WE ARE VGD
PRINCIPLES FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA
If you have any questions in relation to the processing of personal data, please contact us at firstname.lastname@example.org.
Below you will find information on why, when, how and what personal data is processed in our company and what rules we follow to protect personal data in our company. You will also find a way to contact us if you have any questions about the processing of your personal data or how to correct your personal data, for example. We strive to make our Policy clear and understandable for you. However, if you need any clarification, you will find our contact details below.
We recommend that you read the information in the Policy carefully and keep it up to date as the document may be updated.
Who manages your personal data?
The controller of your personal data is us, VGD, s.r.o., with registered office at Bělehradská 314/18, Prague 4, 140 00, ID No. 256 26 311, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 55945 (hereinafter referred to as “VGD”).
The processing of your personal data may also be carried out by other processors that we have carefully examined and entered into written agreements with. Processing of your personal data may also be carried out by providers of processing programs, services and applications. Please see the following section for information on the use of specific applications.
Let us explain some basic concepts relating to data protection. We hope that this will give you a better understanding and appreciation of why we at VGD follow the chosen procedure when processing personal data.
“Personal data” is any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Data subject” means the natural person to whom the personal data relate;
“Data controller” means the person who determines the purposes and means of the processing of personal data and is primarily responsible for the processing. Unless otherwise stated in this Policy, the terms of a particular contract or in the consent, the data controller is VGD;
“Data processor” means the person who processes personal data for the Data Controller;
“Processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.
Categories of data subjects
In particular, the data subject may be:
- VGD’s client, its employee or representative;
- VGD’s business partner, employee or representative;
- another person who is in a contractual relationship with VGD;
- client or customer of a VGD business partner;
- a person participating in competitions and events organised by VGD or events in which VGD participates;
- a visitor to the VGD website;
- an employee of VGD;
- a job applicant at VGD.
What personal data do we process?
We adhere to the principle of data minimization. We only process the personal data about you that we need or personal data that you provide us with your consent over and above the necessary processing.
Please see below to find out what categories of personal data we process about you. The more specific scope of personal data processed for each purpose is set out in the following section “Why do we process your personal data?”.
VGD processes the following categories of personal data in relation to clients:
- identification data: name, surname, title, company name, ID number, VAT number;
- contact details: e-mail address, telephone number, address and other similar information;
- cookies, IP address;
- data processed on the basis of consent;
- data resulting from communications: data resulting from the use of our website.
Why do we process your personal data?
We process your personal data to the extent necessary for the relevant purpose – e.g. so that we can conclude and implement a specific contract with you (e.g. a purchase contract, a rental contract, an employment contract, etc.). We are also obliged to process data under a number of legal regulations. For example, we must process many data for archiving purposes. We process some data because it is necessary to protect the rights and legally protected interests of VGD, s.r.o. However, processing for this reason is limited, and we carefully assess the existence of a legitimate interest. In other cases, we process your data only with your consent.
How long do we keep your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes set out in this policy or to comply with our legal obligations.
Unless otherwise stated below, the maximum period of processing of personal data that we at VGD claim against you is 10 years from the date on which the legal relationship between you and VGD was terminated, or 10 years from the end of the tax year in which the performance occurred. The obligation to retain identification and transaction data is imposed on us by the Accounting Act, the Value Added Tax Act and other accounting and tax regulations. However, we also store your personal data for a period of 10 years because of our legitimate interests, in particular in case we have to provide evidence in litigation, in view of the statutory limitation periods under the Civil Code.
We keep the data we process with your consent for as long as the consent is validly given. In the event that you have given us consent to process your data for marketing purposes, we process your personal data for the duration of our contractual relationship and for 1 year after its termination. If you do not become our customer, i.e. the contractual relationship is not concluded, we process your data only for 1 year after you have given your consent. For the avoidance of doubt, we retain the consent itself and the change or withdrawal of consent on the grounds of our legitimate interests for the entire period of validity of the consent and for 10 years after it has expired.
Are you obliged to provide us with personal data?
The transfer of the data you provide to us with your consent is voluntary. We require the transfer of other data because its processing is necessary for the conclusion or performance of a contract, the performance of our legal obligations or the protection of our legitimate interests. If you do not provide us with such data, we cannot enter into the relevant contract with you or provide you with the relevant product or service.
