PERSONAL DATA PROTECTION RULES
RULES
We understand that our customers, users of our applications or visitors to our website (hereinafter collectively referred to as “the Users“) value their
privacy. This document thus contains key information of what rules we adhere to when processing personal data.
All the processing of personal data performed by us is fully compliant with the Regulation 2016/679 of the European Parliament and of the Council issued 27th April 2016, on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“) Note: In case that any conflict arises between the Czech language version of these personal data protection rules (“the Rules“) and any translation hereof, the Czech language version shall prevail.
BASIC INFORMATION
Identification and contact information of the Provider:
name: | Base Consulting s.r.o. |
CIN: | 05290473 |
seat: | Panská 854/2, Nové Město (Praha 1), 110 00 Praha |
contact e-mail: | office@base.cz |
contact phone: | +420 602 274 603 |
(hereinafter referred to as “the Provider“)
Data Protection Officer:
The Provider has not nominated a data protection officer as it is not mandated by the nature of its activities, in accordance with GDPR p. 37.
Transfer of personal data to a third country or to an international organisation:
The Provider does not transfer any personal data to any third country or international organisation in the meaning of GDPR p.44.
Automated manual decision-making, including profiling:
The Provider does not perform any automated manual decision-making or profiling.
Supervisory Authority:
The supervisory authority relevant for the Provider is Úřad pro ochranu osobních údajů (The Office for Personal Data Protection), with seat at Pplk. Sochora 27, 170 00 Praha 7, e-mail: posta@uoou.cz, tel.: 234 665 125.
Role of the Provider:
The Provider engages with the personal data in the capacity as both a Controller and a Processor
THE PROVIDER AS A CONTROLLER
The Provider acts in the capacity as a controller in relation to the personal data of the following persons: customers and website users.
What personal data does the Provider process, what purpose does the processing serve and on what legal basis is the processing performed?
Website visit. The Provider processes data collected from physical persons visiting the website of the Provider. During the visit, the Provider collects, processes and stores the following types of personal information: IP address. Moreover, the Provider processes the following information: browser type, cookies, time of visit, browsing behaviour and URL, from which the visitor arrived. This information is necessary to display the website correctly, to maintain website security and for other purposes described in the Rules. The Provider processes this information based on its legitimate interest or a given consent of the Users. More information with respect to cookies are outlined below.
For the purposes of contract performance (entering into contract, communication with customers) and compliance with legal obligations (accounting and tax obligations), the Provider processes inter alia the following personal information: name, surname, company name, company identification number, tax identification number, home address / seat,
phone, e-mail The Provider collects this personal information directly from Users during contractual process and fully discloses what personal information is needed for the purposes of contract performance. The provision of additional personal information is voluntary.
Customer care and technical support:
Users can ask questions or request technical support via the website.
Contact e-mail address or prepared input form serves for personal data input necessary for such communication (e-mail address and/or phone number, processed in line with GDPR p. 6 art.1 a) and b)). This information is used for the customer relationship management (contract performance), for addressing customer questions and providing technical support.
In case an individualized solution is required, User might be asked to submit additional necessary personal data for processing so that the Provider can give adequate level of support to this individual User. The personal data would most likely include: name, surname, company name, User account information, e-mail.
During communication with Users, the Provider adheres to the data minimalization rule in the only the data necessary for the request resolution are collected.
Moreover, the IP address is collected for the purposes of maintaining technical security and attack prevention.
Registration / User account: The website of the Provider allows the Users to register by entering personal data.
During registration, the following personal data is collected by the Provider: name, surname, e-mail. The Provider adheres to the data minimalization rule in that all necessary data fields are labelled as mandatory.
The registration is needed for User to utilize the application and to communicate with support.
In case the Provider aims to process additional personal data than listed in the Rules or aims to use them for a different purpose, it can only do so based on additional consent obtain from the User for such personal data processing.
The information with respect to processing of employee personal data is contained in a separate internal rule.
Special categories of personal data
The Provider does not act in capacity as controller in relation to any special categories of personal data of the Users as defined by GDPR p.9.
How long does the Provider process personal data?
Personal data are processed only for such period that there is a legal basis to store such information. Upon expiry of such basis, the data is erased.
Personal data processed for the purposes of Provider legal obligations fulfilment are processed for the period mandated by such legal obligations e.g. record keeping regulations, tax regulations. Once the effect of such obligations passes, the relevant personal data is erased.
