Privacy policy
QUIX EVENT, s.r.o. internal directive on personal data protection
Employer QUIX EVENT, s.r.o.
with registered office at Zelený pruh 1560/99, Braník, 140 00 Prague 4
ID 02723832
the company registered in the Commercial Register maintained by the Municipal Court in Prague under No. C 221305
I. Purpose of the Directive
- The purpose of this Directive, as one of the organisational measures within the meaning of Article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter also referred to as “GDPR”), is to lay down the rules for the processing of personal data by the employer and the data protection principles applicable to all information relating to an identified or identifiable data subject.
- This Directive further regulates the procedures in the event of a personal data breach within the meaning of Articles 33 and 34 of the GDPR.
II. Definition of terms
- GDPR – Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Personal data – Any information about an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier, or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Supervisory Authority – Office for Personal Data Protection, unless otherwise provided by law.
- Employer – QUIX EVENT, s.r.o.
- Data Subject – Any natural person, including self-employed persons.
- Controller – A controller is a natural or legal person, public authority or other entity which alone or jointly with others determines the purposes and means of the processing of personal data.
- Processor – A processor is a natural or legal person, public authority or other entity that processes personal data for the controller.
- Authorised person – Any person, including legal persons, who carries out activities for the employer in which they come into contact with the personal data of data subjects, including the employer’s employees or members of the employer’s bodies.
- Authorised person – An authorised person authorised by the employer to carry out specific activities related to the processing of personal data, in particular incident prevention, security of personal data processing, handling complaints and requests, systems administration and other activities. The identity of the person holding this position at the employer shall always be communicated to each authorised person; if no such person is specifically identified, the authorised person is the employer’s managing director.
- Employee – A natural person in an employment or other similar relationship with an employer.
- Client/customer (hereinafter referred to as “client”) – A person in a legal relationship with the employer, in relation to whom the employer is in the position of a supplier.
- Supplier – A person in a legal relationship with the employer, in relation to whom the employer is in the position of a customer.
- Processing of personal data – Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.
III. Principles of personal data processing
- This Directive shall apply to any authorised person in the performance of his duties.
- Personal data may be processed and stored provided that:
  - the processing is necessary for compliance with a legal obligation to which the controller is subject;
  - the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures taken prior to the conclusion of the contract at the request of the data subject;
  - the processing is necessary to protect the vital interests of the data subject or another natural person;
  - the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  - the data subject has consented to the processing.
- Any processing of personal data must be carried out in a lawful, fair and transparent manner.
- Personal data may only be collected for specific, explicit and legitimate purposes and may not be further processed in a way that is incompatible with those purposes.
- Personal data must only be processed proportionately and limited to what is necessary in relation to the purpose of the processing.
- Personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Personal data may be stored in a form which permits identification of the data subject only for the time necessary for the purposes for which they are processed.
- When processing personal data, it is always necessary to properly ensure the security of personal data by means of technical and organisational measures to prevent unauthorised or unlawful processing, loss, destruction or damage to personal data.
- Each Authorised Person shall be familiar with this Directive and shall affix his/her signature to the signature sheet as evidence that he/she has duly understood it and has no further questions.
- The employer shall keep a record of personal data processing activities.
- The employer shall check the accuracy, completeness and timeliness of the personal data of clients, suppliers and employees, always within a reasonable time according to the nature of the personal data concerned.
- With regard to the personal data of employees, the employer will process personal data for the duration of the employment contract or for the time necessary to fulfil the employer’s archiving obligations under applicable legislation, in particular Act No. 563/1991 Coll., on Accounting, Act No. 235/2004 Coll., on Value Added Tax, Act No. 582/1991 Coll., on the Organisation and Implementation of Social Security, Act No. 499/2004 Coll., on Archiving and File Service, Act No. 262/2006 Coll., on the Labour Code.
- In respect of personal data processed on the basis of the employer’s cooperation with suppliers or clients, personal data will be processed for the period necessary to settle all of the employer’s relationships with suppliers or clients and, where applicable, for a longer period if this is necessary to protect the employer’s legitimate interests arising from the relevant contracts, unless otherwise agreed between the employer and the parties concerned in the interests of data protection.
- When using personal data in the performance of their work tasks, employees are obliged to behave in such a way as to prevent a breach of security that leads to accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.
- Every employee who processes data and personal data is responsible for the protection of that data and personal data. The immediate supervisor of these employees is also responsible for their protection; the supervisor is obliged to carry out control activities and verify that personal data is handled in accordance with the GDPR and this Directive.
- The employer processes personal data in both electronic and paper form.
- The employer shall provide authorised persons with regular training on compliance with the GDPR every 12 months.
