INFORMATION MEMORANDUM ON PERSONAL DATA PROCESSING

Dear customers and trade partners,

This document contains basic information about our processing of your personal data. We appreciate your sharing your personal data with us and we are ready to protect them as best as possible. We also seek to be very open in relation to you, in particular as regards the way in which we process your personal data. 
Because of the new EU legislation, this Information Memorandum has been drawn up in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
This Information Memorandum sets out the basic information that we are, as a personal data controller, obliged to provide. Should you be interested in the detailed principles of personal data processing, which we follow, you can find them in Personal Data Protection Principles available here.

1. Who is a personal data controller?

‘Controller’ means the person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The controller of your personal data shared with us is BALANCE CLUB BRUMLOVKA a.s., having its registered office at Praha 4 - Michle, Želetavská 1525/1, postcode 140 00, Company No. 274 45 810, incorporated in the companies register maintained by the Municipal Court in Prague under Ref. No. B 10678.
Should you have any questions concerning the processing of your personal data please do not hesitate to approach the controller via e-mail at gdpr@balanceclub.cz or over the telephone at +420 234 749 811. We can also be reached at our delivery address at Želetavská 1525/1, 140 00 Praha 4 in all cases.

2. Who is the person responsible for personal data protection?

The person responsible for personal data protection is a person experienced in personal data protection and is doing his or her best for the processing to run the way it should, in particular in compliance with the relevant legislation. This is also the most competent person to handle questions and requests concerning personal data.
At the controller, the responsible person is the one in the position as Head of Controlling & Asset Management, who can be approached via e-mail at gdpr@balanceclub.cz or over the telephone at +420 234 749 811.

3. For what purpose do we need personal data?

The controller processes personal data for the following purposes:

a) For entering into and subsequent performance of a contract between the controller and you (Article 6 (1) (b) GDPR). Additional legal obligations derive from such a relationship and the controller therefore also has to process Personal Data for this purpose as well (Article 6 (1) (c) GDPR);

b) For marketing purposes in order that the controller adjusts the offer of its products and services and commercial communications regarding the same to your needs as best as possible; for this purpose of processing, the controller is obtaining your explicit consent (Article 6 (1) (a) GDPR);

c) For the protection of its other legitimate interests (Article 6 (1) (f) GDPR).
The provision of personal data to the controller is, in general, a statutory and contractual requirement. Consent is required from you in respect of the provision of personal data for marketing purposes, which does not constitute the performance of the controller’s contractual and statutory obligation. Where you do not give the controller consent to personal data processing for marketing purposes, this does not mean that the controller should refuse to provide its product or service under a contract to you as a consequence thereof

4. What are our legitimate interests?

The controller also processes personal data for the purposes of protecting its legitimate interests. The controller’s legitimate interests include, without limitation, the due performance of all of the controller’s contractual obligations, the due performance of all of the controller’s statutory obligations, direct marketing, protection of the controller’s business and property, and, equally importantly, environmental protection and providing for sustainable development. 
In order to ensure the best possible protection of your privacy, you have the right to raise an objection demanding that your personal data be processed solely for the strictly necessary statutory reasons or that they be blocked. Please see Article 11 of this Information Memorandum for more information about the rights related to personal data processing.

5. How have the personal data been obtained? 

The controller has obtained personal data directly from you, in particular from filled in forms, mutual communications, or concluded contracts. In addition, personal data may also come from publicly accessible sources, registers and records such as the commercial register, the register of debtors, professions registers or the Land Registry. The controller may also have obtained personal data from third parties authorised to access and process your personal data, with which the controller cooperates, and also from information in social networks and the internet, which you yourself have posted there.

6. What personal data categories may be processed?

In order to ensure your satisfaction from the due performance of obligations, to ensure the performance of statutory obligations, to ensure a personalised offering of the controller’s goods and services, and for other purposes specified in the foregoing, the controller processes the following categories of personal data:

a) Basic identifiers: the first name and surname, date of birth, address of residence, Birth Registration Number, and [business] Registered No.;

b) Contact details: the telephone number and the e-mail address;

c) Information about the use of the controller’s products and services: this includes information about the products that you had agreed on with the controller and that you are using now, including the settings of products, etc.; 

d) Information from our mutual communication: information from e-mails and text messages (SMS and MMS), from recordings of telephone conversations or from other contact forms;

e) Invoicing and transaction data: these primarily include information appearing on invoices, that about the agreed invoicing terms, and that about received payments;

f) Geo-localisation information, i.e. information from the internet browser or mobile applications that you use.

7. What is the legal basis for personal data processing?

The lawfulness of processing relies on Article 6 (1) GDPR, under which processing shall be lawful if it is necessary for the performance of a contract, for compliance with a legal obligation to which the controller is subject, for the purposes of the legitimate interests pursued by the controller, or the processing takes place on the basis of consent that you have given us.
The lawfulness of processing also relies on Act No 563/1991 on accounting, under which invoicing data are processed and stored, Act No 89/2012, the Civil Code, under which the controller protects its legitimate interests, and Act No 235/2004 on value-added tax.

8. Will we transmit personal data to anybody else?

Within the statutory limits, we must disclose personal data to state administration bodies such as the tax administrator, courts, criminal justice authorities, and capital market supervisory bodies. We will transmit personal data to other persons only in compliance with the law or, where applicable, provided that you give your consent thereto. 

9. Will we transfer personal data to third countries or international organisations?
We will not transfer personal data to countries outside the European Union or the European Economic Area, or to any international organisation.