Other personal data processing: Personal data processed for other purposes than outlined above are processed for the duration of contractual relationship with the customer and 1 year after the termination of such relationship.
THE PROVIDER AS A PROCESSOR
The Provider acts as a processor of personal data for other controllers.
Such controller of personal data is required to fully comply with the rules and requirements of GDPR regulation and other legislation governing personal data. The processor is not legally liable for any breach of duty of the controller with respect to such personal data.
What personal data does the Provider process in its capacity as personal data processor and for what purpose?
The Provider processes the following personal data: IP address, name, surname, e-mail
The purpose of the personal data processing is the legitimate interest pursued by the controller.
In case the Provider acts as a processor with respect to the special categories of personal data, the responsibility for the lawfulness of processing of such data in accordance with GDPR and member state regulation lies with the controller. The Provider reserves the right to erase personal data should it find that regulation to be violated by the controller. Before such erasure, the Provider will contact the controller with request for remedial action.
How long does the Provider process personal data?
The Provider processes personal data for the duration of contractual relationship with the cpntroller. Afterwards, all personal data is erased without undue delay. The Users can request an erasure of their personal data anytime during the duration of the contractual relationship. In case such request is submitted by User, the Provider will erase relevant personal data without undue delay.
RECIPIENTS OF PERSONAL DATA
The Provider does not process any personal data on behalf of any controllers
The Provider utilizes the following processors:
Processing type | Processed personal data | Processor name | Processor CIN | Processor seat |
webhosting | IP address | WEDOS Internet, a.s. | 28115708 | Masarykova 1230, Hluboká nad Vltavou, 373 41 |
data storage | Name, surname, e-mail | MICROSOFT s.r.o. | 47123737 | Vyskočilova 1561/4a, Michle, 140 00 Praha |
Personal data might also be processed by cookie providers listed further down in the Rules.
The processing of personal data can be performed by processors solely based on the basis of agreement for processing of personal data i.e. with guarantees of organisational and technical data security of the personal data , specified purpose for such processing and a prohibition to use such personal data for any other purpose.
Under certain conditions, personal data might be made available to public authorities (courts, police, notaries, tax bureau,..) or provided to other parties based on the exercise of public authority to the extend defined by special legislation.
PERSONAL DATA SECURITY
For the purposes of securing User personal data against unlawful access, the Provider utilizes suitable and adequate technical and organisational measures.
The Provider ensures that in case servers are placed in a third-party datacentre, similar technical and organisational measures are applied by such third party.
All data is stored only on servers located in the European Union or countries with similar standards for personal data protection as set by the Czech Republic legislation.
The Provider utilizes the following measures to secure data: firewall, encryption, Microsoft Azure security
USER RIGHTS
Every User has:
- The right of access: The User has the right to obtain confirmation from the Provider as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing, b) the categories of personal data concerned, c) the recipients to whom the personal data will be disclosed d) the envisaged period for which the personal data will be stored e) the existence of the right to request from Provider erasure of personal data or restriction of processing of personal data concerning the User or to object to such processing, f) the right to lodge a complaint with a supervisory authority, g) where the personal data are not collected from the User, any available information as to their source, h) the existence of automated decision-making, including profiling. The User has the right to obtain a copy of the processed personal data.
- Right to rectification: The User has the right to obtain from the Provider without undue delay the rectification of inaccurate personal data concerning him or her i.e. to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure: The User the right to obtain from the Provider the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the User withdraws consent on which the processing is based and there is no other legal ground for the processing; c) the User objects to the processing and there are no overriding legitimate grounds for the processing; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law; f) the personal data have been collected in relation to the offer of information society services. Right to erasure will not apply in case the processing is necessary fulfilment of legal obligations, establishment, exercise and defence of legal claims or other cases stipulated by GDPR.
- Right to restriction of processing: The User has the right to obtain from the Provider restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the User, for a period enabling the Provider to verify the accuracy of the personal data; b) the processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of their use instead; c) the Provider no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims; d) the User has objected to processing and verification is pending whether the legitimate grounds of the Provider override those of the User.
- Right to object: The User has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest. The Provider shall no longer process the personal data unless the Provider demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Users or for the establishment, exercise or defence of legal claims.
