Personal Data Processing Policy

We appreciate that you have provided us with your personal data and we hereby undertake to protect them to the maximum extent. All personal data provided are considered strictly confidential and are treated in accordance with applicable legislation and legally binding documents at the EU and national level, in particular the Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the GDPR (General Data Protection Regulation) (hereinafter the “GDPR”). In this Personal Data Processing Policy, we would like to inform you about what personal data we process, to what extent and for what purpose, as well as about your rights in connection with the protection of personal data.

  1. Basic terms
  2. Personal data processed by the controller
  3. Purposes of processing your personal data
  4. Personal data processing policy
  5. Recipients and processors of personal data
  6. Transfer of personal data to third countries
  7. The period for which your personal data is processed
  8. Your rights in relation to the protection of personal data
  9. Security of personal data


  • Personal data means all information about a natural person on the basis of which this person can be identified, such as name, surname, date of birth, contact details, etc. (hereinafter the “personal data”).
  • Sensitive data means personal data indicating national, ethnic or racial origin, political opinions, including membership of political parties, religion, health status, etc.
  • Health data are those personal data which indicate the health of the data subject, both physical and mental (hereinafter the “health data”).
  • Biometric data are personal data that relate to the physical or physiological features of the data subject or features of their behaviour that allow or confirm a unique identification of the data subject, such as a facial image (hereinafter the “biometric data”).
  • The subject of personal data processing means the natural person whose personal data are processed (hereinafter the “data subject”).
  • Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure (hereinafter the “processing of personal data”).
  • The personal data controller is the person who processes the personal data of the subjects, i.e. Stomatologie Ujec, s.r.o. ID No: 08311030, with its registered office at Starý Brázdim 40, 250 63 Brázdim (hereinafter the “controller”).
  • The processor is a legal or natural person who processes personal data on behalf of the controller.
  • Profiling means the process whereby the controller automatically processes personal data for the purpose of evaluating a natural person, e.g. for the purpose of analysis and evaluation of their work performance, health condition or reliability (hereinafter the “profiling”).
  • Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (hereinafter “pseudonymisation”).


  • The controller processes the following categories of personal data: name, surname, date of birth, birth number (personal ID number), residence, telephone number, email address.
  • The controller processes the following categories of sensitive data: medical records, body measurements, insurance company, nationality.


  • The controller approaches the processing of personal data restrictively and always considers whether it is possible to prevent the processing completely.
  • All processing of personal data may only be carried out in accordance with these principles and applicable law.
  • The controller processes personal data for statutory reasons:
  • (a) processing is necessary for the performance of a contract concluded between the controller and the data subject,
  • (b) processing is necessary for fulfilling the legal obligations of the controller,
  • (c) processing is necessary for the legitimate interests of the controller,
  • (d) the data subject has consented to processing personal data for one or more specific purposes,
  • (e) processing is necessary to protect the vital interests of the data subject.


  • When processing personal data, the administrator observes the following rules:
  • Principle of legitimacy
  • The controller is entitled to process personal data if they have a reason specified in Article 3.3, or if the data subject has given their explicit consent to the processing, and if the controller does so in accordance with legal regulations.
  • Principle of proportionality
  • The principle of proportionality must be respected when processing personal data. The method of processing personal data is proportional, especially if the required purpose cannot be achieved in any other way.
  • Principle of transparency
  • The controller must process personal data in the most transparent way possible. To this end, they communicate to data subjects which personal data will be processed, how they will be processed, whether they will be passed on to third parties and when records of this data will be destroyed. The controller communicates these facts to the data subjects through this document.
  • Principle of integrity and confidentiality
  • Personal data is processed in a way that ensures adequate security of personal data so that it cannot be misused, subjected to unauthorised processing, accidentally lost, destroyed or damaged.
  • Limited storage principle
  • Personal data is kept only for the necessary time, after which it must be destroyed.


