Lawful processing

As controllers of personal data, we are responsible for ensuring that allof our processing activities comply with legal requirements.

Lawful processing of personal data is important for us, and so is,naturally, the protection of these data. For this reason, we would like toassure you that we adhere to the following principles: 

  • lawfulness, fairness,     transparency – we process personal data fairly, lawfully and in a transparent manner;
  • purpose limitation – we process personal data for specified, explicit and legitimate purposes and not in a manner that is incompatible with those purposes; 
  • data minimisation – we process only relevant personal data that are limited to what is necessary in relation to the purposes for which they are processed;
  • accuracy – we process accurate personal data that are kept up to date; we take every necessary and reasonable step to ensure that personal data that are inaccurate having regard to the purposes for which they are processed, are erased or     rectified without delay;
  • storage limitation – we process personal data for no  longer than is necessary for the purposes for which they are processed;
  • integrity and confidentiality – we process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage,  using appropriate technical or organisational measures. 

Basic information 

Identification and contact information: GRiT, s.r.o., IČO 46963740,headquarters: Kopečná 231/10, 602 00 Brno, the company isregistered in the Register of Companies of the Regional Court inBrno, section C, entry 6560. 

If you have any questions regarding the protection of personal data atour company, you can address them to us at any time: +420541 212 199, e-mail contact:   

Personal data protection officer: We have not named a personal dataprotection officer as we are not required to do so as provided under Art.37 GDPR.

Supervisory authority: Supervisory authority is an independent publicauthority responsible for protecting personal data in each state.The supervisory authority responsible for the area ofthe headquarters of GRiT, s.r.o. is the Office for Personal DataProtection with its headquarters at Pplk. Sochora 27, 170 00 Praha 7,e-mail:, tel.: +420 234 665 125. 

GRiT, s.r.o. as a personal datacontroller 

We act as a personal data controller in relation to the personaldata of our clients and natural persons who visit our website.

Purpose of processing: For contractual purposes (inparticular concluding a contract, communication withthe client/supplier), or in order to implement measures adoptedprior to concluding the contract (negotiations prior toconcluding the contract), we process mainly: name, surname, companyidentification number (IČO), business address, e-mail, telephone number ofthe client/supplier, client/supplier representative, fax, written anddigital communication with the client.

In order to fulfill legal obligations (in particularbookkeeping, issuance and records of tax documents), we process mainly: name,surname, company identification number (IČO), tax identification number (DIČ),home/business address, bank account number.

We process the following data for the purpose of legitimateinterests : e-mail, telephone number (for sending commercialmessages), IP address or other forms of online identification (mainly forensuring the correct functioning of the website).

Should we wish to process any other type of personal data thanthe ones listed in this article, or for other purposes, we only havethe right to do so based on your lawfully given consent tothe processing of personal data. The data subject gives consent tothe processing of his or her personal data on a separatedocument. 

If you are younger than 15 years old and wish to disclose your personal data to us in order for us to process it for some purpose, please askyour legal guardian‘s permission prior to giving us your consent. Without sucha permission, you are not legally entitled to give us your personaldata. 

We do not process any personal data which could be classified as specialcategory (sensitive data) as referred to in Art. 9 GDPR. By the sametoken, we do not process personal data relating to criminal convictions andoffences as referred to in Art. 10 GDPR. 

Data processing period: We process personal data which are processed forthe purpose of fulfilling our obligations arising from specific legislationfor the period specified in those legal requirements. 

In the event of using those personal data for protecting ourlegitimate interests, we process the personal data for the periodthat is necessary for exercising those rights. If the personal data areprocessed based on consent, we only process them during the period forwhich the consent has been given.

GRiT, s.r.o. as a personal dataprocessor

As part of some of our products, we provide our clients with a dataspace for data storage. Our clients‘ data may include personal data of naturalpersons. In relation to the personal data placed by our clients onthe servers of GRiT, s.r.o., GRiT, s.r.o. acts as a personal dataprocessor. The controller of these personal data is the client.

