1. Introduction

This document describes and summarises the fundamental principles for handling and processing the personal data of users of the Website available at the domain nadace-nina.cz (https://nadace-nina.cz) (hereinafter referred to as the "Website") and other profiles on social networks (Facebook, Instagram, etc.). The processing is governed by legal regulations, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") and Act No. 110/2019 Coll., on the Processing of Personal Data, as later amended.

Reference to GDPR legislation (CS): https://www.mvcr.cz/gdpr/clanek/gdpr-web-legislativa-legislativa.aspx

We use your information and data exclusively in connection with our activities, especially in connection with the provision and acceptance of donations that you decide to use, and we do not disseminate or transfer them without your consent to anyone who is not entitled to them. In these principles, you will learn how and why we process your data, how it is protected and what rights you may exercise with regard to your data.

2. Data Controller: Who We Are and Why We Process Your Data 

We are the owner and administrator of the Website, i.e. the web pages and systems running at the domain nadace-nina.cz and other applications related to the Website, and we further use various platforms and profiles for public communication, especially on social networks (hereinafter collectively referred to as the "System"). 

To be able to provide you with high-quality services, we must process a certain amount of data about the persons concerned by our activities. These individuals include, for example, donors, beneficiaries and users of the System and our services, employees, suppliers, contractual partners or others with whom we need to communicate and cooperate.

Legal regulations therefore designate us as the Controller – we must take care of the security of your data, fulfil various obligations during their processing and assist you in exercising your rights. If you have any questions or requests, please contact us:
 

Nadační fond Nina (Endowment Fund Nina) 
Registered office at Amforová 1891/32, Stodůlky, 155 00 Prague 5 

ID No.: 21122369 
File reference: N 2419 maintained by the Municipal Court in Prague 
Phone: +420 604 575 631 
E-mail: info@nadace-nina.cz 
Data Box ID: njx552k 

Web: https://nadace-nina.cz

(hereinafter referred to as "EFN" or the "Controller")

These principles reflect our values and approach in the field of personal data protection and serve as an assurance that:

  1. We comply with the requirements established by legal regulations on personal data protection, especially the principles of personal data processing in accordance with Article 5 of the GDPR.
  2. We protect the privacy of our clients, employees, partners and other persons.
  3. We process your data primarily so that we can carry out our activity and provide high-quality and reliable services. We process data only to the extent strictly necessary for the specified purpose.

The Controller has not appointed a Data Protection Officer, as it is not mandatory under legal regulations.

3. When We Collect or Otherwise Process Your Personal Data

We may obtain your data in various ways, primarily in the following situations:

  • You use the services of our System.
  • You enter into a specific contract (especially a donation contract) with us or otherwise cooperate with us.
  • You donate to our public-benefit activity.
  • You receive a donation from us.
  • The performance of contracts or fulfilment of rights and obligations associated with their termination, especially donation or loan agreements or agreements concerning other assistance.
  • You request the issuance of a donation certificate for tax deduction purposes in accordance with legal regulations.
  • Processing of the list of donors and its inclusion in EFN’s annual report.
  • We inform the public, donors and beneficiaries about our activities, events and operations.
  • You communicate with us via telephone, email, special forms or social networks and other platforms.
  • You subscribe to our newsletter.

4. What Personal Data We Collect and Otherwise Process and For What Purpose

The types of data we process will differ depending on our specific activity or the type of relationship between you and EFN. Below is an overview of these activities and relationships, including the scope of processed data and the purposes for which the processing takes place.

EFN primarily processes the data obtained directly from donors or beneficiaries, for example, through forms displayed in the System, which data subjects provide in connection with granting or receiving a donation. Some of these data are necessary for the provision of our services, or rather, our activities. Specifically, this concerns the following personal data:

A / Accepting and Providing Donations in Line with the Purpose of EFN

In connection with the acceptance of gifts from donors supporting our activities and the provision of donations and assistance to subjects in accordance with the purpose of EFN, we must process certain of your data for these purposes.

