This personal data processing and protection policy (the "Policy") outlines the basic principles governing CAPEXUS s.r.o., identification no.: 24131326, with its registered office at Nuselská 419/92, 140 00 Prague 4 – Michle, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 181449 as the controller and CAPEXUS SK s.r.o., identification no.: 24131326, with its registered office at Green Point Offices, Blok F, Turčianska 2, 821 09 Bratislava, Slovakia, registered in the Commercial Register maintained by the Regional Court Bratislava I, Section: Sro, Insert 36180/B as the controller (the "Company") when obtaining and processing personal data. This Policy pursues the rights and obligations of the Company arising in particular from the following generally binding legal regulations:
- Regulation (EU) No 2016/679 of the European Parliament and of the Council, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on the Protection of Personal Data) (the "GDPR");
- Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts, as amended (the "Act on Certain Information Society Services");
- and Act No. 127/2005 Coll., on Electronic Communications and on Amendment to Certain Related Acts (the Electronic Communications Act), as amended (the "Electronic Communications Act").
This Policy applies to cooperating persons in the context of business relationships, as well as to all persons visiting the Company's website www.capexus.com (the "Website"), regardless of whether they are in a contractual relationship with the Company or not.
What is personal data?
In accordance with the GDPR, personal data means any information about a designated or identifiable natural person (not a legal entity) (a "Data Subject"). In principle, therefore, it is any information that, whether alone or in combination with other information, can serve to identify a particular individual, regardless of whether the information is true and objectively measurable, or whether it is a mere estimation of human characteristics. In determining Personal Data, it is also irrelevant whether this data is recorded in writing or in the form of an audio or video record ("Personal Data").
What personal data does the Company process?
The processing of Personal Data involves the use of data, namely any operation or set of operations with personal data or personal data files carried out with or without the help of automated procedures (e.g. in an Excel table or on a sheet of paper), such as gathering, recording, structuring, storing, customizing or altering, searching, viewing, using, accessing, transmitting, spreading or otherwise disclosing, sorting or combining, restricting, erasing or destroying (e.g. shredding, discarding). In the case of the Company, it may be a matter of offering services or products, addressing clients, complying with obligations under a contract (order) or by law.
The Company collects (i.e. uses) the following Personal Data:
- Personal Data which the Data Subject himself/herself provides to the Company:
Such Personal Data may include, in particular, the data provided by the Data Subject in the completed contract, completed registration, order or other form or disclosed to the Company by e-mail, telephone, fax or other similar device. Personal Data may also be provided to the Company during competitions, when posting a product or service review on a website or social network account set up by the Company, booking a place for corporate events or training, or sending a general inquiry.
This involves primarily the following data:
- first name and surname
- company name (for legal entities, if they identify a natural person)
- job title / employment
- company category (client, supplier, architect, etc.)
- identification no., tax identification no. (natural persons)
- for statutory bodies of companies, also date of birth (for legal entities)
- address of permanent residence (only for employees)
- bank account information (if connected with a natural person)
- e-mail address (if identifying a natural person)
- telephone number
The categories of processed personal data are: identification data, contact data, financial data, professional data;
- and data which we obtain from the Data Subject due to their use of our services:
The Company may collect certain information about visitors to our Website necessary to ensure the proper and smooth operation of the Website. Such information includes data:
- about the internet protocol (IP) used to connect the Data Subject's computer to the internet
- registration data
- browser type and version;
- time zone settings;
- browser plug-in;
- data about the visit, including valid Uniform Resource Locator (URL), route to and from the Website (including date and time);
- products which the Data Subject displayed or searched for
- response times, errors during download
- duration of visits to certain pages, information about interactions during the visit to the site (such as scrolling, clicks, and mouse placement), or how the site was left
If the Company collects Personal Data and other data, it will use them to administer and improve the Website and to secure internal operations, including problem solving, data analysis, testing, research, statistical purposes, and thumbnail indexing. If you grant your consent, these Personal Data may then further be used to measure advertising performance and to provide relevant advertising.
