Cognitio – scan s.r.o.
PERSONAL DATA PROTECTION RULES

Dear Sirs/Madams,
We take the liberty to inform you about the principles and procedures for the processing of personal data which takes place in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”).

Selected terms are defined in General Business Terms and Conditions for the Use of the Cognitio – scan System which are available here.

I. BASIC INFORMATION

Identification and contact details of the controller: Cognitio – scan s.r.o., Company ID No. 071 52 469, with its registered office at Koulka 2985/2a, 150 00 Praha 5, Czech Republic, contact address: Koulka 2985/2a, 150 00 Praha 5, Czech Republic, incorporated in the Companies Register kept by the Municipal Court of Prague (hereinafter referred to as the “Provider”), e-mail contact: info@cognitio-scan.com.

Data protection officer: The Provider has not appointed a data protection officer.

Transfer of personal data to a third country or an international organisation: The Provider does not transfer personal data to third countries or international organisations.

Automated individual decision-making: The Provider does not carry out automated individual decision-making or profiling in accordance with Article 22 GDPR.

Information on the nature of the provision of data: Where personal data are processed for the purpose of compliance with legal obligations, the provision of data is a legal requirement. Where personal data are processed on the basis of the consent of the data subject, the provision of data is a contractual requirement.

Supervisory authority: The Office for Personal Data Protection (Úřad pro ochranu osobních údajů), with its registered office at Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.cz, tel.: 234 665 125, is the supervisory authority at the place where the Provider has its registered office.

II. PROVIDER AS A PERSONAL DATA CONTROLLER

The Provider acts as a personal data controller in relation to the personal data of Clients and other persons (Persons Interested in Cooperation, Customers) who visit or use the website Cognitio-scan.com.

Purpose of processing: The Provider processes particularly the following for the performance of a contract or for compliance with legal obligations: first name, surname, name, date of birth, identification number, residence/registered office, telephone, e-mail, access details for Cognitio-Scan applications, job, sex, professional sector, profession, education, marital status.

The Provider further processes the data collected from Clients and other natural persons on the basis of their using the Application or visiting the website Cognitio-scan.com, which means data entered by the person concerned or identifiers collected in the use of the website Cognitio-scan.com (e.g. IP address).

Where the Provider intends to process personal data other than those specified in this Article or to process personal data for other purposes, it may do so only on the basis of a lawfully given consent to the processing of personal data. The consent to the processing of personal data is given by the data subject in a separate document.

Duration of the processing of data: The Provider processes personal data of its Clients for the duration of the provision of the service or for a maximum of 2 years from the termination of provision of services to those interested. Personal data processed for the compliance with obligations arising from specific legislation are processed by the Provider for the period laid down in the legislation. Where it is necessary to use personal data for the protection of the Provider's legitimate interests, the Provider processes them for the period necessary for the exercise of those rights.

Sources of personal data: The Provider collects personal data directly from data subjects within negotiations on the provision of services or in the provision of services. The Provider always informs data subjects about the personal data which the data subjects have to provide for the performance of the Contract.

III. PROVIDER AS A PERSONAL DATA PROCESSOR

The Provider provides the Client with a data space for the storage of data operated within the Application on the Provider's servers and in the hosting centre. The Client's data may include personal data of natural persons. In relation to the personal data stored by the Client on the Provider's servers or in the hosting centre, the Provider acts as a personal data processor. The Client is a controller of the personal data.

Information to end users: The Application is intended inter alia for use by companies or natural persons doing business in the position of a Client. The use of the Application may be subject to the principles and rules of the Client in question, where they exist. Where the Client processes personal data of natural persons using the Application, data subjects have to address any questions regarding the protection of personal data to the Client as the Client is in the position of a personal data controller. The Provider is not responsible for the principles of personal data protection or security procedures applied by the Client, which may differ from these Personal Data Protection Rules.

Purpose of the processing and handling of data: The Provider does not carry out any operations with the Client's data, including personal data, except for their storage on the Provider's servers or in the hosting centre; in particular, the Provider does not interfere with the data, it does not alter, disclose or transfer the data to third parties (with the exception of their lawful disclosure to national authorities) unless the parties agree otherwise. Storage of the personal data and the possibility to disclose the personal data to the Client are the only purposes of handling the personal data.

Type of personal data undergoing processing: The Provider will process personal data stored by the Client on the Provider's servers or in the hosting centre. The personal data will include particularly the first name, surname, name, date of birth, identification number, residence/registered office, telephone, e-mail, access details for Cognitio-Scan application, job, sex, professional sector, profession, education, marital status and other data provided by other subjects in the provision of services.

Categories of data subjects whose personal data will be processed: The Provider will process personal data stored by the Client on the Provider's servers or in the hosting centre. The personal data will usually include the details of business partners and employees of business partners.

Contractual rights and obligations between the Provider and the Client in the control of personal data are governed by General Business Terms and Conditions for the Use of the Cognitio – scan System which are available here.

IV. RECIPIENTS OF PERSONAL DATA

The Provider does not transfer personal data to any other controllers.

Processors of personal data include:

Area of cooperation              Identification of the processor
Cloud services                   Provider of cloud solutions
Webhosting services              Provider of webhosting services
Dedicated server administrator   Provider of dedicated services server

Processors may process personal data for the Provider solely on the basis of an agreement on the processing of personal data, i.e. an agreement including guarantees of organisational-technical security of the data and definition of the purpose of processing; the processors may not use the data for any other purposes.

The personal data may be, under certain conditions, disclosed to national authorities (courts, police, notaries, tax authorities etc. within the exercise of their statutory powers) or the Provider may directly provide the personal data to other entities in the extent laid down in a specific legislative act.

