Data processing notification for our contractors

Processing of personal data (and the role of controller)

One of the main objectives which the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation = GDPR) seeks is to achieve higher level of data subject´s protection and to give them possibility to obtain comprehensive information concerning processing of their personal data at any time, and, where appropriate, to defend themselves against incorrect and unjustified processing of their personal data (data subject´s right to acces to their personal data processed by the controller based on the principle of transparency). The contractors of the companies in HeidelbergCement Group belongs to the scope of data subjects concerned by their processing.

The companies in HeidelbergCement Group in the Czech Republic, that is to say

  • Českomoravský cement, a.s. (company seated at Mokrá 359, 664 04 Mokrá-Horákov, registered in the Commercial Register maintained by Regional Court in Brno (Krajský soud v Brně), Section B, Number 5528, ID No. (IČO): 26209578);
  • Českomoravský beton, a.s. (company seated at Beroun-Město 660, 266 01 Beroun, registered in the Commercial Register maintained by City Court in Prague (Městský soud v Praze), Section B, Number 7924, ID No. (IČO): 49551272);
  • Českomoravský štěrk, a.s. (company seated at Mokrá 359, 664 04 Mokrá-Horákov, registered in the Commercial Register maintained by Regional Court in Brno in Brno (Krajský soud v Brně), Section B, Number 2389, ID No. (IČO): 25502247);
  • TRANS-SERVIS spol. s r.o. (company seated at K cementárně 1261/25, Radotín, 153 00 Praha 5, registered in the Commercial Register maintained by City Court in Prague (Městský soud v Praze), Section C, Number 12356, ID No. (IČO): 46353097);
  • Global IT Center, s.r.o. (company seated at Škrobárenská 511/3, Trnitá, 617 00 Brno, registered in the Commercial Register maintained by Regional Court in Brno (Krajský soud v Brně), Section C, Number 99611, ID No. (IČO): 06025811);
  • DOBET, spol. s r.o. (company seated at Ostrožská Nová Ves, Nádražní 946, PSČ 68722, registered in the Commercial Register maintained by Regional Court in Brno (Krajský soud v Brně), Section C, Number 29062, ID No. (IČO): 25511602).

(hereinafter „Company“ or „Companies“) in the role of Controller/-s

have respect for privacy and data protection rights. The objective of this notification is to forward complete information on data processing to business partners, i. e. this is information on processing of personal data of contractors, either natural or legal persons, of Companies specified above. Only personal data of their employees as contact persons are concerned by processing in case of legal person due to the fact that legal person itself is not a data subject.   


The categories of personal data processed

Each Company process such personal data which are necessary for undertake and develop duly their business activities (it means first of all production, sale and distribution of construction materials, further concluding and performance of the contracts or providing services, particularly purchase of goods and services). Thus, the personal data processed for such business purposes are the data widely used in the course of trade. Personal data concerned are not only the personal data of contractual partners itself, if they are natural persons carrying on their business, but also personal data of their contact persons, i. e. their employees or authorised persons, which contractual partner communicated to the Company engaged in the business relationship (mainly if contractual partner has the status of legal person).

Each Company process personal data within the limits of the law if there are any obligations laid down by specific legislation or in the scope of their legitimate interest.

Processing includes in particular:

  • business name of the contractual partner, their name or surname where necessary (natural persons) or appropriate, ID No. (IČO), location of registered office or main place of business;
  • personal data concerning authorized persons in power of representation and contact persons, i. e. name, surname, eventually university degree, job position, telephone number, e-mail address, in case of electronic signature also IP address, envelope ID, etc.;
  • name of bank and number of bank account, if necessary to perform contractual relationship;
  • information concerning contractual relationship and its performance (information about collection and delivery of goods, payment of prices etc.);
  • further information that are necessary to assess the credibility of the business partner (e.g. information about a bankruptcy, information on whether the person is a subject to international trade sanctions, etc.).
  • photographs depicting violations of health and safety at work


Purposes of data processing

Company (Companies) process personal data of their contractual partners for the purpose of carrying out their business, primarily for sale and distribution of their products, goods and services, purchase of goods and services, concluding of the contracts with customers or suppliers and performance of contractual obligations. Provision of personal data for that purpose is entirely voluntary, but indispensable for conclusion and performance of specific contract. For the purpose performance of contractual obligations Company (Companies) process also personal data of certain contact persons of their business partners, i.e. their employees or persons in charge to act on their behalf in the course of trade (in particular persons authorized to takeover of goods or services or to order them).

