INFORMATION MEMORANDUM WITH THE PROCESSING OF PERSONAL DATA
Dear customers and business partners,
The document you are reading contains basic information about how we process your personal data. We appreciate you sharing your personal information with us and are committed to protecting it as much as possible. We also strive to be as transparent as possible with you, particularly about how we process your personal data.
In view of the new European Union legislation, this Information Memorandum has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27. April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/ 46/ EC (GDPR).
Who are you giving consent to?
You provide your personal data to the company (i.e. the data controller) SAFINA, a. s.You provide your personal data to the company (i.e. the data controller)
For what purpose do we need personal data?
We process your personal data to:
- to ensure the conclusion and subsequent performance of a contractual obligation between us and you, as well as to fulfil the legal obligations arising from such relationship;
- the protection of our legitimate interests, which are the proper performance of all our contractual obligations to you, the proper performance of all our legal obligations, direct marketing, the protection of our business and property and, last but not least, the protection of the environment and ensuring sustainable development. In order to ensure the greatest possible protection of your privacy, you have the right to object to your personal data being processed solely for the most necessary lawful reasons or to have your personal data blocked. You can read more about your rights related to the processing of personal data in Article 9 of this information memorandum.
How was the personal data obtained?
We obtain personal data directly from you, in particular from completed forms, communication with each other, contacts at trade fairs and other similar professional events or from concluded contracts. In addition, personal data may also come from publicly available sources, registers and records, such as the commercial or trade register, the debtors’ register, professional registers or, for example, the Land Registry. However, we will only process this personal data to pursue our legitimate interests or to comply with legal obligations. In addition, we may have obtained your personal data from third parties who are authorised to access and process your personal data to the extent and for the purpose for which they are authorised to process it.
What categories of personal data are processed?
We process the following categories of personal data to ensure your satisfaction with the proper performance of the obligation, to ensure compliance with legal obligations, to provide a personalized offer of goods and services of the controller and for the other purposes listed above:
- basic identification data – name, surname, residential address, date of birth and identification number;
- contact details – telephone number and e-mail address;
- information about your use of our products and services – this includes information about what products you have ordered from us and what products you are using now, including exact product specifications etc;
- information from mutual communication – information from emails, phone records or other contact forms;
- billing and transaction data – this includes information appearing on invoices, agreed billing terms and payments received;
- information from the CCTV system located at our headquarters.
What is the legal basis for processing personal data?
The lawfulness of the processing is determined by Article 6 para. 1 of the GDPR, according to which processing is lawful if it is necessary for the performance of a contract, for the fulfilment of a legal obligation of the controller or for the protection of the legitimate interests of the controller.
The legality of the processing is also based, for example, on Act No. 563/1991 Coll., on accounting, according to which invoicing data is processed and stored, Act No. 89/2012 Coll., the Civil Code, according to which the controller defends its legitimate interests, or Act No. 235/2004 Coll., on value added tax.
Will we be passing on personal data to anyone else?
Within the limits of the law, we must disclose personal data to public authorities, such as tax authorities, courts or law enforcement authorities. Personal data is also transferred to computer system administrators, camera system administrators and employment or marketing agencies. A list of these processors is available on request at firstname.lastname@example.org.
Will we transfer personal data to a third country or international organisation?
We will occasionally transfer personal data to entities outside of the European Union, both within and outside of our ownership structure. We will always do so while maintaining all security measures, we will require the same from the processor and we will comply with all international treaties, decisions of the European Union authorities and the current conditions for such transfers, which are observed and listed on the website of the Office for Personal Data Protection of the Czech Republic.
Currently, your personal data is transferred to the following entities which are not part of our ownership structure and which are located outside the European Union:
- The Rocket Science Group, LLC, located in the USA at 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA, operating the MailChimp marketing platform. We transfer your personal data (namely your email address) to this company via the MailChimp marketing platform for the purpose of carrying out our marketing activities (e.g. sending commercial communications). You can find information about data security and other information about the processing of personal data within the MailChimp platform here: https://mailchimp.com/about/security/ and https://mailchimp.com/legal/data-processing-addendum/
How long will we store personal data?
Personal data will be processed and stored for at least the duration of the contract. Some personal data needed, for example. for tax and invoicing obligations will be kept for a longer period, as a rule 5 years starting from the year following the occurrence of the fact to be stored, in any case in the case of a statutory time limit only for the period specified directly by law.
Records from CCTV systems are kept for 14 days, after which they are overwritten with a new record.
After the above periods, the personal data will be securely and irretrievably destroyed so that it cannot be misused.
What are your rights in relation to the processing of personal data and how can you exercise them?
We do everything we can to ensure that your data is processed properly and, above all, securely. You are guaranteed the rights described in this article, which you can exercise with us.
How can you exercise your rights?
You can exercise your individual rights by sending an email to email@example.com or calling +420 241 024 111. You can also exercise your rights by sending a written request to our correspondence address Safina, a.s., Vídeňská 104, Vestec, 252 50.
We will provide you with all communications and statements regarding the rights you have exercised free of charge. However, if the request is manifestly unfounded or unreasonable, in particular because it is repetitive, we are entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of repeated requests for copies of the personal data processed, we reserve the right to charge a reasonable fee for administrative costs for this reason.
