top of page

GDPR protection

Privacy Policy

Our company uses the personal data of its clients, associates or business partners, visitors to our premises and persons with whom we have negotiated a contract. We do not take the protection of your personal data and your privacy lightly and do everything to ensure that they are sufficiently secured. We handle personal data in full accordance with applicable law.

In this document, we will explain what personal data we collect, for what purpose, how we use it, what we do to keep it safe, and what rights you can exercise against us.

Who are we? (i.e. personal data controller)
The controller of personal data is our company BM PLUS, sro, with its registered office at Palackého 401, 769 01 Holešov – Všetuly, Company ID: 49967029, entered in the Commercial Register kept by the Regional Court in Brno, Section C, Insert 13223.
All contacts for our company are listed at the end of this document.

What data do we collect?

Without consent

  1. Identification data – personal data used for your unambiguous and unmistakable identification, e.g. name, surname, title, date of birth, residential address, login details for our application or e-shop (login, password, etc.).

  2. Contact information – information that allows us to contact you, e.g. telephone number, email address, contact address.

  3. Data about purchases and our business cooperation, e.g. purchase history, payment details, bank details, payment card, etc.

  4. Data about entrances to our company premises.

  5. Photo.

  6. Camera recordings.

  7. Voice recording (if the call to our company's customer service center is recorded).

  8. Network identifiers in connection with the use of web services and applications - when using our websites, applications or e-shop, we use various technologies to collect and store information to identify your browser and device (cookies and similar technologies), we collect device data (e.g. IP address or other unique identifiers of your device, hardware model, operating system version, mobile network data, server logs, Internet Protocol address, date and time of your request), location data (IP address, GPS system, WI-FI access points or mobile network transmitter).

  9. Data on the use of your legal rights and records of their exercise towards our company.

  10. Other data, the processing of which is required by our company by the legal regulations of the Czech Republic or the European Union.

(A personal data controller is the entity that determines what personal data will be collected, why, and how it will be protected.)

With consent

Our company in some cases processes the above data or other data based on your consent. In such cases, the exact scope of the personal data processed is stated in the consent you have signed. In such cases, you always have the opportunity to withdraw this consent.

In accordance with applicable law, we collect and process personal data for a predetermined purpose and only to the extent necessary to fulfill this purpose.

For what purposes does our company use personal data?

Without consent

  1. For the purpose of fulfilling the contract that you have concluded with us. This contract states what data we must process in order to be able to fulfill everything that we have agreed upon and what the law imposes on us in connection with such a contract (e.g. the Accounting Act, the Tax Code, the Labor Code). This purpose and legal basis for processing also applies to the preparation of the contract, negotiations on the terms of the contract or the conduct of the tender procedure.

  2. For the purpose of fulfilling legal obligations (e.g. the Accounting Act, the Tax Code, the Labor Code, the VAT Act, the Act on Records and Archives Service, the Consumer Protection Act).

  3. For the purposes of customer relationship management and creating analytical models – in order to provide you with services according to your needs, conveniently and quickly, we also process data on purchases, requests or complaints, compare and analyze data on our company's products, create statistics and sales predictions, in order to protect our rights and legitimate interests. In these cases, we try to anonymize the data to the greatest extent possible. The legal basis for processing is the legitimate interest of our company.

  4. For security and risk management purposes – in cases where we are required to do so by law or in order to protect our legitimate interests, we process your personal data to the extent necessary to ensure security on our company premises, protect our property, prevent and detect fraudulent or harmful conduct, etc.

  5. For the purposes of exercising or defending our legal claims – if we are forced to enforce our rights or defend them in judicial or administrative proceedings, we will use the necessary personal data. The legal basis for processing is the legitimate interest of our company.

  6. For the purposes of internal administration of our company – our employees also process your personal data when fulfilling their employment-related obligations within the framework of our company’s established internal processes. The reason for this is, for example, the internal administration of our activities, the creation of reports on the activities of our company or individual employees, the effort to optimize internal processes or the need for employee training.

