Directive for Processing Personal Data 247Gym
Constat s.r.o., Registration Number (IČO) 284 31 855, with its registered office at U smaltovny 1334/22, Holešovice, 170 00 Praha 7, registered in the commercial register maintained by the Municipal Court in Prague under the File No. C 141034 (“247Gym”)
1. General provisions
The aim of this directive is to regulate the procedure of authorized persons in the handling, processing and protection of personal data processed as part of 247Gym activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council ("Regulation") and other legal regulations governing the protection of personal data.
The principles stated here apply to all processing of personal data that occurs as part of 247Gym's activities. In particular, this concerns the processing of personal data of business partners, clients and employees of 247Gym (if any), processed by authorized persons of 247Gym, who represent 247Gym as the controller of this personal data during their processing.
Securing the protection of personal data is a high priority at 247Gym. Personal data is always handled within 247Gym in accordance with the Regulation and other legal regulations with the aim of ensuring their confidentiality and security. Personal data are always processed lawfully in the sense of Article 6 of the Regulation.
2. Definitions of main terms
Definition of terms under Article 4 of the Regulation
a) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
b) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
c) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
d) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. Nature of collecting and processing of personal data
247Gym collects and processes personal data used for unambiguous and unmistakable identification of the subject (identification data) and personal data enabling contact with the subject (contact data). The scope of processed data may differ for individual groups of subjects according to the purpose of processing. For individual subjects, 247Gym processes only those data that are necessary to fulfil the purpose of their collection. 247Gym does not collect and process sensitive personal data, with the possible exception of data processed for the purpose of fulfilling the obligations and exercising the special rights of the controller or data subject in the field of labour law and law in the field of social security and social protection.
For the purposes of this directive, identification data means, in particular, name, surname, date of birth, place of residence, ID number, invoicing data and password and, where applicable, tax identification number and ID number. For the purposes of this directive, contact data means, in particular, the telephone number, e-mail address, IP address, cookies and other similar information.
4. Subjects of personal data, source of personal data and purpose of processing
247Gym collects and processes personal data of the following groups of entities:
- 247Gym employees and job applicants within 247Gym (if any)
247Gym collects and processes identification and contact data of its employees for personnel, labour law, tax, social security, health insurance and other purposes according to special legal regulations, for the duration of the employment relationship and for the time necessary to fulfil 247Gym's legal obligations as an employer. The legal reason for these forms of processing is the fulfilment of an employment or similar contract, or the processing is necessary for the fulfilment of a legal obligation applicable to the administrator, for the purposes of its legitimate interests, or for the purposes of fulfilling the obligations and exercising the special rights of the administrator or the data subject in the field of labour law and law in the field of social security and social protection (consent to processing is not required) - purpose "ADMIN". The data is obtained exclusively from the data subjects.
In the case of job applicants, 247Gym collects and processes identification and contact data necessary to evaluate the subject's application and other communications. In the case of data provided by an active action of the subject towards 247Gym (e.g. by sending a CV or motivation letter), the data subject by this action requests the implementation of a measure – evaluation of the CV – before concluding an employment or similar contract with 247Gym in the sense of Article 6(1)(b) of the Regulation (consent to processing is not required) - purpose "ADMIN". The data is obtained exclusively from the data subjects.
- business partners, clients of 247Gym
247Gym collects and processes identification and contact data of its business partners and clients primarily for the purpose of fulfilling its contractual obligations and exercising its contractual rights. The legal ground for this form of processing is the fulfilment of the contract concluded with these entities (consent to processing is not required) - purpose "SML", and also the legitimate interest of 247Gym as the administrator of personal data based on previous contact, communication and cooperation with these persons (consent to processing is not required) - purpose "COM". The data is obtained exclusively from the data subjects. 247Gym further collects and processes identification and contact data for the purposes of satisfaction verification, evaluation and marketing (based on consent) - purpose "MKT".
If personal data is processed outside the Czech Republic, all legal regulations will be observed, and all obligations imposed by the relevant law will be fulfilled.
5. Authorized persons and their obligations when handling personal data
The following persons are authorised to handle personal data:
- executive
- employees assigned to the positions of administrative and technical workers, accountants, PR managers
- external partners authorized by 247Gym
- providers of administrative, accounting and marketing services
The executive of 247Gym is responsible for the overall operation of 247Gym, including the rules stated in this directive.
The executive, and authorized employees and other authorized entities as the case may be, are obliged to handle personal data exclusively for the purpose of fulfilling their work duties, and only to the extent necessary to fulfil the purposes for which this data is processed. They are obliged to do so in accordance with the obligations established by legal regulations, this directive and the instructions of the employer. They are obliged to protect personal data against change, destruction, loss, unauthorized transmission, other unauthorized processing, as well as other misuse. They are not authorized to make personal data available to third parties other than authorized persons.
The person entrusted with securing the protection of personal data stored on servers, on personal computers, including laptops, ensures that the data is protected in accordance with the current technical requirements for computer security.
If the authorized person is a person outside 247Gym or another person who uses third parties when performing tasks or providing services for 247Gym (the processor is not authorized to use these third parties during processing without the consent of 247Gym), 247Gym is obliged to transfer all obligations arising from this directive to these third parties and to obligate them to fulfil obligations to protect personal data and provide sufficient guarantees of personal data protection in the sense of Article 28 of the Regulation.
247Gym and the relevant authorized persons are required to keep records of processing activities; updated records are maintained by the 247Gym executive.
