Privacy Policy of News Subscription from SOTIO Biotech website

  • The data controller to whom I give my consent to the processing of my personal data is:

SOTIO Biotech a.s., a company organized and existing under the Czech Law, company registration no.: 10900004, registered office at: Jankovcova 1518/2, 17000 Prague 7, Czech Republic, registered by the Municipal Court in Prague, Czech Republic, Insert no:  B 26378 (hereinafter referred to as the “Controller”)

The Controller’s contact details: SOTIO Biotech a.s. - Communications Department, address: Jankovcova 1518/2,
170 00, Prague 7, Czech Republic, email:,

  • Controller’s data protection obligations are provided by:
  1. the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
    on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to only as the “GDPR“); and
  2. Act No. 110/2019 of the Collection of Laws of the Czech Republic, on the Processing of Personal Data,
    as amended (the “PDPA”).
  • Specification of My Personal Data to the processing of which I give my consent:

(hereinafter jointly referred to only as “My Personal Data“).

  1. Identification personal data – First name, Surname
  2. Contact details – E-mail address
  3. Other personal data – Identification of an employer (if business email is stated)
  • Period for which I grant my consent to the processing of My Personal Data:

3 years from the date this consent was granted – the “Agreed Period”.

  • Purposes of processing My Personal Data for which I grant my consent:

Keeping of the database of contact details of persons interested in the News (press releases and statements).      

  • The way of processing of My Personal Data to which I grant my consent:

My Personal Data may be processed only in electronic form. By granting my approval, I agree with putting My Personal Data into the Controller’s database containing information about persons interested in the News. I am aware
that the Controller and the Processor (as defined below in next par., the “Processor”) have access to this database
during the whole Agreed Period. I am also aware that the Controller’s database containing My Personal Data is placed
with a third party (the Processor).

  • My Personal Data will be transmitted to the Processor 

who will provide to the Controller the services of administration and management of technical and software equipment
on which My Personal Data will be stored, and they will also provide for the News distribution. Upon the date I am granting this consent, the Processor is ANDWEB s.r.o. registration no.: 29036798, registered office at: Dolní Břežany, Pražská 384, Post Code 25241, Czech Republic, registered by the Municipal Court in Prague, Czech Republic, Insert no:  
C 161782 (generally referred to as the “Processor”). The Processor’s data protection obligations are provided by the GDPR.

Certain Personal Data the Controller processes may be shared with state institutions or other third parties in the fulfilment of obligations complying with given legislation.

  • I am aware that the following persons may have access to My Personal Data:
  1. Communications Department employees of the Controller;
  2. Processor or persons working for the Processor, if their job is in the field of News distribution, administration and management of technical and software equipment on which My Personal Data is stored;


  • I am aware that the legal ground for the processing of My Personal Data
    by the Controller and Processor is my consent.


  • I am aware that the provision of My Personal Data to the Controller and the granting
    of this consent to the processing of My Personal Data is not my obligation, i.e.
    it is on a voluntary basis and subject to my consideration only.

  • I acknowledge having received information concerning security of My Personal Data,
    in particular that:
  1. The Controller and the Processor adopted effective security measures to prevent unauthorized or accidental access to and unauthorized change, destruction or loss or other unauthorized processing of My Personal Data;
  2. A “data processing agreement” was entered into between the Controller and the Processor, providing, among other things, what are the Processor’s data protection obligations;
  3. The Processor adopted a security guideline that sets out the responsibilities for the implementation
    of security measures;
  4. The Controller’s and Processor’s employees are obliged to keep confidential about the processed personal data;
  5. Only the following persons have access to My Personal Data: (i) PR employees of the Controller; (ii) persons working for the Controller and the Processor, who were charged by the Controller with the News distribution, administration and management of technical and software equipment on which My Personal Data is stored;
  6. The Controller adopted the data protection rules. The Controller determined the rules of access
    to My Personal Data and the rules of data confidentiality and security for its employees and Processor
    which all stakeholders are obliged to observe.
  • Principles and procedures of personal data processing

We would also like to inform you about principles and procedures during your personal data processing, in compliance with the provisions of Article 5 of the GDPR and PDPA.

