Phare is incorporated as ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p.
We at ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p. are committed to processing personal data securely and respecting privacy of the concerned individuals.
This Personal Data Protection Policy (the “Policy”) describes ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p. internal rules for personal data processing and protection. The Policy applies to ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p., including ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p. employees and contractors (“we”, “us”, “our”, “Phare”). The management of each entity is ultimately responsible for the implementation of this policy, as well as to ensure, at entity level, there are adequate and effective procedures in place for its implementation and ongoing monitoring of its adherence. For the purposes of this Policy, employees and contractors are jointly referred to as the “employees”.
Privacy Manager is an employee of Phare responsible for personal data protection compliance within Phare (the “Privacy Manager”). The Privacy Manager is in charge of performing the obligations imposed by this Policy and supervising other employees, who subject to this Policy, regarding their adherence to this Policy. The Privacy Manager must be involved in all projects at an early stage in order to take personal data protection aspects into account as early as the planning phase.
The designated Privacy Manager at ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p. is Nicolas Beauvais.
Competent Supervisory Authority: means a public authority that is responsible for regulating and supervising personal data protection with regards to activities of Phare.
Data Breach: means a breach of the security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. This includes but is not limited to e-mails sent to an incorrect or disclosed list of recipients, an unlawful publication of the Personal Data, loss or theft of physical records, and unauthorized access to personal information.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines (make a decision) the purposes and means of the processing of Personal Data.
Data Processor: means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the data controller.
Data Protection Laws: mean any laws and legal rules on personal data use and protection applicable to the activities of Phare, including, but not limited to the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
Data Subject Request (DSR): means any request from the Data Subject and concerning their personal data and/or data subject rights.
Data Subject: means a natural person, whose Personal Data we process. Data Subjects include but are not limited to users, website visitors, employees, contractors, and partners of Phare.
Personal Data: means any information relating to an identified or identifiable Data Subject; a Data Subject can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or the combination of factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
Processing: means any operation or set of operations which is performed by Phare on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Standard Contractual Clauses: means the European Commission Decision of February, 5 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).
Third Party: means a natural or legal person, who accesses the Personal Data for further processing and is not an employee, member or corporate affiliate of Phare. This definition does not apply to natural persons, who provide services to Phare as contractors on a regular basis.
User: means a Data Subject who uses our services provided on Phare website.
Phare’s processing activities must be in line with the principles specified in this Section. The Privacy Manager must make sure that Phare’s compliance documentation, as well as data processing activities, are compliant with the data protection principles.
We must process the Personal Data in accordance with the following principles:
Lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency). We shall always have a legal ground for the processing (described in Section 3 of this Policy), collect the amount of data adequate to the purpose and legal grounds, and we make sure the Data Subjects are aware of the processing;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation). We must not process the Personal Data for the purposes not specified in our compliance documentation without obtaining specific approval of the Privacy Manager;
Adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization). We always make sure the data we collect is not excessive and limited by the strict necessity;
Accurate and, where necessary, kept up to date (accuracy). We endeavor to delete inaccurate or false data about Data Subjects and make sure we update the data. Data Subjects can ask us for a correction of the Personal Data;
Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (storage period limitation). The storage periods must be limited as prescribed by Data Protection Laws and this Policy; and
Process in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures (confidentiality, integrity, and availability).
We shall be able to demonstrate our compliance with Data Protection Laws (accountability principle). In particular, we must ensure and document all relevant procedures, efforts, internal and external consultations on personal data protection including:
The Privacy Manager must maintain Phare’s Records of processing activities, which is an accountability document that describes personal data processing activities of Phare, prepared in accordance with Art. 30 of the GDPR (the “Records of processing activities”). The Records of processing activities must maintain, at least, the following information about each processing activity:
Each processing activity must have one of the lawful grounds specified in this Section to process the Personal Data. If we do not have any of the described, we cannot collect or further process the Personal Data.
If Phare is intended to use personal data for other purposes than those specified in the Records of processing activities, the Privacy Manager must evaluate, determine, and, if necessary, collect/record the appropriate legal basis for it.
Consent. To process the personal data based on the consent, we must obtain the consent before the Processing and keep the evidence of the consent with the records of Data Subject’s Personal Data. The Privacy Manager must make sure that the consent collected from Data Subjects meet the requirements of Data Protection Laws and this Policy. In particular, the Privacy Manager must make sure that:
We have the right to use personal data in our ‘legitimate interests’. The interests can include the purposes that are justified by the nature of our business activities, such as the marketing analysis of personal data. For Phare to use legitimate interests as a legal ground for the processing, the Privacy Manager must make sure that:
If at least one of the above conditions is not met by Phare, the Privacy Manager must choose and propose a different legal ground for the processing, such as consent.
