Jan Nedvěd, M.A.
Business registration ID: 61301035
Registered office: Dušní 906/8, 110 00, Prague 1 – Old Town
Entrepreneur registered in the Trade Licensing Register at the Prague 1 Municipal
Authority E-mail: info@nedvedarchitekti.cz
Website: https://www.nedvedarchitekti.cz (hereinafter referred to as the “website“)

(hereinafter referred to as the “Controller“)

As part of its activities, it manages and processes the personal data of the subjects listed below. These personal data processing principles (hereinafter referred to as the “Principles“) inform data subjects about the circumstances of the processing of their personal data and about the rights they have in relation to this processing.

1. Data subjects, purposes, scope, duration and legal basis of processing

1.1 Person contacting the Controller

The Controller processes the personal data of persons who contact the Controller by email, telephone or via the contact form for the following purposes, to the following extent, on the following legal grounds and for the following periods:

Purpose: To respond to enquiries from the enquirer.
Scope of data: First name, surname, email address, telephone number.
Legal basis: Legitimate interest in providing a response.
Duration: As long as is necessary to respond to the enquiry.

1.2 Website visitors

The administrator processes cookies in relation to visitors to the website.

You can find out which specific cookies the Controller processes, for what purpose and for how long here.

2. Legal basis for processing

The controller processes personal data on the following legal grounds pursuant to Article 6(1) of the GDPR:

• Consent of the data subject – the data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Compliance with legal obligations – processing is necessary for compliance with a legal obligation to which the Controller is subject.
• Protection of vital interests – processing is necessary to protect the vital interests of the data subject or another natural person.
• Public interest – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
• Legitimate interest – processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

3. Voluntary provision of data

The data subject provides their personal data to the Controller voluntarily. Failure to provide personal data may affect the Controller’s ability to conclude a contract or provide the data subject with services that are based on the necessary knowledge of information about the data subject, including personal data.

4. Right to withdraw consent

If the processing of personal data is based on the consent of the data subject, the data subject may withdraw their consent to the processing at any time by sending an electronic message to info@nedvedarchitekti.cz or via the link provided in the commercial communication. The withdrawal of consent does not affect the processing of personal data carried out by the Controller on the basis of another legal title, in particular for the purpose of performing a contract, providing a service or processing that was based on consent until its withdrawal.

5. Personal data processors

Personal data processors:

• hosting service providers
• website software solution provider
• email service providers
• cloud storage providers
• accounting and invoicing service providers

Please note, however, that due to changes in the providers of certain services, it is not possible to list all current and future personal data processors by name. The above list of processors may therefore change over time.

The controller does not transfer personal data to a third country (outside the EU) or to an international organisation.

6. Method of processing personal data

The controller and, where applicable, its processors process personal data manually (in electronic form) and electronically by automated means.

7. Personal data security

The controller has taken appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular:

• securing the website using the encrypted HTTPS protocol
• restricting access to personal data to authorised persons only
• regular data backup
• contractual safeguarding of the obligations of personal data processors

The administrator continuously evaluates and updates the security measures taken.

8. Rights of data subjects

The data subject has the following rights:

a) Right of access to personal data

The data subject has the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed, and if so, has the right to access such personal data and the following information:

1. purposes of personal data processing;
2. categories of personal data concerned;
3. recipients or categories of recipients to whom personal data have been or will be disclosed
4. the planned period for which the personal data will be stored, or, if this cannot be determined, the criteria used to determine this period;
5. the existence of the right to request from the Controller the rectification or erasure of personal data concerning the data subject or the restriction of their processing, or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. all available information on the source of personal data, if not obtained from the data subject.

The data subject also has the right to request a copy of the personal data being processed from the Controller, provided that this does not adversely affect the rights and freedoms of other persons. The Controller may charge a reasonable fee based on administrative costs for further copies requested by the data subject. If the data subject submits the request in electronic form, the information shall be provided in a commonly used electronic form, unless the data subject requests otherwise.

b) Right to rectification

The data subject has the right to have the Controller correct inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

c) Right to erasure (right to be forgotten)

The data subject has the right to have the Controller erase personal data concerning the data subject without undue delay, and the Controller has the obligation to erase personal data without undue delay if any of the following reasons apply:

1. personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
3. the data subject raises legitimate objections to the processing of personal data;
4. personal data has been processed unlawfully;
5. personal data must be erased to comply with a legal obligation laid down in European Union or Czech Republic law;
6. personal data has been collected in connection with the provision of information society services on the basis of consent given by the child.

d) Right to restriction of processing

The data subject has the right to have the Controller restrict processing in any of the following cases:

1. the data subject disputes the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

e) Right to data portability

The data subject has the right to obtain personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another Controller without hindrance from the Controller, where:

1. processing is based on consent to the processing of personal data or involves the processing of personal data for the purposes of concluding and performing a contract with the data subject; and at the same time
2. processing is carried out automatically.

When exercising their right to data portability, data subjects have the right to have their personal data transferred directly from one controller to another, where technically feasible. The right to data portability shall not adversely affect the rights and freedoms of others.

f) Right to object

The data subject has the right to object to the processing of personal data. If the data subject raises a justified objection to processing for direct marketing or profiling purposes, personal data will no longer be processed for these purposes.

The objection will be assessed and the Data Controller will then inform you whether the objection has been upheld and the Data Controller will no longer process the data, or that the objection was not justified and processing will continue. Processing will be restricted until the objection is resolved.

g) Right not to be subject to automated decision-making

The data subject has the right not to be subject to any decision based solely on automated processing, including profiling (i.e. any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to the data subject), which produces legal effects concerning him or her or similarly significantly affects him or her. This right shall not apply if the automated decision is necessary for entering into or performing a contract between the data subject and the Controller or is based on the data subject’s explicit consent; in such cases, however, the data subject shall have the right to human intervention in the automated decision by the Controller, the right to express their opinion and the right to challenge the automated decision.

h) Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint against the processing of their personal data by the Controller with the supervisory authority, which for the Czech Republic is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7.

9. Final provisions

The controller has not appointed a data protection officer.

The administrator is entitled to unilaterally amend these principles of personal data protection and processing.

This Privacy Policy shall take effect on 20. 1. 2026.