- Right of data portability: The User has the right to receive the personal data concerning him or her, which he or she has provided to the Provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where: a) the processing is based on consent; b) processing is carried out by automated means. In exercising his or her right to data portability pursuant to paragraph 1, the User has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Right to lodge a complaint with a supervisory authority: If the User considers that the processing of personal data relating to him or her infringes on GDPR regulation, the User has the right to lodge a complaint with a supervisory authority, the contact info of which is listed above
- Notification obligation regarding rectification or erasure of personal data or restriction of processing: The Provider will communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Provider will inform the User about these recipients if the User requests it.
- Right to be informed of the risks of data breach: When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Provider shall communicate the personal data breach to the User without undue delay.
- Right to withdraw consent: If the processing of personal data by the Provider is based on given consent, the User has the right to withdraw his or her consent at any time by a written consent withdrawal with processing of personal information delivered via e-mail to info@adglue.io.
COOKIES
The Provider uses cookies, which are small text files identifying the website user and recording its activities on the website.
The contents of cookies frequently comprise of series of numbers and letter uniquely identifying the computer of the User, but do not contain any specific personal data about the User. Cookies file name typically contains the domain name, from which it was sent, time data and an alphanumerical identifier.
The website of the Provider automatically identifies the IP address of the User. This information is recorded in the activity log by the server, allowing for subsequent processing of such personal data. The provider also records information about browser requests: the time of requests, status and the amount of data transferred during the request, it also collects information about the used browser, operating system of the User a the version of both. Additionally, the information about a website from which the Provider website was reached is recorded. The IP address of User computer is stored only for the necessary period for which the website is being used. Afterwards, the information about the IP address is erased or anonymized by shortening.
COOKIE TYPES AND similar TECHNOLOGIES
Technical cookies and similar technologies: The Provider exercises its legitimate interest in utilizing technically necessary cookies to ensure proper function and operation of its website. The utilized cookies might be temporary or permanent. Permanent cookies stay on the User’s hard drive even after the browser is closed. Permanent cookies might be used by the browser on subsequent visits of the Provider’s website. Permanent cookies can be deleted. Temporary cookies are transient and are deleted once the browser is closed. This information is used by the Provider to operate and maintain the website, particularly for identifying and fixing errors, determining website utilization and performing changes and updates. For these use cases, the Provider has a legitimate interest to process personal data in accordance with GDPR p.6 art.1 f).
The User might opt to set up its browser to block cookies. The Provider warns that in such case however, some parts of the website will not function.
In a similar fashion and for the same purpose, the Provider utilizes Webstorage (as outlined in the table below).
ADDITIONAL COOKIES UTILIZED BY THE PROVIDER WITH USER’S CONSENT
Analytical cookies and similar technologies: These cookies help the Provider analyse, how the Users utilize the website. They are used to measure and improve the performance of the website. These cookies help determine, for example, how the User arrived at the website, whether directly, indirectly via browser search, via social network link, etc. The Provider also analyses, how long the User stays on the website and what links they click on.
The analytical cookies are setup on the User’s device only in case the User gives consent (in accordance with GDPR p.6 art.1 a)) to such usage during its first website visit. The consent for analytical cookies can be withdrawn at any time via the Detailed cookie setup menu.
In a similar fashion and for the same purpose, the Provider utilizes Webstorage (as outlined in the table below).
Advertising cookies and similar technologies: These cookies allow the showing of advertisements based on User’s preferences. They might be used e.g. for the purposes of User profiling by the Provider and subsequent showing of more relevant advertisement to the User.
The advertisement cookies are setup on the User’s device only in case the User gives consent (in accordance with GDPR p.6 art.1 a)) to such usage during its first website visit. The consent for advertisement cookies can be withdrawn at any time via the Detailed cookie setup menu. In case User does not give consent, the advertisements will not be aligned with its interests.
In a similar fashion and for the same purpose, the Provider utilizes Webstorage (as outlined in the table below).
If relevant, Other cookies and similar technologies are outlined in the table below.
For obtaining and management of User consent, the Provider utilizes CookiesLišta.cz platform from Soft Evolution s.r.o., CIN 46982230, Martinice 100, 594 01, Velké Meziříčí. This platform collects information about the device, browser information, anonymized IP address, time and date of the visit, URL address, route to a website and location data. This allows to inform the User about the Provider’s website and obtain User’s consent. The legal basis for personal data processing is given by GDPR p.6 art.1 c), where the Provider is obliged by law to provide proof of given consent in accordance with GDPR p.7 art.1. The personal data is erased once it is no longer required for protocolling and no legal basis for its storage exists. More information on the topic of personal data protection and the platform can be found at: https://www.cookieslista.cz.
