The controller of your personal data is Patentoid s.r.o., Id. No.: 04821645, a company with its registered office at Božkovská 671/33, Východní Předměstí, 326 00 Pilsen, Czech republic (hereinafter “PATENTOID”).
The objective of these Personal Data Processing Principles (hereinafter the “Principles”), intended for PATENTOID’s customers and issued by PATENTOID, is to inform the customers what personal data concerning themselves, as the data subjects, are being processed by PATENTOID as the controller; for how long and for what purposes PATENTOID will process these personal data; and to whom and for what reason PATENTOID may transfer these personal data; and also to inform the customers what rights they have in connection with the processing of their personal data.
These Principles pertain to processing of personal data of customers and, analogously, also of their representatives or contact persons, service users, persons interested in services and goods, and visitors to the websites operated by PATENTOID (hereinafter a “customer”), always within the scope of personal data corresponding to their respective position vis-à-vis PATENTOID.
These Principles are effective from 1. 10. 2020 and are issued in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the “Regulation” or “GDPR”) with a view to complying with the duty borne by PATENTOID as the controller to provide information under Article 13 of the GDPR.
I. Categories of personal data
Personal data is any information relating to a natural person identifiable by PATENTOID. PATENTOID may process the following categories of personal data in relation to the provision of services and sale of goods.
A. Basic personal identification details and address
These data are necessary for the execution and performance of the contract. They include:
- academic degree
- name and surname
- business name
- date of birth
- Id. No., Tax Id. No.
- permanent residence address
- address of the registered office or place of business
- invoicing (billing) address
- identification details of the customer’s representative or contact person as specified by the customer
- bank details
B. Contact details
- contact telephone number
- contact e-mail address
C. Data processed on the basis of the customer’s consent
- data obtained from marketing surveys (processed with respect to customers of the PATENTOID services based on consent to personal data processing for commercial purposes)
- data on the use of services, products, benefits and bonuses and typical behaviour in the use of services (processed with respect to customers of the PATENTOID services based on consent to personal data processing for commercial purposes)
- contact details of persons other than PATENTOID customers (processed on the basis of consent to the receipt of marketing communications)
- records of the browsing behaviour on the websites operated by PATENTOID, obtained from cookies if cookies are enabled in the web browser (processed with a view to improving the functioning of the websites operated by PATENTOID and online advertising; moreover, if consent has been granted to personal data processing for commercial purposes, these data are processed together with other personal data for this purpose)
D. Data from communication between PATENTOID and the customer
These data are created in communication related to the provision of services and goods between PATENTOID and the customer. These are records of personal communication with the customer taking place on the PATENTOID premises or in other direct contact with the customer, written and electronic communication with the customer, and recordings of telephone calls, chat and video chat communication between the customer and PATENTOID.
II. Legal grounds for personal data processing
The scope of the data being processed depends on the purpose of the processing. For certain purposes, data may be processed directly on the basis of a contract, of PATENTOID’s legitimate interest or of the law (without consent), while for other purposes only on the basis of consent.
A. Processing on the grounds of performance of a contract, compliance with legal obligations and the legitimate interests of PATENTOID
The provision of personal data necessary for the performance of a contract, compliance with PATENTOID’s legal obligations and protection of the legitimate interests of PATENTOID is compulsory. It would not be possible to provide the services without the provision of personal data for these purposes. PATENTOID does not need consent to personal data processing for these purposes, but an objection may be raised against personal data processing for the purposes of PATENTOID’s legitimate interests. Processing on the grounds of performance of a contract and compliance with legal obligations cannot be rejected.
