The protection of personal data is of key importance to the Supreme Audit Office (hereinafter “SAO”). This website provides information regarding why, when, and how the SAO processes personal data. You can also find contact information in case you have questions about processing your personal data or wish to have your personal data corrected.
We are committed to taking all measures to prevent misuse of personal data provided to us. We will process personal data only when there is a legal title for processing personal data. We strive to keep personal data as safe as possible. For that purpose, we have introduced a number of technical and organizational measures to protect personal data from unauthorized or unlawful processing and from unintentional loss, destruction, and/or damage.
The SAO is the body for independent auditing of public funds (learn more here https://www.nku.cz/en/about-us/status-and-powers/); from the viewpoint of personal data protection, it is the personal data controller and it processes personal data in accordance with the European Union law, i.e., Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred to as "GDPR") and the applicable law of the Czech Republic.
Auditing activities of the SAO and lawfulness of personal data processing
The SAO is empowered by Art. 97 of the Constitution of the Czech Republic and by Act no. 166/1993 Coll., on the Supreme Audit Office, as amended, to carry out audits (https://www.nku.cz/en/audit/).
If personal data of a natural person are processed during the audit activities, the legal title for such processing is primarily the fulfillment of tasks performed in the public interest or in the exercise of public authority in compliance with Art. 6(1)(e) of the GDPR.
If the performance of auditing or other activities (e.g., operational activity) of the SAO is subject to a legal obligation within which the SAO is required to process certain personal data, the legal title for this processing is the fulfillment of the legal obligation under Art. 6(1)(c) of the GDPR.
Other legal titles used by the SAO, mainly for its own operational matters, are its legitimate interest and the consent of data subjects to the processing of personal data relating to them (for further details about processing titles see https://eur-lex.europa.eu/legal-content/CS/TXT/PDF/?uri=CELEX:32016R0679&from=CS).
Data subjects and their rights
As regards the data subjects, the SAO has the obligation to provide, in a brief, transparent, comprehensible and easily accessible manner, all the information the subjects are entitled to, regardless of whether obtained directly from a data subject or from another source. A data subject has the right to request access to personal data relating to him or her, the right to have these data corrected, and other rights under the GDPR.
However, some rights of the data subjects may be restricted due to other provisions of the GDPR or of the laws of the Czech Republic, e.g., compliance with the statutory obligation of confidentiality applicable to the SAO, which excludes the obligation to inform the data subject under Article 14(5)(d) of the GDPR.
The SAO provides information and all communications to the data subjects within the stipulated deadlines and free of charge. However, if the requests made by the data subject are evidently unfounded or inadequate, mainly because they are recurring, the SAO may impose a reasonable fee to cover the administrative costs incurred in providing the requested information or communication or in carrying out the required actions, or it may refuse to respond to the requests altogether.
If the data subject considers that the processing of personal data relating to him or her is in violation of the GDPR, the data subject has the right to lodge a complaint with the Data Protection Authority under Article 77 of the GDPR, or with the courts of the Czech Republic under Article 79 of the GDPR.
Scope of personal data processing
The SAO processes only data that are strictly necessary for the performance of its activities and have been obtained in accordance with the GDPR. These personal data are collected and processed by the SAO in accordance with the applicable legal title, only for the specified purpose, to the necessary extent, for a period no longer than necessary, and in a manner that ensures adequate security of such data.
Essential purposes of personal data processing
The SAO processes personal data of natural persons most commonly for the following purposes:
- collecting personal data of natural persons when performing audit activities that the SAO is empowered to perform in the exercise of public authority;
- keeping personnel records of employees for the purpose of fulfilling labour-law relations under the Labour Code and other regulations within the framework of the performance of contractual obligations;
- collecting personal data of employees in order to fulfill the SAO's obligations under the health and social insurance laws and tax laws as part of the SAO's statutory obligations;
- networking and access to networks for the SAO's employees and members of the management;
- SAO's other operational activities;
- keeping records of applicants for information as required by the law (e.g., Act no. 106/1999 Coll., on free access to information, as amended) and public notifiers (see below);
- keeping records of foreign natural persons within the framework of the SAO's international cooperation, e.g., organizing professional seminars or congresses.
