Privacy policy

pursuant to Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), Act No. 110/2019 Coll., on Personal Data Processing, as amended, and related legislation

INTRODUCTORY STATEMENT

Dear Sir or Madam,

The partners of the law firm PRŮCHOVÁ & PELÁN, Mgr. Jana Průchová, Attorney at Law, and
Mgr. Marek Pelán, Attorney at Law, hereby provide you, through this Privacy Policy, with
detailed information on the rights and obligations arising from the GDPR in relation to the protection of your personal data, as well as information on how personal data are handled and processed, in particular for what purposes. We also wish to inform you of your rights in the area of personal data protection and the ways in which these rights may be exercised.

Thank you for your trust.

On behalf of the Law Firm PRŮCHOVÁ & PELÁN

Mgr. Jana Průchová, Attorney at Law

Mgr. Marek Pelán, Attorney at Law.

1. INTRODUCTION

1.1. The purpose of this Privacy Policy (“Policy”) is to provide a detailed explanation of the conditions under which personal data are processed by the data controller, the law firm PRŮCHOVÁ & PELÁN, namely Mgr. Jana Průchová, Attorney at Law, Company ID: 032 66 753, registered office at Drtinova 467/2a, 150 00 Prague 5, Czech Republic and Mgr. Marek Pelán, Attorney at Law, Company ID: 119 41 626, registered office at Drtinova 467/2a, 150 00 Prague 5, Czech Republic (jointly “the Controlle”), in the course of providing legal services and operating the website www.pruchovapelan.cz ( “the Law Firm´s Activities”).

Data controller hereby determines the purposes and means of the processing of personal data within the scope of the Law Firm´s Activities. The Controller has not appointed a Data Protection Officer.

1.2. WHEN WE PROCESS PERSONAL DATA

Personal data are processed only to the extent necessary for the Law Firm’s Activities, in particular where:

  • you are our client or a prospective client,
  • you contact us via a web contact form, telephone or email,
  • you visit our website,
  • you attend professional events, seminars or consultations organized by us,
  • you subscribe to our newsletters or have granted us marketing consent,
  • you apply for employment or other forms of cooperation,
  • you act as an opposing party in legal or judicial proceedings.

2. PERSONAL DATA

2.1. In the course of the Law Firm’s Activities, personal data of clients or prospective clients (including website visitors or persons contacting the Controller) who are natural persons are processed, including self-employed individuals (jointly the “Data Subject”). Personal data mean any information relating to an identified or identifiable natural person. Personal data therefore include any information that identifies or may reasonably be used to identify you (the “Personal Data”).

2.2. Special Categories of Personal Data :

2.2.1. In the provision of legal services, it may be necessary to process special categories of Personal Data within the meaning of Article 9 GDPR, in particular data relating to health, family circumstances or social situation, where required by the nature of a specific case. The legal basis for such processing is Article 9(2)(f) GDPR, as the processing is necessary for the establishment, exercise or defense of legal claims.

2.2.2. In justified cases, Personal Data relating to criminal convictions and offences within the meaning of Article 10 GDPR may also be processed, such as extracts from criminal records or documentation from criminal proceedings. Such processing is lawful under Czech law, in particular pursuant to Act No. 85/1996 Coll., on the Legal Profession (“Act on the Legal Profession”), and Act No. 253/2008 Coll., on Certain Measures against Money Laundering and Terrorist Financing (“AML Act”).

3. PURPOSES AND LEGAL BASES OF PROCESSING

3.1. Website Contact Forms

If you contact us via a website contact form, we process your identification and contact details, as well as the content of your message, on the basis of our legitimate interest in handling and responding to your enquiry. Such Personal Data are retained only for the period necessary to respond to the enquiry and subsequently for a period of 1 year for the purposes of any follow-up communication. Where the enquiry relates to the conclusion of a contract, the processing is based on pre-contractual steps.

3.2. The Legal Bases for Processing of Personal Data are:

  • performance of a contract – Article 6(1)(b) GDPR,
  • compliance with a legal obligation – Article 6(1)(c) GDPR,
  • legitimate interest – Article 6(1)(f) GDPR,
  • consent – Article 6(1)(a) GDPR.

3.3. Purposes of Processing are:

  • performance of the Law Firm’s Activities, in particular the provision of legal services to the client pursuant to Act on the Legal Profession, and the exercise of rights and obligations arising from the contractual relationship between you and the Controller (whether concluded orally or in writing); for the proper performance of the Law Firm’s Activities, the processing of Personal Data necessary for the successful provision of services and performance of the contract, as well as for the issuance of accounting documents, unilateral termination of a contract, revocation or termination of a power of attorney, handling of complaints, and for the fulfilment of statutory obligations arising in particular from Act No. 563/1991 Coll., on Accounting, as amended, and AML Act; without the provision of such Personal Data, it is not possible to conclude a contract or to perform it on the part of the Controller;
  • sending of commercial communications and other marketing activities based on your consent pursuant to Article 6(1)(a) GDPR or within the framework of direct marketing based on the Controller’s legitimate interest pursuant to Article 6(1)(f) GDPR;
  • participation in professional events and seminars and the taking of photographs or short recordings. Where the Controller organizes or participates in professional events, photographs or short recordings documenting the course of the event may be taken on the basis of the Controller’s legitimate interest and used for the promotion of the Law Firm’s Activities, in particular on the website or in professional publications. Active use of such materials is limited to a period of 3 years from the date of the event. If you do not wish to be captured in such materials, you may notify us at any time during the event or exercise your right to object to the processing;
  • compliance with the Controller’s legal obligations, in particular in relation to accounting, or for the conduct of judicial or other legal proceedings.

