Processing of personal data (GDPR)
Requests pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") may only be made if they relate to a data subject. Data relating to other persons or deceased persons cannot be requested. Requests for access to archives, including requests for searches, are subject to the procedures laid down in Act No 499/2004 Coll. and Decree No 645/2004 Coll. and in some cases are subject to a fee.
See Research Rules
Archival records stored at the Institute are exempt from the right to be forgotten, in accordance with Article 17(3)(d), and therefore no data may be removed (erased) from them at the initiative of the data subject. Permanent storage for archival purposes is not contrary to the GDPR.
When making a request under the GDPR, the data subject shall provide data which uniquely identifies him or her so that the data cannot be provided to the wrong person. Since the GDPR does not provide for the identification of the applicant, the Institute requests this information in the usual structure, i.e. name, surname, date of birth, address of residence or domicile, or address for service if different from the address of residence or domicile.
Responses under the GDPR (in particular under Articles 15-21) shall be sent by the Institute exclusively by data mailbox, if the applicant has one, or by a postal service provider, into the applicant's own hands.
Information to be provided where personal data are obtained from the data subject pursuant to Article 13 of the GDPR
Article 13(1)(a) GDPR
Controller: Masaryk Institute and Archives of the CAS, v. v. i., Gabčíkova 2362/10, Prague 8, 182 00, e-mail: firstname.lastname@example.org, mailbox ID: cgsns2j
Article 13(1)(b) GDPR
Purposes of processing and legal basis for processing - see annex
Article 13(1)(c) GDPR
The Institute does not process personal data pursuant to Article 6(1)(a) of the GDPR.
Article 13(1)(d) GDPR
Recipient or categories of recipients - see annex
Article 13(1)(e) GDPR
The Institute does not transfer and does not intend to transfer personal data to a third country or an international organisation.
Article 13(2)(a) GDPR
Period for which personal data will be stored - see Annex. The period for which documents (and the data contained in documents) are stored is based on the Institute's filing and shredding plan.
Article 13(2)(b) GDPR
The data subject has the right under Article 15 GDPR to request the Institute to inform him or her whether it processes personal data relating to that data subject. The data subject has the right under Article 16 GDPR to request the Institute to correct inaccurate personal data relating to him or her. The data subject has the right to have personal data erased pursuant to Article 17 GDPR. However, the right to erasure cannot be exercised in respect of processing for archiving purposes. Pursuant to Article 17(3)(d) of the GDPR, erasure of personal data is not carried out in archive files stored at the Masaryk Institute and the Archives of the CAS. The data subject has the right to have the Institute restrict the processing of the data subject's personal data in the cases listed in Article 18 of the GDPR. The data subject has the right under Article 20 of the GDPR to obtain personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and the right to transmit such data to another controller if the processing is carried out on the basis of consent, contract and by automated means. Pursuant to Article 21, the data subject shall have the right to object at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. However, the Institute points out that it manages data in most cases on the basis of a legal mandate and in the public interest. We refer in detail to the records of processing activities under Article 30 GDPR (see annex).
Article 13(2)(c) GDPR
Where the processing of personal data of a data subject is based on the data subject's consent to the processing of his or her personal data, the data subject may withdraw the consent at any time. The withdrawal shall not affect the lawfulness of the processing based on the consent given before the withdrawal.
Article 13(2)(d) GDPR
The data subject has the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection. Address: email@example.com, mailbox: qkbaa2n.
Article 13(2)(e) GDPR
Whether the provision of personal data is a legal or contractual requirement - see Annex.
Article 13(2)(f) GDPR
The Institute does not engage in automated decision-making or profiling.
Information provided where personal data is not obtained from the data subject in accordance with Article 14 GDPR
The Institute, with the exception of the receipt of documents selected and recorded as archival material in accordance with the procedures under Act No 499/2004 Coll., on archiving and filing services, does not obtain personal data from third parties (personal data not obtained directly from the data subject by the controller). In accordance with Article 14(5)(b) of the GDPR, the Institute does not provide information to the data subject about the personal data of the data subject held by the Institute, unless they have been obtained from the data subject and are contained in archives. Archival files enjoy exemptions from the right to erasure under Article 17(3)(d) and other derogations and safeguards for the processing of personal data under Article 89 GDPR.
Additional information for e-shop users
Dear customers, at this point we would like to inform you how and by whom your personal data is processed, in the context of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Who is the controller of your data?
The controller of your personal data is the Masaryk Institute and Archives of the CAS (hereinafter referred to as MÚA), v. v. i., Gabčíkova 2362/10, Prague 8, 182 00, e-mail: firstname.lastname@example.org, mailbox ID: cgsns2j.
What type of personal data do we process?
MÚA processes your identification data such as name, surname, street and descriptive number, city, postcode, company name, identification number, if applicable, for the purpose of concluding and fulfilling the purchase contract (sending the goods you have selected to your address).
We also process your contact data such as contact address, telephone number, e-mail address in order to communicate with you and to inform you in a timely manner about all facts related to the order of your goods.
We also process your personal data if you are a registered user of our website.
Given the contractual nature of the relationship between MÚA and users of the MÚA e-shop, the provision of personal data is entirely voluntary. However, if you do not provide us with this personal data, we will not be able to conclude a purchase contract with you.
How do we handle your personal data?
The personal data of individuals is never sold, exchanged, transferred or disclosed to third parties without their consent, except for legal exceptions (Police of the Czech Republic, administrative authorities). Access to personal data is only granted to associates who need it to perform their activities (e.g. billing, sending orders, etc.).
How long do we keep your personal data?
We keep your personal data only for the time necessary and archive it according to the legal time limits imposed by law. Once the legal reason is lost, we delete the relevant personal data. We only retain personal data that we process with the consent of the customer for the duration of the purpose for which the consent was given.
What are your rights?
You have the right to access your personal data, to have it corrected if it is inaccurate or invalid, to have your personal data erased if the conditions set out in Article 17 of the GDPR are met, to restrict its processing and to have it portable.
The right of access, rectification, restriction of processing is implemented through the administration of the e-shop, where the customer updates the relevant data himself in the account settings. The erasure or transfer of personal data can be requested by sending an e-mail to email@example.com.
If you feel that your personal data is being handled unlawfully, you can contact the Office for Personal Data Protection, located at Pplk. Sochora 27, Prague 7, 170 00, e-mail: firstname.lastname@example.org.