PRIVACY POLICY

CITY CARD USERS

This document provides you with information on how Dopravní podnik města Hradce Králové, a.s. (hereinafter referred to as "DT") obtains and processes your personal data in connection with the use of a contactless chip Municipal Card of which DT is the manufacturer and issuer. 

At the outset, please note that in order to use the transport services provided by DT, you can use the following issue options:

- transferable so-called FREE CARDS, on which no personal data are stated and in connection with its issuance or use of DT does not process any personal data;

- non-transferable so-called anonymous cards, on which the name, surname and photograph are stated, but the DT does not process and record any personal data.

When processing personal data, we are governed by legal regulations, in particular Regulation of the European Parliament and of the Council of the EU 2016/679 of 27.4.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "EU Regulation"), which comes into effect on 25.5.2018.

This document will be updated periodically when the need arises for updating. The updated version of the Personal Data Protection Policy of City Card Users (hereinafter referred to as the "Policy") is effective upon publication on the www.dpmhk.cz website.

We protect your personal data to the maximum extent possible, which corresponds to the technical level of available means. Strict internal rules apply in DT determining which employees may have access to your personal data and to what extent they may process it, while access rights are narrowed down to the necessary minimum.

We encourage you to read this information carefully. We have done our best to make them as understandable as possible. If something is still not clear to you, we will be happy to explain any concept or passage to you. If you have any questions, please contact the contact person listed in section 1.2. below.

1. CONTROLLER OF YOUR DATA

1.1. The controller of your personal data is:

Dopravní podnik města Hradce Králové, a.s ., IČO: 25267213, registered office: Pouchovská 153/52, Věkoše, 500 03 Hradec Králové, registered in the Commercial Register kept by the Regional Court in Hradec Králové, Section B, Insert 1625.

1.2. Contact person and Data Protection Officer: GDPR Hradec s.r.o.,

with registered office: Fráni Šrámka 1139, 500 02 Hradec Králové, IČ: 06708218, contact person: Mgr. Jitka Moníková, e-mail: info@gdprhradec.cz, tel.: +420 495 510 765.

1.3. The Controller collects your data, disposes of them and is responsible for their proper and lawful processing. You may exercise your rights against the controller in the manner set out below.

2. PROCESSED DATA, THEIR PURPOSE AND REASON

We process only such data so that we can provide you with quality services related to the issuance and use of the City Card. We process your personal data in the following processing methods and for the purposes listed below:

2.1. Conclusion of a contract on the issue of an electronic monetary instrument – PERSONAL CARDS

2.1.1. Among the BASIC (MANDATORY) identification data we process about you for the purposes of

conclusion of a Contract on the Issuance of an Electronic Monetary Instrument – City Card (hereinafter referred to as

"Agreement") means those that you provide to us in any of the following ways:

• by completing the Contract in person at DT distribution points, or
• by completing the Contract in the online form available on our website www.dpmhk.cz.

Specifically, we process the following types of personal data:

• name and surname (if the holder of the City Card is a child under 15 years of age, then also with the legal guardian),
• date of birth (if the holder of the City Card is a child under 15 years of age, then also with a legal guardian),
• Your handwritten signature
• photograph (only for the purpose of production of the City Card, subsequently deleted).

These data are part of each Contract and we need them for the possibility of its conclusion and issuance of a non-transferable City Card.

• E-mail is required as mandatory information only if you fill in the on-line application for the issuance of the City Card together with attaching a photo file and sending the payment (information about the date of picking up the City Card and the payment made is sent to the e-mail).

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.1.2. Among the ADDITIONAL (OPTIONAL) personal data that we process only if

You tell us when filling in the Agreement (in person or online), these include:

• e-mail and telephone number (if the holder of the City Card is a child under 15 years of age, then these data only regarding the legal guardian),

If you provide us with this data, we can provide you with more comfortable communication services, e.g. in the event of finding your card, when communicating regarding the collection of the City Card produced, etc. If you provide us with information about whether you are a student, we can award you the benefits that DT provides to these persons, i.e. discounts on fares.

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.1.3. When issuing a City Card and in connection with its activation, the following are further processed:

OPERATING DATA :

• the number of the Request/Agreement,
• the date of issue of the City Card and its validity,
• the number of the City Card issued,
• information about the value of the amount of money on the City Card,
• information about the bank account number in the case of on-line sending of the payment before the Municipal Card is issued, which serves exclusively for the purpose of identifying the received payment and does not use this information after the DT has been identified.

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.2. Conclusion of a contract for the issuance of an electronic monetary instrument – ANONYMOUS CARDS

2.2.1. When concluding a contract on the issuance of the so-called. We only need anonymous cards for the purpose of its production, which you fill in in the Contract on the Issuance of an Electronic Monetary Means – Anonymous City Cards:

• name and surname (to be stated on the card for the purpose of ticket inspection)
• a photo (to be displayed on the card for ticket inspection)
• date of birth (it will not be stated on the card, it serves only to verify the possibility of activating fare discounts for persons over 65 years of age).

