Regulation & GDPR
As a digital service provider, we are subject to strict public regulation, and at the same time, our customers place high demands on the quality of our contractual documentation.
A responsible approach
We take our role with the utmost responsibility, so ensuring that our products comply with constantly updated legislation is important to us. This compliance is guaranteed not only in the Data Protection Agreement, which is part of our contractual documentation, but also in all the terms and conditions for logging in to our online services, in the way your data and personal data are stored and, in particular, in the way we access your data and personal data.
In addition, we regularly train in new IT project management methodologies and services, which we incorporate into our internal procedures. We are constantly deepening our certified procedural and contractual documentation, which keeps us abreast of the latest trends in compliance.
General Data Protection Regulation
The abbreviation GDPR stands for Regulation (EU) No 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation, which unifies the rules for the protection of personal data in the European Union. With a delay of more than a year, the Adaptation Act No 110/2019 Coll., on the processing of personal data, was adopted and published in the Collection of Laws. It regulates the areas of national legislation, thus adapting the European Regulation to the Czech legal order.
New legal regime
GDPR has not brought anything revolutionary to the Czech Republic, as the existing legislation was very strict by European standards. For us, as a digital service provider, most of the requirements imposed by the GDPR already applied on the basis of cyber law, such as Act No. 181/2014 Coll., on Cyber Security and Act No. 480/2004 Coll., on Certain Information Society Services.
GDPR and the cloud
The GDPR, together with the adaptive national regulations, which are significantly influenced by the harmonisation activities of the European Union, constitutes the general legal framework for the handling of personal data of natural persons. This legal system, which protects the personal data of individuals, places increased demands on the procedural and technical security of digital services. Our customers’ business often involves advanced data analysis or management of vast amounts of personal and other data in their information systems. As a cloud service provider, it is unthinkable for us to further monetize our customers’ data, e.g. by selling it to a third party or by data analysis, as is often the case in other IT sectors.
Relationship between the controller and the processor of personal data
As a data controller, we determine what customer data we need to provide the service and how we will process it, both to provide the service and for our internal needs. You can find out more about how we process personal data as a data controller in our Data Processing Statement below. As a processor of personal data, we assume some of the obligations of customers who act as data controllers in relation to third parties.
Our role in GDPR compliance
As a contracted cloud service provider, we provide a professional level of security for customer data. Thanks to the most modern technologies, our services are provided at a level corresponding to the current state of the art, which customers are obliged to ensure as data controllers. Data processed in the cloud can be encrypted from the customer's side and, at the level of disk arrays, can be randomly stored in data blocks or objects according to the selected storage type, thus reducing the risk of its possible misuse. It is also possible to set different policies for access and retention of data.
At the same time, we allow customers to decide and have an overview of which data centre and in which country the data is stored, which is often not even possible with foreign competitors. Thanks to virtualization and advanced backup technologies, we are able to guarantee constant control, high availability, recoverability, portability and guaranteed deletion of data. In accordance with GDPR requirements, we have also ensured complete contractual confirmation of compliance of all processes with our suppliers.
Data Protection Officer
Given that we provide cloud services for the processing of large amounts of data, which may (and probably do) include large amounts of personal data, we have created the position of a qualified data protection officer. The Data Protection Officer supervises the processing of personal data both as a controller and as a processor.
They can be contacted at the following e‑mail address: firstname.lastname@example.org.
Regulation of cyber security
As a digital service provider, we are subject to strict public regulation. We are subject not only to the Cybersecurity Act, but also to the Act on Certain Digital Society Services and the Electronic Communications Act. In the context of cyber security, we are registered by the CTU and NUCIB as a subcontractor of critical infrastructure and we are allowed to operate our technologies even in the event of emergency situations such as a blanket ban.
In practice, this means more pressure from regulators to increase the security of all networks and information systems on which the modern economy is built. To this end, digital service providers are required by law to take appropriate steps to manage security risks and to report serious security breaches to national competent authorities.
The aim of Act No. 181/2014 Coll., on Cyber Security, and implementing Decree No. 82/2018 Coll., is to achieve a high common level of security of networks and information systems, especially after the transposition of Directive 2016/1148 of the European Parliament and of the Council of the EU (EU NIS).
Cybersecurity and data protection
The requirements of Act No. 181/2014 Coll., on Cyber Security, and the implementing Decree No. 82/2018 Coll. do not only apply to the processing of personal data, but to the processing and storage of all data.
Within the meaning of Section 2(l)(3) of Act No. 181/2014 Coll., on Cyber Security, we are a digital service provider. Pursuant to Section 4(2) and (3) of this Act, we are therefore required to have appropriate and adequate security measures in place for the electronic communications networks and information systems that we use in connection with the provision of our services to our customers. These security measures take into account information security, cyber security incident management, business continuity management, monitoring, auditing, testing and compliance with international regulations.
These are therefore very similar requirements to those imposed on the Data Controller by Article 32 of the GDPR. Also in the case of Act No. 181/2014 Coll., on Cyber Security and the implementing Decree No. 82/2018 Coll., we have incorporated the required obligations into the procedural documentation of the ISO/IEC 9001:2016 quality management system and the ISO/IEC 27001:2014, ISO/IEC 27017:2017 and ISO/IEC 27018:2017 information security management system, which, thanks to regular audits, guarantees the appropriate level of all established internal processes.