Personal data processing and client privacy protection („Data processing policy“)

ASPEKT s.r.o., identification number (IČ): 63218810, with registered office at Dobrovského 2366, 580 01 Havlíčkův Brod, registered in the Commercial Register maintained by the County Court in Hradec Králové, Section C, File No. 7760, is a leading real estate agency providing full service in the sale, acquisition and lease of niche residential and commercial properties in attractive locations. We have been offering our services to clients for 25 years. We represent only the highest quality properties and offer merticulous, prompt and professional service, and therefore we pay attention to the quality of concluded contracts.

The objective of this DATA PROCESSING POLICY issued by ASPEKT s.r.o., is to provide Clients with information as to what personal data ASPEKT s.r.o., as a Controller, processes in regard to its Clients – natural persons in the provision of services consisting in brokering the sale or acquisition of real estate properties, lease of real estate properties, real estate management, and other services, and in regard to visits to websites operated by ASPEKT s.r.o., and in regard to contacts with potential Clients, for what purposes and for what duration of time ASPEKT s.r.o. processes such personal data in accordance with the valid legal regulations, to whom and on what grounds it may disclose or tranfer such data, as well as information on what rights natural persons have in connection with the processing of their personal data.

This Policy pertains to the processing of the personal data of the Clients of ASPEKT s.r.o. and also, in a corresponding manner, of their representatives or contact persons, potential Clients or persons interested in the services of ASPEKT s.r.o., and visitors to websites operated by ASPEKT s.r.o., this being, in each case, within the scope of personal data corresponding to their relationship with ASPEKT s.r.o.

Definitions

Personal Data (hereinafter „Data“) = any information relating to an identified or identifiable natural person; an identifiable natural person i sone who can be identified, directly or indirectly, in particular by reference to an identifiee, or to one or more factors specific to such person’s physical, physiological, genetic, mental, economic, cultural or social identity. This means that personal data also include data such as e-mail, address, telephone number, user name, profile photos, personal preferences, user-generated content, information pertaining to physical characteristics. They may also include unique numerical identification data such as the IP address of the user’s computer ort he MAC address of a device and cookie files.

Data Subject = a natural person to whom personal data pertain. Natural persons are also considered to include persons doing business on the basis of a trade licensing or other authorization.

Controller = the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller ort he specific criteria for its nomination may be provided for by Union or Member State law.

Processor/Recipient = a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Processing of Personal Data = any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data Breach = a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent of the Data Subject = any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Office = the Office for Personal Data Protection, with registered office at Pplk. Sochora 29, Praha 7, PSČ 170 00, www.uoou.cz

GDPR = Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Client = a natural person or legal person who has been reached out to by, or who has reach out to, ASPEKT s.r.o. for the purpose of the sending of an offer of services, requesting services, entering into an agreement, or who has already entered into such an agreement.

Data Privacy Officer („DPO“) = a data protection officer – the person responsible within ASPEKT s.r.o. for the processing of personal data

Personal Data Controller

ASPEKT s.r.o.

with registered office at Dobrovského 2366, 580 01 Havlíčkův Brod

identification number (IČ): 63218810

www.aspektreality.cz

(hereinafter „ASPEKT s.r.o.“ or the „Controller“)

as the Controller, is aware of the legal obligations pertaining to the processing of the Data of its Clients and the liability imposed upon it in this regard by the legal regulations of the Czech Republic and of the EU. This regulation provides the basic Framework for the manner and conditions of handling Clients‘ Data, of how to proceed in processing Data, and who to turn to in the performance of obligations arising under the Personal Data Protection Act (Act No. 101/2000 Coll.), the Information Society Services Act (Act No. 480/2004 Coll.), the GDPR, and this Data Processing Policy.

Data Privacy Officer (DPO) Contact

ASPEKT s.r.o.

Data Privacy Officer

Dobrovského 2366, 580 01 Havlíčkův Brod

identification number (IČ): 63218810

info@aspektreality.cz

Legal Framework, personal data processing principles

The basic legal Framework for the processing of personal data consists of the GDPR, the Personal Data Protection Act, the Information Society Services Act, and other related legal regulations.

The fundamental principle of Data processing is for it to be processed lawfully, fairly and in a transparent manner in relation to the data subject. Data are collecter for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is possible.

Data must be adequate, relevant and limited to what is necessary in relation to the purposes for ehich they are processed; accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures, in order to safeguard the rights and freedoms of the data subject. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

As a Controller, we take appropriate measures in order to provide data subjects with all information pertaining to the acquisition, processing, erasure and security of personal data in a concise, transparent, comprehensible and easily accessible manner, using clear and simple language. We must fulfill these obligations, as the Controller, and we do so, among other things, through this Data Processing Policy.