These primarily include:

  • Identification data of the data subject (name and surname or company/name)
  • Bank account number
  • Email address

In the case of a donation confirmation, these further include:

  • Date of birth
  • National identification number (birth number), ID No./Tax ID No.
  • Address of residence or registered office and entries in registers

The user often enters and provides the aforementioned data to us himself or herself. You may also fill in some voluntary fields, but always ensure that you do not provide any sensitive data or data you do not wish to disseminate.

Other indirect data:

  • Cookies (for the purposes of offering relevant content just for you and facilitating navigation of the Website).

The Controller is not responsible for the accuracy of the personal data processed by the System which the user has entered into the System. In the event that the Controller demonstrably becomes aware of the inaccuracy or incompleteness of processed data provided by the user, it is obliged to correct, supplement or delete them in the prescribed manner.

B / Information about Our Activities and Subjects

  • In order for you to have an overview of whom you can contact, we publish on the Website, with the consent of our employees or other partners, their data, which include especially photographs, names, telephone numbers, email addresses or other contact details.
  • For the sake of transparency and for the purpose of informing the public, we publish and present reports and information about our activities on our Website and through various platforms and accounts (especially Facebook and Instagram, etc.).

C / Handling Inquiries and Communication with You

  • You can contact us at any time by phone or email with a request or suggestion. We will be happy to help you resolve any issues and answer your questions. For this purpose, we need to process your contact details and, if necessary, your name, for as long as necessary to resolve your inquiry. We will not process your data for email marketing or sending offers unless you give us your explicit consent.

D / Sending Newsletters

  • If you give us your consent, we may inform you about relevant news related to our activities by sending an email newsletter. You may, of course, withdraw your consent at any time. 

5. What Is the Legal Basis for Processing Your Data

For our processing activities to be lawful, there must be a legal basis for each processing activity. We always process your personal data only to the extent necessary for the given purpose. From the perspective of the legality of processing, personal data can be divided into personal data that we can process without your consent and personal data that we cannot process without your consent. We can process personal data without your consent only for the purpose of:

A / Fulfilment of Legal Obligations 

  • This applies to cases of data processing that we must process in accordance with legal regulations and whose processing is necessary for fulfilling our statutory duty (e.g. based on the Accounting Act, Income Tax Act or Labour Code).

B / Performance of a Contract

  • This is binding for all contractual relationships, whether formally captured by a written contract or only in the form of an oral agreement on any performance, or based on an order and invoice. This primarily concerns data processing from contracts concluded with you and data provided within the use of the System. These are cases of the conclusion of donation agreements or other contracts (e.g. loan agreements) for the purpose of accepting or providing donations. This primarily involves concluding contracts where the contractual parties are natural persons. It may also apply to contracts concluded with legal entities, if they contain personal data of the natural persons representing them or persons authorised to execute the contract.

C / Processing within Legitimate Interests

  • The processing is in accordance with our legitimate interests, unless your rights override these interests. This applies if we determine that we absolutely need to obtain and process personal data to protect your serious interests. This includes, in particular, keeping records of donations, providing information about our activities, contacting you for the purpose of providing a contribution/donation, recruiting new employees, carrying out a specific project, etc. However, this must not lead to an excessive restriction of the data subjects' rights.

D / Protection of the Vital Interests of Data Subjects

  • This is processing necessary for the protection of your vital interests or those of another person, which occurs only in exceptional cases (e.g. in the case of immediate humanitarian aid).

In other cases, we process data based on your consent. We process personal data in a way that ensures they are properly secured against unauthorised access, accidental loss, destruction or damage.

We primarily process personal data in our information systems, which must ensure adequate protection of that personal data. With regard to the nature, scope and purposes of processing in specific cases, we adopt technical and organisational measures to ensure your personal data are protected against destruction, loss or alteration, and against unauthorised access or disclosure. Specific individuals working with personal data are bound by a duty of confidentiality. We store personal data only for the necessary period and archive them for the periods required by legal regulations. After the reason for the processing no longer exists or the period of necessary processing expires, we delete or anonymise the relevant personal data.

If necessary, we will provide you with clear and simple options to grant or withdraw consent to the processing at any time.

6. Who Has Access to Your Data 

EFN (its employees and cooperating entities) is the exclusive recipient of the personal data, specifically for the purpose of ensuring and providing services.

