Information on processing of personal data by the attorney

Data Controller:

The data controller according to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") is Josef Weigl, attorney at law, Czech Bar Association No. 13471, with registered office at Nové Dvory 90, 262 03, ID: 70279636, email: josef.weigl(AND)lawyers-cz.com, data box ID: bawfwi7, tel. +420 774 402 002 (hereinafter referred to as the "Controller").

Personal data pursuant to Article 4(1) of the GDPR means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The Controller has not appointed a data protection officer.

The legal basis for processing personal data is as follows:

  • fulfilment of the Contract on Provision of Legal Services concluded between the Controller (attorney) and the data subject (hereinafter referred to as the "Agreement") and the implementation of measures taken before the conclusion of the Agreement at the request of the data subject, see Article 6(1)(b) of the GDPR, and/or
  • compliance with a legal obligation applicable to the Controller, see Article 6(1)(c) of the GDPR (e.g. anti-money laundering laws, income tax law, accounting law, appointment as a proxy ex offo),
  • legitimate interests of the Controller (enforcement of the Controller's rights based on the Agreement, defence of the Controller's rights in relation to the Agreement), see Article 6(1)(f) of the GDPR.              
  • protection of legitimate interest of third parties (clients) in accordance with regulations on advocacy (litigation between the data subject and the client, see Article 6(1)(f) of the GDPR.              

The Controller is obliged to process these personal data in accordance with legal regulations, especially Act No. 85/1996 Coll., on Advocacy, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended.

The Administrator, as an Attorney, is a obliged person pursuant to Act No. 253/2008 Coll., on certain measures against the legalization of proceeds from crime and the financing of terrorism, as amended (hereinafter referred to as the "AML"), and pursuant to AML, is obliged to implement measures pursuant to AML and other regulations, including, inter alia, identification and verification of the client. For this purpose, he is obliged to collect and store the client's personal data and make copies of documents submitted for identification and copies of documents obtained as part of the verification of the client.

The Controller processes personal data always based on at least one legal reason (title) mentioned above. In the case of processing personal data of statutory and other representatives of data subjects, the reason specified in last point above serves as this title.

When processing personal data that were not obtained from the data subject, the source of such data is a publicly available source, especially a public registry or a public list (e.g. commercial register, trade register, land registry).

The purpose of processing personal data is as follows:

  • provision of legal services according to the Agreement, and/or
  • provision of legal services on the bases of ex offo appointment, and/or
  • preparing a service offer by the Administrator based on the data subject's request, and/or
  • preparing a response by the Administrator to the data subject's inquiry, and/or
  • fulfilling the legal obligations of the Administrator (e.g. anti-money laudering, accounting and payroll obligations), and/or
  • enforcing the rights of the Administrator from the Agreement or in relation hereto, and/or
  • defending the rights of the Administrator in connection with the Agreement or in relation hereto,
  • protection of client's rights.

Processing of personal data does not involve automated decision-making or profiling.

Nature of processed personal data:

name, surname, date of birth, ID number, VAT number, permanent or other residence, registered office, marital status and family situation, financial situation, bank account No., correspondence address, telephone, email, and any other contact details, information on current/completed/threatening judicial/execution/administrative proceedings, information on criminal proceedings and criminal cases and other data that the client (data subject) communicates to the attorney 

In the case of fulfilling the Administrator's obligations under the AML and other regulations against the legalization of criminal activity, the name and surname, personal identification number, and if not assigned, the date of birth and gender, as well as the place of birth, permanent or other residence and citizenship; and in the case of a natural person doing business, also their business name, distinguishing addition or other designation, registered office and identification number of the person. If justified by the risk assessment pursuant to Section 21a of AML, in addition to the information specified in the previous sentence, other identification data may be obtained, such as in particular the telephone number, e-mail delivery address, employment or employer data.

The data subject is not obliged to provide their personal data to the Administrator, neither on a contractual nor a legal basis. However, providing personal data is a necessary requirement for the conclusion of the Agreement, and therefore, without providing them, the Agreement cannot be concluded.

Recipients of the personal data are:

  • public bodies (e.g. courts, executors, administrative bodies),
  • Czech Bar Association (Id. No.: 66000777, having its registered office at Národní 118/16, Nové Město, 110 00 Prague 1) as a supervisory body in case of fullfilment of the Administrator's obligations pursuant to AML and other anti-money laundering regulations,
  • Financial Analysis Office in case of fullfilment of the Administrator's obligations pursuant to AML and other anti-money laundering regulations,
  • providers of maintenance of the Controller's information systems,
  • other recipients as needed and/or instructed by the client.