What Data on Clients do we obtain, how do we obtain them, and how do we use them

ASPEKT s.r.o. can collect or acquire Date through our websites, forms, electronic or telephone contact, personal meeting or otherwise. At times, Data will be provided to ASPEKT s.r.o. by the Client directly, such as when contacting us by telephone, by e-mail or in person, at times we collect them as a Controller, such as through the use of cookie files, in order to ascertain how you use our websites, or we obtain them from other persons, e.g. from associated parties – real estate agents.

Automated decision-making, including profiling – may be used by the Controller in sending or displaying personalized messages or content. This is a specific method, which is any formo f automated processing of Data consisting of the use thereof personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s personal preferences, interests, economic situation, behavior, location, health, reliability, or movements. That means that the Controller can collect Data in various situations. The Controller can centralize and analyze such data in order to be able to assess and estimate the Client’s personal preferences and interests. On the basis of such an analysis, the Controller then sends or displays messages or content adapted to the interests and needs of the Client. If certain conditions are fulfilled, the Client has the right to object to the use of the Data for the purposes of profiling.

Data are collected by the Controller:

  • on the legal grounds as set out in Art. 6, paragraph 1 letter n) of GDPR, i.e. because the processing is necessary for the performance of a contract to which the Client is a contracting party, as the data subject, or for the implementation of measures taken prior to the execution of the agreement upon the Client’s request. The Data are provided obligatorily and the purpose of the processing of such Data is the execution and performance of a contractual relationship and related actions (communication with the Client in regard to services and real estate properties being offered, etc.). The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, an agreement cannot be entered into with him/her or negotiations held for the purpose of the execution of an agreement, or a service provided that the Client has requested (e.g. the sending of specific information regarding a real estate property, making an appointment for a meeting, visiting a real estate property, entering into an agreement with the Controller, or a third party (hereinafter „Performance of a Contract“)
  • on the legal grouns as set out in Art. 6 paragraph 1 letter f) of the GDPR, i.e. because the processing is necessary for the purposes of the Controller’s legitimate interests, so that the Controller may send the Client marketing and commercial messages – newsletters, targeted advertising, adapted recommendations, etc., all of which within the meaning of the Information Society Services Act. The Data are provided voluntarily on the basis of the Client’s consent. The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, commercial messages (newslettersú cannot be sent to the Client and the Client cannot properly use the Controller’s websites or applications either (hereinafter „Consent to CM and Cookies“)
  • on the legal grounds as set out in Art. 6 paragraph 1 letter c) of the GDPR, i.e. because the processing is necessary for the fulfillment of the Controller’s legal obligation, so that the Controller may fulfill legal requirements under special legal regulations (e.g. Act No. 326/1999 Coll., on the Residency of Foreigners within the Territory of the Czech Republic, Act No. 253/2008 Coll., on Certain Measures Against the Legalization of the Proceeds of Criminal Activity and the Financing of Terrorism, etc.). The Data are provided obligatorily and the purpose of the processing of such Data is the execution and performance of a contractual relationship and related actions (communication with the Client in regard to services and real properties being offered, etc.). The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, and agreement cannot be entered into with him/her or negotiations held for the purpose of the execution of an agreement, or a service provided that the Client has requested (e.g. the sending of specific information regarding a real estate property, making an appointment for a meeting, visiting a real estate property, entering into an agreement with the Controller, or a third party) (Hereinafter „Legal Obligation“)
  • on the legal grounds as set out in Art. 6 paragraph 1 letter c) of the GDPR, i.e. because the processing is necessary for the fulfillment of the Controller’s legal obligation, so that the Controller may fulfill legal requirements under special legal regulations (e.g. Act No. 326/1999 Coll., on the Residency of Foreigners within the Territory of the Czech Republic, Act No. 253/2008 Coll., on Certain Measures Against the Legalization of the Proceeds of Criminal Activity and the Financing of Terrorism, etc.). The Data are provided voluntarily and the purpose of the processing of such Data is the execution and performance of a contractual relationship and related actions (communication with the Client in regard to services and real estate properties being offered, etc.). The source of the Data is the Client or a person authorized by the Client. Even if the Client does not agree to the provision of the Data, an agreement can be entered into with the Client and negotiations can be held with the Client for the purpose of the execution of the agreement, or a sevice provided that the Client has requested (e.g. the sending of specific information regarding a real estate property, making an appointment for a meeting, visiting a real estate property, entering into an agreement with the Controller, or a third party) (hereinafter „Legal Obligation with Consent“)
  • on the legal grounds as set out in Art. 6 paragraph 1 letter f) of the GDPR, i.e. because the processing is necessary for the fulfillment of the Controller’s legitimate interests, so that the Controller may ensure the security of its platforms and services against misuse, better comprehend the Client and ensure the proper functioning of its websites, ensure the performance of the Controller’s contractual obligations, etc. The Data are provided obligatorily and the purpose of the processing of such Data is ensuring the security of the Controller’s websires and their protection against misuse, as well as better comprehension of the needs and wants of the Client, improved services and brand awareness, ensuring the proper functioning of CM, advertising, and the improvement and protection thereof through cookies and ensuring the fulfillment of the Controller’s contractual obligations in regard to third parties, particularly the owners of real estate properties, developers, etc. The source of the Data is the Client or a person authorized by the Client. If the Client does not provide the Data, this can affect our ability to provide the Client with our services (hereinafter „Legitimate Interests“).

