This Privacy Policy (the “Policy”) explains the scope, purposes and manner of personal data collection and processing by the International Association of Oil Transporters (Mezinárodní asociace přepravců ropy z.s.) (the “Association”), acting as a controller, when performing its respective activities.
More information
Term “GDPR” in this Policy means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
Identification and contact details of the controller:
Mezinárodní asociace přepravců ropy, z.s., Na Příkopě 859/22, 110 00 Prague 1, Czech Republic, registration number: 024 86 024, non-governmental and non-profit organization entered in the Commercial Register at the Municipal Court in Prague, Section L, File 26594,
email: iaotsecretariat@iaot.eu, web page: www.iaot.eu
The Association collects and processes personal data only for the purposes described herein and only to the extent appropriate and necessary for fulfilment of such purposes.
The Association stores the personal data only for as long as it is necessary for the performance of such purposes, or as it is otherwise legally obligated to do.
The Association greatly values the safety of personal data and has implemented appropriate technical and organizational measures in order to protect such data and to ensure a level of security appropriate to any relevant risks.
The first part of this Policy below provides structured details on the various manners and purposes of processing of personal data by the Association.
In the second part of this Policy further below, please note the information on third-country transfers of personal data (i.e. transfers of data to jurisdictions where legal protection of personal data is weaker or less enforceable), and the description of the rights of persons whose personal data are processed and how they can apply them vis-à-vis the Association or appropriate public authority.
This Policy was last updated on 1 July 2020. The Association continues to review its activities from the perspective of data protection, and may update this Policy in future if these activities change or are supplemented.
Data processing activities
The Association collects and processes your information for the following purposes (click on a specific purpose for detailed information on processing of personal data for such purpose):
Organisation of events and meetings
Brief description of the processing
The Association processes relevant personal data under this purpose as part of its activities relating to planning, organization and management of the meetings of Association members and observers, as well as any other promotional, educational and training events (e.g. to secure venue reservations, accommodation, transportation, relevant visa processes, etc.).
Whose personal data are being processed?
The data subjects are the current Association personnel, Association members’ personnel (current and past), Association observers’ personnel (current and past), other participants in Association events and, for the visa processes, parents of these individuals. For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of the processed personal data?
Processing includes:
- identification data (e.g. name and surname, date of birth, birth number, residency address, citizenship, signature),
- contact data (phone number, e-mail address),
- data connected with the employment (employer, company affiliation, position),
- other relevant data (credit card number, plane ticket number, passport information (number, place and date of issue, validity)).
What is the legal basis for the processing?
The processing is necessary for the purposes of legitimate interests pursued by the Association (Art. 6(1)(f) of the GDPR), in particular interest in:
- efficient and reliable planning, organisation and management of meetings of Association members and observers, as well as other promotional, educational and training events.
How are the personal data collected?
Personal data are collected directly from the data subjects or from the data subject’s organisation (an Association’s member or observer).
Who are the recipients / categories of recipients of the personal data (if any)?
Association members and observers, travel and accommodation agents, hotel management companies, public authorities (during visa application processes, etc.).
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose.
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
No, there is no such obligation to provide such data.
The refusal to provide such data could however result in the Association not being able to reach out and invite the data subject, keep him/her informed of all relevant updates, plan and monitor the level of participation, or help to facilitate its participation in any way needed (by booking its accommodation, transportation, managing their visa processes).
Relations with members and observers
Brief description of the processing
The Association processes relevant personal data under this purpose when managing relations between its members and observers, administrating membership and observer status registrations and contact information, as well as when promoting and facilitating communication and information exchange among the Association’s members and observers.
Whose personal data are being processed?
The data subjects are the Association’s staff and current, past and prospective representatives of the Association’s members and observers.
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname),
- contact data (phone number, e-mail address),
- data connected with the employment (employer / company affiliation / position).
What is the legal basis for the processing?
The legal bases for the processing are the legitimate interests of the Association (Art. 6(1)(f) of the GDPR), particularly interests in:
- efficient management of Association’s relations with its members and observers, administration of membership and observer status registrations, contact information, and
- promotion and facilitation of communication and information exchange among the Association’s members and observers.
How are the personal data collected?
Personal data are collected directly from the data subjects or from the data subject’s organisation (an Association’s member/observer).
Who are the recipients/categories of recipients of the personal data (if any)?
Association members, Association observers.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose, and for an additional period of maximum 2 years.
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
No, there exists no obligation to provide such data.
The refusal to provide such data could however mean that the Association would not be able to create the relevant communication platforms and facilitate interactions among its members and observers. Also, inability to process personal data would prevent efficient communication of the Association staff with individual members and observers and their representatives.
