pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
This document sets out the principles and procedures for the processing of personal data and rights in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), and Act No. 480/2004 Coll., on certain information society services, as amended.
Personal information: Any information about an identified or identifiable customer; an identifiable customer is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, network identifier, or to one or more specific elements of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity;
Administrator: EBF s. r. o., Slovákova 387, 684 01 Slavkov u Brna, ID: 29210798, registered office: Slavkov u Brna (hereinafter referred to as the “controller”), the entity that determines the purpose and means of processing personal data, carries out the processing and is responsible for it. The Controller may authorise or entrust a processor with the processing of personal data, unless a specific law provides otherwise;
Processor: any entity that, on the basis of a specific law or on behalf of the Controller, processes personal data pursuant to the Act and the Regulation, on the basis of a concluded contract for the processing of personal data;
Data Subject (“Customer”): The natural person (including self-employed persons) to whom the personal data relates (e.g. a potential, existing or lost customer);
II. Principle of personal data processing
The controller processes personal data in accordance with the following principles of the Regulation:
The customer has the right to:
(a) access, rectify, erase or restrict the processing of personal data;
(b) object to such processing;
(c) lodge a complaint with the supervisory authority;
(d) withdraw consent to the processing of personal data at any time, with effect for the future;
(e) obtain confirmation from the controller as to whether or not his or her personal data are being processed;
(f) have the controller rectify inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed;
(g) have the controller erase without undue delay the personal data relating to the data subject (including the right to be forgotten); the controller is under an obligation to erase the personal data without undue delay on the grounds listed exhaustively in the Regulation: (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the customer withdraws consent to the processing of personal data and there is no other legal basis for the processing; (c) the customer objects to the processing and there are no overriding legitimate grounds for further processing; (d) the personal data have been unlawfully processed; (e) the personal data must be erased in order to comply with a legal obligation under Union or national legislation to which the controller is subject; (f) the personal data were collected in connection with the offer of information society services. Details and exceptions to the exercise of this right are regulated by the Regulation;
(h) have the controller restrict processing in any of the following cases: (a) the data subject contests the accuracy of the personal data, for the period necessary to enable the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject refuses the erasure of the personal data and requests instead a restriction on their use; (c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; (d) the data subject has objected to the processing, until it is verified whether the legitimate grounds of the controller override those of the data subject;
(i) portability of personal data, i.e. to obtain personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where: (a) the processing is based on consent or on a contract; and (b) the processing is carried out by automated means;
(j) object to the processing of personal data at any time. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims;
(k) not be the subject of any decision based solely on automated processing, including profiling, which has legal effects concerning him or her or similarly significantly affects him or her. Exceptions and details are set out in the Regulation.
Customer’s options for exercising their rights with the Controller
A list of communication channels that can be used to receive and respond to a customer request:
The Controller obtains personal data of its customers mainly from the customers themselves in the context of contract negotiations, which gives rise to the legal titles of performance of the contract and legitimate interest. The Controller also obtains personal data on the basis of consent to the processing of personal data.
The Controller and its contractual processors process the following personal data or categories of personal data in accordance with the relevant legal title and purpose of processing:
A) Legitimate interest of the controller
The personal data will be processed for the purpose of identifying the parties and the performance of the contract, as well as for the purpose of recording the contract and the possible future exercise and defence of the rights and obligations of the parties. Such processing is permitted under Article 6(1)(b) and (f) of the Regulation.
The personal data will be processed for the duration of the contractual relationship and furthermore, to the extent necessary, for 10 years after the termination of the contractual relationship, unless another legal regulation requires the retention of contractual documentation for a longer period.
The processing of personal data is carried out by the Controller; however, personal data may also be processed for the Controller by the following processors:
The controller processes the personal data of data subjects for the purposes of the contract concluded with the customer. The standard data are: name, surname, delivery or other contact address, business address, registration number, bank account number, e-mail, telephone number.
The processing period is defined by the duration of the customer’s contractual relationship with the controller.
Personal data are processed both automatically and manually and may be made available to the Controller’s employees if necessary for the performance of their job duties, to processors with whom the Controller has concluded a contract for the processing of personal data and, where applicable, to another person in accordance with the Act and the Regulation. The list of processors of personal data is in the file List of processors.xls.
The processing of personal data may be carried out for the Controller by processors exclusively on the basis of a contract for the processing of personal data, i.e. with guarantees of the organisational and technical security of the data and a definition of the purpose of the processing, whereby processors may not use the data for other purposes.
List of processors
Company name | Address / ID | Type of cooperation | Legal title | Purpose | Processing period |
WordPress Corporate Office Headquarters Automattic, Inc. | 60 29th Street #343, San Francisco, California 94110-4929 USA | CMS Operator www.wordpress.com | Consent, legitimate interest | CMS administration | Until the consent is withdrawn, for the duration of the contractual relationship with the Controller |
Google Czech Republic, s.r.o. | 27604977 | Google Analytics Operator | Consent, legitimate interest | Marketing | Until the consent is withdrawn, for the duration of the contractual relationship with the Controller |
Facebook, Inc. | Facebook UK limited, 10 Brock Street, Regent’s place, London, NV1 3FG | Operator of the social network Facebook.com | Consent, legitimate interest | Direct marketing, contract fulfilment | Until the consent is withdrawn, for the duration of the contractual relationship with the Controller |
Ivo Macek, DiS. | Lidická 44a, 602 00 Brno, ID: 72523131 | External consultant – web administration, marketing | Consent, legitimate interest, performance of the contract | Performance of the contract | For the duration of the contractual relationship with the Controller, no more than 5 years after the termination of the contractual relationship with the Controller |
The administrator works with the customer’s data in other processing systems and their protection is secured by unique usernames and passwords. Usernames and passwords are stored on the Administrator’s personal computer, which requires a username and password to access.
The controller shall cease handling the customer’s data after the termination of the contractual relationship, after the expiry of the period specified in the consent to the processing of personal data or after the legal grounds for archiving personal data have passed.
In the event of a data breach or data leak, the Controller shall immediately notify the Customer and the Office for Personal Data Protection within 24 hours.
In Brno on 21 May 2018