Who has access to Data – Categories of Data Recipients

The Controller can share the Client’s Data in order to fulfill its legal obligations, to improve its services, o rif it receives the Client’s consent to such sharing.

Data can be processed in the Controller’s name only by trustworthy external processors/recipients. the Controller only provides such information to these external processors/recipients that they need in order to provide the service, and requires that they not use the Data for any other purpose. The Controller make severy effort to ensure that all of the thirs parties that it works with will store the Data in a duly secure manner. Services that require the processing of Data are provided to the Controller by, for example, contracted real estate agents, external IT service suppliers, such as providers of platforms with hosting services, administration and support of our databases, as well as of our software and applications that may contain Data (these services may sometimes include access to Data with the goal of performing the reqiured tasks), as well as owners of real estate properties, developers, persons conducting monitoring of social media, identity administration, evaluations and reviews, customer relationship management, web analysis and search engines, tools for the processing of content generated by the user, advertising, marketing and digital agencies for social media that supply advertising, marketing services and campaigns, analzyze their efectiveness and administer contacts with the Client.

List of Data Recipients

The Controller is obligated to disclose Data to third parties i fit has such an obligation for the purpose of fulfilling a statutory obligation, or for the protection of the rights, property, interests or safety of the Controller, its Clients, employees, external agents.

The Controller can also disclose Data i fit has the Client’s consent to do so o rif the law allows it to do so. The Controller does not offer or sell Data. Collected Data will not be shared with any third party, with the exception of the above.

Where we store Data

The Data that we collect in regard to the Client are stored and processed only within the territory of the EU, or within the territory of states that have undertaken to comply with EU standards for the processing and security of personal data (USA). Outside of the EU, personal data are processed or stored only with processors/recipients who are certified according to the EU – U.S.Privacy Shiel – these being Google LLC and Dropbox, Inc.

How long do we store Data

The Client’s Data are stored for as long as this is necessary in order to fulfill the purpose for which the Controller received the same, in order to comply with the Client’s needs, or in order to full its legal obligations.

In order to determine the duration of Data storage, the following criteria shall apply:

  • if the Client is interested in a real estate property being offered by the Controller or has entered into an agreement with the Controller – the Data in the Client’s Contact Form are stored for a duration of 6 months from the acquisition thereof, Data in electronic form are stored for a duration of 10 years from the acquisition thereof, or from the termination of the contractual relationship with te Client, unless legal regulations provide a longer period of time,
  • if the Client has eneterd into an agreement with the Controller on the short-term lease of a real estate property – Data in paper form will be disposed of within 1 month of the termination of the contractual relationship, Data in electronic form are stored for a period of 18 months from the termination of the contractual relationship with the Client, unless legal regulations provide a longer period of time,
  • if the Client is interested in being sent CM, Data are stored for a period of 10 years from their acquisition, - if the Client contacts us with an enquiry or request for us to contact him/her, Data are stored for a period of time as necessary for the processing of the enquiry and further for a period of 10 years from the last interaction, if the Client creates an account, the Controller stores the Data until the Client requests for erasure, or for a period of 10 years from the last aktivity on the Client’s account,
  • if the Client consented to being sent direct marketing messages, Data are stored until the Client cancels the subscription thereof or requests for the Controller to erase them, or for a period of 10 years from the last interaction,
  • if cookies are located on the Client’s device, Data are stored for the period of time as necessary in order to achieve the purpose thereof, according to the type of cookie,
  • if the Controller copies the Client’s citizenship card/passport and is thereby fulfilling legal requirements according to special legal regulations (e.g. Act No. 326/1999 Coll., on the Residency of Foreigners within the Territory of the Czech Republic, Act No. 253/2008 Coll., on Certain MEasures Against the Legalization of the Proceeds of Criminal aCtivity and the Financing of Terrorism, etc.), Data are stored dor a period of 10 years from their acquisition, or from the termination of the contractual relationship with the Client ort he realization of the transaction, unless legal regulations provide a longer period of time,
  • if the Controller is fulfilling legal requirements according to special legal regulations (e.g. Act No. 326/1999 Coll., on the Residency of Foreigners within the Territory of the Czech Republic, Act No. 253/2008 Coll., on Certain MEasures Against the Legalization of the Proceeds of Criminal aCtivity and the Financing of Terrorism, etc.), Data are stored for a period of 10 years from their acquisition, or from the termination of the contractual relationship with the Client ort he realization of the transaction, unless legal regulations provide a longer period of time.

