
MarketSoul s. r. o.

ID: 047 14 121

HQ: tř. Tomáše Bati 269
760 01 Zlín

SP. ZN.: C 91516 maintained by
Regional Court in Brno

+420 733 624 061

Privacy policy

On 25 May 2018, Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the Regulation”) will come into force. MarketSoul s.r.o., company ID: 04714121, with registered office at Podlesí II 5609, 760 05 Zlín, registered in the Commercial Register maintained by the Regional Court in Brno, Section C, Insert 91516 /hereinafter referred to as the “Data Controller”/ has adopted the following Personal Data Protection Policy /hereinafter referred to as the “Policy”/, which shall come into force and effect on 25 May 2018.

For the purposes of this document, “personal data” means any information relating to an identified or identifiable natural person to whom the personal data relates. It shall be deemed to be identified or identifiable if the natural person can be identified, directly or indirectly, in particular by reference to a number, code or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. This policy applies to all relationships between the controller and data subjects, which for the purposes of this policy means, in particular, customers, potential customers, suppliers, potential suppliers of the controller and applicants for employment with the controller. This policy applies to all processing of personal data by the controller, unless otherwise agreed between the controller and the data subject for a particular case.

Personal data collected by the controller

In the course of its business activities, the controller collects the following personal data for the following purposes:

  1. Provision of services. Within the scope of this activity, the controller may process the personal data of its customers in the scope of name, surname, address or registered office, telephone number, e-mail address, bank account number, or identification number or tax identification number. This is information that is communicated to the controller by the customer. The controller may also process personal data of third parties communicated to it by the customer for the purpose of fulfilling contractual obligations towards the customer as a processor. The data is processed for the purpose of fulfilling contractual obligations to the customer and for the purpose of fulfilling legal obligations – i.e. in particular for invoicing, bookkeeping, tax and any fees. The information may also be used to recover a debt owed to the customer, i.e. for the purpose of fulfilling the contract and in the legitimate interest of the controller.

  2. Delivery of services by external suppliers. The administrator may also use the services of external contractors – natural persons – in the course of its activities. In this context, the controller may process the personal data of external suppliers if this is necessary to enable the supplier to carry out its activities. This includes, in particular, name, surname, date of birth, address or registered office, telephone number, e-mail address, bank account number, identification number, tax identification number and signature. The information is obtained directly from the data subject and is processed to the extent necessary for the purpose of fulfilling the contract concluded between the supplier and the controller and for the purpose of fulfilling legal obligations in connection with the business activity, i.e. in particular for invoicing, bookkeeping, tax payments, fees. The data may also be used for the purpose of exercising the controller’s legitimate interests.
  3. Recruiting new employees and potential customers and suppliers. As part of this activity, the Controller processes personal data of job applicants and potential new customers and suppliers to the extent that the data subjects themselves provide it to the Controller, where the Controller processes such data on the basis of its legitimate interest. The recruitment of new employees, customers and suppliers is necessary for the performance of its business activities.
  4. Storage of user data. The Administrator allows customers to have their web pages, which may include personal data, stored on its server. This is only possible by agreement between the administrator and the customer. Otherwise, the customer’s web pages are hosted by third parties chosen by the customer. In this case, the administrator assumes no liability for the hosting of the website or for the personal data contained on the customer’s website. The administrator does not access customer data stored on the server unless this is strictly necessary for the performance of the contract between the administrator and the customer. The administrator does not make any copies or extracts of this data except for security backups. The administrator has sufficiently secured the server physically, organisationally and technically and has prevented unauthorised persons from accessing the server.
  5. Other activities. The controller may also process other personal data communicated by the data subject in the course of its business activities. However, the processing may only take place if there is a legal basis for it and to the extent necessary to fulfil the purpose for which the personal data were provided by the data subject.

The controller maintains a list of contacts for employees, customers and suppliers, within which it processes personal data in the scope of name, surname, address, employer, e-mail address and telephone number. The purpose is to ensure effective communication with partners, which is a legitimate interest of the controller, and the data is processed for the duration of the cooperation. The controller only allows access to the CRM system to vetted persons who cooperate with the controller for the purpose of fulfilling the controller’s obligations and conducting the controller’s business.


The controller is not authorised to use personal data for any purpose other than that for which the personal data were collected without the express consent of the data subject.

The Controller shall not sell or rent personal data to third parties or otherwise disclose it to any third parties, except as otherwise provided below in this Policy.

In the course of its business activities, the Controller cooperates with third party external service providers for the purpose of using the necessary software, ensuring compliance with legal obligations – in particular, accounting, product sales and marketing. At the data subject’s request, the controller will send a list of processors to the data subject’s e-mail address.

All processors used shall provide sufficient guarantees to implement appropriate technical and organisational measures to ensure that the processing of personal data complies with the requirements of the applicable legislation and to safeguard the rights of data subjects. The processor may also involve another processor in the processing, provided that the processor complies with the same data protection measures as those committed to in the contract with the controller.

Some of the Controller’s processors come from the Czech Republic and are governed by Czech law when processing personal data. However, the processing of personal data by a processor may also involve the transfer of personal data abroad, including outside the European Union. All such transfers are necessary for the performance of the contract between the data subject and the controller. Most foreign processors are members of a European Union state or are registered in the so-called EU-US Privacy Shield, which can be verified at The European Commission has issued an adequacy decision in relation to this shield, under the regime of Article 45(9) of the Regulation. In view of this, no specific authorisation is required for such transfers of personal data to a third country.