Legal Compliance and Public Interest. Besides the grounds specified afore, we might be requested by the laws of the European Union or laws of the EU Member State to process Personal Data of our Users. For example, we can be required to collect, analyze, and monitor the information of Users to comply with financial or labor laws.
Whenever we have such an obligation, we must make sure that:
Important: Where Phare has the law requirements of another country to process personal data, the Privacy Manager must propose using another legal ground for the processing under Data Protection Laws, such as legitimate interests or consent.
The employees must have access to the personal data on a “need-to-know” basis. The data can be accessed only if it is strictly necessary to perform one of the activities specified in the Records of processing activities. The employees and contractors shall have access to the Personal Data only if they have the necessary credentials for it.
Heads of the departments within Phare are responsible for their employees’ access and processing of personal data. The heads must maintain the list of employees that are entitled to access and process personal data. The Privacy Manager shall have the right to review the list and, where necessary, request the amendments to meet the requirements of this Policy.
Heads of the departments within Phare must ensure that the employees under their supervision are aware of the Data Protection Laws and comply with the rules set in this Policy. To make sure our employees are able to comply with the data protection requirements, we must provide them with adequate data protection training.
All employees accessing personal data shall keep strict confidentiality regarding the data they access. The employees that access personal data must use only those means (software, premises, etc.) for the processing that were prescribed by Phare. The data must not be disclosed or otherwise made available out of the management instructions.
The employees within their competence must assist Phare’s representatives, including the Privacy Manager, in any efforts regarding compliance with Data Protection Laws and/or this Policy.
When an employee detects or believes there is suspicious activity, data breach, non-compliance with Data Protection Laws and/or this Policy, or a DSR was not routed to the competent department within Phare, the employee must report such activity to the Privacy Manager.
Employees that are unsure about whether they can legitimately process or disclose Personal Data must seek advice from the Privacy Manager before taking any action.
Any occasional access to personal data for activities not specified in the Records of processing activities is prohibited. If there is a strict necessity for immediate access, the Privacy Manager must approve the access first.
Before sharing personal data with any person outside of Phare, the Privacy Manager must ensure that this Third Party has an adequate data protection level and provide sufficient data protection guarantees in accordance with Data Protection Laws, including, but not limited to the processorship requirements (Art. 28 of the GDPR) and international transfers compliance (Section 5 of the GDPR). Where necessary, the Privacy Manager must make sure that Phare enters into the appropriate data protection contract with the third party.
An employee can share personal data with third parties only if and to the extent that was directly prescribed by the manager and specified in the Records of processing activities.
If we are required to delete, change, or stop the processing of the Personal Data, we must ensure that the Third Parties, with whom we shared the Personal Data, will fulfill these obligations accordingly.
Whenever Phare is engaged as a data processor on behalf of another entity, the Privacy Manager must make sure Phare complies with the processorship obligation. In particular, the appropriate data processing agreement in accordance with the Data Protection Laws must be in place. The Privacy Manager must supervise the compliance with data processing instructions from the controller, including regarding the scope of processing activities, involvement of sub-processors, international transfers, storage, and further disposal of processed personal data. The personal data processed under the processor role must not be processed for any other purposes than specified in the relevant instructions, agreement or other legal act regulating the relationships with the controller.
If we have the employees, contractors, corporate affiliates, or Data Processors outside of the EEA, and we transfer Personal Data to them for the processing, the Privacy Manager must make sure Phare takes all necessary and appropriate safeguards in accordance with Data Protection Laws.
The Privacy Manager must assess the safeguards available and propose to the Phare’s management the appropriate safeguard for each international transfer. The following regimes apply to the transfers of Personal Data outside of the EU:
As a part of the information obligations, Phare must inform the Data Subjects that their Personal Data is being transferred to other countries, as well as provide them with the information about the safeguards used for the transfer. The information obligation is to be performed in accordance with Subsection 6.2.
In the exceptional cases (the “Derogation”), where we cannot apply the safeguards mentioned afore and we need to transfer Personal Data, we must take an explicit consent (active statement) from the Data Subject or it must be strictly necessary for the performance of the contract between us and the Data Subject, or other derogation conditions apply in accordance with the Data Protection Laws. The Privacy Manager must pre-approve any Derogation transfers and document the approved Derogations, as well as the rationale for them.
Privacy Manager is ultimately responsible for handing all DSR received by Phare. In the case of receiving any outstanding or unusual DSR, the employee must seek advice from the Privacy Manager before taking any action.
Customer Support within Phare is responsible for handling DSRs from Phare Users on a daily basis. The Human Resources department is responsible for handling the DSR from Phare employees.