Your personal data have been processed such that:

  • The processing is lawful, correct and transparent;
  • Personal data are only collected for definite and legitimate purposes and are not processed in a way incompatible with these purposes;
  • The processed personal data are always proportional and relevant in relation to the purpose
    for which they are processed;
  • The processed personal data are accurate;
  • Personal data are only stored in a form enabling the identification of the data subject for the period required for the given purposes for which they are processed;
  • Their integrity and confidentiality are always guaranteed.


  • Data security

The Controller has introduced and maintained reasonable technical and organizational measures, internal inspections
and processes of the information security in compliance with the best business practice corresponding to the possible risk
of a threat to you as a data subject. At the same time, the state of the technological development is taken into account with the aim of protecting your personal data against accidental loss, destruction, changes, unauthorized publication
or access. These measures include inter alia taking appropriate steps to ensure the responsibility of respective employees who have access to your data, employee training, regular backup, procedures for data recovery and incident control
and software protection of the equipment, on which data with personal data are stored.

  • Information about rights under GDPR

Under Article 7 (3) of the GDPR:

  • I have the right to withdraw my consent at any time by the methods listed below or by unsubscribing
    from the News in the email itself. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.


Under Article 13 and 14 of the GDPR:

  • I have the right to the provision of the information where personal data are collected from the data subject, but also if data were obtained from a third party. This obligation is fulfilled by this information on the Processing of Personal Data.

Under Article 15 of the GDPR – Right to access to My Personal Data:

  • I have the right to obtain from the Controller confirmation as to whether or not My Personal Data are being processed, and, if so, access to My Personal Data and the following information: a) the purposes
    of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom My Personal Data have been or will be disclosed, in particular recipients in third countries
    or international organizations; d) where possible, the planned period for which My Personal Data will be stored, or, if it is not possible to determine it, the criteria used to determine it; e) the existence of the right
    to request from the Controller rectification or erasure of My Personal Data or restriction of processing
    of My Personal Data or to object to such processing;
  • I have the right to lodge a complaint with a supervisory authority;
  • I have the right to obtain all available information as to the source of My Personal Data if not acquired directly from me; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the procedure used,
    as well as the meaning and the expected consequences of such processing for me;
  • I have the right to be provided with a copy of My Personal Data processed by the Controller.
    The Controller may charge a reasonable fee for any further copies requested by me based on administrative costs. If I make the application in electronic form, the information shall be provided in a commonly used electronic form, unless otherwise requested by me.


Under Article 16 of the GDPR – Right to rectification of My Personal Data:

  • I have the right to rectification on the part of the Controller of inaccurate personal data concerning
    me without undue delay. Considering the processing purposes, I have the right to completion
    of incomplete personal data, even by providing a supplementary statement.


Under Article 17 of the GDPR – Right to erasure of My Personal Data:

  • I have the right to erasure on the part of the Controller of My Personal Data without undue delay
    for one of the following reasons:
  1. My Personal Data are no longer required for the purposes for which they have been collected or otherwise processed;
  2. I have withdrawn my consent to the processing of My Personal Data, and there is no other legal grounds
    for the processing;
  3. I have objected to the processing under Article 21, par. 1 of the GDPR, and there are no prevailing legitimate grounds for the processing, or I have objected to the processing under Article 21, par. 2 
    of the GDPR;
  4. My Personal Data have been unlawfully processed;
  5. My Personal Data have to be erased to comply with a legal obligation in the law of the European Union
    or a Member State to which the Controller is subject;


  • what is specified under clauses (a) through (e) of this paragraph will not apply if the processing
    of My Personal Data is necessary:
  1. for exercising the right to freedom of expression and information;
  2. for compliance with a legal obligation that requires processing by the law of the European Union
    or a Member State to which the Controller is subject or for the performance of a task carried out in the public interest or in the scope of a public authority if the Controller has been authorized by it;
  3. for reasons of public interest in the area of public health;
  4. for archiving purposes in the public interest, for the purpose of scientific or historical research purposes
    or statistical purposes in accordance with Article 89(1) of the GDPR; or
  5. for the establishment, exercise or defence of legal claims.

