Updated on June 6th 2021
In accordance with the provisions of Act No. 110/2019 Coll., On the processing of personal data and pursuant to Regulation No. 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter regulation), the business company Lumeer.io s.r.o., company ID 06618278, with its registered office at Purkyňova 649/127, 612 00 Brno – Medlánky, Czech Republic, registered in the Commercial register maintained by the Regional Court in Brno, file no. C 102990 (further in text as controller) adopted these Principles of Data Protection (further in text as principles) that enter into force and effect on June 6th 2021.
For the purpose of these principles:
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. These principles apply to all relationships between the controller and data subjects which for the purpose of these principles are clients, potential clients, customers, potential customers, suppliers, potential suppliers of the controller and controller’s job applicants.
These principles shall apply to all data processing conducted by the controller unless agreed otherwise between the controller and data subject.
Controller hereby declares that he operates and holds all copyrights related to the software solution Lumeer.
Our company has a number of legal obligations regarding the processing of clients’ personal data, which we must comply with, especially with regard to the fulfillment of contractual obligations, the security of the use of our products or the exercise of public power. In this regard, we would not be able to provide our products and services at all without providing your personal data. We also process clients’ personal data beyond the scope of legal obligations, for the purpose of caring for you and our other clients, so that we can address you with a targeted offer of products and services. To do this, we need your consent. If you do not give your consent in these cases, the products or services provided by us may be limited or otherwise modified depending on the scope of data that we will be entitled to process. We inform each client about the scope of restrictions or modifications.
Unless expressly stated otherwise, all information provided here also applies to the processing of personal data of potential clients, i.e. persons with whom we have not yet entered into a contractual relationship, but are already in contact with them, or former clients.
Personal Data Processing Principles
When processing your personal data, we respect and respect the highest standards of personal data protection and in particular the following principles:
- We always process your personal data for a clearly and comprehensibly defined purpose, by specified means, in a specified manner, and only for the time necessary for the purposes of their processing; we process only accurate personal data of clients and we ensure that their processing corresponds to the specified purposes and is necessary for the fulfillment of these purposes;
- We protect and process your personal data in a way that ensures the highest possible security of this data and which prevents any unauthorized or accidental access to clients’ personal data, their change, destruction or loss, unauthorized transfers, their other unauthorized processing, as well as other misuse;
- We will always clearly inform you about the processing of your personal data and about your claims for accurate and complete information about the circumstances of this processing, as well as about your other related rights;
- We take appropriate technical and organizational measures to ensure a level of security commensurate with all possible risks; All persons who come into contact with clients’ personal data are obliged to observe confidentiality of information obtained in connection with the processing of such data.
Personal data collected by the controller
In regard with its activities the controller collects following data for the purpose as follows:
- Product Distribution
In regard with these activities the controller processes following personal data of its customers: name, surname, address or seat of registered office, phone number, email, eventually company ID and VAT ID. Such information are disclosed to the controller by the customer. The information are used for the purpose of granting a license to use Lumeer application, payment of a license fee by the data subject via paywall and to comply with legal obligations in regard to the business activity, e.g. to invoice, to keep records and withhold and pay taxes. These information can be also used for recovery of the customer’s debt, e.g. for the purpose of performance of the contract in legitimate interest of the controller.
- Supply of services by external suppliers
In regard with this activity the controller also uses services of external suppliers – natural persons. Therefore the controller processes data of its external suppliers if it is necessary for facilitation of supplier’s activity. Such data include: name, surname, date of birth, address or seat of registered office, phone number, email, bank account number, eventually company ID, VAT ID and a signature. Such information are obtained directly from the data subjects and processed to the necessary extent in order to perform the contract entered into between the supplier and controller and further, to comply with legal obligations in regard to the business activity e.g. to invoice, to keep records and withhold and pay taxes.
- Hiring of new employees and potential suppliers
In regard with this activity the controller processes personal data of job applicants and potential new suppliers to the extent in which the data subjects themselves provide such data to the controller while such data are processed in respect to controller’s legitimate interests.
- Sending of up-to-date information – newsletters
Subject to data subjects’ consent the controller shall send to the data subjects information on controller’s products and news – newsletters. Newsletters provide the customers with up-to-date information allowing them to use services provided by the controller in full. In regard with this activity the controller processes name, surname, and email of data subjects provided such data shall be processed throughout the time a valid consent is given. In this regard the controller uses services of MailerLite.
- Communication with customers
Controller also uses online chat to communicate with the data subjects. Controller’s legitimate interest includes providing the customers or potential customers who contact the controller by themselves with required information in shortest time possible. In this case the controller processes only data provided by the data subjects.
Further, controller communicates with the data subjects via contact form provided that a consent was given.
- Other activities
In regard with its business activity the controller shall process other personal data provided by the data subjects. Processing of such data can be performed only on legal grounds and to the extent necessary to meet the purpose to which such data were given by the data subject.
In addition, the controller also acts as a processor in the following cases:
- This is data that the data subject themself stores in the Lumeer software solution through their user account, which is encrypted. The controller processes this data for the purpose of fulfilling the contract, and only to the extent specified by the customer. The controller does not actively access such stored personal data. The Lumeer software solution is stored in cloud storage provided by administrators of DigitalOcean, LLC.
The client declares that they are aware of their legal obligations as a controller of personal data of their own users, clients, customers, employees, suppliers, etc. The method and processing of personal data of these entities within the Lumeer software solution is determined by the client. The controller does not bear any responsibility for the proper fulfillment of the client’s legal obligations as a controller of personal data.
