Personal data protection
Our company uses, in its activities, personal data of its clients, collaborators or business partners, visitors of our premises as well as persons with whom we negotiated about the conclusion of a contract. We do not underestimate the protection of your personal data and your privacy and we make every effort so that they are secured sufficiently. We handle personal data entirely in compliance with legal regulation in force.
We will clarify in this document which personal data we collect, for which purpose, how we use them, what we do so that they are safe and which rights you can exercise towards us
Who we are? (i. e. personal data controller)
Our company BM PLUS, s.r.o., with its registered office at: Palackého 501, 769 01 Holešov – Všetuly, Company ID-No.: 49967029, entered in the Companies Register kept by the Regional Court in Brno, Section C, Insert 13223, is the personal data controller.
At the end of this document, you will find all contacts to our company.
Which data do we collect?
- 1. Identification data – personal data serving for your clear and unmistakable identification, e. g. name, surname, degree, date of birth, residence address, registration data for your application or e-shop (login, password, etc.).
- 2. Contact data – data enabling to contact you, e. g. phone number, e-mail, contact address.
- 3. Data concerning purchases and our business cooperation, e. g. the history of purchases, payment data, banking information, payment card, etc.
- 4. Data concerning entries into our company´s premises.
- 5. Photos.
- 6. Camera recordings.
- 7. Voice recording (if a call to our company´s customer center is recorded).
- 8.Data collected about devices in relation to the use of web services and applications – when using our websites, applications or e-shop, we use various technologies to identify your browser and device (cookies files and similar technologies) to collect and save information, we collect data about devices (e. g. IP address or other unique identifiers of your device, hardware model, operational system version, mobile network data, server protocols, internet protocol address, date and time of your requirement), data about position (IP address, GPS system, access points of the WI-FI network or mobile network transmitter),
- 9. Data concerning the use of your lawful rights and records about their exercising in relation to our company.
- 10. Other data of which processing is imposed on our company by a legal regulation of the Czech Republic or the European Union.
1 The personal data controller means the entity that determines which personal data and why he will collect and how he will protect them.
Our company processes the above data or also other data based on your consent in certain cases. In such cases, the accurate scope of the personal data to be processed is specified in the consent that you have signed. In such cases, you have always the possibility to withdraw your consent.
For what purposes does our company use the personal data?
In compliance with legal regulation in force, we collect and process personal data for a purpose determined in advance and only in the extent required to meet such a purpose.
- 1. For the purposes of the performance of the contract that you have concluded with us. It follows from that contact which data we have to process in order to be able to fulfill everything that we have agreed and what the law (e. g. Accountancy Act, tax rules, Labor Code) imposes on us in relation to such contract). Such purpose and lawful reason of processing applies also to the preparation of the contract, negotiations about the conditions of the contract or organizing a tendering procedure.
- 2. For the purposes of meeting lawful obligations (e. g. Accountancy Act, tax rules, Labor Code, VAT Act, Act on filing and archiving service, Act on consumer protection).
- 3. For the purposes of managing relationships with customers and creating analytic models – so that we can provide you services according to your needs, comfortably and quickly, we process also data about purchases, about requirements or complaints, we compare and analyze data about our company´s products, we create statistics and sales forecasts for the reason of protecting our rights and justified interests. In such cases, we make every effort to anonymize the data as much as possible. The legitimate reason of processing is our company´s justified interest.
- 4. For the purposes of safety and risk management – in cases when a legal relation imposes an obligation on us or for the reason of protecting our justified interests, we process your personal data in necessary extent for the purpose of securing safety within our company´s premises, the protection of our property, preventing and detecting deceptive or harmful actions, etc.
- 5. For the purposes of exercising or defending our legal claims – if we are made to exercise our rights or to defend them in a court or administrative proceedings, we use necessary personal data. The legitimate reason of processing is our company´s justified interest.
- 6. For the purposes of our company´s internal administration – our employees process your personal data also when performing their employment-legal obligations as a part of our company´s defined internal processes. The reason is, for example, the internal administration of our activity, preparing reports on the activities of our company or individual employees, efforts to optimize internal processes or the need to train employees.