Data processing period:

The Administrator processes personal data only for the time necessary for the relevant processing purposes and in any case in accordance with applicable legal regulations regulating permitted or required retention periods for personal data or limitation or preclusive periods for legal actions. This period is always the longest period that is relevant in the specific case.

If the Agreement is concluded, the Administrator will process personal data for the duration of the contractual relationship and until the expiration of all limitation and preclusive periods extended in case of the initiation of a dispute about the duration of the dispute, including the duration of proceedings on remedies, including extraordinary remedies and proceedings on constitutional complaints.

If the Agreement is not concluded, the Administrator will process personal data until the completion of negotiations about the Agreement.

Personal data processed by the Administrator for the purpose of preparing a response from the Administrator to a query from the data subject will be processed by the Administrator until the final resolution of the query.

Personal data processed for the fulfilment of obligations of the Administrator arising from special legal regulations will be processed by the Administrator for the period specified in these legal regulations.

The Administrator, as an obliged person, collects and stores personal data and documents on transactions related to the obligation of identification and control under the anti-money laundering regulations for 10 years after the transaction outside the business relationship or the termination of the business relationship. The 10-year period pursuant to the previous sentence begins on the first day of the calendar month following the calendar month in which the last transaction known to the Administrator, as an obliged person, was carried out.

Rights of data subjects (individuals whose data are processed):

  • the right to transparent information, communication, and procedures for exercising his rights, in an intelligible and easily accessible form,
  • the right to information about processed personal data, obtained from the data subject and otherwise not from the data subject,
  • the right to access personal data - the data subject has the right to obtain information from the controller about whether and to what extent and in what manner his data are processed,
  • the right to rectification - inaccurate or incomplete personal data shall be corrected or completed upon the data subject's request, based on information from other sources, and shall be regularly updated,
  • the right to erasure (right to be forgotten) - the data subject has the right to have their data erased upon request, if the exceptions to this right are not met,
  • the right to restriction of processing - the data subject has the right to restrict the processing of their data upon request, if the exceptions to this right are not met,
  • the right to be informed about rectification or erasure of personal data or restriction of processing,
  • the right to data portability - the controller does not process personal data in an automated manner, and therefore cannot and is not obliged to ensure this right, i) the right to object (to the processing of personal data),
  • the right to object (to the processing of personal data),
  • the right not to be subject to a decision based solely on automated processing, including profiling - the controller does not make such decisions or profiling,
  • the right to withdraw consent to the processing of their data at any time, if the processing is based on this consent and there is no other legal basis for their processing; consent must be voluntary, free (e.g. its granting must not be a condition for concluding a contract with the data subject) and if it is part of another document, such as a contract, it must be clearly distinguishable and understandable,
  • the right to lodge a complaint with the controller or the supervisory authority (Office for Personal Data Protection, contact details: Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, ID: 70837627, email address: This email address is being protected from spambots. You need JavaScript enabled to view it., data box ID: qkbaa2; or to file for judicial protection against the decision of the supervisory authority (submit an administrative lawsuit),
  • the right to receive notification from the controller without undue delay of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of individuals (data subjects).

The above-mentioned rights of data subjects are restricted/modified by exemptions under the relevant articles of the GDPR, in particular by legal professional privilege and provisions of other legal regulations.

More information about the rights of data subjects is available on the website of the Office for Personal Data Protection (https://www.uoou.gov.cz).   

A template for exercising the rights of data subjects will be sent to you at your request to the controller at its email address listed above.

Information on processing of personal data by the mediator

Data Controller:

The data controller according to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") is Veronika Weigl, registered mediator, listed in the list of mediators kept by the Ministry of Justice of the Czech Republic, Czech Bar Association No. 12322, with registered office at Nové Dvory 90, 262 03, ID: 70279636, email: veronika.weigl(AND)lawyers-cz.com, data box ID: dbjikcw, tel. +420 775 21 51 61 (hereinafter referred to as the "Controller").

Personal data pursuant to Article 4(1) of the GDPR means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The Controller has not appointed a data protection officer.

The legal basis for processing personal data is as follows:

  • fulfilment of the Mediation Agreement concluded between the Controller (mediator) and the data subject (hereinafter referred to as the "Agreement") and the implementation of measures taken before the conclusion of the Agreement at the request of the data subject, see Article 6(1)(b) of the GDPR, and/or
  • compliance with a legal obligation applicable to the Controller, see Article 6(1)(c) of the GDPR (e.g. income tax law, accounting law, regulations for the first meeting with the mediator by the court), and/or
  • legitimate interests of the Controller (enforcement of the Controller's rights in relation to her mediator activities towards the data subject, defence of the Controller's rights in relation to her mediator activities), see Article 6(1)(f) of the GDPR.              
  • The Controller is obliged to process these personal data in accordance with legal regulations, especially Act No. 202/2012 Coll., on Mediation, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended.

