Principles of personal data processing

Information sheet about personal data protection and processing

In this document, we provide you information about your rights relating to personal data processing in the FINEP Group. While processing personal data, we comply with the legislation, in particular with the GDPR and Act on Personal Data Protection. Personal data processing always takes place in the scope of the given specific service or purpose of processing.

This document will be regularly updated.

We handle personal data with all due care and in compliance with the valid legislation. We provide the maximum possible level of protection for personal data using state-of-the-art equipment.

Strict rules apply in the FINEP Group determining which employee or department may be allowed access to personal data and which personal data they can process. We in principle do not pass on personal data outside the FINEP Group, with the exception of cases when we have consent to do so, when this obligation is imposed on us or in cases when the legislation or our legitimate interest allows us to do so (for example, in the case of suppliers or requests by the law enforcement authorities etc.).

We only process the personal data of children (i.e. people under the age of 18) if the child was initially represented by a parent or other guardian. The high standards of personal data protection which apply to personal data processing in our group also apply to children unchanged in scope. These standards are absolutely sufficient for processing the personal data of children. As parents or other guardians of the child, you are responsible for provision of data about the child being in compliance with their interests and for informing the child about processing of their personal data by us and their rights in a comprehensible manner.

We recommend that you read the information carefully. We have done our best to ensure that it is as easy-to-understand as possible. If despite this, anything is unclear, we will be happy to explain any terminology or passage to you. More details about personal data processing can be found at www.portfolio-restaurant.cz/personal-data-processing.

If you do not agree to the method in which we process your personal data, you can take the steps listed below to protect your rights.

Supervision of privacy and personal data is performed by:

The Office for Personal Data Protection
Address: Pplk. Sochora 27, 170 00 Prague 7
Tel.: 234 665 111 website: www.uoou.cz

Principles of personal data processing

Basic information about the administrator and the FINEP Group

FINEP HOLDING SE, with registered office at Havlíčkova 1030/1, Nové Město, 110 00 Prague 1, company ID number: 27927822, registered with the Municipal Court in Prague under file reference H 7 (hereinafter referred to only as “FINEP HOLDING”) is the joint administrator together with WELHAM, a.s. with registered office at Havlíčkova 1030/1, Nové Město, 110 00 Prague 1, company ID number: 27079601, registered with the Municipal Court in Prague under file reference 8559 B (hereinafter referred to only as “WELHAM”) within the framework of the holding, with which the data subject has entered into a contractual relationship (hereinafter referred to only as “Joint Administrators”).

The Joint Administrators of personal data hereby provide information about the method and scope of personal data processing, including the scope of rights of data subjects relating to processing of personal data by the Joint Administrators.

Purpose and scope of personal data processing

The Joint Administrators process personal data in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation) (hereinafter referred to only as the “GDPR”).

The Joint Administrators process personal data only for the determined purpose, in the scope determined below and for the period specified in the concluded contracts or in the respective legislation.

The Joint Administrators process personal data which is necessary for performance of contracts concluded between the administrator and data subject, for the purpose of implementation of the commercial relationship between the administrator and the data subject contained in the contract and for management of the relationship with the data subject. The administrator processes personal data on the basis of its legitimate interests, as well as on the basis of the legitimate interests of its partners and companies in the FINEP Group, if these interests are not outweighed by the interests, rights or freedoms of the data subject. The Joint Administrators also process personal data for analysis and improvement of the quality of their services, for market analysis and market research. The Joint Administrators will use personal data for creation of the relevant promotional campaigns and offers of the products and services of companies in the FINEP Group

Basic purpose of personal data processing

Purposes of personal data processing which personal data is designated for and legal basis for its processing:

• performance of contracts and provision of services
• ensuring operational activities
• accounting and tax purposes
• recovery of receivables
• meeting legal obligations
• direct marketing
• protection of property and people
• archiving kept by law.

Scope of personal data processing

The Joint Administrators process personal data in the scope in which it was provided to them by the data subject or which the administrator collected in another manner and which it processes in compliance with the valid legislation or for meeting of the legally determined obligations of the administrator. This in particular concerns the following categories of personal data:

• address and contact data, i.e. in particular name, surname, date of birth, personal ID number, address, place of birth, telephone number and other data,
• likeness,
• descriptive data, e.g. bank account number,
• other data arising from the specific contract or required by law,
• data provided above the framework of the respective acts processed within the framework of consent granted by the data subject (processing of photographs, use of personal data for the purpose of HR procedures, cookies etc.).

Rights of the data subject:

The Joint Administrators process personal data in a transparent, correct manner and in compliance with the GDPR. The data subject is entitled to access his/her data, to explanation and also has other rights if he/she believes that there is a problem with processing. The data subject may submit a complaint to the Office for Personal Data Protection.

