DATA PROCESSING POLICY

ARTinii Production s.r.o., a company having its registered office at Hybernská 1034/5, Nové Město, 110 00 Prague 1, ID No.: 034 09759, as the service provider, and HAVEL & PARTNERS s.r.o., a law firm having its registered office at Na Florenci 2116/15, Nové Město, 110 00 Prague 1, ID No.: 264 54807, as a business partner participating in the services provided (hereinafter jointly referred to as the “Controller”), protect all the personal data they are processing as strictly confidential and treat such data in compliance with applicable personal data protection legislation, in particular the General Data Protection Regulation (EU) 2016/679 (GDPR). Your personal data’s safety is a priority for the Controller.

The Controller, within the meaning of Article 4(7) GDPR, is the controller of your personal data, which determines the purposes and means of the processing of your personal data and collects, retains and uses (and otherwise processes) your personal data in pursuance of its business activities (the individual purposes for which personal data are processed are specified in more detail below).

This Data Processing Policy applies to the processing of personal data:

i) for the provision of services to users of the www.certoo.eu website (the “Website”),

ii) for the purpose of sending commercial communications and ad targeting,

iii) of Website visitors.

This Data Processing Policy describes the purposes and methods of personal data processing, provides information on individual categories of the personal data we process, their recipients if any, data retention periods, and your rights in relation to the protection of personal data.

PURPOSES OF DATA PROCESSING

The Controller may process your personal data for the following purposes:

  1. Performance of a contract (including steps taken prior to entering into a contract);

  2. Compliance with legal obligations (in particular obligations imposed by accounting and tax legislation);

  3. Processing requests and notifications (e.g. those delivered by email);

  4. Protection of the legitimate interests of the Controller (such as to protect the Website and the Controller’s network against misuse);

  5. Sending commercial communications (newsletters) and advertisement targeting (especially on the Website).

PERSONAL DATA PROCESSED

The Controller is authorised to process the following personal data based on the purpose of the processing:

Data subject’s data

Purpose of the processing:

Name and surname

Performance of a contract; Compliance with legal obligations; Protection of the legitimate interests of the Controller; Processing requests and notifications; Sending commercial communications and advertisement targeting

Address

Performance of a contract; Compliance with legal obligations; Protection of the legitimate interests of the Controller; Processing requests and notifications

Email address

Performance of a contract; Compliance with legal obligations; Protection of the legitimate interests of the Controller; Processing requests and notifications; Sending commercial communications and advertisement targeting

Phone number

Performance of a contract; Compliance with legal obligations; Protection of the legitimate interests of the Controller

Identity card data (number, type, validity)

Performance of a contract; Compliance with legal obligations; Protection of the legitimate interests of the Controller; Processing requests and notifications

IP address and information obtained through cookies (see the Cookies Policy)

Advertisement targeting on the Website

Personal data are processed both manually and by automated means. Automated processing of personal data is performed for the purposes of performance of a contract, and in particular to safeguard the Controller’s internal processes, which are necessary to ensure the delivery of the service. Automated processing of personal data also takes place when consent was granted for sending marketing communications and for advertisement targeting.

PERSONAL DATA PROCESSING BASED ON THE CONSENT

By granting your consent to the Controller to the processing of your personal data for advertisement targeting, you acknowledge that the consent is granted voluntarily and may be revoked at any time by means of a link contained in an email message constituting a commercial communication.

RECIPIENTS OF PERSONAL DATA

The Controller will make your personal data available only to authorised personnel, or to individual data processors contracted by the Controller, or to other controllers where applicable. These may include, for example, processors or controllers participating in the delivery of the services, payments, or providing IT and/or cloud services; however, at all times strictly to the extent necessary to achieve the purposes of the processing and based on the relevant legal reason for the processing. An updated list of the recipients of personal data may be provided by the Controller upon request via email support@certoo.eu.

Social network buttons may be featured on our Website, mainly to enable interaction with social networks so as to make our Website more attractive to users. Connection with the relevant social network will only be established if you actively click on the relevant button. In such case, your web browser will start connecting you to the corresponding social media servers.

When transferring your personal data to third countries (i.e. countries outside the EU/EEA), the Controller ensures compliance with the requirements for the protection and safety of personal data as conditions under applicable data protection laws (in particular, adequate safety of the personal data).

In the cases stipulated by law, the Controller is authorised, or even obligated, to transfer certain personal data under applicable laws to law enforcement authorities and other public authorities.

