On May 25th 2018, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR) (further in text as regulation) became applicable. In relation to this, the Answer Institute s.r.o., company ID 06618278, with registered office at Purkyňova 649/127, 612 00 Brno – Medlánky, Czech Republic, registered in the Commercial register maintained by the Regional Court in Brno, file no. C 102990 (further in text as controller) adopted these Principles of Data Protection (further in text as principles) that enter into force and effect on 25th May 2018.
For the purpose of these principles:
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. These principles apply to all relationships between the controller and data subjects which for the purpose of these principles are customers, potential customers, suppliers, potential suppliers of the controller and controller’s job applicants.
These principles shall apply to all data processing conducted by the controller unless agreed otherwise between the controller and data subject.
Controller hereby declares that he operates and holds all copyrights related to the software solution Lumeer.
Personal data collected by the controller
In regard with its activities the controller collects following data for the purpose as follows:
- Product Distribution
In regard with these activities the controller processes following personal data of its customers: name, surname, address or seat of registered office, phone number, email, eventually company ID and VAT ID. Such information is disclosed to the controller by the customer. The information is used for the purpose of granting a license to use Lumeer application, payment of a license fee by the data subject via paywall and to comply with legal obligations in regard to the business activity, e.g. to invoice, to keep records and withhold and pay taxes. This information can also be used for recovery of the customer’s debt, e.g. for the purpose of performance of the contract in legitimate interest of the controller.
- Data submitted to Lumeer by the subjects
These data are saved into Lumeer by the data subject via its encrypted user account. Controller processes these data in order to perform the contract only to the extent defined by the customer. Controller shall not actively access such saved data. The software solution Lumeer is saved in cloud provided to the controller by DigitalOcean, LLC.
- Supply of services by external suppliers
In regard with this activity the controller also uses services of external suppliers – natural persons. Therefore the controller processes data of its external suppliers if it is necessary for facilitation of supplier’s activity. Such data include: name, surname, date of birth, address or seat of registered office, phone number, email, bank account number, eventually company ID, VAT ID and a signature. Such information is obtained directly from the data subjects and processed to the necessary extent in order to perform the contract entered into between the supplier and controller and further, to comply with legal obligations in regard to the business activity e.g. to invoice, to keep records and withhold and pay taxes.
- Hiring of new employees and potential suppliers
In regard with this activity the controller processes personal data of job applicants and potential new suppliers to the extent in which the data subjects themselves provide such data to the controller while such data are processed in respect to controller’s legitimate interests.
- Sending of up-to-date information – newsletters
Subject to data subjects’ consent the controller shall send to the data subjects information on controller’s products and news – newsletters. Newsletters provide the customers with up-to-date information allowing them to use services provided by the controller in full. In regard with this activity the controller processes name, surname, and email of data subjects provided such data shall be processed throughout the time a valid consent is given. In this regard the controller uses services of MailChimp.
- Communication with customers
Controller also uses online chat to communicate with the data subjects. Controller’s legitimate interest includes providing the customers or potential customers who contact the controller by themselves with required information in shortest time possible. In this case the controller processes only data provided by the data subjects. In this regard the controller uses services of Drift.com. Further, controller communicates with the data subjects via contact form provided that a consent was given.
- Other activities
In regard with its business activity the controller shall process other personal data provided by the data subjects. Processing of such data can be performed only on legal grounds and to the extent necessary to meet the purpose to which such data were given by the data subject.
Personal data shall be saved by the controller to CRM system provided by HubSpot, Inc.
Without an explicit consent of the data subject the controller shall not use personal data for a purpose different from a purpose for which the personal data were collected.
The controller does not sell or lend personal data to third parties or provide such data in any way to third parties unless specified otherwise herein.
In regard with its business activity the controller cooperates with third parties – external service providers, in order to use necessary software, ensure compliance with legal obligations – especially record keeping, product development, sale and marketing. List of external service providers can be found here.
All the processors above provide sufficient guarantees of implementing proper technical and organizational provisions, so that the data processing complies with the laws and the rights of the data subjects are protected. Processor can also engage a third party processor provided that such processor complies with the same data protection conditions that the processor undertook to comply with in the contract with the controller.
Personal data may be transferred to third countries or to an international organization located out of the European Union area, i.e. to processors in the USA. All such transfers are necessary for performance of the contract entered into between the data subject and controller. All such third party processors are either members of the European Union or belong to the EU – USA Privacy shield, to be found at www.privacyshield.gov/list. Pursuant to Article 45 (9) the European Commission adopted a decision that deems the Privacy shield protection adequate. In this regard such data transfers do not require any special approval.
Terms and conditions of data processing of individual processors can be found here.
