Information on the processing of personal data

Personal data protection policy

We protect and handle your data in accordance with applicable law. We process it as a data controller in the performance of tasks arising from the Advocacy Act, as well as other related activities.

Data Controller: Herešová advokáti s.r.o. (hereinafter referred to as „we“)

CRN: 09773291

Registered office: U průhonu 1589/13a, Holešovice, 170 00 Prague 7


Contact e-mail:

What are the purposes and legal bases for processing your personal data?

We provide legal services on the basis of a legal services agreement, which is also the legal basis for the processing of your personal data. This includes, in particular, the processing of data in the context of negotiations preceding the conclusion of the legal services contract or processing in the performance of our obligations under the contract.

On this basis, we process your personal data and, if necessary in the context of our legitimate interests or the performance of our obligations, the data of other parties to the contractual relationship or otherwise affected persons (e.g. contractors/counterparties of clients).

We cannot offer or provide our services without processing this data. Therefore, consent is not required for data processing in this case. If you do not provide us with the necessary data, we cannot conclude a contract with you at all.

Legislation requires us to process personal data in some cases. These include processing for the following purposes:

– preservation and archiving of data according to legal requirements (accounting and tax regulations, archiving, etc.);

– compliance with legal obligations in tax, accounting or other administrative matters;

– fulfilling the obligations imposed on us by Act No. 85/1996 Coll., the Advocacy Act, as amended, and the professional regulations issued by the Czech Bar Association;

– the fulfilment of obligations under Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and the financing of terrorism.

Processing for other related activities

Service providers

We work with service providers to operate our business. In this context, we process personal data provided or subsequently generated by providers (natural persons) and their representatives for the purpose of the proper performance of contracts and the fulfilment of related legal obligations (especially tax). The personal data of service providers and their representatives include their identification and contact details, CRN, VATIN, bank account numbers, if applicable, and details of the performance received and provided.

Job applicants

In connection with the search for new colleagues, we process personal data of job applicants obtained from their CVs and any further selection process for the purpose of communication, preparation of documents and possible conclusion of an employment contract with the applicant and the fulfilment of legal obligations as a future employer.

The processed personal data of job applicants include name, surname, date and place of birth, citizenship, permanent/transient residence, contact address, telephone number, email address, other personal data contained in their CVs (e.g. education, knowledge of foreign languages, professional knowledge and skills, previous employment, or photographs of the applicant).

Processing of personal data with the consent of the data subject

We do not currently process any personal data on the basis of your consent.

What data do we process?

In particular, we process data that we need for the proper performance of the legal profession, i.e. legal advice and directly for your representation in judicial, administrative and other proceedings before state authorities or in the out-of-court phase of a dispute.

We will most often process your identification, descriptive and contact data, as well as data obtained in connection with the provision of legal services that are necessary for this activity, transactional data (e.g. for making payments) and other data that you provide to us or that we obtain in the course of providing the services, including data that we generate in connection with our obligations by processing the data so collected.

Categories of data processed:

– identification data used to uniquely and unmistakably identify the data subject (e.g. name, surname, title, possibly birth number, date of birth, permanent address, CRN, VATIN);

– contact details (e.g. contact address, telephone number, fax number, e-mail address and other such information);
– descriptive and socio-demographic data (age, sex, marital status, number of children, citizenship, occupation, education, income and expenditure, etc.);

– data relating to services and products (e.g. type, number and use of products contracted);

– health data or other sensitive data (special category data) the processing of which is necessary for the exercise of your claim;

– data relating to our communications, including telephone communications and website usage;

– transactional data (all payments, disbursements of benefits, including relevant payment information).

Where do we get the data from?

We obtain personal data from:

– directly from the persons concerned in the conclusion and performance of the contract;

– from our own activities (especially information obtained from the provision of legal services);

– from other persons, e.g. from counterparties, witnesses, courts or other state authorities;

– from publicly available registers, lists, records or websites (e.g. insolvency register, commercial register, trade register, land register).

