INFORMATION MEMORANDUM ON THE PROCESSING OF PERSONAL DATA
The Information Memorandum on the Processing of Personal Data (Information Memorandum) that you are currently reading contains information about how we handle your personal data.
We, Prototypum s.r.o., with its registered office at U Panelárny 136, 273 43 Buštěhrad, identification number 048 21 866, registered in the Commercial Register maintained by the Municipal Court in Prague, file number C 254219 (the Company or we) are a company engaged in providing services in the field of industrial design, engineering, prototyping, 3D printing and other related activities (the Services) and the operator of an internet portal available at https://www.prototypum.com/ or htttps://prototypum.cz (the Portal).
Communicating legal information in an understandable way is a difficult discipline. For clarity and readability, we have divided this Information Memorandum into sections. If you follow the following steps, you will learn everything you need to know and not miss anything, while not wasting time reading passages that are not relevant to you.
- Please include yourself in one/some of the following categories and then read the relevant section(s) for you (you do not need to refer to the other sections).
- However, it is possible that more than one category and therefore more than one section may be relevant for you:
(a) Supplier (Section 2)
A supplier is any third party who supplies any goods or services to us.
(b) Client (section 3)
A Client is a person who uses our Services.
(c) Potential Client (Section 4)
A potential client is a visitor to the Portal or a person who contacts us on their own initiative or with whom we have a contractual or other legal relationship.
3. Finally, do not forget to read the final information, which is also the information applicable to all cases of processing of personal data, which can be found in section five.
1. GENERAL INFORMATION
1.1. The data controller
The controller is the person who, alone or jointly with others, determines the purposes for which and decides how personal data will be processed.
The data controller is Prototypum s.r.o., with a registered office at U Panelárny 136, 273 43 Buštěhrad, identification number 048 21 866, registered in the Commercial Register maintained by the Municipal Court in Prague, file number C 254219.
The administrator can be contacted by e-mail at jan.malina@prototypum.cz or by telephone at +420 775 660 090. The contact person of the administrator is Jan Malina, who can be contacted at the above address or telephone number.
1.2. Your rights
The controller does everything possible to ensure that the processing of your data is carried out properly and, above all, securely. You are guaranteed the rights described in this article, which you can exercise with the controller in writing, by email or by telephone at the contacts listed in article 1.1 above.
All communications and statements concerning the rights exercised by you are provided by the controller free of charge. However, if the request is manifestly unfounded or excessive, in particular, because it is repetitive, the controller is entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of a repeated request for copies of the personal data processed, the controller reserves the right to charge a reasonable fee for administrative costs for this reason.
The controller will provide you with a statement and, where appropriate, information on the measures taken as soon as possible and at the latest within one month. The controller is entitled to extend the time limit by two months if necessary and in view of the complexity and number of requests. The administrator will inform you of the extension, including the reasons for it.
(a) Right to information about the processing of your personal data and access to personal data
You are entitled to request information from the controller as to whether or not personal data are processed. If personal data are processed, you have the right to request information from the controller, in particular, about the identity and contact details of the controller, its representative and, where applicable, the data protection officer, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, the authorised controllers, a list of your rights, the possibility of contacting the Data Protection Authority, the source of the personal data processed and automated decision-making and profiling.
You have the right to be provided with copies of the personal data processed. However, the right to obtain this copy must not adversely affect the rights and freedoms of others.
If the controller intends to further process your personal data for a purpose other than that for which it was collected, it will provide you with information about that other purpose and other relevant information before that further processing.
The information provided to you in exercising this right is already contained in this Information Memorandum, but this does not prevent you from requesting it again.
(b) Right to repair
If there has been a change on your part, for example, of your residence, telephone number or another fact that can be considered personal data, you have the right to request the controller to correct the personal data processed. In addition, you have the right to have incomplete personal data completed, including by providing an additional declaration.