Without an explicit consent of the data subject the controller shall not use personal data for a purpose different from a purpose for which the personal data were collected.
The controller does not sell or lend personal data to third parties or provide such data in any way to third parties unless specified otherwise herein.
In regard with its business activity the controller cooperates with third parties – external service providers, in order to use necessary software, ensure compliance with legal obligations – especially record keeping, product development, sale and marketing. List of external service providers can be found here.
All the processors above provide sufficient guarantees of implementing proper technical and organizational provisions, so that the data processing complies with the laws and the rights of the data subjects are protected. Processor can also engage a third party processor provided that such processor complies with the same data protection conditions that the processor undertook to comply with in the contract with the controller.
Your personal data is processed on the territory of the Czech Republic and on the territory of other states of the European Union and which share the same standards of personal data protection as the Czech Republic. Neither our company nor the entities involved in the processing of clients ‘personal data transfer clients’ personal data to countries outside the European Union.
Terms and conditions of data processing of individual processors can be found here.
Rights of data subjects
In regard to data processing the data subjects have following rights:
- Right of access: The data subject shall obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. In this case the controller shall provide the data subject with such confirmation with no delay.
- Right to lodge a complaint: The data subject shall have a right to lodge a complaint with a supervisory authority regarding alleged violation of laws, the supervisory authority is The Office for Personal Data Protection, registered office at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz.
- Right to rectification: The data subject shall request the controller to rectify inaccurate personal data concerning them.
- Right to erasure: The data subject shall have the right to obtain from the controller the erasure of personal data concerning them where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; or the personal data have to be erased for compliance with a legal obligation laid down by applicable law to which the controller is subject.
- Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing if the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- Right to information: The data subject shall have the right to obtain from the controller information relating to him or her regarding rectification or erasure of personal data or restriction of processing carried out by the controller.
- Right to object: The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on compelling grounds for performance of a task carried out in the public interest or on compelling legitimate grounds in the interest of the controller.
- Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
If the personal data are processed on the grounds of a consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time.
Subject to a request the controller shall inform the data subject on the measures taken by the controller to safeguard the rights of the data subjects.
The data subject shall exercise his or her rights by sending a written request to the controller to Lumeer.io s.r.o., Reg. ID: 06618278, registered office at Purkyňova 649/127, 612 00 Brno – Medlánky, Czech Republic or by email to firstname.lastname@example.org.
The controller is aware of the confidentiality of the processed personal data. The controller shall keep confidential all processed data. The controller shall not disclose personal data to any third party unless provided otherwise herein. The controller shall process the personal data only through its employees who shall comply with the confidentiality provisions herein and with existing legal rules.
Technical and organizational measures
The controller shall ensure that no harm is caused to the rights of natural persons in relation to the data processing.
The controller adopted reasonable technical and organizational measures to ensure reasonable level of personal data protection in respect to the state of the art, investments to implementation, nature, scope, context and purpose of processing of data.
The controller hereby declares that all user accounts in Lumeer are encrypted and protected by password.
If a specific case of data protection security breach shall likely result in high risk to the rights and freedoms of natural persons, the controller shall without undue delay and not later than 72 hours notify the data subject. At the same time the controller shall notify the supervisory authority.
No automated individual decision making or profiling takes place when the personal data are processed.
The processing period shall depend on the category of personal data and purpose of the processing. Personal data are always processed for a strictly necessary period of time.
- Personal data related to the use of the Lumeer user account shall be processed for a period of time when the user account is active, i.e. until the user account including its content is deleted either by the data subject or the controller. Subject to legitimate interest of the controller, part of the personal data shall be stored for another 3 years in order to enable the controller to bear the burden of proof in prospective litigation.
- Personal data processed upon consent shall be processed until the consent is withdrawn by the data subject or until the consent expires or the purpose of processing is lost.
- Personal data of potential employees, customers and suppliers shall be stored at least 3 months from the day of the last action in regard to negotiation of potential cooperation. During this period the controller shall reach out to the data subjects with a new offer.
- Personal data processed for the purpose of fulfilment of legal obligations, especially to account, tax, etc. shall be deleted in times pursuant to the laws and internal laws of the controller; personal data disclosed by the data subject via online chat shall not be stored by the controller.
The software solution Lumeer offered to the customers by the controller offers a product analysis service by SmartLook provided by Smartsupp, s.r.o., Reg. ID 03668681, registered office at Milady Horakove 1957/13, 602 00 Brno – Černá Pole, Czech Republic, registered in the Commercial register maintained by the Regional Court in Brno, file no. C 86206. By using the Smartlook service the controller is not capable of obtaining specific data that would allow the controller to identify users, i.e. the controller is not capable to identify a specific data subject. This service is used in order to improve the product of the controller, especially to develop Lumeer which is in a legitimate interest of the controller.
Further, the controller uses Google Analytics service. Data collected by the Google Analytics service are used mainly for statistical purposes. The controller detects the number of users that visited the website of the controller. By this means the controller is not capable of getting concrete information identifying the users, i.e. the controller is not capable to identify a specific data subject.
The controller hereby declares that he uses Facebook and Twitter for advertising purposes. The presentation of the controller undertaken by the services above does not contain any personal data.
The controller is not obliged to appoint a Data Protection Officer and he did not freely decide to appoint one.
Update of Principles
The controller reserves a right to change the principles herein. The change shall be carried out by publishing thereof on controller’s website and effective within 30 days from publishing. The controller shall also send the new updated principles to all registered customers, suppliers and employees with no delay after they are adopted.
In case of any questions or problems, please contact us at www.lumeer.io/contact/.