All DSRs from the Users must be addressed at and answered from the following e-mail address: firstname.lastname@example.org. DSR from the employees can be addressed directly to the HR manager or at email@example.com.
The responsible employee must answer to the DSR within one (1) month from receiving the request. If complying with the DSR takes more than one month in time, the responsible employee must seek advice from the Privacy Manager and, where necessary, inform the Data Subject about the prolongation of the response term for up to two (2) additional months.
The responsible employee must analyze the received DSR for the following criteria:
Phare must notify each Data Subject about the collection and further processing of the Personal Data.
The information to be provided includes: the name and contact details of Phare; generic purposes of and the lawful basis for the data collection and further processing; categories of Personal Data collected; recipients/categories of recipients; retention periods; information about data subject rights, including the right to complain to the competent Supervisory Authority; the consequences of the cases where the data is necessary for the contract performance and the Data Subject does not provide the required data; details of the safeguards where personal data is transferred outside the EEA; and any third-party source of the personal data, without specification for the particular case (except if we receive the direct request from the Data Subject).
Phare must inform Data Subjects about data processing, including any new processing activity introduced at Phare within the following term:
The Data Subject must be provided only with those personal data records specified in the request. If the Data Subject requests access to all personal data concerning her or him, the employee must seek advice from the Privacy Manager first, to make sure all personal data of the Data Subject is mapped and provided.
A Data Subject has the right to:
The information we collect can be/become inaccurate or out-of-date (e.g., mistakes in nationality, date of birth, info on debts, economic activities). If we reveal that the Personal Data is inaccurate or the Data Subject requests us to do so, we must ensure that we correct all mistakes and update the relevant information.
The restriction of processing allows Data Subjects to temporarily stop the use of their information to prevent the possible harm caused by such use.
This right applies when the Data Subject:
In the case of receiving the restriction request, we must not process Personal Data in question for any other purpose than storing it or for legal compliance purposes until the circumstances of restriction cease to exist.
For the activities that require consent, the Data Subject can revoke their consent at any time. If the Data Subject revokes the consent, we must record the changes and must not process the Personal Data for consent-based purposes. The withdrawal of consent does not affect the lawfulness of the processing done before the withdrawal.
If we process the information in our legitimate interests, e.g., for direct marketing emails or for our marketing research purposes, the Data Subject can object against the processing.
In the case of receiving the objection request case, we must consider Data Subject’s request and, where we do not have compelling interests, stop the processing for the specified purposes. If the personal data is still to be processed for other purposes, the Privacy Manager must make sure that the database has a record that the data cannot be further processed for the objected activities.
The objection request can be refused only if the personal data in question is used for scientific/historical research or statistical purposes and was appropriately protected, i.e. by anonymization or pseudonymization techniques.
The Data Subjects have the right to request us to erase their Personal Data if one of the following conditions are met:
Conditions, under which we have the right to refuse the erasure:
Only those personal data records must be deleted that were specified in the request. If the Data Subject requests the deletion of all personal data concerning her or him, the employee must seek advice from the Privacy Manager first, to make sure all the data about the Data Subject is mapped and can be deleted.
If the User still has an account with us and requests the erasure of information necessary for maintaining the account, we must inform the User that the erasure will affect user experience or can lead to the closure of the account.
Data Subjects can ask us to transfer all the Personal Data and/or its part in a machine-readable format to a third party. This right applies in two cases:
To determine whether one of the p.6.9.1 conditions are met, the employee must seek advice from the Privacy Manager and check the applicable legal basis in the Records of processing activities. If the answer is negative, the request can be refused by Phare, and the Privacy Manager must decide whether to comply with the request on a voluntary basis.
To comply with the request, the responsible employee must consolidate requested Personal Data and send the data in the format we are usually working with to the requested organization. The Data Subject must provide the necessary contact details of the organization.
Notification to Privacy Manager
Before introducing any new activity that involves the processing of personal data, an employee responsible for its implementation must inform the Privacy Manager.
Upon receiving information about a new activity, Privacy Manager must:
To make sure that our current or prospective processing activities do not/will not violate the Data Subjects’ rights, Phare must, where required by Data Protection Laws, conduct the Data Processing Impact Assessment (DPIA), a risk-based assessment of the processing and search for the measures to mitigate the risks. The Privacy Manager must make sure the DPIA is conducted in accordance with this Section.
The Privacy Manager, where necessary, involving the competent employees and/or external advisors, must conduct a DPIA if at least one of the following conditions are met:
The assessment shall contain at least the following details:
Where the DPIA did not provide how to effectively address the risks, the Privacy Manager must initiate the consultation with the competent Supervisory Authority to receive help with searching for the solution. In this case, Phare must not conduct the activity before the Supervisory Authority approves the processing activity in question.