The Company uses the following types of Cookies:
- a. First-party Cookies, which allow the basic operation and functionality of the Website and without which the content of the Website could not be displayed correctly;
- b. technical Cookies, which allow the use of the Website to be analysed (e.g. Google Analytics to analyse traffic on a specific website or service), Hotjar or cookies of the advertising system operators that are operated on our site;
- technical Cookies* online identifiers – e.g. from Facebook (Facebook pixel);
- advertising Cookies, which allow targeted advertising to be displayed, sharing of the Website on social networks or commenting on products and services.
Data Subjects can delete Cookies using their browser settings. It is also possible to set cookies to not save automatically. However, if the Data Subject blocks, disables or otherwise rejects some Cookies, the Website may not display properly or it may not be possible to use certain services or features of the Website.
Why do we process personal data?
The Company will process the abovementioned Personal Data for the purposes of:
- fulfilling business relationships (e.g. execution of orders, implementation of work, approval of documentation, selection of components, furniture, materials, etc.), with the legal basis being performance of a contract;
- keeping accounting records and complying with other legal obligations (employer, taxpayer, etc.) and protecting our rights (e.g. in the case of a lawsuit concerning our services), with the legal basis being compliance with the law or performance of a contract;
- enforcing receivables based on rights under a concluded contract;
- answering a query sent via a contact form, with the legal basis being our legitimate interest;
- improving the quality of our services and developing new ones, based on our legitimate interest;
- securing our systems and networks against external attacks or abuse by users, based on our legitimate interest;
- promoting our services through the following processing:displaying only ads based on your interests (including remarketing and behavioural advertising), all to a reasonable extent and with the consent of the Data Subject or, in less intrusive cases, on the basis of legitimate interest;
- conducting anonymous analyses and measurements to determine how our services are used;
- analysing Data Subject preferences and displaying content that reflects individual needs based on consent;
- obtaining prizes in contests organized by us and delivering them to the winners by virtue of the performance of a contractual obligation (contest terms & conditions);
- sending business communications, including offers of third-party products and services (it is possible to opt out of business communications in the settings of the service for which the user has registered for such communications, or by e-mail at firstname.lastname@example.org) and newsletters;
- providing a service, product or information you have shown interest in;
- if you are an existing customer, also providing information about other services or products similar to those that were the subject of a previous business relationship between the Data Subject and our company, based on our legitimate interest in the development of mutual business relationships – this legitimate interest follows from the Act on Certain Information Society Services;
- the Company will only send business communications and offers of products and services to new customers if you provide the Company with prior, unconditional, specific and unambiguous consent;
- assessing and evaluating job applications or CVs by virtue of using the data for concluding the contract;
Who will have access to the Personal Data?
Personal Data that the Company obtains from the Data Subject are processed solely by the Company, except third parties (the "Processors") that assist the Company in the performance of its contractual obligations by providing certain services (such as delivery service). The Company only transfers Personal Data to those Processors who provide a reasonable level of security for the Personal Data, and these Personal Data are processed solely on the basis of a personal data processing agreement to prevent unauthorized or accidental access to, or other misuse of, the Personal Data. All our partners are bound by a confidentiality obligation and must not use the data provided for any purpose other than that for which we have made it available to them. If they use the Personal Data for other purposes (and have the liability of a data controller), they can only do so if they have defined the respective legal title and purpose (e.g. in the case of lawyers / accountants / tax advisors in terms of professional activity and professional rules).
