FAQ

Information on the processing of personal data

Who is the controller and processor of personal data?

The joint administrator of personal data is the transport organizers, i.e. ROPID (Rytířská 10, 110 00 Prague 1, IČ: 60437359) and IDSK (Rytířská 10, 110 00, Praha 1, IČ: 5792291). The processor of personal data is the company Operátor ICT as (Dělnická 213/12, 170 00, Praha 7, IČ: 02795281) and individual carriers involved in the PID system (their current list is available at www.ropid.cz). For bank card data, the certified company Monet, as is under the PCI-DSS processor (Za Dvorem 505, 763 14, Zlín - Štípa).

How can I contact the Data Protection Officer?

E-mail: dpo-oict@operatorict.cz

By post: Office of the Data Protection Commissioner (DPO) The operator of ICT, a.s. Dělnická 213/12 170 00 Prague 7

What personal data do you process?

We attempt to keep only the necessary personal data about you, therefore we obtain personal data gradually and according to the conditions of the services you use with us. For a portable fare you need only your e-mail address (to secure your online account) and the number of the medium of your choice. For the purchase of a non-transferable fare, according to the requirements of the Tariff, the following is also required: name(s) and surname, date of birth, photograph in document quality (if it is not already printed on the chosen medium). To apply for discounts according to the Tariff, an appropriate confirmation of the right to the discount is required (ISIC card number, confirmation of material need, etc.) Optional personal details are title and telephone number. In the case of paper applications, a signature is required. The operation of the system may generate additional data about you; the data is referred to as dynamic personal data. Dynamic personal data is created in several situations: when using an identifier for inspection in traffic (approximate time and place of the inspection), when performing a traffic check (approximate time and place), when purchasing a fare (payment data), when entering a request at the Infoline, counter, etc. (other contact details), by logging in to the account (IP address, cookies), adding an identifier to the account (identifier numbers), these data are essential for the operation and functionality of the system and can be used only in: resolving complaints requiring evaluation of operational data, suspicions or solving the misuse of an identifier or coupon (anti-fraud), requests for handover of all OU under the GDPR regulation or suspension of processing, the requirement of law enforcement agencies and other authorized state institutions, solving unpredictable technical defects of MOS or OZ, for generating statistical and survey data from anonymized static and dynamic OÚ, while protecting the legal claims of the inspector and the customer MOS.

Is my personal information secure?

The security of your data is our number one priority. The security settings of the entire system are in accordance with all laws, including the new GDPR regulation. Bank card information is stored in a secure environment that is subject to the most stringent PCI DSS requirements.

What are the main principles of data protection?

Legality, correctness, transparency - the controller must process personal data on the basis of at least one legal reason and transparently vis-à-vis the data subject; purpose limitation - personal data must be collected for specific and legitimate purposes and not processed in an incompatible manner with those purposes; data minimization - personal data must be proportionate and relevant to the purpose for which they are processed; accuracy - personal data must be accurate; storage restrictions - personal data should be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; integrity and confidentiality - technical and organizational security of personal data.

On what basis do you process personal data and for what purpose?

We process your personal data on the basis of Art. 6 par. 1 of the letter b) GDPR - processing is necessary for the performance of a contract, to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. We process your personal data for the purpose of operating a multi-channel transport inspection system for Prague and the Central Bohemian Region, in accordance with the requirements of the Tariff and Transport Conditions. There is no transfer of personal data to other countries. Your personal data will be anonymized 4 years after the end of the contract - cancellation of the account in MOS.

What are my personal data rights?

The data subject has the right to be informed about the processing of its personal data. This means the right to certain information about the processing of his personal data so that, in particular, the principle of transparency of processing is fulfilled. It is mainly information about the purpose of processing, the identity of the controller, his legitimate interests, the recipients of personal data. In this case, it is a passive right, as the activity must be carried out against the data subject by the controller in order to provide the required information set out in the general regulation of the data subject, i.e. made available. The full list of information provided by the controller, when collecting personal data, can be found in Articles 13 and 14 of the General Regulation. The General Regulation formally distinguishes between the provision of information in the event that personal data are obtained from the data subject, i.e. are not obtained from the data subject. The right to information is equivalent to the right to information on processing stipulated in § 8 of the current Act no. no. 110/2019 Coll., on the protection of personal data. Other rights of the data subject, which are often based on the activity (request) of the data subject, include: the right to access personal data, the right to rectification, i.e. additions, the right to deletion, the right to restrict processing, the right to data portability, the right to object, the right not to be the subject of automated individual decision-making with legal or similar effects, including profiling.