Statement on the personal data processing regarding the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals in accordance with the personal data processing and the education of data subjects ("GDPR")

1. Personal Data Administrator: GRAPECARE LTD with a registered office at C13PP Coventry, SHERIFFS ORCHAD THE APEX 2, the United Kingdom, Registration Number 07501204, doing business in the Czech Republic through a branch of the foreign legal entity GRAPECARE LTD, an organizational unit with a registered office at Opletalova 1535/4, 110 00 Prague, Registration Number 24245470, hereby informs you in accordance with Article 12 of GDPR about the processing of your personal data and your rights.

2. Scope of personal data processing

Personal data are processed to the extent that the respective data subject has provided them to the personal data administrator in connection with the conclusion of a contractual or other legal relationship with the personal data administrator, or which the personal data administrator has collected in their own manner and processes them in accordance with applicable law or to fulfill the legal obligations of the personal data administrator.

3. Sources of personal data

• directly from the data subjects (e-mails, a phone number, websites, a contact form on the web, business cards, etc.)

• publicly accessible registers, lists and records (e.g. a business register, trade register, land registry, etc.) for the purpose of creating accounting documents and checking the accuracy of information

4. Categories of personal data which are the subjects of processing

• address and identification data for unambiguous and unmistakable identification of the data subject (e.g. name, surname, title, identification number, date of birth, permanent residence address, registration number, etc.) and data enabling contact with the data subject (contact details – e.g. contact address, phone number, email address and similar information)

• descriptive data (e.g. bank details)

• other information necessary for the contract

• data provided beyond the framework of applicable laws processed within the data subject's consent (processing of photographs, use of personal data for the purpose of personnel management, for the purpose of sending commercial messages or information messages, etc.)

5. Data subject categories

• administrator client

• administrator employee

• service provider

• another person who is contractually bound to the administrator

• job applicant

6. Categories of the personal data recipients

The administrator does not intend to transfer personal data to a third country outside the EU, the administrator has the right to entrust the processing of personal data to a processor who has entered into a processing agreement with the administrator and provides sufficient safeguards to protect your personal data. Otherwise, the data subjects will be fully informed of this transfer. Thus, the recipient categories are:

• financial institutions

• public institutions

• processor

• state and other bodies within the framework of the fulfillment of legal obligations stipulated by relevant legal regulations

7. Purpose of personal data processing

• purposes within the data subject's consent

• negotiations on a contractual relationship

• performance of the contract

• protection of the rights of the administrator,recipients or other persons concerned

• archiving based on law

• applicants selection for vacancies

• compliance with legal obligations by the administrator

• protecting the vital interests of the data subject

• transfer of commercial communications or other information in case of legitimate interests of the administrator

8. Method of processing and protection of personal data

Processing of personal data is done by the administrator. The processing is carried out at its premises, branches and the administrator's office by the authorized employees of the administrator, eventually, processor. Processing is done in compliance with all security policies for managing and processing personal information. For this purpose, the controller has adopted technical, organizational and legal measures to ensure the protection of personal data, measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transmission, unauthorized processing and other cases of misuse of personal data. All persons to whom personal data may be disclosed respect the right of data subjects to protect privacy and freedoms and are required to comply with applicable privacy laws.

9. Processing of personal data

In accordance with the deadlines set out in the relevant contracts and agreements, time limits prescribed for handling in case of legitimate interests of the administrator or a third party, the relevant legal regulations are the time necessary to ensure the rights and obligations arising from both – the contractual relationship and the relevant legal regulations.

10. Lessons learned

The administrator processes data with the consent of the data subject, except for cases where the processing of personal data does not require the consent of the data subject, i.e. when there is another legal basis for the purpose of processing. In accordance with Article 6 (1) of the GDPR, the administrator may process the following data without the consent of the data subject:

• processing is necessary for the performance of a contract the data subject signs or participate orfor the implementation of pre-contractual measures at the request of the data subject,

• processing is necessary to fulfill the legal obligation applicable to the administrator,

• processing is necessary to protect the vital interests of the data subject or other private individuals,

• processing is necessary for the performance of a task fulfilled in the public interest or in the exercise of public authority entrusted to the administrator,

• processing is necessary for the purposes of the legitimate interests of the relevant administrator or third party, except where the interests or fundamental rights and freedoms of the data subject, requiring the protection of personal data, prevail over those interests.


11. Rights of data subjects

A. In accordance with Article 12 of the GDPR, the administrator shall, at the request of the data subject, inform the data subject of the right of access to personal data and the following information:

• purpose of the processing,

• category of personal data concerned,

• recipients or categories of recipients to whom personal data have been or will be made available,

• period of time by which personal data will be stored

• available information about the source of personal data

• if they are not obtained from the data subject, whether there is automated decision making, including profiling.


The Administrator is enable to request reasonable reimbursement for the provision of information not exceeding the costs necessary to provide the information, and for the second and each additional copy within the administrative costs associated with it.

B. Any data subject who discovers or believes that the administrator or processor is analysing his or her personal data that violate the privacy of the data subject or violate the law, in particular where personal data are imprecise the purpose of their processing may:

• ask the administrator for an explanation

• require the administrator to remove information or personal data. They may be blocked, corrected, added or deleted.

• if the data subject's request under paragraph A is found justified, the administrator will remove the incorrect information immediately.

• if the administrator does not comply with the data subject's request under paragraph A, the data subject has the right to contact the supervisory authority directly, i.e. the Office for Personal Data Protection.

• The procedure under paragraph A. does not preclude the data subject from addressing the supervisory authority directly.

C. The data subject has the right to revoke the consent to the processing of personal data, previously granted by the personal data administrator.


D. The data subject's rights are therefore: to exercise the right to rectify, to erase, to forget, to limit processing. Furthermore, the right to data portability which is technically or organisationally feasible.