Company (Companies) further process personal data for the purposes of their legitimate interests, for example for monitoring payment behavior of their customers.

Another purpose of data processing could be eventually marketing. In such case Company (Companies) process personal data mostly on basis of previous explicit consent of data subject concerned (e.g. for taking photos), except for having another legal title for that processing.


Legal basis of processing

All business activities containing data processing are carried out exclusively based on at least one of the legal titles as follows:

  • for compliance with a legal obligation [Art. 6 (1) (c) GDPR];
  • for performance of the contracts [Art. 6 (1) (b) GDPR];
  • for the purposes of the legitimate interests pursued by the Controller [Art. 6 (1) (f) GDPR], eventually
  • based on previous freely given consent to processing personal data given by data subject which may be withdrawn at any time, either in writing or by e-mail (contact details see below) [Art. 6 (1) (a) GDPR].


Sources of personal data collection and subsequent transmission of the data obtained (and the role of processor)

Personal data are obtained for above mentioned purposes directly from business partners in the course of trade or from publicly available sources such as public registers (e.g. Commercial Register, Trade Register or Insolvency Register) and other databases (e.g. Land Register) or websites.

While processing personal data transmission of them in certain situation is needed. Where necessary, Company transfers personal data in minimum extent to their duly appointed Processor, based on contract for the provision of services and amending written data processing agreement entitled to realize specific processing of personal data.

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients within the meaning of GDPR.In specific cases, the Company may obtain personal data from its suppliers (e.g. Bisnode Česká republika, a.s. and CRIF - Czech Credit Bureau, a. s.). You can read their privacy policy here: and


Period of data processing and safety policy

Company (Companies) process personal data for the entire duration of contractual relations and until such time as all obligations arising under this contract - or related with - have been met. Personal data concerned are stored for a period of time which is necessary for protection of legitimate interests of Company in question. Where processing is based on the consent, the period of processing is governed by this consent given by data subject in question (free given and informed consent).

Companies adopted internal rules for processing of personal data and their employees who works with the data was duly informed about these rules. High level of IT security is also ensured.


Your rights

Respect to privacy, lawfulness of data processing and proper protection of personal data forms an integral part of internal policies of all above mentioned Companies. In relation to processing of their personal data all the data subjects enjoys the rights conferred as follows:

  • to have access to his/her personal data – to obtain from Company which is the Controller confirmation as to whether or not the data concerning him/her being processed (the identity and the contact details of the Controller and, where applicable, of the Controller's representative or Data Protection Officer, the categories of personal data concerned where personal data have not been obtained directly from the data subject, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, the period for which the personal data will be stored, the recipients or categories of recipients of the personal data, if any, including the Controller intends to transfer personal data to a recipient in a third country or international organization);
  • to withdraw the consent – consent to the processing of personal data could be partially or fully withdrawn at any time with future effect (it shall be as easy to withdraw as to give consent);
  • to contest the accuracy of his/her personal data -  personal data should be corrected if they are processed incompletely or inaccurately (restriction of the processing is needed temporarily until Company as the Controller is able to verify all personal data concerned);
  • to erasure his/her personal data (i.e. to be „forgotten“) – where the processing is found out unlawful, data subject is entitled to object to further processing of personal data concerned and Company is obliged to delete it;
  • to transmit his/her personal data to another controller – based on request of data subject Company is obliged to transmit personal data which was obtained directly from him/her in a structured, commonly used and machine-readable format to another Controller;
  • to lodge a complaint with a supervisory authority (The Office for Personal Data Protection) – if data subject considers that processing of personal data relating to him/her infringes GDPR and his/her rights.


Contact details

If you have any questions regarding this information or if you wish to contact any of the Companies referred above in connection with processing your personal data, whether you merely want to ask or exercise any of your rights, please, do not hesitate to use this e-mail address: