Copyright

The owner and operator of the website https://www.commis.cz/ is Commis Europe s.r.o., which, in accordance with Act No. 121/2000 Coll., the Copyright Act, is entitled to exercise proprietary rights to this website (hereinafter the “Operator”).

The Operator holds all copyright to all content placed by the Operator on the website [https://www.commis.cz/](https://www.commis.cz/), including the text, page design, technical drafts, graphics, all images on these pages, as well as the selection and arrangement of the files contained on this website.

The rights and obligations of the Operator and Users when using this website are governed by these Rules. These Rules apply to all persons who visit this website (hereinafter the “Users”). The User expresses their consent to these Rules by entering any of the Operator’s web pages or by using in any way any information placed on the Operator’s website.

The publication of any data or information on the website [https://www.commis.cz/](https://www.commis.cz/), with the exception of this document, does not constitute any legal act, unless explicitly stated otherwise in individual cases.

Personal Data Protection

See the Personal Data Protection Statement below.

Other Provisions

Cookies

“Cookies” are information that is transferred from a website to the User’s computer hard drive. Cookies allow the website to remember important information that will make further use of the website easier for the User.

Like most websites, the Operator’s site uses cookies. Using anonymous data, the Operator tracks, for example, the total number of visitors to this site.

If the User does not want to use cookies, or wishes to be notified by the web browser when cookies are used, they must select the appropriate option in their web browser settings. If the User blocks all cookies, they will not be able to use some functions of this website.

Changes in the Personal Data Protection Policy

The Operator reserves the right to change its personal data protection policy in any way and at any time, with the current version always available on this website.

User Conduct

When using this website, the User must not interfere with the security of this site, use the site to transfer harmful files, or attempt to access areas of the site that are not publicly available. The User is also obliged to respect the Operator’s copyright to this website.

Liability and Jurisdiction

Any risks that may arise for the User from using this website are borne entirely by the User, and the Operator assumes no responsibility for them. All disputes arising in connection with the use of this website shall be heard by the locally competent court in the Czech Republic and in accordance with the laws of the Czech Republic.

Provisions of these terms that for any reason become unenforceable shall be considered separable from the remaining provisions and shall not affect their validity and enforceability.

Notice to Users on the Use of Google Analytics

To better understand the visitors to our website, we use the Google Analytics service provided by Google, Inc. (hereinafter “Google”). For greater transparency, we would like to explain what this means for you, our visitors.

Google Analytics uses “cookies” (text files stored on your computer) that enable an analysis of how this website is used. The information generated by the cookie about your use of the site (including your IP address) will be transmitted to Google and stored on servers in the United States. All data obtained in this way will be processed anonymously. The data is intended solely for evaluating the use of the website. Anonymity is guaranteed by the fact that Google will not associate your IP address with any other data held by Google. No sensitive data such as e-mail, name, or phone number will be sent to Google.

You may refuse the use of cookies and thereby prevent the collection of data about you. You can do this by selecting the appropriate option in your browser settings. For some browsers, you can install an add-on – an opt-out plugin for the advertising cookie – which prevents your data from being sent to Google.

By using this website, you consent to the processing of information about your visit by Google in the manner and for the purposes set out above.

Personal Data Protection Statement

1. Introduction

We, Commis Europe s.r.o., with registered office at U Jednoty 133/15, 500 03 Hradec Králové, ID No.: 08108200, VAT No.: CZ08108200, have prepared this Personal Data Protection Statement for you in order to inform you how we collect, process, use, and protect your personal data and thereby help protect your privacy.

We handle your personal data in accordance with applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Act No. 127/2005 Coll., on Electronic Communications, as amended, and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.

At the same time, through this Personal Data Protection Statement, we would like to clarify the most important terms and processes we use to protect your personal data and answer questions you may have regarding the collection, processing, and storage of your personal data.

2. Supervision

We place great importance on complying with all prescribed and binding rules and security measures whenever we handle your personal data, and we therefore hope that situations in which you would be dissatisfied with our conduct towards you will not arise.

In cases where you might disagree with the manner in which we process your personal data, you may contact:

Office for Personal Data Protection

Address: Pplk. Sochora 27, 170 00 Prague 7

Tel.: 234 665 111

Web: [www.uoou.cz](http://www.uoou.cz)

3. Our Approach

We consider personal data protection to be crucial and pay great attention to it.

