We have published this Personal Data Protection Policy for you, the regular and potential clients of VERTI s. r. o., Business ID No. (IČO): 03756581, registered office: Za Zastávkou 373, Dolní Měcholupy, 111 01 Praha 10, entered into the Commercial Register maintained by the Municipal Court in Prague, File No. C 237318 (hereinafter “VERTI” and referred to in the plural), in order to inform you of how we protect your personal data, in particular how we gather and use it and how we help protect your privacy.
We do our best to protect your privacy, so we make sure to handle your personal data in compliance with valid legislation, especially Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), which comprehensively regulates personal data protection, and Act No. 480/2004, on certain services of an information society, as amended (“Act on Certain Services”), which regulates especially the issue of cookies and sending commercial messages.
What is personal data?
Personal data is any information that allows us to identify you or that identifies you directly as a natural person. It is information that can be attributed to you. Personal data does not include anonymous data that cannot be connected to you or that would require enormous effort to identify you.
Personal data is divided into the following groups:
- Basic data, which includes your first and last name, date of birth, address, IP address, etc.
- Special category of personal data, which includes data of a highly personal and sensitive nature, such as your sexual orientation, criminal record, racial or ethnic background, religious beliefs, medical information, etc.
Personal data controller and processor
The personal data controller is the entity that determines the purposes (what we intend to do – performance under a contract for delivering solutions with glass dividers and built-in structures for your interior) and means of processing personal data (we deliver you solutions, prepare documentation for you, issue you an invoice and/or send you informational newsletters). We are your personal data processor, for instance, when we are completing our own purposes – performing our contractual obligations. As controller, we are liable for upholding all obligations in connection with protecting your personal data.
You can contact us in writing at this address: SilentLab s.r.o., Business ID No. (IČ): 04545486, registered office: Za Zastávkou 373, Dolní Měcholupy, 111 01 Praha 10,
Email: marketing@silent-lab.cz
Phone: +420 733 126 627
The personal data processor is an entity that processes the personal data for us as controller, but does not determine the purposes or methods of processing. Typically these are external partners we use for sending out newsletters (commercial communications), for instance – see below. We always have a written agreement with processors (in electronic form as well) on personal data processing and make sure that they meet the requirements for personal data protection.
Personal data processing principles
We do everything we can to protect your privacy, which is why we take data protection extremely seriously. We are fully aware of our responsibility for your data. We handle your personal data with the appropriate care and in compliance with valid legal regulations in order to protect your data to the greatest possible degree.
In using (processing) your personal data we uphold the following principles:
Lawfulness, fairness and transparency
which requires that we always process your personal data in compliance with legal regulations for at least one of the valid reasons permitted by law. This also requires that we provide you with information on the methods of processing and the identities of those your personal data will be handed over to, and inform you of any serious data security breach or leak.
Restriction as to purpose
which requires that we collect your personal data for definite, explicitly stated and legitimate purposes and prohibits us from processing (using) said data in any manner not compliant with those purposes.
Data minimization
which requires that we only process appropriate and relevant personal data in relation to the purpose of processing.
Accuracy
which requires that we take any and all reasonable measures to ensure that your personal data is up-to-date and accurate and to correct or delete inaccurate data.
Restrictions on storage
which require that we store your personal data only for the period necessary to achieve the specific purpose. As soon as the purpose of processing no longer exists or the stipulated period has passed, we will delete or anonymize your personal data (i.e. edit to ensure that no one can connect it to you).
Integrity and confidentiality
which require us to use your personal data in a manner that ensures it is kept suitably secure and protected from unauthorized or unlawful processing, accidental loss, destruction or damage.
What is the purpose and legal grounds for personal data processing?
We obtain your personal data from you and process it only in the scope absolutely necessary with at least one of the legal grounds given in the law. We also always process your personal data for a definite, explicitly expressed and legitimate purpose. Processing personal data without such a clear purpose or in a manner not in compliance with that purpose is unacceptable.
Below we list the legal grounds defined in the law based on which we process your personal data.
Performance of contractual obligations
in these cases we process your personal data in order to enter into a contract and subsequent performance under that contract. This typically involves processing your personal data in connection with exercising the rights and upholding the obligations under the contract – delivering our products or work associated with our products. We may also obtain your data if you are a contact person for our partner, a customer who orders services/products from us, in which case you are usually an employee of our customer and contact person or representative acting on behalf of the client for the purposes of contractual performance.
