PRIVACY POLICY

USERS OF THE HOPON MOBILE APPLICATION

 

This document provides you with information on how Dopravní podnik města Hradce Králové, a.s. (hereinafter referred to as the "DT") obtains and processes your personal data in connection with the use of the HopOn mobile application (hereinafter referred to as the "Application"), which is operated by DT.

When processing personal data, we are governed by legal regulations, in particular Regulation of the European Parliament and of the Council of the EU 2016/679 of 27.4.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "EU Regulation"), which comes into effect on 25.5.2018.

This document will be updated periodically when the need arises for updating. The updated version of the HopOn Mobile Application User Privacy Policy (hereinafter referred to as the "Policy") is effective upon publication on the www.dpmhk.cz website.

We protect your personal data to the maximum extent possible, which corresponds to the technical level of available means. Strict internal rules apply in DT determining which employees may have access to your personal data and to what extent they may process it, while access rights are narrowed down to the necessary minimum.

We encourage you to read this information carefully. We have done our best to make them as understandable as possible. If something is still not clear to you, we will be happy to explain any concept or passage to you. If you have any questions, please contact the contact person listed in section 1.2. below.

1. CONTROLLER OF YOUR DATA

1.1. The controller of your personal data is:

 

Dopravní podnik města Hradce Králové, a.s ., IČO: 25267213, registered office: Pouchovská 153/52, Věkoše, 500 03 Hradec Králové, registered in the Commercial Register kept by the Regional Court in Hradec Králové, Section B, Insert 1625.

1.2. Contact person and Data Protection Officer: GDPR Hradec s.r.o., with registered office: Fráni Šrámka 1139, 500 02 Hradec Králové, ID: 06708218, contact person: Mgr. Jitka Moníková, e-mail: info@gdprhradec.cz, tel.: +420 495 510 765.

1.3. The Controller collects your data, disposes of them and is responsible for their proper and lawful processing. You may exercise your rights against the controller in the manner set out below.

2. PROCESSED DATA, THEIR PURPOSE AND REASON

We process only such data to provide you with quality services related to the use of the Application. We process your personal data in the following processing methods and for the purposes listed below:

2.1. Conclusion of the contract

2.1.1. The BASIC (MANDATORY) identification data that we process about you for the purpose of concluding a contract between DT and you (as a passenger), the subject of which is the use of the Application by public transport passengers (hereinafter referred to as the "Agreement") include those that you provide to us in one of the following ways:

  • by filling in the Application

Specifically, we process the following types of personal data:

  • name and surname,
  • date of birth
  • photos (only for the purpose of registering the Application and reconciling the profile).

These data are part of each Contract and we need them to be able to conclude it and put the Application into operation.

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.1.2. During the operation of the Application, the following OPERATING DATA are further processed:

  • name
  • surname
  • date of birth
  • photo (will be displayed in the Application for the purpose of ticket inspection),
  • telephone number
  • order history, for the purpose of handling complaint claims,
  • email, for the purpose of sending payment information and related information.

Reason (legal basis) why we process the data:

- performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation).

2.2. Performance of the Contract – processing of other personal data

2.2.1. Data from mutual communication

We also process data about our mutual communication related to the use of the Application, such as when dealing with your comments or when handling complaints, etc. In this communication, we process the following personal data that you provide to us:

  • name and surname,
  • the address of the complainant,
  • provided contact (e-mail or telephone),
  • the phone number of the mobile phone on which the Application is installed.

These data are entered in the form: Receipt of a complaint or in the complaint form.

Reason (legal basis) why we process the data:

- when dealing with complaints and claims, these are acts related to the performance of the concluded contract (we use this reason in accordance with Article 6 (1) (b) of the EU Regulation);

2.2.2. Accounting and taxes

We collect your identification and transaction data (in particular on monetary payments made, on canceled payments, on any refunds in the case of justified complaints) for the purpose of fulfilling our accounting and tax obligations imposed on us by applicable legislation (in particular the Accounting Act, the Value Added Tax Act, the Payment System Act).

These are the data that are listed on tax documents. Therefore, if a legal regulation obliges us to archive these documents, we also store your personal data, which must be stated on the documents.

Reason (legal basis) why we process the data:

- fulfillment of legal obligations (we use this reason in accordance with Article 6 (1) (c) of the EU Regulation).

2.2.3. Exercise (or defence) of rights

Should a dispute arise between the DT and you, we will process your personal data necessary to defend our legal claims in connection with the dispute until the end of the dispute. As a rule, in this context, we process the passenger's basic data, data on payments made, data from complaint proceedings, data from mutual communication, data on legal steps taken and its results.

Reason (legal basis) why we process the data:

- the processing is necessary for the legitimate interests of our company in defending our claims (we use this reason in accordance with Article 6 (1) (f) of the EU Regulation).

