This Group Data Protection Policy (“Data Protection Policy”) stipulates the rules for personal data protection in CPI Property Group (“CPIPG”) and its affiliated companies (“CPIPG companies”). It provides the rules of personal data protection, including related obligations of CPIPG companies. The Data Protection Policy reflects the data privacy rules required by the GDPR and other Member States’ national data privacy legislation.
The CPIPG companies take personal data protection seriously and handle personal data with due care and responsibility when performing their business activities. A personal data breach may result in serious legal and economic consequences for the CPIPG companies, their employees and data subjects. It may also cause damage to the CPIPG companies’ reputation. Through the implementation of the Data Protection Policy across the CPIPG companies, the risks of, and arising from, breaching data protection will be minimised.
This Data Protection Policy is binding for CPIPG companies and their employees. It relates to all personal data processing to which the GDPR and the Member States’ national legislation apply.
The following articles describe the procedures followed by CPIPG companies when processing personal data.
Furthermore, they provide a brief description of the division of competencies and the key roles in the CPIPG companies in the area of personal data processing.
CPIPG companies have taken and shall continue to take appropriate technical and organisational measures in order to ensure the protection of the personal data against misuse, loss and damage, and to treat them in accordance with the GDPR and the Member States’ national legislation in the area of data privacy. The data protection applies to the processing of the personal data of the CPIPG companies’ partners, employees, their family members, job applicants, customers and other individuals whose personal data are processed by CPIPG companies.
CPIPG companies respect the basic principles stipulated by the GDPR in the processing of personal data. The respective basic principles are listed below:
Personal data processing is always based on lawful bases, which include the consent to personal data processing, compliance with a legal obligation, the performance of a contract, the legitimate interest, the public interest or the protection of the interests of the data subject.
Special categories of personal data and personal data relating to criminal matters are especially sensitive, and therefore a high degree of protection is applied. The DPO is consulted before any processing of special categories of personal data.
CPIPG companies may only make personal data available to third parties (including a personal data transfer within the group) under certain conditions. Personal data may only be made available to a third party acting as a processor on the basis of a personal data processing agreement. Personal data may also be made available to another third party acting as a controller or a joint controller on the basis of relevant contractual agreements.
Where personal data are rectified or erased, or their processing is restricted, CPIPG companies notify, under certain circumstances, the third parties to which the personal data were made available, unless this is not feasible or would require disproportionate effort. CPIPG companies inform a data subject about the third parties to which the concerned personal data were disclosed only if the data subject requests it.
Under certain conditions, CPIPG companies can also transfer personal data to third countries outside the EEA or the European Union or to international organisations. To assess legal conditions under which personal data may be transferred to third countries or to international organisations, CPIPG companies address the DPO for consultations.
CPIPG companies take all necessary steps to enable the exercise of the data subjects’ rights stipulated by the GDPR. In respect of personal data processing, data subjects have the right of access to personal data, the right to rectification, restriction of processing, portability or erasure of personal data, the right to object to the personal data processing and the right not to be subject to a decision based solely on automated personal data processing.
Data subjects can request the exercise of their rights via a written or oral request. In order to provide sufficient protection of the personal data processed by CPIPG companies and to prevent personal data misuse from taking place, CPIPG companies have introduced rules for the verification of the identity of the data subjects stated below.
To request the exercise of a particular right in writing, the data subjects shall fill in the request form available for download here. The data subjects’ signatures on the request form need to be officially certified. Depending on local law, data subjects may be able to have their signature certified e.g. at a notary office, post office, attorney-at-law, consulate or municipal/regional authority. The signature has to be officially certified in the country where the request is submitted. The request may be submitted to the given CPIPG company in person at that CPIPG company’s registered seat, sent via mail using a postal services provider, or sent via verified electronic means (e.g. data boxes in the Czech Republic). In particular when the request is sent via mail using a postal services provider from a country outside the EEA or the European Union, data subjects may be contacted by the given CPIPG company in order to further verify their identity.
Data subjects may also request the exercise of a particular right in person at the given CPIPG company’s registered seat. Their identity will be verified by the particular CPIPG company’s designated employee (e.g. at a front desk), based on the presentation of one of the following documents: personal ID card, passport or another official document with a photo that is sufficient to enable their clear identification.