External communication & marketing
Brief description of the processing
The Association processes relevant personal data under this purpose as part of the Association’s PR, e.g. when promoting the Association, its activities and its members in the relevant fields (transportation and storage of oil and oil products on an international, regional and national level), etc.
Whose personal data are being processed?
The data subjects are the Association personnel (current and past), Association members’ and observers’ representatives (current and past), and other participants in Association’s events.
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname, basic professional experience and competences),
- data connected with the employment (employer / company affiliation / position),
- other data necessary for the external communication and marketing (photographs / videos).
What is the legal basis for the processing?
The legal basis for the processing is the legitimate interest of the Association (Art. 6(1)(f) of the GDPR), particularly interests in:
- promotion of the Association and increasing awareness of the activities of the Association and its members in the relevant fields (transportation and storage of oil and oil products on an international, regional and national level).
How are the personal data collected?
Personal data are collected directly from the data subjects.
Who are the recipients/categories of recipients of the personal data (if any)?
Media companies, PR agencies, Association members, Association observers.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose, and for an additional period of maximum 2 years.
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
No, there exists no obligation to provide such data.
The refusal to provide such data could however mean that the communication and marketing of the Association would be unauthentic, incomplete and significantly less efficient. Also, messages conveyed would not benefit from the degree of professionality and experience of the relevant persons delivering them.
Governance
Brief description of the purpose
The Association processes relevant personal data under this purpose when carrying out activities relating to administration and management of its internal corporate structure and governance (e.g. minute-taking, organising, preparing and adopting resolutions at meetings of its bodies and committees, appointing and removing members to its bodies, carrying out registrations and filings, etc.).
Whose personal data are being processed?
The data subjects are the Association´s representatives (current, past and prospective), Association committees’ participants (current, past and prospective), Association members’ representatives (current and past), Association observers’ representatives (current, past), Legal counsel representatives, and persons verifying the documents and signatures (Notary public).
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname, basic professional experience and competences, residency address, citizenship, signature),
- contact details (phone number, e-mail address),
- data connected with the employment (employer, company affiliation, position)
What is the legal basis for the processing?
Primarily, processing under this purpose is necessary for the Association’s compliance with its legal obligations arising to it under applicable law (Art. 6(1)(c) of the GDPR), mainly under:
- Act of Czech Republic No. 89/2012 Coll. Civil code, as amended.
Complementary processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) of the GDPR):
- Creation and practicable administration of Association´s internal structure for its efficient and practicable management and operation.
How are the personal data collected?
Personal data are collected directly from the data subjects or from the data subject’s organization (an Association’s member/observer).
Who are the recipients/categories of recipients of the personal data (if any)?
Public registries, Association members, Association observers, and the Czech legal counsel organising all submissions and registry updates.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose, and for an additional period of maximum 2 years.
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
In most situations there exists no statutory nor contractual obligation to provide such data.
The refusal to provide such data could, however result in unauthentic or incorrect documentation (e.g. anonymized minutes from meetings) which could create considerable obstacles in the efficient administration of the Association´s internal structure.
Employer’s duties
Brief description of the purpose
The Association processes relevant personal data under this purpose as part of its recruitment process, preparation and conclusion of employment contracts and subsequently when fulfilling its employer duties and obligations (e.g. payroll processes, etc.).
Whose personal data are being processed?
The data subjects are the Association´s employees (current, past and prospective).
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname, date of birth, birth number, basic professional experience and competences, passport information (number, place and date of issue, validity, signature),
- health data (basic medical information),
- contact details (residency address, citizenship, phone number, e-mail address),
- other relevant data connected with employment (bank account number, salary amount, presence/absence information, other payroll and mandatory tax and insurance duties information, may also include basic medical information).
What is the legal basis for the processing?
Primarily, processing under this purpose is necessary for the Association’s compliance with its legal obligations arising to it under applicable law (Art. 6(1)(c) of the GDPR), mainly under:
- Act of Czech Republic No. 262/2006 Coll., the Labour Code, as amended
- Act of Czech Republic No. 48/1997 Coll. on Public Health Insurance, as amended
- Act of Czech Republic No. 582/1991 Coll. on the organization and implementation of social security, as amended and
- Act of Czech Republic No. 280/2009 Coll., the Tax Code, as amended.
- Efficient and reliable recruitment process.
How are the personal data collected?
Personal data are collected directly from the data subjects.
Who are the recipients/categories of recipients of the personal data (if any)?
Public authorities (labour office, tax office, other), Social & health insurance company, Tax or accounting advisers.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose, or such longer additional period as may be required under applicable laws, e.g.:
- for tax purposes and health insurance purposes - maximum of 10 years after the date of their collection;
- for social insurance purposes - maximum of 6 years after the date of their collection;
- for employment purposes and pension insurance purposes - maximum of 30 years after the date of their collection.