Who can we pass the data to?

Under the Advocacy Act, we are subject to a strict duty of confidentiality. Personal data may nevertheless be processed by other parties, in particular service providers necessary for our activities. To process your personal data, we use an online filing system from the operator SingleCase, which provides all the necessary and currently available means of security. We also use standard office software and tools.

We may disclose data to other persons in the course of our duties, for example to courts in the course of claims, to experts, to cooperating lawyers or to opposing parties in out-of-court proceedings.

Other recipients of data may include providers of postal services, both traditional and electronic.

In the event that we undergo a change and transfer our business or other activities, in whole or in part, to another person, personal data relating to those activities will be part of that transfer. This would also be the case if we were required by law to make such changes.


All persons who work with us and who come into contact with personal data in the course of their work or contractual duties are bound by confidentiality and observe sufficient standards of personal data security.

When can we transfer data abroad?

Your personal data may be transferred for processing within the EU and the European Economic Area (primarily to IT technology providers or other recipients listed above). In the event that personal data is transferred to countries outside the EU/EEA (e.g. a software provider based outside the EEA), we have adequate security and documented guarantees that it will be handled in accordance with the law. These safeguards are primarily so-called standard contractual clauses approved by the European Commission. Upon request, we will provide you with specific information about the transfer, including the content of these standard contractual clauses.

How do we work with the data?

We process both manually and automatically using various applications and software, especially those that help us to carry out our work and without which we would not be able to do so. We do not use automated decision-making.

How long do we keep the data?

The duration of retention and archiving of personal data depends on several factors, which apply depending on the specific situation in which the personal data is processed. Most often, personal data is processed for the duration and performance of contractual or non-contractual obligations. After the provision of legal services, personal data is further processed for the purpose of archiving obligations set out in the statutory regulations, or for the protection of our or your rights and interests (or those of third parties), for the period necessary to ensure or exercise them. The processing period is set by statutory archiving periods, objective limitation periods set by law (Civil Code) or by contract. The time limits may vary according to the type of obligation or right to which the data relate. In the case of certain documents, we are obliged to keep the data contained therein within the time limits set by generally binding legislation (in particular in the field of accounting, taxation, labour law or archiving under a special law).

Our document retention activities are also subject to special regulation, in particular:

– Act No. 85/1996 Coll., on Advocacy;

– Act No. 253/2008 Coll., on Certain Measures against the Legalization of Proceeds of Crime and the Financing of Terrorism;

– Resolution of the Board of Directors of the Czech Bar Association No. 9/1999 of the Bulletin of 8 November 1999, laying down certain details on the documentation kept by a lawyer when providing legal services and on keeping records of conversions made.

Pursuant to these regulations, we are obliged to keep the entire case file for a period of five years from the termination of the provision of legal services, or for 10 years when providing services consisting in escrow or representation in matters relating to real estate, securities, business shares, the settlement of loans, the establishment of a commercial company and the collection of payments, starting from the last meeting with the client.

What are your rights?

Right to information

Upon request, we will tell you whether we process your personal data and, if you request it, we will also provide you with information about the purposes, categories of data, recipients (categories), retention period (criteria), your rights, including the possibility to contact a supervisory authority, the sources of the data (if they do not come from you), automated individual decision-making and transfers to a third country or an international organisation (appropriate safeguards).

Right of access

In addition to information about processing, you have the right to a copy of the data that is processed about you.

Right to correction

You have the right to have your data corrected if it is found to be incorrect.

Right to erasure, right “to be forgotten”

You have the right to have your data erased unless there is another lawful ground for processing that we can use (including to protect our legitimate interests and rights).

Right to transferability

In the case of automated data provided by you and processed on the basis of the conclusion or performance of a contract, you have the right to receive it in a machine-readable format.