6. Security of processed personal data
Documents and digital recording media that contain personal data must be secured in the lockable premises of 247Gym, or in other places where it is possible to ensure their protection. This also applies to copies of documents containing personal data.
Data containing personal data that are stored on computers must be appropriately secured against free access by unauthorized persons, against change, destruction, loss, unauthorized transmission, other unauthorized processing, as well as other misuse of personal data.
All shared documents are provided via cloud providers, and data specifically via Microsoft Azure SQL. Data is encrypted both in transit and at rest. Encryption is used both on the data source and on the backup disks. Access to folders with personal data is allowed only to a limited and precisely determined number of people based on a personalized key (name and password, fingerprint, etc.). An authorized person is not permitted to share their passwords with other people or to leave their computer unattended while logged in. Furthermore, an authorized person is also prohibited from working with personal data on a computer to which an unspecified third party has access (e.g. remote access to the 247Gym system from unsecured home computers).
Authorized persons are responsible for fulfilling the obligations set out above, according to the scope of their authorizations arising from the employment contract, the employer's instructions or other contractual obligations towards 247Gym.
All employees and other providers are obliged to maintain the confidentiality of personal data and security measures, the disclosure of which would endanger the security of personal data. The obligation of confidentiality continues even after the end of the employment contract or other relationship, without a time limit.
If any of the authorized persons within 247Gym discovers information about a breach of personal data security (loss, leakage, increased risk, etc.), they are obliged to immediately inform the relevant 247Gym employee or 247Gym executive. 247Gym is then obliged, if possible, to inform the supervisory authority (Office for Personal Data Protection) about the incident within 72 hours. This obligation of 247Gym does not arise if it turns out to be unlikely that the breach would result in a violation of the rights and freedoms of natural persons. In the event that the consequence of the breach is a high risk of impact on the rights and freedoms of the data subject, the administrator is obliged to inform the data subject of the event as well.
7. Methods of processing personal data
- general terms
247Gym is obliged to do everything to ensure that only up-to-date and accurate data are collected, to the extent necessary to ensure the purpose of their processing. If the subject withdraws consent to the processing of personal data, the documents containing his personal data must be shredded, and if the data is in electronic form, the relevant records must be deleted; this does not apply in the case of documents or records that must be further archived in accordance with special regulations, or where the data must be further stored for the purpose of determining, exercising or defending legal claims.
- written form
Personal data of employees is contained in employment contracts. Personal data of business partners and clients are included in the relevant contracts or orders. The personal data of job applicants may also be included in written form if the applicant for a position in 247Gym has sent their documents, i.e. CV, motivation letter or other documents, in written form.
The physical carriers of personal data mentioned above are kept in a lockable place, to which only a limited circle of authorized persons has access.
- electronic form
Personal data of business partners and clients are usually processed only in electronic form. Personal data originally obtained from written sources and listed in the previous section are also processed in electronic form.
8. Authorization of data subject
With the exception of the cases mentioned, when the legal ground for the processing is other than consent to the processing of data from their subjects (consent to the processing is not required), 247Gym processes personal data exclusively with the consent of their subjects. In this sense, the subjects of personal data are entitled to withdraw their consent at any time.
247Gym provides the subjects of personal data with all information (instructions) about the purpose, methods and other characteristics of processing that are required by law. This information is also available from the executive of 247Gym.
Other rights of the subject of personal data based on the Regulation:
- Right of access to personal data: The data subject has the right to obtain from 247Gym confirmation as to whether it is processing his/her personal data and, if so, the right to access such personal data.
- Right to correction and erasure, or restriction of processing: The data subject has the right (in the cases specified by the Regulation) to ask 247Gym to correct or supplement incorrect or incomplete personal data, to request the deletion of personal data if the reason for their processing has ceased to exist or there is no reason for their processing, or to request the restriction of the processing of personal data in connection with the resolution of the circumstances of personal data processing at 247Gym.
- The right to object: The data subject has, for reasons relating to his/her specific situation, the right to object at any time to 247Gym against the processing of his/her personal data processed for the purposes of the legitimate interests of 247Gym or other persons (according to the Regulation); legitimate interests according to the Regulation may in particular include the protection of the rights and legal claims of 247Gym.
- The right to data portability: The data subject has (under the conditions set out in the Regulation) the right to obtain his/her personal data from 247Gym and transfer it to another personal data controller.
- The data subject may exercise his/her rights arising from the processing of personal data at any time by contacting 247Gym at the postal address listed above or by e-mail at info@247gym.cz.
- The right to file a complaint with the supervisory authority: In any matter related to the processing of personal data, if the data subject believes that the processing of his/her personal data has violated the Regulation, he/she has the right to file a complaint with the supervisory authority. For subjects residing in the Czech Republic, the supervisory authority is the Office for the Protection of Personal Data, based in Prague, Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.cz, phone: +420 234 665 111.
9. Implementation and control of compliance with the provisions of this directive and its revision
This directive has been adopted by the 247Gym executive within his authority and the rules set forth herein are binding on all 247Gym employees and other persons listed herein.
The authorized persons shall ensure the control of the fulfilment of the obligations arising from the provisions of this directive for the handling of personal data within the limits of their competence. Violation of employee obligations arising from this directive is considered a serious breach of work discipline and may be grounds for termination of employment.
The directive is revised when necessary, but at least once a year. The executive of 247Gym is responsible for revising and incorporating changes.
This directive is drawn up in Czech and English; in case of discrepancies, the Czech version shall prevail.
This directive becomes valid and effective on January 1, 2024.