(c) Right to erasure (Right to be forgotten)
You have the right to request that the controller erase your personal data. This includes, for example, situations, where the data processed, is no longer necessary for the purposes set out below. The controller deletes personal data automatically after the necessary period for processing has expired, but you can contact the controller at any time with your request. Your request will then be subject to an individual assessment (despite your right to erasure, the controller may have an obligation or legitimate interest to process your personal data) and you will be informed in detail about the processing.
d) Right to restriction of processing
You have the right to require the controller to restrict the processing of your personal data (i.e. to prevent its use but at the same time to prevent its complete destruction), but only in the following cases:
- you contest the accuracy of the personal data (the processing will then be limited to the time necessary to verify the accuracy);
- the processing is unlawful and you do not wish to have it erased;
- the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of your legal claims;
- you object to the processing and verification is underway that the controller’s legitimate grounds for processing outweigh yours;
Even if the processing is restricted, the controller will still be able to process your personal data where necessary for the establishment, exercise or defence of its legal claims or for the protection of the rights of other natural or legal persons.
(e) Right to data portability
If you wish the controller to disclose your personal data to another controller or another company, the controller will transfer your personal data in the appropriate format to the entity designated by you, provided that no legal or other significant obstacles prevent it from doing so.
(f) Right to object and automated individual decision-making
If you become aware or believe that the controller is processing your personal data in breach of the protection of your private and personal life or in breach of the law (provided that the personal data is processed by the controller on the basis of public or legitimate interest, or is processed for direct marketing purposes, including profiling, or for statistical purposes or for purposes of scientific or historical interest), you may contact the controller and ask it to explain or rectify the deficiency.
You can also object directly to automated decision-making and profiling.
(g) Right to lodge a complaint with the Office for Personal Data Protection
You may at any time contact the supervisory authority, the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, website https://www.uoou.cz/, with your complaint regarding the processing of personal data.
1.3. Transfer of personal data to third countries or international organisations
The controller will not transfer your personal data to international organisations. The Controller may transfer some personal data to countries outside the European Union or the European Economic Area through entities with which it cooperates.
Such transfers will only occur where the transfer meets the conditions for transfer set out in the applicable and effective data protection legislation, i.e. the level of protection required by such legislation is guaranteed, on the basis of:
(a) the decision of the European Commission (inter alia, European Commission Decision 2016/1250 of 12 July 2016 (Privacy Shield)) pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the level of protection provided by the EU-US Privacy Shield;
(b) appropriate safeguards:
-
Binding Corporate Rules
-
Standard Contractual Clauses
(c) any of the exceptions for specific situations under the relevant legislation where one of the two points above cannot be applied.
At the same time, we will either inform you individually by email of any such transfer or publish an update to this Information Memorandum on the processing of personal data.
To enhance transparency, we disclose that we cooperate with, among others, the following entities that may be located outside the European Union or the European Economic Area:
| Company name |
Subject of cooperation |
Privacy information |
Data centre location (if outside the EU and EEA) |
| Google, Inc. | Gmail, Google Analytics | https://policies.google.com/privacy?hl=en&gl=ZZ | USA, Chile, Taiwan, Singapur |
| Microsoft | Office 365 Business Premium | https://www.microsoft.com/en-us/trust-center/privacy |
1.4. Automated individual decision-making
Automated individual decision-making is a situation when the processing of personal data is carried out solely by automated means (without human intervention), i.e. by means of automated information systems, web-based programs and other software.
The controller will not make any decision based solely on automated individual processing which would have legal effects on the data subject or similarly significantly affect the data subject.
2. SUPPLIER
A supplier is any third party who supplies any goods or services to us.
This Information Memorandum shall apply to the processing of personal data of Suppliers who are natural persons, as well as the Suppliers’ employees, members of the Supplier’s bodies and/or other collaborating persons, where necessary to fulfil the purposes of the processing set out below.
2.1. Categories of personal data processed
We process the following categories of personal data of Suppliers:
(a) basic identification data – name and surname or business name, date of birth (if provided), address and identification number;
(b) contact details – telephone number and email address;
(c) information for mutual communication – information from emails, records of telephone calls or other contact forms;
(d) billing and transaction data – this includes information appearing on invoices, agreed billing terms and payments received; and
(e) any other information that we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests.
2.2. Legal basis and purposes of personal data
We do not need consent to process the Suppliers’ personal data, as the processing is directly permitted by law. The legal basis for the processing of Suppliers’ personal data is (a) the performance of our contractual obligations, (b) compliance with legal obligations and (c) the protection of our legitimate interests.
The provision of Suppliers’ personal data is a legal and contractual requirement and Suppliers are obliged to provide this information. Failure to provide it will prevent the contractual relationship with the Suppliers from being established.
