Privacy Policy
- 1. Introduction
- 2. Supervision
- 3. Our Approach
- 4. Contact for your questions or other inquiry
- 5. Personal data and their categorisation
- 6. Legal basis for processing your personal data
- 7. Methods of personal data processing
- 8. Reasons for personal data processing
- 9. Personal Data Protection
- 10. Your Rights
- 11. Who is the controller and the processor and what they do
- 12. Rules for sharing your personal data with third parties
- 13. When you are a data subject
- 14. Glossary
- 15. Categories of personal data
1. Introduction
This privacy policy statement of LazyCompany s.r.o., with its registered office at Javorová 413, 250 73 Radonice, Czech Republic, corporate ID: 098 79 773, recorded in the Commercial Register held by the Municipal Court in Prague under section C file no. C 343965, was prepared to inform about how we collect, process, use and protect your personal data and consequently help protect your privacy.
We handle all your personal data in line with the applicable legislation, primarily Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – “GDPR”), Act No. 127/2005 Coll., on Electronic Communications, as amended, and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.
Concurrently, we would like to use this Personal Data Protection Statement to clarify the most important terms and processes that we use for the protection of your personal data and answer the questions that you may have in connection with the collection, processing and storing of your personal data.
2. Supervision
We make every effort to adhere to all stipulated and binding rules and safety measures when handling your personal data; for this reason, we believe that no situations will occur that could possibly make you unhappy about our behaviour towards you.
If you do not agree with the manner used by us to process your personal data, you can contact:
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, +420 234 665 111, www.uoou.cz
3. Our Approach
We see personal data protection as essential and we pay considerable attention to it.
You can thus be assured that we handle your personal data with due care and in line with applicable legal regulations and we protect your personal data in the maximum possible scope corresponding to the state-of-the-art technical level.
To fully understand how we protect your personal data, we recommend that you carefully read this Personal Data Protection Statement.
In processing your personal data, we adhere to the following principles:
Principle of lawfulness which requires us to process your personal data always in line with legal regulations and pursuant to no fewer than one legal basis.
Principle of fairness and transparency that requires us to process your personal data in an open and transparent manner and provide you with information on the manner of their processing and information to whom your personal data will be disclosed (for example if your personal data are stored on data storage sites – clouds – outside of the European Union and the European Economic Area). This additionally involves our obligation to inform you of cases of serious security breaches or personal data leaks.
Principle of purpose limitation which allows us to collect your personal data only with a clearly defined purpose.
Principle of data minimisation which requires us to process only personal data that are necessary, relevant and adequate in relation to the purpose of their use.
Principle of accuracy which requires us to adopt all reasonable measures allowing us to regularly update or rectify your personal data.
Principle of storage limitation which requires us to store your personal data only for the period that is necessary for the specific purpose for which they are processed (for example over the period for which a marketing consent was granted, if it was not withdrawn before the expiration of this period). As soon as the period for processing expires or the purpose of processing ceases to exist, we erase your personal data or anonymise them, i.e. modify them so that they are not connectable to you.
Principle of integrity and confidentiality, incontestability and availability which requires us to secure your personal data and protect them against unauthorised or illegal processing, loss or destruction. For these reasons, we adopt numerous technical and organisational measures for the protection of your personal data. Concurrently, we ensure that access to your personal data is granted only to selected employees.
Principle of responsibility (accountability) which requires us to be able to document compliance with all the conditions referred to above.
4. Contact for your questions or other inquiry
Should any part of this Statement be unclear, or should you have any questions or comments regarding the protection of your personal data, do not hesitate to contact us at: info@lazyphish.com.
5. Personal data and their categorisation
Personal data are the information that allows us to identify you. Therefore, it includes information that is specifically attributable to you.
Personal data do not include anonymous or aggregated data, i.e. data that cannot be clearly attributed to you.
Personal data are classified into:
Basic data which include, for example, your name, surname, date of birth, number of identity card (another identity document).
Special category of personal data that includes sensitive data which are data of a highly personal nature including, for example, information on your health.
Basic data are further divided into individual categories, the list of which is available in chapter "15. Categories of personal data".
6. Legal basis for processing your personal data
We obtain your personal data from you and further handle them only in the necessary scope and to achieve a certain purpose. The transfer of your personal data is voluntary for you and when their transfer is based on a consent, erasure of processed personal data may be requested when certain conditions are met (for details refer to chapter "10. Your Rights").
In certain cases, such as conclusion of a purchase contract for the acquisition of our goods or service, we need to obtain the necessary scope of personal data from you already with your binding order of these goods or service. Without these data, we are unable to meet your requirements and conclude the above contract with you, primarily in terms of compliance with our legislative obligations, and in respect of the protection of our legitimate interests.
Below, we list the lawful bases stipulated by the legislation based on which we are authorised to process your personal data. The principal bases for the processing of your personal data include the following:
Consent – you give us consent for one or several specific purposes (for example for sending commercial messages). To obtain the consent with the processing of your personal data, we adhere to the following rules: i) we always collect consents with processing your personal data from you individually, giving the consent thus will not be part of the text of a contract or another arrangement, ii) the text of the consent will always be comprehensible, iii) consent will always be given as a result of your active behaviour, it means no boxes will be pre-filled for you, iv) for each processing purpose you will give your consent individually.
