Privacy policy and processing of personal data
Principles of personal data processing
Categories and characteristics of personal data processing
Records at Řezníček & Co. s.r.o., law firm
1. Name and contact details of the controller and any joint administrator, deputy controller and personal data protection officer
[Art. 30 (1) (a) GDPR]
- Administrator:
- Řezníček & Co. s.r.o., law firm
- Registered address: Krajinská 281/44, 370 01 České Budějovice
- Registered in the Commercial Register maintained by the Regional Court in České Budějovice, sp. no. C 6339
- Represented by:
- JUDr. David Řezníček, LL.M., Ph.D., Managing Director
- Contact:
- Email: recepce@reznicek.com
- Tel.: +420 386 323 247
- Website: www.reznicek.com
2. Identification of the relevant processing of personal data
[Art. 30 (1) (b) GDPR]
- Keeping client files — client agenda
- Records of employees and external collaborators (+ work reports)
- Performance of the role of Data Protection Officer
- Operation of a law firm, tax and accounting needs (through an external contractor)
- Online communication
3. Why (for what purpose) and on what legal basis are personal data processed?
[Art. 30 (1) (b) GDPR]
- Clients: Contract for the provision of legal services with data subjects — performance of the contract and performance of legal obligations arising from the regulations governing the exercise of advocacy; contract for the performance of the duties of the Data Protection Officer — performance of the contract and the performance of legal obligations arising from the regulations governing the performance of the duties of the officer.
- Third persons: Legitimate interest of the administrator — performance of the contract with the client; fulfilment of legal obligations arising from the regulations governing the exercise of advocacy and the performance of the duties of the officer.
- Staff: Employment contract, agreement to complete a job (DPP), agreement to perform work (DPČ) — fulfilment of obligations arising from contracts with employees and from the Labor Code and the Employment Act.
4. What personal data is processed?
[Art. 30 (1) (c) GDPR]
- Clients: Name, address, date of birth, birth number, marital status and family situation, financial situation, bank account, data on ongoing/terminated/imminent judicial/enforcement/administrative proceedings, data on possible criminal proceedings and criminal cases.
- Third persons: Name, address, date of birth, birth number, marital status and family situation, financial situation, bank account, data on ongoing/terminated/imminent judicial/enforcement/administrative proceedings, data on possible criminal proceedings and criminal cases.
- Staff: Name, address, date of birth, bank account, working hours, marital status, education, photo.
5. From what sources is the personal data obtained?
[Art. 30 (1) (c) GDPR]
- Clients: Data subjects, courts, administrative authorities.
- Third persons: Clients, data subjects, courts and court files, administrative offices, witnesses, experts, public registers, publicly accessible information (e.g. internet, periodicals, press).
- Staff: Data subjects.
6. Categories of recipients to whom personal data have been or will be disclosed
(including recipients in third countries or international organisations)
- Accountant (separate).
- We do not disclose personal data to recipients in third countries or within international organizations.
7. On what date and how is the personal data disposed of?
[Art. 30 (1) (f) GDPR]
Disposal is carried out according to our filing, archival and shredding rules.
Your personal data is processed and stored for the period strictly necessary to secure all rights and obligations arising from the relevant contractual relationship, for the period during which the controller is obliged to keep the personal data under generally binding legal regulations, or for the period for which you have given the controller consent to the processing. In other cases, the processing period follows from the purpose of the processing, in relation to which it must be reasonable, or is determined by the legislation on the protection of personal data.
- For the purpose of performance of the contract: for the duration of the contractual relationship and for a period of 10 years from the termination of the contractual relationship.
- For the purposes of fulfilling legal obligations: for a period established by the relevant legislation.
8. How is personal data updated?
[Art. 30 (1) (g) GDPR]
Personal data is updated on the basis of information from data subjects (e.g. when the client informs us of a change of contact details), from third parties, or from public sources (Internet, public registers, etc.).
9. Which documents and electronic records are processed?
(files, archives, IT systems, data storage) [Art. 30 (1) (g) GDPR]
- To manage the client's agenda, we use a system called SingleCase.
- For preparing working drafts of documents, we also use a shared disk of the attorneys and paralegals; access to this disk is protected by a password unique to each user.
- To manage the office, we use Microsoft Outlook.
- SingleCase is connected to the accounting system Well-being.
All three of these systems are standard products for law firms.
10. Is the law firm's environment (e.g. IT systems) regularly tested for security?
By internal or external consultants? [Art. 30 (1) (g) GDPR]
Yes, by external consultants, at least once every 12 months.
11. How is data encryption security ensured during client communication?
[Art. 30 (1) (g) GDPR]
Sensitive information is subject to increased protection during transmission. Special categories of personal data are encrypted or handed over in person when transmitted or communicated. Employee data is transferred to the external accountant by personal handover.