The Controller processes personal data always based on at least one legal reason (title) mentioned above. In the case of processing personal data of statutory and other representatives of data subjects, the reason specified in last point above serves as this title.

When processing personal data that were not obtained from the data subject, the source of such data is a publicly available source, especially a public registry or a public list (e.g. commercial register, trade register, land registry).

The purpose of processing personal data is as follows:

  • providing services of a registered mediator according to the Contract, and/or
  • conducting the first meeting with the mediator as ordered by the court, and/or
  • preparing a service offer by the Administrator based on the data subject's request, and/or
  • preparing a response by the Administrator to the data subject's inquiry, and/or
  • fulfilling the legal obligations of the Administrator (e.g. accounting and payroll obligations), and/or
  • enforcing the rights of the Administrator in connection with its mediator activities, and/or
  • defending the rights of the Administrator in connection with its mediator activities.

Processing of personal data does not involve automated decision-making or profiling.

Nature of processed personal data:

  • name, surname, date of birth, ID number, VAT number, residence, correspondence address, registered office, telephone, email, and any other contact details
  • additional information that the data subject provides to the Administrator

The data subject is not obliged to provide their personal data to the Administrator, neither on a contractual nor a legal basis. However, providing personal data is a necessary requirement for the conclusion of the Contract, and therefore, without providing them, the Contract cannot be concluded.

Recipients of the personal data are:

  • courts,
  • providers of maintenance of the Controller's information systems,
  • other recipients as needed and/or instructed by the data subject.

Data processing period:

The Administrator processes personal data only for the time necessary for the relevant processing purposes and in any case in accordance with applicable legal regulations regulating permitted or required retention periods for personal data or limitation or preclusive periods for legal actions. This period is always the longest period that is relevant in the specific case.

If a Contract is concluded, the Administrator will process personal data for the duration of the contractual relationship and until the expiration of all limitation and preclusive periods extended in case of the initiation of a dispute about the duration of the dispute, including the duration of proceedings on remedies, including extraordinary remedies and proceedings on constitutional complaints.

If a Contract is not concluded, the Administrator will process personal data until the completion of negotiations about the Contract.

Personal data processed by the Administrator for the purpose of preparing a response from the Administrator to a query from the data subject will be processed by the Administrator until the final resolution of the query.

Personal data processed for the fulfilment of obligations of the Administrator arising from special legal regulations will be processed by the Administrator for the period specified in these legal regulations.

Rights of data subjects (individuals whose data are processed):

  • the right to transparent information, communication, and procedures for exercising his rights, in an intelligible and easily accessible form,
  • the right to information about processed personal data, obtained from the data subject and otherwise not from the data subject,
  • the right to access personal data - the data subject has the right to obtain information from the controller about whether and to what extent and in what manner his data are processed,
  • the right to rectification - inaccurate or incomplete personal data shall be corrected or completed upon the data subject's request, based on information from other sources, and shall be regularly updated,
  • the right to erasure (right to be forgotten) - the data subject has the right to have their data erased upon request, if the exceptions to this right are not met,
  • the right to restriction of processing - the data subject has the right to restrict the processing of their data upon request, if the exceptions to this right are not met,
  • the right to be informed about rectification or erasure of personal data or restriction of processing,
  • the right to data portability - the controller does not process personal data in an automated manner, and therefore cannot and is not obliged to ensure this right, i) the right to object (to the processing of personal data),
  • the right to object (to the processing of personal data),
  • the right not to be subject to a decision based solely on automated processing, including profiling - the controller does not make such decisions or profiling,
  • the right to withdraw consent to the processing of their data at any time, if the processing is based on this consent and there is no other legal basis for their processing; consent must be voluntary, free (e.g. its granting must not be a condition for concluding a contract with the data subject) and if it is part of another document, such as a contract, it must be clearly distinguishable and understandable,
  • the right to lodge a complaint with the controller or the supervisory authority (Office for Personal Data Protection, contact details: Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, ID: 70837627, email address: This email address is being protected from spambots. You need JavaScript enabled to view it., data box ID: qkbaa2; or to file for judicial protection against the decision of the supervisory authority (submit an administrative lawsuit),
  • the right to receive notification from the controller without undue delay of a personal data breach if the breach is likely to result in a high risk to the rights and freedoms of individuals (data subjects).

The above-mentioned rights of data subjects are restricted/modified by exemptions under the relevant articles of the GDPR, in particular by legal professional privilege and provisions of other legal regulations.

More information about the rights of data subjects is available on the website of the Office for Personal Data Protection (https://www.uoou.gov.cz). 

A template for exercising the rights of data subjects will be sent to you at your request to the controller at its email address listed above.