The Controller may store some Data in order to fulfill its legal obligations, and to be able to duly protect its legitimate interests, or for statistical purposes or historical research purposes.

If the purpose of the storage of Data has been fulfilled and the duration of their storage has elapsed, the Data are erased from the Controller’s systems and records or anonymized, so that the identification of the Client is no longer possible.

How are Data secured

The Controller makes every effort to duly protext the Data, from the moment of their acquisition until the moment of their erasure, pseudonymization or anonymization. The Controller stores and processes Data in a secured manner in accordance with the level of standards within the given sector and has taken all reasonable security measures, though the use of conscientiously adjusted internal processes and security policies, so that no misuse of Data or unauthorized acess to Data can occur. The Controller has contractually ensured that every authorized and trustworthy processor handles Data in this same manner.

As follows from the technical nature of the functioning of data transimission on the Internet, the Controller cannot ensure the security of the Client’s Data being transmitted to the Controller’s websites. Therefore, the securing of any information transmitted in such manner is beyond the Controller’s technical capabilities.

Client’s Rights and Options

  • The Client has the right to be provided with clear and plainly comprehensible information by the Controller as to the manner in which the Controller uses the Data and what the Client’s rights are in regard to the Data. The Controller does this through this Data Processing Policy.
  • The Client has the right of access to the Data that the Controller has available in regard to him/her (with certain exceptions). For this purpose, the Controller’s contact information is provided above.
  • The Controller is entitled to chargé a reaonable fee to cover the administrative costs associated with the provision of requested information.
  • The Controller is entitled to not reacts to requests that are manifestly unfonded, purposeless or repetitive.
  • The Client has the right for his/her Data to be rectified if they are incorrect or outdated, or for them to be supplemented if they are incomplete. For this purpose, the Controllor’s contact information is provided above.
  • In some cases, the Client has the right for his/her Data to be erased. This right can be utilized if this is not in breach of the Controller’s legal grounds or legitimate interests. For this purpose, the Controller’s contact information is provided above.
  • The Client has the right, at any time, to unsubscribe from receiving direct marketing messages, by clicking on the relevant link in the CM (opt-out). In order to stop profiling, the Client can contact the Controller. For this purpose, the Controller’s contact infotmation is provided above.
  • The Client can withdraw his/her consent to the processing of Data at any time (this only pertains to those Data that are processed on the basis of such a consent). The lawfulness of the processing of Data prior to the withdrawal of consent is not affected thereby. In order to withdraw consent, the Client can contact the Controller. For this purpose, the Controller’s contact information is provided above.
  • The Client can oppose, at any time, the processing of Data on the basis of legitimate interests. In order to oppose the processing of Data on the basis of legitimate interests, the Client can contact the Controller. For this purpose, the Controller’s contact infromation os provided above.
  • If the Client believes that the Controller’s actions in connection with the handling of Data are in breach of the GDPR, the Client has the right to contact the Office for Personal Data Protection and lodge a complaint against such an alleged breach in the Controller’s actions. Prior to lodging any complaint with the Office for Personal Data Protection, please do not hesitate to contact us at the contact information set out above.
  • The Client has the right to move, copy or tranfer Data from the Controller’s database to another database. The right only applies to Data that the Client has provided for the purpose of the performance of a contract or on the basis of consent and the processing of which is conducted by automated means. For information on portability, the Client can contact the Controller. For this purpose, the Controller’s contract information is provided above.
  • The Client has the right to request a restriction in the processing of his/her Data by the Processor. This right means that the Controller can store Data, but will not proces or use them any further. This right can be utilized in the event that a) the Client id denying the accuracy of the Data, for the period of time necessary in order for the Controller to verify the accuracy of the Data, b) processing is unlawful and the Client opposes the erasure of the Data and instead requests the restriction of the use thereof, or c) the Controller no longer needs the Data for the purposes of processing, but the Client requires them for the establishment, exercise or defense of legal claims, or d) the Client objects to processing on the basis of the Controller’s legitimate interests, until it is verified whether the Controller’s legitimate grounds. To utilize the right to the restriction of processing, the Client can contact the Controller. For this purpose, the Controller’s contact information is provided above.
  • The Client has the right to deactivate cookies. Internet browsers are usually programmed in such a way that they allow cookies, but the Client can change this setting in the internet browser’s settings. Blocking cookies can prevent the proper functionality of a website. Further information on cookies at http://www.aboutcookies.org/.

This Data Processing Policy is effective from 1 July 2021 and has been issued in accordance with the GDPR.