These include, in particular, the following basic individual purposes:
- negotiations on execution of a purchase or some other contract;
- execution of the contract, its administration and performance;
- compliance with statutory tax obligations;
- purposes laid down by special laws for the needs of criminal proceedings and for the performance of the duty to co-operate with the Police of the Czech Republic and other governmental authorities;
- processing of data on persons other than contracting parties, i.e. data subjects who are not a party to the concluded contract but are nevertheless specified in or linked with the contract (e.g. responsible persons, contact persons, avalists, guarantors);
- marketing activities provided that the customer can justifiably anticipate such processing in view of the circumstances. The customer has the right to object to such processing. If the customer raises an objection, his/her personal data will no longer be processed for these purposes;
- retention of communication – PATENTOID retains communication with the customer if its processing is necessary for the purposes of protecting the legitimate interests while pursuing the following objectives: performance of the contract and the ensuing obligations if the customer whose communication with PATENTOID is being retained is not a party to the contract. The recordings are stored and protected in a manner ensuring that they are not available to unauthorised persons, specifically with a partner entity – see the up-to-date list of PATENTOID partners here; at the same time, PATENTOID has adopted necessary measures preventing unauthorised handling of the personal data stored in this manner;
- proof of the customer’s will and validity of the legal act in case of a dispute (establishment, exercise or defence of legal claims);
- resolving queries, complaints and requests;
- development and support of PATENTOID’s own business activities within direct marketing;
- obtaining evidence in case of a need to defend PATENTOID’s rights, including business monitoring;
- compliance with legal obligations to which the controller is subject, especially for resolving complaints;
- processes related to customer identification;
- evaluation of the customer’s behaviour in the use of services and his/her payment morale for the purposes of avoiding any claims that could affect PATENTOID’s decision-making on the terms and conditions of further contracts with the customer, in cases where decision-making on execution or non-execution of another contract is not automated;
- enforcement of receivables from the customer and other customer disputes;
- compliance with further obligations imposed by other legal regulations, especially by Act No. 235/2004 Coll., on value added tax, Act No. 586/1992 Coll., on income taxes, and Act No. 563/1991 Coll., on accounting;
- provision of electronic communication services, payment transaction services and other services.
Personal data are processed for these individual purposes to the extent necessary for attaining these purposes and for the period necessary for attaining them or for the period directly specified by the legal regulations. Subsequently, the personal data are erased or anonymised. The basic periods of personal data processing are specified below.
The customer’s personal data are processed for the term of the executed contract and then during the limitation period applicable to any claim ensuing from the contract. After expiry of this period, PATENTOID will destroy the customer’s personal data unless it is authorised/obliged to further process these data on the basis of some other legal ground. The customer’s personal data will also be processed by the controller as long as any litigation is pending.
In case of negotiations between PATENTOID and a potential customer on execution of a contract that ultimately do not result in execution of the contract, PATENTOID may process the personal data provided (especially the customer’s e-mail address) for a period of two (2) years from the given negotiations.
Where required by the law, PATENTOID will archive documents containing the customer’s personal data for the prescribed period of time.
Invoices issued by PATENTOID are filed for a period of 10 years of their issue in conformity with Section 35 of Act No. 235/2004 Coll., on value added tax. In view of the need to document the legal grounds for issuing invoices, contracts are also filed for a period of 10 years from the date of termination of the contract.
B. Processing of PATENTOID customer data with consent for commercial purposes
All the categories of data set out in Article I. of these Principles (other than signature and copies of identity documents) may be processed for commercial purposes based on consent as long as PATENTOID is authorised to retain these data for the purposes of providing services, complying with legal obligations and protecting its legitimate interests, but not longer than until the consent is withdrawn.
PATENTOID processes the customer’s personal data with his/her consent for commercial purposes with a view to relevant targeting of advertisements for products and services of PATENTOID or third parties (i.e. partners specified by PATENTOID on its website at www.patentoid.com (hereinafter a “third party”); if this list of third parties changes, PATENTOID agrees to inform the customer of this change and, in that case, the customer may withdraw his/her consent, if any) at specific customers, and also for the actual dissemination of advertising for the products and services of PATENTOID or third parties by addressing the customer. The actual address is then made by telephone, in writing, via all means of online advertising or by means of sending electronic commercial communications using contact details and service numbers. If consent is granted to personal data processing for commercial purposes, the customers of PATENTOID are addressed both with advertisements for products and services of PATENTOID and with advertisements for third-party products and services. If customers are interested only in offers of PATENTOID’s products and services, they can monitor these offers through indirect marketing channels.
PATENTOID sends commercial communications with advertisements for products and services of PATENTOID or of third parties on behalf of PATENTOID as the sole disseminator and sender of the advertising communication, and in the case of advertisements for third-party products and services, PATENTOID does not transfer any personal data to third parties ordering the advertising. An up-to-date list of third parties whose offers are disseminated by PATENTOID (clients ordering advertising) is available here.
