Privacy Policy
Carplastix Refinishing s.r.o. Privacy Policy
I. Introduction
We, Carplastix Refinishing s.r.o., CIN: 09257004, with our registered office at Poličany 59, 284 01 Kutná Hora, listed in the Commercial Register maintained by the Municipal Court in Prague under file reference C 333380 (hereinafter also referred to as ‘we’ or ‘Carplastix’), have prepared this policy and data protection rules in order to present to you the manner in which we collect, process, use and protect your personal data thus helping protect your privacy.
All operations involving your personal data are carried out in accordance with applicable law, in particular Act No. 110/2019 Coll., on the processing of personal data, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (‘GDPR’), Act No. 127/2005 Coll., on electronic communications, as amended, and Act No. 480/2004 Coll., on certain information society services, as amended.
At the same time we would like to explain to you the most important concepts and processes we use to protect your personal data and answer any questions you may have regarding the collection, processing and storage of your personal data.
II. Oversight
We pride ourselves on following all established and binding rules and security measures in all operations involving your personal data and, as a result, we believe there will be no events causing you to be dissatisfied with our behaviour towards you.
Yet, if you disagree with the way we process your personal data, you can contact:
Office for Personal Data Protection
address: Pplk. Sochora 27, 170 00 Prague 7
tel.: 234 665 111
web: www.uoou.cz
III. Our approach
We consider the protection of personal data to be very important and therefore pay a great deal of attention to it. As a result you can rest assured that your personal data is handled with due care and in accordance with applicable law, and that your personal data is protected to the maximum possible extent and at a high technical standard.
To fully understand how we protect your personal data, we recommend that you read this document carefully.
We adhere to the following principles when processing your personal data:
- Lawfulness, which requires us to process your personal data in accordance with the law and rely, in doing so, on at least one legal basis.
- Fairness and transparency, principles that require us to process your personal data openly and transparently and provide you with information about how it will be processed, together with information such as to whom your personal data will be disclosed (for example, if we store your personal data in data repositories, i.e., clouds, outside the European Union and the European Economic Area). This also includes our obligation to inform you in the event of a serious security breach or personal data leak.
- Purpose limitation, a principle that only allows us to collect your personal data for a clearly defined purpose.
- Data minimisation, a principle that requires us to only process the personal data that is necessary, relevant and proportionate in relation to the purpose of its processing.
- Accuracy, a principle that requires us to take all reasonable steps to ensure that we regularly update or correct your personal data.
- Storage limitation, a principle that requires us to only keep your personal data for the period necessary for the specific purpose for which it is processed (for example, for the period for which a marketing consent has been given, unless it has been withdrawn before the expiry of that period). As soon as the time period for processing or the purpose of processing has passed, we will erase or anonymise your personal data, i.e., modify it so that it cannot be linked to you.
- Integrity and confidentiality, non-repudiation and availability, principles that require us to secure and protect your personal data from unauthorised or unlawful processing, loss or destruction. For these reasons, we take numerous technical and organisational measures to protect your personal data. At the same time, we make sure that only selected employees have access to your personal data.
- Accountability, a principle that requires us to be able to demonstrate compliance with all of the above conditions.
IV. Points of contact for your questions, responsible persons
If you have any concerns regarding any part of this document, or if you have any questions or comments about the protection of your privacy, please do not hesitate to contact us:
(a) in person or in writing at the address of the registered office
(b) electronically at gdpr@carplastic.cz
The responsible person role is always assumed by Carplastix’s executive officer or a person further authorised by them.
V. Personal data
Personal data is information that makes it possible for you to be identified. As such, personal data is information that is specifically attributable to you. Anonymous or aggregated data, i.e., data that we cannot unambiguously link to you, does not constitute personal data.
We divide personal data into:
- Basic data, such as your name, surname, date of birth, ID (or other document) number, email address, telephone number, home address, etc.
- Special categories of personal data constitute sensitive personal data, i.e., information of a highly personal nature such as information about your health.
We further divide the basic data into individual categories; for a list of the categories see Article XV, Categories of data.
VI. Legal grounds for processing personal data
We will only ever collect and process your personal data if it is necessary in order to fulfil the relevant purpose. Whether or not you transmit your personal data to us is a matter of your voluntary decision, and insofar as the transfer is based on your consent, you can request the erasure of the personal data processed under certain conditions (see Article X, Your rights, for more details).
