Personal Data Processing Policy

We Protect Your Personal Data

Within the organisation Central Bohemian Innovation Center, Association, Registration No.: 042 28 235, Strakonická 3367, Smíchov, 150 00 Praha 5 (hereinafter “SIC“), we are committed to protecting the personal data you provide. The protection of your personal data is important to us. When processing personal data, we comply with the applicable legal framework, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “Regulation“), which entered into force on 25 May 2018, as well as Act No. 110/2019 Coll. on the processing of personal data (hereinafter “DPA“), which transposes the relevant European Union legislation, builds on the Regulation, and, in order to fulfil everyone’s right to privacy, governs the rights and obligations relating to the processing of personal data. In this document you will find information about why, when, how and what personal data SIC processes. You will also find here how to contact us if you have questions regarding the processing of your personal data, or how to request the correction of your personal data, for example. The Personal Data Processing Policy may be amended and updated under certain circumstances. We therefore recommend that, in your own interest, you monitor this document and ensure you always have current information about its contents.

We recommend that you read this information carefully. We have done everything to make it as clear as possible. Should anything remain unclear, we are happy to explain any term or section to you.

You Can Contact Us at Any Time

• in writing at the address Středočeské inovační centrum, spolek, Strakonická 3367, Smíchov, 150 00 Praha 5,
• by email at gdpr@s-ic.cz
• by phone at +420 601 551 931, or
• in person at our registered office.

Useful Terms

We would like to explain some basic terms relating to the protection of personal data. We believe this will help you to better understand why SIC follows the chosen approach when processing personal data. For the purposes of these policies:

personal data

means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

sensitive data

means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or a natural person’s sex life or sexual orientation;

processing of personal data

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

restriction of processing

means the marking of stored personal data with the aim of limiting their processing in the future;

pseudonymisation

means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

filing system

means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

controller

means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

processor

means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

recipient

means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

third party

means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

consent of the data subject

means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

personal data breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

genetic data

means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person concerned;

biometric data

means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; and

supervisory authority

means the Office for Personal Data Protection of the Czech Republic.

Categories of Data Subjects

A data subject may in particular be:

• a customer of SIC, their employee or representative;
• a business partner of SIC, their employee or representative;
• another person who is in a contractual relationship with SIC;
• customers of SIC’s business partners;
• persons participating in competitions and events organised by SIC, or events in which SIC participates;
• visitors to SIC’s websites;
• an employee of SIC;
• a job applicant at SIC.

What Personal Data Do We Process?

We respect the principle of data minimisation. We only process personal data about you that we strictly need, or personal data that you provide to us with your consent beyond what is strictly necessary.

Below you will find the categories of personal data we process about you. A more specific scope of personal data processed for each purpose is set out in the following section “Why Do We Process Your Personal Data?”.

SIC processes the following categories of personal data:

• identification data: basic identification data (first name, surname, title); if you are self-employed, also registration number, registered address, VAT number;
• contact data: contact address, telephone number, email and other similar information;
• further data necessary for the performance of a contract: bank details;
• data processed on the basis of consent granted;
• transactional data and data on the use of our products and services: contract number or other contract identifier, information about the subject matter or performance of the contract, data on use of our services, transaction history;
• data arising from communication: data from the use of our websites;
• photographs in connection with the holding of educational events.

Why Do We Process Your Personal Data?

We process your personal data to the extent necessary for the relevant purpose – e.g. in order to be able to conclude and perform a specific contract with you. A number of legal regulations also impose an obligation on us to process data. For example, we must process many data items for archiving purposes. Some data we process because it is necessary for the protection of the rights and legitimate interests of SIC. Processing for this reason is, however, limited, and we carefully assess the existence of the legitimate interest. In all other cases, we process your data only with your consent.

Recruitment for Vacant Positions

For the purposes of recruitment for vacant positions at SIC, we collect your personal data through your CVs. We use this personal data for the purposes of the specific recruitment process and negotiations on the conclusion of a contract, and only for the duration of that recruitment process. Retention in the register of applicants after the conclusion of the specific recruitment process and subsequent communication in the event of a vacancy are subject to your consent.

Legal basis:

• negotiation for the conclusion of a contract,
• our legitimate interest,
• your consent.