10. For how long will we store personal data?

Personal data will be processed and stored at least throughout the duration of the contract. Some personal data required, for example, for tax and invoicing obligations will be retained for a longer time, usually for five years beginning the year following the occurrence of the stored fact.
The personal data that are important for the controller to pursue its legitimate interests will be stored for no more than three years from the end of the contractual relationship with the controller. 
The personal data that are processed for marketing purposes will be stored for no more than five years from the acquisition thereof. 
Personal data will never be stored for a longer time than the maximum laid down in the law. Following the end of the archiving period, personal data will be destroyed securely and irrecoverably to prevent abuse thereof. 

11. What are your rights related to personal data processing and how can you exercise them?

The controller makes its best effort to ensure that the processing of your data is performed as due and, primarily, securely. You are guaranteed the rights described in this Article, which you can exercise in relation to the controller.

Manner of exercising your rights
You can exercise the various rights through a request sent to the person responsible for personal data protection as specified in Article 2 above.
The controller shall provide all communications and comments on the rights that you exercise free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs of providing the requested information. In the case of repeated requests for the provision of copies of the personal data undergoing processing the controller reserves the right to charge a reasonable fee based on administrative costs for this reason. 

The controller shall provide an opinion and any information on action taken on a request to you without undue delay and in any event within one month. The controller may extend this period by further two months where necessary, taking into account the complexity and number of the requests. The controller shall inform you of any such extension together with the reasons for the delay.

Right to be informed about the processing of your personal data

You have the right to obtain from the controller confirmation as to whether or not personal data are processed. Where that is the case, you have the right to obtain from the controller information about, without limitation, the identity and the contact details of the controller and the controller’s representative and, where applicable the data protection officer, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient of the personal data, the controller’s legitimate interests, a list of your rights, the opportunity to resort to The Office for Personal Data Protection, the source of the personal data undergoing processing, and any automated decision-making and profiling.
Where the controller intends to further process your personal data for a purpose other than that for which the personal data were obtained, the controller shall provide you prior to that further processing with information on that other purpose and with any relevant further information.
The information provided to you as part of the exercise of this right is already contained herein, but this does not prevent you from requesting it again. 

Right to access to personal data

You have the right to obtain from the controller confirmation as to whether or not your personal data are undergoing processing, and, where that is the case, access to information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipient, the period for which the personal data will be stored, your rights (the right to request from the controller rectification or erasure or restriction of processing or to object to such processing), the right to lodge a complaint with The Office for Personal Data Protection, information as to the source of personal data, information about the existence of automated decision-making, including profiling, information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, and information and safeguards where personal data are transferred to a third country or to an international organisation. You have the right to obtain copies of the personal data undergoing processing. However, the right to obtain such copy shall not adversely affect the rights and freedoms of others.

Right to rectification

In the event of a change on your part, such as change of the address of residence, telephone number or other fact that can be regarded as an item of personal data, you have the right to obtain from the controller the rectification of the personal data undergoing processing. In addition, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure

In certain specified cases, you have the right to obtain from the controller the erasure of your personal data. Examples of such cases include the fact that the data being processed are no longer necessary for the above-mentioned purposes. The controller shall erase personal data automatically following the end of the period of necessity, but you can request erasure from the controller at any time. Your request shall then be subjected to an individual assessment (despite your right to erasure, the controller may have the obligation or legitimate interest to retain your personal data) and you shall receive detailed information about the handling thereof.

Right to restriction of processing 

The controller shall process your personal data only in the strictly necessary extent. However, should you feel that, for example, the controller is overstepping the above-mentioned purposes for which it is processing the personal data you can request that your personal data be processed solely for the most necessary statutory reasons or that the personal data be blocked. Your request shall then be subjected to an individual assessment and you will receive detailed information about the handling thereof.

Right to data portability

Should you want the controller to provide your personal data to another controller, i.e. another company, the controller shall transmit the personal data in an adequate format to the entity designated by you, unless the controller is prevented from doing so by any statutory or other material obstacles. 

Right to object and automated individual decision-making

Should you find or only believe that the controller is processing personal data contrary to the protection of your private and personal life or contrary to legislation (providing that the controller is processing personal data on the basis of a public or legitimate interest or for direct marketing purposes, including profiling, or for statistical purposes or for scientific or historical research purposes) you can request the controller to provide an explanation or to remedy the defective situation. 
You can also object directly to automated decision-making and profiling.

Right to lodge a complaint with The Office for Personal Data Protection

You can lodge suggestions or complaints in regard to personal data processing at any time with the supervisory authority, namely The Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Praha 7, website https://www.uoou.cz/

Right to withdraw consent
You have the right to withdraw consent that you gave to personal data processing at any time by filling in a form/ticking a box/sending the withdrawal to the address of the controller’s registered office, or through a link in e-mail communication.

12. Are personal data automatically evaluated? 
Personal data are automatically evaluated and may be used for profiling or automated decision-making in the area of the controller’s marketing activities.
On account of these activities of the controller, your conduct on the website will be monitored and evaluated, which constitutes a certain interference with your right to privacy. At the same time, however, this evaluation helps to send you only such advertising offers regarding the controller’s products and services, in which you may be interested in view of the results of such evaluation.

13. Camera systems
Outside and inside the controller’s registered office, camera systems with recording devices have been installed for the purpose of protecting property, safety and other protected interests of the controller. Camera systems are not connected to any database operating with personal data. The existence of the installed camera system is brought to your attention using a pictogram, which also shows the contact details for the person operating the camera system.The camera shootings are stored in recording devices for no more than five days. Thereupon the recorded data are automatically replaced with new recordings.