INFORMATION MEMORANDUM WITH THE PROCESSING OF PERSONAL DATA
Dear customers and business partners,
this document contains basic information about how we process your personal data. We appreciate that you share your personal information with us and are prepared to protect it to the maximum extent possible. We also try to be as open as possible with you, especially about how we process your personal data.
Due to the new legislation of the European Union, this information memorandum was prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of the Directive 95/46/EC (hereinafter referred to as “GDPR”).
This information memorandum presents the basic information that we, as a personal data administrator, are obliged to provide. If you are interested in the detailed personal data processing principles that we follow, write to email@example.com.
1. Who is the controller of personal data?
The administrator is a person who alone or jointly with others determines the purposes and decides how personal data will be processed.
The administrator of your personal data shared with us is cc781905-5cde-3194-bb3b-136bad5cf58dIng. Tomáš Kratochvíl Hansmannova 1744/8, Brno 61300, ID number: 75389126, VAT number: CZ8307274547.
In case of any questions regarding the processing of your personal data, do not hesitate to contact the administrator at the e-mail address firstname.lastname@example.org.
2. Who is the person responsible for personal data protection?
The person responsible for the protection of personal data is experienced in the field of personal data protection and does everything to ensure that the processing takes place as it should, in particular in accordance with the relevant legal regulations. He is also the most qualified person for dealing with questions and requests regarding personal data.
The person responsible for the administrator is the person in the position of Club Manager, who can be contacted at the e-mail address email@example.com.
3. For what purpose do we need personal data?
The administrator processes personal data to:
a) ensuring the conclusion and subsequent fulfillment of the contractual obligation between the administrator and you (Article 6, paragraph 1, letter b) GDPR). Other legal obligations result from such a relationship, and the administrator must process personal data for this purpose as well (Article 6, paragraph 1, letter c) GDPR);
b) for marketing purposes, so that the administrator can best adapt the offer of its products and services and commercial communications regarding them to your needs, for this purpose the administrator obtains your unequivocal consent (Article 6, paragraph 1, letter a) of the GDPR;
c) protection of your other legitimate interests (Article 6, paragraph 1, letter f) GDPR).
Providing personal data to administrators is generally a legal and contractual requirement. Regarding the provision of personal data for marketing purposes, which does not constitute the fulfillment of a contractual and legal obligation of the administrator, your consent is required. If you do not give consent to the administrator to process personal data for marketing purposes, this does not mean that the administrator will refuse to provide you with its product or service based on the contract as a result.
4. What are our legitimate interests?
Personal data is also processed by the controller to protect its legitimate interests. The administrator’s legitimate interests are, in particular, the proper fulfillment of all contractual obligations of the administrator, the proper fulfillment of all legal obligations of the administrator, direct marketing, the protection of the administrator’s business and property, and last but not least, the protection of the environment and ensuring sustainable development.
In order to ensure the greatest possible protection of your privacy, you have the right to object to the processing of your personal data exclusively for the most necessary legal reasons or to the blocking of personal data. You can read more about your rights related to the processing of personal data in Article 11 of this information memorandum.
5. How was the personal data obtained?
The administrator obtained personal data directly from you, especially from completed forms, mutual communication or concluded contracts. In addition, personal data can also come from publicly available sources, registers and records, for example from the commercial register, the register of debtors, professional registers or, for example, the Land Registry. Furthermore, the administrator could obtain personal data from third parties who are authorized to access and process your personal data and with whom they cooperate, as well as from information from social networks and the Internet that you yourself have placed there.
6. What categories of personal data may be processed?
To ensure your satisfaction from the proper fulfillment of the obligation, to ensure the fulfillment of legal obligations, to ensure a personalized offer of goods and services of the administrator and for the other purposes listed above, the administrator processes the following categories of personal data:
a) basic identification data – name, surname, date of birth, residential address;
b) contact details – telephone number and e-mail address;
c) information about the use of the administrator’s products and services – this is data about which products you have contracted with the administrator and which you are using now, including product settings, etc.;
d) information from mutual communication – information from e-mails and text rights (SMS or MMS), from records of telephone calls or other contact forms;
e) invoicing and transaction data – this is mainly information appearing on invoices, on agreed invoicing terms and received payments;
f) geolocation information, i.e. information from the internet browser or mobile applications you use.
7. What is the legal basis for processing personal data?
The legality of processing is determined by Article 6, paragraph 1 of the GDPR, according to which processing is legal if it is necessary for the fulfillment of a contract, for the fulfillment of a legal obligation of the controller, for the protection of the legitimate interests of the controller, or the processing takes place on the basis of the consent you have given us.
The legality of the processing is further based, for example, on Act No. 563/1991 Coll., on accounting, according to which billing data is processed and stored, on Act No. 89/2012 Coll., the Civil Code, according to which the administrator defends his legitimate interests, or on the law No. 235/2004 Coll., on value added tax.
8. Will we pass on personal data to someone else?
We must provide personal data within the legal limits to state administration authorities, for example the tax administrator, courts, law enforcement authorities or capital market supervisory authorities. We will only pass them on to other persons in compliance with the law, or if you express your consent.
9. Will we transfer personal data to third countries or international organizations?
We will not transfer personal data to countries outside the European Union or the European Economic Area, or to any international organization.
10. How long will we store personal data?
Personal data will be processed and stored for at least the duration of the contract. Some personal data needed, e.g. for tax and invoicing obligations, will be kept for longer, usually 5 years starting from the year following the creation of the stored fact.
Personal data that are important for exercising the administrator’s legitimate interests will be kept for a maximum of 3 years from the end of the contractual relationship with the administrator.