3.4. Where it is necessary to process Personal Data for purposes other than those set out above, such processing shall be carried out only on the basis of your additional consent.

3.5. You may withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

3.6. The Controller is also bound by strict professional confidentiality obligations pursuant to Act on the Legal Profession.

4. Applicants for Employment or Cooperation

4.1. When you submit a CV or an offer of cooperation to the Controller, your identification data, professional profile and contact details are processed for the purpose of taking steps prior to the conclusion of a contract. Such Personal Data are retained for the duration of the recruitment or selection process and for a period of 1 month following its completion. Where you grant your consent to further retention, the Personal Data may be retained for a maximum period of 3 years for the purpose of potential future cooperation.

5. Website Visitors and Cookies

5.1. The website uses technical (strictly necessary) cookies to ensure its proper functionality, which may be used without your consent. Analytical or marketing cookies are used only on the basis of your consent provided via the cookie banner. You may withdraw such consent at any time through the cookie settings available at the bottom of the website.

6. Transfer of Personal Data to Third Parties

6.1. Personal Data are processed by the Controller by automated and manual means, either directly by the Controller, its employees, or by persons acting as processors. Processing is also carried out using information technology systems.

6.2. Personal Data are disclosed to third parties only where necessary for the provision of legal services, fulfilment of legal obligations, or on the basis of your consent.

6.3. Recipients of Personal Data may include persons:

  • involved in the execution of payments under contractual arrangements,
  • state authorities and public bodies,
  • employees and cooperating persons bound by confidentiality obligations (in particular pursuant to the Act on the Legal Profession), as well as bailiffs or notaries,
  • accountants and tax advisors,
  • providers of marketing services, within the scope of these Policy.

6.4. In order to ensure the provision of high-quality services, the Controller may also use external partners and advisors (such as accountants or legal consultants). In such cases, certain Personal Data may be transferred. External suppliers act either as independent controllers or as processors and are bound by contractual obligations to comply with strict data protection standards. For such processing, consent is not required while it is permitted directly by applicable law. The Controller carefully selects its suppliers based on strict criteria.

6.5. Personal Data may also be disclosed to public authorities authorized to obtain such data under applicable legislation (typically tax authorities). Any processing by such authorities must comply with applicable data protection rules and with statutory professional confidentiality obligations pursuant to the Act on the Legal Profession.

6.6. Personal Data relating to the provision of legal services are protected by attorney-client confidentiality pursuant to the Act on the Legal Profession and may not be disclosed to third parties unless expressly permitted by law.

6.7. Personal Data are not transferred to countries outside the European Union unless such transfer is required by law, a decision of a public authority, or the performance of the Law Firm’s Activities.

6.8. Where online meetings are agreed upon, via Microsoft Teams or Google Meet, Personal Data of participants (such as name, email address, voice and, where applicable, video) are processed by the providers of these services. Such services may involve transfers of Personal Data outside the European Union, typically to the United States. Both Microsoft and Google apply Standard Contractual Clauses adopted by the European Commission and additional safeguards to ensure an adequate level of protection for cross-border data transfers. If you do not wish to use online communication tools, an alternative form of communication will always be offered.

7. Data Retention Periods

7.1. In accordance with the principle of storage limitation, Personal Data are processed only for as long as necessary to fulfil the purpose and legal basis of processing, or for the period required by law or agreed by you as the Data Subject.

7.2. Personal Data processed for the performance of a contract are retained for a period of 5 to 10 years, depending on the type of service, with regard to regulations governing the practice of law.

7.3. Client files are retained for a period of 5 years after the termination of legal services, in accordance with Professional Regulation of the Czech Bar Association No. 1/1997.

7.4. Legitimate interest as a legal basis for processing is applied where legal services have been provided within the last 5 years.

7.5. Personal Data processed on the basis of consent are retained only for the duration of such consent.

7.6. Personal Data necessary for compliance with statutory obligations are processed for the period prescribed by law, regardless of consent (e.g. accounting records for at least 10 years).

7.7. For the purposes of client identification and control pursuant to AML Act, identification and related data are retained for a period of 10 years from the end of the business relationship or execution of a transaction, in accordance with Art. 16 of AML Act.

7.8. Where the Controller provides escrow of funds, documents or other property, Personal Data necessary for the administration of the escrow and for the fulfilment of obligations pursuant to Act on the Legal Profession, are processed. Documents relating to the administration of property in escrow are retained for a period of 10 years from the termination of the escrow.

