Privacy policy
Dear customers and business partners,
The document you are reading now contains basic information about how we process your personal data. We appreciate that you share your personal information with us and are committed to protecting it to the maximum extent possible. We also try to be as transparent as possible with you, especially about how we process your personal data.
In view of the new European Union legislation, this information memorandum has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 59/46/EC (GDPR).
In this memorandum, we have tried to present the information to you as clearly as possible, so we have chosen the format of the questions and answers we would like to provide. You will find the information in the following order:
- Who is the data controller?
- Who is the Data Protection Officer?
- What purpose do we need the personal data for?
- What are our legitimate interests?
- How was the personal data obtained?
- What categories of personal data are processed?
- What is the legal basis for the processing of personal data?
- Will we be transferring personal data to anyone else?
- Will we transfer personal data to a third country or international organisation?
- How long will we store the personal data?
- What are your rights in relation to the processing of personal data and how can you exercise them?
- Is personal data automatically evaluated?
This Information Memorandum sets out the basic information that we are required to provide as a data controller. If you would like to know the detailed data processing principles that we follow, you can find them on our website www.cartecgroup.dev
Should you have any questions regarding the processing of your personal data, please do not hesitate to contact us by e-mail at gdpr@cartecpraha.cz or by phone at +420 739 453 000. In all cases we can be contacted at our delivery addresses:
CarTec Liberec s.r.o., Obchodní 622, 460 01 Liberec 11
CarTec Olomouc s.r.o., Tovární 1297/1b, 779 00 Olomouc
CarTec Ostrava s.r.o., Vítkovická 3246/1A, 702 00 Ostrava – Moravská Ostrava
CarTec Praha s.r.o., Průběžná 80, 100 00 Prague 10
What are cookies?
Cookies are text files containing small amounts of information that are downloaded to your computer, mobile or other device when you visit a website. Then, each time you visit the website again, the cookies are sent back to the original website or to another website that recognises cookies. Cookies are useful because they allow websites to recognise a user’s device.
Persistent cookies
These cookies remain on the user’s device for the period of time specified in the cookie. They are activated whenever the user visits the website that created the cookie.
Session cookies
These cookies allow website operators to link individual user activities as they browse the website. They are activated when the browser window is opened and deactivated when the browser window is closed. Session cookies are temporary and all such files are deleted when the browser is closed.
Cookies have various functions, such as making searching between websites more efficient, remembering your preferences and generally enhancing the user experience. They can also ensure that the ads you see online are relevant to your interests and preferences.
Further information about cookies is available at www.allaboutcookies.org and www.youronlinechoices.eu.
Cookies used on www.cartecgroup.dev
A list of all types of cookies used on the website:
Necessary cookies
These cookies are strictly necessary for the functioning of the website and the user’s consent to these cookies is not required. Without these cookies, some functions of the website will not be possible.
Performance cookies
These cookies collect anonymous information about the pages you visit. By opening the website, you consent to the placement of these cookies on your device. These cookies collect information about how a visitor uses the website, for example which pages they visit most often and whether they receive error messages from the website. These cookies do not collect identifying information about the user, all information is aggregated and therefore anonymous. These cookies are only used to improve the functioning of the website.
Functional cookies
These cookies remember your choices and improve your user experience when using the website. By opening the website, you consent to the placement of these cookies on your device.
Functionality cookies allow the website to remember your choices (e.g. your username, language or the area where you are located) and thus enhance the functionality of the website to better suit you. These cookies can also remember changes in font size, font and other parts of the website as customized by the user. They also enable the use of services requested by the user, such as watching videos, posting comments on blogs, etc. The information collected through these cookies may be anonymous and does not track your activities when you visit other websites.
Targeted or advertising cookies
These cookies collect information about your search habits and target advertising messages relevant to your interests and your personality accordingly.
These cookies are used to better target advertising to users. They are also used to limit the number of advertising messages to a single user and make advertising campaigns more effective. These cookies are generally placed on websites by third parties with the consent of the website operator. The cookies remember that the user has visited the site and then share this information with other entities. Very often, these cookies are then linked to the functionality of the site provided by another entity.
