Lawful processing

As controllers of personal data, we are responsible for ensuring that all of our processing activities comply with legal requirements.

Lawful processing of personal data is important for us, and so is, naturally, the protection of these data. For this reason, we would like to assure you that we adhere to the following principles: 

Basic information 

Identification and contact information: GRiT, s.r.o., IČO 46963740, headquarters: Kopečná 231/10, 602 00 Brno, the company is registered in the Register of Companies of the Regional Court in Brno, section C, entry 6560. 

If you have any questions regarding the protection of personal data at our company, you can address them to us at any time: +420 541 212 199, e-mail contact: gdpr@grit.eu.   

Personal data protection officer: We have not named a personal data protection officer as we are not required to do so as provided under Art. 37 GDPR.

Supervisory authority: Supervisory authority is an independent public authority responsible for protecting personal data in each state. The supervisory authority responsible for the area of the headquarters of GRiT, s.r.o. is the Office for Personal Data Protection with its headquarters at Pplk. Sochora 27, 170 00 Praha 7, e-mail: posta@uoou.cz, tel.: +420 234 665 125. 

GRiT, s.r.o. as a personal data controller 

We act as a personal data controller in relation to the personal data of our clients and natural persons who visit our website.

Purpose of processing: For contractual purposes (in particular concluding a contract, communication with the client/supplier), or in order to implement measures adopted prior to concluding the contract (negotiations prior to concluding the contract), we process mainly: name, surname, company identification number (IČO), business address, e-mail, telephone number of the client/supplier, client/supplier representative, fax, written and digital communication with the client.

In order to fulfill legal obligations (in particular bookkeeping, issuance and records of tax documents), we process mainly: name, surname, company identification number (IČO), tax identification number (DIČ), home/business address, bank account number.

We process the following data for the purpose of legitimate interests : e-mail, telephone number (for sending commercial messages), IP address or other forms of online identification (mainly for ensuring the correct functioning of the website).

Should we wish to process any other type of personal data than the ones listed in this article, or for other purposes, we only have the right to do so based on your lawfully given consent to the processing of personal data. The data subject gives consent to the processing of his or her personal data on a separate document. 

If you are younger than 15 years old and wish to disclose your  personal data to us in order for us to process it for some purpose, please ask your legal guardian‘s permission prior to giving us your consent. Without such a permission, you are not legally entitled to give us your personal data. 

We do not process any personal data which could be classified as special category (sensitive data) as referred to in Art. 9 GDPR. By the same token, we do not process personal data relating to criminal convictions and offences as referred to in Art. 10 GDPR. 

Data processing period: We process personal data which are processed for the purpose of fulfilling our obligations arising from specific legislation for the period specified in those legal requirements. 

In the event of using those personal data for protecting our legitimate interests, we process the personal data for the period that is necessary for exercising those rights. If the personal data are processed based on consent, we only process them during the period for which the consent has been given.

GRiT, s.r.o. as a personal data processor

As part of some of our products, we provide our clients with a data space for data storage. Our clients‘ data may include personal data of natural persons. In relation to the personal data placed by our clients on the servers of GRiT, s.r.o., GRiT, s.r.o. acts as a personal data processor. The controller of these personal data is the client.

Warning to end users: Some of our products are meant for use within companies or by natural persons engaged in business. The use of some of our products may be subject to the policies and rules of the client if such policies exist. If the client processes personal data of natural persons using our product, data subjects must direct their questions regarding the protection of their personal data to the client, for it is the client who acts as a controller of personal data protection. We bear no responsibility for the principles of personal data protection or for the security procedures used by the client which may differ from this information. 

Purpose of processing and data management: We do not perform any kinds of operations on our clients‘ data, including personal data, aside from saving them on our servers. In particular, we do not interfere with the personal data, modify them, make them public, or transfer them to third parties (with the exception of granting access to them to state authorities in accordance with the law), unless the parties agree otherwise. The only purpose of handling these personal data is their storage and the right of access by the client. 

Type of personal data processed: Impossible to determine precisely, as data are uploaded into the product by the client himself. Most commonly, it is name, surname, company identification number (IČO), tax identification number (DIČ), business address, fax, e-mail, telephone, bank account number, occupation, profile picture. 

Categories of data subjects whose personal data shall be processed: Employees of the client and other natural persons with whom the client has a contractual relationship.

Personal data processors

Personal data processors are: 

Processors can process personal data for us solely based on a data processing agreement, i.e., with guarantees of technical and organisational measures to protect these data with a clearly defined purpose of the processing, wherein processors may not use the data for any other purposes. 

Under certain conditions, personal data can be disclosed to state authorities (courts, police, financial administration etc., within the scope of exercising their legal powers), or directly provided for other parties to the extent stipulated by specific legislation.