2.2.2. As soon as the Anonymous Card is manufactured and physically handed over to the holder, the Contract for the Issuance of an Electronic Monetary Instrument – Anonymous City Card is shredded and no personal data on the Anonymous Card holder is processed in paper or electronic form.

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.3. Performance of the Contract – online top-up of the City Card

If you use the option to purchase season tickets and top up your electronic wallet through an online sale on www.dpmhk.cz, we process the following personal data about you:

• e-mail, for the purposes of:
  • sending a notification of the approaching expiry of the validity of the season ticket (if you actively choose this option),
  • sending information about the payment made,
  • sending information about the successful progress of the payment transaction,
  • sending a password to access the order history,
  • sending a generated new forgotten password,
  • sending information about the cancellation of a paid order
• City Card number for entry into the ordering system and for identification on the tax document,
• Order history
• order number and partial payment amount,
• Assigned password to access the order history.

These data are necessary for the proper functioning of the City Card on-line top-up service.

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.4. Performance of the Contract – processing of other personal data

2.4.1. Data from mutual communication

We also process data about our mutual communication related to the use of the City Card, such as when dealing with your comments or when handling complaints, etc. In this communication, we process the following personal data that you provide to us:

• name and surname,
• the address of the complainant,
• provided contact (e-mail or telephone),
• City Card number – if it is blocked, it is listed in the list of blocked cards.

These data are entered in the form: Receipt of a complaint or in the complaint form.

Reason (legal basis) why we process the data:

- when dealing with complaints and claims, these are acts related to the performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation);

- when blocking the card, these are also acts in which the DT exercises its contractual right arising from the terms and conditions, i.e. acts related to the performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.4.2. Accounting and Taxes

We collect your identification and transaction data (in particular on monetary payments made, on canceled payments, on any refunds in the case of justified complaints) for the purpose of fulfilling our accounting and tax obligations imposed on us by applicable legislation (in particular the Accounting Act, the Value Added Tax Act, the Payment System Act).

These are the data that are listed on tax documents. Therefore, if a legal regulation obliges us to archive these documents, we also store your personal data, which must be stated on the documents.

Reason (legal basis) why we process the data:

- fulfillment of legal obligations (we use this reason in accordance with Article 6 (1) (c) of the EU Regulation).

2.4.3. Exercise (or defence) of rights

Should a dispute arise between the DT and you, we will process your personal data necessary to defend our legal claims in connection with the dispute until the end of the dispute. As a rule, in this context, we process the passenger's basic data, data on payments made, data from complaint proceedings, data from mutual communication, data on legal steps taken and its results.

Reason (legal basis) why we process the data:

- the processing is necessary for the legitimate interests of our company in defending our claims (we use this reason in accordance with Article 6 (1) (f) of the EU Regulation).

3. HOW LONG DO WE KEEP YOUR DATA?

DT processes personal data for the minimum period for which it is obliged to process personal data.

3.1. Personal data of passengers

We process passengers' personal data in our electronic database (and some documents such as the Contract, complaint protocol, acceptance of complaints, also in paper form) for the duration of the contractual relationship, which is the reason for the processing of such personal data. I.e. if the passenger or the DT does not terminate the Contract or there is no other reason for premature termination of the Contract (see Article X of the Terms and Conditions for the Issuance and Use of Contactless Chip City Cards), we will process your personal data until the expiry of the validity period of the City Card (see Article III of the Terms and Conditions for the Issuance and Use of Contactless Chip City Cards). You can find out the validity period from each proof of transactions (charging) or on self-service machines.

If the validity of the City Card is not extended by you, we will keep your personal data for a period of 6 months after its expiry (in a limited processing mode) in case you file a complaint. However, if unused funds are available on the City Card, we will store your personal data and keep the City Card for the possibility of collecting funds for a period of 3 years from its expiry. After the expiry of these deadlines (i.e.  6 months or 3 years),  the personal data will be deleted/anonymised in both paper and electronic form; However, not if we need them after this period for other purposes, e.g. to defend our claims (i.e. to resolve the dispute, e.g. due to a claim) or for other legal reasons (e.g. compliance with accounting and tax obligations, etc.).

If the Contract is terminated early, we will delete/anonymize personal data within 4 months of the early termination of the Contract, in both paper and electronic form; However, not if we need them after this period for other purposes, e.g. to defend our claims (i.e. to resolve the dispute, e.g. due to a claim) or for other legal reasons (e.g. compliance with accounting and tax obligations, etc.).

We will use the provided photograph for the issuance of the City Card only for the production of the City Card (usually processed within 1 working day) and then return the photo to you or, if it was provided online, it will be deleted within 1 working day of the production of the City Card.

If you apply for a City Card but it is not collected within 6 months, we will delete/anonymize the personal data provided .