Warning to end users: Some of our products are meant for use withincompanies or by natural persons engaged in business. The use of some ofour products may be subject to the policies and rules of the clientif such policies exist. If the client processes personal data of naturalpersons using our product, data subjects must direct their questions regardingthe protection of their personal data to the client, for it isthe client who acts as a controller of personal data protection. Webear no responsibility for the principles of personal data protection orfor the security procedures used by the client which may differ fromthis information. 

Purpose of processing and data management: We do not perform any kinds ofoperations on our clients‘ data, including personal data, aside from savingthem on our servers. In particular, we do not interfere with the personaldata, modify them, make them public, or transfer them to third parties (withthe exception of granting access to them to state authorities in accordancewith the law), unless the parties agree otherwise. The onlypurpose of handling these personal data is their storage and the right ofaccess by the client. 

Type of personal data processed: Impossible to determine precisely, asdata are uploaded into the product by the client himself. Mostcommonly, it is name, surname, company identification number (IČO), taxidentification number (DIČ), business address, fax, e-mail, telephone, bankaccount number, occupation, profile picture. 

Categories of data subjects whose personal data shall be processed: Employees ofthe client and other natural persons with whom the client hasa contractual relationship.

Personal data processors

Personal data processors are: 

  • companies providing accounting and tax advisory services,
  • companies providing payroll accounting services,
  • collaborating programmers,
  • companies providing data extraction services, 
  • server providers.

Processors can process personal data for us solely based on a dataprocessing agreement, i.e., with guarantees of technical and organisationalmeasures to protect these data with a clearly defined purpose ofthe processing, wherein processors may not use the data for any otherpurposes. 

Under certain conditions, personal data can be disclosed to stateauthorities (courts, police, financial administration etc., withinthe scope of exercising their legal powers), or directly provided forother parties to the extent stipulated by specific legislation.

Technical data protection

In order to protect our clients‘ data against unauthorised or accidentaldisclosure, we implement adequate and appropriate technical and organisationalmeasures, which are updated regularly. The technical measures consist ofdeploying technology to prevent unauthorised access of third parties tothe clients‘ data. The organisational measures are codes of conductof our employees and are part of our internal regulations, which are, forsecurity reasons, considered confidential. If the servers are located ina data centre operated by a third party, we make sure thatthe provider also implements technical and organisational measures.

We store all data solely on servers located in the European Union orcountries which ensure personal data protection at the same level asthe protection stipulated by Czech legislation.

Data subject rights

You have the following rights relating to the protection of yourpersonal data. Should you wish to exercise any of these rights, please contactus by e-mail. 

For exercising these rights, exceptions might apply in some cases, so itmight not be possible to exercise them in all situations.

If your demand is deemed legitimate, we shall take the requiredmeasures without undue delay, within one month at the latest. In justifiedcases, we might extend this period by up to two more months.

Right of access to personal data (Art. 15 GDPR): You havethe right to obtain confirmation from  GRiT, s.r.o. as to whether ornot your personal data are being processed. If your data are processed by GRiT,s.r.o., you have the right to obtain access to these data andthe information listed in Art. 15 GDPR. By the same token, youhave the right to obtain a copy of the personal data undergoingprocessing. For any further copies, GRiT, s.r.o. may charge a reasonablefee based on administrative costs.

Right to rectification of personal data (Art. 16 GDPR): You havethe right to obtain from GRiT, s.r.o. without undue delaythe rectification of your inccurate personal data or the completionof incomplete personal data. 

Right to erasure of personal data (Art. 17 GDPR): You havethe right to obtain from GRiT, s.r.o. without undue delay the erasureof your personal data in the cases referred to in Art. 17 GDPR.The right to erasure shall not apply if the processing is necessaryfor compliance with legal obligations, for the establishment, exercise ofdefense of legal claims and in other cases referred to in GDPR. 