We process Suppliers’ personal data on the basis of the above legal authorisations for the following purposes:
(a) contract negotiations between us and Suppliers;
for this purpose we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information we process in connection with the performance of the contract or legal obligations and for the purposes of our legitimate interests.
(b) the performance of legal obligations arising for us from the contractual relationship with the Supplier;
for this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information that we process in connection with the performance of the contract or legal obligations and for the purposes of our legitimate interests.
(c) the fulfilment of notification obligations to public authorities and the fulfilment of archiving obligations (for example, under the Accounting Act);
for this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information that we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests.
(d) to ensure the communication between us and the Suppliers;
for this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications and any information we process in connection with the performance of the contract or legal obligations and for the purposes of our legitimate interests.
(e) the defence of our legal claims in judicial, extrajudicial and enforcement proceedings (legitimate interest is to prevent damage to us);
for this purpose, we process any information that we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests.
2.3. Method of obtaining personal data
We obtain the Suppliers’ personal data directly from the Suppliers, in particular from completed forms, mutual communication or concluded contracts. We may also obtain personal data from third parties who are authorised to access and process Suppliers’ personal data and with whom we cooperate, and from publicly available sources or social or business internet portals.
2.4. Recipients of personal data
Suppliers’ personal data may be transferred to third parties if necessary to achieve any of the purposes set out above. The list of our Suppliers changes over time and may also be partially protected by trade secrets, however, we disclose to you at least the categories of potential recipients.
As part of our business, we use a number of external entities that we engage to perform certain activities that form part of our Services to ensure that we operate as efficiently as possible. As part of this outsourcing, the processing of Suppliers’ personal data may also be carried out on the basis of legal requirements (we, therefore, do not need the Suppliers’ consent for this processing). Our Suppliers thus become processors, but are only entitled to handle the Suppliers’ personal data for the purposes of the activities they perform for us. These include, for example, IT service providers, external accountants, external planners, designers and engineers, document and records management providers, etc.
2.5. Retention period of personal data
Personal data will be processed and stored for no longer than the duration of the contract and business relationship between us and the Supplier. Furthermore, for a period of 3 years after the end of this relationship, unless otherwise specified below.
Personal data processed for the purpose of defending our legal claims in judicial, extrajudicial and enforcement proceedings will be processed for a period of 15 years from the end of the business relationship between us and the Supplier, which corresponds to the longest possible limitation period provided for by law.
Personal data processed on the basis of the performance of our legal obligations under accounting, tax and other relevant legislation shall be retained for the period specified therein; for example, we retain Suppliers’ personal data relating to accounting matters for 5 years from the end of the business relationship and we retain Suppliers’ personal data relating to tax matters for 10 years from the end of the relevant tax period.
Personal data that is relevant to the exercise of our legitimate interests will be retained for no longer than the duration of the contract and business relationship between us and the Supplier. In addition, for a period of 3 years from the end of this relationship.
2.6. Special rights of the Supplier
The Supplier may object to processing carried out by us on the basis of our legitimate interests. The procedure for exercising this objection can be found in Article 1.2 (f) of Section 1.
3. CLIENT
The Client is the person who uses our Services.
This Information Memorandum shall apply to the processing of personal data of Clients who are natural persons, as well as employees of Clients, members of the Clients’ bodies and/or other persons cooperating with the Clients, insofar as it is necessary to fulfil the purposes of the processing set out below.
3.1. Categories of personal data processed
We process the following categories of personal data of Clients:
(a) basic identification data – name and surname or business name, date of birth (if provided), address and identification number;
(b) contact details – telephone number and email address;
(c) information from mutual communication – information from emails, telephone records or other contact forms;
(d) billing and transaction data – this includes information appearing on invoices, agreed billing terms and payments received; and
(e) any other information that we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests.
3.2. Legal basis and purposes for processing personal data
We do not need consent to process Clients’ personal data, as the processing is directly permitted by law. The legal basis for the processing of Client Personal Data is (a) the performance of our contractual obligations, (b) compliance with legal obligations, and (c) the protection of our legitimate interests.
The provision of Clients’ personal data is a legal and contractual requirement and Clients are obliged to provide this information. Failure to provide it will prevent the Client from receiving our services.
