Personal Data Processing Policy
This policy explains when, how, and why your personal data is processed, as well as how it is subsequently handled.
As an attorney, I process personal data in accordance with applicable laws and regulations, particularly EU Regulation 2016/679 (hereinafter “GDPR”) and Act No. 110/2019 Coll., on Personal Data Processing, while fully respecting attorney–client confidentiality.
For matters related to personal data protection, you may contact me by email at: GDPR@gerlelegal.cz
1. Data Controller
Mgr. Lukáš Gerle, LL.M., Attorney-at-Law
Company ID: 01053329
Registered office: Benešovská 1924/4, 101 00 Prague
Email: GDPR@gerlelegal.cz
2. What Data Do I Process?
In the course of our cooperation, I may process the following data:
Basic identification data:
- Name, surname, title
- Date of birth or personal identification number
- Permanent address or registered office
- Contact details (telephone, email)
Business details:
- Company ID, VAT number (for entrepreneurs)
- Information about the company and its statutory bodies
Data related to legal services:
- Information provided in connection with legal representation (including special categories of personal data under Article 9 GDPR, if necessary)
- Data regarding payments and invoicing
- Correspondence and other communications
Technical data connected with the use of my website:
- IP address
- Browser and device information
- Cookies
All data is processed strictly to the extent necessary for the relevant purpose.
3. Why Do I Process Your Data?
Your data is processed for the following purposes:
a) Provision of Legal Services
Legal Basis: Article 6(1)(b) GDPR – contract performance
Your personal data is used for the conclusion, performance, and termination of contracts for legal services, management of cases, and related communication. Without these data, I could not provide legal services.
b) Fulfilment of Legal Obligations
Legal Basis: Article 6(1)(c) GDPR – compliance with a legal obligation
The law imposes numerous obligations on me, such as accounting, issuing invoices and tax documents, proper management and retention of attorney files, as well as compliance with anti-money laundering (AML) regulations.
c) Protection of Legitimate Interests
Legal Basis: Article 6(1)(f) GDPR – legitimate interest
I may process your data to safeguard my legitimate interests, such as the pursuit of claims for provided services, archiving documentation for possible disputes, or ensuring IT security.
d) Communication and Client Care
Legal Basis: Article 6(1)(b) GDPR – contract performance (routine case communication); Article 6(1)(a) GDPR – consent (for marketing communications)
Your data is used for routine email and telephone communications. Occasionally, I may send information about my office or legal updates, but only with your explicit consent, which you may withdraw at any time.
4. Who Has Access to Your Data?
Data are processed solely by myself. In necessary cases, access may be granted to third parties such as:
- Accountants and tax advisors
- IT administrators and service providers (e.g., email hosting)
- Other attorneys or specialists (if necessary for providing legal services)
- Public authorities (e.g., courts), where required by law
All such parties are contractually or legally bound by confidentiality and the duty to protect your data.
Your data will not be transferred outside the EU, nor to any third parties without your consent, except where required by law.
5. How Long Is Your Data Retained?
Your data is retained:
- For the duration of the provision of legal services and performance of the contract
- Subsequently for 5 or up to 10 years for archiving purposes in accordance with the Act on Advocacy and other applicable laws
- Longer periods only where this is required to protect my legitimate interests (e.g., in the event of legal disputes) or by specific legal regulations
- Data for marketing purposes are retained only until you withdraw your consent
- Technical data from the website are stored for a maximum of 12 months
6. Your Rights
You have the right:
- To Access Your Data
You may request information on what personal data I process about you, the purpose, recipients, and retention period. Upon request, I will provide a copy of the processed data.
- To Rectification
You may request the correction of inaccurate or incomplete personal data that I process about you.
- To Erasure
You may request the deletion of your personal data, for example, if it is no longer needed for the original purpose, if you withdraw your consent and no other legal basis exists, if the processing was unlawful, or if erasure is required by law.
Note: This right is limited by the statutory obligation of attorneys to retain files for 10 years and the duty of confidentiality.
- To Restriction of Processing
You may request that the processing of your personal data be restricted, for example, if you do not wish erasure but only temporary restriction, or if you have raised an objection and its review is pending.
- To Object
You may object at any time to the processing of personal data for the protection of my legitimate interests. If no compelling legitimate grounds can be demonstrated, your personal data will no longer be processed following your objection.
- To Data Portability
You have the right to obtain the personal data concerning you in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller, provided processing is based on your consent or contract performance and performed by automated means.
- To Request an Explanation
If you suspect that the processing of your personal data infringes your personal or private life, or is unlawful, you may request an explanation.
- To Withdraw Consent
If you have given consent to personal data processing (e.g., for receiving updates), you may withdraw it at any time. Withdrawal does not affect the legality of processing based on consent before its withdrawal.