You can therefore be sure that we handle your personal data with due care and in accordance with applicable legal regulations, and that we protect your personal data to the maximum possible extent corresponding to a high technical level.

To fully understand how we protect your personal data, we recommend that you carefully read this Personal Data Protection Statement.

When processing your personal data, we adhere to the following principles:

  • The principle of lawfulness, which obliges us to process your personal data always in accordance with legal regulations and on the basis of at least one legal ground.
  • The principle of fairness and transparency, which obliges us to process your personal data openly and transparently and to provide you with information about how your data is processed, including information about who will have access to your personal data. This also includes our obligation to inform you in the event of a serious breach of security or a personal data leak.
  • The principle of purpose limitation, which allows us to collect your personal data only for a clearly defined purpose.
  • The principle of data minimisation, which obliges us to process only such personal data that is necessary, relevant, and appropriate in relation to the purpose of its processing.
  • The principle of accuracy, which obliges us to take all reasonable measures to ensure the regular updating or rectification of your personal data.
  • The principle of storage limitation, which obliges us to store your personal data only for the period necessary for the specific purpose for which it is processed (for example, for the duration of a marketing consent, unless revoked earlier). Once the processing period or purpose expires, we will delete or anonymise your personal data, i.e. adjust it so that it cannot be linked to your person.
  • The principle of integrity, confidentiality, non-repudiation, and availability, which obliges us to secure and protect your personal data against unauthorised or unlawful processing, loss, or destruction. For these reasons, we adopt numerous technical and organisational measures to protect your personal data. We also ensure that only selected employees have access to your personal data.
  • The principle of accountability, which obliges us to be able to demonstrate compliance with all of the above conditions.

4. Contact for Your Questions or Concerns

If any part of this Statement is unclear or if you have any questions or comments regarding the protection of your personal data, please do not hesitate to contact the Data Protection Officer of Commis Europe s.r.o.: info@commis.cz, +420 771 141 660.

5. What Personal Data Is and Its Categories

Personal data is information that allows us to identify you. It is therefore any information that can be specifically linked to you as an individual.

Personal data does not include anonymous or aggregated data, i.e. data that cannot be clearly linked to you as a person.

We divide personal data into:

Basic data, such as your name, surname, date of birth, ID card number (or other identification document).

A special category of personal data is formed by sensitive personal data, which are highly personal details capturing, for example, information about your health.

We further divide basic data into specific categories, which are listed in section “15. Categories of Data”.

6. Legal Grounds for Processing Your Personal Data

We obtain your personal data and further handle it exclusively to the necessary extent and for the fulfilment of the relevant purpose. Providing your personal data is voluntary, and in cases where it is provided on the basis of consent, you may, under certain conditions, request the deletion of the processed personal data (see section “10. Your Rights” for more details).

In some cases, such as entering into a purchase contract for our goods or services, we need to obtain the necessary scope of personal data from you already at the time of your binding order for such goods or services. Without this data, we would not be able to meet your requirements and conclude the contract with you, especially with regard to fulfilling our legislative obligations, as well as protecting our legitimate interests.

Below we list the legally defined grounds on which we are authorised to process your personal data.

The main legal grounds for processing your personal data include:

Consent – you grant us consent for one or more specific purposes (for example, for sending commercial communications).

When obtaining your consent to the processing of your personal data, we follow these rules:

  • we always obtain consents to the processing of your personal data separately; granting consent will therefore not form part of a contract or other agreement,
  • the text of the consent will always be understandable,
  • consent will only be granted based on your active action; no boxes will be pre-ticked on your behalf,
  • you will grant consent separately for each purpose of processing.

Performance of a contract – we need your personal data here for the purpose of entering into a contractual relationship and subsequently fulfilling it, or also prior to the conclusion of the contract (for example, an order preceding the conclusion of a purchase contract).

Compliance with a legal obligation – we need your personal data for processing in order to fulfil our legal obligations as a controller.

Legitimate interest – the processing of your personal data is necessary for the purposes of our legitimate interests, except in cases where your interests or your fundamental rights and freedoms override those interests.

More marginally, the following legal grounds may also apply:

Protection of vital interests of the data subject – processing your personal data would be necessary for the protection of your or another natural person’s vital interests.