The Joint Administrators hereby inform data subjects about their rights, these being as follows:

• the right to know the purpose of personal data processing,
• the right to know the categories of personal data in question,
• the right to know the recipient or categories of recipients of personal data,
• the right to know the period over which personal data will be stored,
• the right to request of the administrator correction or deletion of personal data or restriction of its processing and the right to raise objection to this processing,
• the right to submit a complaint to the supervisory authority,
• the right to all available information about sources of personal data if not obtained from the personal data subject,
• the right to withdraw consent to personal data processing at any time if personal data is processed on the basis of consent given,
• information as to whether automated decision-making occurs, including profiling,
• the right to be informed if the Joint Administrators intend to process the data provided for a different purpose than that which it was collected for,
• the right to refuse recording or monitoring of telephone calls with employees of the FINEP Group.

The data subject is entitled to not provide his/her personal data to the Joint Administrators. If provision of this personal data is obligatory (by law or on a contractual basis), the Joint Administrators hereby warn the data subject that they will not be able to provide him/her services.

Administrators and recipients of personal data:

Processors and recipients of personal data which is administered by the Joint Administrators are:

• companies in the FINEP Group,
• suppliers and service providers,
• financial institutions and banks,
• governmental and other authorities within the framework of meeting legally determined obligations.

Definition of the share of individual responsibilities of the Joint Administrators

The Joint Administrators have entered into an agreement in compliance with the provisions of art. 26 GDPR, on the basis of which they have mutually defined their responsibilities for meeting the obligations determined by the GDPR.

FINEP HOLDING meets the following obligations for both administrators:

• communication with the supervisory authority
• provision of information to data subjects about their rights, relating in particular to:
  • the identity of and contact details for the administrator,
  • the purpose of processing,
  • the legitimate interests of the administrator, if processing of personal data is necessary for the purposes of the legitimate interests of the administrator or a third party,
  • the existence of the right to submit a complaint to the supervisory authority about the period over which personal data will be stored,
  • the existence of the right to withdraw consent to personal data processing at any time,
  • information whether provision of personal data is a legal or contractual requirement and whether the data subject is obliged to provide personal data and also information about the consequences of failing to provide it.
  • information as to whether automated decision-making occurs, including profiling,
• conclusion of contracts with individual processors

The other administrator (the company with which the data subject entered into a contractual relationship) meets the following obligations for both administrators:

• provision of information to data subjects about their rights, relating in particular to
  • the existence of the right to request of the administrator access to personal data relating to the data subject,
  • the right to correction
  • the right to deletion
  • the right to restriction of processing
  • the right to raise objection
• handling of the above-mentioned rights of data subjects

The Joint Administrators hereby inform the data subject that he/she is entitled to exercise his/her rights in accordance with the GDPR with each of the administrators and towards each of them.

Handover of personal data to third countries

The Joint Administrators may hand over personal data to third countries outside of the European Economic Area, e.g. to the USA and Switzerland. If personal data is handed over to countries outside of the European Economic Area or to countries which do not have the appropriate level of protection in line with the valid legislation, in particular the GDPR and other EU regulations and national regulations on personal data protection, this handover shall be performed on the basis of an exception relating to the specific situation, or the Joint Administrators shall ensure that the appropriate guarantees are provided to ensure personal data protection in compliance with the GDPR, i.e. in particular in compliance with art. 42 para. 2 of the GDPR.

Camera system

The premises of the Joint Administrators are monitored by a camera system, a fact which visitors to the business premises are notified of. The purpose of personal data processing is monitoring of the defined premises. Processing takes place in accordance with art. 6 para. 1 f) of the GDPR, when the consent of the data subject is not necessary as processing is necessary for the purposes of the legitimate interests of the Joint Administrators or third parties and to ensure protection of the interests and basic rights and freedoms of the data subjects. The legitimate interests of the Joint Administrators and third parties are protection of the property of WELHAM, protection of the interests of FINEP Holding and protection of persons present on the monitored premises, checking the course of accidents at the workplace, the creation of damage, checking circumstances of theft of items from the workplace and intruders breaking into the WELHAM building.

Records from the camera system are stored for a period of 14 days and are then overwritten in an automatic loop. No audio recordings are made and no software is used for comparison of certain biometric characteristics of data subjects (e.g. characteristic movement or gait of data subjects).

What are “cookies”?

“Cookies” are small data files used as unique identifiers. Each cookie file is unique to your web browser. The cookie file contains anonymous information and is sent from the server of the website you are looking at to your computer or mobile telephone. It will be saved on your device and only that server will be able to search for or load the content of that cookie file. Cookie files which are sent may be sent back to the website servers with updated data while you browse the website. Cookies are used by the vast majority of websites to ensure their operation.