We process Clients’ personal data based on the above legal authorisations for the following purposes:
(a) to negotiate a contract for the provision of our Services;
For this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information that we process in connection with the performance of the contract or legal obligations and for the purposes of our legitimate interests.
(b) the performance of obligations under Service Contracts entered into with Clients;
for this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information we process in connection with the performance of the contract or legal obligations and for the purposes of our legitimate interests.
(c) the performance of legal obligations arising for us from our contractual relationship with the Client;
for this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information that we process in connection with the performance of the contract or legal obligations and for the purposes of our legitimate interests.
(d) compliance with reporting obligations to public authorities and archiving obligations (e.g. under the Accounting Act);
for this purpose, we process the following categories of personal data: basic identification data, contact data, information from mutual communications, billing and transaction data and any information that we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests
(e) to ensure the communication between us and the Clients;
for this purpose we process the following categories of personal data: basic identification data, contact data, information from mutual communications and any information we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests.
(f) the defence of our legal claims in judicial, extrajudicial and enforcement proceedings (legitimate interest is to prevent damage to us);
for this purpose, we process any information that we process in connection with the performance of a contract or legal obligation and for the purposes of our legitimate interests.
3.3. Method of obtaining personal data
We obtain Clients’ personal data directly from Clients, in particular from completed forms or communication with each other. In addition, we may obtain personal data from third parties who are authorised to access and process Clients’ personal data and with whom we cooperate, and from publicly available sources or social or business internet portals.
3.4. Recipients of personal data
Clients’ personal data may be transferred to third parties where necessary to achieve any of the purposes set out above. The list of our suppliers changes over time and may also be partially protected by trade secrets, however, we disclose to you at least the categories of potential recipients.
As part of our business, we use a number of external entities that we engage to perform certain activities that form part of our Services to ensure that we operate as efficiently as possible. As part of this outsourcing, we may also process Clients’ personal data on the basis of legal requirements (so we do not need Clients’ consent for this processing). Our suppliers thus become processors, but are only entitled to handle Clients’ personal data for the purposes of the activities they perform for us. In particular, these are IT service providers, external accountants, external planners, designers and engineers, document and records management providers, etc.
3.5. Retention period of personal data
Personal data will be processed and stored for a maximum period of time for the duration of the contract and business relationship between us and the Client. In addition, for a period of 3 years from the end of this relationship, unless otherwise specified below.
Personal data processed for the purpose of defending our legal claims in judicial, extrajudicial and enforcement proceedings will be processed for a period of 15 years from the end of the business relationship between us and the Client, which corresponds to the longest possible limitation period provided for by law.
Personal data processed pursuant to our obligation to comply with our legal obligations under accounting, tax and other relevant legislation will be retained for the period of time specified therein; for example, we will retain Clients’ personal data relating to accounting matters for 5 years from the end of the business relationship and we will retain Clients’ personal data relating to tax matters for 10 years from the end of the relevant tax period.
Personal data that is relevant to the exercise of our legitimate interests will be retained for no longer than the duration of the contract and business relationship between us and the Client. In addition, for a period of 3 years from the end of this relationship.
3.6. Special rights of the Client
The Client may object to processing carried out by us on the basis of our legitimate interests. The procedure for exercising this objection can be found in Article 1.2 (f) Section 1.
4. POTENTIAL CLIENT
A Potential Client is a visitor to the Portal or a person who contacts us on their own initiative or with whom we have a contractual or other legal relationship.
4. 1. Categories of personal data processed
We process the following categories of personal data of Potential Clients:
(a) identifying information – name, surname, if provided to us by the Potential Client;
(b) contact information – email address, postal address, telephone number) if provided to us by the Potential Client;
(c) information from personal, telephone and electronic communications between the Company and the Potential Client, if any;
d) geolocation information – information from the web browser or mobile applications used by the Potential Client when visiting the Portal); and
e) cookies, which we use primarily to provide a better user experience and personalized content on our website. We also use cookies for promotional purposes, to analyse behaviour on the Website or when communicating with third parties. You can modify your cookie settings directly in your browser and you give us implicit consent to this category of personal data just by setting your browser settings.
We process all these categories of personal data, if we have them, for all the purposes for which the Potential Client has given us his/her consent or from the communication, if any, that has taken place or as a result of a visit to the Portal, through which we may have access to the information referred to in points (d) and (e) above.