We do not sell or otherwise provide your personal data without your consent to unauthorised third parties, not even for marketing purposes. Providers of these services may only have access to your data to the extent necessary for the provision of the given service or the fulfilment of their obligation. This means that if we must entrust your data to another entity, it is only to the minimum extent necessary to ensure our proper functioning and does not compromise your rights or privacy.

Service providers and affiliated entities include:

  • Providers of online tools for document management, sharing and storage, such as Google.
  • Providers of online tools for tracking user interaction: Google Analytics.
  • External service providers in the areas of accounting, audit, law, development and programming, and graphic design.
  • Server infrastructure providers: rozhled.cz.
  • Email service providers: Zoho Corporation Pvt. Ltd.
  • Accounting software providers.

EFN may, in certain situations, transfer your personal data to third countries. This is primarily related to situations involving securing medical treatment and associated support. We may transfer personal data to third parties if required by law or in response to lawful requests from public authorities or upon a court order in litigation.

7. What Your Rights Are and How You May Exercise Them 

To maintain control over your personal data, you can exercise a number of rights with the Controller, i.e. EFN. We will then do our utmost to accommodate your requests. The basic list of your rights is provided by Articles 15 to 22 and 34 of the GDPR and includes, in particular:

  • The Right of Access to Personal Data (under the conditions of Art. 15 GDPR), i.e. the right to obtain confirmation as to whether or not personal data concerning you are being processed, and if so, the right to access such personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; e) the existence of the right to request from the Controller the rectification or erasure of personal data concerning the data subject or restriction of processing, or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) any available information on the source of the personal data, if not collected from the data subject; h) the fact that automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR is taking place and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

    The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request in electronic form, the information shall be provided in a commonly used electronic form, unless otherwise requested by the data subject.
  • The Right to Rectification (under the conditions of Art. 16 GDPR), i.e. the right to have inaccurate personal data concerning you rectified by the Controller without undue delay. Taking into account the purposes of processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • The Right to Erasure ("the right to be forgotten") (under the conditions of Art. 17 GDPR), i.e. you have the right to have the Controller erase personal data concerning you without undue delay, and the Controller has the obligation to erase personal data without undue delay if one of the following reasons applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing or the data subject objects to the processing; d) the personal data have been unlawfully processed; e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject; f) the personal data have been collected in relation to the offer of information society services.
  • The Right to the Restriction of Processing (under the conditions of Art. 18 GDPR), i.e. you have the right to have the Controller restrict processing in any of the following cases: a) the data subject disputes the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  • The Right to Notification (under the conditions of Art. 19 GDPR), i.e. the Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject of those recipients if the data subject requests it.
  • The Right to Data Portability (under the conditions of Art. 20 GDPR), i.e. the data subject has the right to obtain personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided in cases where: a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR; and b) the processing is carried out by automated means. When exercising their right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. The exercise of this right shall be without prejudice to Article 17 GDPR. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. This right shall not adversely affect the rights and freedoms of others.
  • The Right to Object (under the conditions of Art. 21 GDPR), i.e. the data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. In relation to the use of information society services, and without prejudice to Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  • The Right concerning Automated Individual Decision-Making, including Profiling (under the conditions of Art. 22 GDPR), i.e. the data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects on them or significantly affects them in a similar manner. The above does not apply if the decision: a) is necessary for entering into, or the performance of, a contract between the data subject and the data Controller; b) is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or c) is based on the data subject's explicit consent.
  • Notification of a Personal Data Breach to the Data Subject (under the conditions of Art. 34 GDPR), i.e. if a particular personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the breach to the data subject without undue delay. In the communication to the data subject, the Controller shall describe the nature of the personal data breach and provide at least the information and measures referred to in Article 33(3)(b), (c) and (d) GDPR. Notification of the data subject shall not be required if any of the following conditions are met: a) the Controller has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; b) the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; c) it would involve disproportionate effort. In such a case, data subjects must be informed in an equally effective manner by means of a public communication or similar measure. If the Controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after assessing the likelihood that the breach will result in a high risk, require the Controller to do so or may decide that one of the conditions under which notification is not required is met.
  • The Right to lodge a complaint with a supervisory authority (i.e. the Office for Personal Data Protection).
  • The Right to withdraw consent to the processing of personal data, if the processing is based on such consent.