Period of retention
For preparing, entering into and performing under the contract by you, as our customer or employee of our customer that gave us your personal data, we use that data for the period necessary to complete the contract. After this period is complete we continue storing the data on the basis of our legitimate interest for the purpose of protecting the legal claims and our internal records and inspection, for the three-year statute of limitations and one year afterwards with regard to claims made at the end of the statute of limitations. In the event of judicial, administrative or other proceedings, we process your personal data in the scope necessary for the entire duration of such proceedings and the remainder of the statute of limitations after it is complete. Our legitimate interests in this case are protecting legal claims and checking that our services are being duly provided. For the purposes of performing legal obligations, we use personal data for no more than 10 years after the relevant contract.
Legitimate interest
in these cases we process your personal data because it is necessary for the purposes of our legitimate interest, for instance promoting our brand and the products we develop/offer or for sales support. However, this does not apply if your interest or your fundamental rights and freedoms outweigh our legitimate interest.
Contact form
Our legitimate interest exists, for instance, if you write to us with a question on our website contact form, where you enter (i.e. you are the source of the personal data): your first and last name, email, phone number (identifying and contact information, in which case it is your personal data), message – if it concerns you individually, then it may also constitute personal data. We have a legitimate interest in storing this data for responding to you for the purpose of sales support for our products. Your questions including personal data arrive in our inbox (processing) and we then respond and answer your questions, and if we continue working together, we use your data for the purposes of entering into a contract with you (order) and on the basis of the order, once made.
Period of retention
If we do not continue working together after you write to us, we can retain your records from our email system for two years after our last communication.
Sending marketing communications
If you are a former/current customer of ours, we have a legitimate interest in sending you commercial communications by email concerning services or products similar to those that were the subject of our previous contractual relationship. This legitimate interest is grounded in the Act on Certain Services.
Period of retention
Two years after our last order from you, we will stop sending you commercial communications and your personal data consisting of contact information (first and last name, company, email) will be deleted from our database for sending commercial communications, so you will no longer receive our commercial communications. You can also unsubscribe from commercial communications in every email we send out (this will result in your erasure from our database), which will apply for this purpose and for processing related only to sending those communications.
If you make an order with us and purchase our products, we save your identifying and contact information and information on your orders on the basis of our legitimate interest (without your consent) for the purposes of protecting legal claims and our internal records and inspection. Our legitimate interests in this case are protecting legal claims and checking that our services are being duly provided.
Consent
in these cases we process your personal data on the basis of the consent you provided. Your consent is always granted for each purpose separately and always includes a clear statement of the scope, purpose and period for which the personal data is processed. This consent always involves your active participation, so you need to click a box or similar to grant consent. You have the right to revoke the consent at any time once granted. The consent cannot be contingent upon the provision of any service. In the case of the contact form, granting consent to receive marketing communications is not subject to answering the question posed through the contact form.
We formulate consents e.g. for sending out newsletters so that they are granted to us as well as Verti s.r.o. and CONTREA s.r.o. (in conjunction with SilentLab s.r.o. also the “Sister Companies”), which have a shared interest with us in promoting solutions involving glass dividers, acoustic solutions, and custom-made office furniture (the “Shared Purpose”). In this regard our shared purpose is promoting the brands and products of the Sister Companies.
What are your rights?
EU law recognizes the following rights that you have as data subject:
Right to information on personal data processing
this right allows you to obtain information concerning us as controller of your personal data. You are also entitled to know the legal basis for processing, the purpose (such as contractual performance, using personal data on the basis of consent) and period of saving the personal data. Before we begin processing your personal data, we will always inform you of the legal basis and purpose of such processing.
Right to access personal data
You have the right to have us confirm whether we are using (processing) your personal data and more detailed information on that data and how it is processed. You can also receive a copy of the personal data being processed from us.
Right to correction
You have the right to correct any inaccurate personal data and, depending on the purposes of processing, also to add missing personal data. Please keep in mind that as controller we are not required to actively verify that your personal data is correct and complete. Your right to correction exists so that you can ensure your data is up-to-date.
Right to erasure
You have the “right to be forgotten”, which means that in certain cases we are required to destroy your personal data. This is the case if your personal data is no longer necessary for the purposes for which it was being processed, or if you revoke the consent you previously granted us to process your personal data and we have no other legal grounds for processing it (our legitimate interest no longer exists), or if you successfully object to the personal data processing (e.g. you do not want to receive our newsletter), or if we are required to do so by law.
