GDPR

Lawfulness of processing

As the data controller, we are responsible for ensuring that all our processing activities comply with legal requirements.

Lawful processing of personal data is important to us, and protecting it is a matter of course.

We would like to assure you that we adhere to the following principles in particular:

lawfulness, fairness, transparency – we process personal data in a fair, lawful, and transparent manner;

purpose limitation – we process personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes;

data minimization – we process only relevant personal data to the extent necessary in relation to the purpose for which it is processed;

accuracy – we process accurate and up-to-date personal data; we take all reasonable steps to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;

storage limitation – we process personal data for no longer than is necessary for the purposes for which it is processed;

integrity and confidentiality – we process personal data in a manner that ensures its proper security, including protection through appropriate technical or organizational measures against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Basic information

Identification and contact details: GRiT, s.r.o., Company ID (IČO) 46963740, with its registered office at Kopečná 231/10, Staré Brno, 602 00 Brno, a company registered in the Commercial Register maintained by the Regional Court in Brno, Section C, File 6560.

If you have any questions regarding personal data protection in our company, you can also contact us at any time via these channels:

phone: +420 541 212 199
email: gdpr@grit.cz

Data Protection Officer: We have not appointed a data protection officer, as we are not an obligated entity under Article 37 of the GDPR.

Supervisory authority: The supervisory authority is an independent public body responsible for the protection of personal data in a given state.

The supervisory authority for the registered office of GRiT, s.r.o. is:
The Office for Personal Data Protection, located at:
Pplk. Sochora 27, 170 00 Prague 7
email: posta@uoou.cz
tel.: +420 234 665 125.

GRiT, s.r.o. as the data controller

We act as the data controller regarding the personal data of our clients and individuals who visit our website.

Purpose of processing:
For the purpose of contract performance (primarily contract conclusion, communication with the customer/supplier), or to take measures prior to contract conclusion (negotiations before signing a contract), we process in particular: name, surname, company registration number, business address, email, customer/supplier phone number, customer/supplier representative, fax, and written and electronic communication with the customer.

For the purpose of fulfilling legal obligations (primarily bookkeeping, issuing and recording tax documents), we process in particular: name, surname, company registration number/VAT ID, residential/business address, and bank account number.

For reasons of legitimate interest, we process: email, phone number (for sending commercial communications), IP address, and potentially other online identifiers (primarily for the proper functionality of the website).

If we intend to process personal data other than that specified in this article, or for other purposes, we may only do so based on validly granted consent to the processing of personal data. Consent to the processing of personal data is granted by the data subject in a separate document.

If you are under 15 years of age and wish to provide us with your personal data for processing for any purpose, please ask your legal guardian for their consent before providing it to us. Without such approval, you are not authorized to provide us with your personal data.

We do not process any personal data that can be classified as a special category (so-called sensitive data) within the meaning of Article 9 of the GDPR. Furthermore, we do not process personal data relating to criminal convictions and offenses within the meaning of Article 10 of the GDPR.

Data retention period:
We process personal data required for the fulfillment of obligations arising from special legal regulations for the period stipulated by these regulations. In the event that personal data is needed to protect our legitimate interests, we process such data for the time necessary to exercise these rights. If personal data is processed based on consent, we process it only for the period for which consent is granted.

GRiT, s.r.o. as a personal data processor

Within some products, we provide clients with data storage space for the purpose of storing data operated within our offered product. Client data may also include the personal data of natural persons.
In relation to personal data that the client stores on GRiT, s.r.o. servers, GRiT, s.r.o. acts as a personal data processor. The controller of this personal data is the client.

Notice to end users:
Some of our products are intended for use in companies or by self-employed individuals, among others. The use of some of our products may be subject to the client's policies and rules, if such policies exist. If a client processes the personal data of natural persons using our product, data subjects must address any privacy-related inquiries to the client, as they act as the personal data controller. We are not responsible for the privacy policies or security practices used by the client, which may differ from this Information.

Purpose of processing and data handling:
We do not perform any operations with client data, including personal data, other than storing it on our servers; in particular, we do not interfere with, alter, disclose, or transfer it to third parties (except for disclosure to public authorities in accordance with the law), unless the contracting parties agree otherwise. The sole purpose of handling this personal data is its storage and availability to the client.

Type of personal data processed:
Cannot be precisely determined, as the customer uploads the data into the product themselves. Most commonly, this includes first name, surname, company registration number/VAT ID, business address, fax, email, telephone, bank details, job title, and profile picture.

Categories of data subjects whose personal data will be processed: The client's employees and other natural persons with whom the client has a contractual relationship.

Personal data processors

The personal data processors are:

  • companies providing accounting and tax advisory services,
  • a company providing payroll accounting,
  • collaborating programmers,
  • companies providing data mining services,
  • server providers.

Personal data may be processed on our behalf by processors exclusively on the basis of a data processing agreement, i.e., with guarantees of organizational and technical security of such data and a defined purpose of processing, whereby processors may not use the data for any other purposes.

Under certain conditions, personal data may be disclosed to public authorities (courts, police, tax authorities, etc., within the scope of their legal powers) or provided directly to other entities to the extent stipulated by special legislation.

