PERSONAL DATA PROTECTION RULES

RULES

We understand that our customers, users of our applications or visitors to our website (hereinafter collectively referred to as “the Users“) value their
privacy. This document thus contains key information of what rules we adhere to when processing personal data.

All the processing of personal data performed by us is fully compliant with the Regulation 2016/679 of the European Parliament and of the Council issued 27th April 2016, on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“) Note: In case that any conflict arises between the Czech language version of these personal data protection rules (“the Rules“) and any translation hereof, the Czech language version shall prevail.

BASIC INFORMATION

Identification and contact information of the Provider:

name:Base Consulting s.r.o.
CIN:05290473
seat:Panská 854/2, Nové Město (Praha 1), 110 00 Praha
contact e-mail:office@base.cz
contact phone:+420 602 274 603

(hereinafter referred to as “the Provider“)

Data Protection Officer:

The Provider has not nominated a data protection officer as it is not mandated by the nature of its activities, in accordance with GDPR p. 37.

Transfer of personal data to a third country or to an international organisation:

The Provider does not transfer any personal data to any third country or international organisation in the meaning of GDPR p.44.

Automated manual decision-making, including profiling:

The Provider does not perform any automated manual decision-making or profiling.

Supervisory Authority:

The supervisory authority relevant for the Provider is Úřad pro ochranu osobních údajů (The Office for Personal Data Protection), with seat at Pplk. Sochora 27, 170 00 Praha 7, e-mail: posta@uoou.cz, tel.: 234 665 125.

Role of the Provider:

The Provider engages with the personal data in the capacity as both a Controller and a Processor

THE PROVIDER AS A CONTROLLER

The Provider acts in the capacity as a controller in relation to the personal data of the following persons: customers and website users.

What personal data does the Provider process, what purpose does the processing serve and on what legal basis is the processing performed?

Website visit. The Provider processes data collected from physical persons visiting the website of the Provider. During the visit, the Provider collects, processes and stores the following types of personal information: IP address. Moreover, the Provider processes the following information: browser type, cookies, time of visit, browsing behaviour and URL, from which the visitor arrived. This information is necessary to display the website correctly, to maintain website security and for other purposes described in the Rules. The Provider processes this information based on its legitimate interest or a given consent of the Users. More information with respect to cookies are outlined below.

For the purposes of contract performance (entering into contract, communication with customers) and compliance with legal obligations (accounting and tax obligations), the Provider processes inter alia the following personal information: name, surname, company name, company identification number, tax identification number, home address / seat,
phone, e-mail The Provider collects this personal information directly from Users during contractual process and fully discloses what personal information is needed for the purposes of contract performance. The provision of additional personal information is voluntary.

Customer care and technical support:

Users can ask questions or request technical support via the website.

Contact e-mail address or prepared input form serves for personal data input necessary for such communication (e-mail address and/or phone number, processed in line with GDPR p. 6 art.1 a) and b)). This information is used for the customer relationship management (contract performance), for addressing customer questions and providing technical support.

In case an individualized solution is required, User might be asked to submit additional necessary personal data for processing so that the Provider can give adequate level of support to this individual User. The personal data would most likely include: name, surname, company name, User account information, e-mail.

During communication with Users, the Provider adheres to the data minimalization rule in the only the data necessary for the request resolution are collected.

Moreover, the IP address is collected for the purposes of maintaining technical security and attack prevention.

Registration / User account: The website of the Provider allows the Users to register by entering personal data.

During registration, the following personal data is collected by the Provider: name, surname, e-mail. The Provider adheres to the data minimalization rule in that all necessary data fields are labelled as mandatory.

The registration is needed for User to utilize the application and to communicate with support.

In case the Provider aims to process additional personal data than listed in the Rules or aims to use them for a different purpose, it can only do so based on additional consent obtain from the User for  such personal data processing.

The information with respect to processing of employee personal data is contained in a separate internal rule.

Special categories of personal data

The Provider does not act in capacity as controller in relation to any special categories of personal data of the Users as defined by GDPR p.9.

How long does the Provider process personal data?

Personal data are processed only for such period that there is a legal basis to store such information. Upon expiry of such basis, the data is erased.

Personal data processed for the purposes of Provider legal obligations fulfilment are processed for the period mandated by such legal obligations e.g. record keeping regulations, tax regulations.  Once the effect of such obligations passes, the relevant personal data is erased.

Other personal data processing: Personal data processed for other purposes than outlined above are processed for the duration of contractual relationship with the customer and 1 year after the termination of such relationship.

THE PROVIDER AS A PROCESSOR

The Provider acts as a processor of personal data for other controllers.

Such controller of personal data is required to fully comply with the rules and requirements of GDPR regulation and other legislation governing personal data. The processor is not legally liable for any breach of duty of the controller with respect to such personal data.

What personal data does the Provider process in its capacity as personal data processor and for what purpose?