Behavioural advertising targeting and online privacy
The Internet industry has developed a guide to behavioural targeting and online privacy, which you can read at www.youronlinechoices.eu. The guide explains the IAB’s self-regulatory scheme, allowing you to gain better control over the display of advertising on your device.
Browser settings and cookie settings
The Help tab in the bar of most browsers provides instructions on how to prevent your browser from accepting new cookies, how to receive notifications when new cookies are accepted and how to deactivate all cookies. You can also deactivate or completely delete similar data used by your browser as add-on modules, such as flash cookies, by changing the settings of the add-on module or by visiting the website of its manufacturer.
As cookies allow you to use some basic functions of the website, we recommend that you leave cookies enabled. For example, if you block or refuse certain cookies, you will not be able to use our products and services that require you to log in. If you leave cookies on, always remember to log out if you are using a shared computer.
1. WHO IS THE DATA CONTROLLER?
The controller is the person who, alone or jointly with others, determines the purposes for which and decides how personal data will be processed.
The following companies are the controllers of personal data:
CarTec Liberec, s.r.o.
with registered office in Liberec, Obchodní 622
ID: 27343723
File number: C 25296 registered at the Regional Court in Ústí nad Labem
CarTec Olomouc s.r.o.
with registered office in, Vítkovická 3246/1A
ID: 01486489
File number: C 55963 registered at the Regional Court in Ostrava
CarTec Ostrava s.r.o.
with registered office in Ostrava, Vítkovická 3246/1A
ID: 259136203
File number: C 27074 registered at the Regional Court in Ostrava
CarTec Praha s.r.o.
with registered office in Prague 10, Průběžná 80, Postal Code 100 00
ID: 496 14 801
File number: C 21094 registered at the Municipal Court in Prague
The controller can be contacted by e-mail at gdpr@cartecpraha.cz or by phone at +420 739 453 000.
The representative of the controller is Hana Jelínková.
2. WHAT PURPOSE DO WE NEED THE PERSONAL DATA FOR?
The controller processes personal data for:
a) ensuring the conclusion and subsequent performance of a contractual obligation between the controller and you (Article 6(1)(b) GDPR). Such a relationship gives rise to other legal obligations and the controller must therefore also process personal data for this purpose (Article 6(1)(c) GDPR);
b) marketing purposes, in order for the controller to best tailor the offer of its products and services and commercial communications about them to your needs, for which purpose the controller obtains your unambiguous consent (Article 6(1)(a) GDPR);
c) the protection of its legitimate interests (Article 6(1)(f) GDPR), which include, for example, the registration of drivers when hiring a replacement car, or demo rides.
Providing personal data to the controller is generally a legal and contractual requirement. With regard to the provision of personal data for marketing purposes, which does not constitute the fulfilment of a contractual and legal obligation of the controller, your consent is required. If you do not consent to the controller processing your personal data for marketing purposes, this does not mean that the controller will refuse to provide you with its product or service under the contract as a result.
3. What are our legitimate interests?
The controller also processes personal data to protect its legitimate interests. In particular, the legitimate interests of the controller are the proper performance of all contractual obligations of the controller, the proper performance of all legal obligations of the controller, direct marketing, the protection of the controller’s business and property and, last but not least, the protection of the environment and ensuring sustainable development.
In order to ensure that your privacy is protected as much as possible, you have the right to object to your personal data being processed solely for the most necessary lawful reasons or to have your personal data blocked. For more information on your rights related to the processing of personal data, please refer to Article 11 of this information memorandum.