  • Only the administrator and the processors expressly authorised by them have access to personal data.
  • The controller may authorise a third party to process personal data as a processor, who must, however, ensure appropriate technical and organisational measures. In the event that the controller intends to involve another processor in the processing, they will always pay attention to the appropriate selection of processors and to compliance with the obligations set out in the GDPR.
  • Everyone who has access to personal data must be trained in the privacy of such data and is without exception bound by a duty of confidentiality.
  • With the consent of the data subject or at their order, personal data may be provided to other subjects.


  • The controller undertakes not to transfer personal data of data subjects to third countries outside the European Union.


  • The controller processes personal data depending on the purpose for the entire duration of any contractual relationship between the controller and the data subject or until the data subject’s consent to the processing of personal data is revoked.
  • After the termination of the contractual relationship between the controller and the data subject, the controller processes personal data for the period stipulated by legal regulations to fulfil the statutory obligations, especially those imposed by Decree No 98/2012 on medical documentation, which provides for the period for which it is necessary to keep the medical documentation of the patient (data subject), as well as legal regulations in relation to accounting and tax obligations, which also define the archiving period for which documents containing personal data (e.g. proving the provision of health care) must be archived.
  • After the end of the period for retention of personal data under this article, personal data will be destroyed, which is done in the following ways:
  • - shredding of original documents or their copies or their anonymisation
  • - deletion of electronic databases or their anonymisation
  • - permanent exclusion of personal data from further processing.


  • In relation to the protection of personal data, the data subject has the following rights:
  • Right to erasure
  • The data subject has the right to have their data completely erased if their personal data are no longer needed for the purposes of processing; if they revoke consent to the processing of personal data; if they object to the processing of personal data; or if the personal data were obtained illegally.
  • Right to rectification
  • The data subject has the right to have the controller rectify inaccurate personal data concerning them, without undue delay. In connection with this right, the data subject is obliged to inform the controller of any changes concerning the processed personal data.
  • Right of access to personal data
  • The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning them are processed. The data subject may at any time request information from the controller about the processing of personal data.
  • Right to data portability
  • If the processing is automated or if the data are processed with the consent of the data subject, the data subject has the right to request an overview of the personal data processed about them by the controller in a structured, commonly used and machine-readable format and to transfer these data to another controller. If technically feasible, the data may be passed directly by the controller to the other controller.
  • Right to withdraw consent to the processing of personal data
  • If the data subject has given the controller consent to the processing of personal data for purposes requiring such consent, the data subject has the right to withdraw this consent in writing at any time. Processing that took place before the consent was withdrawn is legal.
  • Right to object to the processing of personal data
  • The data subject has the right at any time to object to the way their personal data are processed if their data are processed because their processing is necessary for the satisfaction of the controller or a third party or if the processing takes place in the exercise of official authority.
  • Right to lodge a complaint with a supervisory authority
  • If the data subject finds or considers that the controller is processing personal data in a manner contrary to the GDPR, they have the right to lodge a complaint with a supervisory authority, i.e. the Office for Personal Data Protection.


  • All documents and papers containing personal data are stored in the lockable premises of the administrator, to which third parties do not have access.
  • Personal data that are stored electronically are protected against access by third parties and possible misuse by passwords. Physical media containing electronic information are protected against unauthorised access by third parties and personal data stored on the media are also protected by anti-virus protection and a system of backup copies. Backups are protected against misuse in the same way as the original data carriers.
  • The controller shall ensure technical, organisational, personnel and other appropriate measures within the meaning of the GDPR to be able to demonstrate at any time that the processing of personal data is carried out in accordance with the GDPR so as to prevent the possibility of unauthorised or accidental access to personal data and data carriers containing such data, prevent their change, destruction or loss, unauthorised transfer, their other unauthorised processing, as well as other misuse.
  • In the event of unauthorised access by third parties or misuse of personal data, and where a specific breach of personal data security is likely to result in a high risk to the rights and freedoms of individuals, the controller shall immediately inform the data subject, namely: by notifying the controller of the known email address of the data subject (if not known to the address of the last known residence of the data subject) and informing them of the remedial action he has taken. The controller shall draw up a record of each incident and inform the Office for Personal Data Protection in accordance with the GDPR.

This Personal Data Processing Policy shall enter into force and effect on 25 May 2018.