The Provider processes the following personal data: IP address, name, surname, e-mail

The purpose of the personal data processing is the legitimate interest pursued by the controller.

In case the Provider acts as a processor with respect to the special categories of personal data, the responsibility for the lawfulness of processing of such data in accordance with GDPR and member state regulation lies with the controller. The Provider reserves the right to erase personal data should it find that regulation to be violated by the controller. Before such erasure, the Provider will contact the controller with request for remedial action.

How long does the Provider process personal data?

The Provider processes personal data for the duration of contractual relationship with the cpntroller. Afterwards, all personal data is erased without undue delay. The Users can request an erasure of their personal data anytime during the duration of the contractual relationship. In case such request is submitted by User, the Provider will erase relevant personal data without undue delay.

RECIPIENTS OF PERSONAL DATA

The Provider does not process any personal data on behalf of any controllers

The Provider utilizes the following processors:

Processing typeProcessed personal dataProcessor nameProcessor CINProcessor seat
webhostingIP addressWEDOS Internet, a.s.28115708Masarykova 1230, Hluboká nad Vltavou, 373 41
data storageName, surname, e-mailMICROSOFT s.r.o.47123737Vyskočilova 1561/4a, Michle, 140 00 Praha

Personal data might also be processed by cookie providers listed further down in the Rules.

The processing of personal data can be performed by processors solely based on the basis of agreement for processing of personal data i.e. with guarantees of organisational and technical data security of the personal data , specified purpose for such processing and a prohibition to use such personal data for any other purpose.

Under certain conditions, personal data might be made available to public authorities (courts, police, notaries, tax bureau,..) or provided to other parties based on the exercise of public authority to the extend defined by special legislation.

PERSONAL DATA SECURITY

For the purposes of securing User personal data against unlawful access, the Provider utilizes suitable and adequate technical and organisational measures.

The Provider ensures that in case servers are placed in a third-party datacentre, similar technical and organisational measures are applied by such third party.

All data is stored only on servers located in the European Union or countries with similar standards for personal data protection as set by the Czech Republic legislation.

The Provider utilizes the following measures to secure data: firewall, encryption, Microsoft Azure security

USER RIGHTS

Every User has:

COOKIES

The Provider uses cookies, which are small text files identifying the website user and recording its activities on the website.

The contents of cookies frequently comprise of series of numbers and letter uniquely identifying the computer of the User, but do not contain any specific personal data about the User. Cookies file name typically contains the domain name, from which it was sent, time data and an alphanumerical identifier.

The website of the Provider automatically identifies the IP address of the User. This information is recorded in the activity log by the server, allowing for subsequent processing of such personal data. The provider also records information about browser requests: the time of requests, status and the amount of data transferred during the request, it also collects information about the used browser, operating system of the User a the version of both. Additionally, the information about a website from which the Provider website was reached is recorded. The IP address of User computer is stored only for the necessary period for which the website is being used. Afterwards, the information about the IP address is erased or anonymized by shortening.

COOKIE TYPES AND similar TECHNOLOGIES

Technical cookies and similar technologies: The Provider exercises its legitimate interest in utilizing technically necessary cookies to ensure proper function and operation of its website. The utilized cookies might be temporary or permanent. Permanent cookies stay on the User’s hard drive even after the browser is closed. Permanent cookies might be used by the browser on subsequent visits of the Provider’s website. Permanent cookies can be deleted. Temporary cookies are transient and are deleted once the browser is closed. This information is used by the Provider to operate and maintain the website, particularly for identifying and fixing errors, determining website utilization and performing changes and updates. For these use cases, the Provider has a legitimate interest to process personal data in accordance with GDPR p.6 art.1 f).

The User might opt to set up its browser to block cookies. The Provider warns that in such case however, some parts of the website will not function.

In a similar fashion and for the same purpose, the Provider utilizes Webstorage (as outlined in the table below).

ADDITIONAL COOKIES UTILIZED BY THE PROVIDER WITH USER’S CONSENT

Analytical cookies and similar technologies: These cookies help the Provider analyse, how the Users utilize the website. They are used to measure and improve the performance of the website. These cookies help determine, for example, how the User arrived at the website, whether directly, indirectly via browser search, via social network link, etc. The Provider also analyses, how long the User stays on the website and what links they click on.

The analytical cookies are setup on the User’s device only in case the User gives consent (in accordance with GDPR p.6 art.1 a)) to such usage during its first website visit. The consent for analytical cookies can be withdrawn at any time via the Detailed cookie setup menu.

In a similar fashion and for the same purpose, the Provider utilizes Webstorage (as outlined in the table below).

Advertising cookies and similar technologies: These cookies allow the showing of advertisements based on User’s preferences. They might be used e.g. for the purposes of User profiling by the Provider and subsequent showing of more relevant advertisement to the User.