4. How was the personal data obtained?
The controller obtained the personal data directly from you, in particular from completed forms, communications or contracts. In addition, personal data may also come from publicly available sources, registers and records, such as the commercial register, debtors’ register, professional registers or the Land Registry, for example. In addition, the controller may have obtained personal data from third parties who are authorised to access and process your personal data and with whom it cooperates, as well as from information from social networks and the Internet that you yourself have posted…
5. What categories of personal data are processed?
In order to ensure your satisfaction with the proper performance of the obligation, to ensure compliance with legal obligations, to provide a personalized offer of goods and services of the controller and for the other purposes listed above, the controller processes the following categories of personal data:
a. basic identification data – name, surname, date of birth, home address, birth number and identification number. We only process date of birth and birth number if you enter into a contract with our company and these data are necessary for the performance of the contract, for example for registration of the car at the traffic inspectorate;
b. contact details – telephone number and e-mail address;
c. information about your use of the controller’s products and services – this is information about what products you have arranged with the controller and what you are using now, including product settings etc;
d. information from communications between you and the controller – information from emails, telephone records or other contact forms;
e. billing and transaction information – this includes information appearing on invoices, billing terms agreed and payments received;
f. geolocation information – information from the web browser or mobile applications you use.
6. What is the legal basis for processing personal data?
The lawfulness of the processing is determined by Article 6(1) of the GDPR, according to which the processing is lawful if it is necessary for the performance of a contract, for the fulfilment of a legal obligation of the controller, for the protection of the legitimate interests of the controller or the processing is based on the consent you have given us.
The lawfulness of the processing is also based, for example, on Act No. 563/1991 Coll., on accounting, according to which invoicing data is processed and stored, Act No. 89/2012 Coll., Civil Code, according to which the controller defends its legitimate interests, or Act No. 235/2004 Coll., on value added tax.
7. WILL WE PASS ON PERSONAL DATA TO ANYONE ELSE?
Within the limits of the law, we must provide personal data to public authorities, such as tax authorities, courts, law enforcement authorities or capital market supervisory authorities, as well as to persons who will be involved in the performance of the contract and without whose cooperation the contract could not be performed, such as insurance companies, leasing companies, etc. with regard to the specific form of the contractual relationship. We will also transfer personal data to processors in the marketing sector with whom we have a processing contract.
We will only pass on personal data to other third parties if you are duly informed and consent to this.
We will pass on personal data to BMW Vertriebs GmbH, organizational unit of the Czech Republic and its subsidiaries if you give your explicit consent to this.
8. WILL WE TRANSFER PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION?
We will not transfer personal data to countries outside the European Union or the European Economic Area or to any international organisation.
9. HOW LONG WILL WE STORE PERSONAL DATA?
Personal data will be processed and stored for at least the duration of the contract. Certain personal data required for e.g. tax and billing obligations will be kept for longer, usually 5 years starting from the year following the occurrence of the fact to be stored.
Personal data that are relevant for the exercise of the controller’s legitimate interests will be retained for a maximum of 6 years from the end of the contractual relationship with the controller.
Personal data processed for marketing purposes will be retained for a maximum of 3 years from the date of acquisition.
Personal data will never be kept longer than the statutory maximum. After the expiry of the archiving period, the personal data will be securely and irretrievably destroyed so that it cannot be misused.
10. WHAT ARE YOUR RIGHTS IN RELATION TO THE PROCESSING OF PERSONAL DATA AND HOW CAN YOU EXERCISE THEM?
The controller does everything possible to ensure that the processing of your data is carried out properly and, above all, securely. You are guaranteed the rights described in this article, which you can exercise with the controller.
11. How can you exercise your rights?
You can exercise your individual rights by sending an email to gdpr@cartecpraha.cz or by calling +420 739 453 000. You can also exercise your rights by sending a written request to our mailing addresses:
CarTec Liberec s.r.o., Obchodní 622, 460 01 Liberec 11
CarTec Olomouc s.r.o., Tovární 1297/1b, 779 00 Olomouc
CarTec Ostrava s.r.o., Vítkovická 3246/1A, 702 00 Ostrava – Moravská Ostrava
CarTec Praha s.r.o., Průběžná 80, 100 00 Prague 10
All communications and statements regarding the rights you have exercised are provided by the controller free of charge. However, if the request is manifestly unfounded or excessive, in particular because it is repetitive, the controller shall be entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of a repeated request for copies of the personal data processed, the controller reserves the right to charge a reasonable fee for administrative costs for this reason.