3.2. Deletion of personal data on the PERSONAL CITY CARD

As a holder of a PERSONAL City Card, you are entitled to request the DT to completely delete the personal data recorded by the DT. As a result of such an application, personal data processed by DT in electronic and paper form in relation to the issued Personal City Card will be deleted/anonymised (after verifying the identity of the applicant, if necessary). In this case, the original card will be blocked and a new anonymous card will be issued.

Even if we do not receive any request for deletion, the history of executed orders is automatically deleted by DT every 2 years; this is without prejudice to the obligation of DT to keep tax documents on payments made for fares for the statutory period.

3.3. Other personal data

Tax documents (confirmation of purchase of the order) will be deleted within 1 month after 5 years from the monetary transaction, unless a longer period is required by law in a particular case.

The DT will delete/anonymise the personal data of the legal representative of a person under 15 years of age in relation to the represented person as soon as the reason for representation has ceased to exist (e.g. reaching the age of 15), or, if the purpose has not ceased to exist before, together with the deletion/anonymisation of the personal data of the City Card holder.

Should a dispute arise between the DT and you, we will process your personal data necessary to defend our legal claims in connection with the dispute until the end of the dispute.

4. SOURCES OF PERSONAL DATA

We only process personal data that we have received from you or obtained when communicating with you when using the City Card. We do not search for and process personal data about you from public sources.

5. RECIPIENTS OF PERSONAL DATA

In principle, we manage your personal data within the DT and do not pass them on to third parties unless it is absolutely necessary.

Such a need may arise in the case of external suppliers/service providers such as:

- provider providing service of the check-in system in Hradec Králové (EMTEST a.s. based in Slovakia),

- provider of the GoPay payment gateway (GOPAY s.r.o. with its registered office in the Czech Republic),

- operator of the e-shop for on-line topping of the City Card (company EM TEST ČR spol. s r.o. based in the Czech Republic),

- providers of legal services (in case of dispute), auditors (audit of accounting documents).

In such a case, written contractual relationships are concluded with these entities (if they have the status of personal data processors) that contractually ensure the security of the transferred personal data in accordance with the EU Regulation. In principle, the registered office of IT service providers is located within the EU and personal data is not transferred outside the EU.

Some state administration bodies are entitled to request ad hoc information about you (e.g. the Police of the Czech Republic, financial control authorities) in order to fulfil their legal obligations. We only provide data if the right to request such data is required by law.

6. WHAT ARE YOUR RIGHTS?

Right of access to personal data

You have the right to access all processed personal data. At your request, we will provide a copy of the processed personal data in a machine-readable format, or we will allow you to view the concluded Contract and other documents stored with it.

Right to rectification of personal data

You have the right to have changed personal data corrected (or incorrectly disclosed data for any other reason). We will correct the changed data (e.g. from a new identity document).

Right to erasure of personal data

You have the right to erasure of your personal data that we would process unlawfully.

Right to restrict the processing of personal data

You have the right to block your personal data under the conditions set out in Article 18 of the EU Regulation (especially if an objection is raised, there is a dispute about the legitimacy of data processing).

Right to data portability

You have the right to obtain from us providing you with automated personal data in a structured, commonly used and machine-readable format, or to transfer this data to another controller, if technically feasible.

Right to withdraw consent

If you have given us your consent to process your personal data for specified purposes, you have the right to withdraw this consent at any time. However, we do not require your consent in relation to the provision of services related to the use of the City Card.

Right not to be subject to automated decision-making

You have the right not to be subject to any decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you. The DP does not carry out any such automated decision-making or profiling.

Right to object

You have the right to object if the processing is based on our legitimate interest (defence of legal claims).

Right to lodge a complaint

You have the right to address your complaint to the DT at any time, or to file a complaint with the Office for Personal Data Protection, address: registered office at Pplk. Sochora 27, 170 00 Prague 7 or to request judicial protection.

How to exercise rights

To exercise your rights listed above, please contact our Data Protection Officer: GDPR Hradec s.r.o., with its registered office: Fráni Šrámka 1139, 500 02 Hradec Králové, ID: 06708218, contact person: Mgr. Jitka Moníková, e-mail: info@gdprhradec.cz, tel.: +420 495 510 765 or you can exercise these rights in person when visiting DT. To exercise your rights, you can use the forms prepared by us located at www. dpmhk.cz in the section Personal Data Protection - here you will find a more detailed explanation of the conditions for exercising the right for each right.

We are obliged to inform you free of charge of the measures taken without undue delay and in any case within one month of receipt of the request. That period may be extended by a further two months, if necessary, taking into account the complexity and number of requests. If we do not comply with your request, we will inform you immediately (at the latest within one month) of the reasons for the non-compliance.

In some cases defined by legislation, we are not obliged to comply with the request in whole or in part. This will bethe case, in particular, if the request is manifestly unfounded or excessive, in particular because it is repeated. In such cases, we may: (i) impose a reasonable fee taking into account administrative costs or (ii) refuse to comply with the request.

If we receive a request but have reasonable doubts about the identity of the sender of the request, we may ask you to provide additional information necessary to confirm your identity.