Personal data processed for marketing purposes will be kept for a maximum of 5 years from their acquisition.
Personal data will never be kept longer than the statutory maximum. After the archiving period has expired, personal data will be securely and irretrievably destroyed in such a way that it cannot be misused.
11. What are your rights related to the processing of personal data and how can you exercise them?
The administrator does everything to ensure that the processing of your data takes place properly and, above all, safely. You are guaranteed the rights described in this article, which you can exercise with the administrator.
How you can exercise your rights
You can exercise individual rights by sending a request to the person responsible for the protection of personal data, as stated above in Article 2.
All communications and statements regarding your rights are provided by the administrator free of charge. However, if the request would be clearly unfounded or unreasonable, especially because it would be repeated, the administrator is entitled to charge a reasonable fee taking into account the administrative costs associated with providing the requested information. In case of repeated application of the request to provide copies of processed personal data, the controller reserves the right to charge a reasonable fee for administrative costs for this reason.
The administrator will provide you with a statement and possibly information about the measures taken as soon as possible, but within one month at the latest. The administrator is entitled to extend the deadline by two months if necessary and taking into account the complexity and number of applications. The administrator will inform you about the extension, including the reasons.
The right to information about the processing of your personal data
You are entitled to request information from the administrator as to whether or not personal data is being processed. If personal data is processed, you have the right to request information from the controller, in particular, about the identity and contact details of the controller, his representative and, where applicable, the personal data protection officer, about the purposes of processing, about the categories of personal data concerned, about the recipients or categories of recipients of personal data, about authorized administrators, about the list of your rights, about the possibility to contact the Office for Personal Data Protection, about the source of processed personal data and about automated decision-making and profiling.
If the administrator intends to further process your personal data for a purpose other than that for which it was obtained, it will provide you with information about this other purpose and other relevant information before the said further processing.
The information provided to you in exercising this right is already contained in this memorandum, but this does not prevent you from requesting it again.
Right of access to personal data
You are entitled to request information from the controller as to whether your personal data is being processed or not and, if so, you have access to information about the purposes of processing, categories of personal data concerned, recipients or categories of recipients, the period of storage of personal data data, information about your rights (rights to request correction or deletion from the administrator, restriction of processing, object to this processing), about the right to file a complaint with the Office for Personal Data Protection, information about the source of personal data, information about whether automated decision-making is taking place and profiling and information regarding the procedure used, as well as the meaning and expected consequences of such processing for you, information and guarantees in the event of the transfer of personal data to a third country or international organization. You have the right to provide copies of processed personal data. However, the rights and freedoms of other persons may not be adversely affected by the right to obtain this copy.
Right to rectification
If, for example, there has been a change of residence, telephone number or other fact that can be considered personal data, you have the right to request from the administrator the correction of the processed personal data. In addition, you have the right to supplement incomplete personal data, including by providing an additional statement.
Right to erasure
In certain specified cases, you have the right to request that the administrator delete your personal data. Such cases include, for example, that the processed data are no longer needed for the aforementioned purposes. The administrator deletes personal data automatically after the expiry of the necessary period, but you can contact him at any time with your request. Your request is then subject to an individual assessment (despite your right to erasure, the administrator may have an obligation or legitimate interest to retain your personal data) and you will be informed in detail of its processing.
Right to restriction of processing
The administrator processes your personal data only to the extent strictly necessary. However, if you feel that the administrator is e.g. exceeding the above stated purposes for which it processes personal data, you can submit a request that your personal data be processed exclusively for the most necessary legal reasons or that personal data be blocked. Your request is then subject to an individual assessment and you will be informed in detail about its processing.
Right to data portability
If you wish the administrator to provide your personal data to another administrator, or to another company, the administrator will transfer your personal data in the appropriate format to the entity designated by you, if there are no legal or other significant obstacles preventing it from doing so.
Right to object and automated individual decision-making
If you find out or just believe that the administrator is processing personal data in violation of the protection of your private and personal life or in violation of legal regulations (provided that the personal data is processed by the administrator on the basis of public or legitimate interest, or is processed for purposes of direct marketing, including profiling, or for statistical purposes or for the purposes of scientific or historical significance), you can contact the administrator and ask him for an explanation or removal of the objectionable situation that has arisen.
You can also object directly to automated decision-making and profiling.
The right to file a complaint with the Office for Personal Data Protection
You can at any time contact the supervisory authority, namely the Office for the Protection of Personal Data, with headquarters in Plk. Sochora 27, 170 00 Prague 7, websitehttps://www.uoou.cz/.
Right to withdraw consent
You have the right to revoke your consent to the processing of personal data at any time, either by filling out the form/unchecking the box/sending a revocation to the administrator’s address or by using the link in the e-mail communication.
12. Are personal data automatically evaluated?
Personal data is automatically evaluated and can be used for profiling or automatic decision-making in the field of marketing activities of the administrator.
As a result of these administrator activities, your behavior on the website will be mapped and evaluated, which constitutes a certain interference with your right to privacy. At the same time, this evaluation contributes to the fact that only those advertising offers regarding the products and services of the administrator are sent to you, in which you might be interested in view of the results of the performed evaluation.
13. Camera systems
Camera systems with recording equipment are installed in the internal premises of the administrator’s residence for the purpose of protecting property, security and other protected interests of the administrator. Camera systems are not connected to any database operating with personal data. You are informed about the installation of the camera system in the form of a pictogram, which also includes the contact of the person operating the camera system.
Captured images are stored in recording devices for a maximum of 14 days. After this time, the recorded data is automatically overwritten with a new record.