If assets or their part are acquired by a third party, you acknowledge that we may, in connection with the transfer of the company, transfer the personal data and information we have collected to such third party. Of course, we will inform you about the change, as the case may be, of the data controller.

RETENTION OF PERSONAL DATA

We will process and retain your personal data for a period of time necessary to safeguard all the rights and obligations resulting from the relevant contract, and thereafter for a period for which the Controller, as a data controller, is required to retain personal data under generally binding applicable regulations, or for which you have granted us your consent with such processing. In other cases, the period of processing is based on, and must be proportionate to, the purpose of the processing, or is stipulated by applicable data protection laws.

We retain personal data, based on the purpose of their processing, for the time periods specified below:

Purpose of processing

Retention period

Performance of a contract

For the duration of the contract and for the relevant statutory period after termination of the contract

Compliance with legal obligations

For the period stipulated by applicable legal regulations

Protection of the legitimate interests of the Controller

For a maximum of 3 years from the commencement of the data processing activities, unless special legal regulations require otherwise, or unless it is necessary in justified cases to retain the data for a longer period in connection with a particular case

Processing your requests and notifications

For a period necessary to process the relevant request

Sending commercial communications

For the duration of the granted consent to the sending of commercial communications and targeted advertising, or until withdrawal of the consent, or in accordance with special legal regulations*

Steps taken prior to entering into a contract

For the duration of negotiations on the contract

* The Controller may process the e-mail addresses of registered users of the Website within the meaning of Section 7(3) of Act No. 480/2004 Sb., on Certain Information Society Services and Amending Certain Laws (the Information Society Service Act), as amended, for the purpose of distribution of commercial communications relating to their own products and/or services (e.g. in the form of a newsletter) in case the users did not decline such communication.

DATA SUBJECTS’ RIGHTS

As a data subject, you have the below-listed rights which result from applicable laws and which you may exercise at any time. Those rights include (i) the right of access to personal data, (ii) the right to rectification of inaccurate personal data, (iii) the right to erasure of personal data if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if it is established that the personal data have been unlawfully processed, (iv) the right to restriction of processing, (v) the right to data portability, and (vi) the right to object to the processing of personal data whereupon the processing of your personal data will be discontinued, unless compelling legitimate grounds for the processing demonstrably exist which override the interests, rights and freedoms of the data subject, in particular where such grounds include the exercise of legal claims. You also have the right to contact the Czech Office for Personal Data Protection www.uoou.cz to raise a complaint, as the case may be.

  1. Right of access to personal data: If you wish to know whether the Controller processes your personal data, you have the right to obtain information as to whether or not your personal data are being processed and, where that is the case, you also have the right to obtain access to your personal data.

  2. Right to rectification of inaccurate personal data: If you think that the Controller is processing personal data about you which are inaccurate or false, you have the right to request their rectification. The Controller will rectify the data without undue delay, always taking technological capacities into account.

  3. Right to erasure: If you request erasure, the Controller will erase your personal data if (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) the personal data have been unlawfully processed, (iii) you object to the processing and there are no overriding legitimate grounds for the processing of your personal data, or (iv) the legal obligation to process personal data no longer applies to the Controller.

  4. Right to restriction of processing: If you are interested in temporary restriction of processing rather than erasure, you may request restriction of processing of your personal data from the Controller.

  5. Right to data portability: If you wish the Controller to transfer to a third party the personal data it is processing about you on the basis of a contract or your consent, you may exercise your right to data portability. In the event the exercise of this right might adversely affect the rights and freedoms of others, the Controller will not be able to act on your request.

  6. Right to object: You have the right to object to the processing of personal data which are processed for the purpose of protection of the Controller’s legitimate interests. Unless the Controller demonstrates that compelling legitimate grounds for the processing exist which override your interests, rights and freedoms, the processing will be discontinued without undue delay upon your objection. If the substance of your objection is to prevent the sending of commercial communications and targeted advertisement to you, please use the link at the foot of the latest commercial communication (newsletter) you received from us to unsubscribe from receiving our commercial communications and to opt out from the processing of your personal data performed for this purpose.

Where requests to exercise the above rights are repetitive or manifestly unfounded, we may either charge a reasonable fee for the exercise of the relevant right, or refuse to act on the request. If this is the case, we will inform you accordingly.

To exercise your rights please contact us by email at support@certoo.eu or at the registered office of either Controller. The Controller reserves the right to reasonably verify the identity of the data subject exercising the aforesaid rights.

This Data Processing Policy has been in force since 1 of August 2021.