  7. Sending commercial communications (direct marketing) – typically sending e-mails or telephone contacts with offers of similar products or services that we have already provided to you. We may send offers until you express your wish not to send you such offers. We will not pass on your data to any third parties for the purpose of sending offers (except for our subcontractors – processors who will carry out the processing for us). Also invitations to training courses, seminars, etc.

  8. Cookie files are used by our companies on their websites in order to improve the functioning of our websites, evaluate their traffic and optimize marketing activities. Cookies are small text files that are stored locally on your computer via the browser. Cookies do not serve or enable personal identification of website users, they only enable identification of the end device

With consent

With your consent, we may also process personal data for other purposes (e.g. marketing). In such cases, the purpose of collecting and further processing your personal data is precisely defined in your consent. In such cases, you always have the opportunity to withdraw this consent.

Use for a purpose other than that for which it was collected?

In some cases, our company may process personal data for a purpose other than the purpose for which the personal data was collected. This is the case, in particular, if we collect your data for the purpose of performing a contract or providing a service and:

  • the legal regulation subsequently dictates how long we must retain the data (e.g., according to the Accounting Act, we must archive invoices for the price of goods or services provided for 10 years, even if we no longer need the data for the purposes of fulfilling the contract);

  • subsequently, a dispute arises and our company must enforce its legal claims or defend its rights;

  • subsequently, in accordance with the provisions of Section 7 of Act 480/2004 Coll., we send commercial communications to customers or purchasers who have done business with our company in the past and have provided us with their address on that occasion.

From what sources does our company obtain personal data?

Directly from you when negotiating a contract or providing a service and subsequently during implementation.
From publicly available registers and records, in cases where we exercise our legitimate interests, in particular when recovering amounts owed, when selecting a suitable supplier, when verifying the existence of an entity or when verifying the timeliness of data.
From open or publicly available sources - e.g. a partner's website or advertisement - in the case of potential business partners in order to establish communication about possible business cooperation. Our company may store such basic data in its CRM system for the purpose of further contact.
For internal administrative purposes*, we share data with other entities incorporated into the MB PLUS holding.
From other entities, if expressly permitted by law (e.g. in the context of a lawsuit) or if you have given this other entity your explicit consent to transfer information about you.

Are you obliged to provide us with personal data?

If we process your data in connection with a contract you have concluded with us or a service we provide to you, you can voluntarily decide whether or not to conclude the contract or use the service. If a contract has been concluded or a service has been used, you are obliged to provide us with the information necessary to perform the contract or use the service. Without this information, we cannot provide you with the service or other performance.
If the reason for collecting and further processing your personal data is to comply with legal obligations or to protect our legitimate interests, then you are obliged to provide us with your personal data. We always ask for only the data necessary to fulfill the specified purpose.
If we process data based on your consent, then the provision of your personal data is completely voluntary.

How do we ensure the protection of your data?

In accordance with applicable law, our company secures the personal data it processes using all appropriate technical and organizational measures to ensure the highest possible level of protection, taking into account the nature, scope and purposes of the processing and the likely risks. We have security and control mechanisms in place to prevent unauthorized access or transfer of data, loss, destruction or other possible misuse.
Our employees are bound by a duty of confidentiality. If we pass on data to third parties, these parties are also bound by a legal or contractual duty of confidentiality.

To whom do we share your personal data?

1. Processors – most of the processing activities are carried out by our company using our own resources, in some cases we use the services of third parties (hereinafter referred to as “processors”). We try to select only such specialists who are sufficiently trustworthy and secure the personal data transferred. Processors have contractually undertaken to provide at least the same level of protection of the personal data transferred as that provided by our company. At the same time, we oblige processors to a duty of confidentiality. The processor is entitled to handle the transferred data exclusively for the purposes of performing the activity entrusted to them by our company. If we use cloud storage, these are located within the EU, thus ensuring the level of protection required by applicable law.

The processors are:

  • IT service, application and cloud storage providers

  • accounting service providers

  • archiving service providers

  • entities collecting our debts

  • marketing agencies

2. To companies within the BM PLUS holding – within the BM PLUS holding, we share some personal data of our business partners, customers or employees, primarily for the purpose of internal administration and reporting. However, the purpose may also be to facilitate the conclusion of contracts, the provision of performance or the resolution of certain matters.