Performance of the contract – we need your personal data for the conclusion of the contract and subsequent performance of the contract, or before the conclusion of the contract (e.g. order preceding the conclusion of a purchase contract).
Compliance with the legal obligation – we need your personal data for their processing to comply with our legislative obligation as a controller.
Legitimate interest – processing your personal data would be necessary for the purposes of our legitimate interests, however, except for cases when your interests or your fundamental rights and freedoms prevail over these interests.
Rather marginally, the following basis will be used for processing your personal data:
Protection of interests of data subjects – processing your personal data would be necessary for the protection of your vital interests or vital interests of another person.
Public interest – we are obliged to process your personal data to accomplish our task performed in the public interest or exercise of public authority for which we will be authorised as the controller.
7. Methods of personal data processing
For details on the methods that we use to process your personal data, please refer to: Information About Data Processing - LazyPhish
8. Reasons for personal data processing
As we discussed in chapter “6. Legal basis for processing your personal data”, it is necessary that we have a legal basis for each processing of your personal data.
Below you will find examples of situations in which we will most frequently require your personal data and the legal basis for our requirement:
Registration to application and order of subscription of LazyPhish Services – the legal basis shall be represented by the conclusion and performance of the contract, or performance before the conclusion of the purchase contract.
Marketing purposes – the legal basis shall be represented by giving consent with the receiving of commercial announcements.
Storage of cookies necessary for the operations of websites – the legal basis shall be represented by our legitimate interest as the storage of cookies is necessary for the due operation of websites.
9. Personal Data Protection
We give due care to your personal data protection; for this reason, we adhere to the below listed technical and organisational measures ensuring the security of your personal data. These measures include:
Physical access control – we store all data in a manner to protect access to them, it means that places where data are stored are secured by technical means such as smart cards, keys, electronically lockable door etc.
Controlled access – access to personal data storing systems is not granted to anyone without the relevant password or two-factor verification, data are thus accessible only to authorised persons.
Access control – we have adopted measures that prevent unauthorised reading, copying, modification, removal from the system or other dealing with them.
Creation of pseudonyms – we process personal data by modifying them into a form in which they are not attributable to a specific person (they are pseudonymised).
Control of the transfer – all dealing with personal data in their electronic transfer is protected to prevent unauthorised reading, copying, modification or erasure.
10. Your Rights
No personal data protection would be complete if you did not have rights to data protection. Please find below the list of your rights relating to personal data protection along with the practical explanation of their use:
Right for the provision of information on personal data processing
Entitles you to obtain information relating to our full identification as the controller of your personal data, together with contact data to our personal data officer. Concurrently, you are entitled to know the legal basis for processing (e.g. performance of the contract), purpose (e.g. contracts for the purchase of our goods) or information on the period of personal data storage. We will always inform you on the legal basis and purpose of the personal data processing before we start to process them.
Right to access personal data
Entitles you to obtain the information whether we process your personal data and if we do so, in what scope. Concurrently, you have the right to request a copy of the processed personal data. Upon your request, we are also obliged to inform you on the purpose of data processing, recipient of processed personal data, or other related information.
Right to rectification
Will allow you, for example, to ask us to change any of your personal data that we process if it has changed (e.g. change in the surname, change in the address, etc.).
We, as the personal data controller, are not obliged to actively ascertain whether the personal data that we collect are up to date, incorrect or inaccurate, however when you notify us about such fact, it is our obligation to deal with your comment or request for rectification. Under similar terms, you have the right to ask us to amend your personal data.
Right to erasure
Also called the “right to be forgotten” requires us, as the personal data controller, to liquidate your personal data, in the following cases:
The purpose of processing no longer exists (e.g. termination of the contract);
You withdraw your consent with personal data processing and there is no other reason for processing your personal data (e.g. withdrawal of the marketing consent provided that you have not concluded, for example, a contract with us);
You object to personal data processing (provided it is allowable and there are no legal grounds for processing your personal data); and
In accordance with the applicable legislation, we are required to erase your data (e.g. obligation to shred).
Right to object
Is analogous to the right for withdrawal of the consent and will apply when personal data are processed pursuant to a legitimate interest (e.g. for the purpose of protecting your property). You may also object when your personal data are processed for the purpose of direct marketing. In justified cases, your personal data will be erased when the objection is acknowledged and we will no longer process them.
Right for data portability
If you ask us to transfer your personal data to another controller, we are obliged to do so and transfer them in a structured, commonly used and machine-readable format. You may exercise this right only when the processing is based on the consent or contract and concurrently it is automated, i.e. processing solely made using technical means based on a pre-determined algorithm and without any human intervention.
Right not to be subject to a decision based solely on automated processing in automated decision-making
Means that you have the right to ask for the processing of your personal data by a person when the processing of your personal data is supposed to serve as a basis for a certain decision, typically for example in the assessment of your creditworthiness before the provision of a loan.
