This personal data protection policy (hereinafter referred to as the Policy) sets forth the basic principles for the processing of the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and determines the main personal data processing activities and data protection measures for undertakings operating under the direction and supervision of IBA Group a.s.
The purposes of this Policy are to ensure the protection of human rights and freedoms when processing personal data, including privacy rights and personal and family secrecy, and to align the organization's rules for personal data processing with the requirements of international law and the laws of the countries where the organization operates.
In its everyday business operations, IBA makes use of a variety of data about identifiable individuals, including data about:
- Current, past and prospective employees,
- Users of its websites,
- Other stakeholders.
While collecting and using this data, the organisation is subject to a variety of legislative acts that control how such activities must be carried out and the safeguards that must be put in place to protect the data.
IBA is committed to complying with the applicable laws and regulations related to Personal Data protection in the countries where the organisation operates. The Policy is reviewed annually and whenever significant changes take place within the organisation or in the relevant legislation.
The Policy is mandatory for all IBA's employees, both staff and contractors, and all organisational units, including separate subdivisions. The Policy also applies to other persons if they participate in the processing of personal data in the organisation, as well as in cases where personal data are transferred to them in the established order under agreements and contracts. The Policy applies to any personal data, regardless of the type of media on which they are recorded.
In this document, the following terms are used with their respective definitions:
Biometric personal data – information that characterizes the physiological and biological features of a person, which is used for his unique identification (fingerprints of hands, palms, iris of the eye, facial characteristics and image, and others);
Blocking of personal data – termination of access to personal data without its deletion;
Genetic Personal Data – information relating to a person’s inherited or acquired genetic characteristics, which contains unique data on their physiology or health and can be identified, in particular, through the study of their biological sample;
Controller – see Operator;
Anonymization of personal data – actions that make it impossible, without the use of additional information, to determine that personal data belong to a particular subject of personal data;
Processing of personal data – any action (operation) or set of actions (operations) performed with personal data, including the collection, recording, systematization, storage, modification, use, grouping or combination, depersonalization, blocking, distribution, provision, deletion of personal data;
Processor – see Authorized person;
Operator – a state body, legal entity, other organization or natural person, including an individual entrepreneur (hereinafter, unless otherwise specified, a natural person), that independently or jointly with other such persons organizes and (or) performs the processing of personal data and determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the legislation of the country where the data subject is located, the operator(s) or the specific criteria for determining them may be established by the legislation of that country;
Personal data – any information relating to an identified natural person or an identifiable natural person;
Provision of personal data – actions aimed at making personal data known to a certain person or circle of persons;
Dissemination of personal data – actions aimed at making personal data known to an indeterminate circle of persons;
Special categories of personal data (Special Personal Data) – personal data relating to race, ethnicity or nationality, political opinions, membership in trade unions, religious or other beliefs, health or sexual life, sexual orientation, administrative or criminal liability, and also biometric and genetic personal data;
Subject of personal data – a natural person in respect of whom personal data are processed;
Deletion of personal data – actions, as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which material carriers of personal data are destroyed;
Authorized person – a state body, legal person, other organization or natural person that, in accordance with an act of legislation, a decision of the state body that is the operator (controller), or an agreement with the operator, processes personal data on behalf of the operator(s) or for the benefit of the operator;
IBA companies – companies operating under the direction and control of IBA Group a.s., their head office.
The organisation is committed to observing the following principles with regard to personal data processing:
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('the lawfulness, fairness and transparency principle');
(b) collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes ('the purpose limitation principle');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('the data minimisation principle');
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, depending on the purposes for which they are processed, are erased or corrected without delay ('the accuracy principle');
(e) kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject ('the storage limitation principle');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('the integrity and confidentiality principle').
IBA is committed to complying with all of these principles not only in its current processing of personal data, but also when introducing new methods and systems of processing.
In respect of its activities as a controller, the organisation is ready to confirm compliance with the above principles to the supervisory authority upon request ('the accountability principle').
IBA determines the legal basis before the start of personal data processing as a controller.
If the organisation as a controller processes special categories of personal data, or data related to criminal convictions and offenses, the organisation identifies both a legal basis for general processing and separate conditions for processing these types of data.
IBA keeps reasonable, documented evidence of the legitimacy of the personal data processing, with respect of its activities as a controller, and makes the evidence available when it is necessary.
The organisation processes the personal data as a processor only on the basis of documented instructions from the controller governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. In this case, the controller determines the lawfulness of the processing.
There are six available legal bases for general processing of personal data. There are ten separate conditions for special category data processing. The options are described in the following sections.
When the collected and processed personal data are required to fulfil a contract with the data subject, explicit consent is not required. This will often be the case when the contract cannot be completed without the personal data in question, e.g., a delivery cannot be made without an address to deliver to.
