GDPR Compliance Policy

Exero Group s.r.o. (hereinafter referred to as "the Agency") is committed to protecting the personal data of its clients, employees, and business partners in compliance with the European Union's General Data Protection Regulation (GDPR). This policy outlines how the Agency collects, processes, stores, and protects personal data, ensuring transparency and accountability.

1. Scope

• All personal data processed by the Agency, regardless of the format.
• All employees, contractors, and third-party service providers of the Agency.
• All processing activities, including the collection, storage, use, and transfer of personal data.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, such as collection, storage, use, or deletion.
• Data Subject: The individual whose personal data is processed.
• Data Controller: The entity that determines the purposes and means of processing personal data.
• Data Processor: The entity that processes data on behalf of the Data Controller.

3. Principles of Data Protection

• Lawfulness, Fairness, and Transparency: Personal data is processed legally, fairly, and transparently.
• Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes.
• Data Minimization: Only the data necessary for the purposes of processing is collected.
• Accuracy: Personal data is kept accurate and up to date.
• Storage Limitation: Data is stored only as long as necessary.
• Integrity and Confidentiality: Data is processed securely to protect against unauthorized access, alteration, or destruction.

4. Legal Basis for Processing

• Consent has been provided by the data subject.
• Processing is necessary for the performance of a contract.
• Processing is required to comply with a legal obligation.
• Processing is necessary to protect the vital interests of a data subject or another person.
• Processing is in the legitimate interests of the Agency or a third party, provided it does not override the rights and freedoms of the data subject.

5. Data Subject Rights

• Right to Access: Data subjects can request access to their personal data.
• Right to Rectification: Data subjects can request corrections to inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Data subjects can request the deletion of their data under certain conditions.
• Right to Restriction: Data subjects can request the restriction of processing under certain conditions.
• Right to Data Portability: Data subjects can request the transfer of their data to another controller.
• Right to Object: Data subjects can object to processing based on legitimate interests or direct marketing.
• Right to Lodge a Complaint: Data subjects can lodge complaints with a supervisory authority.

6. Data Security Measures

• Encryption of data during transmission and storage.
• Regular audits and assessments of data processing activities.
• Secure access controls and authentication measures.
• Regular employee training on data protection best practices.

7. Data Breach Management

• Assess the nature and scope of the breach.
• Notify the supervisory authority within 72 hours if the breach poses a risk to data subjects' rights and freedoms.
• Inform affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms.
• Document all breaches, regardless of severity.

8. Third Party Processors

• Conducting due diligence before engaging any processor.
• Entering into data processing agreements that outline GDPR compliance requirements.
• Monitoring processors to ensure continued compliance.

9. Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Retention periods are clearly defined in the Agency's Data Retention Policy.

Contact Information

Data Protection Officer: dpo@exerogroup.cz