1.      GENERAL PROVISIONS
1.1.        Subject of the Directive
This Directive regulates the rules and conditions of personal data processing as well as the procedures for their processing, storage and management by Montessori Institute Prague s.r.o., with its registered office at Prague 5, Košíře, Pod radnicí 152/3, Postal Code 150 00 (hereinafter referred to as the "Company"), including the rights of data subjects in accordance with Act No. 101/2000 Coll, on the protection of personal data, as amended (hereinafter referred to as the "Act"), and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/45/EC (General Data Protection Regulation; hereinafter referred to as the "GDPR").

1.2.        Scope of the Directive
This Directive is binding on all employees of the Company, as well as on other persons who are in a different employment relationship with the Company on the basis of agreements outside the employment relationship or any other legal relationship.

1.3.        Definition of basic terms
Personal data is any information that relates to a specific natural person (data subject), whether it is identification and contact data (e.g. name, surname, date of birth, address of residence, birth number, ID number/ID number, telephone number, e-mail), location data, descriptive data telling about human physiology (e.g. Height, weight, shoe size), information from photographs and CCTV footage, socio-demographic data (age, gender, marital status, education, occupation, income and expenditure, number of children) or data on behaviour and preferences.

A special category of personal data is certain personal data that are particularly risky in terms of possible interference with the guaranteed rights and freedoms of natural persons, such as data on health status, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data.

The data subject is any natural person whose personal data is processed.

Processing of personal data is any treatment of personal data, with or without the aid of automated processes, such as collection, recording, disclosure, storage, organisation, retrieval, alteration, use, dissemination, etc.

The controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data

A processor is a natural or legal person, public authority, agency or other body that processes personal data for the controller, if the controller authorises it to do so, and only to the extent and for the purposes specified by the controller; it is not excluded that one person may be both a controller (for example, in relation to its employees) and a processor (in relation to another controller).

The recipient is any entity to which the personal data are provided (it is not decisive whether directly by the controller or by a processor on the controller's instructions); in some cases, public authorities, which may obtain personal data in the context of a special investigation in accordance with the law, are not considered recipients. 

 

Consent of the data subject is a free, specific, informed and unambiguous expression of will by which the data subject gives his/her consent to the processing of his/her personal data by declaration or other manifest confirmation.

The supervisory authority in the Czech Republic under the GDPR is the Office for Personal Data Protection, based in Prague 7, Pplk. Sochor 27, Postal Code 170 00, telephone: +420 234 665 111, website: www.uoou.cz.

1.4.        Personal data processing principles
The GDPR as a whole is based on several general principles of processing and protection of personal data (mainly contained in Articles 5, 6, 25 and 32, as well as the principles of risk management and informational self-determination of data subjects). These principles are as follows:

The principle of lawfulness, fairness and transparency means that personal data must always be processed in a fair, lawful and transparent manner in relation to the data subject.

The principle of lawfulness requires that personal data be processed on the basis of legitimate grounds established by law (legal titles as defined in Article 6 of the GDPR), which are the necessity to comply with a legal obligation to which the controller is subject, the necessity for the performance of the controller's tasks carried out in the public interest or in the exercise of official authority, the necessity for the performance of a contract to which the data subject is a party or for the purpose of taking action at the request of the data subject prior to entering into a contract, the necessity for the purposes of legitimate interests or processing based on the data subject's consent.

The principle of transparency is linked to the fulfilment of information obligations towards the data subjects concerned as defined in Articles 12 to 14 of the GDPR.

The purpose limitation principle means that any processing of personal data must be in accordance with its lawful purpose. Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way that is incompatible with those purposes. A sufficiently specified purpose is, for example, "performance of a contract", "sending offers", "protection of legitimate interests - property of the controller" or "performance of a legal obligation". The purpose of the processing is expressly stated if it has been communicated to the data subjects. The legitimacy of the purpose means that the purpose of the processing is in accordance with the legal order as a whole, and therefore not only in accordance with the GDPR.

The data minimisation principle means that personal data may only be processed to the minimum extent, number of operations and number of records that are strictly necessary and required to fulfil the relevant processing purpose. Although this principle does not mean that there should be one and only one record, each controller must strive to ensure that personal data are not collected to an extent that exceeds the needs of the purpose, processed by redundant processes and operations, or reproduced in more records than necessary.

The principle of accuracy is reflected in the obligation to process only accurate, correct and up-to-date data. This means that at regular intervals (e.g. once every two years) personal data in the company's database should be updated, e.g. by asking employees to confirm the accuracy of their contact details or to correct them. The regularity of verifying the accuracy and updating personal data should be commensurate with the potential risk of harm.

