PERSONAL DATA PROCESSING AND PROTECTION POLICY
The aim of this Personal Data Processing and Protection Policy (hereinafter referred to as the “Policy”) is to provide the personal data subject with information on what personal data about natural persons is processed within the provision of services by the website operator, for what purposes and for how long the operator processes such personal data in accordance with applicable legal regulations, to whom and for what reason he is allowed to transfer it as well as to inform about what rights natural persons have in connection with their personal data processing. The policy comes in the effect as of 1 November 2022 and is issued in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on natural persons protection with regard to the personal data processing and on the free movement of such data (hereinafter referred to as „GDPR“).
1. The Data Controller, contact details for the field of GDPR
The Company Vivi Pic s.r.o., Business ID 03602371, with its registered office at Čerčanská 1895/20a, Krč, 140 00 Praha 4, incorporated in the Companies Register maintained by the Municipal Court in Praha, section [•], insert [•] acts as the Data Controller (hereinafter referred to as “Data Controller”). Any questions regarding the personal data processing can be sent to the address of the registered office of the Data Controller via the following email address info@wemarry.io or to the phone number (+420) 608 003 789.
2. The scope of processing and categories of personal data subject to processing
Personal data are processed in the scope, in which the relevant data subject has provided them to the Data Controller in connection with the conclusion of a contractual or other legal relationship with the Data Controller, or which the Data Controller has otherwise collected and processed in accordance with applicable legal regulations or to fulfil the Data Controller's legal obligations. The Data Controller processes the following personal data categories:
a) name and surname, and degree, as the case may be,
b) name of the company,
c) Business ID, VAT ID,
d) permanent residence,
e) address of the registered office or place of business,
f) delivery address,
g) contact e-mail address,
h) contact phone number,
i) positions and/or functions within the company,
j) bank details,
k) profile photo,
l) biographical data,
m) details of the date and place of the wedding,
n) personal preferences,
o) records of behaviour on websites managed by the Data Controller obtained from cookies if cookies are enabled in the web browser.
3. Purpose of personal data processing
3.1 Processing due to the agreement performance, compliance with legal obligations and for legitimate interests of the Data Controller
The provision of personal data required for the performance of the Agreement, the fulfilment of the Data Controller's legal obligations and the protection of the Data Controller's legitimate interests is mandatory. Without the provision of personal data for these purposes, it would not be possible to provide the services. The Data Controller does not need the consent of the personal data subject to process personal data for these purposes.
Main partial purposes for the personal data processing in particular include:
a) processes related to the identification and possible contacting of the user (Agreement performance),
b) the provision of services (Agreement performance),
c) billing for services, issuance of tax documents (Agreement performance),
d) compliance with statutory tax obligations (compliance with legal obligations),
e) recovery of debts from the user and other customer disputes (legitimate interest),
f) registers of debtors (legitimate interest).
Personal data for these activities are processed to the extent necessary for the fulfilment of these activities and for the period necessary to achieve them or for the period directly provided for by legal regulations. Afterwards, personal data are deleted or anonymized. The basic time limits for personal data processing are set out below in Article 5 of the Policy.
3.2 Processing of customer data with their consent for marketing and commercial purposes
The Data Controller processes personal data with the consent of the data subject, for marketing and business purposes in order to create a suitable offer of products and services and in connection with addressing the customer, exclusively by electronic communication via the contact e-mail address. The provision of consent for marketing and commercial purposes is voluntary and may be withdrawn by the data subject at any time. This consent remains valid for the period of 5 years from the date of its granting or for the period of use of the Data Controller's services and for the following 5 years thereafter or until revoked by the data subject. All categories of data listed in Article 2 of this Policy may be processed for marketing and business purposes subject to the consent. In an event the data subject withdraws his/her consent, this does not affect the processing of his/her personal data by the Data Controller for other purposes and under other legal titles, in compliance with this Policy.
3.3 Processing of cookies from websites operated by the Data Controller
In an event the personal data subject has cookies enabled in his/her web browser, the Data Controller processes behavioural records about him/her from cookies placed on websites operated by the Data Controller for the purpose of ensuring better operation of the Data Controller's websites or for the purpose of the Data Controller's internet advertising. In an event of the granted consent with the personal data processing for marketing and business purposes, these data are processed together with other personal data for this purpose.
4. Method of personal data processing and protection
The personal data processing is carried out by the Data Controller. Processing is carried out at his premises and headquarters by individual authorised employees of the Data Controller or by the data processor. The processing is carried out by means of computer technology or, in the case of personal data in paper form, manually, in compliance with all security principles for the personal data control and processing. To this end, the Data Controller has adopted technical and organisational measures to ensure the personal data protection, in particular measures to prevent unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing and other personal data misuse. All entities, to whom personal data may be disclosed, shall respect the data subjects' right to personal data protection and shall comply with applicable personal data protection laws. The personal data processing by the Data Controller does not involve automated decision-making within the meaning of Article 22 GDPR.