- 7. Sending commercial communications (direct marketing) – typically, sending e-mails or phone contacts with the offers of similar products or services that we have already provided to you. We can send you offers until you express your wish that we do not send you such offers anymore. We will not transfer your data for the purpose of sending offers to any third parties (except for our subcontractors – processors that will do the processing for us). In addition, invitations to trainings, seminars, etc.
- 8. For the purpose of improving the functioning of its websites, the evaluation of their turnout and for the purpose of optimizing marketing activities, BM PLUS. s r.o. uses cookie files at its websites. The cookie files are small text files that are saved by means of a browser locally in a computer by means of which the website is displayed. The cookie files do not serve for or enable the personal identification of website users. In case that the website visitor does not consent to collecting cookie files, he/she can prevent their collection by changing the settings of his/her browser.
We can process personal data also for other purposes with your consent (e. g. marketing).
In such cases, the purpose of collection and further handling personal data is exactly defined in your consent. In such cases, you have always the possibility to withdraw your consent.
Use for another purpose than for which they have been colected?
In certain cases, our company can process personal data for another purpose than the purposes for which the personal data have been collected. It is the case, in particular, if we collect your data for the purposes of the performance of the contract or the provision of a service and:
- a legal regulation obliges us consequently for how long we have to save the data (e. g. in compliance with the Accountancy Act, we have to archive invoices for price for the provided goods or service for the period of 10 years even if we do not these data for the purpose of the performance of the contract anymore);
- consequently, a dispute arises and our company has to enforce its legal claims or to protect its rights;
- consequently, in compliance with the provisions of Section 7 of Act 480/2004 Coll., we send a commercial communication to customers or purchasers that traded with our company in past and they have communicated us their address on this occasion.
From what resources does our company obtain personal data?
Directly from you during the negotiation about the conclusion of a contract or the provision of a service and consequently during the implementation.
From registers and records accessible to the public in cases in which we exercise our justified interests, in particular, when collecting sums due, when selecting a suitable supplier, when verifying the existence of an entity or when verifying that data are up-to-date.
From open or publicly accessible sources – e. g. the partner´s website or advertisement – in case of prospective business partners for the purpose of establishing communication about possible business cooperation. Our company can save such basic data in its CRM system for the purpose of a future contact.
We mutually transfer data with other entities incorporated within the BM PLUS Holding for internal administrative purposes .
From other entities if a legal regulation explicitly allows it (e. g. in the course of a judicial dispute) or if you have given to that other entity your explicit consent to transfer information about you.
2 Within the BM PLUS Holding, we transfer certain personal data of our business partners, customers or employees, in particular, for the purpose of internal administration and reporting. However, the purpose can be also the facilitation of the conclusion of contracts, the provision of performances or the solution of certain affairs.
Are you obliged to transfer us your personal data?
If we process data in relation to a contract that you have concluded with us or a service that we provide to you, you can decide voluntarily whether you conclude the contract or you take advantage of the service, or not. If the contract has been concluded or the service has been used, then you are obliged to transfer us information required for the performance of the contract or the use of the service. We cannot provide you a service or other performance without such information.
If the meeting of legal obligations or the protection of our justified interests is a reason to collect or to further process your personal data, then you are obliged to provide us your personal information. We always request only data required to meet the defined purpose.
If we process data based on your consent, then the transfer of your personal data is completely voluntary.
In which way we secure the protection of your data?
Our company, in compliance with effective legal regulations, secures personal data that it handles by means of all suitable technical and organizational measures in order to secure the highest possible level of protection considering the character, extent and purposes of processing and probable risks. We have introduced safety and controlling mechanisms in the effort to prevent unauthorized access or transfer of data, their loss, destruction or other possible abuse.
Our employees are obliged to maintain confidentiality. If we transfer data to third entities, then also these entities are obliged to maintain statutory or contracting confidentiality.
To whom do we transfer your personal data?