In some cases, such as entering into a contract for the purchase of our goods or services, we need to obtain the necessary personal data from you at the time of placing your enquiry or order for those goods or services. Without the data we would not be able to comply with your requests and conclude the contract in question with you, especially with regard to the fulfilment of our statutory duties, but also with regard to the protection of our legitimate interests.
Below are the legal grounds defined by applicable law based on which we are entitled to process your personal data.
The main grounds for the processing of your personal data include:
- Consent – you give us your consent for one or more specific purposes (for example, to send you commercial communications and newsletters). To obtain consent for the processing of your personal data, we adhere to the following rules: (i) we will always obtain the consent to the processing of your personal data from you separately, so the consent will not be part of the text of the contract or another arrangement, (ii) the text of the consent will always be clear, (iii) the granting of the consent will always require you to take an active action, so no fields will be pre-filled in for you, (iv) you will give your consent separately for each purpose of processing.
- Contract performance – we need your personal data in this context for the purpose of entering into a contractual relationship and subsequent performance of the contract, and possibly even before entering into a contract (for example, an enquiry or order prior to entering into a contract).
- Complying with a legal obligation – we need to process your personal data in this context in order to comply with our legal obligations as a controller.
- Legitimate interest – the processing of your personal data would be necessary on account of our legitimate interests, except where those interests are overridden by your interests or your fundamental rights and freedoms.
Rather marginally, the following legal grounds may apply to the processing of your personal data:
- Protection of data subjects’ interests – processing of your personal data may be necessary to protect the vital interests of you or another natural person.
- Public interest – we are required to process your personal data in order to perform a task carried out in the public interest or in the exercise of official authority vested in us as a controller.
VII. Method of processing personal data
The controller and, where applicable, their processors shall process the personal data manually (in paper and electronic form) and electronically by automated means.
VIII. Grounds for processing personal data
We need to be able to base any processing of your personal data on a legal basis.
Therefore, examples of the situations where we will most often request your personal data and the purpose for which we will do so are as follows:
- Purchase of goods or services – the legal basis will be the conclusion and performance of the contract or any performance prior to the conclusion of the purchase contract.
- Marketing purposes – the legal basis will be the consent granted to the sending of newsletters and commercial communications. For some commercial communications, our legitimate interests may be involved and the consent may not be necessary (e.g. mass recall events, changes to terms and conditions, etc.).
- Storage of cookies necessary for the functioning of the website – for essential cookies, the legal basis will be our legitimate interest, as the storage of the cookies is necessary for the proper functioning of the website. For other categories of cookies, the processing will be based on your consent.
IX. Personal data protection
Your privacy is very important to us, and so we have put in place the necessary technical and organisational measures to ensure the security of your personal data so that it does not fall into the hands of unauthorised persons.
X. Your rights
Of course, the protection of your privacy would be incomplete if you did not have rights in relation to your personal data. Below is a list of your privacy protection rights, together with a practical explanation of how they are exercised:
- Right to information on the processing of your personal data
You are entitled to information concerning our full identification as the controller of your personal data. At the same time, you have the right to know the legal basis of the processing (for example, contract performance), the purpose (for example, contracts for the purchase of our goods or services) or information about the retention period of your personal data.
- Right of access to personal data
You have the right to obtain from us, upon your request, information as to whether or not we process your personal data and, if so, to what extent. If you so request, we are also required to provide you with information on the purpose of the processing, the recipients of the personal data processed or other related information.
- Right to rectification
You have the right to demand that we rectify any of your personal data that we process if there has been a change to it (for example, a change of surname, change of address, etc.). It is not our duty as a data controller to actively ascertain whether or not the data we collect concerning you is up to date, correct or accurate; however, if you bring this to our attention, it is our duty to deal with your comment or request for rectification. Provided the same conditions are met, you also have the right to demand that we complete your personal data.
- Right to erasure
Also known as the ‘right to be forgotten’, this right of yours means we, as the data controller, are required to erase your personal data in the following cases:
  - the purpose of the processing has ceased to apply,
  - you have withdrawn your consent to the processing of your personal data and there is no other basis for processing your personal data (for example, withdrawal of a marketing consent provided that you do not have a contractual relationship with us),
  - you object to the processing of your personal data (provided the objection is valid and there is no legal basis for processing your personal data),
  - we are required to delete your data in accordance with applicable law (for example, as a result of a statutory duty to erase the information).
