Effective Date: November 22, 2024
Exero Group s.r.o. (hereinafter referred to as "the Agency") is committed to protecting the personal data of its clients, employees, and business partners in compliance with the European Union’s General Data Protection Regulation (GDPR). This policy outlines how the Agency collects, processes, stores, and protects personal data, ensuring transparency and accountability.
1. Scope
This GDPR compliance policy applies to:
All personal data processed by the Agency, regardless of the format.
All employees, contractors, and third-party service providers of the Agency.
All processing activities, including the collection, storage, use, and transfer of personal data.
2. Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, such as collection, storage, use, or deletion.
Data Subject: The individual whose personal data is processed.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: The entity that processes data on behalf of the Data Controller.
3. Principles of Data Protection
The Agency adheres to the following GDPR principles:
Lawfulness, Fairness, and Transparency: Personal data is processed legally, fairly, and transparently.
Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.
Data Minimization: Only the data necessary for the purposes of processing is collected.
Accuracy: Personal data is kept accurate and up to date.
Storage Limitation: Data is stored only as long as necessary for the purposes it was collected.
Integrity and Confidentiality: Data is processed securely to protect against unauthorized or unlawful access, alteration, or destruction.
4. Legal Basis for Processing
The Agency processes personal data only when at least one of the following conditions applies:
Consent has been provided by the data subject.
Processing is necessary for the performance of a contract.
Processing is required to comply with a legal obligation.
Processing is necessary to protect the vital interests of a data subject or another person.
Processing is in the legitimate interests of the Agency or a third party, provided it does not override the rights and freedoms of the data subject.
5. Data Subject Rights
The Agency respects and upholds the following rights of data subjects:
Right to Access: Data subjects can request access to their personal data.
Right to Rectification: Data subjects can request corrections to inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Data subjects can request the deletion of their data under certain conditions.
Right to Restriction: Data subjects can request the restriction of processing under certain conditions.
Right to Data Portability: Data subjects can request the transfer of their data to another controller.
Right to Object: Data subjects can object to processing based on legitimate interests or direct marketing.
Right to Lodge a Complaint: Data subjects can lodge complaints with a supervisory authority.
6. Data Security Measures
The Agency implements robust security measures to protect personal data, including:
Encryption of data during transmission and storage.
Regular audits and assessments of data processing activities.
Secure access controls and authentication measures.
Regular employee training on data protection best practices.
7. Data Breach Management
In the event of a data breach, the Agency will:
Assess the nature and scope of the breach.
Notify the supervisory authority within 72 hours if the breach poses a risk to data subjects’ rights and freedoms.
Inform affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms.
Document all breaches, regardless of severity.
8. Third-Party Processors
The Agency ensures that third-party processors comply with GDPR by:
Conducting due diligence before engaging any processor.
Entering into data processing agreements that outline GDPR compliance requirements.
Monitoring processors to ensure continued compliance.
9. Data Retention
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Retention periods are clearly defined in the Agency’s Data Retention Policy.
Contact Information:
Data Protection Officer email: dpo@exerogroup.cz