With a view to achieving the relevant targeting of its advertising offers and also for the needs of setting the business strategy, PATENTOID also creates and retains data on typical customer behaviour in the use of PATENTOID’s services and products, and creates and retains anonymised behaviour analyses, all that with regard to customers who grant this consent. All these activities are essential for addressing customers with suitable marketing offers.
Consent to processing for commercial purposes is voluntary. If this consent is not granted, this does not prejudice the customer’s legal rights; the only consequence is that the service bound to the provision of the consent cannot be provided. The customer may withdraw this consent at any time. This consent remains valid for the term of use of the PATENTOID products and services and then for a period of ten (10) years or until the customer withdraws it. If the customer withdraws his/her consent granted for commercial purposes, this will in no way prejudice the processing of his/her personal data by PATENTOID for other purposes and on the basis of other legal grounds, in accordance with these Principles.
If the customer enables other users to make use of the service, within the consent to personal data processing for commercial purposes, the customer confirms that he/she is authorised to grant consent regarding data pertaining to the users of the service.
C. Processing of data with regard to customers who have granted consent to receiving electronic marketing communications
In the case of customers who have granted consent to receiving electronic marketing communications, PATENTOID processes – with their consent and for the period specified in the consent – contact details that the customer provides to PATENTOID for the purposes of sending marketing offers of PATENTOID’s services and products. If this consent is granted via the websites operated by PATENTOID, data from PATENTOID cookies located on the website where this consent was granted are also processed together with these contact details, provided that the customer has cookies enabled in his/her web browser.
D. Processing of cookies from websites operated by PATENTOID
If the customer has cookies enabled in his/her browser, PATENTOID processes records on the customer’s behaviour using cookies located on the websites operated by PATENTOID, with a view to improving the operation of the PATENTOID’s websites and for the purposes of PATENTOID’s online advertising.
E. Processing of customer data for the purposes of sending application notifications
If the customer has a PATENTOID application generating application notifications installed on his/her device, and application notifications are enabled in the device with regard to the given application, these notifications will be made by PATENTOID. The contents of the application notifications depend on the type of the application.
III. Categories of personal data recipients
PATENTOID uses professional services of other entities in the performance of its obligations and duties under the contracts and in the operation of its business. If these suppliers process the customers’ personal data provided by PATENTOID, they have the position of personal data processors and process the personal data only based on instructions from PATENTOID. Each such entity is selected diligently with a view to ensuring its compliance with the legal prerequisites, and a personal data processing agreement is concluded with each thus-selected entity, comprising strict obligations to protect and secure personal data. A list of these processors is available here.
IV. Manner of personal data processing
PATENTOID processes personal data both manually and by automated means. PATENTOID keeps records of all activities in which personal data are processed.
V. Information on the rights of customers in relation to personal data processing from 1. 10. 2020 under the Regulation
If the customer is a natural person identifiable by PATENTOID and there is no doubt as to his/her identity, the customer has the rights specified below. In view of the need to verify the customer’s identity and justification of his/her request, these rights should be exercised in the manner specified with regard to the given right, rather than by contacting the data protection officer. The said rights may only be exercised in relation to personal data in respect of which there can be no doubt that they belong to the person making the request.
B. Right of access to personal data (Art. 15 of the Regulation)
Under Art. 15 of the GDPR, the customer has the right of access to personal data, which includes the following rights:
- to obtain confirmation as to whether or not personal data are being processed;
- to gain access to the data if PATENTOID processes them;
- obtain information on the purposes of processing; the categories of personal data concerned; the recipients to whom the personal data have been or will be disclosed; the envisaged period of processing; the existence of the right to request from the controller rectification or erasure of personal data concerning the customer or restriction of their processing, or to object to such processing; the right to lodge a complaint with a supervisory authority; any available information as to the source of the personal data, if not obtained from the customer; the existence of automated decision-making, including profiling; and appropriate safeguards in case of transfer of data outside the EU;
- to obtain a copy of the personal data unless the rights and freedoms of others are adversely affected thereby.
In case of a repeated request, PATENTOID may charge a reasonable fee for a copy of personal data.