Right to object

This applies to cases of processing for reasons of public interest pursued by the controller or for his own legitimate interest, including direct marketing. You have the right to object to such processing and the controller is obliged to assess such processing for compliance with all rules under the regulations. In the case of direct marketing, the controller will always stop such processing upon objection.

Right to withdraw consent

In the case of processing based on your consent, you can withdraw your consent at any time.

Right to restriction

You have the right to restrict the processing of your data if you contest the accuracy of the data (until we have verified its accuracy), the data is not necessary for the purposes of the processing but you require processing for the establishment, exercise or defence of legal claims, you have objected to the processing (until it is verified that our legitimate grounds outweigh your legitimate interests), the processing of the data was unlawful and you require a restriction on the processing of the data instead of erasure.

Right to apply to the supervisory authority, court

You can lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection ( or the court.

How can you exercise your rights?

You can exercise your rights at any time by sending a written request to our registered office or to Our law firm reserves the right to reasonably verify the identity of the data subject who exercises the above rights.

This document is effective as of January 1, 2021 and may be updated periodically. The current version of the document can always be found on the law firm’s website.



I would be happy to assist you in the areas of insurance, civil, corporate law, and GDPR issues. I can also offer my experience in providing legal support for foundations or charitable funds.


Ráda Vám pomohu v oblasti pojistného, občanského, korporátního práva i problematiky GDPR. Rovněž mohu nabídnout své zkušenosti v oblasti právní podpory nadace či nadačních fondů.


Kateřina Stiborová

I am a trainee lawyer with experience in commercial and civil law and in public procurement and its administration. Currently, I specialize mainly in financial products, AML issues and corporate law. I am fluent in English.


I am a lawyer and I can advise you in particular on real estate transfers, lease law, corporate law, matrimonial regimes and probate proceedings. I am fluent in English.


I am a lawyer with experience in criminal, administrative and constitutional law. Currently, I specialize mainly in the regulation of personal data under GDPR and ePrivacy. I am fluent in English.


I am a lawyer and I focus on the regulation of personal data and information technology under GDPR, ePrivacy and other regulations in the EU and worldwide. I am fluent in English.


Lenka Sýkorová
I am a lawyer specialising in insurance law and insurance distribution, commercial law and civil law with a focus on personal injury compensation and litigation. I am fluent in English and German.


Monika Herešová

I am a lawyer with 20 years of experience specializing in insurance, financial and pension products. I also advise on areas of commercial law including project finance. I am fluent in English.


Jsem právník junior a specializuji se na obchodní právo a právo obchodních korporací. Mluvím plynně anglicky.


Jsem advokátkou se zkušenostmi v oblasti trestního, správního a ústavního práva. V současné době se specializuji zejména na regulaci osobních údajů podle GDPR a ePrivacy. Mluvím plynně anglicky.


Jsem advokátka a poradím Vám zejména s převody nemovitostí, nájemním právem, v oblasti zákona o obchodních korporacích, ve věcech manželského majetkového práva a v řízení o pozůstalosti. Mluvím plynně anglicky. 


Kateřina Stiborová

Jsem advokátní koncipient se zkušenostmi v oblasti obchodního a občanského práva a dále v oblasti zadávání veřejných zakázek a jejich administraci. V současné době se specializuji zejména na finanční produkty, AML problematiku a korporátní právo. Mluvím plynně anglicky.


Jsem advokátem a zabývám se zejména regulací osobních údajů a informačních technologií podle GDPR, ePrivacy a dalších předpisů v EU a ve světě. Mluvím plynně anglicky.


Lenka Sýkorová

Jsem advokátkou se specializací na pojistné právo a distribuci pojištění, na obchodní právo a občanské právo se zaměřením na náhradu újmy a řešení soudních sporů.  Mluvím plynně anglicky a německy.


Monika Herešová

Jsem advokátkou s 20letou zkušeností se specializací na pojistné, finanční a penzijní produkty. Poskytuji též poradenství v oblastech obchodního práva včetně financování projektů.  Mluvím plynně anglicky.