Technical Data Security

To secure client data against unauthorized or accidental access, we apply appropriate and suitable technical and organizational measures, which are continuously updated. Technical measures involve the deployment of technologies that prevent unauthorized third-party access to client data. Organizational measures consist of a set of conduct rules for our employees and are part of our internal regulations, which are considered confidential for security reasons. If servers are located in a data center operated by a third party, we ensure that these technical and organizational measures are also implemented by that provider.

We store all data exclusively on servers located in the European Union or in countries that ensure a level of personal data protection equivalent to that provided by the laws of the Czech Republic.

Data Subject Rights

You have the following rights regarding the protection of your personal data. If you wish to exercise any of these rights, please contact us via our contact email.

The exercise of these rights is subject to certain exceptions in some cases, and therefore it may not be possible to apply them in all situations.

If your request is found to be justified, we will take the required measures without undue delay, no later than within one month. In justified cases, we may extend this period by up to two additional months.

Right of access to personal data (Art. 15 GDPR): You have the right to obtain confirmation from GRiT, s.r.o. as to whether or not your personal data is being processed. If your personal data is being processed by GRiT, s.r.o., you have the right to access this personal data and the information specified in Art. 15 GDPR. You also have the right to obtain a copy of the personal data being processed. GRiT, s.r.o. may charge a reasonable fee for additional copies, taking into account administrative costs.

Right to rectification of personal data (Art. 16 GDPR): You have the right to have GRiT, s.r.o. rectify your inaccurate personal data or complete incomplete personal data without undue delay.

Right to erasure of personal data (Art. 17 GDPR): You have the right to have GRiT, s.r.o. erase your personal data without undue delay in the cases specified in Art. 17 GDPR. The right to erasure does not apply if the processing is necessary for compliance with legal obligations, for the establishment, exercise, or defense of legal claims, or in other cases stipulated by the GDPR.

Right to restriction of processing (Art. 18 GDPR): You have the right to have GRiT, s.r.o. restrict processing in any of the following cases: a) you contest the accuracy of the personal data, for a period enabling GRiT, s.r.o. to verify the accuracy; b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead; c) GRiT, s.r.o. no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims; d) you have objected to processing, pending the verification of whether the legitimate grounds of GRiT, s.r.o. override your own.

Right to be informed regarding the rectification or erasure of personal data or restriction of processing (Art. 19 GDPR): GRiT, s.r.o. is obliged to notify individual recipients to whom personal data has been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. Upon your request, GRiT, s.r.o. will inform you about these recipients.

Right to data portability (Art. 20 GDPR): Where technically feasible, you have the right to obtain your personal data and transfer it to another controller.

Right to be informed in the event of a personal data breach (Art. 33 GDPR): If a personal data breach is likely to result in a high risk to your rights and freedoms, GRiT, s.r.o. will notify you of this breach without undue delay.

Right to lodge a complaint with a supervisory authority: If you believe that GRiT, s.r.o. is not processing your personal data in accordance with the law, you have the right to lodge a complaint with the supervisory authority whose contact details are provided above.

We would appreciate it if you would contact us first. We will do everything in our power to rectify any issues and ensure your personal data is processed in accordance with the law.

Right to withdraw consent for personal data processing: In cases where GRiT, s.r.o. processes any personal data based on your consent, you have the right to withdraw your consent for such processing at any time in writing by sending a notice of withdrawal to our contact email address. Withdrawing your consent does not affect the processing of personal data in cases where consent is not required.

Further information regarding your rights can be found on the website of the Office for Personal Data Protection.

Automated individual decision-making and profiling

There is no automated individual decision-making, including profiling, involved in the processing of your personal data.

Automated individual decision-making, including profiling, generally refers to any form of decision based on the automated processing of personal data—i.e., without human intervention—which involves, among other things, the evaluation of certain personal aspects relating to the data subject, particularly for the purpose of analyzing, estimating, or predicting aspects concerning their work performance, personal preferences, economic situation, health, interests, behavior, reliability, location, or movements.

Legitimate interests

We process personal data for our internal and legitimate needs, among other purposes. In this context, we inform you that such processing is primarily carried out for:

  • protection of our rights and legally protected interests, authorized recipients, or other relevant persons, e.g., for debt collection;
  • direct electronic marketing – sending commercial communications;
  • security, website traffic analysis.

Confidentiality

We assure you that the personal data processors we work with, as well as our employees, are obligated to maintain confidentiality regarding personal data and security measures, the disclosure of which would compromise the security of your personal data.

Sending commercial communications, information on direct marketing

We send commercial communications in accordance with Act No. 480/2004 Coll., on Certain Information Society Services, as amended. You can opt out of receiving commercial communications by using the unsubscribe link included in every email sent.

Right to object to processing (Art. 21(1) GDPR): You have the right to object at any time to the processing of your personal data that GRiT, s.r.o. processes based on legitimate interests. In such a case, GRiT, s.r.o. will no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Right to object to processing for direct marketing purposes (Art. 21(2) GDPR): If GRiT, s.r.o. processes your personal data for direct marketing purposes, you have the right to object to such processing at any time. In such a case, GRiT, s.r.o. will no longer process your personal data for these purposes.