- Right to object
This right is similar to the right to withdraw consent and applies where we process your personal data on the basis of our legitimate interest (for example, to protect our property). You can also object to the processing if your personal data is processed for direct marketing purposes. Where justified, your personal data will be erased after your objection has been acknowledged and we will refrain from its further processing.
- Right to data portability
If you ask us to transfer your personal data to another data controller, it is our obligation to provide and transmit the data to that data controller in a structured, commonly used and machine-readable format. You can only exercise the right to data portability if the processing is based on consent or contract and, at the same time, involves automated processing, i.e., processing that is carried out exclusively by technical means on the basis of a predetermined algorithm and without any human intervention.
- Right not to be subject to a decision based solely on automated processing (automated decision-making)
This means that if the processing of your personal data is to form the basis of a decision, typically when assessing your creditworthiness before granting a loan, you have the right to request that your personal data be assessed by a human.
XI. Controller, processor
As a data controller, we determine the purpose and means of processing your personal data.
Processing denotes any operation or set of operations involving personal data, such as collecting, processing, organising, structuring, etc.
As a controller of your personal data, we are also responsible for complying with all duties and principles related to the protection of your personal data, especially for ensuring sufficient security of the data. If there is a breach of security of your personal data, which of course we will do our best to avoid, we are required to notify the Office for Personal Data Protection within 72 hours.
Furthermore, if a security breach with respect to your personal data poses a significant risk to you, we are also required to notify you, provided that we have your up-to-date contact details.
The processor is the person to whom we, as the controller, transfer your personal data and who further handles it in accordance with the instructions given by us. To make sure that your personal data is handled in accordance with applicable law and is provided with sufficient security, we enter into a personal data processing agreement with the processor.
XII. Transfer of personal data abroad
We only transfer personal data abroad where necessary to ensure the cross-border transport of goods.
XIII. Data subject
Only a natural person can be a data subject. Consequently, privacy law does not apply to legal persons, typically companies, cooperatives, associations, etc.
If you want to know when and under what conditions you can find out the scope of the personal data we process about you, or if you want to have the personal data we process about you erased, please read Article X, Your rights, which explains the specific processes and the conditions that apply to them.
XIV. Glossary
Sensitive data – data of a special nature, such as health information or biometric data that makes it possible to identify a specific person (currently referred to as ‘special categories of personal data’ under applicable law).
Cookie – a short text file that is sent to the browser by the visited website. Cookies make it possible for the website to record information about your visit, such as your preferred language and other settings. This can make your next site visit easier and more productive. Cookies are important. Without them, browsing the website would be much more difficult.
Legitimate interest – the interest of the controller or of a third party, for example, where the data subject is the controller’s customer, except where the interests of the data subject or their fundamental rights and freedoms take precedence over such legitimate interest.
Personal data – information about a specific, identifiable person.
Recipient – the person to whom the data is transmitted.
Service – means any of the services we offer to you.
Controller – the person who determines the purpose and means of processing personal data; the controller may delegate the processing to a data processor.
Data subject – a living person to whom the personal data relates.
Purpose – the purpose for which the controller uses your personal data.
Goods – the product you are buying from us.
Processing – an activity the controller or processor carries out with personal data.
Processor – a person who processes personal data for the controller.
XV. Categories of data
Below you will find the different general categories of personal data and a breakdown of the specific data we include under them; this does not mean that we will require all of this data from you.
Identification data: first name, surname, maiden name, salutation, academic degrees before/after the name, gender, language, place of residence, place of permanent residence, date and place of birth, date of death, nationality/citizenship, personal identifier (assigned by the company), type of document, diplomatic passport number, ID card number, CIN, TIN, social security number, driver’s licence number, passport number, validity of proof of ID, date and place of issuance of a proof of ID, proof of ID photo, application login, date of record creation/erasure, employee number, employer, job title, journalist accreditation number, signature.
Contact details: mailing address, workplace address, telephone number, fax number, email address, data box, social media contact details.
Psychological characteristics: any information about character/personality/disposition/mood.
