GDPR
PRINCIPLES OF PROCESSING AND PROTECTION OF PERSONAL DATA
I. Introduction
These principles and procedures for processing personal data have been prepared for you by us, Louda Auto a.s., Company ID: 46358714, with registered office at No. 166, 290 01 Choťánky, to inform you about how we collect, process, use, and protect your personal data, thereby helping to protect your privacy.
All handling of your personal data is carried out in accordance with applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), Act No. 127/2005 Coll., on electronic communications, as amended, and Act No. 480/2004 Coll., on certain information society services, as amended.
At the same time, we would like to clarify through this document on the principles of processing and protection of personal data the most important concepts and processes that we use to protect your personal data and answer any questions you may have regarding the collection, processing, and storage of your personal data.
II. Supervision
We pride ourselves on adhering to all established and binding rules and security measures when handling your personal data, and we hope that there will be no situations where you would be dissatisfied with our actions towards you.
In cases where you do not agree with the way we process your personal data, you can contact:
Office for Personal Data Protection
Address: Pplk. Sochora 27, 170 00 Prague 7
Phone: 234 665 111
Website: www.uoou.cz
III. Our Approach
We consider the protection of personal data to be fundamental and therefore pay great attention to it. You can be assured that we handle your personal data with due care and in accordance with applicable legal regulations, and that we protect it using technical and organizational measures appropriate to the current state of the art.
To fully understand how we protect your personal data, we recommend that you carefully read this document.
When processing your personal data, we adhere to the following principles:
- Principle of Legality, which requires us to process your personal data always in accordance with legal regulations and based on at least one legal basis.
- Principle of Fairness and Transparency, which imposes an obligation to process your personal data openly and transparently and to provide you with information about how it is processed along with information about who your personal data will be made available to (for example, in the case that we store your personal data on data storage – clouds – outside the European Union and the European Economic Area). This also includes our obligation to inform you in cases of serious breaches of security or data leaks.
- Principle of Purpose Limitation, which allows us to collect your personal data only for clearly defined purposes.
- Principle of Data Minimization, which requires us to process only personal data that is necessary, relevant, and adequate in relation to the purpose of processing.
- Principle of Accuracy, which requires us to take all reasonable measures to ensure the regular updating or correction of your personal data.
- Principle of Storage Limitation, which requires us to retain your personal data only for as long as necessary for the specific purpose for which it is processed (for example, for the duration of the marketing consent granted, unless revoked before the expiration of this period). Once the processing period or purpose of processing has expired, we will delete or anonymize your personal data, meaning we will modify it so that it cannot be linked to you.
- Principle of Integrity and Confidentiality (together with the availability and resilience of the systems that process it), which requires us to secure and protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. For these reasons, we take numerous technical and organizational measures to protect your personal data. At the same time, we ensure that only selected employees who need it for their work have access to your personal data.
- Principle of Accountability, which requires us to be able to demonstrate compliance with all the aforementioned conditions.
IV. Contacts for your inquiries
In case of any uncertainties regarding any part of this document, or if you have any questions or comments regarding the protection of your personal data, please do not hesitate to contact us:
a) in person or in writing at the registered office address
b) electronically at gdpr@louda.cz
V. Personal Data
Personal data refers to information that allows us to identify you. This means information that can be specifically attributed to you. Personal data does not include anonymous or aggregated data, which cannot be unequivocally linked to you.
We categorize personal data into:
- Basic Data, which includes, for example, your first name, last name, date of birth, ID card number (or other document), email address, phone number, home address, etc.
- Special Categories of Personal Data consist of sensitive personal data, which are highly personal in nature, capturing, for example, information about your health status.
Basic data is further divided into individual categories, an overview of which can be found in Article XV – Categories of Data.
VI. Legal Grounds for Processing Personal Data
We obtain your personal data from you and process it exclusively to the extent necessary for the fulfillment of the relevant purpose. The provision of your personal data is voluntary, and in cases where its provision is based on consent, you may withdraw that consent and request the deletion of the processed personal data under certain conditions – in more detail in Article X – Your Rights.
In some cases, such as the conclusion of a purchase contract for our goods or services, we need to obtain the necessary extent of personal data already at the time of your binding order for this goods or service. Without this data, we would not be able to meet your requests and conclude the relevant contract with you, particularly with regard to fulfilling our legislative obligations, but also with regard to protecting our legitimate interests.
Below, we list the legally defined grounds on which we are entitled to process your personal data.