The principle of limited storage means the obligation to keep personal data only for the time necessary to fulfil the purpose of the processing. This principle will be applied and fulfilled in the company's practice primarily by observing the prescribed archiving periods for documentation (financial, accounting, employee).

In particular, the principle of integrity and confidentiality is an obligation to ensure the secure processing of personal data. In assessing the appropriate level of security of the processing of personal data, account shall be taken in particular of the risks posed by the processing of personal data, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. Appropriate technical and organisational measures are mentioned quite briefly in Article 32 of the GDPR.

 

2.      BASIC INFORMATION ON THE PROCESSING OF PERSONAL DATA

2.1.        Records of processing activities

1. Controller and Contact Information
The controller, Montessori Institute Prague s.r.o., is based at Pod radnicí 152/3, Prague 5, 150 00, Czech Republic. It is represented by Miroslava Vlčková as Managing Director, registered under ID: 254 34 110.

2. Purpose and Legal Basis of Data Processing

Employees: Processed based on employment contracts to fulfill obligations under the Labour Code and Employment Act.
Customers/Clients: Processed for the legitimate interests of contract fulfillment.
Suppliers: Processed for legitimate interests in fulfilling supplier contracts.
Visitors and Third Parties: Processed for property protection purposes.
3. Types of Personal Data Collected

Employees: Name, contact details, employment details, financial and health status, criminal records, and CCTV footage.
Customers/Clients: Name, contact details, banking information, legal records, and CCTV footage.
Suppliers: Similar to customer data, including contact and legal information.
Visitors and Third Parties: Name and CCTV footage.
4. Data Sources
Information is obtained from data subjects, public sources, administrative authorities, and CCTV.

5. Data Recipients
Data may be shared with courts, administrative authorities, service agencies for camera and IT maintenance, and internationally with the Association Montessori Internationale (AMI) in the Netherlands.

6. Data Retention and Destruction
Data is kept according to statutory retention periods or for set durations, with irreversible deletion for:

Employees: Shredded after statutory periods.
Customers/Clients and Suppliers: Stored for 10 years.
Visitors: Deleted after 1 year or 3 weeks (CCTV).
7. Data Update Process
Data is updated through data subjects, public sources, and administrative bodies.

8. Records and Processing Systems
Data is managed in systems such as Google Drive, Mipstation, Schoology, Active Campaign, and FAPI billing.

9. Data Security
The organization implements encryption for client communications, irreversible deletion in databases, and physical security for paper records. Data systems are regularly tested for security.

10. Data Access and Confidentiality
Data access is limited to authorized employees with confidentiality obligations. Training is provided at hiring and annually.

11. International Data Transfer
Data is transferred and accessible abroad.

This summary covers the main aspects of the data processing table under GDPR compliance. Let me know if you need further details or a specific section expanded.

12. Security of Data Destruction
The organization ensures that personal data is irreversibly destroyed within its database systems. Data deletion is not merely deactivation; it involves complete and irreversible destruction.

13. Data Subject Rights
The company has established procedures allowing data subjects to exercise their rights concerning their personal data. Requests can be submitted electronically or on paper and are processed within statutory deadlines.

14. Information for Data Subjects
Authorized data subjects are informed about:

The scope and purpose of data processing,
Processing methods,
Potential data recipients.
This information is provided through internal regulations, the company's website, and contracts, and is available upon data subject requests.

15. Technical and Organizational Security Measures
To prevent unauthorized access, misuse, or accidental loss of personal data, the company enforces several measures:

IT systems use password protection, encrypted backups, and role-based access control.
Physical records are stored in lockable cabinets with limited access.
The premises are secured with locks.
Regular IT system testing ensures continued security.
16. International Data Transfer and Access
Personal data may be transferred or accessed from abroad to accommodate organizational operations. This is conducted in accordance with GDPR requirements, ensuring data security during transfers.

17. Employee Training and Confidentiality Obligations
Employees handling personal data undergo confidentiality training at the start of employment and annually. Confidentiality clauses are included in employment contracts, binding employees to protect personal data.

This concludes the structured information from the table regarding the GDPR-compliant processing of personal data by Montessori Institute Prague s.r.o. Let me know if any specific points need further expansion.

2.1.        Dealing with requests and complaints from data subjects

For the purposes of compliance with the GDPR, the controller is obliged to ensure the smooth exercise of the rights of data subjects, for example on its website or in paper form available at the Company's Secretariat.