Public interest – processing your personal data is required to fulfil a task carried out in the public interest or in the exercise of official authority vested in us as a controller.

7. Reasons for Processing Personal Data

As already mentioned in section “6. Legal Grounds for Processing Your Personal Data”, each processing operation must be based on a legal ground.

Below are examples of situations in which we will most often request your personal data and the legal grounds for doing so:

  • Ordering and purchase of goods or services – the legal ground will be the conclusion and performance of a contract, or actions taken prior to entering into a purchase contract.
  • Service provision – the legal ground will be the conclusion and performance of a contract, or actions taken prior to entering into a service contract and providing the service.
  • Provision of financing – the legal ground will be actions taken prior to entering into the relevant contract (for example, assessing creditworthiness) and performance of the contract for the purpose of financing the purchase of a product and the mutual rights and obligations arising from this contract.
  • Arranging insurance – the legal ground will be the conclusion and performance of an insurance contract.
  • Marketing purposes – the legal ground will be your consent for sending commercial communications.
  • Storing cookies necessary for the functioning of the website – the legal ground will be our legitimate interest, since storing cookies is necessary for the proper functioning of the website.

8. Personal Data Protection

We care deeply about the protection of your personal data, and therefore we follow the technical and organisational measures below to ensure the security of your personal data. These measures include:

  • Physical access control – we store all data in a way that protects access to it, meaning that the places where it is stored are secured by technical means.
  • Controlled access – no one is allowed to enter any system storing personal data without entering the relevant password or using two-factor authentication, so only authorised persons can access the data.
  • Transfer control – all handling of personal data during electronic transfer is protected so that unauthorised reading, copying, modification, or deletion cannot occur.

9. Your Rights

Personal data protection would not be complete if you had no rights in this area. Below you will find an overview of your rights associated with personal data protection, along with a practical explanation of how to exercise them:

Right to be informed about the processing of personal data

This right entitles you to obtain information about our full identification as the controller of your personal data, together with contact details as listed above. You are also entitled to know the legal ground for processing (for example, performance of a contract), the purpose (for example, a purchase contract for our goods), and information on the storage period of personal data. Before we begin processing your personal data, we will always inform you in advance of the legal ground and purpose of this processing.

Right of access to personal data

This right entitles you, upon your request, to obtain information from us as to whether we process your personal data and, if so, to what extent. At the same time, you have the right to request a copy of the processed personal data. If you so request, we are also obliged to inform you of the purpose of processing, the recipients of the processed personal data, and any other related information.

Right to rectification

This right allows you, for example, to ask us to change any of your personal data that we process if it has changed (such as a change of surname, address, etc.).

It is not our obligation as a controller to actively determine whether the personal data we collect about you is current, incorrect, or inaccurate; however, if you notify us of this, we are obliged to address your remark or request for rectification. Under the same conditions, you also have the right to ask us to complete incomplete personal data.

Right to erasure

This is also known as the “right to be forgotten” and requires us as a controller to delete your personal data in the following cases:

  1. the purpose of processing has ceased to exist (for example, termination of a contractual relationship),
  2. you withdraw your consent to the processing of personal data and no other reason for processing your personal data exists (for example, withdrawal of marketing consent, provided that you do not have a contractual relationship with us),
  3. you object to the processing of personal data (provided the objection is justified and no legal reason for processing your personal data exists),
  4. we are obliged to erase your data in accordance with applicable legislation (for example, destruction obligations under archiving rules).

Right to object

This right is similar to the right to withdraw consent and applies where personal data is processed on the basis of a legitimate interest (for example, to protect our property). You may also object if your personal data is processed for direct marketing purposes. In justified cases, after your objection is recognised, your personal data will be erased and no longer processed.

Right to data portability

If you request that we transfer your personal data to another controller, we are obliged to provide and transmit such data to them in a structured, commonly used, and machine-readable format. You may exercise this right only if the processing is based on consent or a contract and is carried out by automated means, i.e. exclusively by technical means based on a predetermined algorithm without any human intervention.

10. Who Is the Controller and Who Is the Processor and What Do They Do

Controller

In cases where you provide us with your personal data, for example when purchasing our goods or services, when communicating with us as part of our marketing campaigns, when asking us questions, or when lodging a complaint about goods or services, we act as the controller of your personal data.

As the controller, we determine the purpose and means of processing your personal data.

