Information for personal data subjects

Information from the Controller for personal data subjects regarding the processing of personal data obtained from personal data subjects in order to fulfil contractual and statutory obligations

according to Article 12 of Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016,

the General Data Protection Regulation (hereinafter referred to as the “Regulation”), maintained by the subject:


2MAD s.r.o., Company Number 07160135, having its registered office at Vosmíkových 1683/15, 180 00 Praha 8 – Libeň, entered in the Commercial Register maintained at the Metropolitan Court in Prague, file C 295131, managing directors Ing. arch. Jiří Müller and Ing. Pavel Nechanický, contact e-mail: (hereinafter referred to as the” Controller”)

The Controller provides you with the following information in accordance with the Regulation.

1. Contact details to data protection officer

The Controller did not appoint a data protection officer, since the Controller is under no obligation to do so.

2. Description of the categories of data subjects which the Controller processes about you, categories of personal data, and the purposes of their processing

Categories of personal data which the Controller processes about you when fulfilling contractual and statutory obligations:

  • The data required for accounting, namely first name and surname or trade name, date of birth or Company Number, where appropriate Taxpayer Identification Number, place of residence, or registered office.

  • The data required to perform the contract entered into with you, the scope of which the Controller will inform you off at the beginning of or in the course of the provision of the service provided (personal data subject).

The purpose of personal data processing: performance of the contract, accounting, and fulfilment of the statutory obligations of the Controller within the bounds of its business activity as an architectural/engineering/construction company. The Controller informs the client (personal data subject) that the provision of personal data is entirely voluntary; however, without the provision of personal data to the required extent and of the required accuracy, it is not possible to provide the service in the required quality, or at all.

The legal basis of personal data processing: fulfilling the obligations accepted in the contract entered into with the data subject and fulfilment of the obligations laid down by law.

3. Description of categories of recipients to whom your personal data may be disclosed or transferred, including third-country recipients or international organisations

If required for the fulfilment of contractual and statutory obligations, all personal data may be provided:

  1. to the Controller’s employees and subcontractors, who are bound to confidentiality to the same extent as the Controller;

  2. to public authorities that decide on the rights and obligations of the data subject;

  3. to third parties, if required for the performance of the contract entered into with the data subject, this to the required extent;

  4. to the providers of delivery services;

  5. to the providers of accounting services.

All those specified under letters a), d), and e) cooperate with the Controller based on a contractual relationship and are under obligation to ensure the protection of personal data under that contractual relationship.

Personal data shall not be provided to third-country recipients or international organisations unless the nature of the service requires as such. Should the nature of the service require, the Controller shall agree specific measures for the protection of personal data with the client.

4. Information about your rights

  1. The Controller shall provide you, on request, with information about measures taken according to Article 15 through 22 of the Regulation, and shall do so without undue delay, in all cases within one month of receiving the request to do so.

  2. In particular, you have the right to request of the Controller access to the personal data that it processes about you, to their rectification in the case of inaccuracy, to their erasure (the right to be forgotten), to the restriction of processing, and to lodge an objection to processing – therefore, to lodge an objection to personal data processing at any time, without you being required to give a reason. In particular, you have the right to receive confirmation from the Controller as to whether the personal data which concern you are or are not being processed. The rights specified are exercised by delivering a letter or an e-mail to the Controller’s address, as specified above. As far as personal data obtained for the fulfilment of statutory and contractual obligations are concerned, the Controller points out that it is not possible to, or it is difficult to, provide the service that you have requested unless you provide it with contact data.

  3. You may receive the personal data which concern you and which you have provided to the Controller in structured, commonly-used, and machine-readable format, and have the right to transfer those data to another controller without the Controller obstructing you from doing do. The rights specified are exercised by delivering a letter or an e-mail to the Controller’s address, as specified above.

  4. You may lodge a complaint against the approach of the Controller with the supervisory authority.

  5. The Controller does not undertake any automated decision-making, or profiling.

5. Information on planned time limits for the erasure of individual categories of personal data

Your personal data, processed in line with statutory and contractual obligations, will invariably be erased without undue delay after the passing of the period of time, laid down by the law and professional rules, for which the Controller is under obligation to retain those data (in particular, the time limit for archiving accounting documents and files).

6. Description of technical and organisational measures which the Controller has taken to protect your personal data

1. Protection from unauthorised access to personal data

                The Controller has secured access to recording equipment and to documentary records primarily as follows: recording equipment and documentary records are located in a lockable room at the Controller. Only authorised persons have access to the room. Other persons only have access to the room in the accompaniment of authorised persons. Software access to recording equipment is protected by username and password.

2. Protection against unauthorised reading, copying, transfer, modification, and erasure of personal data

                Access to personal data is protected by a username and password. Authorised persons undergo training, whereby each further training session is recorded in writing. Regular inspections are also carried out of the system settings and of adherence to the Controller’s internal regulations.

3. Protection against outside attack

                The Controller’s system is connected to the Internet. Measures have been taken against attack from the outside network in the form of firewall protection, securing with username and password, and the measures of the web-hosting service provider. The Controller also regularly checks of the system by the Controller of authorised persons.

4. Protection against unauthorised use of access data (negligence)

                Passwords to the Controller’s system are regularly changed.

5. Protection against ignorance

                All authorised persons have been properly instructed and are regularly trained. Instruction and training primarily consists of informing those persons of the functionality of the Controller’s system, of recording equipment, and of software (including updates), and of the rights and obligations involved in processing personal data according to the Regulation.