Rights of data subjects
In regard to data processing the data subjects have following rights:
- Right of access: The data subject shall obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. In this case the controller shall provide the data subject with such confirmation with no delay.
- Right to lodge a complaint: The data subject shall have a right to lodge a complaint with a supervisory authority regarding alleged violation of laws, the supervisory authority is The Office for Personal Data Protection, registered office at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz.
- Right to rectification: The data subject shall request the controller to rectify inaccurate personal data concerning them.
- Right to erasure: The data subject shall have the right to obtain from the controller the erasure of personal data concerning them where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; or the personal data have to be erased for compliance with a legal obligation laid down by applicable law to which the controller is subject.
- Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing if the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- Right to information: The data subject shall have the right to obtain from the controller information relating to him or her regarding rectification or erasure of personal data or restriction of processing carried out by the controller.
- Right to object: The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on compelling grounds for performance of a task carried out in the public interest or on compelling legitimate grounds in the interest of the controller.
- Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
If the personal data are processed on the grounds of a consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time.
Subject to a request the controller shall inform the data subject on the measures taken by the controller to safeguard the rights of the data subjects.
The data subject shall exercise his or her rights by sending a written request to the controller to Answer Institute s.r.o., Reg. ID: 06618278, registered office at Purkyňova 649/127, 612 00 Brno – Medlánky, Czech Republic or by email to firstname.lastname@example.org.
Confidentiality
The controller is aware of the confidentiality of the processed personal data. The controller shall keep confidential all processed data. The controller shall not disclose personal data to any third party unless provided otherwise herein. The controller shall process the personal data only through its employees who shall comply with the confidentiality provisions herein and with existing legal rules.
Technical and organizational measures
The controller shall ensure that no harm is caused to the rights of natural persons in relation to the data processing.
The controller adopted reasonable technical and organizational measures to ensure reasonable level of personal data protection in respect to the state of the art, investments to implementation, nature, scope, context and purpose of processing of data.
The controller hereby declares that all user accounts in Lumeer are encrypted and protected by password.
If a specific case of data protection security breach shall likely result in high risk to the rights and freedoms of natural persons, the controller shall without undue delay and not later than 72 hours notify the data subject. At the same time the controller shall notify the supervisory authority.
No automated individual decision making or profiling takes place when the personal data are processed.
The processing period shall depend on the category of personal data and purpose of the processing. Personal data are always processed for a strictly necessary period of time.
- Personal data related to the use of the Lumeer user account shall be processed for a period of time when the user account is active, i.e. until the user account including its content is deleted either by the data subject or the controller. Subject to legitimate interest of the controller, part of the personal data shall be stored for another 3 years in order to enable the controller to bear the burden of proof in prospective litigation.
- Personal data processed upon consent shall be processed until the consent is withdrawn by the data subject or until the consent expires or the purpose of processing is lost.
- Personal data of potential employees, customers and suppliers shall be stored at least 3 months from the day of the last action in regard to negotiation of potential cooperation. During this period the controller shall reach out to the data subjects with a new offer.
- Personal data processed for the purpose of fulfilment of legal obligations, especially to account, tax, etc. shall be deleted in times pursuant to the laws and internal laws of the controller; personal data disclosed by the data subject via online chat shall not be stored by the controller.
The software solution Lumeer offered to the customers by the controller offers a product analysis service by SmartLook provided by Smartsupp, s.r.o., Reg. ID 03668681, registered office at Milady Horakove 1957/13, 602 00 Brno – Černá Pole, Czech Republic, registered in the Commercial register maintained by the Regional Court in Brno, file no. C 86206. By using the Smartlook service the controller is not capable of obtaining specific data that would allow the controller to identify users, i.e. the controller is not capable to identify a specific data subject. This service is used in order to improve the product of the controller, especially to develop Lumeer which is in a legitimate interest of the controller.
Further, the controller uses Google Analytics service. Data collected by the Google Analytics service are used mainly for statistical purposes. The controller detects the number of users that visited the website of the controller. By this means the controller is not capable of getting concrete information identifying the users, i.e. the controller is not capable to identify a specific data subject.
The controller hereby declares that he uses Facebook and Twitter for advertising purposes. The presentation of the controller undertaken by the services above does not contain any personal data.
The controller is not obliged to appoint a Data Protection Officer and he did not freely decide to appoint one.
Update of Principles
The controller reserves a right to change the principles herein. The change shall be carried out by publishing thereof on controller’s website and effective within 30 days from publishing. The controller shall also send the new updated principles to all registered customers, suppliers and employees with no delay after they are adopted.
In case of any questions or problems, please contact us at www.lumeer.io/contact.html.