- 1. Processors – our company carries out most of processing activities itself; we take advantage of third parties´ services in certain cases (hereinafter referred to as the “processors”). We try to choose only such specialists that are sufficiently trustworthy and that secure the personal data transferred. The processors agreed contractually to provide at least the same level of the protection of personal data transferred as our company provides. At the same time, we oblige our processors to maintain confidentiality. The processor is entitled to handle the data transferred exclusively for the purpose of the performance of the activity with which our company charged him. If we take advantage of cloud repositories, they are located within the EU and, consequently, the level of protection required by effective legal regulations is secured.
The processors are:
- providers of IT services, applications and cloud repositories
- providers of accounting services
- providers of archiving services
- entities collecting our claims marketing agencies
- 2. Companies within the BM PLUS Holding – within the BM PLUS Holding, we transfer certain personal data of our business partners, customers or employees, in particular, for the purpose of internal administration and reporting. However, the purpose can be also the facilitation of the conclusion of contracts, the provision of performances or the solution of certain affairs.
- 3. Our business partners – if we charge somebody else to perform a certain activity that is a part of our services, the transfer of personal data can be required. Such entities themselves become the administrators of your personal data (carriers or Česká pošta in particular).
- 4. Our advisors – if it is necessary for the protection of our company´s rights and interests, we transfer personal data to other entities (e. g. to a legal representative, insurance companies or an insurance broker, a bank, courts, court distrainors, auctioneers) in the extent required for successful exercising a claim or protecting our rights.
- 5. State authorities or other entities, in cases when our company is obliged to do so with a legal regulation (e. g. state administration bodies, supervisory bodies, prosecuting authorities, courts, distrainors, notaries, trustees in bankruptcy).
- 6. Your personal data can be provided also to other entities with your consent or by your order.
Companies in the holding
The following companies belong to the BM PLUS Holding:
- BM PLUS, s.r.o.
- HHS, s.r.o.
Duration of your personal data storage
We process your personal data for the period required to meet the purpose for which they have been collected or following another purpose. If a legal regulation does not directly stipulates a specific period during which personal data have to be processed, we consider that the purpose of processing continues for the period when the exercise of legal claims from this activity is imminent (usually a ten-year limitation period) and one more calendar year after all imminent legal claims terminate, i. e. in case of a contract, 11 years after the contracting relationship terminates.3
Our company will process your contact data for the purposes of sending commercial communications for the period until the partner disagrees with such mailing. However, even afterwards we will be entitled to process basic information about the reasons why we were sending such commercial communications for a reasonable period to prove the justification of such mailing.
3 E. g. a limitation period continues, in case of the purchase of goods, after the expiration of the warranty period during which the customer can exercise legal claims. Afterwards we keep the personal data for the period of one year in order to be sure that no complaint was lodged before the court or another authority against our company even on the last day of the period.
What are your rights and possibilities?
1. Right for information and explanation
Our company is obliged to provide you information specified in this document briefly, transparently and comprehensibly. If any provision of these principles is not clear to you or it is not completely understandable for you, don´t hesitate to address us. You find contacts to our company in the end of this document. Our employees will be willing to provide you explanation or additional information.
2. Right to withdraw your consent
In cases when we collect and process data based on your consent granted you are entitled to withdraw that consent anytime. Granting the consent is completely voluntary. If you withdraw your consent, it has influence neither on the processing activities that took place at a time when the data were effectively provided nor on the processing activities that our company is obliged to make for a reason of an earlier granted consent and the already completed processing activities (for the reason of observing legal obligations or the protection of our justified interests).
The withdrawal of the consent is free of charge and you can make so in writing to e-mail firstname.lastname@example.org
3. Right to access the personal data
You are entitled to have the overview about the data that we process about you. Consequently, you can request information from us whether your personal data are processed by our company, or not. In case that we process your personal information, we will provide you any and all related information in the extent required by Article 15 of the GDPR Regulation, including a copy of the personal data processed.4
The implementation of the right of access the personal data shall be without prejudice to the rights of other persons.