Physical characteristics: any physical characteristics (hair colour, eye colour, height, weight, etc.).
Risk profiles: cyber risk, AML risk, anti-fraud risk, CFT risk, embargo risk, PEP, other security risk.
Data on the family and other persons: marriage, partnership, marital status (date from which it applies), number of children, household information, child’s name and surname, child’s date of birth, information on other persons (kinship and other relationships).
Descriptors: social status (student/employed/unemployed/no income), job title and experience, skills, education, qualifications, lifestyle, habits, leisure and travel, membership in, e.g., charities or volunteer organisations, information about the area where the data subject lives, housing information, milestones in the subject’s life (moving, obtaining a driving licence), health insurer’s code, firearms licence (yes/no), left/right handed, EHIC card number, preferred dealer, copy of proof of incapacity for work, segmentation.
Copy of a personal document or other public document: copy of the ID card, copy of passport, copy of ZTP (severe health disability), ZTP-P (severe health disability requiring special assistance) passes, copy of driver’s licence, copy of diplomatic passport, copy of technical licence, birth number.
Indication of race or ethnic origin: racial or ethnic origin.
Political views: political views.
Information on religion or philosophical beliefs: religion or philosophical conviction.
Information on union membership: union membership.
Genetic data: genetic data.
Biometric data: biometric data (e.g. signature, photograph, fingerprint).
Data relating to criminal convictions and offences or related security measures: data relating to criminal convictions and offences or related security measures.
Health data: physical health, mental health, risk situations and risk behaviour, severe health disability, severe health disability requiring special assistance, blood type, health care data, data on sex life or sexual orientation.
Wages and similar data: wage/fee, wage compensation, average earnings, bonuses/benefit draw-downs, wage deductions, wage sending method, expenses, private account number, consumption of internal resources, insurance, taxes and levies, taxpayer’s declaration, tax returns and documents, information on employees’ assets.
CVs, cover letters and selection records: CVs, cover letters, records and results of selection procedures.
Details of work activity: job title, cost centre, supervisor, working hours & public holidays, holiday, sick leave, maternity/parental leave, career breaks, attendance, events, calendar, home office, teleworking, travel information and other changes in employment status, daily schedule/time sheets, equipment and other entrusted valuables, ICT assets, hours worked, training completed, access rights, accident logbook, performance of work activity for a third party, donations received and provided.
Evaluation and related communication: feedback from employees, survey responses, complaints/concerns/suggestions/requests/questions and their handling, service requests, evaluation records, internal sanctions, self-assessment, personal goals and KPIs.
Other employee identification and contact data: employee card number, access rights/ID2/user id, work email accounts, work phone numbers, IT system passwords, access/logins to internal IT systems – VPN connection, data on employees from the group.
Transaction details: bank account number, debit/credit card number, authorisations/powers of attorney, transaction date, transaction amount.
Transaction history: transactions and contracts including related information, offers/requests for trading opportunities, subject, date, place of transaction, reminders, group trading information.
Business profile: business profile derived from analytical modelling, VIP and similar designations, intention to purchase a car (when, what, what financing), interest in test drives, solvency.
Internal audit and investigation data: internal investigation records, whistleblowing cases, internal system logs, logs related to Internet usage/traffic, logs related to email usage/traffic, logs related to telecommunication usage/traffic.
CCTV footage: CCTV footage.
Entrance device records: entrance device records.
Data on campus movement: information in the visitors’ book.
Photos/videos: photos, videos.
Voice recordings: voice recordings.
Communications, interactions and profiles derived from the following data: chat (instant messaging), conversations, email communications, surfing/clicking/searching and listening/viewing behaviour or behaviour relating to the Internet/emails/media/apps, information obtained through feedback/surveys/comments/suggestions/complaints in relation to the controller, agreement/disagreement to the type or form of communication.
Product technical data: VIN, licence plate number, information on the use of items (e.g. vehicles), information on the ownership of vehicles, information on servicing visits, technical descriptions of items (e.g. vehicle colour).
Location data: GPS- or beacon-based location data, location data derived from other operations (e.g. card payments at merchant premises).
Network identifiers: MAC address, IP address, device fingerprint, cookies or similar browser technology information.
Data on the course of studies: class, major, grades, student evaluation, experience.