I.CA RemoteSign Data Handling Policy
První certifikační autorita, a.s., ID No.: 26439395, with registered office at Podvinný mlýn 2178/6, Libeň, 190 00 Prague 9, registered in the Commercial Register maintained by the Municipal Court in Prague, file no. B 7136 (hereinafter referred to as the "Company"), is the provider of the I.CA RemoteSign service.
I.CA RemoteSign is a service that enables the creation of electronic signatures on mobile devices (mobile phones and tablets). The user always has a mobile application based on the I.CA RemoteSign application, which is used to receive requests for the creation of electronic signatures on documents sent by the user (hereinafter referred to as the "signed document").
The Company hereby informs the user of the I.CA RemoteSign application that all communication between the user's mobile device and the I.CA RemoteSign service is encrypted with a specially designed protocol. The data transmitted to the I.CA RemoteSign system does not contain signed documents; the Company does not have any access to the contents of such documents and is not the sender of the signed documents.
In the case of the use of I.CA RemoteSign, the data controller of the personal data of the users of I.CA RemoteSign is the sender of the signed document. Thus, in case of any questions regarding the processing of personal data, users are advised to contact the respective data controllers.
The Company further declares that in some cases it may act as a personal data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter referred to as "GDPR"), collecting and processing the personal data of its clients, whereby the said processing generally takes place when providing the service of a certification authority (i.e. when securing the relevant certificate). The Company declares that it handles the personal data of its clients in accordance with the GDPR and Czech data protection legislation. The Company considers this protection to be essential and therefore ensures strict compliance with the relevant legislation in its activities. To this end, the Company refers clients to the relevant policies on the processing of clients' personal data.
1. Categories of data
The I.CA RemoteSign application may in some cases have access to the following categories of data:
- first name, last name, title,
- birth date or birth number,
- a numeric identifier supplied by the MLSA,
- residential address (street, street number, postal code, landmark number, city and zip code, state),
- e-mail address,
- primary identity document
2. Legal bases (titles) of access to data
In the event that the Company accesses the data of users of the I.CA RemoteSign application, the legal basis for access to such data is the execution of a contract or agreement between the Company and the user, or in some cases the user's consent.
The legal basis for the processing of personal identification data of clients is the Company's legitimate interest in ensuring the protection of its rights and legally protected interests (e.g. when making claims before courts, insurance companies, etc.).
The legal basis for the Company's processing of certain client personal data is the Company's compliance with its legal obligations under the law, including accounting and tax obligations.
3. Purposes of the processing of personal data
The purpose of processing personal data of clients is to provide trust and qualified trust services. The data processed are clients' identification, contact and identity verification data.
In particular, the Company processes personal data for the following purposes:
- client management, including records of services provided
- processing the services provided to clients by the Company
- data processing for research purposes, including interaction with clients
- administration of remuneration for the performance of services
- processing data for the purpose of fulfilling legal obligations
- conducting internal investigations to ensure compliance with legal and regulatory requirements
- answering questions or requests for information from clients
- processing complaints and information relating to services provided
4. Retention period of personal data
The Company retains clients' personal data in a format that allows the identification of a specific client only for the period necessary to fulfil the purpose of processing; in some cases a retention period of up to 10 years is required by law.
The Company further states that the period of deletion of identification and contact data relating to trust services is ten years in accordance with the relevant legislation, with a further fifteen years for identity verification data.
Other personal data processed for the performance of the contract are processed for the duration of the contractual relationship and for three years after its termination, for the purpose of any claims arising from that relationship.
Personal data processed for the performance of legal obligations shall be processed for the period of time provided for by the relevant generally binding legislation.
Personal data processed on the basis of the Company's legitimate interests are processed only for the duration of the purpose in question, but no longer than 3 years.
5. Recipients of personal data
The recipients of the personal data are only the entities authorised under the relevant legislation and, in the event of the termination of the Company's activities, the substitute trust service providers or the supervisory authority.
Personal data may be disclosed for judicial or administrative purposes, always in accordance with the applicable data protection legislation.
The personal data contained in the certificates issued are published at http://www.ica.cz/Verejne-certifikaty. Issued certificates are published except where the certificate holder has chosen not to make the certificate public. This option is available to all applicants for a certificate and is described in the certification policies (section 4.4.2). Personal data of clients of the qualified electronic time stamp service and the qualified electronic signature or seal verification service are not normally disclosed.
6. Transfer of personal data
The Company does not transfer personal data to third countries or international organisations.
7. Client's rights in relation to the protection of personal data
The Company hereby informs the Clients of the following rights that they can exercise as data subjects under the GDPR:
a. Right of access
The Client has the right to obtain confirmation from the Company as to whether or not the personal data concerning him/her is being processed and, if so, to obtain access to such personal data, as well as information on the conditions of processing (e.g. purposes of processing, categories of personal data, recipients, expected retention period, etc.).
b. Right to rectification
The Client has the right to have the Company correct inaccurate or incomplete personal data concerning him/her without undue delay, regardless of the reason for the inaccuracy or incompleteness.
c. Right to erasure
The Client shall have the right to request that the Company cease processing and erase certain personal data relating to the Client without undue delay and the Company shall be obliged to erase certain personal data without undue delay if one of the grounds set out in the GDPR applies.
d. Right to restriction of processing
The Client has the right to request restriction of the processing of personal data under the conditions set out in the GDPR, in particular in case of doubts about the correctness of the processing.
e. Right to data portability
The Client has the right to obtain the personal data concerning him/her that he/she has provided to the Company in a structured, commonly used and machine-readable format and to transmit such data to another controller or for his/her own purposes, without hindrance from the Company. This right applies to personal data whose legal basis for processing is the performance of a contract and which is processed by automated means.
f. Right to object
The Client shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her where the personal data are processed on the legal basis of a legitimate interest of the Company or the performance of a task carried out in the public interest.
g. The right to lodge a complaint with a supervisory authority
The Client has the right to lodge a complaint with a supervisory authority if he/she believes that the Company is processing his/her personal data in breach of the GDPR or other legal provisions.
You may also contact the Office for Personal Data Protection, Pplk. Sochora 27, Holešovice, 170 00 Prague 7, telephone +420 234 665 111, e-mail posta@uoou.cz, with a question, suggestion or complaint.
In case of questions or to exercise your rights, you can contact the Company in the following ways:
- by post at the Company's registered office:
První certifikační autorita, a.s.
Podvinný mlýn 2178/6
190 00 Prague 9
Czech Republic
- by telephone, e-mail and the Company's mailbox:
  by telephone at +420 284 081 940 or +420 284 081 965,
  by e-mail to info@ica.cz,
  by data box, ID DS: a69fvfb
- in person at the office of the Registration Authority at the registered office of the Company
  (working hours Monday to Thursday from 8:00 to 15:30, Friday from 8:00 to 12:00).