- To Contact the Personal Data Protection Authority
If you believe that your privacy rights have been violated, you may contact the competent supervisory authority: Office for Personal Data Protection ("the Office"), Pplk. Sochora 27, 170 00 Prague 7, Company ID: 70837627, email: posta@uoou.cz, tel.: +420 234 665 800, Data Box ID: qkbaa2n. More information is available on the Office’s website: www.uoou.cz
- To Information About Automated Decision-Making
No automated processing, decision-making or profiling as defined by Article 22 of the GDPR takes place. All decisions regarding the provision of legal services are made personally, based on expert assessment.
How to Exercise Your Rights
To exercise your rights, contact me:
- By email: GDPR@gerlelegal.cz
- In writing: Benešovská 1924/4, 101 00 Prague
- In person: by prior arrangement
I will respond to your request within one month of receipt. In justified cases (especially for complex requests), this period may be extended by a further two months – you will be advised of any extension and its reasons.
There is no fee for providing information or performing actions related to your rights, unless your requests are manifestly unfounded or excessive, in which case I may refuse to comply.
A Data Protection Officer has not been appointed, as it is not required by law in my case. Should this change, the relevant contact details will be provided here.
7. Security
Your data is protected through organisational and technical measures preventing unauthorised access, alteration, destruction, or misuse, including:
Technical measures: data encryption, secure servers, regular backups, software updates
Organisational measures: restricted access to authorised persons only, staff training, procedures for reporting security incidents
Access to the data is restricted to persons subject to confidentiality obligations.
8. Security Incidents and Remedial Measures
- What Is a Security Incident?
A security incident refers to accidental or intentional breaches of the security of your personal data – e.g., their destruction, loss, alteration, or unauthorised disclosure or access by third parties.
- How Do I Handle Security Incidents?
1) Reporting to the Office for Personal Data Protection
If a security incident occurs, I will report it without undue delay, and no later than 72 hours after becoming aware, to the Office for Personal Data Protection – but only if the incident may pose a risk to your rights and freedoms. If reporting cannot be done within 72 hours, the reason for the delay will be explained.
The report to the Office will include:
- Description of the incident, number of persons and data affected
- Contact details for further information (GDPR@gerlelegal.cz)
- The likely consequences of the incident
- Measures taken to address the situation and mitigate damage
2) Informing You as the Client
If the security incident poses a high risk to your rights and freedoms, I will notify you directly without undue delay.
What you will be informed about:
- What occurred
- How you may contact me for further information
- The possible impact of the incident
- Actions taken to resolve the situation and protect your data
When You May Not Need to Be Notified:
- If your data was adequately protected (e.g., encrypted) and not compromised
- If measures that effectively eliminated the high risk were taken
- If individual notification is impractical – in which case public notification will be used
- Incident Records
All security incidents will be carefully documented, regardless of whether they are reported to the Office. Records will include what happened, the consequences, and remedial actions taken.
- Preventive Measures
To prevent security incidents, I implement the following measures:
- Technical measures: data encryption, secure servers, regular backups, software updates
- Organisational measures: restricted access, staff training, regular security inspections
- Procedure for Reporting Security Incidents
If you suspect a security incident involving your personal data, contact me immediately:
- Email: GDPR@gerlelegal.cz (fastest method)
- In writing: Benešovská 1924/4, 101 00 Prague
Please specify:
- When you noticed the incident
- What you believe occurred
- Which data are concerned
- Any suspected cause
You will receive a prompt response and we will resolve the situation together.
9. Cookies and Website
On my website, I use various types of cookies – small text files stored by your browser during your visit, which help ensure proper website functionality and improve your user experience. Some cookies are essential, while others are used for analytics or advertising.
Types of Cookies Used:
- Necessary cookies: Essential for the website to function properly, enabling basic features such as secure navigation, access to secure areas, or saving your settings necessary for website operation. These cookies do not require your consent.
- Preference cookies: Allow the website to “remember” your choices (e.g., chosen language or region) for a certain period and adapt accordingly. They are used only with your consent.
- Statistical cookies: Collect anonymous information about how visitors use the website, helping to understand what works well and where improvements are needed. Used only with your consent.
- Marketing cookies: Serve to track visitors across websites in order to display relevant, personalised advertising. As I do not operate an advertising network, these cookies are used only exceptionally and only with your consent.
- Unclassified cookies: Currently being categorised into one of the above groups; these will be used only with your consent.
Detailed information about cookies is available in the Cookiebot Cookie Policy: https://www.cookiebot.com/en/privacy-policy/
10. Changes to This Policy
These principles may be updated in the event of changes to legal regulations or data processing methods. You will be informed of any significant changes through the website or by e-mail.
This Personal Data Processing Policy is effective as of 1 August 2025.