Controller of personal data and data subject
The controller of personal data is Baby Nest z.s., ID No.: 07874731, with its registered office at Petra Bezruče 887/41, Praha 8, 182 00, registered in the register of associations maintained by the Municipal Court in Prague, section L, file 71533 (the controller). It is possible to contact the controller in writing at the aforementioned address or via e-mail at firstname.lastname@example.org.
The data subjects are natural persons who provided the controller with their personal data on the basis of an agreement on providing childcare services in the children’s group or any other agreement entered into with the controller or on the basis of a consent with processing of personal data for the purpose of taking audiovisual records. The data subjects are, therefore, mainly children and their legal guardians. The data subject can also be a natural person whose personal data are acquired by the controller from other sources (e.g. providers of services for the controller, visitors of controller’s website etc.).
Scope of processing of personal data
The controller processes personal data to the extent that they are provided to the controller by the data subject or to the extent that the controller obtains them from other legal sources. The processed personal data are:
name and surname,
business name of a natural person,
place of residence,
place of business,
date of birth,
the health insurance company of a child,
information on the child's state of health, including information about vaccination,
child attendance records,
invoicing and delivery address,
ID No. and tax ID No.,
personal data obtained from cookies.
Purpose of processing of personal data
The controller processes the personal data of the data subject for the purpose of providing childcare services in the children’s group and the fulfilment of legal obligations according to valid legal regulation, especially the Act No. 247/2014 Coll., on providing childcare services in a children's group, as amended, or for the purpose of direct marketing (addressing existing or former customers with business offers of the controller pursuant to Act No. 480/2004 Coll.).
The business offers are sent by the controller only if the controller acquired the electronic contact of the data subject in connection with the sale of the controller’s products or services. The data subject has the possibility to unsubscribe in a simple manner and free of charge from the newsletter by sending an e-mail to email@example.com.
Evaluation of necessity of the processing
The controller pays attention to the privacy of the data subjects, and therefore, processes only personal data that are necessary for the intended processing purposes.
Legal basis of personal data processing
The legal basis of the processing of personal data is the fulfillment of an agreement, protection of the controller’s legitimate interests (protection of property, exercise of rights in court proceedings, direct marketing etc.) and fulfillment of legal obligation.
The legal basis for the processing of audiovisual records of children and their legal guardians is the consent to the processing of personal data.
Duration of processing of personal data
In case of processing of personal data for the purpose of performance of a contract the controller processes the personal data for the period of the duration of the relevant contractual relationship and subsequently for a further period of 10 years, taking into account the length of the limitation period for damages. In case of processing of personal data for the purpose of fulfilment of a legal obligation of the controller the controller processes the personal data for the period stipulated by legal regulation. In case the personal data are processed on the basis of a consent of the data subject the controller processes the personal data for the period of 10 years, unless the consent with processing of the personal data is withdrawn. This does not affect the obligation of the controller to process the personal data for the period determined by the relevant legal regulation or in compliance with it.
Personal data processed for marketing purposes based on a legitimate interest (obtaining an electronic contact in connection with the sale of the controller's product or service pursuant to Act No. 480/2004 Coll.) are processed by the controller for the duration of the contractual relationship with the data subject and subsequently for 3 years, unless such processing has been challenged by the data subject.
Withdrawal of consent with processing of personal data
If the data subject granted the controller consent to the processing of his/her personal data, the data subject has the right to withdraw his/her voluntarily given consent at any time and free of charge by sending an e-mail message to the e-mail address: firstname.lastname@example.org. The withdrawal of consent does not affect the lawfulness of the processing based on the consent given before its withdrawal. The withdrawal of the consent also does not affect the processing of personal data which is carried out by the controller on a legal basis other than consent (e.g. in particular if the processing is necessary for the performance of a contract, fulfilment of a legal obligation or due to other reasons stated in the valid legal regulation).
Access to personal data
The personal data can be accessed by the controller and in some cases also by third parties – the recipients who provide appropriate guarantees and whose processing complies with the requirements of applicable laws and which ensures the proper protection of the data subject’s rights. The recipients of the personal data are providers of accounting / payroll services and systems, IT system administrators, marketing service providers and public authorities to whom the controller is obliged to provide personal data (e.g. tax authorities).
The controller does not transfer personal data to third countries outside the EU or to international organizations.
Proof of identity of data subjects
The controller is entitled to require a proof of identity of the data subjects in order to prevent unauthorized persons from accessing the personal data.
Rights of data subjects in relation to the personal data
In relation to the personal data, the data subject has, in particular, the following rights:
a) right to withdraw his/her consent anytime;
b) right to correct or amend his/her personal data;
c) right to request restriction of processing of the personal data;
d) right to object to or file a complaint against the processing in certain cases;
e) right to data portability;
f) right of access to the personal data;
g) right to be informed about the breach of security of the personal data in certain cases;
h) right to erasure (“right to be forgotten”) in certain cases; and
i) further rights stipulated in the Act on Personal Data Protection, the Act on Processing of Personal Data and in the General Data Protection Regulation No. 2016/679.
What does it mean that the data subject has the right to object to processing
According to the Article 21 of the General Data Protection Regulation No. 2016/679 the data subject has, among others, the right to object to the processing of the personal data if the controller processes the personal data on the basis of a legitimate interest, including the processing for the purposes of direct marketing. The objection shall be filed with the controller on the e-mail address: email@example.com. In case that the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed by the controller in this scope.
More information about this right can be found particularly in the Article 21 of the General Data Protection Regulation No. 2016/679.
Obligation to provide personal data
The personal data are provided by the data subject voluntarily. The data subject has no obligation to provide them. The data subject faces no sanctions for not providing the personal data. However, if the data subject does not provide his/her personal data to the controller, it will not be possible to conclude and duly perform a contract between the controller and the data subject. Nevertheless, it is solely up to the data subject whether he/she wishes to enter into a contractual relationship with the controller or not.
Security of personal data
All personal data are secured by standard procedures and technologies. Personal data processed electronically are stored within the internal system and are accessible only to authorized users working with the personal data through devices secured by login and password. The controller uses a professional antivirus protection and firewall, which are regularly updated. The controller periodically checks the system for vulnerabilities and attacks, and uses security measures that can reasonably be required of the controller to prevent unauthorized access to the personal data provided and that provide sufficient security with respect to the state of the art. Personal data, which are processed in writing, are stored in the secure premises of the controller, to which only authorized persons have access. All security measures taken are regularly updated.
Even though the controller secures the personal data by appropriate technological and organizational measures, it is not objectively possible to fully guarantee the security of the personal data. Therefore, it is also not possible to absolutely ensure that no third party may gain access to the personal data, or that the data cannot be copied, published, changed or destroyed by a breach of security measures of the controller. However, the controller ensures that it does everything possible to keep personal data secure and regularly checks for security breaches.
To ensure the functionality and security of the https://www.babynest-nursery.com website, the controller uses the so-called cookies that are stored on the data subject's device.
This Privacy Notice is effective as of 21.6.2019