Information for clients on personal data processing
pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR")
This document provides information about what personal data is collected within Cloud4medical s.r.o., how it is handled, from what sources it is obtained, for what purposes it is used, to whom it is provided, where information about processed personal data can be obtained, and what measures have been taken to secure personal data.
I. Personal Data Controller
Cloud4medical s.r.o.
registered office: Na Horečkách 173, 747 64 Budišovice, Company ID: 08771243
company registered in the commercial register maintained by the Regional Court in Ostrava, Section C, File No. 80756
(hereinafter referred to as "controller")
II. Scope of Personal Data Processing
Personal data is processed to the extent necessary for fulfilling conditions arising from the contractual relationship, fulfilling legal obligations, and ensuring the legitimate interests of the controller.
III. Sources of Personal Data
- from data subjects based on a contract, inquiry, order, during negotiations by our employees about closing a deal or providing a service and their subsequent implementation or other legal purpose (e.g., emails, phone, business cards, websites)
- from a client or supplier as the controller of data subjects' data – their employees and customers
- publicly accessible registers, lists, and records (e.g., commercial register, trade register, land registry)
IV. Categories of Personal Data Subject to Processing
- Identification data serving to uniquely and unambiguously identify the data subject – natural persons (name, surname, permanent residence address and place of business, Company ID, Tax ID, Health Insurance Code)
- Data enabling contact with the data subject (contact address, phone number, fax number, email address)
- Billing data (bank details)
- Other data necessary for contract fulfillment – identification data (phone and email) of clients' and suppliers' employees, territorial workplace number of VZP, professional qualification data (mostly code 903)
V. Categories of Data Subjects
- Client
- End customer as a data subject
- Supplier (a processor within the meaning of GDPR is also a supplier)
- Other person in a contractual relationship with the controller
VI. Categories of Personal Data Recipients
- Financial institutions
- State and other authorities within the framework of fulfilling legal obligations established by relevant legal regulations
- External recipients in these categories: business partners and other companies that provide professional services for us or carry out business or other contractual activities
- The controller does not intend to transfer personal data of data subjects to a third country or international organization.
VII. Purpose of Personal Data Processing
- Purposes for which the data subject has given consent
- Negotiation of a contractual relationship
- Contract fulfillment
- Protection of the rights of the controller, recipient, or other affected persons (e.g., enforcement of controller's claims, court proceedings)
- Archiving maintained on the basis of law
- Fulfillment of legal obligations by the controller
VIII. Method of Processing and Protection of Personal Data
Personal data processing is performed by the controller. Processing is carried out in its premises, branches, and registered office by individual authorized employees of the controller and processor directly at their workplaces. Processing takes place through computer technology as well as in paper form (contracts, invoices, cash receipts) while observing all security principles for the management and processing of personal data. For this purpose, the controller has adopted technical and organizational measures to ensure the protection of personal data, especially such measures to prevent unauthorized or accidental access to personal data, their alteration, destruction, or loss, unauthorized transfers, their unauthorized processing, as well as other misuse of personal data. All entities to whom personal data may be made available respect the data subjects' right to privacy protection and are obliged to act in accordance with applicable legal regulations concerning personal data protection.
IX. Period for Which Personal Data is Processed
Personal data is processed for the period necessary to ensure the rights and obligations arising both from the contractual relationship and from relevant legal regulations, in accordance with the deadlines specified in relevant contracts, in the granted consent, in the controller's file and disposal regulations, or in relevant legal regulations.
X. Instruction
The controller processes personal data with the consent of the data subject (for one or more specific purposes) except in specified cases where such consent is not required.
In accordance with Article 6(1) GDPR, the controller may process data without the data subject's consent for these purposes:
- processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- processing is necessary for the protection of vital interests of the data subject or another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Consent to the processing of personal data as the only legal basis for processing is based on the principle of voluntariness. This means that the data subject can withdraw it at any time.
XI. Rights of Data Subjects
The basic rights of data subjects include:
- right to information about the processing of personal data (PD)
- right of access to PD (right to obtain confirmation from the controller about PD processing, right to obtain a copy of processed PD)
- right to rectification
- right to erasure ("right to be forgotten")
- right to restriction of processing
- right to data portability
- right to object
- right not to be subject to automated decision-making
In accordance with Article 12 GDPR, the controller informs the data subject about:
- purpose of processing
- category of personal data concerned
- recipients to whom personal data have been or will be disclosed
- planned period for which personal data will be stored
- all available information about the sources of personal data, if not obtained from the data subject
- the fact whether automated decision-making, including profiling, takes place
Every data subject who finds out or believes that the controller or processor is processing their personal data in violation of the protection of their private and personal life has the right to:
- request an explanation from the controller,
- request that the controller remedy such a situation – by rectification, supplementation, or erasure of personal data
- if the data subject's request under the paragraph is found to be justified, the controller will immediately remedy the situation
- if the controller does not comply with the data subject's request, the data subject has the right to contact the supervisory authority directly, i.e., the Office for Personal Data Protection
- the data subject has the possibility to contact the supervisory authority directly without requesting the controller. Contact details of the supervisory authority: Office for Personal Data Protection, registered office: Pplk. Sochora 27, 170 00 Prague 7, Data Box ID: qkbaa2n, email: official: [email protected], phone: landline: +420 234 665 111 (Switchboard), fax: +420 234 665 444
XII. Contact Details of the Controller
In all matters related to the processing of your personal data, whether it is a question, exercise of rights, filing a complaint, or anything else, you can contact the controller.
The controller can be contacted:
- in writing at the registered office address of the controller stated above
- in writing via email address: [email protected], [email protected]
- by phone at tel. no.: +420 602 257 588
- contact details of the controller's representative, if designated: Mgr. Romana Ptáčková, email: [email protected]
- contact details of the data protection officer, if appointed: not appointed
This document will be updated at regular intervals.
Budišovice, January 1, 2023