The advertisement cookies are setup on the User’s device only in case the User gives consent (in accordance with GDPR p.6 art.1 a)) to such usage during its first website visit. The consent for advertisement cookies can be withdrawn at any time via the Detailed cookie setup menu. In case User does not give consent, the advertisements will not be aligned with its interests.

In a similar fashion and for the same purpose, the Provider utilizes Webstorage (as outlined in the table below).

If relevant, Other cookies and similar technologies are outlined in the table below.

For obtaining and management of User consent, the Provider utilizes CookiesLišta.cz platform from Soft Evolution s.r.o., CIN 46982230, Martinice 100, 594 01, Velké Meziříčí. This platform collects information about the device, browser information, anonymized IP address, time and date of the visit, URL address, route to a website and location data. This allows to inform the User about the Provider’s website and obtain User’s consent. The legal basis for personal data processing is given by GDPR p.6 art.1 c), where the Provider is obliged by law to provide proof of given consent in accordance with GDPR p.7 art.1. The personal data is erased once it is no longer required for protocolling and no legal basis for its storage exists.  More information on the topic of personal data protection and the platform can be found at: https://www.cookieslista.cz.

The Provider’s website might contain third party cookies. The Provider currently utilizes the following cookies:

ProcessorCookies IDPersonal dataPurpose of processingLegal basisExpiration
Technical cookies / similar technologies
Base Consulting s.r.o.dcb_dsvnoVersion of consent with allowing cookies.Legitimate interestLocal storage / 365 days
Base Consulting s.r.o.dcb_confignoConfiguration of consent with allowing cookiesLegitimate interestLocal storage / 365 days
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United StatescookiePreferencesnoRegisters cookies preferences of user.User consent2 years
Analytical cookies / similar technologies
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_ganoID utilized for User identificationUser consent2 years
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_ga_noID utilized for User identificationUser consent2 years
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_gidnoID utilized for User identification for 24 hours after last activityUser consent24 hours
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_gatnoUtilized by Google Analytics for tracking number of requests when using Google Tag ManagerUser consent1 minute
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_dc_gtm_noUtilized by Google Analytics for tracking number of requestsUser consent1 minute
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United StatesAMP_TOKENnoContains the code of a token utilized for loading client ID from AMP Client ID serviceUser consent30 seconds to 1 year
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_gat_gtag_noSetup and collection of tracking dataUser consent1 hour
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States_gac_noContains information related to User marketing campaigns shared with AdWords, Google Ads, if Google Ads and Google Analytics account are linked.User consent90 days
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmanoID utilized for user and session identification.User consent2 years after last activity
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmtnoUtilized by Google Analytics for tracking number of requestsUser consent10 minutes
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmbnoUtilizes to distinguish between new sessions and visits. The cookie is setup with GA.js library is loaded and no _utmb cookie yet exists. Cookie is updated every time the data is sent to Google Analytics server.User consent30 minutes after last activity
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmcnoUtilized for older versions of Urchin Google Analytics, not for GA.js. Serves to distinguish between sessions and new visits at the end of the session.User consentEnd of session (browser)
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmznoContains information about the source of the visit or campaign, which led the user to the website. Cookie is setup when GA.js is loaded and is updated every time data is sent to Google Analytics server.User consent6 months after last activity
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmvnoCollects custom information for website developers via  _setCustomVar method in Google Analytics. Cookie contains new updates and news from Google Analytics server.User consent2 years after last activity
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmxnoUtilized to determine whether the user participates in test A/B or multivariate testUser consent18 months
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States__utmxxnoUtilized to determine the end date of test A/B or multivariate test, on which the user participatesUser consent18 months

COOKIES BROWSER SETUP

Majority of browsers accept cookies automatically. However, it is possible to utilize control measures to allow blocking and removal of cookies.

Instructions how to block and/or remove cookies can be typically found in the personal data protection rules or help documentation of the respective browser provider.

PROTOCOL SERVICES

User’s browser automatically reports certain information with every display of the Provider’s website. Servers automatically record certain information, which the browser sends with each website visit. This information is stored in server protocols (log files) and might include i.a. web request details, IP address, browser type, language of the browser, referring websites, URL, platform type, number of clicks, domain names, source website, number of displayed webpages, order of display of the webpages, time spent browsing the website, date and time of the request and a one or more cookie files able to uniquely identify User’s browser.

SOCIAL NETWORKS

The Provider is present on social networks to communicate with the existing and prospective customers and users and to inform them of its product offering and updates.

The Provider states that User uses the social network platforms at its own responsibility and risk. This pertains particularly to the utilization of interactive functions such as comments, sharing or liking. The Provider accepts no responsibility for the treatment of personal data processed via social networks and warns that such processing might take place outside the European Union and its regulation.

FINAL PROVISONS

In case of changes to the underlying legislation, the Provider is mandated to update the personal data protection rules stated in this document. The most current version of the Rules is always available on the Provider’s website. In case such changes occur, the Provider will notify the User of the proposed changes to the Rules before such changes take effect.

Last update: 2. 3. 2022