The Privacy Manager must make sure that Phare clearly defined the data storage periods and/or criteria for determining the storage periods for each processing activity it has. The periods for each processing activity must be specified in the Records of processing activities.
Each department within Phare must comply with the data storage periods in accordance with the retention schedule provided in Records of processing activities. The Privacy Manager must supervise each department and make sure they comply with this requirement.
After the storage period ends, the personal data must be removed from the disposal of the department responsible for the processing or, in cases where the data is not needed for any other purposes, destroyed completely, including from back-up copies and other media.
Whenever the storage period for a processing activity has ended, but the personal data processed is necessary for other processing purposes, the department manager must make sure that the personal data is not used for the ceased processing activity, and the responsible employees do not have the access to it unless required for any other activity.
The rules specified in Subsection 8.1 have the following exceptions:
Data retention periods can be prolonged, but no longer than 60 days, in the case that the data deletion will interrupt or harm our ongoing business. The Privacy Manager must approve any unforeseen prolongation;
Some information is technically impossible or disproportionally difficult to delete. For example, deletion of the information may lead to breach of system integrity, or it is impossible to delete the information from the backup copies. In such a case, the information can be further stored, subject to the approval by the Privacy Manager and making respective amendments to the Records of processing activities; and
The Personal Data can be further processed for any purposes (e.g., marketing) if we fully anonymize these data after the retention period is expired. This means that all personal identifiers and connections to them will be deleted from the data. To consider Personal Data anonymous, it must be impossible to reidentify the Data Subject from the data set.
Each department within Phare shall take all appropriate technical and organizational measures that protect against unauthorized, unlawful, and/or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of unauthorized persons regarding the personal data under their responsibility.
The employee responsible for the supervision after the security of personal data within Phare shall be System Administrator. This person implements the guidelines and other specifications on data protection and information security in his area of responsibility. He/she advises Phare management on the planning and implementation of information security in Phare, and must be involved in all projects at an early stage in order to take security-related aspects into account as early as the planning phase.
In case of revealing the Data Breach, CEO of Phare shall urgently form the Data Breach Response Team (the “Response Team”), which will handle the Data Breach, notify the appropriate persons, and mitigate its risks.
The Response Team must be а multi-disciplinary group headed by CEO of Phare and comprised of the Privacy Manager, privacy laws specialist (whether internal or external), and knowledgeable and skilled information security specialists within Phare or outsourcing professionals, if necessary. The team must ensure that all employees and engaged contractors/processors adhere to this Policy and provide an immediate, effective, and skillful response to any suspected/alleged or actual Data Breach affecting Phare.
The potential members of the Response Team must be prepared to respond to а Data Breach. The Response Team shall perform all the responsibilities of Phare mentioned in this Policy. The duties of the Response Team are:
The Response Team shall perform its duties until all the necessary measures required by this Policy are taken.
Phare shall inform the Competent Supervisory Authority about the Data Breach without undue delay and, where it is possible, not later than 72 hours after having become aware of the Data Breach.
The Competent Supervisory Authority shall be determined by the residence of the Data Subjects, whose information was involved in the Data Breach. If the Data Breach concerns the Personal Data of Data Subjects from more than one country, Phare shall inform all Competent Supervisory Authorities.
To address the notification to the authority, the Response Team should use Annex 1 to this Policy. Annex 1 contains all the necessary contact information of the EU supervisory authorities. If the Data Breach concerns Data Subjects from other than the EU countries, the Response Team shall ask a competent privacy specialist for advice.
The notification to the Competent Supervisory Authority shall contain, at least, following information:
To file a notification, the Response Team should use Phare’s Data Breach Notification Form to the Supervisory Authority.
When the Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects (e.g., stealing of funds, assets, proprietary information), we must also communicate the Data Breach to the concerned Data Subjects without undue delay. The Privacy Manager must determine if there is a high risk based on the risk factors specified in Subsection 7.2.3 of this Policy.
The notification shall contain the following information:
The notification to the Data Subjects should be carried out by the email letter or, where it is impossible to use the email, by other available means of communication.
We do not have to send the notification to the Data Subjects if any of the following conditions are met:
In the case we apply one of the exemptions, we must document the circumstances, reason for not informing, and actions taken to meet one of the exemptions.
In the case a Data Breach concerns the Personal Data shared with us or processed by us on behalf of a Third Party, we must also notify the Third Party about it within 24 hours. If we process the Personal Data as a Data Processor, the notification of the Third Party does not exempt us from the duty to mitigate the Data Breach consequences, but we must not inform the Competent Supervisory Authority and Data Subjects.
In case of receiving the notification about the Data Breach from the Data Processor or other Third Parties that have access to the Personal Data, CEO of Phare shall, in accordance with this Section: