INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA
as per article 12 of Regulation (EU) no. 2016/679 of the European Parliament and of the Council of the 27th of April 2016, General Data Protection Regulation (hereinafter “GDPR”), the company:
International Study Programs, s.r.o.
Company Identification Number: 27166708
with its registered office International Study Programs, s.r.o., Pernerova 697/35, 186 00, Praha 8 - Karlín, Czech Republic
the company is listed in the Commercial Registry kept by the Municipal Court in Prague, section C, insert 101374
contact e-mail address: info@theglobalexec.com
(hereinafter referred to in this article as “the Administrator”)
hereby announces that it will process personal data related to the Personal Data Subject (hereinafter referred to in this article as “the Data Subject”), under the following conditions:
Purpose of personal data processing
a) maintenance of personal data in the Administrator’s records for the purpose of possible future collaboration,
b) sending e-mails with news about Administrator’s activities or advertising messages from the Administrator,
c) handover of the data to an advertising agency for the purpose of the performance of the aforementioned activity for the Administrator.
Legal basis of processing
Consent to the processing of personal data.
Processing of personal data by a third party
The personal data may be provided to an advertising agency selected by the Administrator for the purpose of direct marketing (e-mailing), which collaborates with the Administrator on the basis of a contract which contains the requisites as per the Regulation.
Period of personal data processing
The personal data of the subjects in all categories as per point no. 2 will always be deleted, without undue delay, upon the expiry of the statutory period for which the Administrator is obliged to store this data. If the personal data storage period is not legally stipulated, then the Administrator will delete or shred the personal data, without undue delay, after the purpose of its processing ceases to exist, if the Personal Data Subject does not consent to a longer period for the deletion of personal data.
Securing of personal data
a) Protection against unauthorised access to personal data
The recording equipment and documentary records are located on the Administrator’s lockable premises, or in lockable cabinets and drawers belonging to the Administrator’s employees or other co-workers. Only authorised persons have access to the room. Other persons only have access to the room while accompanied by authorised persons. As of this day, the Administrator uses the following IT systems, via which personal data is processed: Dynamics365
The software access to the personal data processing equipment is protected by a username and password. Only employees and co-workers who use personal data during the fulfilment of their obligations have access to personal data, and only to the extent necessary. The Administrator has issued a special internal directive on the handling of personal data.
b) Protection against the unauthorised reading, copying, transfer, modification and deletion of personal data
Access to personal data is protected by an access name and password.
The Administrator’s system records all access to individual personal data.
The transfer of personal data usually takes place using a password or other encryption.
The authorised persons have been trained whereby every subsequent training session will be entered into the Administrator’s records. Regular inspections of the system settings and compliance with the Administrator’s internal regulations are also performed.
The Administrator has issued a special internal directive on the handling of personal data.
c) Protection against natural events
With the exception of the measures as per section a) and fire precautions, no other measures have been implemented.
The Administrator has issued a special internal directive on the handling of personal data.
d) Protection against an external attack (e.g. Hacking attack)
The Administrator’s system is connected to the internet. Security measures have been implemented to protect against an attack from an external network in the form of a firewall, login name, password and HTTPS protocol, as well as measures taken by the web hosting provider. Other measures include regular system inspections by persons authorised by the Administrator.
The Administrator has issued a special internal directive on the handling of personal data.
e) Protection against the unauthorised use of access information (negligence)
Every access to the Administrator’s system is recorded whereby individual accesses can be compared (logs). The access passwords to the Administrator’s system are regularly changed.
The Administrator has issued a special internal directive on the handling of personal data.
f) Protection against ignorance
All authorised and entrusted persons have been properly instructed and will receive regular training. The instructions and training consist mainly of informing these persons about the functionality of the Administrator’s system, recording equipment and software (including updates), as well as the rights and obligations during the processing of personal data within the scope of the Regulation.
The Administrator maintains records of the training of authorised and entrusted persons.
g) Other measures
The Administrator has tested the functionality of the processes and processing of personal data, and its concord with the Regulation, on this day. Further testing will follow after three months and then every three months thereafter.
Measures as per article 32 paragraph 1 section a) to d) of the Regulation, in individual cases where it is desirable in the interest of adequate personal data protection.
Rights during personal data processing
The Data Subject confirms that they have been informed of their rights in connection with the processing of personal data in the intentions of the provisions of articles 13, 15-22 and 34 of the GDPR.
In particular, in relation to the processed personal data, the subject declares that they are aware of the following:
As per article 13 of the GDPR:
- I have the right to request access to My Personal Data (hereinafter “My Personal Data”) from the Administrator,
- I have the right to request the correction, deletion or restricted processing of My Personal Data, and to raise an objection against the processing, as well as the right to the transferability of the data,
- I have the right to file a complaint with a supervisory body. Thus, I am aware that I can also contact The Office for Personal Data Protection, registered office Pplk. Sochora 727/27, 170 00 Prague 7 - Holešovice, Czech Republic, directly with my suggestions in matters relating to personal data.
- The provision of My Personal Data to the Administrator may not be a statutory or contractual requirement, i.e. I may not be obliged to provide My Personal Data to the Administrator,
As per article 15 of the GDPR - right to access to My Personal Data:
- I have the right to obtain confirmation from the Administrator of whether My Personal Data is being processed or not and, if it is being processed, then I have the right to obtain access to My Personal Data and to the following information: a) purposes of the processing; b) categories of affected personal data; c) recipients or categories of recipients, with whom My Personal Data was or will be shared, particularly recipients in third countries or in international organisations; d) the planned period for which My Personal Data will be stored or, if it cannot be determined, the criteria used to stipulate this period; e) the existence of the right to request, from the Administrator, the correction, deletion or restricted processing of My Personal Data and/or raise an objection against this processing; f) the right to file a complaint with a supervisory body; g) all available information about the source of My Personal Data if it was not obtained directly from me; h) the fact that the automated decision-making, including profiling, set forth in article 22 paragraph 1 and 4 of the GDPR has occurred and, in these cases at least, meaningful information relating to the process used, as well as the significance and expected consequences for me of such processing.
