PRIVACY AND DATA PROTECTION Q&A
1. Who will be the controller of your personal data?
Two heads are better than one, as the saying goes – we put them together (and then some) to establish the law firm šafránek & staňkovský s.r.o., ID No. 213 84 983, with its seat at Slezská 1357/1, Vinohrady, 120 00 Praha 2, entered in the Commercial Register kept by the Prague Municipal Court in Section C, File No. 401180 (i.e., in what follows, “we”), and it is this firm that acts as the so-called controller of your personal data. Within the context of our firm, the primary person in charge of your personal data and its protection is managing director Mgr. Jan Šafránek, advokát, ČAK license No. 10934.
2. What are some basic concepts you should know about?
The following information on the processing of personal data (“Privacy Policy”) lays out how and why we will be collecting and processing your personal data. We won’t say data processing isn’t enjoyable in and by itself, but let us admit that we primarily engage in this activity because it is necessary. You won’t have to fear that we’ll misuse your personal data in any way whatsoever, but for peace of mind (and also because we are required under the law to do so), we should inform you about your rights in connection with the collection and processing of your personal data.
In order to avoid any misunderstandings, let’s first make clear what “personal data” means. Personal data is any data which can be used to identify you or which can be attributed to you as a natural person. All other terms used in this Privacy Policy have the meaning assigned to them in Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) or, as the case may be, in Czech Act No. 110/2019 Coll., on the processing of personal data, as amended (an important piece of legislation in the shadow of GDPR which we nonetheless shouldn’t neglect).
This is why you shouldn’t reveal any of your personal data to us if you don’t want us to make use of it as described in this Privacy Policy.
For completeness’s sake, we would like you to know that we may (and, subject to the terms set out below, will) collect and use your personal data within the following contexts in particular:
–
the provision of legal services;
–
an existing relation between you and our clients;
–
your interest in a collaboration with us, and its subsequent implementation;
–
the protection of our legitimate interests;
–
your visit of our premises at Slezská 1357/1, Vinohrady, 120 00 Praha 2;
–
your visit and use of our website; and a
–
the distribution of offers and other promotional messages on our part.
Mind you, if you would like to know where to get the finest ice cream in Prague or Brno, we’d love to tell you in person!
3. What’s good to know about the collection of personal data?
Like a veritable data hog, our law firm collects personal data directly from you, from our clients as well as their counterparties and representatives, but also from third parties (e.g. public authorities), from your employer, your business partners, or from sources and databases in the public domain. In this respect, we may collect not only current but also historic data, including your full name, information contained in contracts and other documents, identifying particulars, information on organizations and places of employment at which you entertained a presence, or official roles and positions held by you. Francis Bacon is said to have coined the phrase Opportunity makes the thief, and while we have no nefarious intentions, in our role as the data controller we may indeed use the opportunity to collect personal data throughout your communication and other interaction with us or our clients. We may process your personal data in particular in connection with any previous contact we’ve had with you, whether in person or over the phone, via e-mail, or more generally online. Nothing’s older than yesterday’s news, and it is of course in our interest to always only process up-to-date, accurate data – with this in mind, please keep us abreast of any changes to the personal data you communicated to us or otherwise let us process, by sending an e-mail to jan@safranekastankovsky.cz or a letter via regular mail or courier to our firm’s address below.
If you are interested in working for our law firm (which is quite understandable, and a career move we can only recommend) and to this end provide us with your personal data (whether directly or through a third party), we can promise you that we will only ever use this personal data within the context of our internal recruitment / candidate selection process, will never pass it on to anyone else, and will not misuse it for any other purpose. With that said, please note that in absolutely exceptional cases, we may be asked for disclosure by public authorities (e.g. by law enforcement), in which case we will have to accommodate such demand.
4. What’s good to know about the processing of personal data?
Above all, you should know that we only ever process a subset of your personal data – i.e., only those bits whose processing is mandatory or which we need for our functioning relationship. In particular, these are:
–
general identifying data (e.g. names, academic and job titles, your relation to our firm, to a specific lawyer, or to our clients);
–
contact information (e.g. postal address, e-mail address, phone number, databox ID);
–
financial information (e.g. payment data, in particular bank account numbers, data needed to make payments, invoices, etc.);
–
information pertaining to the use of our website (see the information on cookies below);
–
data which you made available to us so that you’d be able to avail yourself of our legal services and/or strike up a collaboration with us; ,
–
personal data which we obtain from our clients or their legal representatives in the course of performing under the engagement letter;
–
video footage from our CCTV system; and
–
any other personal data which you may provide to us at your sole discretion for a specific purpose.