IV. Obligations of the authorised person
- The authorised person is obliged to process personal data in a correct and lawful manner in relation to the data subject. The authorised person may not pass on the information obtained to any other third party, neither in the Czech Republic nor abroad, without the employer’s instruction, i.e. he/she has a duty of confidentiality.
- When obtaining personal data from a data subject or another person, the authorised person is obliged to inform the authorised person who, on behalf of the employer, performs the duties of controller or processor in relation to the data subject, unless otherwise specified in this Directive.
- Each authorised person may only process personal data for the purpose specified by the employer and only by the means specified by the employer.
- The authorised person is authorised to process personal data only in accordance with the employer’s instructions. The authorised person may only process personal data necessary for the performance of his/her duties towards the employer. For this purpose, the employer shall grant authorised persons access only to the necessary records of personal data.
- If the authorised person discovers that the personal data of any data subject is inaccurate, incomplete or out of date, he or she shall notify the authorised person.
- If the authorised person discovers that personal data are being processed for longer than is necessary for the purposes for which they are processed, he or she shall notify the authorised person.
- An authorised person working with personal data in paper form is obliged to secure it before leaving the workplace so that no unauthorised person has access to it.
- An authorised person working with personal data in electronic form on a computer must always ensure that, in his or her absence, the data cannot be accessed without entering an access password, which he or she must not disclose to any third party. The access password must be changed at regular intervals, at least once every 6 months.
V. Rights of data subjects
- Each data subject is entitled to exercise his or her rights concerning the protection of his or her personal data with the controller. The controller is obliged to allow the data subject to exercise these rights. These rights are as follows:
  - the right of access to personal data;
  - the right to rectification of personal data;
  - the right to erasure of personal data;
  - the right to restriction of processing of personal data;
  - the right to object to processing;
  - the right to data portability;
  - the right not to be subject to automated decision-making, including profiling;
  - where applicable, the right to withdraw consent to the processing of personal data.
- An authorised person who has received in any form (in writing, by telephone, in person) a request or complaint from a natural person that concerns or could concern the protection of personal data, in particular requests within the meaning of Articles 15 to 22 of the GDPR, shall notify the authorised person of this fact.
- The data subject’s requests shall be handled by the competent authorised person in accordance with the employer’s general instructions, but always in such a way that the data subject’s request is complied with without undue delay, at the latest within 1 month from the date of receipt of the request, and that the data subject is provided with all the information necessary to deal with his or her request and, if the request is not complied with, the reasons for that decision.
- Before responding to a request, the competent authorised person shall verify the identity of the requesting data subject, and shall always do so in a reasonable manner that ensures sufficient identification of the data subject with regard to the form of the submission, the means of communication used and the content of the data subject’s request.
- In the event of a data subject’s request for access to personal data, the competent authorised person shall provide the data subject with at least information as to whether or not the personal data concerning the data subject are processed and shall provide the data subject with an information clause in accordance with the GDPR.
- The information referred to in this Article shall be provided by the employer to the data subject in the same form in which the data subject requested it.
VI. Reporting personal data breaches to the supervisory authority
- A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to personal data transmitted, stored or otherwise processed. This may include, but is not limited to, the theft or destruction of written information, the theft or destruction of electronic media, including PCs, or a hacking attack.
- An authorised person who discovers that a personal data breach has occurred must immediately inform the authorised person.
- Any personal data breach shall be reported by the employer, through its managing director, to the supervisory authority without undue delay after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- The notification to the supervisory authority under this Article shall at least include:
  - a description of the nature of the personal data breach in question, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
  - a description of the likely consequences of the personal data breach;
  - a description of the measures that the employer has taken or proposes to take to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If it is not possible to provide all of this information at the same time, it may be provided sequentially without undue delay.
- Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the employer shall notify the data subject of the breach without undue delay.
- The employer, through the authorised person, shall document all personal data breaches, stating the facts relating to the breach, its effects and the corrective measures taken.
VII. Control of compliance with the Directive
- The employer shall supervise compliance with this Directive and generally binding legislation related to the GDPR.
- The managing director of the employer serves as the contact person for authorised persons in matters of security and protection of personal data. In the event of any doubt about the interpretation of this Directive or the scope and content of the legal obligations, the managing director of the employer shall provide a binding interpretation which the authorised persons are obliged to follow.
VIII. Final provisions
- This directive is an integral part of the employer’s comprehensive set of internal regulations.
- This Directive was approved on 6 February 2019 and comes into force on the same date.
Prague, 6 February 2019
QUIX EVENT, s.r.o.
Miroslav Barták, Managing Director