3. HOW LONG DO WE KEEP YOUR DATA?

DT processes personal data for the minimum period for which it is obliged to process personal data.

3.1. Personal data of passengers

We process passengers' personal data in our electronic database (and some documents such as a complaint protocol, acceptance of a complaint, also in paper form) for the duration of the contractual relationship, which is the reason for the processing of such personal data.

We will use the provided photo for the purpose of registering the Application and for possible profile approval only for the purpose of registering the Application and for any profile approval (usually processed within 1 working day), and then delete/anonymize the provided photo within 3 working days.

3.2. Order history

The order history is automatically deleted/anonymized every 2 years; this is without prejudice to the obligation of DT to keep tax documents on payments made for fares for the statutory period.

3.3. Other personal data

Tax documents (confirmation of purchase of the order) will be deleted within 1 month after 5 years from the monetary transaction, unless a longer period is required by law in a particular case.

Should a dispute arise between the DT and you, we will process your personal data necessary to defend our legal claims in connection with the dispute until the end of the dispute.

4. SOURCES OF PERSONAL DATA

We only process personal data that we have received from you or obtained when communicating with you when using the Application.

We do not search for and process personal data about you from public sources.

5. RECIPIENTS OF PERSONAL DATA

In principle, we manage your personal data within the DT and do not pass them on to third parties unless it is absolutely necessary.

Such a need may arise in the case of external suppliers/service providers such as:

- provider providing the HopON mobile application service (UNIARC s.r.o. with its registered office),

- provider of the GoPay payment gateway (GOPAY s.r.o. with its registered office in the Czech Republic),

- providers of legal services (in case of dispute), auditors (audit of accounting documents).

In such a case, written contractual relationships are concluded with these entities (if they have the status of personal data processors) that contractually ensure the security of the transferred personal data in accordance with the EU Regulation. In principle, the registered office of IT service providers is located within the EU and personal data is not transferred outside the EU.

Some state administration bodies are entitled to request ad hoc information about you (e.g. the Police of the Czech Republic, financial control authorities) in order to fulfil their legal obligations. We only provide data if the right to request such data is required by law.

6. WHAT ARE YOUR RIGHTS?

Right of access to personal data

You have the right to access all processed personal data. At your request, we will provide a copy of the processed personal data in a machine-readable format, or we will allow you to view the concluded Contract and other documents stored with it.

Right to rectification of personal data

You have the right to have changed personal data corrected (or incorrectly disclosed data for any other reason). We will correct the changed data (e.g. from a new identity document).

Right to erasure of personal data

You have the right to erasure of your personal data that we would process unlawfully.

Right to restrict the processing of personal data

You have the right to block your personal data under the conditions set out in Article 18 of the EU Regulation (especially if an objection is raised, there is a dispute about the legitimacy of data processing).

Right to data portability

You have the right to obtain from us providing you with automated personal data in a structured, commonly used and machine-readable format, or to transfer this data to another controller, if technically feasible.

Right to withdraw consent

If you have given us your consent to process your personal data for specified purposes, you have the right to withdraw this consent at any time. However, we do not require your consent in relation to the provision of services related to the use of the App.

Right not to be subject to automated decision-making

You have the right not to be subject to any decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you. The DP does not carry out any such automated decision-making or profiling.

Right to object

You have the right to object if the processing is based on our legitimate interest (defence of legal claims).

 

Right to lodge a complaint

You have the right to address your complaint to the DT at any time, or to file a complaint with the Office for Personal Data Protection, address: registered office at Pplk. Sochora 27, 170 00 Prague 7 or to request judicial protection.

How to exercise rights

To exercise your rights above, please contact our Data Protection Officer: GDPR Hradec s.r.o., with its registered office: Fráni Šrámka 1139, 500 02 Hradec Králové, ID: 06708218, contact person: Mgr. Jitka Moníková, e-mail: info@gdprhradec.cz, tel.: +420 495 510 765 or you can exercise these rights personally when visiting DT. To exercise your rights, you can use the forms prepared by us located at www. dpmhk.cz in the section Personal Data Protection - here you will find a more detailed explanation of the conditions for exercising the right for each right.

We are obliged to inform you free of charge of the measures taken without undue delay and in any case within one month of receipt of the request. That period may be extended by a further two months, if necessary, taking into account the complexity and number of requests. If we do not comply with your request, we will inform you immediately (at the latest within one month) of the reasons for the non-compliance.

In some cases defined by legislation, we are not obliged to comply with the request in whole or in part. This will be the case, in particular, where the request is manifestly unfounded or excessive, in particular because it is repeated. In such cases, we may: (i) impose a reasonable fee taking into account administrative costs or (ii) refuse to comply with the request.

If we receive a request but have reasonable doubts about the identity of the sender of the request, we may ask you to provide additional information necessary to confirm your identity.