in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”)
BLOCK CRS a.s., with its registered office at U Kasáren 727, 757 01 Valašské Meziříčí, ID No.: 073 33 366 (hereinafter referred to as the “Controller”), hereby informs you, in accordance with Articles 12 and 13 of the GDPR, of the processing of personal data of persons who are on the Controller’s establishment for the purpose of visiting or arranging the deliveries or taking delivery of goods and services, as well as for any other reason.
For contacting the Controller in matters relating to the processing of personal data and the exercise of data subjects’ rights under the GDPR, the following contacts can be used:
Contact person: Ing. Zdeňka Pokorná
Phone: +420 736 529 729
E-mail: pokorna@blockcrs.cz
1. Categories of personal data subjects
Data subjects are all persons present on the establishments of the Controller at the following addresses:
U Kasáren 727, 757 01 Valašské Meziříčí
Zašovská 264, Krásno nad Bečvou, 757 01 Valašské Meziříčí.
2. Categories of personal data:
- First name(s), surname(s), title(s)
- The number of the identity card, travel passport or other proof of identity
- Information about the employer or other entity on whose behalf the visit is undertaken
- Information on arrival/departure (date and time)
- Signature
3. Categories of recipients
Personal data will only be made available to authorised employees of the Controller who are obliged to maintain the confidentiality of such data and, if necessary, to public authorities.
The Controller also declares that it will not transfer personal data to third countries or any international organisation.
4. Purpose of processing
Personal data are processed for the purpose of protecting property and ensuring security in the establishments and individual premises of the Controller, or as evidence in criminal or misdemeanour proceedings. The processing of personal data is therefore performed in particular for the purpose of recording the arrivals and departures of persons to the Controller’s establishments, in order to ensure the security of persons and property within the Controller’s establishments. The processing of personal data by the Controller is necessary for the identification of persons on the Controller’s establishments and the fulfilment of legislative requirements by which the Controller is bound.
5. Legal grounds for processing and legitimate interests pursued by the Controller
The Controller processes personal data under the conditions set out in Article 6(1) of the GDPR for the purposes of the legitimate interests of the Controller or a third party. The processing of personal data for the purpose of the legitimate interest of the Controller or a third party consists in:
- The protection of the Controller’s property, including the protection of the health and property of persons on the Controller’s establishments,
- The protection of the rights and legitimate interests of the Controller and the data subject in civil, criminal and administrative proceedings.
6. Duration of personal data storage
The personal data of the subjects are processed by the Controller for a period of 1 year from the date the record was created or from the date of the last entry in the visitor book in which the personal data are recorded. Thereafter, the personal data are shredded in a controlled manner.
7. Method of processing and personal data protection
The Controller processes personal data, i.e. records of persons moving on the Controller’s establishments for the purpose of visiting or delivering or taking delivery of goods or services, or for any other reason. The processing is carried out in compliance with the data protection requirements for processing.
The processing is done manually. The following means may be used:
Visitors’ Book, Visitors’ Cards, Drive-in Permit Form.
Records may be provided to bodies responsible for criminal proceedings or administrative authorities as evidence in criminal or misdemeanour proceedings. In order to secure the processing of personal data and ensure the protection of personal data, the Controller and the processor have taken technical and organisational measures to minimise the risks associated with the processing, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of personal data or unauthorised access to personal data. The Controller does not intend to transfer personal data to a third country or an international organisation. On the basis of the personal data processed, there is carried out neither automated decision-making nor profiling.
Providing the data is not a legal or contractual requirement, but if you do not provide the data, you may not be admitted to the Controller’s establishments.
8. Data subject rights
The data subject has the following rights:
- of access to personal data pursuant to Art. 15 GDPR,
- to rectification of personal data pursuant to Art 16 GDPR,
- to erasure pursuant to Art. 17 GDPR,
- to restriction of processing pursuant to Art.18 GDPR,
- to have the Controller’s notification obligation fulfilled regarding rectification or erasure of personal data or restriction of processing pursuant to Art. 19 GDPR,
- to data portability pursuant to Art. 20 GDPR,
- to object pursuant to Art. 21 GDPR,
- not be the subject of any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her pursuant to Art. 22 GDPR,
- to be notified of personal data protection breach by the Controller pursuant to Art. 34 GDPR,
- to file a complaint with a supervisory authority (The Office for Personal Data Protection).
In Valašské Meziříčí, on 1 January 2025