The Provider’s website might contain third party cookies. The Provider currently utilizes the following cookies:
Processor | Cookies ID | Personal data | Purpose of processing | Legal basis | Expiration |
Technical cookies / similar technologies | |||||
Base Consulting s.r.o. | dcb_dsv | no | Version of consent with allowing cookies. | Legitimate interest | Local storage / 365 days |
Base Consulting s.r.o. | dcb_config | no | Configuration of consent with allowing cookies | Legitimate interest | Local storage / 365 days |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | cookiePreferences | no | Registers cookies preferences of user. | User consent | 2 years |
Analytical cookies / similar technologies | |||||
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _ga | no | ID utilized for User identification | User consent | 2 years |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _ga_ | no | ID utilized for User identification | User consent | 2 years |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _gid | no | ID utilized for User identification for 24 hours after last activity | User consent | 24 hours |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _gat | no | Utilized by Google Analytics for tracking number of requests when using Google Tag Manager | User consent | 1 minute |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _dc_gtm_ | no | Utilized by Google Analytics for tracking number of requests | User consent | 1 minute |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | AMP_TOKEN | no | Contains the code of a token utilized for loading client ID from AMP Client ID service | User consent | 30 seconds to 1 year |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _gat_gtag_ | no | Setup and collection of tracking data | User consent | 1 hour |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | _gac_ | no | Contains information related to User marketing campaigns shared with AdWords, Google Ads, if Google Ads and Google Analytics account are linked. | User consent | 90 days |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utma | no | ID utilized for user and session identification. | User consent | 2 years after last activity |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmt | no | Utilized by Google Analytics for tracking number of requests | User consent | 10 minutes |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmb | no | Utilizes to distinguish between new sessions and visits. The cookie is setup with GA.js library is loaded and no _utmb cookie yet exists. Cookie is updated every time the data is sent to Google Analytics server. | User consent | 30 minutes after last activity |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmc | no | Utilized for older versions of Urchin Google Analytics, not for GA.js. Serves to distinguish between sessions and new visits at the end of the session. | User consent | End of session (browser) |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmz | no | Contains information about the source of the visit or campaign, which led the user to the website. Cookie is setup when GA.js is loaded and is updated every time data is sent to Google Analytics server. | User consent | 6 months after last activity |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmv | no | Collects custom information for website developers via _setCustomVar method in Google Analytics. Cookie contains new updates and news from Google Analytics server. | User consent | 2 years after last activity |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmx | no | Utilized to determine whether the user participates in test A/B or multivariate test | User consent | 18 months |
Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States | __utmxx | no | Utilized to determine the end date of test A/B or multivariate test, on which the user participates | User consent | 18 months |
COOKIES BROWSER SETUP
Majority of browsers accept cookies automatically. However, it is possible to utilize control measures to allow blocking and removal of cookies.
Instructions how to block and/or remove cookies can be typically found in the personal data protection rules or help documentation of the respective browser provider.
PROTOCOL SERVICES
User’s browser automatically reports certain information with every display of the Provider’s website. Servers automatically record certain information, which the browser sends with each website visit. This information is stored in server protocols (log files) and might include i.a. web request details, IP address, browser type, language of the browser, referring websites, URL, platform type, number of clicks, domain names, source website, number of displayed webpages, order of display of the webpages, time spent browsing the website, date and time of the request and a one or more cookie files able to uniquely identify User’s browser.
SOCIAL NETWORKS
The Provider is present on social networks to communicate with the existing and prospective customers and users and to inform them of its product offering and updates.
The Provider states that User uses the social network platforms at its own responsibility and risk. This pertains particularly to the utilization of interactive functions such as comments, sharing or liking. The Provider accepts no responsibility for the treatment of personal data processed via social networks and warns that such processing might take place outside the European Union and its regulation.
FINAL PROVISONS
In case of changes to the underlying legislation, the Provider is mandated to update the personal data protection rules stated in this document. The most current version of the Rules is always available on the Provider’s website. In case such changes occur, the Provider will notify the User of the proposed changes to the Rules before such changes take effect.