Right to restriction of processing (Art. 18 GDPR): You havethe right to obtain from GRiT, s.r.o. restriction of processing where oneof the following applies: a) you contest the accuracy ofthe personal data, for a period enabling GRiT, s.r.o. to verifythe accuracy of the personal data; b) the processing is unlawfuland you oppose the erasure of the personal data and requestthe restriction of their use instead; c) GRiT, s.r.o. no longer needsthe personal data for the purposes of the processing, but yourequire them for the establishment, exercise or defense of legal claims;d) you have objected to processing pending the verification whetherthe legitimate grounds of GRiT, s.r.o. override yours.

Notification obligation regarding rectification or erasure of personal dataor restriction of processing (Art. 19 GDPR) GRiT, s.r.o.shall communicate any rectification or erasure of personal data or restrictionof processing to each recipient to whom the personal data have beendisclosed, unless this proves impossible or involves disproportionate effort.GRiT, s.r.o. shall inform you about those recipients if you request it.

Right to data portability (Art. 20 GDPR): You shall havethe right to receive your personal data and to transmit those data toanother controller, where technically feasible.

Right to notification of a personal data breach (Art. 33 GDPR): Whenthe personal data breech is likely to result in a high risk to yourrights or freedoms, GRiT, s.r.o. shall communicate this breech to you withoutundue delay.

Right to lodge a complaint with a supervisory authority: If you consider thatGRiT, s.r.o. does not process your personal data in a lawful manner, youhave the right to lodge a complaint with a supervisoryauthority, whose contact information is listed above.

We will greatly appreciate if you address your concerns to us first. Wewill do everything in our power to rectify our error and process your data ina lawful manner.

Right to withdraw consent to the processing of personal data: Where GRiT, processing some of your personal data based on consent, you havethe right to withdraw your consent to the processing of personal dataat any time by sending your written withdrawal of consent tothe processing of personal data to our contact e-mail address. Withdrawalof consent does not affect the processing of personal data in cases inwhich consent is not required. 

Further information regarding your rights can be found on the websiteof The Office for Personal Data Protection. 

Automated individual decision-making andprofiling 

During the personal data processing, there is no automated individualdecision-making, including profiling.

Automated individual decision-making, including profiling, generally refersto any kind of decision which is based on automated processing of personaldata, ie without any human intervention, and which, among other things,consists of evaluating the personal aspects relating to a datasubject, in particular to analyse and estimate or predict aspects concerningthe data subject‘s performance at work, personal preferences, economicsituation, health, interests, behaviour, reliability, location ormovements. 

Legitimate interests 

Among others, we process your personal data for the purposes of ourinternal and legitimate needs. In relation to this, we hereby inform you thatsuch processing is conducted primarily for:

  • the protection of our rights and legally protected interests, legitimate recipients or other persons     concerned, e.g., for  debt collection; 
  • direct digital marketing – sending commercial messages;
  • security, website traffic analysis.


We would like to assure you that personal data processors with whom wecooperate as well as our employees have obligations of secrecy regarding personaldata and security measures which, if disclosed publicly, might compromisethe security of your personal data. 

Sending commercial messages, informationabout direct marketing

When sending commercial messages, we proceed in accordance with Act No. 480/2004Coll., about certain legal aspects of information society services, as amended.You can unsubscribe from receiving commercial messages using the logoutlink in each e-mail.

Right to object to processing (Art. 21 par. 1 GDPR): You havethe right to object at any time to processing of your personal data byGRiT, s.r.o. for the purpose of legitimate interests. In such a case,GRiT, s.r.o. shall no longer process your personal data unless they demonstratecompelling legitimate grounds for the processing which override yourinterests, rights and freedoms, or for the establishment, exercise ordefence of legal claims.

Right to object to processing for direct marketing purposes (Art.21 par. 2 GDPR): Where GRiT, s.r.o. processes your personal data for directmarketing purposes, you have the right to object at any time to suchprocessing. In such a case, GRiT, s.r.o. shall no longer processthe personal data for such purposes.