11. Who is the controller and the processor and what they do
Controller - In cases when you provide us with your personal data, for example when ordering our services, when you communicate with us in our marketing campaigns or ask us questions, or you make a complaint regarding the services, we deal with you from the position of your personal data controller.
As the personal data controller, we determine the purpose and means of your personal data processing.
Processing involves any operation with your personal data, for example their collection, processing, organisation, structuring, etc.
As the controller of your personal data, we are concurrently responsible for compliance with all obligations and principles relating to personal data protection, primarily their sufficient protection. If the security of your personal data is breached, which we naturally seek to prevent, we are obliged to communicate this fact to the Office for the Protection of Personal Data within 72 hours.
If the breach of your personal data security involves a significant risk, we are also obliged to communicate this fact to you provided we have your up-to-date contact information available.
The Processor is an entity to which we, as the controller, transfer your personal data and which further handles them in line with instructions provided by us. These, for example, include our business partners, typically external marketing agencies that send you commercial and marketing messages on our behalf.
To ensure that your personal data are handled in line with the applicable legislation and are sufficiently secured, we concluded a written contract for personal data processing with the processor.
12. Rules for sharing your personal data with third parties
The rules used for sharing your personal data with their processors are divided into two basic categories.
The first category includes sharing personal data in the European Union and European Economic Area, the second category includes sharing with third countries outside the territory of the European Union and European Economic Area and sharing with international organisations.
To be able to share your personal data with the processor in the European Union and European Economic Area, we take care to ensure that this involves:
Sharing personal data for a specific purpose (e.g. preparation of a marketing campaign);
Transfer of only a clearly defined and necessary scope of personal data;
Transfer based on a duly concluded contract for personal data processing; and
Sharing made in a secured manner (encrypting, pseudonymisation, etc.).
When your personal data are shared with third countries outside the European Union and European Economic Area and with international organisations, they are shared solely based on standard contractual clauses, i.e. a template contract issued by the European Commission, and these will exclusively include entities based in countries that ensure adequate personal data protection according to the resolution of the European Commission.
13. When you are a data subject
You are a data subject solely as the natural person; legal regulation regarding personal data protection does not apply to legal persons, cooperatives, associations, etc.
Pursuant to these legal bases, we may include you in two basic groups. We see the first group as our customers. You become our customer when your personal data are processed for the conclusion and performance of contracts for the purchase and use of LazyPhish services.
The second group of personal data subjects we process is the group of third parties. You will be a third party for example when you give us marketing consent or use our website without wanting to be our customer. If you want to know when and under what conditions you may know the scope of your personal data we process, please read chapter "10. Your Rights", in which individual procedures and their conditions are explained.
14. Glossary
Sensitive data
Data of a special nature, such as the information on your health or biometrical data allowing the identification of a person (currently called by the legislation “special categories of personal data”).
Cookies
Short text file that a visited website sends to the browser. It allows the web to record information on your visit, for example the preferred language and other settings. The next visit of the website thus may be easier and more productive. Cookie files are important. Without them, web browsing would be much more complicated.
Legitimate interest
Interest of the controller or a third party for example in a situation when the data subject is a customer of the controller, however with the exception of cases when interests of the subject or his/her fundamental rights and freedoms prevail over these interests.
Personal data
Information on a specific, identifiable person.
Recipient
Person to whom data are delivered.
Service
Any of the services that we offer to you, including our products, services offered online and their promotion.
Controller
Entity which determines the purpose and means of the processing of personal data; the controller may authorise a processor to do the processing.
Data subject
Living person to whom personal data relate.
Purpose
Reason for which the controller uses your personal data.
Processing
Activity that the controller or the processor performs with personal data.
Processor
Entity processing personal data for the controller.
15. Categories of personal data
Below you will find individual categories of personal data and a breakdown of specific data included in them.
Identification data: Name, surname, pre-nominal letters/post-nominal letters, gender, language, permanent residence, date and place of birth, citizenship/nationality, person identifier (allocated by the company), type of the document, number of identity card, corporate ID, tax ID, log-in in the application, signature.
Contact information: Correspondence address, work place address, telephone number, fax number, email address, data box, contact information in social media.
Psychological characteristics: Any information on the character/personality/state of mind/mood.
Risk profiles: Cyber risk, other safety or security risk.
Evaluation and relating communication: Responses in surveys, complaints/suggestions/proposals/requests/questions and dealing with them, servicing requirements.
Trading history: Transactions and contracts including relating information, offers/demands of business opportunities, subject matter, date, place of the transaction, reminders.
Communication, interactions and profiles derived from these data: Chat (instant messaging), conversations, email communication, behaviour or browsing/clicking/search and listening/browsing relating to internet/emails/media/applications, information obtained through feedback/surveys/comments/suggestions/complaints relating to the controller, approval/disapproval of the type of form of communication.
Network identifiers: MAC address, IP address, Device Fingerprint, cookies or similar browser information technology.