Integrated Transport System of the South Moravian Region

E-SHOP

PRIVACY POLICY - INFORMATION ON PERSONAL DATA PROCESSING

Controller

KORDIS JMK, a.s.
Company ID: 26298465
registered in the Commercial Register at the Regional Court in Brno, Section B, Insert 6753

The controller processes personal data in accordance with European Union law, especially Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), as well as the legal regulations of the Czech Republic.

Contact Information of the Controller

Address: Nové sady 946/30, 602 00 Brno
Phone: +420 543 426 651
E-mail: info@kordis-jmk.cz
Data Box: gwpghss

Data Protection Officer

Name: Ing. David Zahradnický (United Registrar of Systems Czech s.r.o.)
Phone: +420 721 077 806
E-mail: david.zahradnicky@dazmedia.cz

Purpose of Personal Data Processing

The controller collects and processes personal data of individuals to the extent necessary for:

  • fulfilling obligations imposed by special laws,
  • ensuring activities related to the business subject,
  • negotiating contractual relationships,
  • fulfilling contracts concluded with the data subject,
  • offering trade or services to data subjects,
  • shareholder agenda of the company,
  • ensuring property protection and workplace safety.

The controller processes personal data only to the extent necessary to ensure compliance with legal and contractual obligations and to protect legitimate interests. The processed data is kept as accurate and up-to-date as possible (in cooperation with data subjects). Personal data processed is not transferred to third countries.

Main Areas of Personal Data Processing

  • Personal data of users of the IDS JMK POSEIDON application for the purpose of transportation control by third parties. These third parties are not provided with personal data; data is displayed after presenting an electronic travel document of a specific passenger. Stored data includes: login name, password, first and last name, phone number, email, details of purchased tickets, and information on the inspection location.
  • Personal data of individuals who created accounts through web services (e-shop) for obtaining IDS JMK electronic tickets. These personal data are shared between service operators and the controller for transportation control and ticket ownership verification purposes. Stored data includes: login name, password, first and last name, phone number, email, address, date of birth, ID photo, ticket details, and inspection location.
  • Personal data related to transportation control performed by the controller. Primarily, this pertains to passengers without a valid ticket. Stored data includes: first and last name, date of birth, address, ID number, and inspection date and location.
  • Personal data of job applicants. The controller uses this data solely for specific employee selection processes and destroys it immediately after the recruitment process ends.
  • Personal data of individuals requesting commercial communications via email. Data is stored based on consent, including: name and email address. Consent can be withdrawn at any time. The controller does not share these emails with any other entities.
  • Personal data related to handling inquiries, complaints, and suggestions. Data subjects may submit requests by providing contact details.
  • Camera recordings of entries to the controller’s premises and the passenger facilities in Modřice. Data subjects are informed about the camera system through signs at visible locations near entry points.
  • Audio recordings of IDS JMK infoline phone calls. Data subjects are informed about monitoring before starting a call with an operator.

Sources of Personal Data

The controller obtains personal data from the following sources:

  • directly from individuals during negotiations on contractual relationships,
  • from publicly accessible registers, lists, and records (e.g., Commercial Register, Trade Register, Land Registry, public telephone directories, etc.),
  • from other entities if required by special regulations,
  • from other entities if the individual has given their consent,
  • from other entities for legitimate interest protection purposes,
  • directly from individuals during recruitment processes for new employees and external collaborators,
  • from camera systems, as informed through signs and icons at the entry to monitored areas.

Processors and Recipients

The controller processes personal data electronically and/or in paper form. Electronic documents are processed manually and automatically in electronic information systems.

Data protection is ensured by the controller both technically and organizationally, in compliance with applicable legislation.

Personal data may also be provided to other entities upon request if they have a legal basis, especially law enforcement authorities, courts, and administrative bodies.

Rights Related to Personal Data Processing

Right to Withdraw Consent

The data subject has the right to withdraw their consent to the processing of personal data at any time. Withdrawal must be made in writing and signed, sent to the controller. Withdrawal does not affect the lawfulness of data processing carried out based on valid consent before its withdrawal.

Right of Access

The data subject has the right to obtain confirmation from the controller on whether their personal data is being processed and access the processed data and the following information:

  • purposes of processing,
  • categories of personal data concerned,
  • recipients or categories of recipients,
  • planned retention period or criteria for determining this period,
  • existence of rights to rectification, erasure, or restriction of data processing,
  • right to lodge a complaint with a supervisory authority,
  • source of personal data, if not obtained from the data subject,
  • automated decision-making, including profiling, the procedure used, and the significance and potential consequences.

The controller provides the data subject with a copy of the processed personal data. Additional copies may incur a reasonable administrative fee.

Right to Rectification

The data subject has the right to have inaccurate personal data rectified without undue delay. Considering the purposes of processing, the data subject also has the right to complete incomplete data, including providing an additional statement.

Right to Erasure ("Right to be Forgotten")

The data subject has the right to have their personal data erased without undue delay, provided one of the following applies:

  • Data is no longer necessary for the purposes it was collected or processed for;
  • The data subject withdraws their consent, and there is no other legal basis for processing;
  • The data subject objects to processing under Article 21(1) GDPR, and there are no overriding legitimate grounds for processing;
  • The data has been processed unlawfully;
  • The data must be erased to comply with a legal obligation;
  • The data was collected in relation to the offer of information society services.

The right to erasure does not apply in some cases, such as where processing is necessary to fulfill legal obligations or for the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing

The data subject has the right to restrict processing if:

  • the accuracy of data is contested, for a period enabling verification,
  • processing is unlawful, and the data subject opposes erasure, requesting restriction instead,
  • the controller no longer needs the data, but it is required for legal claims,
  • the data subject objects to processing until it is verified whether legitimate grounds override their objections.

When processing is restricted, data may only be processed with consent, for legal claims, to protect another’s rights, or for reasons of public interest of the EU or a Member State.

Right to Object

The data subject has the right to object to processing for legitimate interests of the controller or third parties. The controller will stop processing unless compelling legitimate grounds are demonstrated.

Right to Data Portability

The data subject has the right to receive their personal data processed automatically based on consent in a structured, commonly used, machine-readable format and to transfer it to another controller. They may also request direct transfer where technically feasible.

Right to File a Complaint

Complaints about the controller’s activities or recipients of personal data can be filed in writing, by email, or by phone (see controller’s contact details), indicating it concerns a complaint. Complaints must be resolved within 30 days.

Data subjects can also contact the supervisory authority: the Office for Personal Data Protection (www.uoou.cz).

How to Exercise Your Rights

If a data subject believes their personal data is processed contrary to legislation, they may:

  • request an explanation from the controller,
  • demand the controller rectify the situation, especially by correction, supplementation, or deletion of data.

Effective Date: March 22, 2024