Rights of data subjects

Data subjects have the following rights in relation to processing:

  • Right of access: the data subject may at any time request information from the controller about the processing of personal data concerning him or her. In such a case, the controller is obliged to provide the data subject with this information without delay;
  • The right to lodge a complaint: the data subject may lodge a complaint with a supervisory authority for an alleged violation of applicable law, the supervisory authority being the Office for Personal Data Protection, Pplk. Sochor 27, 170 00 Prague 7;
  • Right to rectification: the data subject may request the rectification of inaccurate data concerning his/her person;
  • Right to erasure: the data subject has the right to have personal data concerning him or her erased by the controller without delay if the personal data are no longer necessary for the purposes for which they were collected and processed, if an objection to the processing has been raised and if there are no overriding reasons for the processing; if the personal data have been unlawfully processed or if they must be erased in order to comply with a legal obligation of the controller established by applicable law;
  • The right to restriction of processing: if the data subject contests the accuracy of the data processed, the controller is obliged to restrict the processing of the personal data concerned for the time necessary to enable the controller to verify the accuracy of the personal data;
  • Right to information: the data subject shall have the right to be informed of any rectification or erasure of personal data or restriction of processing carried out by the controller which concerns him or her;
  • Right to object: the data subject shall have the right to object at any time to processing of personal data concerning him or her which is carried out on grounds of necessity for the performance of a task carried out in the public interest or on grounds of necessity for processing for the purposes of the legitimate interest of the controller;
  • The right to data portability: the data subject has the right to obtain the personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format and to transmit them to another controller without hindrance from the existing controller.
  • If personal data are processed on the basis of the data subject’s consent, the data subject is entitled to withdraw the consent at any time.

Upon request, the controller shall provide the data subject with information on the measures taken to fulfil the rights of data subjects.

The data subject may exercise his/her rights by sending a written request to the address of the controller’s registered office, i.e. MarketSoul s.r.o., ID No.: 04714121, with registered office at tř. Tomáše Bati 269 760 01 Zlín, or by e-mail to


The controller is aware of the confidentiality of the personal data processed. The controller is obliged to maintain the confidentiality of all personal data processed. The controller is not entitled to disclose personal data to any third party, unless otherwise provided for in this policy.

The controller shall only be entitled to process personal data through employees who are bound to confidentiality at least to the same extent as provided for in this Policy and applicable law.

Technical and organisational measures

During processing, the controller shall at all times take care to ensure that the rights of natural persons are not adversely affected in connection with the processing of personal data.

The controller shall take appropriate technical and organisational measures to ensure an adequate level of security of personal data, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing.

Where a personal data breach is likely to result in a high risk to the rights of natural persons, the controller shall notify the data subject of the breach without undue delay and at the latest within 72 hours. At the same time, the controller shall notify the supervisory authority of the breach.

No automated decision-making, including profiling, shall be used in the processing of personal data by the controller.

Processing time

The processing period depends on the category of personal data as well as the purpose for which the personal data is processed. However, it is always the case that personal data are processed only for the time necessary:

  • personal data related to the performance of the contract will be retained for as long as the contract is in force. Part of the personal data may be retained for a further 3 years after the expiry of the contract or for 3 years after the expiry of the warranty period of the subject matter of the contract for reasons of legitimate interest of the controller so that the controller is able to bear the burden of proof in the event of any litigation. Where the document relates to value added tax, it may be processed for a period of 10 years in order to comply with the legal obligations of the administrator;
  • personal data processed on the basis of consent to the processing of personal data will be processed by the controller until the data subject withdraws consent or until the consent ceases to be effective or until the purpose of the processing ceases to exist;
  • the personal data of potential employees, customers and suppliers will be retained for a maximum period of 3 months from the date on which the negotiations on the establishment of possible cooperation are concluded. During this period, the controller is entitled to approach the subjects with a possible new offer;
  • customer data stored on the server will be processed for the duration of the cooperation with the customer or until the customer instructs that the data should no longer be processed;
  • personal data that are processed by the controller for the purpose of fulfilling legal obligations, i.e. in particular for the purpose of bookkeeping, tax and fee payment, etc. will be deleted within the time limits set by applicable law and the controller’s internal regulations.

Further information

The controller is not obliged to appoint a data protection officer and has not taken this step on its own initiative.

The controller further declares that it uses Facebook and Twitter for promotional purposes. However, the controller’s presentation through these services does not contain any personal data. The controller will only contact data subjects if they contact it themselves, and only to answer the question raised.

Product analytics

For the purpose of product analytics, the administrator also uses Google Analytics. The data obtained through this service is used mainly for statistical purposes. In this way, the administrator determines the number of users who have visited the administrator’s website. However, the controller does not have the possibility to obtain specific information enabling the identification of users in this way, i.e. it is not able to identify a specific data subject.

In addition, the administrator uses Google AdWords to reach potential customers. These persons are sent advertising messages on the website via the services specified above. These services use cookies for the purpose of displaying advertising on third-party websites. However, the controller does not have the possibility to obtain specific information enabling the identification of users in this way, i.e. it is not able to identify a specific data subject.

Update of the policy

The Controller reserves the right to change this privacy policy. The change will be made by posting on the Controller’s website and is effective within 30 days of the date of posting. In addition, the Controller undertakes to send all registered customers, suppliers and employees the new updated Privacy Policy without delay after it has been adopted by the Controller.