5. Period of personal data processing
The personal data processing takes place for the period of time necessary for the purposes, for which the data are processed, in accordance with the time limits specified in the particular agreements in the Data Controller's filing and shredding rules or in the relevant legal regulations. The period, for which personal data will be stored, is set as follows:
a) In case of service customers, the Data Controller is entitled to process their basic personal, identification, contact and service data and data from their communication with the Data Controller in the customer database for the period of 4 years from the date of termination of the last agreement with the Data Controller, provided they have complied with all their obligations towards him.
b) In case of negotiations between the Data Controller and a potential customer on the conclusion of an agreement, which has not been concluded in the end, the Data Controller is entitled to process the provided personal data for the period of 6 months from the end of the pre-contractual negotiations.
c) Tax documents issued by the Data Controller are archived in accordance with Section 35 of the Act No.235/2004 Coll., on value added tax for the period of 10 years from the end of the tax period, in which the performance took place. Due to the need to prove the legal reason for issuing invoices, customer contracts are also archived for 10 years from the date of the contract termination.
6. Categories of personal data recipients
In fulfilling his obligations and duties under the contracts, the Data Controller uses the professional and specialized services of other entities. Insofar as these contractors process personal data transmitted from the Data Controller, they have the status of personal data processors and only process personal data within the framework of instructions from the Data Controller and are not allowed to use them otherwise. These include payment gateway providers, attorneys, accountants, auditors, IT system administrators, Internet advertising providers or sales representatives. Each such an entity is carefully selected by the Data Controller and a personal data processing agreement is concluded with each of them, in which the strict obligations are set out on the part of the processor to protect and secure personal data.
7. Rights of data subjects
In accordance with the GDPR, the personal data subject is entitled to the following rights. As far as the rights in relation to the Data Controller are concerned, the data subject is entitled to exercise them at the contact addresses listed in Article 1 of this Policy.
7.1 Right of access to personal data
Pursuant to Article 15 of the GDPR, the data subject is entitled to access personal data, which includes the right to obtain confirmation from the Data Controller as to whether or not personal data concerning him or her are being processed and, if so, the right to obtain access to such personal data and to information about:
a) the purposes of the processing,
b) the categories of concerned personal data,
c) the recipients, to whom the personal data have been or will be disclosed,
d) the planned processing time,
e) the existence of the right to request from the Data Controller a correction or erasure of personal data concerning the data subject or the restriction of their processing or to object to such processing,
f) the right to file a complaint with the supervisory authority,
g) any available information about the source of the personal data, unless these are obtained from the data subject,
h) the fact that automated decision-making, including profiling, takes place,
i) appropriate guarantees when transferring data outside the EU.
Unless the rights and freedoms of other persons are adversely affected, the data subject also has the right to request a copy of the processed personal data. In an event of a repeated request, the Data Controller is entitled to charge a reasonable fee for a personal data copy.
7.2 Right to correction of inaccurate data
Pursuant to Article 16 GDPR, the data subject has the right to have inaccurate or incomplete personal data processed by the Data Controller corrected. The data subject is obliged to notify changes to his or her personal data and to provide evidence that such a change has occurred. At the same time, he is obliged to provide the Data Controller with assistance if it is found that the personal data processed about him are not accurate.
7.3 Right to erasure
Pursuant to Article 17 of the GDPR, the data subject has the right to erasure of personal data concerning him or her unless the Data Controller proves legitimate grounds for processing such personal data.
7.4 Right to restriction of processing
Pursuant to Article 18 of the GDPR, the data subject has the right, pending the resolution of the complaint, to restrict processing if he or she contests the accuracy of the personal data, the grounds for their processing or objects to processing. Where processing has been restricted, the personal data in question may, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the EU or one of its Member States.
7.5 Notification obligation of the Data Controller regarding correction or erasure of personal data or restriction of processing
In an event of correction, erasure or restriction of the processing of personal data, the Data Controller is obliged under Article 19 GDPR to inform the individual recipients of personal data of this fact, except where this proves impossible or requires disproportionate effort. At the request of the data subject, the Data Controller shall provide the data subject with information about these recipients.
7.6 Right to personal data transferability
Pursuant to Article 20 of the GDPR, the data subject has the right to the transferability of the data concerning him or her that he or she has provided to the Data Controller in a structured, commonly used and machine-readable format, and the right to request the Data Controller to transfer such data to another data controller if the processing of personal data is based on the conclusion and performance of a contract or on the consent of the data subject and the processing is carried out by automated means. If the exercise of this right could adversely affect the rights and freedoms of third parties, such a request cannot be satisfied.
7.7 Right to object to the personal data processing
Pursuant to Article 21 GDPR, the data subject has the right to object to the processing of his or her personal data on the grounds of legitimate interest of the Data Controller. If the Data Controller fails to prove that there are compelling legitimate grounds for the processing, which override the interests or rights and freedoms of the data subject, the Data Controller shall terminate the processing immediately upon objection.
7.8 The right to withdraw consent to the personal data processing
Consent to the personal data processing for marketing and business purposes may be withdrawn at any time. The withdrawal must be made by an express, intelligible and definite expression of will. The processing of data from cookies can be prevented by adjusting your web browser settings.
7.9 Right to be informed of a personal data protection breach
Pursuant to Article 34 of the GDPR, the data subject has the right to be informed by the Data Controller without undue delay of a breach of personal data obtained by the Data Controller if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
7.10 Right to apply to the Office for Personal Data Protection
The data subject is entitled to contact the Office for Personal Data Protection (