V. TECHNICAL SECURITY OF DATA

To secure Client's data against unauthorized or accidental disclosure, the Provider implements reasonable and appropriate technical and organisational measures which are kept up to date. Technical measures consist of the deployment of technologies preventing unauthorized third party access to the Client's data. Organisational measures are a set of rules of conduct of the Provider's employees and they form a part of the Provider's internal regulations which the Provider considers confidential for security reasons. Where the Provider's servers are located in a data centre operated by a third party, the Provider makes sure that the technical and organisational measures are implemented also with this provider.

The Provider places all data only on the servers located in the European Union or in countries ensuring the protection of personal data at a level equal to the protection provided by the law of the Czech Republic.

VI. PAYMENT GATEWAY

The Provider uses third party payment gateways for some types of payments (e.g. credit card payments). Where the Client uses a credit or debit card payment via PayPal or other payment method, payment card number or other sensitive data for the payment are in any case processed by the third party payment gateway. The Provider does not keep payment card numbers or other sensitive payment data and it has no access to them.

VII. RIGHTS OF THE DATA SUBJECTS

The data subject has:

  1. the right of access to personal data: The data subject has the right to obtain from the Provider confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purpose of the processing; b) the categories of personal data concerned; c) the recipients to whom the personal data have been or will be disclosed; d) the envisaged period for which the personal data will be stored; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling. The data subject is further entitled to obtain a copy of the personal data undergoing processing.
  2. the right to rectification of personal data: The data subject has the right to obtain from the Provider without undue delay the rectification of inaccurate personal data concerning him or her, or to have incomplete personal data completed.
  3. the right to erasure of personal data: The data subject has the right to obtain from the Provider the erasure of personal data concerning him or her without undue delay where: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Czech Republic law; f) the personal data have been collected in relation to the offer of information society services. The right to erasure shall not apply to the extent that processing is necessary for compliance with legal obligations, for the establishment, exercise or defence of legal claims and in other cases specified in GDPR.
  4. the right to restriction of processing: The data subject has the right to obtain from the Provider restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the Provider to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Provider no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pending the verification whether the legitimate grounds of the Provider override those of the data subject.
  5. the right to object to processing: The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her and processed by the Provider on the basis of its legitimate interest. In this case, the Provider shall no longer process the personal data unless the Provider demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  6. the right to data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Provider, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Provider, where: a) the processing is based on consent, and b) the processing is carried out by automated means. In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  7. the right to lodge a complaint with a supervisory authority: If the data subject considers that the Provider does not process the personal data legally, he or she has the right to lodge a complaint with a supervisory authority. The Office for Personal Data Protection (Úřad pro ochranu osobních údajů), with its registered office at Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.cz, tel.: 234 665 125, is the supervisory authority.
  8. the right to notification regarding rectification or erasure of personal data or restriction of processing: The Provider is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Provider informs the data subject about those recipients if the data subject requests it.
  9. the right to be informed about a personal data breach: Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Provider will communicate the personal data breach to the data subject without undue delay.
  10. the right to withdraw consent to the processing of personal data: Where the Provider processes any personal data on the basis of consent, the data subject has the right to withdraw his or her consent at any time in writing by sending his or her disapproval of the processing of personal data to the following e-mail address: info@cognitio-scan.com.

VIII. COOKIE FILES

The Provider uses cookie files, small text files which identify users of the website Cognitio-scan.com and users of the web application running on subdomains of the domain cognitio-scan.com, and record the activities of the user. The text in a cookie file often consists of a chain of numbers and letters which uniquely identify the computer of the user but provide no specific personal data of the user.

The website Cognitio-scan.com automatically identifies the user's IP address. An IP address is the number automatically assigned to the user's computer after connecting to the internet. All this information is recorded in a log file by the server which enables subsequent processing of the data.

Purpose of using cookies: The Provider uses cookie files and similar technologies for several purposes which include:

  • Login and verification. As soon as the Client uses My Personal Account to log in, an encrypted cookie file allowing him or her to switch between website pages without having to log in repeatedly is stored in his or her device. The Client may also save his or her login details so that he or she does not have to log in each time when he or she returns to the website Cognitio-scan.com.
  • Security. The Provider uses cookie files to detect fraud and abuse of the website Cognitio-scan.com and the Application.
  • Analysis. The Provider uses cookie files and other identifiers to collect data on the use and performance of the website Cognitio-scan.com.

Third-party cookie files may be also placed at the website Cognitio-scan.com. This may be e.g. due to the fact that the Provider authorized a third party to carry out an analysis of the website. The Provider uses the following providers of services:

  • Google Analytics Service – Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Google Adwords Services – Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • sKlik by Seznam – Seznam CZ, a.s., Prague 5 - Smíchov, Radlická 3294/10, post code 1500
  • Facebook remarketing by Facebook - Facebook, Inc., 1601 Willow Road, Menlo Park, CA 94025.

Cookie setting: Most web browsers accept cookie files automatically. Nevertheless, they provide controls which allow the blocking or removal of cookie files. Hence the users of the website Cognitio-scan.com are entitled to set their browser so that the use of cookies in their computers is prevented. Instructions for the blocking or removal of cookie files in browsers can usually be found in the principles of personal data protection or in the help documents of individual browsers.

IX. FINAL PROVISIONS

By entering into the Contract, the Client confirms that he or she is familiar with these Personal Data Protection Rules.

The Provider will update these Personal Data Protection Rules where necessary. The latest version of Personal Data Protection Rules will be always available at the website Cognitio-scan.com. Where there is a substantial change to these Personal Data Protection Rules regarding the ways of personal data handling, the Provider will inform the Client by publishing a visible notice or by sending a notice to the Client's e-mail address before the change is implemented. The Provider recommends regular checking of Personal Data Protection Rules when using the Application or the website Cognitio-scan.com.