Personal Data Protection

Data Protection Policy

Prague City Gallery, with its registered office at Staroměstské náměstí 605/13, 110 00 Prague 1, Business Identification No. (IČO) 00064416, an organization receiving contributions from the City of Prague (hereinafter referred to as “Prague City Gallery”), hereby declares that it processes all personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”), and, where the GDPR allows, Act No. 101/2000 Coll. on the Protection of Personal Data, as amended (hereinafter referred to as the “Act”).

The Data Protection Policy is subject to change and may be updated depending on further developments in data protection legislation.

Personal data is processed by Prague City Gallery only in cases of legitimate interest of the institution and in other cases determined by legal regulations.

Basic concepts

Personal data

Personal data is any information about an identified or identifiable natural person (data subject). An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier (name, surname, number, network identifier) or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories of personal data

This is personal data which may discriminate against a natural person in society, or which is indicative of racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, or processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health or sex life or sexual orientation of a natural person.

Data subject

The data subject is a natural person to whom the personal data relate and who is identifiable from his/her personal data or can be identified.

Personal data controller

The controller is a natural or legal person who determines the purposes and means of processing personal data and is primarily responsible for the processing. Unless otherwise specified in this Data Protection Policy or in the terms of a particular service, the controller of personal data is Prague City Gallery.

Personal data processor

A processor is a natural or legal person who, on the basis of instructions from the controller, processes personal data for the controller.

Processing of personal data

Processing is any operation or set of operations which are performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

The purpose and processing of personal data in Prague City Gallery

The controller processes the personal data of the data subject for the following purposes:

  • performance of contractual obligations (Article 6(1)(b) GDPR);
  • fulfilling legal obligations (Article 6(1)(c) GDPR) arising from Act No. 20/1987 Coll., on State Heritage Care; Act No. 122/2000 Coll., on the Protection of Museum Collections; Act No. 89/2012 Coll., Civil Code; Act No. 262/2006 Coll., Labor Code; Act No. 499/2004 Coll., on Archives and Records Management and on Amendments to Certain Acts; Act No. 563/1991 Coll., on Accounting; Act No. 586/1992 Coll., on Income Taxes; Act No. 235/2004 Coll., on Value Added Tax; Act No. 589/1992 Coll., on Social Security Contributions; and Act No. 592/1992 Coll., on General Health Insurance Contributions;
  • legitimate interests (Article 6(1)(f) GDPR), in particular the protection of property and direct marketing.

Sharing of personal data

In certain cases, Prague City Gallery is obliged to share the personal data of natural persons or to submit it to public authorities. However, this is done solely on the basis of the legal obligation that Prague City Gallery has towards its founder and other public authorities. Furthermore, Prague City Gallery uses personal data to send newsletters. In the case of participation of the data subject in events organized by Prague City Gallery, photographs taken at these events may be on social networks – Facebook: Galerie hlavního města Prahy, Start Up; Instagram – ghmp.cz; and on the official website of Prague City Gallery – www.ghmp.cz; and www.startup.ghmp.cz on the youtube channel – GHMP. Photographs and video recordings (video recordings from openings and accompanying events, photographs) can also be provided to the media partners of Prague City Gallery.

Technical and organizational measures to secure personal data

Prague City Gallery strives to keep the data entrusted to it as secure as possible. For this reason, a number of technical and organizational measures have been put in place to protect personal data from unlawful processing, loss or destruction.

Prague City Gallery respects the principle of minimization of personal data, i.e., it only processes necessary information or the information that is provided to Prague City Gallery with consent beyond what is strictly necessary.

In some cases, personal data is transferred to third parties. To maximize the protection of personal data, vetted partners are selected which are assured to adhere to at least the same level of data protection as Prague City Gallery.

When transferring personal data to public authorities, the most appropriate and secure options offered by the relevant authority are always used.

Period of processing of personal data

Personal data is collected, stored and otherwise processed for no longer than the period of time required by applicable law. Personal data collected by CCTV systems will be processed for a period of 14 days from the date of acquisition.

Rights of data subjects

The data subject has the following rights in relation to the processing of his/her personal data:

The right to erasure of personal data

The data subject has the right to request that the controller erase his/her personal data. However, since the data subject is obliged to provide the controller with his/her personal data in particular for the fulfilment of legal obligations, the right to erasure applies exclusively to the personal data that the controller does not need for the fulfilment of the purpose.

The right to restriction of processing

The data subject has the right to restrict the processing of personal data if:

  • the data subject contests the accuracy of his/her personal data for the time necessary to verify the accuracy of the personal data; the data subject does not seek the erasure of his/her personal data, but requests the restriction of its use;
  • the controller does not need the personal data, but the data subject requests it for the establishment, exercise or defense of his/her legal claims, or the data subject objects to the processing, pending verification that the controller’s legitimate interests override those of the data subject.

The controller shall inform the data subject in advance of the lifting of the restriction on processing.

The right to object to processing

If the controller processes the data subject’s personal data for the purposes of the legitimate interest of the controller or of a third party (Article 6(1)(f) GDPR), or for the performance of a task carried out in the public interest for which the controller is responsible (Article 6(1)(e) GDPR), the data subject shall have the right to object to such processing. If the data subject objects, the controller shall not continue the processing for the said purpose until it demonstrates that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject, or that it is acting for the establishment, exercise or defense of its legal claims. If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

The right to data portability

The data subject has the right to request that the controller of the data subject provide the personal data of the data subject that it manages or, where appropriate, to provide such personal data to a third party. The right only applies to personal data that the data subject has provided to the controller.

The right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint with a supervisory authority if he/she considers that the processing of his/her personal data infringes data protection legislation, in particular the GDPR. The supervisory authority in the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7. More information is available at www.uoou.cz.

Contact details for objecting to the processing of personal data, withdrawing consent to processing or requesting data transfer

The data subject may object to the processing of his/her personal data, withdraw his/her consent or change the scope of the processing at any time by any of the following means:

  • by e-mail ghmp@ghmp.cz
  • by sending a written notice to the following address: Galerie hl. m. Prahy, Staroměstské náměstí 605/13, 110 00 Praha 1.

Updates to the personal data protection policy

Our personal data protection policy is kept up-to-date and compliant with the law. Therefore, certain changes may occur. We therefore ask all visitors and partners of Prague City Gallery to pay due attention to this policy.

Data Protection Officer

Prague City Gallery has not appointed a Data Protection Officer (“DPO”) in accordance with the GDPR.