Consent to the processing of personal data
If we ask for your consent to process your personal data, the request for your consent, or the consent we provide to you to review and sign or otherwise agree to, will be clearly worded and will provide you with a reasonable basis for making decisions. You may withdraw your consent at any time by contacting us using the contact details set out in the introduction and conclusion of this Policy or by any other means that you are individually notified of.
We will only retain your personal information for as long as necessary to fulfill the purposes described in this Policy or the purposes of which you have been informed by other means. This means that once you have given us consent to process your personal data, we will retain your data in accordance with your consent or until you withdraw your consent. However, even if you withdraw your consent, we may retain some of your personal data for as long as necessary to comply with our legal obligations and for the purpose of defending us in any legal proceedings.
We will not share your personal data with third parties for their marketing purposes unless we have received your consent for these purposes. In the event that you have provided such consent but later no longer wish to receive marketing materials from the third party, please contact the relevant third party directly.
Where do we work with your personal data?
We only process your personal data for clearly defined purposes, an overview of which can be found in this section of the website. These are mainly situations when you browse our web platform, fill out a non-binding enquiry form or subscribe to our newsletter. We will not process your personal data for any other purposes without your consent.
IP address and cookies
We cannot do without your IP address, otherwise we would not be able to show you our website. We also store your IP address together with the date of access to the website in an access log, for the sole purpose of the security of our website. Your IP address will be stored in the access log for 365 days, after which it is automatically deleted.
What are cookies?
For example, cookies allow us to recognize a user as an existing user or to customize a given service to a user’s preferences.
Another group consists of third-party cookies (e.g. Google Analytics to analyse traffic to a specific website or service or cookies from operators of advertising systems that are operated on our website). These cookies are controlled by third parties and we do not have access to read or write this data.
We use several types of cookies:
These basic technical or functional cookies are needed for the website to function properly and be secure.
We use several analytics tools to monitor how our website is performing:
- Google Analytics for measuring web traffic
- HotJar to see if our website is intuitive for visitors to use
The Google Analytics cookie is stored for a maximum of two years from your last visit to our website, the HotJar cookie for one year from your last visit. We only send anonymous data to both tools, which cannot be linked to you in any way.
Contact form: non-binding inquiry
You can ask us anything via the contact form or we can start discussing cooperation together. Within the contact form we work with your name, company name, email address and phone number. We only process this data for the purpose of creating an offer of our services, negotiating an offer or responding to your enquiry, for a maximum of 12 months after you submit the form, unless you consent to further processing of your data.
We send our newsletter to our clients, employees and only to people who have subscribed to it on our website and thus consented to receiving commercial communications.
If you are interested in receiving the newsletter and you subscribe to the newsletter, we will process your email address.
We will process your personal data in order to be able to send you newsletters based on your consent that you have given us with your registration.
We will process your email without restriction unless you terminate it yourself.
Sources of personal data
Depending on the situation, we process the data we have received from you at VGD, as well as data from publicly available sources and registers and data obtained from third parties (for example, our business partners). As a matter of principle, we manage your personal data within VGD. If this is necessary to achieve one of the purposes mentioned above, in particular if the external body has the necessary professionalism and expertise in the area, your data is processed by the cooperating suppliers. If we entrust someone else to carry out an activity forming part of our services, this may involve the processing of relevant personal data. In some cases, these contractors become the processor of the personal data. The processor is only entitled to handle the data for the purposes of carrying out the activity for which it has been authorised by the relevant controller. In this case, your consent is not required for the purposes of the processing activity.
Possible recipients of personal data include:
- IT service providers, including cloud storage;
- marketing agencies;
- providers of printing and mailing services, including couriers.
Beyond the above, we only transfer personal data outside of VGD, s.r.o. if we have your consent or if required by law. Some public authorities (e.g. tax authorities) are entitled to request information about you.
Your rights related to the processing of personal data
In order to exercise your rights with regard to the personal data we process, we require your identification. Please note that if we are unable to verify your identity electronically or if we have reasonable doubt about your identity, we will ask you to provide proof of identity. This is the only way to ensure that we do not disclose your personal data to another person or make unauthorised modifications to your personal data.
Right to information and access to personal data
We respect the principle of transparency in the processing of personal data. In accordance with this principle, we will always provide you with information about what personal data we process.
We will process your request as quickly as possible, up to a maximum of one month.