7.9. In cases where the Controller performs a declaration of authenticity of a signature, data relating to such declaration are recorded and retained in the register of declarations of authenticity of signatures for the period during which the register has not been fully exhausted, or until the obligation arises to transfer the register to the Czech Bar Association.

7.10. Personal Data used for the purposes of direct communication are retained for a maximum period of 3 years from the date of the last contact, or until the Data Subject objects to the further sending of communications.

8. Security of Personal Data

8.1. The Controller ensures the protection of Personal Data by implementing appropriate technical and organizational measures, including:

  • secure storage of physical documentation in locked cabinets and premises,
  • access to Personal Data limited to authorized persons only,
  • use of a professional information system compliant with GDPR requirements, including individual user accounts, prevention of unauthorized copying of data, regular password changes, and other security measures.

9. Rights of Data Subjects

9.1. Following the provision of Personal Data, you have the following rights pursuant to the GDPR:

i. Right to information and access to Personal Data processed by the Controller

You have the right to obtain confirmation as to whether or not Personal Data concerning you are being processed and, where that is the case, to access such Personal Data and information about the purposes of processing, the categories of Personal Data concerned, the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, the envisaged retention period, the source of the Personal Data, and your related rights. This Privacy Policy is primarily intended to provide you with such information; however, the Controller is prepared to provide confirmation or clarification in relation to any specific aspect upon request.

ii. Right to rectification or completion of inaccurate or incomplete Personal Data

If you think that the Personal Data processed by the Controller are inaccurate or incomplete, you have the right to request that such Personal Data be rectified or completed without undue delay.

iii. Right to object

You have the right to object to the processing of your Personal Data only where such processing is carried out in the public interest, on the basis of the Controller’s legitimate interest, or for the purposes of direct marketing. In such cases, you may object at any time. Following an objection, the Controller shall no longer process the Personal Data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, in particular where the Personal Data are required for the establishment, exercise or defense of legal claims. Where an objection is raised against processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes without delay.

iv. Right to erasure of Personal Data (“right to be forgotten”)

In certain circumstances, you have the right to request the erasure of your Personal Data. As a rule, the Controller will erase Personal Data where they are no longer necessary for the purposes for which they were processed and where there is no other legal basis for their processing. Personal Data will also be erased where processing was based on consent and such consent has been withdrawn. Consent may be withdrawn by email at office@pruchovapelan.cz or in writing at Drtinova 467/2a, 150 00 Prague 5, Czech Republic. Please note that even where grounds for erasure exist, this does not automatically result in the immediate deletion of all Personal Data. The right to erasure does not apply where processing is still necessary for compliance with legal obligations, for archiving purposes in the public interest, scientific or historical research or statistical purposes, or for the establishment, exercise or defense of legal claims.

v. Right to restriction of processing

In certain cases, you have the right to request the restriction of processing of your Personal Data. Restriction of processing means that the relevant Personal Data will be marked and, with the exception of storage, will no longer be processed for a specified period.

This right applies where:

  • you contest the accuracy of the Personal Data, for the period necessary to verify their accuracy,
  • the processing is unlawful (for example, exceeds the scope of Personal Data which the Controller is authorized to process), but you request the restriction of processing instead of erasure, for instance because you anticipate that you will provide such Personal Data to the Controller again in the future,
  • the Controller no longer needs the Personal Data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims,
  • you have objected to processing pursuant to paragraph iii above, pending the verification of whether the legitimate grounds of the Controller override your rights.

Where processing has been restricted, Personal Data may be processed only with your consent, or for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.

vi. Right to lodge a complaint with a supervisory authority

If you believe that the processing of your Personal Data infringes applicable data protection laws, you have the right to lodge a complaint with the supervisory authority, in particular with the Office for Personal Data Protection of the Czech Republic (Úřad pro ochranu osobních údajů), available at www.uoou.cz.

vii. Right to data portability

You have the right to receive the Personal Data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those Personal Data to another controller without hindrance from the Controller, where:

  • the processing is based on consent or on a contract, and
  • the processing is carried out by automated means.

The right to data portability does not apply to Personal Data obtained through the Controller’s own activities.

viii. Automated decision-making and profiling

The Controller does not use any form of automated individual decision-making, including profiling, which would produce legal effects concerning Data Subjects or similarly significantly affect them.

9.2. The above rights may be exercised in person at the Controller’s registered office, by postal mail, or by email at office@pruchovapelan.cz. The Controller shall respond to such requests without undue delay and in any event no later than within one month of receipt. In complex cases or where a high number of requests are submitted, this period may be extended by a further two months, of which you will be duly informed.

10. Final Provisions

10.1. The Controller welcomes any questions you may have. Personal data protection is taken seriously, with an emphasis on a clear, transparent and fair approach.

10.2. This Policy was issued on 1 November 2021 and is effective as of that date.

10.3. In the event of any material changes to this Policy, you will be duly informed.

10.4. This Policy is published at: https://www.pruchovapelan.cz/