Under Article 18 of the GDPR – Right to restriction of processing of My Personal Data:

  • I have the right to obtain from the Controller restriction of processing where one of the following applies:
  1. If I contest the accuracy of My Personal Data for a period enabling the Controller to verify the accuracy
    of My Personal Data;
  2. If the processing is unlawful and I oppose the erasure of My Personal Data and request the restriction
    of their use instead;
  3. If the Controller no longer needs My Personal Data for processing purposes, but I would require them
    for the establishment, exercise or defence of legal claims;
  4. I have objected to processing under Article 21, par. 1 of the GDPR pending the verification whether
    the legitimate grounds of the Controller prevail over mine.


  • If the processing has been restricted under clauses a) through d) of this paragraph, My Personal Data,
    with the exception of storage, may only be processed with my consent or for the establishment, exercise
    or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.


Under Article 19 of the GDPR – Notification obligation regarding rectification or erasure of My Personal Data or restriction of their processing:

  • The Controller advises individual recipients to whom My Personal Data have been disclosed of any rectification or erasure of My Personal Data or processing restrictions of, unless this proves impossible
    or involves unreasonable effort. The Controller informs me about these recipients only if I request it.


Under Article 20 of the GDPR – Right to data portability:

  • I have the right to obtain the personal data concerning me, which I have provided to the Controller,
    in a structured, commonly used and machine-readable format and I have the right to transmit those data
    to another controller without hindrance from the Controller, provided that the processing is carried out
    by automated means. In exercising my right to data portability under the previous sentence, I have

the right to have My Personal Data transmitted directly from the Controller to another controller, where technically feasible.



Under Article 21 of the GDPR – Right to object:

  • I have the right to object, on grounds relating to my particular situation, at any time to the processing
    of My Personal Data under Art. 6(1)(f) of the GDPR – the Controller’s legitimate interest, including profiling based on those provisions. The Controller will no longer process My Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing that outweigh my interests, rights
    and freedoms or for the establishment, exercise or defence of legal claims.
  • I can exercise my right to object by automated means using technical specifications.

Under Article 22 of the GDPR – Automated individual decision-making, including profiling:

  • I have the right not to be subject to a decision based solely on automated processing, including profiling,
    which produces legal impacts on me or similarly affects me in a material way. This does not apply if the decision:
  1. is necessary to enter into, or perform, a contract between me and the Controller;
  2. is permitted by the law of the European Union or a Member State to which the Controller is subject
    and which also determines suitable measures to safeguard my rights and freedoms and legitimate interests;
  3. is based on my express consent.

Under Article 34 of the GDPR – Communication of a personal data breach

  • If it is likely that a specific instance of a security breach of My Personal Data will result in a considerable threat
    to my rights and freedoms, the Controller is required to report the breach to me without undue delay.

However, the reporting referred to in this paragraph is not required if any of the following conditions are met:

  1. the Controller has introduced appropriate technical and organizational measures, and these measures
    have been applied to the personal data affected by the personal data breach, in particular measures
    that render the personal data unintelligible to anyone who is not authorized to access them, such as encryption;
  2. the Controller has taken subsequent measures that ensure that no considerable threat to the rights
    and freedoms referred to in the first paragraph of this article is likely to materialize;
  3. It would involve unreasonable effort. In this case, you will be advised in an equally effective manner
    by a public notice or similar means.
  • Information on how the rights are exercised

A person interested in the News may exercise his/her rights directly with the Controller at the above-mentioned address:

  • electronically via email .

If a request is filed electronically, the Controller will provide the information also electronically, unless required otherwise by the person interested in the News. In case of a request filed electronically, the Controller must verify the identity
of the person who filed the request to prevent the disclosure of information to unauthorized persons. To verify the identity, the Controller will contact the person interested in the News. The Controller provides a copy of the processed personal data for free. A request filed repeatedly by the same person interested in the News will be considered an obviously unreasonable request. In such a case, the Controller may either charge a reasonable fee to process the request
or deny the request.

The scope of exercise and realization of some of the above-mentioned rights depends on the type and nature
of the specific personal data processing.