The exercise of data subjects’ rights shall not affect the rights of third parties. Should the requests submitted by data subjects be manifestly unfounded or excessive, in particular because of their repetitive character, the CPIPG companies may charge a reasonable fee for responding to the request, not exceeding the necessary costs of providing the above-stated information or arranging the exercise of the data subjects’ rights.
CPIPG companies ensure sufficient communication and cooperation in order to process all received requests in adequate time. CPIPG companies closely cooperate to provide the concerned data subject with a response within the statutory periods.
CPIPG companies and their statutory bodies are responsible for ensuring compliance with the GDPR and the relevant Member States’ national data privacy legislation.
The EU-based CPIPG companies listed in the appendix have appointed a DPO with the functional and organisational responsibility for compliance with the legal regulations and internal regulations of the CPIPG companies concerning the personal data protection.
The DPO can be contacted via e-mail at email@example.com or via post at the address Vladislavova 1390/17, 110 00 Praha 1, Czech Republic.
The non-EU CPIPG companies listed in the appendix have appointed an EU Representative with the functional and organisational responsibility for compliance with the legal regulations concerning personal data protection. The EU Representative is the company ORCO Hotel Riverside, s.r.o., with its registered office at Na Poříčí 1047/26, Prague 1, the Czech Republic, registered with the Municipal Court in Prague under no. C 35957, identification number: 63073030. The EU Representative can be contacted via e-mail at firstname.lastname@example.org or via post at the above address. More information about the EU Representative can be found here.
All data owners within the CPIPG companies and all employees are obliged to process the personal data in compliance with the CPIPG companies’ internal policies, the GDPR and other Member States’ national data privacy legislation.
The CPIPG companies report any suspected breach of personal data security to the relevant DPO/EU Representative immediately, and in any case no later than 24 hours after becoming aware of it. If the personal data breach meets the requirements for notification of the respective supervisory authority and/or the data subjects, the DPO/EU Representative fulfils this obligation within 72 hours of the personal data breach.
The CPIPG companies process personal data only for a necessary time. Personal data are erased or anonymised under the following circumstances:
The CPIPG companies put an emphasis on observing the necessary security measures during erasure or anonymisation.
CPIPG handles documents in accordance with the GDPR. The rules for receiving, registering, circulating, storing and disposing of documents in CPIPG are set out in the current CPIPG retention guidelines.
At the end of the archiving period, the documents are discarded in accordance with the established shredding procedure, with a proof of record (approval of the document owner, approval of the relevant state regional archive, certificate of shredding).
The CPIPG companies may publish personal data in the Intranet, the Internet or any other media only with the consent of the concerned data subject unless there is another legal basis in specific cases.
Where CPIPG companies obtain personal data directly from the data subjects, these data subjects are provided with information on the processing of their personal data at the time the personal data are obtained. If personal data are not obtained directly from the data subjects, the processing information is provided to them subsequently, usually in the first communication with the data subject.
Information on the selected processing of personal data, in cases where processing information is not available to data subjects when the personal data are obtained, is available here: Information on Personal Data Processing.
Data subject
An identified or identifiable individual whose personal data are processed; an identifiable individual is an individual who can be identified either directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Controller
A natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of personal data processing.
Processor
A natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller.
Personal data
Any information relating to an identified or identifiable individual.
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
DPO
Data Protection Officer.
EU Representative
A natural or legal person established in the EU, designated in writing by the controller or processor under Article 27 of the GDPR, who represents the controller or processor in the performance of the relevant obligations under the GDPR.
Anonymous data
Information not relating to an identified or identifiable individual, including personal data anonymised in such a way that the data subject is not or is no longer identifiable.
Third party
Any legal entity or individual who is not the Company’s employee, except for data subjects.
Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In case of any questions relating to GDPR requests, kindly contact us by e-mail at email@example.com (DPO) / firstname.lastname@example.org (EU Representative). Please be reminded that e-mail is not a 100% secure means of communication and that its security, origin and delivery are not guaranteed.