These Personal Data Protection Policies are prepared to inform the data subject about which personal data we collect, process, use, and how we protect personal data. In securing privacy and personal data protection, we act exclusively in accordance with applicable legislation, i.e., Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the Regulation) and other legal regulations governing this area.

1. Who is the personal data controller and what are the categories of data subjects whose personal data are processed?

Data Controller:
Company: Sophgena a.s.
with registered office: Husitská 107/3, Žižkov, 130 00 Prague 3
Company ID: 17887283
registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 27870 (hereinafter also the Controller).

Categories of data subjects:
a) contractual parties of the Controller within business relationships,
b) employees of the Controller,
c) service providers and persons working for the Controller based on another contractual relationship.

Definitions of basic terms contained in these policies:
  • Personal data – any information relating to an identified or identifiable data subject; a data subject is considered identified or identifiable if the data subject can be identified directly or indirectly;
  • Data subject – a natural person to whom the personal data relate;
  • Controller – an entity that determines the purposes and means of personal data processing, carries out processing and is responsible for it;
  • Processor – any entity which processes personal data on the basis of a special law or authorization by the controller;
  • Recipient – any entity to whom personal data are made accessible;
  • Processing of personal data – any operation or set of operations which the controller or processor systematically carry out with personal data, either by automated means or otherwise; in particular, collection, storage on data carriers, making available, modification or alteration, retrieval, use, transmission, dissemination, publication, storage, exchange, sorting or combination, blocking, destruction. 
2. What personal data about data subjects are processed?

Identification data – personal data used for the unambiguous identification of the data subject, i.e., name, surname, date of birth, permanent address, and, for a supplier or customer who is a natural person entrepreneur, also the tax identification number and registered office.

Contact data – personal data enabling contact with the data subject within the fulfillment of contractual obligations (contact address, email address, telephone number, possibly payment data – bank account number).

Health data of data subjects are processed to the extent necessary for the fulfillment of the concluded contract with the data subject and for providing services to the data subject, as the Controller is obliged or authorized to do so according to applicable legal regulations or the contractual relationship with the data subject or based on the explicit consent of the data subject.

Other data arising from the specific contractual relationship or from the law, and data provided beyond the relevant laws and processed within the consent given by the data subject (processing of photographs, cookie files, video recordings of consultations with the client, etc.). Such consents are required from our side only in specific situations, in accordance with the requirements under the Regulation.

3. From which sources do we obtain personal data?

We obtain personal data directly from the data subject, within business or employment relationships. Furthermore, we obtain personal data from third parties, primarily within the fulfillment of legal obligations in accordance with the Regulation, mainly from public sources respecting the purpose of personal data processing. At the same time, we obtain personal data during the fulfillment of contractual obligations (e.g., video recordings of consultations with the client).

4. How and for how long do we process personal data?

We process personal data both automatically, in electronic information systems, and also in paper form. However, during the processing of personal data, no automated decision-making (i.e., without human intervention), including profiling, takes place. Personal data are protected at all times against unauthorized interference, loss, destruction, or misuse. All persons coming into contact with data are bound by confidentiality obligations.

We retain personal data for the period necessary to ensure all rights and obligations arising from the contractual relationship, i.e., for the duration of possible claims arising from the concluded contract and further for the period we are obliged to retain them according to generally binding legal regulations. If no contractual relationship is concluded between the Controller and the data subject, but personal data are disclosed or provided by the data subject during pre-contractual negotiations, we will immediately cease processing personal data.

5. On what legal basis and for what purpose do we process personal data?

Within negotiations for concluding a contract or for fulfilling a contract with the given data subject, personal data are processed in accordance with Art. 6(1)(b) of the Regulation, i.e., for the purpose of fulfilling this contract. These personal data are further processed after termination of these contractual relationships for the purpose of protecting our legitimate interests in accordance with Art. 6(1)(f) of the Regulation, especially for enforcing our rights and claims, for the duration of limitation periods related to these contracts.