Human Resources

SIC also processes the personal data of its employees. Information on the processing of employee personal data is set out in a separate document.

Contracts with Business Partners

For the purposes of concluding and performing contracts governing our cooperation with business partners, we may process basic identification and contact data of their employees or representatives.

Legal basis: conclusion and performance of a contract.

Dealings with Customers of SIC’s Business Partners and Contract Negotiations

The scope of personal data processed by SIC as a processor for the purposes of business partners as controllers arises from the requirements of business partners and the processing agreements concluded with them. This includes in particular: first name, surname, address, date of birth, signature, telephone number, email address.

The purposes for which SIC processes personal data include in particular: presenting contract proposals for conclusion, carrying out preparatory work leading to the conclusion of contracts, concluding contracts in the name and on behalf of the business partner, and managing the portfolio of contracts.

Legal basis: processing to fulfil the purposes of another controller.

Marketing and Customer Care

As part of marketing activities, commercial communications relating to SIC’s services may be sent in various forms, including by post, telephone, SMS, email, or social media. Processing for the purposes of direct marketing (e.g. sending emails to customers) may be considered processing carried out on the grounds of legitimate interest. Marketing activities on a larger scale are carried out on the basis of your consent.

In the case of registration for the purpose of receiving our newsletter, we process your email address on the basis of your consent for the purpose of sending information and news.

You may restrict marketing in writing or in person at our registered office or place of business. We would like to point out that if you restrict marketing, we may still use your contact details for purposes other than marketing.

Legal basis:

• your consent,
• our legitimate interests.

SIC Presentation and Media Communication

For the purposes of presenting SIC and media communication, SIC may organise or participate in various events at which photographs and videos are taken. These photographs and video recordings may subsequently be shared, for example, on social media, our websites, and potentially also on the pages of our partners and in other media. If you have objections to the processing of such photographic or video recordings by SIC, you may at any time raise an objection to such processing and we will take the necessary measures.

In the case of participation in events organised by SIC on the basis of your registration, we process your data on the basis of registration for participation in an event organised by SIC. You provide us with your personal data comprising first name, surname, email, and where applicable telephone number, the name of your employer, the sector in which you operate or your job title. In this case, we process your personal data on the basis of the performance of a contract, and where you provide us with consent to the taking of photographs, these are processed on the basis of your explicit and voluntary consent.

In the case of participation in events organised by SIC on the basis of ticket purchase, we process your personal data after submission of the ticket order. You provide us with your personal data comprising first name, surname, email, and where applicable telephone number, the name of your employer, the sector in which you operate or your job title, on the basis of the performance of a contract, fulfilment of legal obligations, and where you provide us with consent to the taking of photographs, these are processed on the basis of your explicit and voluntary consent. For events associated with ticket sales, these Personal Data Protection Policies are supplemented by the General Terms and Conditions for Ticket Sales.

Audiovisual recording in accordance with the legitimate interest of the controller without specific identification of the data subject. SIC is entitled to process audiovisual recordings or photographs from the course of its events. SIC hereby informs that at its events, such recordings may be made in which a specific data subject may be captured. However, every data subject has the right to raise objections to such processing.

Audiovisual recording with specific identification of the data subject. SIC processes such recordings on the basis of your explicit and voluntary consent. On the basis of such consent, SIC may capture your likeness. You thereby expressly consent to the capture of your image and personal expression and likeness also within the meaning of Section 84 et seq. of Act No. 89/2012 Coll., the Civil Code (hereinafter “CC”). Further use of such recordings and photographs may be in particular for marketing and communication purposes in relation to SIC’s activities and further organised events. Consent to such processing may be withdrawn at any time.

Where possible, we will inform you not only about the taking of photographs or video at the event, but also about where the photographs or video can be found (social media, websites, etc.). In the case where attendance is conditional on an invitation or registration, we will inform you in advance about the taking and use of photographs or video in this way.

Legal basis:

• performance of a contract,
• fulfilment of legal obligations,
• your consent,
• our legitimate interests.

In the case of educational events held by SIC, the processors may be UNIFER o.p.s., Registration No.: 024 46 987, and Comgate a.s., Registration No.: 279 24 505 (in the case of the Innoforum conference).