The controller will provide you with a statement and, where appropriate, information on the measures taken as soon as possible and at the latest within one month. The controller is entitled to extend the time limit by two months if necessary and in view of the complexity and number of requests. The controller will inform you of the extension, including the reasons for it.
12. Right to information about the processing of your personal data
You are entitled to request information from the controller as to whether or not personal data are processed. If personal data are processed, you have the right to request information from the controller, in particular, about the identity and contact details of the controller, its representative and, where applicable, the data protection officer, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, the authorised controllers, a list of your rights, the possibility of contacting the Data Protection Authority, the source of the personal data processed and automated decision-making and profiling.
If the controller intends to further process your personal data for a purpose other than that for which it was collected, it will provide you with information about that other purpose and other relevant information prior to that further processing.
The information provided to you in exercising this right is already contained in this memorandum, but this does not prevent you from requesting it again.
13. Right of access to personal data
You are entitled to request information from the controller as to whether or not your personal data are processed and, if so, to access information on the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients, the period of storage of the personal data, information on your rights (rights to request the controller to rectify or erase, restrict processing, object to such processing), the right to lodge a complaint with the Data Protection Authority, information on the source of the personal data, information on whether automated decision-making and profiling takes place and information concerning the procedure used as well as the significance and foreseeable consequences of such processing for you, information and safeguards in case of transfer of personal data to a third country or an international organisation. You have the right to be provided with copies of the personal data processed. However, the right to obtain this copy must not adversely affect the rights and freedoms of others.
14. Right to rectification
If there has been a change on your part, for example, of your residence, telephone number or other fact that can be considered personal data, you have the right to request the controller to correct the personal data processed. In addition, you have the right to have incomplete personal data completed, including by providing an additional declaration.
15. Right to erasure (right to be forgotten)
In certain specified cases, you have the right to request that the controller erase – anonymise – your personal data. These cases include, for example, that the data processed is no longer necessary for the purposes mentioned above. The controller deletes personal data automatically after the period of necessity has expired, but you can contact the controller at any time with your request. Your request will then be subject to an individual assessment (despite your right to erasure, the controller may have an obligation or legitimate interest to retain your personal data) and you will be informed in detail about the processing.
16. Right to restriction of processing
The controller processes your personal data only to the extent strictly necessary. However, if you feel that the controller, for example, exceeds the purposes for which the personal data are processed as set out above, you can request that your personal data be processed solely for the strictly necessary legitimate purposes or that the personal data be blocked. Your request will then be subject to an individual assessment and you will be informed in detail about the processing.
17. Right to data portability
If you wish the controller to provide your personal data to another controller or another company, the controller will transfer your personal data in an appropriate format to the entity you have designated, unless prevented by any legal or other significant obstacles.
18. Right to object and automated individual decision-making
If you become aware or believe that the controller is processing your personal data in breach of the protection of your private and personal life or in breach of the law (provided that the personal data are processed by the controller on the basis of a public or legitimate interest, or for direct marketing purposes, including profiling, or for statistical purposes or purposes of scientific or historical interest), you may contact the controller and ask it to clarify or rectify the situation.
You can also object directly to automated decision-making and profiling.
19. Right to lodge a complaint with the Office for Personal Data Protection
You may at any time contact the supervisory authority, the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, website https://www.uoou.cz/, with your suggestion or complaint regarding the processing of personal data.
20. Right to withdraw consent
You have the right to withdraw your consent to the processing of personal data at any time, either by filling in the form/checking the box/sending the withdrawal to the address of the controller’s registered office or by using the link in the e-mail communication.
21. IS PERSONAL DATA AUTOMATICALLY EVALUATED?
Personal data is automatically evaluated and may be used for profiling in the marketing activities of the controller. In doing so, the controller uses the following methods:
a) analysis of your activities on the controller’s website;
b) analysis based on the data provided and past contracts.
As a result of these activities of the controller, your behaviour on the website will be mapped and evaluated, which constitutes a certain interference with your right to privacy. At the same time, however, this evaluation contributes to ensuring that you are only sent advertising offers for the controller’s products and services that may be of interest to you in light of the results of the evaluation.
Document issued on 15th May 2018.
Validity – without limitation.