Personal data are also processed by us for the purpose of fulfilling legal obligations pursuant to Art. 6(1)(c) of the Regulation, e.g., for state authorities (tax administrators for tax administration, courts, executors, notaries) and for fulfilling legal obligations arising from special regulations.

Furthermore, personal data may be processed for the purpose of direct marketing (i.e., sending offers of products, information about new products, if the data subject is interested in such information – i.e., does not express dissent).

6. Right to withdraw consent to personal data processing in case of processing based on consent

If we process personal data based on the explicit consent of the data subject pursuant to Art. 6(1)(a) of the Regulation, the data subject has the right to withdraw this consent at any time, in whole or in part. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn in the same way it was given or in writing at the address Sophgena a.s., Husitská 107/3, Žižkov, 130 00 Prague 3, via email info@sophgena.com, or by phone at: 734 55 22 55.

From the day we are notified of the withdrawal of consent, we can only process personal data to the extent that another legal basis for processing applies, i.e., especially for fulfilling our legal obligations or for the protection of rights and legal claims, as described above. If providing such personal data is necessary for the fulfillment of the Contract, we hereby inform you that upon withdrawal of consent we will no longer be able to provide our services under the Contract.

7. What are the statutory rights of the data subject regarding personal data processing

Right of access to personal data: The data subject has the right to obtain from the Controller confirmation whether his personal data are processed, and if so, the right to access such personal data and the information specified in Art. 15 of the Regulation.

Right to rectification or erasure, or restriction of processing: The data subject has the right (in cases specified by the Regulation) to request the Controller to rectify or complete inaccurate or incomplete personal data, request erasure of personal data if the reason for their processing has ceased or is not given, or request restriction of processing of personal data in connection with resolving the circumstances of personal data processing by the Controller.

Right to object: The data subject has the right to object at any time to the processing of his personal data processed for the purposes of the legitimate interests of the Controller or other persons (according to the Regulation) for reasons related to his particular situation; legitimate interests under the Regulation may include especially cases of protecting the rights and legal claims of the Controller.

Right to data portability: The data subject has the right (under the conditions specified in the Regulation) to receive his personal data from the Controller and transfer them to another personal data controller.

Right to lodge a complaint with the supervisory authority: The data subject has the right to lodge a complaint with the supervisory authority if he believes that the processing of his personal data violates the Regulation. This supervisory authority is the Office for Personal Data Protection.

If the right to process personal data is based on consent, the data subject may withdraw this consent at any time; e.g., marketing consent. Withdrawal of this consent does not affect the lawfulness of processing based on consent given before withdrawal.

The data subject can exercise all his rights using the contact details provided below in point 8 of these Policies. We will inform the data subject without undue delay about the processing of his request and the measures taken (the Regulation gives us a deadline of 1 month from receipt of the request).

8. Where can the data subject exercise his rights or objections regarding personal data processing?

Any objections to personal data processing, withdrawal of consent or change of its scope, or any exercise of rights can be done by the data subject in one of the following ways:
  • in writing at the address Sophgena a.s., Husitská 107/3, Žižkov, 130 00 Prague 3,
  • via email info@sophgena.com, 
  • by phone at: 734 55 22 55.  

9. To whom do we provide personal data?

We process personal data ourselves through our employees or authorized processors. In all cases, we ensure that all obligations arising from applicable legislation for us as controllers and our processors are observed and we ensure that the security of personal data transferred is not endangered or misused.

Processors / recipients of personal data especially include:
  • state authorities and other institutions within statutory obligations, especially state administration bodies, courts, tax administrators;
  • contractual partners – laboratories or institutions involved in sample evaluation,
  • service providers (notaries, web hosting companies, etc.),
  • with your prior consent or instruction, personal data may be provided to other entities. 

10. When do we transfer personal data to third countries?

Personal data processed by us are not transferred to third countries or any international organization.

11. Do we perform automated decision-making and profiling of personal data?

No automated decision-making (i.e., without human intervention), including profiling, occurs in personal data processing.

12. How can you contact us?

If you have any questions regarding personal data processing, you can contact us in writing, electronically or by phone using the contact details given in point 8 above.