Right to object
You have this right if we are processing your personal data to perform a task in the public interest or while exercising public authority (although we do not do either) or on the basis of our legitimate interest (we do use this). In such a case we do not continue processing your data unless we prove serious and legitimate reasons for processing that outweigh your interests or rights and freedoms, or for determining, performing and/or defending our legal claims (if for instance we have to defend ourselves in court). You can also raise an objection if we process your personal data for the purposes of direct marketing (e.g. in the form of sending out newsletters). In such a case we stop processing your data for that purpose immediately.
Right to data transferability
You have the right to receive your personal data in a structured, commonly used and machine-readable format, and to hand this personal data over to another controller. You have this right only if the processing of your personal data is based on consent or contract, or if it is performed in automated form (e.g. by a computer program).
Right to restrict processing (use)
You have the right to require us to restrict the processing of your personal data in certain cases, as follows:
- if you deny the accuracy of the personal data, then for the period necessary for us to verify its accuracy;
- if we no longer need your personal data for the purposes of processing, but you need it to determine, exercise or defend legal claims;
- if the processing is unlawful, but you request that we restrict processing instead of erasing your data completely;
- if you object to the processing of your personal data before it is verified whether our legitimate reasons outweigh your legitimate reasons.
In the event of restricting the processing of your personal data we can only process it (with the exception of storing) with your express consent, or in order to determine, exercise or defend legal claims, or in order to protect the rights of another natural person or legal entity, or for an important public interest of the European Union or one of its member states.
Right not to be subject to decisions based exclusively on automated processing
in other words, this right means that any decisions concerning you (legally or factually) must be made with human involvement and not automatically by a computer program, for example. If your Profile access is cut off, it must be done by a person based on the Terms and Conditions, not by a computer program.
Exercising rights in relation to the Sister Companies
With regard to the fact that the Consents are granted to the Sister Companies, which act as joint controllers, we have agreed that we, SilentLab s.r.o., bear full liability for when you exercise any and all of your rights. However, this does not exclude your ability to exercise your rights with any of the Sister Companies.
Recipients of your personal data
The recipient of personal data is an entity to whom we provide your personal data for a particular reason. The recipient performs part of our activities that we have outsourced to them. We use the following categories of recipients (as processors) of your personal data as part of our activities (with our liability as controller):
- Marketing services in connection with sending the newsletter via Mailchimp – The Rocket Science Group, service provider terms and conditions available here [https://mailchimp.com/legal/forms/data-processing-agreement/];
- Email and cloud services – Google Suite, provided by Google LLC, with its registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America, service provider terms and conditions available here [https://policies.google.com/privacy?hl=cs, https://gsuite.google.com/terms/mcc_terms.html];
- Database environment for our website – WEDOS Internet, a.s., with its registered office at Masarykova 1230, 373 41 Hluboká nad Vltavou [https://hosting.wedos.com/cldata/39/zasady-zpracovani-osobnich-udaju.pdf].
When handing over data to our processors as set forth above, we may send your data to countries outside the European Economic Area that do not secure the same level of personal data protection. We only hand data over in this manner if the relevant processor commits to uphold the standard contractual clause issued by the European Commission and available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:CS:PDF or is bound by international agreement (e.g. EU – U.S. Privacy Shield).
We also hand data over when performing our legal obligations to public authorities, and we are entitled to hand your personal data over to the relevant judicial authority in order to defend legal claims.
Personal data security
Protecting your personal data is important to us, so we keep data secure using the appropriate technical and organizational measures. Only persons authorized by us have access to your personal data.
If the situation arises (although we are sure it will not) where the security of your personal data is breached and your rights and freedoms are at risk (i.e. if someone steals encrypted data, they will not be able to decrypt it and there may be no real risk involved), we are required to inform the Personal Data Protection Office within 72 hours. If a security breach involving your personal data occurs and poses a great risk to you, we are also required to inform you, if we have your current contact information.
Final provisions
We are entitled to change or add to this policy at any time. The current version of this policy is always available on our website.
If you do not agree with the way we handle your personal data, you can contact the:
Personal Data Protection Office
Pplk. Sochora 27, 170 00 Praha 7,
Tel.: 234 665 111,
Website: www.uoou.cz.
This policy is effective as of 25. 5. 2018.