Processing is any operation or set of operations performed on personal data, such as their collection, handling, organisation, structuring, etc.

As the controller of your personal data, we are also responsible for compliance with all obligations and principles related to personal data protection, especially for ensuring sufficient security. In the event of a personal data breach, which we naturally strive to prevent, we are obliged to notify the Office for Personal Data Protection within 72 hours.

If the breach of your personal data security presents a high risk, we are also obliged to notify you, provided we have up-to-date contact details for you.

A processor is a person to whom we, as the controller, transfer your personal data and who further handles it in accordance with our instructions. These are, for example, our business partners, typically external marketing agencies that send you commercial and marketing communications on our behalf.

To ensure that your personal data is handled in accordance with applicable legislation and provided adequate security, we have concluded a written personal data processing agreement with each processor.

11. Rules for Sharing Your Personal Data with Third Parties

We divide the rules under which we share your personal data with processors into two basic categories.

The first category covers the sharing of personal data within the European Union and the European Economic Area; the second category addresses sharing with third countries outside the European Union and European Economic Area and with international organisations.

In order to share your personal data with a processor within the European Union and European Economic Area, we ensure that:

  • personal data is shared for a specific purpose (for example, preparation of a marketing campaign),
  • only a clearly defined and necessary scope of personal data is shared,
  • sharing is carried out on the basis of a properly concluded personal data processing agreement,
  • sharing is implemented via a secure channel (encryption, pseudonymisation, etc.).

In the case of sharing your personal data with third countries outside the European Union and European Economic Area and with international organisations, we will do so exclusively on the basis of standard contractual clauses, i.e. model contracts issued by the European Commission, and only with entities located in countries that, according to the European Commission, ensure an adequate level of personal data protection. The third countries with which your personal data may be shared will most often be the People’s Republic of China, the Republic of India, and the Russian Federation.

12. When You Are a Data Subject

You are a data subject solely as a natural person; the legal regulation of personal data protection therefore does not apply to legal entities, such as companies, cooperatives, associations, etc.

Based on these legal grounds, we can classify you into two basic groups. We regard the first group as our customers; you become one if we process your personal data for the purpose of entering into and performing contracts for the purchase and use of our goods and services.

We refer to the second group of data subjects whose personal data we process as third parties; you belong to this group, for example, when you grant us marketing consent or use our website without simultaneously being our customer. If you want to know when and under what conditions you may learn the scope of personal data we process about you, or if you wish to have your processed personal data erased, please read section “9. Your Rights”, which explains the individual procedures and their conditions.

13. Glossary of Terms

Sensitive data

Data of a special nature, such as information about your health or biometric data enabling the identification of a person (currently referred to in legislation as “special categories of personal data”).

Cookies

A short text file that a visited website sends to your browser. It allows the website to record information about your visit, such as your preferred language and other settings. This can make your next visit to the site easier and more productive. Cookies are important; without them, browsing the web would be much more difficult.

Legitimate interest

The interest of the controller or a third party, for example in a situation where the data subject is a customer of the controller, except in cases where the interests or fundamental rights and freedoms of the data subject override such interests.

Personal data

Information about a specific, identifiable person.

Recipient

A person to whom data is transferred.

Service

Any service we offer you, including our products, services offered online, and their support.

Controller

A person who determines the purpose and means of personal data processing; the controller may authorise a processor to process personal data.

Data subject

A living individual to whom personal data relates.

Purpose

The reason for which the controller uses your personal data.

Goods

A product that you purchase from us, typically a vehicle, but also, for instance, an application for your mobile phone.

Processing

Any operation performed on personal data by the controller or processor.

Processor

A person who processes personal data on behalf of the controller.

14. Categories of Data

Below you will find individual categories of personal data and a breakdown of specific data included in each category.

Identification data: name, surname, maiden name, salutation, title before/after name, gender, language, residence, permanent residence, date and place of birth, date of death, citizenship/nationality, personal identifier (assigned by the company), type of document, diplomatic passport number, ID card number, company ID number, VAT number, social security number, driving licence number, passport number, document validity, date and place of document issue, photograph from ID document, application login, date of creation/deletion of record, employee number, employer, job position, press accreditation number, signature.

Contact details: mailing address, work address, telephone number, fax, e-mail address, data box, contact details within social media.

