot mitigate, it should consult the supervisory authority before starting the processing.
IBA is not required to appoint a DPO, since it is not a public authority or body, does not perform large-scale monitoring, and does not process special categories of personal data on a large scale, but it has decided to do so voluntarily. The organization understands that the same duties and responsibilities apply as with the mandatory appointment of a DPO. IBA appoints a DPO at the head office and, if necessary, at some undertakings of the organization.
IBA has tasked its DPOs with monitoring compliance with data protection laws and the organization’s data protection regulatory documents, raising awareness, training employees and conducting the related audits. IBA involves its DPOs in a timely manner in all issues relating to personal data protection.
The organization’s DPOs inform and advise the employees of the organization who carry out the personal data processing on their obligations under the data protection legislation.
The DPO of the head office reports directly to the top management of the organization. The DPOs of other IBA’s undertakings cooperate with the DPO of the head office and report to the management of their enterprises and the top management of the organization. All organization’s DPOs are given the required independence to perform their tasks.
The organization’s DPOs are easily accessible as the contact points for our employees, individuals and supervisory authorities. IBA published the contact details of its DPOs and communicated them to the supervisory authority.
Professional associations and representative bodies may prepare codes of conduct covering topics such as fair and transparent processing, the legitimate interests pursued by controllers, pseudonymisation and the exercise of human rights, etc.
In addition, supervisory authorities or accredited certification bodies may issue certificates of compliance with the legislative requirements of data processing activities.
Compliance with a code of conduct and obtaining a certificate are voluntary, but the organization sees them as an excellent way to monitor and demonstrate compliance with the requirements for personal data protection.