Cookie files may be set by the websites you visit (“our cookies”) or may be set by an organisation which is not the owner of the website you are browsing (“third-party cookies”). They may for example be set by another website which launches content on the website you are browsing or by an independent analytics company. The websites you visit may also include content inserted from other websites and these websites may also set their own cookies. Websites may use the advertising network of a third party for provision of targeted advertising. These cookies may have the option of monitoring your browsing of various websites.

Classification of cookies

Cookies can be divided according to who places them on the website for you, i.e. into:

• First-party cookies - their validity is limited to the domain of the website you are browsing. These cookies are regarded as safer.
• Third-party cookies - these are placed with the aid of a script from a different domain. The user can thus be tracked across domains. These are frequently used for evaluation of the effectiveness of advertising channels.

This website uses two types of cookies:

Short-term session cookies - session cookies are saved only temporarily during the browsing session and are deleted from your device once the browser is closed.

Long-term persistent cookies - This type of cookie is saved on your computer for a fixed period of time depending on your browser settings and cookie settings (usually a month, year or longer) and these cookies are not deleted once the browser is closed. Persistent cookies are used to identify you from one browsing session to another, for example for saving your preferences, so these will be remembered for your next visit. You can remove them manually.

How do we use cookies?

We use cookie files to improve your user experience by allowing the website to identify you, either for the duration of your visit (using session cookies) or for repeated visits (using third-party cookies). The cookies which we use may:

• be necessary for your movement around the site or provision of certain basic functions; or
• improve the function of our website, for example by saving your preferences. They record your choices (for example, your user name or selected language) and allow us to provide a personalised environment; or
• help us to improve the performance of our website allowing us to offer you a better user experience. The information provided using these cookies is anonymous and helps us to understand how our visitors use our website allowing us to improve presentation of our content. These services are generally provided by independent companies for measurement and research, so these cookies may be third-party cookies.

If we didn’t use cookies, our website would regard you as a new visitor every time you open a new page of our website - for example, if you enter your login details and move to another page, it would not recognise you and you could not stay logged in.

We need to use cookies to preserve the effectiveness of our website and to provide you a user-friendly environment. This is why it is not possible to block cookies individually and by continuing to browse our website and to use our online services, you consent to us placing these cookie files in your device.

Our website also uses cookies for behaviourally-targeted advertising which allows us to modify advertising and to ensure that it is relevant to you, this being on the basis of the areas you browse on our website and the geographical location of your IP address. These cookies are placed by the advertising networks of third parties with our consent.

What we use cookies for

We use the following cookies on our website:

• Technical - first-party, short-term. These ensure the basic technical functioning of the website, i.e. login, remembering settings and use of services etc.
• Statistical and diagnostic (e.g. Google Analytics) - first-party, long-term. These are used for generation of anonymous statistics about use of the website.
• Advertising - first-party and third-party. These are used for behaviourally-targeted advertising by interest. If adverts really have to be displayed (as the main revenue for the website and creation of its content) the user/reader should at least be shown offers which really might be of interest to them.

What to do if you don’t want to use cookie files

Consent to placing of cookie files is voluntary. If you so wish, you can block some or all cookie files or delete cookies which have already been set. Full details regarding management of cookies and options for blocking them in various types of web browsers can be found at wwww.aboutcookies.org, or

• https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies (for the Internet Explorer browser); or
• https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (for the Mozzilla/Firefox browser);
• https://support.google.com/chrome/answer/95647?visit_id=0-636535873837482984-3731587686&hl=en&rd=1 (for the Chrome browser);
• https://help.opera.com/en/latest/ (for the Opera browser);
• https://support.apple.com/en-gb/guide/safari/sfri11471/mac (for the Safari browser).

You must however realise that if you block or delete cookies sent from our website which are absolutely essential or which ensure functioning or performance, it may be impossible to use the website.

You can display the types of cookies used on our website and thus gain information on how to change the cookies settings or how to block the cookies used on our website.

Third-party websites

If you use the websites of our partners, a cookie file may be set by the websites you have visited. We do not operate these websites and thus have no control over distribution of these cookies. More information about these cookies can be found on the website of the respective third party.

WELHAM uses the following cookie files.

All of the above-mentioned cookies are used only for the purpose specified in this table.

Contact details

If you have any queries or if you would like to exercise your rights determined by the GDPR, the Joint Administrators hereby provide their contact details which the data subject can use to contact them.

E-mail:

gdpr@portfolio-restaurant.cz