When performing its role as a controller, the organisation processes special categories of personal data only if it has identified one of the following conditions for processing:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law of the country where the data subject is located does not allow the data subject to lift the prohibition on processing;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, provided that appropriate safeguards are ensured for the fundamental rights and interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another individual if the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are explicitly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
(i) processing is necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, provided that suitable and specific safeguards are ensured for the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes of the public interest, scientific or historical research purposes or statistical purposes, provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject.
IBA processes personal data related to criminal convictions and offenses only under the control of an official authority, or when the law of the country where the data subject is located permits such processing, and only where appropriate safeguards are provided for the rights and freedoms of data subjects.
The data subject has the following rights:
1/ The right to be informed.
Individuals have the right to be informed about the collection and use of their personal data.
2/ The right of access.
Individuals have the right to access their personal data.
3/ The right of correction.
Individuals have the right to have inaccurate personal data corrected, or completed if they are incomplete.
4/ The right of erasure (‘right to be forgotten’).
Individuals have the right to have their personal data erased.
5/ The right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data processing.
6/ The right of data portability.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
7/ The right to object.
Individuals have the right to object to the processing of their personal data.
8/ Rights in relation to automated decision making and profiling.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effect on them.
The organisation supports each of these rights with appropriate procedures that allow the necessary steps to be taken within the timeframes specified in Table 1.
Table 1 - Timescales for data subject requests.

| Data Subject Request | Timescale |
| --- | --- |
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right of correction | One month |
| The right of erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right of data portability | One month |
| The right to object | On receipt of objection |
| Rights in relation to automated decision making and profiling | Not specified |
IBA takes, or in some cases may take if necessary, a number of organisational and technical measures in its business activities to protect personal data from unauthorised or unlawful processing, as well as from accidental loss, destruction, damage or other illegal actions in respect of personal data. These measures include:
- adopting and implementing regulatory documents for the processing and protection of personal data;
- taking a ‘data protection by design and default’ approach, putting appropriate data protection measures in place throughout the entire lifecycle of the processing operations;
- putting in place written contracts with processors which process personal data on behalf of the organization;
- providing appropriate safeguards during the transfer of personal data to third countries;
- documenting its processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests;
- appointing a data protection officer (where necessary);
- adhering to relevant codes of conduct and compliance with certification schemes (where possible).
IBA transfers personal data to a third country or an international organisation only if the requirements of the law of the countries where the data subjects are located are fully observed, for example, if the transfer of personal data to that third country or international organisation is authorised by the regulatory body without additional authorisation by the supervisory authority because there is an adequate level of protection that meets the requirements of the law, or if the organisation receiving the personal data has provided appropriate safeguards that comply with the requirements of the law.
Before such a transfer, IBA makes sure that the level of protection of data subjects ensured by law will not be undermined as a result, including in cases of onward transfers of personal data from the third country or international organisation to controllers or processors in the same or another third country or international organisation.
Following such transfer, individuals’ rights must be enforceable and effective legal remedies for individuals must be available.
IBA ensures that all relationships it enters into that involve the personal data processing are regulated by documented contracts that include the specific information and conditions required by the law.
Contracts of the organisation include the following compulsory information:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the types of personal data and categories of data subjects;
- the obligations and rights of the controller.
Contracts of the organisation include the following compulsory terms:
- the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor must assist the data controller to ensure that data subjects exercise their rights in accordance with the law of the data subject location country;
- the processor must assist the data controller in meeting its obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller as requested at the end of the contract;
- the processor should contribute to audits and inspections, provide the controller with whatever information is necessary to confirm the processor's compliance with its obligations, and notify the controller immediately if it is asked to do something that infringes data protection legislation.
IBA as a controller only appoints processors who can provide "sufficient guarantees" that the requirements of the law of the data subjects' location countries will be observed, and the rights of data subjects will be protected.
The organisation adopts the principle of "data protection by design and default" and carries out appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights.
In essence, "data protection by design" means that IBA has integrated data protection into systems, services, products and business practices, from the design stage right through the lifecycle. The organisation only uses data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design. The organisation takes data protection by design into account when it purchases products for use in its processing activities.
In turn, 'data protection by default' means that IBA, in respect of its activities as a controller:
- specifies the minimum set of personal data required to achieve specific processing purposes before the processing starts;
- appropriately informs the data subjects;
- only processes the data necessary for processing purposes;
- does not process additional personal data until the data subject authorises it to do so;
- ensures that personal data is not automatically available to others until the data subject allows it;
- ensures that personal data is automatically protected in any IT system, service, product and / or business practice, so that individuals do not have to take any specific actions to protect their privacy;
- offers strong privacy defaults, user-friendly options and controls, and respects user preferences.
The organisation takes into account the use of techniques such as pseudonymisation where applicable and appropriate.
IBA Group a.s. is the main establishment for the organisation and makes the main decisions as to the purposes and means of processing performed by the organisation as a controller. Thus, the supervisory authority of IBA Group a.s. acts as the lead supervisory authority for cross-border processing performed by the organisation.
The DPO of the main establishment acts as a contact person for the lead supervisory authority on issues related to the personal data processing.