Websites and Further Communication

In general, you may visit SIC’s websites (www.s-ic.cz, www.innoforum.cz, www.meritcb.eu, www.startupnow.cz, www.pragueinnovationcircle.cz) without having to provide your identity or any other information about yourself. We may, however, process your IP address assigned to you by your internet service provider, your approximate location, the website from which you visit us, the websites you visit on our site, and also the date and duration of your visit. This information will allow us to improve the quality of our websites or our marketing services.

Legal basis: our legitimate interests.

Accounting and Taxes

We collect and process your identification and transactional data for the purpose of fulfilling our accounting and tax obligations to administrative authorities, as required by the Accounting Act, the Value Added Tax Act and other accounting and tax regulations.

Legal basis: fulfilment of obligations arising from legislation.

Exercise and Defence of Rights

In the event that we are required to enforce our claims through legal proceedings, or if we are parties to court proceedings that concern you, or if we are resolving a particular dispute with you out of court, or if you are able to provide important information for the resolution of a dispute, we will use, to the extent necessary, your identification data, data relating to the legal relationship with you, data relating to the performance of the contract, and any other data necessary for the protection of our rights.

Legal basis: our legitimate interests.

Beyond the above, any other personal data may be processed if you yourself voluntarily provide it to us. We reserve the right to destroy unsolicited personal data. In some cases, further processing of personal data may occur that goes beyond the purpose for which the personal data was originally obtained.

How Long Do We Retain Your Personal Data?

We will only retain your personal data for as long as is necessary to fulfil the purposes set out in these policies, or to comply with statutory obligations. The maximum period of personal data processing applied by SIC in relation to you is 10 years from the date on which the legal relationship between you and SIC was terminated, or 10 years from the end of the tax period in which the performance occurred. The obligation to retain identification and transactional data is imposed on us by the Accounting Act, the Value Added Tax Act and other accounting and tax regulations. We also archive your personal data for a period of 10 years on the grounds of our legitimate interests, particularly in the event that we would need to present evidence in legal proceedings, with regard to the statutory limitation periods under the Civil Code.

Data processed with your consent is retained for the period during which consent is validly granted. Where you have given us consent to process data for marketing purposes, we process your personal data for the duration of our contractual relationship and for a further 2 years after its termination. If you do not become our customer, i.e. no contractual relationship is entered into, we process your data for 5 years from the granting of consent. At the end of this period, we will ask you again to update your consent to the processing of your personal data. At any time during this period, you have the right to withdraw your consent or to change the scope of your consent by contacting us at the email address below. If you do not update your consent, the period for processing personal data expires or the basis for processing personal data ceases to exist, we will destroy the data. For the avoidance of doubt, consent itself and any change to or withdrawal of consent shall be retained on the grounds of our legitimate interests for the entire period of validity of the consent and for 10 years after it has ceased to be valid.

Data in contracts and invoices, the retention period for which is governed by the Accounting Act and other related legislation, is retained for the period specified by that legislation. Other personal data processed on the basis of statutory obligations is retained for the period required by the relevant legislation. If the period for processing personal data expires or the basis for processing personal data ceases to exist, we will destroy the data.

Are You Obliged to Provide Us with Personal Data?

The provision of data that you provide to us with your consent is voluntary. We require the provision of other data because their processing is necessary for the conclusion or performance of a contract, the fulfilment of our legal obligations, or the protection of our legitimate interests. If you do not provide us with such data, we cannot conclude the relevant contract with you or provide you with the relevant product or service.

Consent to the Processing of Personal Data

If we ask you for your consent to the processing of your personal data, the request for your consent, or the consent itself that we provide to you for review and signature or other confirmation, will be clearly formulated and will provide you with a reasonable basis for decision-making. You may withdraw your consent at any time through the contact details set out at the beginning and end of these policies, or through another means that will be communicated to you individually.

We only retain your personal data for the period necessary to fulfil the purposes described in these policies or the purposes of which you have been informed in another way. This means that once you give us your consent to the processing of your personal data, we will retain your data in accordance with your consent and/or until you withdraw your consent. Even in the event of withdrawal of your consent, however, we may retain some of your personal data for the period necessary to fulfil our statutory obligations and for the purposes of our defence in any legal proceedings. We will not share your personal data with third parties for their marketing purposes unless we have received your consent for these purposes. If you have given us such consent but later no longer wish to receive marketing materials from the third party, please contact the relevant third party directly.