4. Right to object
If we process personal data for the purposes of the justified interests of our company or a third party, you are entitled to object against such processing in cases when it is justified by your specific situation – i. e. in case when the processing itself is admissible but there are specific reasons at your part why you do not wish the processing to take place despite of that.
Our company will have to review the processing that takes place. It will not process such personal data anymore unless there are material justified reasons for processing that prevail over your interest for the protection of your privacy or other interests, rights and freedoms or unless the processing is carried out in order to stipulate, exercise or defend our company´s legal claims.
If we process personal data for the purposes of direct marketing, you can object to such processing of personal data anytime. You can exercise such right also by means of technical tools (unsubscribing from the deliveries of commercial communications). Afterwards, our company will not process your personal data for the purposes of direct marketing, however, they can continue to be processed for other purposes.
You can exercise your objection, as well as your other rights, at the below contacts. Will you always describe your specific situation based on which you conclude that our company should not process data about you.
However, the possibility to object is not applicable to all cases of processing; it cannot be claimed in case when we process your data based on another legal basis than the necessity for a justified purpose – e. g. for the reason of necessity for the performance of the contract or the fulfillment of statutory obligations.
4 We will communicate you the categories of personal data that we process, the purposes of processing, the categories of recipients to whom personal data can be made available, the planned duration of data processing, information about the source of these data, information about your rights and information whether automated decision-making takes place.
5. Right for correction or completion, if applicable
If you consider that we process inaccurate data about you, you are entitled to notify us about it and to request correction or completion.
6. Right for deletion (so-called right “to be forgotten”)
7. Right for the portability of data
5 Points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR Regulation
6 In accordance with Article 89(1) of the GDPR Regulation
8. How do we attend to your objections and requests?
If you address our company with an objection or a request for exercising any of your statutory rights, we will inform you about the measures taken. If we do not take any measure, we will inform you about this fact as well and explain you the reasons of our actions. We will provide you this information not later than one month as of the receipt of the request. If it is necessary to extend such period due to the complexity and the number of requests, we will notify you about it also not later than one month as of the delivery of the request along with the reasons of postponement. We will extend the period for not more than two more months. We will make our best in order to provide you information about measures taken as soon as possible.
We will provide you information about measures taken in the same way as you requested them. Any and all objections and requests and our responses are made and provided free of charge. However, if your requests keep repeating or are apparently unreasonable, we can request the compensation of costs related to the provision of information or we can even refuse to comply with a request.
Our company can comply with your requests or objections only if it has no doubts as regards the identity of the person that submits the request or objection. We have to make sure that the rights are not abused by other persons and your personal data are not transferred to another person without authorization. Therefore, our company verifies the requester´s identity by demanding additional information by means of which the requester´s identity is confirmed to us or the submission of a request or objection with an officially authenticated signature. In case of verbal exercising a request or an objection at our branch, we will request that your identity is proved by presenting an ID-document.
9. Right to lodge a complaint with a supervisory body
If you do not agree with the manner in which we process your personal data or disagree with our company´s attitude, you can address the following supervisory body with your complaint anytime:
Úřad pro ochranu osobních údajů (Office for Personal Data Protection)
Pplk. Sochora 27, 170 00 Prague 7
Phone: +420 234 665 111
How can you contact us?
We are obliged to verify the identity of the person that exercises the above rights in order to prevent the abuse by another person and prevent that we transfer any and all data about you to another person. Therefore, the requester´s identity will be verified, in case of a personal request exercised at our company´s branch, by presenting a valid ID-document. In case of an e-mail request, we will insist that the request is delivered from an e-mail that we have recorded for you and we will request the provision of other information that we could relate to the information that we have already at disposal in order to be sure that we do not transfer data to somebody else. If it is not possible to identify you safely in this way, we will be made to request from you that you send us a request in writing with an officially authenticated signature or you present us your ID-card in person.
You can address our company with your questions, requests or objections in the following ways:
- By mail: BM PLUS, s.r.o., Palackého 501, 769 01 Holešov – Všetuly
- By e-mail: email@example.com
- By phone: +420 573 397 777