In more complex cases, we are entitled to extend the time limit by up to two months.
If you request information about the processing of your personal data, we will provide you with information about the purpose of the processing of personal data, the personal data or categories of personal data that are the subject of the processing, including any available information about the source, recipient or categories of recipients. You will also be informed of the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period, and the existence of the right to request the rectification or erasure of your personal data or the restriction of its processing or to object to such processing, as well as the right to lodge a complaint with a supervisory authority.
You have the right to request from VGD a copy of the personal data processed, provided that the rights and freedoms of others are not adversely affected. We may charge a reasonable fee based on administrative costs for additional copies at your request. If you make a request electronically, we will provide you with the information in the electronic form that is commonly used unless you request otherwise.
Right to correction
When processing your personal data, we strive to ensure its accuracy and timeliness. We will endeavour to delete or correct inaccurate or incomplete personal data. If you find that any of the personal data we process about you is incorrect or out of date, you can bring this to our attention. You have the right to have VGD correct inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.
Any rectification will also be communicated to the recipients to whom the personal data has been provided, except where this is impossible or requires disproportionate effort.
Withdrawal of consent to the processing of personal data
Further processing of your personal data, which is carried out on the basis of your consent to the processing of personal data, can be prevented at any time. Simply withdraw your consent to such processing.
Right to erasure (right to “be forgotten”)
You can also exercise your right to be forgotten. You have the right to have VGD delete personal data relating to you without undue delay and VGD is obliged to delete personal data without undue delay if one of the following reasons applies:
- the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- you withdraw the consent on the basis of which the personal data was processed and there is no other legal basis for the processing;
- personal data have been unlawfully processed;
- the personal data must be erased to comply with a legal obligation under the law of the European Union or the Czech Republic.
In this case, we will delete all your personal data that we process. The exceptions are where the processing is carried out under a legal obligation or for our legitimate interest in the exercise and defence of legal claims.
The deletion will also be notified to the recipients to whom the personal data was provided, except where this is impossible or requires disproportionate effort.
Right to restriction of processing
You have the right to have VGD restrict processing in any of the following cases:
- you deny the accuracy of the personal data for the time necessary for VGD to verify the accuracy of the personal data;
- the processing is unlawful and you refuse the erasure of your personal data and instead request a restriction on its use;
- VGD no longer needs the personal data for processing purposes, but you require it for the establishment, exercise or defence of legal claims;
- an objection to processing has been raised, pending verification that the legitimate interests of VGD outweigh your grounds for objection.
Any restrictions will also be notified to the recipients to whom the personal data have been disclosed, except where this is impossible or requires disproportionate effort.
Right to portability of personal data
You have the right to obtain personal data relating to you that you have provided to VGD in a structured, commonly used and machine-readable format and the right to transfer that data to another controller, without hindrance from VGD, if:
- the processing is based on consent to the processing of personal data or the processing of personal data for the purposes of concluding and performing a contract; and
- processing is automated.
In exercising your right to data portability, you have the right to have your personal data transferred by VGD directly to another controller, if technically feasible. The right to data portability must not adversely affect the rights and freedoms of other persons.
The right not to be subject to automated decisions, including profiling
You have the right not to be the subject of any decision based solely on automated processing, including profiling (i.e. any form of automated processing of personal data consisting in their use to evaluate certain personal aspects relating to you), which has legal effects concerning you or similarly significantly affects you. This right does not apply where the automated decision is necessary for entering into or performance of a contract or is based on your explicit consent; however, in these cases you have the right to human intervention in the automated decision, the right to express your views and the right to challenge the automated decision.
Right to object
If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for this marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
If personal data is processed on the basis of legitimate interests of VGD, you have the right to object at any time to the processing of personal data concerning you for these legitimate interests.
This objection must be substantiated by you in order for us to be able to assess it properly. Your objection and the reasons for it will then be assessed and weighed against VGD’s legitimate interests. If your reasons outweigh the legitimate interests of VGD, s.r.o., the processing of your personal data will be restricted or your personal data will be deleted.
Right to lodge a complaint with the supervisory authority
You have the right to file a complaint against the processing of your personal data with the supervisory authority, which is the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7.
You can contact us at email@example.com or in person at Bělehradská 314/18, Prague 4.
This Personal Data Protection and Processing Policy shall come into force on 1 October 2023.