Most common categories of personal data
The SAO most commonly processes the following categories of personal data:
- personal identification data, especially title, first name, surname, date of birth, identity card number, and/or personal identification number;
- address/contact personal data, especially permanent or temporary residence address, delivery or another contact address, telephone number, and/or email address;
- other descriptive personal data, such as job title, bank account number, marital status, completion of military service, existence of a lustration certificate, and other personal data arising from a particular contract or by operation of law.
Personal data sources
If the audited entities are natural persons, they are the source of personal data.
Significant sources of personal data are employees who provide the SAO, as their employer, with personal data relating to them in order to fulfill their contractual obligations (in particular those under the Labour Code), statutory obligations (in particular those under tax laws and social and health insurance laws) and in order to carry out their legitimate interests, such as those of a property owner, corporate fleet vehicle owner, or IT equipment owner.
Other sources of personal data include contractual partners who provide services or goods to the SAO within supplier/customer relations (an overview of contractual partners can be found at https://www.nku.cz/cz/otevreny-urad/, Czech only), as well as information requestors authorized by law (e.g., Act No. 106/1999 Coll., on free access to information, as amended), and the public in relation to notifications regarding audited areas and/or audited entities.
Furthermore, the SAO obtains personal data from public registers, state administration bodies, or based on special legal regulations.
Personal data recipients
The SAO processes personal data both manually and automatically. Given the broad confidentiality obligation covering facts related to audit activities, the range of recipients of personal data obtained in this way is very limited. As regards the recipients of personal data of employees, the range is defined by the Labour Code or by other legislation. These are in particular individual SAO departments and, within the framework of legal obligations, administrative authorities such as the Czech Social Security Administration, the Financial and Tax Administration, healthcare facilities, etc.
Transmitting data to other countries
The free movement of personal data within the EU countries must not be prohibited or restricted.
The SAO carries out the transfer of personal data in this area (GDPR also applies to Iceland, Norway, and Liechtenstein) with our partners established or operating here, using the legal title of performing a task in the public interest or in exercising the public authority or legal title of the SAO's legitimate interest. Possible use of personal data of foreign natural persons for the purposes of seminars or congresses organized by the SAO, especially their photographs or speeches, is done only with the consent of the person concerned.
Sending our employees to other countries for internships or missions is also conditional upon the existence of a legal title to process personal data, in this case the performance of contractual obligations, or the consent of such an employee.
As regards the transfer of personal data outside the European Union, this is done in accordance with Article 44 of the GDPR, which regulates the principle of an adequate level of protection in the receiving State, which is designated as such by a decision of the European Commission or otherwise. If there is no decision or other appropriate safeguards, the transfer is made with the explicit consent of the data subject.
More information about the SAO's international cooperation is available here: https://www.nku.cz/en/about-us/international-cooperation/.
Responsibility for processing personal data
The SAO is responsible for lawful processing of personal data. The administrative body performing supervisory activity in the field of personal data processing in the Czech Republic is the Office for Personal Data Protection.
Data Protection Officer
In connection with the obligations arising from the GDPR, a Data Protection Officer (DPO) has been appointed with effect from 25 May 2018. The DPO monitors the compliance of the SAO's personal data processing with the GDPR and, in cooperation with our employees, is your contact person for any questions, comments, complaints, and privacy claims.
DPO contact details: poverenec.GDPR@nku.cz
You can also send any questions, comments, complaints, and privacy claims regarding the protection of personal data via this website. The respective form is being prepared for you.
Information leak notification
If you suspect that your or someone else’s personal data have been leaked, you can contact us at any time at https://www.nku.cz/en/contacts/.
We may change and update the personal data processing statement under certain circumstances. Therefore, we recommend that you visit this website regularly to ensure you have up-to-date information about its content at all times.