In this regard, the Company may hand over Personal Data to the following Processors:
- external contractors and suppliers for meeting the Company's contractual and statutory obligations;
implementation of subcontracts;
records of the history of business cases and building long-term relationships with clients (e.g. possibility of feedback on already implemented projects, etc.)
provision of postal and delivery services;
processing of wage and tax advisory;
website administrators, cloud storage providers for the Company;
- external suppliers for the purpose of implementing legitimate interest and/or purposes and processing for which we have been granted consent:
Facebook Ireland Ltd, located at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 and operating under the website facebook.com for online marketing purposes – Data Processing Agreement (Data Use Policy), GDPR (Policy);
*The newsletter is sent only to registered subscribers from the system of The Rocket Science Group under the trademark Mailchimp (www.mailchimp.com). CAPEXUS and The Rocket Science Group store the email address, first and last name of the subscriber, data on newsletter activity (open rate, click-through rate). We do not provide personal data to any third parties other than the administrator of The Rocket Science Group, we only use it for the purpose of sending out the newsletter. Those interested in subscribing to the email newsletter sign up themselves via the Mailchimp form in the footer of the website or from the Mailchimp forms. In this way, future newsletter subscribers give us their consent to receive the newsletter and to the processing of their personal data. Unsubscribing from the newsletter is possible at any time, the unsubscribe link is in the footer of each email.
The Company hands over Personal Data to third countries as part of its services under para. 2, and whereby The Rocket Science Group (Mailchimp) and Facebook Ireland Ltd are certified within the EU/US - rivacy Shield agreement falling under Article 45 GDPR.
Under certain precisely defined conditions stipulated by law, the Company is obliged to hand over certain Personal Data, for example, to the Czech Police or other bodies involved in criminal proceedings, including specialized departments (Organized Crime Unit, customs authorities, etc.) and other public authorities.
Means of protecting personal data
To protect and minimize the risk of unauthorized access to Personal Data, the Company has adopted organizational and technical measures.
These measures include:
- organizational restrictions limiting the range of persons authorized to come into contact with Personal Data; and
- technical security of the Company's servers and Website against unauthorized use.
Length of storage of Personal Data
The Company stores Personal Data for three years if there is no prior withdrawal of consent by the Data Subject. In the event of withdrawal of consent, the lawfulness of the use of the Personal Data in the period prior to its withdrawal is not affected.
For the preparation, conclusion and performance of the contract with the Company's customer, the Company uses the data for the time necessary to execute the order(s). Afterwards, the Company retains the data based on our legitimate interest in protecting our legal claims and for our internal records and controls for the duration of the limitation period of three years and one year after its expiry with respect to claims enforced after the end of the limitation period. In order to comply with legal obligations (in particular pursuant to Act No. 235/2004 Coll., on Value Added Tax and Act No. 563/1991 Coll., on Accounting), the Company shall use Personal Data for a maximum of 10 years for the respective order.
If Personal Data is handled on the basis of legitimate interest, the Personal Data are processed by the Company for a maximum of one year.
Once the legal reason has ceased to exist or the purpose for which the Personal Data is processed has been fulfilled, the Company will destroy the Personal Data and all their existing copies.
In the event of judicial, administrative or other proceedings, the Company shall process the Personal Data of the Data Subject, irrespective of legal title, to the extent necessary for the duration of such proceedings and for the remainder of the limitation period after its termination.
Rights of Data Subjects:
In connection with the processing of Personal Data by the Company, the Data Subjects have the following rights:
- the right to withdraw consent to the processing of Personal Data, if the processing is based on it;
- the right to request access to Personal Data and information about which Personal Data is processed by the Company;
- the right to correct inaccurate Personal Data, and to supplement incomplete Personal Data;
- the right to delete processed Personal Data;
- the right to limit the processing of Personal Data;
- the right to obtain the Personal Data you have provided to the Company in a structured, commonly used and machine-readable format, and the right to transfer these data to another person;
- the right to be informed about a Personal Data breach;
- the right to object to the processing of Personal Data, among others in cases of processing Personal Data in marketing by virtue of the Company's legitimate interest;
- the right to lodge a complaint with the supervisory authority, i.e. with the Office for Personal Data Protection, at Pplk. Sochora 27, 170 00 Prague 7, or by data box at qkbaa2n;
- other rights set out in the General Data Protection Regulation No. 2016/679 after its entry into force.
The above rights and any complaints may be filed with the Company as the data controller in writing at the address stated below or by e-mail to the e-mail address email@example.com.