The trading company Gravelli, s.r.o., with its Registered Office at Pod Harfou 3/3, 190 00 Prague 9 (hereinafter “Gravelli”), on the basis of Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, hereinafter “GDPR”), is required to provide information on the type of personal data of natural persons it processes as a controller when providing services, selling goods and providing access to websites, the purposes for which and how this personal data is processed in accordance with the applicable law, to whom and reason for which it may be transferred, and also to inform the natural persons of their rights in relation to the processing of their personal data.
Right to be informed (Article 13 of the GDPR)
This Policy will come into effect on 25.5.2018 and has been published in accordance with Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data in order to comply with the requirements to inform as specified in Article 13 of the GDPR.
We first define the categories of personal data that we process, then the type of processing, and finally, inform you of your rights under the GDPR.
Categories of personal data
Personal data: academic title, name and surname, company name, company ID, Tax ID, permanent address, address of Registered Office or place of business, invoicing address, bank details, signature, telephone number, e-mail, link to individual profile on social networks or other websites.
Purposes, legal grounds and period of personal data processing
Personal data may be processed:
- directly on the basis of a contract – if you are buying goods
- in the legitimate interest of Gravelli
- on a statutory basis (without consent)
- with consent
Processing on the grounds of contractual performance, compliance with legal obligations and legitimate interests
We do not require consent to process personal data when personal data is necessary for the performance of a contract, to comply with legal obligations or to protect legitimate interests, or when services cannot be provided unless personal data is given.
This governs, in particular, the following basic purposes:
- processes associated with customer identification (performance of contract);
- compliance with statutory tax obligations (performance of statutory obligations);
- purposes laid down in special laws applying to criminal proceedings and compliance with obligations to cooperate with the Police of the Czech Republic and other government agencies (performance of statutory obligations);
- the operation of camera and monitoring systems in premises for the purposes of preventing damage (legitimate interest);
- providing evidence where this is needed to protect rights (legitimate interest).
With regard to these activities, personal data are processed to the extent necessary to perform the activities and for the period necessary for their completion, or for the period prescribed by law. These data are subsequently erased or anonymised.
In accordance with Act No. 235/2004 Coll., on value-added tax, invoices issued by Gravelli are archived for a period of 10 years after their issue. Due to the need to demonstrate legal grounds for issuing invoices, background material for invoicing containing personal data (e.g., contracts) is also archived for a period of 10 years from the date of termination of the contract.
In cases involving negotiations between Gravelli and a potential client to enter into a contract which is not concluded with a signature, Gravelli will process the personal data provided for a period of 3 months from the end of these negotiations.
Processing based on consent
From 25.5.2018, Gravelli will process customer data for commercial purposes primarily for distributing a newsletter – commercial information related to Gravelli products (product offers, etc.) – only with consent. Gravelli will store information about individuals who have given their consent concerning their typical behaviour when using its services and create and store anonymised behaviour analyses, including via cookies, where consent to the processing of personal data is dealt with separately on the Gravelli website. Consent for commercial purposes is granted on a voluntary basis, and the customer may withdraw it at any time. This consent remains in effect for the duration of the use of the services and the subsequent 4 years, or until it is withdrawn by the customer.
Method of processing personal data
Personal data are processed either manually or automatically and stored in paper and in electronic form.
Employees handling representative and collaborative models of personal data are bound by a confidentiality agreement whose validity is not limited by the termination of their employment relationship.
Personal data recorded in documents in paper form are stored in rooms with security locks at Gravelli’s head office and the head office of its external accounting and tax services supplier with whom Gravelli has concluded a contract on personal data processing.
Recipients of personal data
Gravelli works with different entities who perform certain tasks for it and contribute to its core business. These are primarily providers of administrative and technical support for Gravelli’s activities, including an IT Administrator, CRM Systems Administrator, Accountant, Corporate Lawyer and providers of other services (e.g., goods transporters), etc. Gravelli provides these individuals with personal data to the extent necessary for the given purpose. An agreement for personal data processing is concluded with each of these entities. A list of these entities may be provided in response to a written request sent to Gravelli’s head office or by email at firstname.lastname@example.org.
Information on the rights of data subjects in relation to personal data processing
Right of access (Article 15 of the GDPR)
The data subject has the right to access his or her personal data, which governs the right to obtain from Gravelli:
- confirmation as to whether his or her personal data is being processed;
- information about the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has been or will be disclosed;
- the envisaged period of processing;
- the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or the restriction of processing of personal data or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information as to the source of personal data if the personal data was not collected from the data subject;
- the existence of automated decision-making, including profiling;
- appropriate safeguards where data is transferred outside the EU;
- the right to obtain a copy of the personal data, provided this does not adversely affect the rights and freedoms of others.
The right to confirmation that personal data are being processed and to be informed may be applied to in writing to Gravelli’s head office or by email at email@example.com.
Right to rectification (Article 16 of the GDPR)
The data subject has the right to rectify any inaccurate personal data processed by Gravelli. It is the data subject’s responsibility to update data or may be done through collaboration. Rectification must be made without undue delay, in the time required for its processing. A request for rectification of personal data may be sent by email at firstname.lastname@example.org.
Right to erasure (Article 17 of the GDPR)
The data subject has the right to erasure of his or her personal data, unless Gravelli demonstrates legitimate reasons for processing such data. Should the data subject believe that his or her personal data have not been erased, he or she may appeal in writing to Gravelli’s head office or by email at email@example.com.
Right to restriction of processing (Article 18 of the GDPR)
The data subject has the right to request restriction of processing until the complaint related to the processing of his or her personal data has been resolved. Any objection or complaint must be submitted in writing to Gravelli’s head office or by email at firstname.lastname@example.org.
Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 of the GDPR)
The data subject has the right to be notified of the rectification or erasure of personal data or restrictions on its processing. If any personal data are rectified or erased, individual recipients must be notified, unless it is not possible based on the personal data available. We can provide information about these recipients in response to a request from a data subject.
Right to data portability (Article 20 of the GDPR)
The data subject has the right to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format and the right to request that these data be forwarded to another controller. If it is technically feasible, the data may also be forwarded to a designated controller if this designation is legitimately performed by a person acting on behalf of the relevant controller and if it is authorised. If the exercise of this right would adversely affect the rights and freedoms of others, the request will not be granted. The request may be submitted in writing by sending the application to Gravelli’s head office.
Right to object to personal data processing (Article 21 of the GDPR)
The data subject has the right to object to the processing of his or her personal data on the grounds of Gravelli’s legitimate interests. If Gravelli is unable to demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject, the processing objected to must be terminated without undue delay. An objection may be sent in writing to Gravelli’s head office or by email at email@example.com.
Automated decision-making and profiling
Gravelli hereby declares that it does not conduct automated decision-making producing legal effects concerning data subjects without the influence of human judgement, nor does it create a database of automated profiles.
Appeal and delegation
Gravelli has no delegated official for personal data given the small amount of such processing.
Consent to personal data processing for commercial purposes may be withdrawn at any time. An appeal must be made by express and comprehensible expression of will at the email address firstname.lastname@example.org or by written request to Gravelli’s head office.
The data subject has the right to submit complaints concerning the processing of his or her personal data to the Office for Personal Data Protection (www.uoou.cz).