3. To our business partners – if we entrust someone else with the performance of a certain activity that forms part of our services, it may be necessary to transfer personal data. Such entities themselves become the controller of your personal data (in particular, the carrier or Czech Post).

4. To our advisors – if necessary to protect the rights and interests of our company, we transfer personal data to the extent necessary for the successful exercise of a claim or defense of our rights to other persons (for example, a legal representative, insurance companies or insurance brokers, banks, courts, bailiffs, auctioneers).

5. To state authorities or other entities in cases where our company is required to do so by law (for example, state administration authorities, supervisory authorities, criminal prosecution authorities, courts, bailiffs, notaries, insolvency administrators).

6. With your consent or at your request, your personal data may be provided to other entities.

Companies in the holding company
The BM PLUS holding company includes the following companies:

  • BM PLUS, sro

  • HHS, sro

Storage period of your personal data

We process your personal data for the period necessary to fulfil the purpose for which it was collected or for another related purpose. If the legal regulation does not directly stipulate a specific period for which personal data must be processed, we consider that the purpose of processing lasts for the period during which legal claims are threatened from this processing activity (usually a ten-year limitation period) and one calendar year after the termination of all threatened legal claims, i.e. in the case of a contract, usually 11 years after the termination of the contractual relationship**.
For the purpose of sending commercial communications, our company will process your contact details until the partner expresses their objection to such sending. Even then, we will be entitled to process basic data about why we sent commercial communications for a reasonable period of time to prove the legitimacy of such sending.

** For example, when purchasing goods after the warranty period has expired, there is a statute of limitations during which the customer can make legal claims against our company. We will then retain your personal data for one year to ensure that no lawsuit has been filed against our company with a court or other authority on the last day of the period.

What are your rights and options?

1. Right to Information and Explanation

Our company is obliged to provide you with the information stated in this document in a concise, transparent, and comprehensible manner. If any provision of these policies is unclear or not fully understandable to you, please do not hesitate to contact us. The contact details of our company are provided at the end of this document. Our employees will be happy to provide you with an explanation or additional information.

2. Right to Withdraw Consent

In cases where we collect and process data on the basis of your consent, you have the right to withdraw this consent at any time. Giving consent is entirely voluntary. If you withdraw your consent, it does not affect processing activities already carried out at the time when the consent was validly given, nor those processing activities that our company is obliged to perform due to previously granted consent and already completed processing activities (for the purpose of complying with legal obligations or protecting our legitimate interests).
Withdrawal of consent is free of charge and can be done in writing at: grafik@bmplus.cz

3. Right of Access to Personal Data

You have the right to know which data about you we process. You may request information from us on whether or not your personal data is being processed by our company. If your personal data is processed, we will provide you with all related information as required by Article 15 of the GDPR, including a copy of the processed personal data.
The exercise of the right of access to personal data must not adversely affect the rights of other persons.

*** We will inform you about the categories of personal data we process, the purposes of processing, the categories of recipients to whom the personal data may be disclosed, the planned period of processing, the source of the data, information about your rights, and whether automated decision-making takes place.

4. Right to Object

If we process personal data for the purposes of our company’s or a third party’s legitimate interests, you have the right to object to such processing in cases where your specific situation justifies it – that is, where the processing itself is lawful, but you have specific reasons why you do not want it to take place.
Our company will have to review the processing in question. Such personal data will no longer be processed unless there are compelling legitimate grounds for processing that override your interest in privacy or other interests, rights, and freedoms, or if the processing is required for the establishment, exercise, or defense of our company’s legal claims.
If we process personal data for direct marketing purposes, you may object at any time to such processing of personal data. You can also exercise this right via technical tools (e.g., unsubscribe from commercial communications). Our company will then no longer process your personal data for direct marketing purposes, but it may still be processed for other purposes.
You can exercise your objection, as well as your other rights, via the contact details below. Please always state the specific situation that leads you to conclude that our company should not process your personal data.
The right to object, however, does not apply in all cases of processing and cannot be exercised where we process your data on a legal basis other than necessity for a legitimate purpose – e.g., necessity for contract performance or compliance with legal obligations.