Phew! This Privacy Notice has been quite a regulatory ride already; bear with us as we need to complicate matters a bit more: with respect to the above-described purposes of processing, we will process the following categories of personal data in the following manner:
In connection with the provision of legal and/or other services, we will primarily process your general identifying particulars, contact and financial details, and all data needed to provide legal services or other services, as well as any information needed for the performance we owe under the engagement letter (or the contract on the provision of non-legal services). The legal basis for such processing are the performance of our contract and compliance with our legal duties.
With respect to any relationship as may exist between you and our client, we primarily process your general identifying particulars, contact details (where necessary), and other information as needed for us to be able to render legal services to our clients. The legal basis for such processing is the performance under a contract (i.e., the engagement letter), and our clients’ legitimate interest in pursuing and defending their legal claims. If we process your personal data in connection with the enforcement of private-law claims or in connection with the protection of personal rights and freedoms, then this qualifies as a so-called protected interest under the above-mentioned Act No. 110/2019 Coll.; as a rule, in those cases we are under no obligation to assess the compatibility of data processing with the given purpose.
We want to believe you haven’t been put off by all these details and are still interested in working with us (or for us)! If you contact us by e-mail, we will primarily process your general identifying particulars, your contact details, and (if you wish to become a member of our team), your CV and your list of qualifications. The legal basis for data processing is in this case the offer to enter into a contract (and potentially the performance under such contract).
So as to protect our legitimate interests, we need to ask you for your identifying particulars when establishing contact with us. The processing of such data is indispensable for us to discharge our professional duties under the Advocacy Act (Act No. 85/1996 Coll.) and under Act No. 253/2008 Coll., on certain measures against the legitimization of proceeds from crime and the financing of terrorism, based upon which we may also ask for certain additional information and data, especially if we are in the position of what is known as the obliged person. Whenever you visit our website – like, for instance, right now! – we may process the personal data we collected through the use of cookies (assuming that you allowed cookies on your device). If you give us explicit consent, we may send you offers and other marketing communication – in our case, this will often take the form of information on new developments in the law, and the occasional piece of good-natured fun. Provided that you are already a client of ours (if so – you’ve made an excellent choice!), we may send you such marketing communication unless you’ve made clear you don’t wish to receive such communication. You can at any time unsubscribe by sending us e-mail to the address below.
5. What’s good to know about the storage of personal data?
We will never process your personal data for longer than absolutely necessary for the given concrete purpose. For instance:
–
If we process your personal data for the purpose of performing under the contract (engagement letter) made with you, then we will process your personal data for the duration of that contract and for ten years after its termination (in case we and you find ourselves at odds and need to defend our respective rights and claims in court); or
–
If we process your personal data to comply with our statutory duties, we will engage in the processing for as long as prescribed by law; or
–
If we process your personal data based on our legitimate interest, we won’t process such personal data for more than three years; or
–
If we process your personal data based on your consent, then we may do so for as long as it takes to attain the intended purpose, but in any case only until you revoke your consent or, as the case may be, death (or another circumstance) do us part. In this respect, we should let you know, for good measure, that the revocation of your consent has no bearing on the lawfulness of any prior data processing up to that moment.
One more from the ‛What’s good to know’ category: What’s good to know about personal data transfers and sharing?
While we will never sell your data or otherwise make any of it available to other commercial entities, we are allowed to share it with third parties in the following cases: (a) you specifically consented to such disclosure; (b) we are obliged under the law or under the rules of our profession to do so (e.g. according to AML legislation); (c) disclosure is indispensable for or in connection with the purposes of litigation, or for exercising or protecting legal rights; (d) we are under obligation to transfer your personal data to newly established entities or third parties in the wake of organizational changes or of a transfer of (part of) an enterprise; (e) we need to communicate your personal data to our clients, your employer, your professional advisors, our partners, or anyone else who has a legitimate interest; (f) we provide third parties (such as the operators of web browsers or analytics) with anonymized statistical data on visits to our website and related information on our visitors.
We may also provide your personal data to certain reliable third parties (such as IT service providers, expert advisors, auditors, providers of supplementary services) in connection with the contracts we’ve concluded with them.