Electronic applications. If the data subject makes a request in electronic form, the controller shall provide the information in the electronic form commonly used, unless the data subject requests otherwise. The controller is always obliged to verify the identity of the person who has made the electronic request so that the information does not reach unauthorised persons (the method and level of verification should be appropriate to the context, scope and sensitivity of the information requested). Verification may be done e.g. by telephone or SMS, but exceptionally personal identification of the applicant may be required.

Deadline. The information must be provided by the Administrator without undue delay and in any event within one (1) month of receipt of the request. The time limit may be extended by two (2) months in exceptional cases, of which the data subject must be informed by the controller within one (1) month of receipt of the request, together with the reasons for the extension.

Fee. In principle, the information is provided free of charge. Only where requests made by the data subject are manifestly unfounded or unreasonable may the controller either impose a reasonable fee or refuse to comply with the request. Manifest unreasonableness shall be documented by the controller. Abuse cannot be understood a priori as an exercise of the data subject's rights.

2.2.1.  Right of access
Access to personal data means the right of the data subject to obtain information (confirmation) from the controller as to whether or not his or her personal data are processed and, if they are processed, the data subject has the right to obtain such personal data and the following information:

•         the identity and contact details of the controller and his representative, if any;

•         the purposes for which the personal data are processed and the legal basis for the processing;

•         the categories of personal data concerned,

•         the legitimate interests of the controller or of a third party, where the processing is based on Article 6(1)(a)(i) of Directive 95/46/EC.

(f) GDPR (i.e. if the processing is necessary for the purposes of the legitimate interests of the controller or a third party);

•         the recipients or categories of recipients to whom the personal data have been or will be disclosed;

•         the intended period for which the personal data will be stored;

•         the existence of the right to request from the controller access to, rectification or erasure of, or restriction of processing of, personal data and the right to object to processing;

•         the existence of the right to lodge a complaint with the supervisory authority;

•         any available information about the source of the personal data, unless obtained from the data subject, i.e. whether the provision of personal data is a legal or contractual requirement;

•         the fact that automated decision-making, including profiling, takes place.

If the controller does not process any data about the natural person, it shall provide information that the personal data of the applicant are not subject to personal data processing by the controller.

If the controller intends to further process the personal data for a purpose other than the purpose for which they were collected, the controller shall provide the data subject with information about that other purpose prior to that further processing and the relevant additional information as described above.

2.2.2.                 Right to erasure
The right to erasure is an obligation for the controller to erase the personal data it processes about the applicant if at least one condition is met:

 

•         the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

•         the data subject withdraws consent and there is no further legal basis for the processing;

•         the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

•         personal data have been processed unlawfully;

•         personal data must be erased to comply with a legal obligation;

•         personal data has been collected in connection with the offer of information society services pursuant to Article 8(1) of the GDPR.

The above conditions do not apply if the processing of personal data is necessary:

a)      for the exercise of the right to freedom of expression and information;

b)      for compliance with a legal obligation requiring processing under EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c)      for reasons of public interest in the field of public health under the GDPR;

d)      for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes under the GDPR, where the right to erasure is likely to prevent or seriously jeopardise the achievement of the purposes of that processing

e)      for the establishment, exercise or defence of legal claims.

2.2.3.                 Right to portability
The right to data portability is the right of the data subject to obtain personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and to transmit those data to another controller where the processing of personal data is based on consent or on a contract and the processing is carried out electronically (cumulative conditions).

In exercising his or her right to data portability, the data subject applicant shall have the right to have personal data transmitted directly from one controller to another controller, where technically feasible.

This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

2.2.4.                 Right to rectification or completion
The data subject shall have the right to have inaccurate personal data concerning him or her rectified by the controller without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed. If the controller considers that the personal data processed are accurate, he shall inform the applicant thereof, stating the reasons.

2.2.5.                 Right to restriction of processing
The data subject shall have the right to have the controller restrict the processing in any of the following cases:

a)      the data subject denies the accuracy of the personal data for the period necessary to allow the controller to verify the accuracy of the personal data;

b)      the processing is unlawful and the data subject refuses the erasure of the personal data and requests instead a restriction on its use;

c)      the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

d)      the data subject has objected to the processing until it is verified that the legitimate grounds of the controller override those of the data subject.

Where the processing of personal data has been restricted, such personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or a Member State.

