You are here

Principles of personal data processing in CMI

Czech Metrology Institute hereby informs about the principles of processing of personal data within its organization and about the purposes and legal grounds on which it processes the personal data. It also provides information to persons whose personal data are processed (the data subject) about their rights in connection with the processing of personal data.

When processing personal data, the CMI proceeds according to the binding legal and internal regulations, with the emphasis on ensuring that access to personal data is always limited to authorized persons. Without the data subject's knowledge, personal data cannot be passed outside of the organization's structure, except in the cases of consent, and in cases where CMI's obligation stems from a legal regulation or is due to CMI's legitimate interest.

We ask you to read the below mentioned information on the principles of processing your personal data.

I. The controller of personal data

Czech Metrology Institute, ID: 00177016, registered office: Okružní 31, 638 00 Brno, the State Contributory Organization (hereinafter referred to as the "Controller") hereby informs about the purpose, scope, time and legal grounds of the processing of personal data of the data subjects, including access to them, and about the extent of the rights of the data subject related to the processing of personal data by the Controller.

II. Legislation, Definitions

The Controller processes personal data in accordance with the relevant legal regulations, i.e the Czech Personal Data Processing Act (No. 110/2019 Coll. - hereinafter "the Act") and with the Regulation of the European Parliament and of the Council No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter “the Regulation”). For purposes of the following principles the Controller gives the following definitions arising from Regulation:

  • personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
  • processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • pseudonymisation – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • recipient – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
  • consent of the data subject – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • processor - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  • erasure of personal data – physical destruction of medium of personal data, physical erasure of this medium or permanent exclusion from further processing;
  • restriction of processing – the marking of stored personal data with the aim of limiting their processing in the future;
  • personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • supervisory authority – an independent public authority responsible for monitoring the application of data protection requirements;

III. Purpose, rangeand period of processing of personal data

The controller shall process the personal data of the data subjects only to the extent necessary for the fulfillment of the intended purpose and only for the time necessary to achieve it but at the latest for the period stipulated by the relevant legal and internal regulations and in accordance with them.

The basic purpose of the processing of personal data by the Controller are:

  • the performing of activities of Controller which result from its Deed of Foundation (especially in the field of metrology);
  • concluding rental contracts for premises that the Controller temporarily does not need temporarily for its activity;
  • the conclusion of contracts and realisation of the operational activities necessary to ensure the running of the organization;

The controller processes personal data in the following range:

  • identification data: title, first and last name, or name and surname of the contract person;
  • address data: delivery address, phone number, e-mail address;
  • other personal details: bank account number, if it is necessary also documents about education and qualification of the customer's employees (e.g. for the purpose of certification of professional staff in the field of metrology);
  • special categories of personal data: are not processed

IV. Legal grounds for processing of personal data

The controller processes personal data on the basis of the following grounds:

  • performance of the contract (Art. 6 par. 1 subpar. a) of the Regulation);
  • compliance with a legal obligation (Art. 6 par. 1 subpar. c) of the Regulation);
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 par. 1 subpar. e) of the Regulation);
  • legitimate interests (Art. 6 par. 1 subpar. f) of the Regulation);

V. Access to the personal data

The personal data shall be accessed only by the Controller and the persons who are related to him in an employment relationship or processors under contract with the Controller, and only for the specified purpose of processing. Access and handling of personal data processed by the Controller are subject to the internal rules of the Controller.

The Controller can make the personal data of data subjects available to the third parties only in cases where he is authorized or allowed for that by the law, otherwise only with the consent of the data subject.

Processors of the personal data are mainly suppliers and service providers related to the operation of the Controller.

VI. Rights of the data subject

Each data subject has the following rights under the Act and the Regulation:

  • right of access (Art. 15 Regulation) – data subject has the right to obtain a confirmation from the Controller that he is processing his or her personal data and, if so, has the right to access such personal data;
  • right to rectification, right to erasure, right to restriction of processing (Art. 16, 17, 18 Regulation) - data subject has the right to ask the Controller for correction or addition of incorrect (incomplete) personal data, to request to erasure of personal data if there is no reason to process it (or the reason has been dropped), or to request to restriction of processing of personal data;
  • right to lodge a complaint with a supervisory authority (Art. 77 Regulation) - subject shall have the right to lodge a complaint with a supervisory authority if he or she considers that the Regulation has been breached by the processing of his or her personal data. In the Czech Republic the supervisory authority is the office for Personal Data Protection.

VII. Contact details for data subjects

To exercise the above mentioned rights, every data subject may contact the Controller in this manner:

By phone at +420 545 555 149, by e-mail at poverenec@cmi.cz or in writing at the address: Czech Metrology Institute, Okruží 31, 638 00 Brno, Czech Republic.