Technical data protection

In order to protect our clients‘ data against unauthorised or accidental disclosure, we implement adequate and appropriate technical and organisational measures, which are updated regularly. The technical measures consist of deploying technology to prevent unauthorised access of third parties to the clients‘ data. The organisational measures are codes of conduct of our employees and are part of our internal regulations, which are, for security reasons, considered confidential. If the servers are located in a data centre operated by a third party, we make sure that the provider also implements technical and organisational measures.

We store all data solely on servers located in the European Union or countries which ensure personal data protection at the same level as the protection stipulated by Czech legislation.

Data subject rights

You have the following rights relating to the protection of your personal data. Should you wish to exercise any of these rights, please contact us by e-mail. 

For exercising these rights, exceptions might apply in some cases, so it might not be possible to exercise them in all situations.

If your demand is deemed legitimate, we shall take the required measures without undue delay, within one month at the latest. In justified cases, we might extend this period by up to two more months.

Right of access to personal data (Art. 15 GDPR): You have the right to obtain confirmation from  GRiT, s.r.o. as to whether or not your personal data are being processed. If your data are processed by GRiT, s.r.o., you have the right to obtain access to these data and the information listed in Art. 15 GDPR. By the same token, you have the right to obtain a copy of the personal data undergoing processing. For any further copies, GRiT, s.r.o. may charge a reasonable fee based on administrative costs.

Right to rectification of personal data (Art. 16 GDPR): You have the right to obtain from GRiT, s.r.o. without undue delay the rectification of your inccurate personal data or the completion of incomplete personal data. 

Right to erasure of personal data (Art. 17 GDPR): You have the right to obtain from GRiT, s.r.o. without undue delay the erasure of your personal data in the cases referred to in Art. 17 GDPR. The right to erasure shall not apply if the processing is necessary for compliance with legal obligations, for the establishment, exercise of defense of legal claims and in other cases referred to in GDPR. 

Right to restriction of processing (Art. 18 GDPR): You have the right to obtain from GRiT, s.r.o. restriction of processing where one of the following applies: a) you contest the accuracy of the personal data, for a period enabling GRiT, s.r.o. to verify the accuracy of the personal data; b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; c) GRiT, s.r.o. no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; d) you have objected to processing pending the verification whether the legitimate grounds of GRiT, s.r.o. override yours.

Notification obligation regarding rectification or erasure of personal data or restriction of processing (Art. 19 GDPR) GRiT, s.r.o. shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. GRiT, s.r.o. shall inform you about those recipients if you request it.

Right to data portability (Art. 20 GDPR): You shall have the right to receive your personal data and to transmit those data to another controller, where technically feasible.

Right to notification of a personal data breach (Art. 33 GDPR): When the personal data breech is likely to result in a high risk to your rights or freedoms, GRiT, s.r.o. shall communicate this breech to you without undue delay.

Right to lodge a complaint with a supervisory authority: If you consider that GRiT, s.r.o. does not process your personal data in a lawful manner, you have the right to lodge a complaint with a supervisory authority, whose contact information is listed above.

We will greatly appreciate if you address your concerns to us first. We will do everything in our power to rectify our error and process your data in a lawful manner.

Right to withdraw consent to the processing of personal data: Where GRiT, s.r.o. is processing some of your personal data based on consent, you have the right to withdraw your consent to the processing of personal data at any time by sending your written withdrawal of consent to the processing of personal data to our contact e-mail address. Withdrawal of consent does not affect the processing of personal data in cases in which consent is not required. 

Further information regarding your rights can be found on the website of The Office for Personal Data Protection. 

Automated individual decision-making and profiling 

During the personal data processing, there is no automated individual decision-making, including profiling.

Automated individual decision-making, including profiling, generally refers to any kind of decision which is based on automated processing of personal data, ie without any human intervention, and which, among other things, consists of evaluating the personal aspects relating to a data subject, in particular to analyse and estimate or predict aspects concerning the data subject‘s performance at work, personal preferences, economic situation, health, interests, behaviour, reliability, location or movements. 

Legitimate interests 

Among others, we process your personal data for the purposes of our internal and legitimate needs. In relation to this, we hereby inform you that such processing is conducted primarily for:

Secrecy

We would like to assure you that personal data processors with whom we cooperate as well as our employees have obligations of secrecy regarding personal data and security measures which, if disclosed publicly, might compromise the security of your personal data. 

Sending commercial messages, information about direct marketing

When sending commercial messages, we proceed in accordance with Act No. 480/2004 Coll., about certain legal aspects of information society services, as amended. You can unsubscribe from receiving commercial messages using the logout link in each e-mail.

Right to object to processing (Art. 21 par. 1 GDPR): You have the right to object at any time to processing of your personal data by GRiT, s.r.o. for the purpose of legitimate interests. In such a case, GRiT, s.r.o. shall no longer process your personal data unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Right to object to processing for direct marketing purposes (Art. 21 par. 2 GDPR): Where GRiT, s.r.o. processes your personal data for direct marketing purposes, you have the right to object at any time to such processing. In such a case, GRiT, s.r.o. shall no longer process the personal data for such purposes.