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
When entering into an employment contract with the Association, the provision of personal data is necessary to enter into such contract. Its refusal would prevent the data subject to enter into his/her employment contract with the Association.
In the recruitment phase, the provision is voluntary. If the data subject refuses to provide such data, his or her application may be excluded.
Other compliance (IT, data protection, public enquiries)
Brief description of the purpose
Under this purpose, the Association processes relevant personal data as part of its compliance processes, mainly in the field of IT and data protection, and cooperation with public authorities as and when required.
Whose personal data are being processed?
The data subjects are the Association personnel, webpage visitors, data subjects making claims or requests under GDPR (if any), and the personnel from public authorities making enquiries (if any).
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname, ID card number),
- contact details (residency address, citizenship, phone number, e-mail address),
- data connected with employment (employer, company affiliation, position),
- other relevant data in the area of compliance (IP address, IP logs, any other personal data which may be subject-matter of a data subject´s claim or request (if any)).
What is the legal basis for the processing?
Primarily, processing under this purpose is necessary for the Association’s compliance with its legal obligations arising to it under applicable law (Art. 6(1)(c) of the GDPR), mainly under:
- the GDPR; and
- Act of Czech Republic No. 110/2019 Coll., on personal data processing, as amended.
Complementary processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) of the GDPR):
- IT compliance: Adequate administration and security of the Association’s IT infrastructure and systems,
- GDPR compliance: Efficient and compliant handling of personal data requests, claims and performance of other data subjects’ rights,
- Public enquiries: Compliance with enquiries of public authorities and efficient cooperation with public authorities.
How are the personal data collected?
Personal data are collected directly from the data subjects.
Who are the recipients/categories of recipients of the personal data (if any)?
Public authorities making enquiries, Professional advisers (IT support, legal counsel, tax or accounting advisers, etc.), Data subjects or other persons addressing the Association with claims or requests.
Personal data may, in exceptional circumstances, be provided to law enforcement authorities, relevant authorities in the field of administrative offences or, if necessary, to relevant insurance companies for their investigation of damage events and handling of claims.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose, or such longer additional period as may be required under applicable laws (as the case may be).
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
Most of the time there exists a statutory obligation to provide such data.
Where such provision is voluntary, the refusal to provide such data could result in the Association not being able to fully comply with applicable regulations and standards within the IT and GDPR compliance. Refusal to provide such data could also constitute an obstacle in complying with any requests by public authorities.
Management of suppliers
Brief description of the purpose
The Association processes relevant personal data under this purpose when administering and managing Association’s suppliers and their contracts, ordering goods and services from them, etc.
Whose personal data are being processed?
The data subjects are the Association personnel, the Association suppliers’ contact persons and other representatives.
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname),
- contact details (phone number, e-mail address),
- data connected with the employment (employer, company affiliation, position).
What is the legal basis for the processing?
The legal basis is the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) of the GDPR).
Complementary processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f) of the GDPR):
- Efficient administration and management of Associations’ suppliers and their contracts with the Association,
- Efficient procurement of goods and services by the Association.
How are the personal data collected?
The personal data are collected directly from the data subjects.
Who are the recipients/categories of recipients of the personal data (if any)?
There are no recipients outside of the Association.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored throughout the period of their use for the above purpose, and for an additional period until all claims are extinguished, or such longer additional period as may be required under applicable laws (e.g. as part of financial or accounting information).
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
The provision of personal data is in most cases necessary to conclude the relevant supply contract.
The refusal to provide such data would make the administration and management of Association’s suppliers and their contracts with the Association almost impossible, and at times would also prevent the supplier from concluding its contract.
Archive
Brief description of the purpose
Under this purpose, the Association processes relevant personal data when storing it in a secure storage as part of its archiving activities aimed to preserve and keep safe documents and other information containing personal data. These documents and information include e.g. contracts, communication, employment documentation, as well as Association’s corporate and governance documents and information (e.g. records from meetings, resolutions other relevant documentation).
Whose personal data are being processed?
The data subjects are Association´s personnel (current and past), Association members’ personnel (current and past), Association observers’ personnel (current and past), Association events´ participants, parents of the identified personnel and events´ participants (visa purposes), Association representatives (current, past and prospective), Association committees’ participants (current, past and prospective), Association members’ representatives (current and past), Association observers’ representatives (current, past), Association employee (current, past and prospective), Association suppliers’ contact persons and other representatives, legal counsel representatives, webpage visitors, data subjects making claims or requests under GDPR (if any), personnel from public authorities making enquiries (if any), and/or, persons verifying the documents and signatures (Notary public).
For avoidance of doubt, these persons are further referred to as “data subjects”, as also used by the GDPR.
What is the scope of personal data?