We will provide you with a statement and, where appropriate, information on the measures taken as soon as possible and within one month at the latest. We are entitled to extend the deadline by two months if necessary, taking into account the complexity and number of applications. We will inform you about the extension including the reasons.
Right to information about the processing of your personal data
You are entitled to request information from us as to whether or not personal data is processed. If personal data are processed, you have the right to request information from us in particular about the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, the authorised controllers, a list of your rights, the possibility of contacting the Data Protection Authority, the source of the personal data processed and automated decision-making and profiling.
The information provided to you in exercising this right is already contained in this memorandum, but this does not prevent you from requesting it again.
Right of access to personal data
You are entitled to request information from us as to whether or not your personal data is processed and, if so, you have access to information about the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the period of storage of the personal data, information about your rights (rights to request from the controller rectification or erasure, restriction of processing, to object to such processing), the right to lodge a complaint with the Data Protection Authority, information on the source of the personal data, information on whether automated decision-making and profiling takes place and information concerning the procedure used as well as the significance and foreseeable consequences of such processing for you, information and safeguards in case of transfer of personal data to a third country or an international organisation. You have the right to be provided with copies of the personal data processed. However, the right to obtain such a copy shall not adversely affect the rights and freedoms of other persons.
Right to repair
If there has been a change on your part, for example, of your residence, telephone number or other fact that can be considered personal data, you have the right to request us to correct the personal data processed. In addition, you have the right to have incomplete personal data completed, including by providing an additional declaration.
Right to erasure (right to be forgotten)
In certain specified cases, you have the right to request that we delete your personal data. Such cases include, for example, that the processed data is no longer necessary for the aforementioned purposes. After the period of necessity, we will delete your personal data automatically, but you can contact us at any time with your request. Your request is then subject to an individual assessment (despite your right to erasure, we may have an obligation or legitimate interest to retain your personal data) and you will be informed in detail about the processing of your request.
Right to restriction of processing
We process your personal data only to the extent strictly necessary. However, if you feel that e.g. we go beyond the purposes set out above for which we process your personal data, you may request that your personal data be processed solely for the most necessary lawful purposes or that your personal data be blocked. Your application is then subject to an individual assessment and you will be informed in detail about the processing of your application.
Right to data portability
If you wish us to disclose your personal data to another controller, respectively. to another company, we will transfer your personal data in the appropriate format to the entity designated by you, unless we are prevented from doing so by any legal or other significant impediment.
Right to object and automated individual decision-making
If you become aware or believe that we are processing personal data in violation of the protection of your private and personal life or in violation of the law (provided that the personal data is processed by the controller on the basis of public or legitimate interest, or is processed for direct marketing purposes, including profiling, or for statistical purposes, or for purposes of scientific or historical interest), you may contact us and ask for an explanation or rectification of the defect. You have the right not to be subject to automated decision-making (including profiling).
Right to lodge a complaint with the Office for Personal Data Protection
You may at any time contact the supervisory authority, the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, website https://www.uoou.cz/.
Processing of personal data for marketing purposes
We may also process your personal data for the purpose of sending you commercial communications, newsletters or other marketing events (marketing purposes). In this case, all the general conditions regarding the processing of your personal data set out in this Information Memorandum above will apply, together with the following differences:
Legal basis for processing personal data
The processing of your personal data is carried out on the basis of your voluntary consent to the processing of personal data for the purpose of sending commercial communications and newsletters (Article 6(1)(a) of the GDPR), to the following extent:
Transfer of personal data to third parties
Your personal data may be transferred to third parties for the purpose of providing our marketing activities and sending commercial communications or newsletters. We will provide you with an up-to-date list of third parties to whom we may transfer your personal data upon your request to our email address firstname.lastname@example.org.
Your personal data may also be transferred to third countries outside the European Union for marketing purposes. Your personal information is currently transferred to The Rocket Science Group, LLC, located in the USA at 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA, which operates the MailChimp marketing platform (see Section 7 of this Information Memorandum for details).
Your rights in relation to the processing of personal data for marketing purposes
As a data subject, you have the right to withdraw your consent to the processing of your personal data for the purpose of sending commercial communications or newsletters (marketing purposes) at any time, in addition to the rights set out in Articles 9 and 10 of this information memorandum. You can withdraw your consent to the processing of your personal data either electronically to our e-mail address email@example.com or in writing to our registered office.
Retention period of personal data
For the purpose of sending commercial communications and newsletters, we keep your personal data for the duration of your consent. If you withdraw your consent, we will delete your personal data used for marketing purposes without undue delay, but no later than 1 month from the date of withdrawal of your consent. However, this does not apply if there is another legal ground or purpose on the basis of which we are entitled to continue to process your personal data in accordance with the GDPR or other applicable law.
How can you contact us?
If you have any questions regarding the processing of your personal data, please do not hesitate to contact us, electronically or by phone at firstname.lastname@example.org or by phone at +420 241 024 111 In all cases, we can be contacted at our delivery address Safina, a.s., Vídeňská 104, Vestec, 252 50.