For the purpose of this notice, an Operator is considered to be any entity belonging to the same concern as CIMEX INVEST s.r.o., reg. no.: 27159868, reg. address: Praha 4, Na Pankráci 1062/58, 140 00, Czech Republic, registered in the Register of Companies administered by the Municipal Court in Prague under file no. C 159592.
For the purpose of this advice, a Customer is considered to be a person dealing with the Operator.
According to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”), “personal data” means any information about an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
The purpose and scope of personal data processing
If a Customer and an Operator enter into a contract, the Operator processes the Customer’s personal data within the contractual relation for the following purposes:
1) Contract performance
This data processing is necessary for the performance of the contract. If the Customer does not agree to provide their personal data for this purpose, the contract cannot be concluded. For this purpose, the Customer’s identification data included in the contract, or the Customer’s contact information, as well as information related to the subject matter of the contract (e.g. product or service identification, payment method, including payment details, such as bank account number from which the payment has been sent, etc.) shall be processed within the necessary scope. This scope of personal data may be processed by the Operator for the purpose of protecting its rights in the event of a dispute with the Customer.
2) Marketing use of personal data
Pursuant to section 7(3) of Act no. 480/2004 Sb., on Certain Information Society Services, as amended, the Operator is entitled to use the Customer’s electronic address and telephone number for the purpose of commercial communication regarding the Operator’s products or services similar to those already provided to the Customer. Similarly, it is the Operator’s legitimate interest to process personal data, including name, surname and address/contact, based on a previous contact with the Customer for the purpose of direct marketing. In both cases, the processing may be performed until the Customer expresses their disapproval of or objects to the processing pursuant to Article 21(2) of the GDPR.
The Customer may consent to the processing of their personal data collected by the Operator during the contractual relationship or knowingly provided by the Customer for the purpose of personalised marketing. This data processing is voluntary and not providing consent to it does not affect the conclusion of the contract in any way. Consent is provided for the time of the contractual relationship or until the relationship is revoked. Consent may be withdrawn at any time, for example, by using the forms on kontakt.cimex.cz/.
3) Using statutory registers
The Operator is entitled by the law to share and use certain information on the Customer. That is done by using a register administered by another entity which is a personal data processor. This register lists information on contractual relationships between the Operator and the Customer, i.e. information on provided services, the total amount of loans, and the consumer’s payment habits. The Operator may enter/obtain information on the Customer into/from the register.
Data controller and processor
For the processing of personal data, the Operator may use other entities belonging to the concern as Operators, or any third persons with whom the Operator has entered into a contract on personal data processing. A data processor is also considered to be a recipient of personal data.
Recipients of personal data
The Operator shall transfer the Customer’s personal data to other entities (i.e. other than those specified above) only if they require access to the data based on the law (investigating, prosecuting and adjudicating bodies and other inspecting authorities authorised by the law to access information), or if it is necessary for the protection of the Operator’s rights (at court).
The Customer’s rights
As a data subject, the Customer has all the rights provided by the GDPR and by other legal regulations.
In particular, the Customer has the right to ask the Operator for information on the processing of their personal data for all the aforementioned purposes (see Article 15 of the GDPR). The Operator must provide the Customer, without undue delay, with at least the information about the purpose of the processing, about the personal data or their categories that are processed, about the recipients or categories of recipients who have been provided access to the data, and information about the nature of automated processing if the data are used for making decisions about the Customer’s rights.
If the Customer believes that the Operator uses their personal data in breach of the law, they have the right to object under Article 21 of the GDPR. The Customer may also exercise their right to obtain from the controller the rectification, erasure and restriction of processing of the data, or the right to data portability.
In any case, if the Customer believes that the processing of their personal data is unauthorised (especially if the Operator has not responded to the Customer’s request for information or for data rectification, or if the Customer does not agree to the Operators statement), they may lodge a complaint with the supervisory body, the Office for Personal Data Protection (https://www.uoou.cz/).