Processing includes:
- identification data (name and surname, date of birth, birth number, basic professional experience and competences, passport information (number, place and date of issue, validity),
- health data (basic medical information),
- contact details (residency address, citizenship, phone number, e-mail address),
- data related to employment (bank account number, salary amount presence/absence information, other payroll and mandatory tax and insurance duties information, signature), data related to compliance (IP address, IP logs, any other personal data which may be subject-matter of a data subject´s claim or request (if any))
What is the legal basis for the processing?
Primarily, processing under this purpose is necessary for the Association’s compliance with its legal obligations arising to it under applicable law (Art. 6(1)(c) of the GDPR), mainly under:
- relevant Acts of Czech Republic and European regulation (the GDPR) listed in descriptions of other purposes of processing which include archiving obligations.
Complementary processing is necessary for the purposes of the legitimate interest pursued by the controller (Art. 6(1)(f) of the GDPR):
- secure storage and preservation of relevant information.
How are the personal data collected?
The personal data are collected directly from the data subjects.
Who are the recipients/categories of recipients of the personal data (if any)?
There are no recipients outside of the Association.
What is the period for which the personal data will be processed and stored (retention period)?
Personal data are stored for a maximum period of 10 years from the transfer of the relevant document or information (containing such personal data) to the archive, or such longer period as may be required under applicable laws (e.g. employment laws on archiving employees’ files).
Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract? What if the data subject refuses to provide such data?
The data processed under the purpose of archiving have already been processed for other purposes (the implications from these purposes apply).
Information on transfers of personal data to third countries
A “third country” designation used in this Policy refers to a country which is not subject to the GDPR and has not adopted any local laws or similar regulation that would guarantee GDPR-equivalent protection of personal data.
Some of the Association members and observers reside in third countries and some of the events and meetings of Association members and observers take place in these third countries. Consequently, the Association is transferring certain personal data processed by it to such third countries.
More information
In particular, this occurs when the Association processes personal data for the purposes of Organisation of events and meetings, Relations with members and observers, External communication & marketing and Governance. Each of these processing activities is described in more detail in the previous part of this Policy. In these cases, personal data is either provided to the Association member(s) or observer(s) located in such third country (“third-country member” or “third-country observer”), or to another party or person other than Association’s members and observers related in some other way to the event (e.g. local hotel accommodating event participants, public authorities processing visa applications for event participants, media companies, PR agencies, etc.) (“other third-country recipient”).
All third-country members and third-country observers are bound by a specific contract executed by them and the Association which puts in place all appropriate safeguards to ensure that personal data transferred to such third-country members and third-country observers is secure and data subjects can enforce their rights in connection with processing of such personal data as if these members and observers were subject to the GDPR. Please contact us at iaotsecretariat@iaot.eu if you wish to obtain more information on such adopted safeguards or a copy of such contract between the Association and relevant members and observers.
The Association transfers personal data to other third-country recipients (see their description above) only if the relevant data subject (i.e. the person such personal data relates to) provided her/his consent to such transfer.
Data subject’s rights
Data subjects have the following rights in relation to the processing of personal data:
- right to request information about whether the Association is processing such personal data
- right to request a copy of such personal data processed by the Association
- right to rectification of personal data
- right to erasure of personal data (“right to be forgotten”)
- right to restriction of processing of personal data
- right to object to the processing of personal data
- right to transfer of personal data (i.e. their provision in a transferable format and their eventual transfer to a person designated by the data subject)
Further information on the rights mentioned above will be made available via email after sending a request to: iaotsecretariat@iaot.eu.
Guidance for data subjects on how to exercise their rights vis-à-vis the Association
Data subjects can exercise their rights towards the Association at any time electronically, by sending their request by email to: iaotsecretariat@iaot.eu.
In order to verify the identity of the data subject the Association may ask for the relevant identity document of the inquiring data subject. This is done in order to verify that the person exercising the rights of a data subject actually is or may act on behalf of such data subject.
Right to file an official complaint
If a data subject has any concerns about the Association’s use of his/her personal data, he/she can contact the Association by sending an email to: iaotsecretariat@iaot.eu
In addition to the above-mentioned rights, data subjects may also file a direct complaint regarding the Association’s processing and protection of personal data to the Office for Personal Data Protection of the Czech Republic (Úřad pro ochranu osobních údajů).
Contact details of this authority and further instructions for filing of such request are published on their web page at: https://www.uoou.cz.
Cookies information
Certain parts of the site www.iaot.eu may use “cookies”. These are small text files stored on the visitor’s computer. These files are generally used by the server, which can then identify the user who has visited the site. Cookies make it possible to monitor behaviour and afterwards, for example, improve offers to that particular visitor. Cookies are not programs that can damage the visitor’s computer. Most web browsers allow you to disable the use of cookies. Web pages requiring cookies may not always work correctly, however, if they are not accepted.