1.1 By entering their personal data, the user confirms that they understand the terms of personal data protection, express their consent to their wording and accept them in their entirety.
1.2 The provider is the controller of users’ personal data according to Article 4(7) of Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Regulation on the Protection of Personal Data) (“GDPR”). The provider shall process personal data in accordance with legal regulations, in particular with the GDPR.
1.3 Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4 When placing an order, personal data is required and necessary for the successful processing of the order (name and address, contact details). The purpose of processing personal data is to process the user’s order and exercise the rights and obligations arising from the contractual relationship between the provider and the user. The purpose of processing personal data is to send commercial messages and carry out other marketing activities. The legal reason for the processing of personal data is the performance of contract according to Article 6(1)b of the GDPR, fulfilment of the controller’s legal obligations according to Article 6(1)c GDPR and the legitimate interest of the provider pursuant to Article 6(1)f of the GDPR. The legitimate interest of the provider is the processing of personal data for the purposes of direct marketing.
1.5 The provider uses the services of subcontractors, especially mailing service providers (personal data are stored in third countries) and web hosting providers for the fulfilment of the license agreement. Subcontractors are vetted in terms of secure processing of personal data. The web hosting provider and subcontractor have entered into an agreement on the processing of personal data, according to which the subcontractor is responsible for the proper security of the physical, hardware and software perimeter, and therefore bears direct responsibility towards the user for any breach or violation of personal data protection.
1.6 The provider stores the user’s personal data for the period necessary to exercise the rights and obligations arising from the contractual relationship between the provider and the user and to assert claims from these contractual relationships (for a period of 15 years from the termination of the contractual relationship). After this period expires, the data will be erased.
1.7 The user has the right to request from the provider access to their personal data according to Article 15 of the GDPR, rectification of personal data according to Article 16 of the GDPR, or restriction of processing according to Article 18 GDPR. The user has the right to erasure of their personal data according to Article 17(1)a and c to f GDPR. In addition, the user has the right to object to the processing according to Article 21 of the GDPR and the right to data portability according to Article 20 of the GDPR.
1.8 The user has the right to file a complaint with the Office for Personal Data Protection if they believe their right to privacy has been violated.
1.9 The user is not obliged to provide their personal data. However, the provision of personal data is a necessary requirement for the conclusion and performance of the contract and without providing personal data, it is not possible to conclude the contract or to fulfil it on the part of the provider.
1.10 The provider does not make automatic individual decisions in the sense of Article 22 of the GDPR.
1.11 Those interested in using the Provider’s services by filling out the contact form:
- agree to the use of their personal data for the purposes of electronic sending of business messages, advertising materials, direct sales, market research and direct product offers by the provider and third parties, but not more often than once a week, and, at the same time,
- declare that they do not consider the sending of information according to point 1.11.1 to be unsolicited advertising within the meaning of Act No. 40/1995 Coll. as amended, because the user has expressed their consent to the sending of such information according to point 1.11.1 in connection with § 7 of Act No. 480/2004 Coll.
- The user can revoke the consent according to this paragraph at any time by sending an email to email@example.com
1.12 The provider uses so-called cookies in order to improve the quality of services, personalise the offer, collect anonymous data as well as for analytical purposes. By using the website, the user agrees to the use of this technology.
II. Rights and obligations between the controller and the processor (processing contract)
2.1 The provider is a processor in relation to the users’ personal data in accordance with Article 28 of the GDPR. The user is the controller of this data.
2.2 This policy governs the mutual rights and obligations in the processing of personal data to which the provider has gained access within the performance of the license agreement concluded with the user on the date of creation of the user account by approving the general conditions on www.explika.cz (hereinafter referred to as the “license agreement”).
2.3 The provider shall process personal data for users to the extent and for the purpose specified in Articles 2.4 to 2.7 of this policy. The means of processing shall be automated. As part of the processing, the provider shall collect, store, block and dispose of personal data. The provider shall not be authorised to process personal data contrary to or beyond the scope established by this policy.
