General
- The controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “GDPR”) is Česká podnikatelská rada pro udržitelný rozvoj, z.s., ID No.: 22613081 (hereinafter referred to as the “Controller”). The Controller’s identity and contact information are as follows:
Czech Business Council for Sustainable Development (Czech BCSD)
Česká podnikatelská rada pro udržitelný rozvoj, z.s.
Address: Želetavská 1525/1, 140 00 Praha 4
E-mail: duchanova@cbcsd.cz
Phone: +420 602 525 836
- Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- The controller has not appointed a data protection officer.
Sources and categories of personal data processed
- The controller processes the personal data you have provided to it and/or personal data that the controller has obtained in connection with your participation in the controller’s activities (in particular, registration, participation in events, membership, or communication with the controller).
- The controller processes your identification and contact information, as well as the data necessary for the performance of the contractual relationship (e.g., membership, participation in events, or collaboration).
- The controller may also process your identification and contact information (limited to academic title, first name, last name, phone number, email address, and audiovisual recordings) that was not obtained directly from you, provided that the controller has a legitimate interest in doing so, particularly in connection with the organization of marketing and public events.
Legal basis and purpose of personal data processing
- The legal basis for the processing of personal data is
  - performance of the contract between you and the controller pursuant to Article 6(1)(b) of the GDPR,
  - the controller’s legitimate interest in providing information about the controller’s activities (in particular for sending informational messages, newsletters, and information about the controller’s activities) pursuant to Article 6(1)(f) of the GDPR,
  - your consent to the processing of your personal data for the purposes of direct marketing (in particular for sending informational messages and newsletters) pursuant to Article 6(1)(a) of the GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll., on Certain Information Society Services, in the event that no other contractual relationship has been established with the controller.
- The purpose of processing personal data is
  - organizing and facilitating the controller’s activities, in particular registration for and participation in events, and managing membership or other contractual relationships between you and the controller; providing personal data is a necessary requirement for carrying out these activities, and without it, these services cannot be provided,
  - informing members, event participants, and other collaborators,
  - sending out informational messages, newsletters, and information about the controller’s activities, as well as the controller’s communication and promotional activities.
- The controller does not engage in automated individual decision-making within the meaning of Article 22 of the GDPR.
Data retention period
- The controller retains personal data
  - for the period necessary to exercise the rights and fulfill the obligations arising from the contractual relationship between you and the controller and to assert claims arising from such contractual relationships (for a period of 5 years following the termination of the contractual relationship),
  - for as long as consent to the processing of personal data remains in effect, up to a maximum of 5 years, if personal data is processed on the basis of consent; after this period expires, the data may continue to be processed only if you have provided new consent,
  - for projects funded by the European Union, this period lasts for 10 years following the year in which the project is completed,
  - for a period of 10 years or more in connection with the fulfillment of legal obligations to retain such personal data (personal data on invoices, personal data on pay stubs, etc.).
- Once the retention period for personal data has expired, the controller will delete the personal data.
Recipients of personal data (the controller’s subcontractors)
- The controller does not intend to transfer personal data to a third country (a country outside the EU) or to an international organization.
- The recipients of personal data include, in particular:
  - the controller’s staff
  - service providers offering:
    - data management and maintenance
    - IT services
    - accounting and tax services
  - other collaborators, such as instructors, consultants, or partners involved in the implementation of the controller’s activities
- Processing of personal data with the data subject’s consent: The processing of personal data that is not required by law may only be carried out with the data subject’s consent. Whether to provide such consent is entirely up to the data subject.
Your rights
- Under the terms set forth in the GDPR, you have
  - the right to rectification of personal data under Article 16 of the GDPR, or the right to restriction of processing under Article 18 of the GDPR
  - the right to erasure of personal data under Article 17 of the GDPR
  - the right to object to processing under Article 21 of the GDPR
  - the right to data portability under Article 20 of the GDPR
  - the right to withdraw consent to processing in writing or electronically to the address or email of the controller specified in Article I of these Terms and Conditions
- You also have the right to file a complaint with the Office for Personal Data Protection if you believe that your right to personal data protection has been violated.
Privacy Policy
- The controller declares that it has taken all appropriate technical and organizational measures to protect personal data.
- The controller has implemented technical measures to secure data storage systems and physical storage of personal data, in particular through the use of passwords and antivirus software.
- The controller declares that only persons authorized by it have access to personal data.
Final
- By submitting the registration form, signing up for an event, subscribing to the newsletter, or communicating with the data controller in any other way, you confirm that you have read and acknowledge the privacy policy.
- The controller is entitled to modify or update these privacy terms as appropriate. The current version will always be published on the controller’s website.
- The data subject has the right to file a complaint against the controller with the supervisory authority—the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7 (the Office’s website: uoou.cz).
These terms and conditions take effect on April 5, 2026.