The main grounds for processing your personal data include:
- Consent – you grant us consent for one or more specific purposes (for example, for the purpose of sending marketing communications and newsletters). To obtain consent for the processing of your personal data, we adhere to the following rules: i) consents for the processing of your personal data will always be collected separately, thus granting consent will not be part of the text of the contract or other agreement, ii) the text of the consent will always be understandable, iii) consent will only be granted upon your active action, meaning no fields will be pre-filled on your behalf, iv) you will grant consent separately for each purpose of processing.
- Contract Fulfillment – we need your personal data here for the purpose of establishing a contractual relationship and subsequent fulfillment thereof, or also prior to the conclusion of the contract (for example, an order preceding the conclusion of a purchase contract).
- Compliance with Legal Obligations – we need your personal data here for the purpose of processing it to fulfill our legislative obligations as a data controller.
- Legitimate Interest – processing your personal data is necessary for the purposes of our legitimate interests, except where your interests or your fundamental rights and freedoms override those interests.
Rather marginally, the following grounds for processing your personal data may apply:
- Protection of Data Subjects' Vital Interests – processing your personal data is necessary to protect the vital interests of you or of another natural person.
- Public Interest – processing your personal data is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority with which we, as the data controller, have been entrusted.
VII. Method of Processing Personal Data
The data controller and, if applicable, its processors process personal data manually (in printed and electronic form) and electronically by automated means.
VIII. Reasons for Processing Personal Data
It is necessary for us to base each processing of your personal data on a legal ground.
Below, we provide examples of situations in which we will most frequently request your personal data and the grounds for which we will do so:
- Ordering and Purchasing a Personal Vehicle – the legal ground will be the conclusion and fulfillment of the contract, or fulfillment prior to the conclusion of the purchase contract.
- Vehicle Servicing and Repairs – the legal ground will be the conclusion and fulfillment of the contract, or steps taken prior to the conclusion of the servicing contract and the provision of the service.
- Providing Financing – the legal ground will be fulfillment prior to the conclusion of the relevant contract (for example, assessing creditworthiness) and fulfillment of the contract for the purpose of financing the purchase of a personal vehicle and the mutual rights and obligations arising from this contract.
- Arranging Insurance – the legal ground will be the conclusion and fulfillment of the insurance contract.
- Downloading and Using a Mobile Application – the legal ground will be the conclusion of the contract and fulfillment of the contract regarding the use of the application.
- Marketing Purposes – the legal ground will be granting consent for the purpose of sending newsletters and marketing communications. In certain cases, marketing communications may be based on our legitimate interest, where consent is not required (e.g., mass recall actions, changes in business terms, etc.)
- Storing Cookies Necessary for the Functioning of the Website – the legal ground will be our legitimate interest, as storing cookies is necessary for the proper functioning of the website.
IX. Protection of Personal Data
We care deeply about the protection of your personal data, which is why we adhere to the technical and organizational measures outlined below to ensure the security of your personal data. These measures include:
- Physical Access Control – we store all data in a way that restricts physical access to it: the locations where it is stored are secured by technical means, and outside working hours the Administrator's premises are electronically secured and connected to a central monitoring station.
- Controlled Access (authentication) – no one may enter a system storing personal data without entering the appropriate password or passing further verification, so that only authorized persons can access the data.
- Access Control (authorization) – we have implemented measures that prevent unauthorized reading, copying, modification, deletion, or any other handling of the data by persons who have no business need for it.
X. Your Rights
The protection of personal data would not be complete if you did not have your rights regarding their protection. Below you will find a list of your rights related to the protection of personal data along with a practical explanation of their use:
- Right to Information on the Processing of Personal Data – This entitles you to obtain information regarding our full identification as the administrator of your personal data. You are also entitled to know the legal basis for processing (for example, fulfilling a contract), the purpose (for example, a contract for the purchase of our goods), and the retention period of your personal data. Before we start processing your personal data, we will always provide you with customer information regarding the handling of personal data and basic information about your rights. This information will be provided to you during your personal visit in paper form or, in appropriate cases, via email.
- Right of Access to Personal Data – This entitles you to request information from us about whether we are processing your personal data and, if so, to what extent. If you request it, we are also obliged to inform you of the purpose of processing, the recipients of the processed personal data, and any other related information, and to provide you with a copy of the personal data we hold about you.
- Right to Rectification – This allows you to request that we change any of your personal data that we process if there has been a change (for example, a change of surname, change of address, etc.). It is not our obligation as the personal data administrator to actively verify whether the personal data we hold about you is current and accurate; however, if you alert us to an inaccuracy, it is our duty to address your comment or request for rectification. Under the same conditions, you also have the right to request the completion of incomplete personal data.
