Right to be informed (Article 13 of the GDPR)This Policy will come into effect on 25.5.2018 and has been published in accordance with Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data in order to comply with the requirements to inform as specified in Article 13 of the GDPR. We first define the categories of personal data that we process, then the type of processing, and finally, inform you of your rights under the GDPR.
Categories of personal dataPersonal data: academic title, name and surname, company name, company ID, Tax ID, permanent address, address of Registered Office or place of business, invoicing address, bank details, signature, telephone number, e-mail, link to individual profile on social networks or other websites.
Purposes, legal grounds and period of personal data processingPersonal data may be processed:
- directly on the basis of a contract – if you are buying goods
- in the legitimate interest of Gravelli
- on a statutory basis (without consent)
- with consent
Processing on the grounds of contractual performance, compliance with legal obligations and legitimate interestsWe do not require consent to process personal data when personal data is necessary for the performance of a contract, to comply with legal obligations or to protect legitimate interests, or when services cannot be provided unless personal data is given. This governs, in particular, the following basic purposes:
- processes associated with customer identification (performance of contract);
- compliance with statutory tax obligations (performance of statutory obligations);
- purposes laid down in special laws applying to criminal proceedings and compliance with obligations to cooperate with the Police of the Czech Republic and other government agencies (performance of statutory obligations);
- the operation of camera and monitoring systems in premises for the purposes of preventing damage (legitimate interest);
- providing evidence where this is needed to protect rights (legitimate interest).
Processing based on consentFrom 25.5.2018, Gravelli will process customer data for commercial purposes primarily for distributing a newsletter – commercial information related to Gravelli products (product offers, etc.) – only with consent. Gravelli will store information about individuals who have given their consent concerning their typical behaviour when using its services and create and store anonymised behaviour analyses, including via cookies, where consent to the processing of personal data is dealt with separately on the Gravelli website. Consent for commercial purposes is granted on a voluntary basis, and the customer may withdraw it at any time. This consent remains in effect for the duration of the use of the services and the subsequent 4 years, or until it is withdrawn by the customer.
Method of processing personal dataPersonal data are processed either manually or automatically and stored in paper and in electronic form. Employees handling representative and collaborative models of personal data are bound by a confidentiality agreement whose validity is not limited by the termination of their employment relationship. Personal data recorded in documents in paper form are stored in rooms with security locks at Gravelli’s head office and the head office of its external accounting and tax services supplier with whom Gravelli has concluded a contract on personal data processing.
Recipients of personal dataGravelli works with different entities who perform certain tasks for it and contribute to its core business. These are primarily providers of administrative and technical support for Gravelli’s activities, including an IT Administrator, CRM Systems Administrator, Accountant, Corporate Lawyer and providers of other services (e.g., goods transporters), etc. Gravelli provides these individuals with personal data to the extent necessary for the given purpose. An agreement for personal data processing is concluded with each of these entities. A list of these entities may be provided in response to a written request sent to Gravelli’s head office or by email at email@example.com.
Information on the rights of data subjects in relation to personal data processing
Right of access (Article 15 of the GDPR)The data subject has the right to access his or her personal data, which governs the right to obtain from Gravelli:
- confirmation as to whether his or her personal data is being processed;
- information about the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has been or will be disclosed;
- the envisaged period of processing;
- the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or the restriction of processing of personal data or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- any available information as to the source of personal data if the personal data was not collected from the data subject;
- the existence of automated decision-making, including profiling;
- appropriate safeguards where data is transferred outside the EU;
- the right to obtain a copy of the personal data, provided this does not adversely affect the rights and freedoms of others.