Now, if someone makes us an offer that is too generous to refuse, we will gladly transfer your personal data… Just kidding, just kidding! As we’ve mentioned previously, we will never sell your personal data to anyone. Sadly, it may happen that we must provide your personal data to government agencies, the courts, or law enforcement (for free!). However, in such an event, we can promise that (unless we are prohibited from doing so by law or legal order) we will make every reasonable effort to notify you beforehand of any such mandatory transfer, and that we will leave no stone unturned to make sure that the scope of personal data thus revealed is as small as possible.
7. Could it happen that your personal data is being transmitted abroad?
It could – but only in absolutely exceptional cases, and then only if it is necessary for the provision of legal services to you, whereas any such data transmission is as a rule limited to the EU/EEA. If it should ever become necessary to transfer your personal data to a country outside the EU/EEA, we will only do so after a careful assessment of all related issues and potential risks; in such a case, we will timely notify you and keep you in the loop.
8. Will we share your personal data with anyone else?
As a rule and for the most part, no, we won’t. It may however be the case that our accountants or tax advisors may need some of your personal data, or individual attorneys, law firms, or other advisors and experts with whom we are engaged in a long-standing professional collaboration.
9. What kind of security measures are in place with respect to the processing of your personal data?
Let us assure you that we regularly review existing security measures and add new ones as needed, so as to ensure that your personal data (whether in digital or physical form) is stored safely and protected from unauthorized access, tampering, or disclosure. Our IT security policy is bolstered by a host of security standards, processes, and practices. Data is stored on premises with restricted and recorded access, or in electronic databases that are secured by managed access rights (login and password). Whenever we draw upon the services of data storage providers (including the operators of registers and archiving services), we insist that they conform to the relevant industry standards for information security. All our partners, employees, and service providers with access to confidential information are sworn to secrecy and must adhere to the principles of safe and responsible conduct, both online and offline.
Exchanging information over the internet is never entirely secure. Unless you let us know beforehand that you require certain specific security measures to be taken with respect to concrete data submitted by you to us, we will use standard e-mail and standard online communication services for the transfer of such data.
Last but not least, we should mention that prevention is extremely important when it comes to data security. The members of our team are upright citizens, god-fearing animal lovers, and card-carrying boy scouts, which is why we can promise that none of them will ever play online games or visit shady websites on any of the information technology or cell phones which we use to provide legal services.
10. What about a cookie?
the same name which web servers will store in your browser or on your end-use device when you visit a website. We’ll be honest and say that this is about the extent of our IT expertise in this particular area; for more information on cookies, we therefore refer you to our cookie policy which can be found
here.
11. Do you have any rights in respect of data processing?
Of course you do – quite a few! Under the above-referenced GDPR and local (domestic) privacy laws, you enjoy the following rights:
You may ask us for formal confirmation that we have been processing your personal data, for a copy of your personal data in our possession, and/or for the rectification of errors in your personal data. Under certain circumstances laid out in the GDPR, you may demand that we erase your personal data, or raise an objection against the processing of your personal data (e.g. when we process your data for the purposes of our legitimate interests). If we process your personal data based on your consent, note that you may revoke such consent at any time. Under certain circumstances, you moreover have the right to restrict the processing of your personal data, or to demand that we transmit your personal data to you or to specific third parties (data portability). Please contact us via e-mail (or snail mail) (using the addresses set out below) if you wish to exercise any of these rights of yours.
However, we need to draw your attention to the fact that, given the specific character of the legal profession and of the kind of data processing which it entails, we may be unable to accommodate certain requests in spite of trying our best, especially if your request concerns a specific legal claim which we have been defending.
12. Is this Privacy Policy cast in stone?
Far from it. We regularly review and update our policies so as to reflect the facts on the ground and the latest applicable legislation.
13. Are you an employee or associate of ours?
If so, we want you to know that all the information on the processing of personal data of staff and collaborating experts can be found in a separate document, available for inspection on the premises of our firm – but you probably knew this already.
14. Contact details and additional information
E-mail address: jan@safranekastankovsky.cz
Postal address: šafránek & staňkovský s.r.o., Mgr. Jan Šafránek, advokát, Slezská 1357/1, Vinohrady, 120 00 Praha 2.
If you have any doubt as to whether we have been properly discharging our duties concerning the processing of your personal data, you may escalate the matter and file a complaint with the competent supervisory authority, which in our case is the Czech Data Protection Office: Úřad pro ochranu osobních údajů, with its seat at Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, e-mail address: posta@uoou.cz, website: https://www.uoou.cz.