- Right to Erasure – Also known as the "right to be forgotten," it requires us as the personal data administrator to delete your personal data in the following cases:
  - the purpose of processing has ceased,
  - you withdraw your consent to the processing of personal data and there is no other legal ground for processing it (for example, withdrawal of marketing consent, provided that you do not have a contractual relationship with us),
  - you raise an objection to the processing of personal data (provided that the objection is justified and there is no overriding legal ground for processing your personal data),
  - applicable legislation requires us to delete your data (for example, once a statutory retention period has expired).
- Right to Object – This is similar to the right to withdraw consent and applies when personal data is processed on the basis of legitimate interest (for example, for the purpose of protecting our property). You can also object if your personal data is processed for direct marketing purposes; such an objection is always upheld. In justified cases, your personal data will be deleted once your objection has been recognized, and we will no longer process it.
- Right to Data Portability – If you request the transfer of your personal data to another administrator, we are obliged to provide this data to you, or transfer it directly to the other administrator where technically feasible, in a structured, commonly used, and machine-readable format. You can exercise this right only if the processing is based on consent or a contract and is carried out by automated means (that is, electronically rather than in paper records).
- Right Not to Be Subject to Decisions Based Solely on Automated Processing – This means that if a decision with legal or similarly significant effects on you is to be based solely on automated processing of your personal data, typically an assessment of your creditworthiness before financing is granted, you have the right to obtain human intervention, to express your point of view, and to contest the decision.
XI. Administrator, Processor
As the administrator of personal data, we determine the purpose and means of processing your personal data.
Processing is any operation or set of operations performed on personal data, such as collection, processing, organization, structuring, etc.
As the administrator of your personal data, we are also responsible for complying with all obligations and principles related to the protection of personal data, primarily for their adequate protection. In the event of a breach of the security of your personal data, which we strive to prevent, we are obliged to report this fact to the Office for Personal Data Protection without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms.
If the breach of the security of your personal data is likely to result in a high risk to your rights and freedoms, we are also obliged to notify you directly, provided that we have your current contact information available.
The processor is the person to whom we, as the administrator, transfer your personal data and who handles it in accordance with the instructions we provide.
To ensure that your personal data is handled in accordance with applicable legislation and is provided with adequate security, we have entered into a written contract for the processing of personal data with the processor.
XII. Transfer of Personal Data Abroad
We do not transfer personal data abroad.
XIII. Data Subject
You are exclusively a natural person as the data subject; the legal regulation of personal data protection does not apply to legal entities, typically business companies, cooperatives, associations, etc.
If you would like to know when and under what conditions you can find out the extent of the personal data we process about you, or if you would like to have the personal data we process about you deleted, please read Article X – Your Rights, where the individual procedures and their conditions are explained.
XIV. Glossary of Terms
Sensitive Data - data that has a special nature, such as information about your health or biometric data that allows for the identification of a person (currently referred to by legislation as "special categories of personal data").
Cookies - a short text file that the visited website sends to the browser, which stores it and sends it back on subsequent requests. It allows the website to record information about your visit, such as your preferred language, other settings, or the fact that you are logged in, so that your next visit to the site can be easier. Cookies that are strictly necessary for the website to function are stored on the basis of our legitimate interest (see Article VIII); other cookies are stored only with your consent.
Legitimate Interest - the interest of the administrator or a third party, for example, in a situation where the data subject is a customer of the administrator, except in cases where the interests of the data subject or their fundamental rights and freedoms take precedence over these interests.
Personal Data - information about a specific, identifiable person.
Recipient - the person to whom the data is transferred.
Service - means any of the services we offer you.
Administrator - the person who determines the purpose and means of processing personal data; the administrator may assign processing to a processor.
Data Subject - a living person to whom the personal data relates.
Purpose - the reason for which the administrator uses your personal data.
Goods - is a product that you purchase from us, typically this will include, for example, a car, but also accessories or supplementary products.
Processing - an activity that the administrator or processor performs with personal data.
Processor - the person who processes personal data for the administrator.
XV. Categories of Data
Below you will find individual categories of personal data and a breakdown of specific data that we categorize under them, which does not mean that we will require all of this data from you.
Identification Data: first name, last name, maiden name, salutation, title before/after the name, gender, language, residence, place of permanent residence, date and place of birth, date of death, nationality, personal identifier (assigned by the company), type of document, diplomatic passport number, ID card number, company registration number, tax identification number, social security number, driver's license number, passport number, document validity, date and place of issue of the document, identity card photo, application login, date of record creation/cancellation, employee number, employer, job position, journalist accreditation number, signature.