C. Right to rectification of inaccurate data (Art. 16 of the Regulation)
Under Art. 16 of the GDPR, the customer has the right to rectification of inaccurate personal data that will be processed by PATENTOID in respect of the customer. The customer is also obliged to notify PATENTOID of any changes in his/her personal data and prove that the change has occurred. At the same time, the customer is obliged to provide PATENTOID with co-operation if it is ascertained that the personal data processed by PATENTOID in respect of the customer are not accurate. PATENTOID will rectify the data without undue delay, but always in view of the technical possibilities.
D. Right to erasure (Art. 17 of the Regulation)
Under Art. 17 of the GDPR, the customer has the right to erasure of personal data concerning him/her unless PATENTOID proves the existence of legitimate grounds for the processing of such personal data. PATENTOID has mechanisms in place to ensure semi-automatic anonymisation or erasure of personal data if they are no longer necessary for the purpose for which they were processed. The customer may request erasure in writing.
E. Right to restriction of processing (Art. 18 of the Regulation)
Under Art. 18 of the GDPR, the customer has the right to restriction of processing until his/her complaint is resolved if the customer contests the accuracy of personal data or the reasons for their processing, or if the customer objects to their processing; the restriction has to be claimed by means of a written request sent to the address of PATENTOID’s registered office.
F. Right to be notified of rectification, erasure or restriction of processing (Art. 19 of the Regulation)
Under Art. 19 of the GDPR, the customer has the right to be notified by PATENTOID in case of rectification or erasure of personal data or restriction of their processing. In case of rectification or erasure of personal data, PATENTOID will inform the individual recipients, unless this proves impossible or requires unreasonable efforts. Based on the customers’ request, PATENTOID may provide information on these recipients.
G. Right to data portability (Art. 20 of the Regulation)
Under Art. 20 of the GDPR, the customer has the right to request from PATENTOID personal data concerning him/her which have been provided to PATENTOID in connection with a contract or on the basis of consent and which are processed by automated means, in a structured, commonly used and machine-readable format, and also the right to request that these data be transferred to another controller if a person acting on behalf of the relevant controller is properly identified and if it is possible to authorise that person. The exercise of this right must not adversely affect the rights and freedoms of others.
H. Right to object to personal data processing (Art. 21 of the Regulation)
Under Art. 21 of the GDPR, the customer has the right to object to the processing of his/her personal data taking place on the grounds of PATENTOID’s legitimate interest.
If PATENTOID fails to prove that there exists a compelling legitimate ground for processing overriding the customer’s interests, rights and freedoms, PATENTOID will cease to process the data without undue delay on the basis of the objection. An objection has to be sent in writing to the address of PATENTOID’s registered office.
Right to withdraw consent to personal data processing (Art. 7 of the Regulation)
a) Consent to personal data processing for commercial purposes may be withdrawn at any time. The withdrawal must be made by means of an explicit, comprehensible and definite manifestation of will, by an e-mail message sent to PATENTOID’s address at [email protected].
b) Consent to receiving marketing communications granted with regard to a specific electronic contact may be withdrawn at any time by an e-mail message sent to PATENTOID’s address at [email protected] or in the manner specified in the commercial communication.
c) Processing of data obtained from cookies can be blocked in the browser settings.
d) Data processing for the purposes of application notifications can be blocked in the settings of the device.
I. Automated individual decision-making, including profiling (Art. 22 of the Regulation)
The customer has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her. PATENTOID states that it does not carry out automated decision-making without human intervention with legal effects for the customers.
J. Right to address the Office for Personal Data Protection (Art. 13 (2)(d) of the Regulation)
The customer has the right to address the Office for Personal Data Protection (www.uoou.cz).
Unless specified otherwise, requests or other exercise of the customers’ rights shall be made in writing and sent by e-mail to [email protected] or via a delivery service to the registered office of PATENTOID.
Please note that in connection with the exercise of the data subjects’ rights under Art. 15 to 22 of the GDPR, it is always necessary to verify the identity of the data subject and justification of his/her request, and it is therefore appropriate to always use the manner of exercise of each individual right as specified in these Principles, and not send specific requirements to the data protection officer’s contact details.
PATENTOID reserves the right to make changes to these Principles. An up-to-date version of these Principles is always published on the website at www.patentoid.com.
In Pilsen, on 1. 10. 2020