Psychological characteristics: any information about nature/personality/mood/mental state.

Physical characteristics: any physical characteristics (hair colour, eye colour, height, weight, etc.).

Risk profiles: cyber risk, AML risk, anti-fraud risk, CFT risk, embargo risk, PEP, other security risk.

Data about family and other persons: marriage, partnership, marital status since, number of children, information about household, child’s name and surname, child’s date of birth, information about another person (relationship and other ties).

Descriptive data: social status (student/employee/self-employed/unemployed), job position and experience, skills, education, qualifications, lifestyle, habits, leisure and travel, membership in e.g. charitable or volunteer organisations, information about the area where the data subject lives, housing information, significant life events (moving, obtaining a driving licence), health insurance company code, firearms licence (yes/no), left-handed/right-handed, EHIC card number, preferred dealer, copy of sick leave certificate, segmentation.

Copy of ID or other public document: copy of ID card, copy of passport, copy of disability card (ZTP, ZTP/P), copy of driving licence, copy of diplomatic passport, copy of vehicle registration certificate, birth number.

Data on race or ethnic origin: racial or ethnic origin.

Political opinions: political opinions.

Data on religious or philosophical beliefs: religious beliefs or philosophical convictions.

Data on trade union membership: trade union membership.

Genetic data: genetic data.

Biometric data: biometric data (signature, photograph).

Data relating to criminal convictions and offences or related security measures: data relating to criminal convictions and offences or related security measures.

Health data: physical health, mental health, risk situations and risk behaviour, disability (ZTP, ZTP/P), blood group, data on healthcare, data on sex life or sexual orientation.

Salary and similar data: salary/remuneration, wage compensation, average earnings, bonuses/use of benefits, wage deductions, method of wage payment, expenses, private account number, consumption of internal resources, insurance, taxes and contributions, taxpayer declaration, tax returns and supporting documents, data on employee’s property.

CVs, cover letters, and recruitment records: CV, cover letter, recruitment records and results.

Data on job performance: job position, cost centre, supervisor, working hours & public holidays, vacation, sick leave, maternity/parental leave, career interruptions, attendance, events, calendar, home office, teleworking, information on business trips and other changes in employment relationship, daily schedules/timesheets, assigned devices and other valuables, ICT property, number of hours worked, completed training, access rights, accident logbook, performance of work for a third party, gifts received and given.

Evaluations and related communication: feedback from employees, survey responses, complaints/suggestions/proposals/requests/enquiries and their resolution, service requests, evaluation records, internal sanctions, self-evaluations, personal goals and KPIs.

Other identification and contact data of the employee: employee card number, access rights/ID2/user ID, work e-mail accounts, work telephone number, passwords within internal IT systems, access/logs to internal IT systems – VPN connection, data on employees within the group.

Transaction data: bank account number, debit/credit card number, authorisations/powers of attorney, date of transaction, transaction amount.

Trading history: transactions and contracts including related information, offers/requests for business opportunities, subject, date, place of transaction, reminders, information on trading within the group.

Business profile: business profile derived from analytical modelling, VIP designation and similar, intention to purchase a vehicle (when, which, financing), interest in a test drive, solvency.

Data on internal control and investigations: records of internal investigations, whistleblowing cases, internal system logs, logs relating to the use of the internet/traffic, logs relating to the use of e-mail services/traffic, logs relating to the use of telecommunications means/traffic.

CCTV footage: CCTV recordings.

Access control records: access device records.

Data on movement within premises: data in the visitors’ log.

Photos/video: photographs, video.

Voice recordings: voice recordings.

Communication, interactions, and profiles derived from these data: chat (instant messaging), conversations, e-mail communication, behaviour or browsing/clicking/searching and listening/viewing related to the internet/e-mails/media/applications, information obtained through feedback/surveys/comments/suggestions/complaints in relation to the controller, consent/disagreement with type or form of communication.

Technical product data: VIN, licence plate number, information about how the item (e.g. vehicle) is used, information on ownership of the vehicle, information on service visits, technical description of the item (e.g. vehicle colour).

Location data: location data based on GPS, beacon technology, location data derived from other operations (e.g. card payment at a merchant’s premises).

Network identifiers: MAC address, IP address, device fingerprint, cookies or similar technology, browser information.

Data on the course of study: class, field of study, grades, student evaluation, internships.