Sources of Personal Data

Depending on the situation, we process data received from you at SIC, as well as data from publicly available sources and registers, and data obtained from third parties (such as our business partners).

Disclosure and Transfer of Personal Data

We generally manage your personal data within SIC. Where this is necessary to achieve one of the purposes set out above, particularly where an external party has the necessary professionalism and expertise in the given field, your data is processed by collaborating suppliers. If we engage another party to carry out a certain activity that forms part of our services, the processing of the relevant personal data may occur in the course of that activity. In some cases, these suppliers become processors of personal data. A processor is entitled to handle data exclusively for the purposes of the activity for which they were engaged by the relevant controller. In such a case, your consent is not required for the purposes of carrying out the processing activity.

Possible recipients of personal data include in particular:

• financial institutions;
• insurance companies;
• administrative authorities in the framework of fulfilment of statutory obligations imposed by the relevant legislation;
• our business partners;
• IT service providers;
• lawyers;
• auditors;
• providers of printing and postal services, including couriers.

Beyond the above, we transfer personal data outside SIC only where we have your consent or where required by legislation. Certain public administrative authorities are entitled to request information about you.

Security

We strive to ensure that the data entrusted to us is kept as secure as possible. To this end, we have implemented a range of technical and organisational measures to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access, and any other unlawful forms of processing.

We restrict access to your personal data to only those employees of SIC and suppliers of SIC who need that information for the purposes of processing it on our behalf and who are contractually bound to maintain the security and confidentiality of your personal data.

As already mentioned, in certain cases we transfer, or are required to transfer, personal data to third parties. In such cases, we choose trusted partners who we have ensured will maintain at least the same level of personal data protection as we provide at SIC. When transferring personal data to administrative authorities, we always use the most appropriate and most secure option offered by the relevant authority.

Automated Processing of Personal Data and Profiling

No automated processing or profiling takes place in the course of SIC’s activities.

Transfer of Personal Data to Third Parties

We do not sell, exchange or transfer personal data to third parties without a legal basis. We only transfer your personal data to trusted third parties who assist us in operating our websites or carrying out our business activities, provided the parties agree that this information is confidential.

Our authorised employees have access to your personal data. For specific processing operations that we cannot carry out internally, we use the services and applications of processors who also ensure compliance with GDPR and personal data protection regulations.

These are providers of the following platforms:

• Ecomail,
• Facebook,
• Google,
• Comgate, SimpleShop,
• MS Clarity.

As a recipient of the Smart Accelerator project co-financed by European Union funds, we are required to provide registration data for events (first name, surname, company/institution) in paper form also to the Ministry of Education, Youth and Sports of the Czech Republic; however, these are confidential (under the regime of so-called public-law processing of personal data).

Websites

You may visit SIC’s websites without having to provide your identity or any other information about yourself. We may, however, process your IP address, your approximate location, and also collect information regarding the use of our websites. This information will allow us to improve the quality of our websites or our marketing services.

What Are Cookies?

Cookies are small text files that websites store on your computer or mobile device when you begin to use them. They are used to remember your preferences and actions taken on those sites (e.g. login credentials, language, font size and other display preferences). This means you do not need to re-enter this data for a certain period of time.

Why Does SIC Use Cookies and Other Tracking Technologies?

Cookies and other tracking technologies may be used on our websites and applications in various ways, for example for the operation of the website, traffic analysis, or for advertising purposes. We use cookies and other tracking technologies primarily in order to be able to improve and enhance the efficiency of our services.

More Information About Cookies, Disabling Cookies

More information about what cookies are, how they work, how to manage or delete them, can be found on the website www.allaboutcookies.org. For specific information about cookies used on SIC’s websites, please see the table below.

In the settings of certain internet browsers (Internet Explorer, Safari, Chrome), it is possible to disable cookies and other tracking technologies. Further options for managing cookies are available on the website www.youronlinechoices.com/cz/vase-volby.

Should you decide to disable certain cookies, this may result in limited functionality or the ability to use the services offered through our website.

List of cookies used on this website