Internal corporate regulation

Internal corporate regulation DAGO, s.r.o. on the personal data protection 
I. Purpose of the internal regulation 
The purpose of this internal regulation is to adopt and implement appropriate technical and organizational measures to ensure the personal data protection in accordance with the paragraph 24 et seq. of the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
 
II. Definition 
For the purposes of this Internal Regulation: 
GDPR = EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), so called GDPR (General Data Protection Regulation). 
Personal data = any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, local data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 
Sensitive information = information about racial and ethnic origin, political opinions, religion or philosophical beliefs or labour unions membership, genetic data and health or sexual life or sexual orientation of the natural person; 
Employer = (description of an employer) 
Controller = employer, if nominated by a special law: determines the purpose and means of the personal data processing 
Processor = employer, if entitled by contract, authorization, commission or legal regulation to process personal data on behalf of another controller;  
Employee – employee who is in employment or similar relation with the employer;  
Responsible employee = employee responsible for the performance of work that involves handling personal data; 
Scope of the personal data processing = means the method of processing the personal data, retention period, the means of processing, the determination of categories of recipients, the reasons for processing and other data describing the personal data processing in the Key. The determination of the personal data processing scope also includes to determine, on what legal reason for processing the personal data are being processed, and in the case that such personal data has been collected from the data subject, whether collecting of personal data is legal or contractual requirement, or a requirement on the personal data to be a part of a contract and also instructing the data subject about the consequences of non-disclosing his / her personal data;     
Key = the Key to the personal data protection is a tool for defining the purpose of processing and the scope of personal data collection of the personal data available at www.oou.cloud;  
Authority = Personal Data Protection Authority 
Computer – a personal computer, tablet, telephone or another electronic device with a memory to store personal data.  

III. Scope of the internal regulation 
This internal regulation applies to all employees of the employer, who handle personal data whose controller or processor is the employer.   
This internal regulation applies all the time, unless GDPR provides otherwise.  

IV. Transparency of the personal data processing 
The controller processes personal data transparently so that anyone can get acquainted with the personal data processing performed by the controller. 
In the context of the transparency, the controller publishes Databases of information on processing personal data, all information on processing personal data classified according to the individual processing purposes on his websites or on www.oou.cloud in the Database section. 
This internal regulation will apply all the time, unless GDPR provides otherwise. 

V. Determining the purpose and the scope of the personal data processing  
1. The controller determines the purpose and the scope of the personal data processing through the Key. 
 
VI. Fulfilling obligations of the controller and the processor 
Obligation of the controller and the processor are being fulfilled by responsible employees, unless specified otherwise. 
When negotiating with the Authority, the employer is represented by the employer’s statutory body. 
A responsible employee prepares materials for the statutory organ for all negotiations with the Authority.   

VII. Responsibility of employees for processing the personal data   
1. The employer divide the responsibility for processing the personal data by individual employees so that the employee is entitled to acquaint with the personal data only to the extent necessary for the performance of the work of the employee responsible for processing such personal data. 
An employee is responsible for getting acquainted with the determined purpose and scope of processing the personal data involved within his / her work. 
Anb employee will get acquainted with the determined purpose and scope of processing personal data through relevant documents generated through the Key.  
Within the employees´ responsibility for processing personal data, employees mustn´t exceed the scope of the personal data processing determined by the controller through the Key.   

VIII. Retention of personal data 
Personal data is being retained only for the time necessary for processing.  This time is being determined through the Key.  
Documents and other material data carriers containing personal data must be kept only in lockable rooms. 
Documents and other material data carriers containing sensitive personal data must be kept only in lockable cabinets located in lockable rooms.   
Personal data may be retained in a computer only: if the access to files containing such personal data is protected by a passport, if the access to the computer containing the files with the personal data is protected by a password. 

IX. Obligations of employees when processing and securing the personal data 
An employee is obliged to process personal data only using the processing methods and to the extent specified by the controller. 
An employee fulfils the obligations of the controller and the processor through the Key, if it is possible to fulfil the relevant obligation through the Key. 
An employee is obliged to avoid unauthorized persons to get acquainted with the personal data. For this purpose, an employee is obliged, especially when leaving the workplace, to observe the so called clean desk rule – not leaving personal documents containing any personal data on the desk and to turn off his / her computer. 
An employee is obliged to maintain confidentiality about personal data and about the security measures whose disclosure would jeopardize the security of the personal data.  

X. Final provisions 
The personal data protection that has been carried out so far by the employer shall be brought into compliance with this regulation within one month after the date this regulation came into effect.   
This regulation becomes effective on 24th May 2018.

DAGO, s.r.o.
In Zdice 24th May 2018