2.2.6.                 Right to object
If the processing is based on a legitimate interest of the controller or is carried out in the public interest or in the exercise of official authority, the data subject shall have the right to object to such processing at any time. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

The data subject also has the right to object to processing for direct marketing purposes, in which case the controller is obliged not to process the personal data concerned any further.

 

2.3.        Consents of data subjects to the processing of personal data
The processing of personal data may generally be carried out with the consent of the data subject. The request for consent must be specifically formulated and must be accompanied by information on the purpose and means of the processing of personal data, with whom the personal data will be shared, how it will be secured and what rights the data subject has in relation to his or her data.

Consent may be withdrawn at any time by the data subject. Consents must be recorded internally, and this recording must be systematic and transparent (indicating the period of time for which personal data are processed on the basis of consent).

The processing of personal data by the Company in accordance with this Directive is carried out without the use of the data subjects' consent to the processing of their personal data on the basis of other legal grounds, in particular as performance under contract and compliance with legal obligations.

2.4.        Security Incident Reporting
Any personal data breach shall be reported by the controller without undue delay and, where possible, within 72 hours after becoming aware of it, he or she shall report it to the supervisory authority, unless the infringement is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, the reasons for the delay shall be given at the same time.

The notification must include at least:

a)      a description of the nature of the personal data breach in question, including (if possible) the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;

b)      the name and contact details of a place where further information can be provided;

c)      a description of the likely consequences of a personal data breach;

d)      a description of the measures taken or proposed to be taken by the controller to address the personal data breach in question, including, where appropriate, measures to mitigate possible adverse effects.

The controller shall document all personal data breaches, specifying the facts relating to the breach, its effects and the corrective measures taken.

In the event that there are risks to the rights and freedoms of the data subjects concerned, the controller is obliged to notify these incidents to the data subjects without delay. In the notification, the controller shall describe, in clear and plain language, the nature of the personal data breach, including information on the action taken or proposed.

The obligation to notify the data subject shall not apply if any of the following conditions are met:

a)      the controller has put in place appropriate technical and organisational safeguards and those safeguards have been applied to the personal data affected by the personal data breach, in particular those which render the data incomprehensible to anyone not authorised to have access to it, such as encryption;

b)      the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to occur;

c)      it would require disproportionate effort - in such a case, data subjects must be informed in the same way by means of a public notice or similar measure.

3.      OTHER PROVISIONS

3.1.        Disclosure of personal data; transfer of personal data abroad
Personal data may be disclosed or communicated to the statutory body of the controller or persons authorised by the controller. In certain circumstances, in addition to the controller or authorised persons, personal data may be disclosed to law enforcement authorities (Police of the Czech Republic, public prosecutor's office), courts or other state or local government authorities dealing with offences on the basis of statutory rules, or to the controller's or data subject's insurance company in the case of the need to assert legal claims. Each transfer of data shall be instructed by the controller and a record shall be kept of each such transfer.

Any transfer of personal data subject to processing or intended for processing after transfer to a third country or international organisation may only take place if the controller complies with the conditions set out in Chapter V of the GDPR.

3.2.        Duty of confidentiality
The controller is obliged to maintain the confidentiality of personal data obtained from data subjects. The obligation of confidentiality shall cease if it is necessary for the performance of the tasks of law enforcement authorities in criminal proceedings, administrative and misdemeanour proceedings and in other legal matters. In such a case, the obligation of confidentiality shall cease only in relation to those authorities.

The controller may not use the personal data obtained for any purpose other than those set out in this Directive, nor may it disclose or make available to others, except in accordance with Article III, paragraph 3.1 of this Directive. The obligation of confidentiality also applies to other persons who, in the course of their activities, come into contact with personal data. The obligation of confidentiality shall continue after the termination of the controller's duties or after the termination of the employment relationship.

3.3.        Legal protection and liability
Any data subject has the right (without prejudice to any other administrative or judicial remedy) to lodge a complaint with the supervisory authority if he or she considers that the processing of his or her personal data infringes the GDPR.

Anyone who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to receive compensation from the controller or processor for the damage suffered.

The controller shall be liable for the damage caused by processing that violates the GDPR, unless it proves that it is not in any way responsible for the event that led to the damage.

3.4.        Final provisions
In other matters not addressed by this Directive, the relevant provisions of Act No. 101/2000 Coll., on the protection of personal data, as amended, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/45/EC (General Data Protection Regulation) and other legislation governing the protection of personal data shall apply.

The operator undertakes to make this directive demonstrably known to all persons concerned (in particular employees).

The original of this Directive shall be deposited with our internal server

This Directive shall enter into force and take effect on 1. 10.  2024.