Policy on the handling of clients' personal data

1 PERSONAL DATA POLICY

The purpose of this document is to inform the clients of První certifikační autorita, a.s. (hereinafter referred to as I.CA) about the protection of their personal data. I.CA considers this protection to be essential and therefore, in the course of its activities, it ensures, among other things, strict compliance with the relevant legislation. The handling of personal data is regularly verified during the compliance assessment of trust systems.

1.1 Controller of personal data of the company's clients

The personal data controller is První certifikační autorita, a.s., with its registered office at Podvinný mlýn 2178/6, 190 00 Prague 9. The company is registered in the Commercial Register kept at the Municipal Court in Prague, file number: section B, insert 7136; its ID number is 26439395.

I.CA can be contacted in the following ways:

  • by mail at the address of the company's registered office:
    První certifikační autorita, a.s.
    Podvinný mlýn 2178/6
    190 00 Prague 9
    Czech Republic
  • via the data box I.CA,
  • by telephone at +420 284 081 940 or +420 284 081 965,
  • by e-mail at info@ica.cz,
  • in person at the registration authority's office at the company's registered office (working hours Monday
    to Thursday from 8:00 to 15:30, Friday from 8:00 to 12:00).

You may also contact the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7 - Holešovice, telephone +420 234 665 111, e-mail posta@uoou.cz, with a question, suggestion or complaint.

1.2 Types of personal data processed

The following personal data are processed for the purposes of trust services:

  • name, surname, title,
  • birth number or date of birth,
  • initials,
  • a numerical identifier supplied by the MLSA,
  • gender,
  • address of permanent residence (street, descriptive number, landmark number, city and postcode, country),
  • e-mail address,
  • primary identity document or secondary identity document (type and number),
  • video recording or facial photograph (biometric data in the case of remote certificate issuance),
  • photographs of the personal documents presented, when using the identity verification service for remote certificate issuance.

The personal data (mandatory or optional) provided in the certificate application depends on the type of certificate (see Chapter 7 of the relevant certification policy).

When visiting our website, all identification data (e.g. IP address) and other information (date, time, page viewed) is recorded for security reasons. We do not use Java Applets or Active X Controls.

Our site uses cookies. This data is used exclusively for statistical purposes and complete anonymity is guaranteed.

1.3 Purposes and lawfulness of the processing of personal data

The purpose of processing personal data of clients is to provide trust and qualified trust services. The data processed are clients' identification and contact data, data for the verification of their identity and, in the case of remote certification, their biometric data.

The lawfulness of the processing of personal data obtained from clients requesting the issuance of public key certificates is conditional on the fulfilment of the legal obligation applicable to I.CA in the case of qualified certificates and qualified trust services, and on the fulfilment of the contract to which the client and I.CA are parties in the case of non-qualified certificates and other services. The processing of the client's biometric data requires the client's explicit consent by law.

1.4 Failure to provide personal data

In the event of non-provision of personal data, it is not possible to access the trust services provided by I.CA, i.e. certificate issuance, time stamp issuance, verification of electronic signatures and seals.

1.5 Retention period of personal data

The deletion period for identification, contact and biometric data relating to trust services is ten years in accordance with the relevant legislation, and a further fifteen years for identity verification data.

1.6 Disclosure of personal data

The personal data contained in the certificates issued shall be made publicly available at http://www.ica.cz/Verejne-certifikaty. Issued certificates are published except where the certificate holder has chosen not to make the certificate public. This option is available to all applicants for a certificate and is described in the certification policies (section 4.4.2).

Personal data of clients of the Qualified Electronic Time Stamp Service and Qualified Electronic Signature or Seal Verification Service are not routinely disclosed.

Personal data may be disclosed for judicial or administrative purposes, always in accordance with applicable data protection legislation.

1.7 Recipients of personal data

The recipients of the personal data are only those entities authorised under the relevant legislation and, in the event of the termination of I.CA, alternative trust service providers or the supervisory authority.

1.8 Transfer of personal data

I.CA does not transfer personal data to third countries or international organisations.

1.9 Client's rights in relation to the protection of personal data

The rights of the client as a data subject are:

  • to obtain access to and an extract of the personal data concerning him/her in the course of processing at I.CA,
  • to request rectification if he/she discovers that the data held by I.CA is inaccurate, outdated or incomplete,
  • to request erasure; however, this right is limited by the legislation regulating the processing activities of I.CA, i.e. personal data may not be erased in whole or in part, even though the right to erasure has been exercised,
  • to request portability in a commonly used and machine-readable format,
  • to lodge a complaint with the supervisory authority (see chapter 1.1).

Note: The list is narrower than the set of rights stated in the legislation because of the condition of lawfulness of processing (e.g. processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority is not considered).