12. How is the security of data sharing with external parties ensured?
Have all external suppliers who process personal data concluded personal data processing contracts that provide adequate guarantees of protection? [Article 30 (1) (g) in conjunction with Article 28 GDPR]
Yes. We have concluded personal data processing agreements with the following suppliers:
- Accountant (separate)
13. Is irreversible data destruction within the database system ensured?
[Art. 30 (1) (g) GDPR]
Yes, data is irreversibly disposed of at the end of its life cycle, not just deactivated.
14. Is there a procedure for determining the rights of data subjects and for exercising them with respect to the data being processed?
Yes, anyone may submit a request electronically to the email address recepce@reznicek.com or in paper form in person at the reception of our law firm. Requests are processed within the prescribed time limits. Data subjects' rights may be restricted in some situations (e.g. non-disclosure of information to a counterparty, etc.).
15. Are authorised data subjects provided with prescribed information?
(in particular, the scope and purpose of the processing, the method of processing and to whom the data may be disclosed)
Yes, we provide information in the following form:
- on our website,
- in a contract with clients,
- in responses to requests from data subjects.
16. Do the technical means deployed and the organisational measures applied prevent accidental or unauthorised access to personal data?
(their alteration, theft, misuse, destruction or loss) [Article 30 (1) (g) GDPR]
Yes, we apply the following measures in particular:
- Only persons who work with the files or who are authorized to handle them have access to the processed files.
- Electronic files are stored on an encrypted computer; paper files are kept in cabinets separate from the rest of the documentation.
- Access to the offices is secured by several doors equipped with locks.
- The IT system is standard, tried and tested, used in a number of law firms. Access to the IT system is restricted according to the set management roles.
- The IT system is regularly tested and maintained.
17. Is the processed personal data transferred abroad or can it be accessed from abroad?
[Art. 30 (1) (e) GDPR]
Yes, exceptionally. We use the Model Contractual Clauses of the European Commission.
18. Are workers who have access to personal data trained? Do they have an obligation of confidentiality?
[Art. 30 (1) (g) GDPR]
- Yes, the training takes place at the start of the job and once every 18 months.
- Yes, workers who are not solicitors or associate lawyers (that is, they do not have a legal duty of confidentiality) have a confidentiality obligation in their employment contracts.
- We have contracts with external suppliers for the processing of personal data.
19. Rights of persons arising from the processing of personal data
Under the conditions set out in Art. 15 to 22 GDPR and Act No. 110/2019 Coll., on the processing of personal data, the data subject has the right to:
- RIGHT OF ACCESS to personal data processed by the Controller. This means that the data subject may at any time request confirmation of whether personal data relating to him or her are processed and, if so, for what purposes, to what extent, to whom they are disclosed, how long they will be processed, whether he or she has the right to rectification, erasure, restriction of processing or to object, from where the personal data were obtained, and whether the processing involves automated decision-making, including profiling, if any. The data subject also has the right to obtain a copy of his or her personal data; the first copy is provided free of charge, and a reasonable payment of administrative costs may be required for any further copies.
- RIGHT TO RECTIFICATION of personal data. This means that it is possible to request that personal data be corrected or supplemented if they are inaccurate or incomplete.
- RIGHT TO ERASURE of personal data processed by the Controller, if the purpose of processing has already passed or if the data are processed unlawfully by the Administrator. This means that personal data must be deleted if they are no longer needed for the purposes for which they were collected or otherwise processed, if consent is withdrawn and there is no further reason for processing, if there is an objection to processing and there are no overriding grounds for processing, if the processing is unlawful, or if erasure is imposed by a legal obligation.
- THE RIGHT TO RESTRICTION of processing of personal data. The data subject may request the restriction of the processing of his or her personal data until the disputed issues regarding the processing are resolved. This applies in particular if the accuracy of the personal data is denied; if the processing is unlawful but restriction of processing is requested instead of deletion; if the personal data are no longer needed by the contracting party for the purposes of processing; or if an objection has been raised to the processing. In that case the other party may only store the personal data, and further processing is subject to consent or to the data being needed for the establishment, exercise or defence of legal claims.
- THE RIGHT TO PORTABILITY of data. The data subject has the right to obtain the personal data which he or she has provided to the Controller on the basis of consent or for the performance of the contract and which are processed in an automated manner, in a structured, commonly used and machine-readable format and, if technically feasible, to have such data transmitted to another controller.
- THE RIGHT TO OBJECT to the processing of personal data. This means the possibility of filing a written or electronic objection to the processing of personal data. This right can be exercised either by registered letter sent to the address of the Controller's registered office or by electronic means to the e-mail address: recepce@reznicek.com.
The protection of privacy and personal data is overseen by the Office for the Protection of Personal Data.