5. Right to Rectification or Completion

If you believe that we are processing inaccurate data about you, you have the right to notify us and request a correction or completion.

6. Right to Erasure (the “Right to be Forgotten”)

You have the right to request that we erase your personal data if at least one of the following conditions is met:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed,

  • the data subject withdraws consent and no other legal ground for processing exists,

  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing,

  • the personal data has been processed unlawfully,

  • the personal data must be erased in order to comply with a legal obligation,

  • the personal data was collected in connection with the offer of information society services.

Our company, under Article 17(3) of the GDPR, is not obliged to erase the requested data if the processing is necessary:

  • for the establishment, exercise, or defense of our company’s legal claims,

  • for the exercise of the right to freedom of expression and information,

  • for compliance with a legal obligation imposed on our company by Czech or EU regulations,

  • for the performance of a task carried out in the public interest, if our company is entrusted with it,

  • for reasons of public interest in the area of public health in the processing for purposes of preventive or occupational medicine, etc.,

  • for archiving purposes in the public interest, for statistical purposes, or for scientific and historical research purposes, if erasure would seriously jeopardize the achievement of these objectives.

7. Right to Data Portability

Current legislation guarantees you the right to obtain from our company your personal data that you have provided to us, in a structured, commonly used, and machine-readable format. These data may be transferred to you or to another controller if you request it and if it is technically feasible. This right can be exercised if:

  • the reason for processing is your consent or the performance of a contract or service provided by our company, and

  • our company carries out the processing automatically.

The exercise of this right must not adversely affect the rights and freedoms of other persons. This right cannot be exercised if we process your personal data for the performance of a task carried out in the public interest, if our company has been entrusted with it.

8. How Do We Handle Your Objections and Requests?

If you contact our company with an objection or a request to exercise any of your statutory rights, we will inform you of the measures taken. If no measures are taken, we will also inform you and explain the reasons for our course of action. We will provide this information within one month of receiving your request. If necessary due to complexity or the number of requests, we may extend this period; in that case, we will notify you within one month of receiving your request, including the reasons for the delay. The period may be extended by a maximum of two additional months. We will do our best to provide you with information as soon as possible.

We will provide information about the measures taken in the same manner in which you requested them. All objections, requests, and our responses are made and provided free of charge. However, if your requests are repetitive or clearly disproportionate, we may charge a fee to cover the costs of providing the information or even refuse to comply with the request.

Our company can only comply with your requests or objections if it has no doubts about the identity of the person submitting them. We must ensure that rights are not abused by other persons and that your personal data is not unlawfully disclosed to a third party. For this reason, our company verifies the applicant’s identity either by requesting additional information confirming the applicant’s identity, or by requiring the submission of a request or objection with an officially verified signature. In the case of an oral request or objection made at our branch, we will require proof of your identity by presenting an identity card.

9. Right to Lodge a Complaint with a Supervisory Authority

If you disagree with the way we process your personal data or with our company’s approach, you may at any time lodge a complaint with the supervisory authority:

Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
Tel.: +420 234 665 111
E-mail: posta@uoou.cz
Web: www.uoou.cz

How Can You Contact Us?

We are obliged to verify the identity of the person exercising the above-mentioned rights in order to prevent misuse by another person and to ensure that your data is not passed on to someone else. For this reason, when submitting a personal request at our company’s branch, the applicant’s identity will be verified by presenting a valid identity card. In the case of an e-mail request, we will require the request to be sent from the e-mail address we have on record for you, and we may request additional information that can be matched with the information already available to us, to ensure that the data is not disclosed to someone else. If you cannot be securely identified in this way, we will have to ask you to send a written request with a notarized signature or personally present your identity card.

You may contact our company with your questions, requests, or objections in the following ways:

  • By post: BM PLUS, s.r.o., Palackého 501, 769 01 Holešov – Všetuly

  • By e-mail: grafik@bmplus.cz

  • By phone: +420 573 397 777

bottom of page