- I have the right to be provided with a copy of My Personal Data which is processed by the Administrator. For additional copies, the Administrator may charge me a reasonable fee on the basis of administrative costs. If I submit the request in electronic form then the information will be provided in such an electronic form that is normally used, unless I ask for it to be provided in a different manner.
As per article 16 of the GDPR – right to the correction of My Personal Data:
- I have the right to have the Administrator correct inaccurate personal data which relates to me, without undue delay. With regard to the purposes of the processing, I have the right to have incomplete personal data supplemented via the provision of an additional declaration.
As per article 17 of the GDPR – right to the deletion of My Personal Data:
- I have the right to have the Administrator delete My Personal Data without undue delay, if one of the following reasons is given: a) My Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; b) I revoked this consent to the processing of My Personal Data and there is no other legal reason for the processing; c) I raised objections against the processing as per article 21 paragraph 1 of the GDPR, and there are no predominant legitimate reasons for the processing or I raised objections against the processing as per article 21 paragraph 2 of the GDPR; d) My Personal Data was processed illegally; e) My Personal Data must be deleted in order to fulfil the legal obligations stipulated in the law of the European Union or a Member State thereof, which relate to the Administrator. What is set forth under point h) will not be applied if the processing of My Personal Data is essential: a) for the exercise of the right to freedom of speech and information; b) for the fulfilment of a legal obligation which requires the processing as per the law of the European Union or a Member State thereof, which relates to the Administrator, or for the fulfilment of a task performed in the public interest or during the exercise of public authority, if the Administrator was entrusted with it; c) for reasons of public interest in the area of public health; d) for archiving purposes which are in the public interest, for the purposes of scientific or historical research or for statistical purposes in accordance with article 89 paragraph 1 of the GDPR; e) for the determination, exercise or defence of legal claims.
As per article 18 of the GDPR - right to the restricted processing of My Personal Data:
- I have the right to have the Administrator restrict the processing in any of the following cases; a) if I denied the accuracy of My Personal Data, for the period necessary for the Administrator to verify the accuracy of My Personal Data; b) the processing is illegal, and I would refuse the deletion of My Personal Data and request a restriction of its use instead or it; c) the Administrator no longer requires My Personal Data for processing purposes, but I would require it for the determination, exercise or defence of legal claims; d) I would raise an objection against the processing as per article 21 paragraph 1 of the GDPR, until it can be verified whether the Administrator’s legitimate reasons prevail over my legitimate reasons.
- If the processing is restricted as per point j) above then, with the exception of its storage, My Personal Data may only be processed with my consent, or for the determination, exercise or defence of legal claims, for the defence of the rights of another natural or legal person, or for reasons of an important public interest of the European Union or a Member State thereof.
As per article 19 of the GDPR - reporting obligation regarding the correction or deletion of My Personal Data, or restricted processing:
- The Administrator notifies the individual recipients to whom My Personal Data was made available of all corrections, deletions or restricted processing of My Personal Data, with the exception of cases where it is shown to be impossible or requires excessive effort. The Administrator only informs me about these recipients if I ask them to do so.
As per article 20 of the GDPR – right to the transferability of data
- Under the conditions of the aforementioned provision, I have the right to obtain personal data which relates to me and which I provided to the Administrator, in a structured, commonly used and machine-readable format, and the right to share this data with another administrator, without the Administrator to whom the personal data was provided preventing me from doing so.
As per article 21 of the GDPR – right to raise an objection:
- Based on reasons relating to my specific situation, I have the right to raise an objection against the processing of My Personal Data at any time, on the basis of article 6 paragraph 1 section f) of the GDPR, including profiling based on these provisions. The Administrator will no longer process My Personal Data if they do not demonstrate serious legitimate reasons for the processing, which prevail over my interests, rights and freedoms, or for the determination, exercise or defence of legal claims.
- I can exercise my right to raise an objection by automated means using technical specifications.
As per article 22 of the GDPR - automated individual decision-making, including profiling:
- I have the right not to be the subject of any decision based exclusively on automated processing, including profiling, which has legal consequences for me or which significantly affects me in a similar manner. This does not apply if the decision is: a) essential for the conclusion or fulfilment of a contract between me and the Administrator; b) permitted by the law of the European Union or a Member State thereof which relates to the Administrator and which also stipulates appropriate measures which protect my rights, freedoms and legitimate interests; c) based on my explicit consent.
As per article 34 of the GDPR – reporting of personal data security breaches
- If it is likely that a certain case whereby the security of My Personal Data is breached will result in a great risk to my rights and freedoms, then the Administrator is obliged to notify me of this breach, without undue delay.
- However, the notification as per the previous point q) is not required if any of the following conditions if fulfilled: a) the Administrator has implemented the appropriate technical and organisational protective measures, and these measures were used, particularly those which make My Personal Data incomprehensible for anyone who is not authorised to access it, such as for example encryption; b) the Administrator has implemented the following measures which ensure that the great risk to my rights and freedoms as per point q) above will probably not manifest itself; c) it would require excessive effort