4.2. Legal basis and purpose for processing personal data
We do not need consent to process the personal data of Potential Clients if they are disclosed or provided to us by Potential Clients in the course of our communication with each other at the initiative of a Potential Client or in the context of a contractual or other legal relationship, as the processing of such data is directly permitted by law. The legal basis for processing such personal data of Potential Clients is (a) the contractual or other legal relationship with the Potential Client, (b) compliance with legal obligations, and (c) the protection of our legitimate interests.
In relation to the personal data referred to in clause 4.1 above, unless the processing is based on the legal grounds listed in the paragraph above of this clause 4.2, the legal basis for processing this personal data is your consent. You express this by sending your personal data as referred to in Article 4.1 above to our e-mail address or by providing it by telephone. You may withdraw the consent given at any time.
If you are only a visitor to the web interface of the Portal and we have no contractual or other legal relationship with you, then we may only process the personal data referred to in (d) and (e) of Article 4.1 above (as we do not have access to any other data), and we need your consent (which you provide via your web browser settings) to process such personal data as it is not for the performance of our contractual or legal obligations. The legal basis is therefore only your consent, which you provide through your web browser settings, which you can change or cancel at any time (and this is done through your web browser settings).
If you sign up for newsletters and other information about our activities on the Portal, we will process your personal data for the following marketing purposes:
(a) sending newsletters via email, up to a maximum of once a week.;
(b) sending you information about events organised by the Company by e-mail;
(c) sending commercial communications, in particular, offering goods and Services provided by the Company via e-mail;
(d) conducting market research surveys;
(e) automated processing for the purpose of analysing a Potential Client’s personal data in order to develop targeted advertising relevant to the Potential Client’s needs;
(f) marketing processing, analysis and profiling in order to tailor the offer of goods and Services to the needs of the Potential Client and to improve the quality of the Services; and
(g) the organisation and evaluation of various types of competitions or surveys with or without the possibility of winning a prize,
we need your consent where we are not in a contractual or other legal relationship with each other. Providing this consent is not a legal or contractual requirement, so if you do not give us consent to process your personal data for marketing purposes, it does not mean that we will refuse to provide you with our Services as a result.
In order to process the Personal Data of Potential Clients on the basis of the consent given for marketing purposes above, the Potential Client is always free to choose from the individual purposes under a) to g) above. The scope of the processing purposes is then specified for each Potential Client in the consent given by them.
4.3. Method of obtaining personal data
We obtain the Personal Data of Potential directly from Potential Clients, in particular from completed forms, visits to the Portal, contractual or other legal relationships, and communications with each other.
4.4. Recipients of personal data
Personal Data Potential Clients may be transferred to third parties where necessary to achieve any of the purposes set out above. Our list of suppliers changes over time and may also be partially protected by trade secrets, however, we disclose to you at least the categories of potential recipients.
As part of our business, we use a number of external entities that we commission to perform certain activities that form part of our services to ensure that we operate as efficiently as possible. As part of this outsourcing, we may also process the personal data of Potential Clients on the basis of legal requirements (we do not therefore need the consent of Potential Clients for this processing). Our suppliers thus become processors, but are only entitled to handle the personal data of Potential Clients for the purposes of the activities they perform for us. These include, for example, IT service providers, external accountants, external planners, designers and engineers, document and records management providers, etc.
4.5. Retention period of personal data
Personal Data will be processed and stored for a maximum period of time during the mutual communication or contractual or other legal relationship between the Potential Client and the Company and for a period of 1 year after its termination.
4.6. Special rights of Potential Client
The Potential Client may object to the processing we carry out on the basis of our legitimate interests. The procedure for raising this objection can be found in Section 1.2 (f).
In the case of processing based on consent given by the Potential Client, the Potential Client has the right to withdraw the consent given for the processing of personal data at any time.
5. FINAL INFORMATION
This Information Memorandum has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC and Act No. 110/2019 Coll. on the processing of personal data, as amended
If you have any questions regarding the processing of your personal data, please do not hesitate to contact us by email at jan.malina@prototypum.cz or by phone at +420 775 660 090. In all cases, we can be contacted at our delivery address U Panelárny 136, 273 43 Buštěhrad.
This Information Memorandum is valid from 1st January 2020.