We will do everything to help you exercise your rights and resolve any questions, requests or complaints. You can contact us through the Controller, EFN, preferably electronically at our email address: info@nadace-nina.cz, or by other means listed in Section 2 of these principles. Email is the most efficient way to resolve your requests. In your message, please specify how we can help you or what we can do for you. Please always send the email from the address you normally use in connection with our services and activities to ensure your data do not fall into the wrong hands.

We would be happy if you try to resolve everything with us first. Your satisfaction is important to us and we are happy to help you. If, despite this, you are not satisfied with how your request was handled, you have the right to contact the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, email: posta@uoou.cz, Data Box ID: qkbaa2n.

8. Cookies

To better tailor our services to your requirements, our System, or the Website, uses cookies – small files stored on your disk that record data related to browsing our pages. Within your browser settings, you can manually delete, block or completely disable the use of individual cookies, or block or allow them only for individual websites. Please note, however, that changing cookie settings may adversely affect some functions of our Website and some pages may behave unpredictably.

Generally, cookies, or temporary files stored in the browser, can be divided into two types. The first type is stored only for a short period and serves to facilitate the use of the Website. These temporary cookies allow information to be retained when moving from one webpage to another, eliminating the need to repeatedly enter certain data.

The second type of cookie is stored for a longer period (e.g. several weeks to months). These cookies help to identify your computer upon repeated visits to our Website. However, they do not allow us to identify you as a specific person.

Long-term cookies allow us to better personalise our pages and offer you relevant content or advertising. The collected data is completely anonymous and we cannot link it to any other data. Information from cookies can therefore be used primarily for the statistical evaluation of visitor behaviour and similar purposes.

Such processing is possible based on the following legal grounds:

  • For necessary technical cookies, the legitimate interest of the Controller, consisting of the operation of the Website.
  • For statistical cookies, your consent is required for processing. Consent is given through your browser settings for the duration specified for individual cookies. Consent or refusal to collect cookie data for the stated purposes can be withdrawn at any time.

We therefore distinguish the following processing purposes:

A / Necessary Technical Cookies

  • Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

B / Statistical Cookies

The use of cookies can be set up using your internet browser. Most browsers automatically accept cookies by default. The rejection of cookies or the use of only certain cookies can be set via your web browser.

Information about browsers and how to set preferences for cookies can be found on the websites of individual browsers (e.g. Chrome - https://support.google.com/accounts/answer/61416?hl=cs).

An effective tool for managing cookies is also available at http://www.youronlinechoices.com/cz/ or https://jakzablokovatcookies.cz/gdpr-v-prohlizeci.

9. Period of Personal Data Processing 

EFN processes personal data only for the period that is necessary with regard to the purpose of their processing, i.e. usually for the duration of the given service and/or for the period determined by legal regulations.

10. Security of Personal Data 

The Controller has adopted appropriate technical and organisational measures considering the state of the art, economic costs, nature and purpose of the processing. The Controller has ensured an adequate level of security for personal data entered into and/or transmitted from the System. Risks of accidental or unlawful destruction, loss, alteration, unauthorised access or other forms of unlawful data processing have been taken into account.

The Controller undertakes to comply with these measures, taking into account the development of new technologies, and to eliminate potential future threats to the System.

The Controller's employees, other persons who process personal data based on a contract with the processor, and other persons who come into contact with personal data during the performance of their authorisations and duties are obliged to maintain confidentiality regarding personal data and security measures whose disclosure would jeopardise the security of personal data. The duty of confidentiality does not apply to the duty to provide information under specific laws.

11. Conclusion

These personal data processing principles may only be amended in writing. You will be informed of this through our Website - https://nadace-nina.cz.

If you have any questions regarding our personal data processing principles, please contact us by email: info@nadace-nina.cz.

These Privacy Policy Principles are effective from 15 January 2024.

Nadační fond Nina (Endowment Fund Nina)