2.4 The provider shall process personal data for users to the following extent:
- regular personal data,
- special categories of data according to Article 9 of the GDPR, which the user obtained in connection with their own business activity.
2.5 The provider shall process personal data for users in order to process the queries and requests of clients sent through the contact form.
2.6 Personal data can only be processed at the workplaces of the provider or its subcontractors in accordance with Article 2.8 of this policy and in the territory of the European Union.
2.7 The provider shall process the personal data of the user's clients for the user for the period necessary to exercise the rights and obligations arising from the contractual relationship between the provider and the user and to assert claims from these contractual relationships (for a period of 15 years from the termination of the contractual relationship).
2.8 The user consents to the involvement of a subcontractor as an additional processor according to Article 28 (2) of the GDPR, namely the application hosting provider. The user also grants the provider general permission to involve another personal data processor in the processing, but the provider must inform the user in writing of all intended changes regarding the acceptance of other processors or their replacement and provide the user with the opportunity to object to these changes. The provider must impose the same personal data protection obligations on its subcontractors who act as processors of personal data as set out in this policy.
2.9 The provider undertakes that the processing of personal data shall be secured in particular in the following way:
- Personal data shall be processed in accordance with legal regulations and on the basis of the user’s instructions, i.e. for the performance of all activities required for the provision of the web platform.
- The provider shall introduce technical and organisational measures aimed at ensuring the protection of processed personal data in such a way that unauthorised or accidental access to the data, its change, destruction or loss, unauthorised transmission, other forms of unauthorised processing, as well as other misuse of the data cannot occur and that all obligations of the personal data processor resulting from legal regulations are guaranteed continuously, in terms of organisation and personnel, for the duration of data processing.
- The adopted technical and organisational measures correspond to the degree of risk. The provider uses these measures to ensure the continuous confidentiality, integrity, availability and resilience of processing systems and services, and to restore the availability of personal data and access to it in a timely manner in the event of physical or technical incidents.
- The provider hereby declares that the protection of personal data is subject to the provider's internal security regulations.
- Only persons authorised by the provider and its subcontractors according to Article 2.8 of this policy shall have access to personal data under the conditions and within the scope set by the provider, and each such person shall access personal data using a unique identifier.
- Authorised persons of the provider who process personal data in accordance with this policy are obliged to maintain the confidentiality of personal data and security measures, the disclosure of which would endanger its security. The provider shall ensure a demonstrable commitment to this obligation. The provider shall ensure that this obligation shall continue to be in place for the provider and the authorised persons even after the end of the employment or other legal relationship with the provider.
- The provider shall assist the user through appropriate technical and organisational measures, if possible, to fulfil the user's obligation to respond to requests for the exercise of data subject rights set forth in the GDPR; as well as in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the provider.
- After completion of the performance that is connected with the processing, according to Article 2.7 of this policy, the provider is obliged to delete all personal data or return it to the user, unless there is an obligation to store personal data based on a special law.
- The provider will provide the user with all the information necessary to demonstrate that the obligations under this contract and the GDPR have been fulfilled, and will enable audits, including inspections carried out by the user or another auditor authorised by the user.
2.10 The user shall immediately report all facts known to them that could adversely affect the proper and timely fulfilment of obligations arising from this policy and shall provide the provider with the cooperation necessary for the fulfilment of the obligations arising from this policy.
III. Final provisions
3.1 This policy shall become invalid upon expiry of the period specified in Article 1.6 and Article 2.7 hereof.
3.2 The user agrees to this policy by ticking the consent box in the online form. By ticking the consent box, the user expresses that they have read this policy, agree with its contents and accept it in its entirety.
3.3 The provider is entitled to change this policy. The provider is obliged to publish a new version of the conditions on their website without undue delay, or send the new version to the user’s e-mail address.
3.4 Contact details of the Provider in matters relating to this policy: +420 606 024 200, firstname.lastname@example.org
3.5 Relationships not expressly regulated by this policy shall be governed by the GDPR and the law of the Czech Republic, in particular Act No. 89/2012 Coll., Civil Code, as amended.
This policy becomes effective on 24 June 2022.