Contact Data: correspondence address, workplace address, phone number, fax, email address, data box, social media contact information.
Psychological Characteristics: any information about nature/personality/mood.
Physical Characteristics: any physical characteristics (hair color, eye color, height, weight, etc.).
Risk Profiles: cyber risk, AML (anti-money-laundering) risk, anti-fraud risk, CFT (counter-terrorist-financing) risk, embargo risk, PEP (politically exposed person) status, other security risks.
Family and Other Persons' Data: marriage, partnership, marital status, number of children, household information, child's first and last name, child's date of birth, information about another person (relationship and other connections).
Descriptive Data: social status (student/employee/self-employed/unemployed), job functions and experience, skills, education, qualifications, lifestyle, habits, leisure and travel, membership in charitable or voluntary organizations, information about the area where the data subject lives, housing information, significant life events of the subjects (moving, obtaining a driver's license), health insurance code, firearms license (yes/no), left-handed/right-handed, EHIC card number, preferred dealer, copy of sick leave document, segmentation.
Copy of Personal Document or Other Public Document: copy of ID card, copy of passport, copy of disability card, copy of driver's license, copy of diplomatic passport, copy of technical certificate, personal identification number.
Data on Race or Ethnic Origin: racial or ethnic origin.
Political Opinions: political opinions.
Data on Religious Beliefs or Philosophical Convictions: religious beliefs or philosophical convictions.
Trade Union Membership Data: trade union membership.
Genetic Data: genetic data.
Biometric Data: biometric data (e.g., signature, photo, fingerprint).
Data Related to Criminal Judgments and Offenses or Related Security Measures: data related to criminal judgments and offenses or related security measures.
Health Data: physical health, mental health, risk situations and risk behavior, disability, blood type, healthcare data, data about sexual life or sexual orientation.
Salary and Similar Data: salary/remuneration, wage compensation, average earnings, bonuses/benefit utilization, wage deductions, method of wage payment, expenses, private account number, consumption of internal resources, insurance, taxes and contributions, taxpayer declaration, tax returns and documents, employee asset data.
Resumes, Cover Letters, and Records from Selection Procedures: CV, cover letter, records and results from selection procedures.
Data on Work Performance: job position, cost center, supervisor, working hours & public holidays, vacation, sick leave, maternity/paternity leave, career break, attendance, events, calendar, home office, teleworking, information about business trips and other changes in employment, daily program/timesheets, assigned devices and other values, ICT assets, number of hours worked, completed training, access rights, accident book, work performance for a third party, received and given gifts.
Evaluations and Related Communication: feedback from employees, responses in surveys, complaints/suggestions/proposals/requests/inquiries and their resolution, service requests, evaluation records, internal sanctions, self-assessment, personal goals and KPIs.
Other Identification and Contact Data of Employees: employee card number, access rights/ID2/user id, work email accounts, work phone number, passwords within internal IT systems, access/logs to internal IT systems - VPN connection, employee data from the group.
Transactional Data: bank account number, debit/credit card number, authorizations/powers of attorney, transaction date, transaction amount.
Trading History: transactions and contracts including related information, offers/demands for business opportunities, subject, date, place of transaction, reminders, information about group trading.
Business Profile: business profile derived from analytical modeling, VIP designation and similar, intention to purchase a vehicle (when, what, financing), interest in a test drive, solvency.
Data on Internal Control and Investigations: records from internal investigations, whistleblowing cases, internal system logs, logs related to internet usage/traffic, logs related to email services usage/traffic, logs related to telecommunications usage/traffic.
Camera System Records: records from camera systems.
Records from Entry Devices: records from entry devices.
Data on Movement in the Premises: data in the visitor book.
Photographs / Video: photographs, video.
Voice Records: voice records.
Communication, Interaction, and Profiles Derived from These Data: chat (instant messaging), conversations, email communication, behavior or browsing/clicking/searching and listening/viewing related to the internet/emails/media/apps, information obtained through feedback/surveys/comments/suggestions/complaints related to the administrator, consent/disagreement with the type or form of communication.
Technical Data about the Product: VIN, license plate, information about the use of the item (e.g., vehicle), vehicle ownership data, information about service visits, technical description of the item (e.g., vehicle color).
Location Data: location data based on GPS, beacon technology, location data derived from other operations (e.g., card payments at a merchant's premises).
Network Identifiers: MAC address, IP address, device fingerprint, cookies or similar technology browser information.
Data on Study Progress: class, field, grades, student evaluation, internship.