Personal data processing policy

1. Introduction

Railsformers s.r.o. is the owner of all rights and permissions to:

• Railsformers s.r.o. website available at https://railsformers.com/,
• the on-line system "Súčto" available at https://www.sucto.cz/ for on-line invoicing and bookkeeping,
• the website for the 'Win an Auction' system available at https://www.vyhrat-aukci.cz/,
• the automated 'Win an Auction System' for bidding in electronic auctions. It is used for easy bidding for a specific auction just before the end of the auction, available at https://system.vyhrat-aukci.cz/,
• the 'sRecipes' website available at https://srecepty.cz/, https://srecetas.es/, https://www.srecipes.eu/ and https://srecepty.pl/,
• the project management system 'Redmine' available at https://redmine.rails.cz/,
• the 'Mineralfit' website available at https://mineralfit.cz/,
• the 'Breeder' website available at https://chovatelka.cz/,
• the 'Samurai' website available at https://samuraj.cz/,
• the "Reservatic" website available at https://reservatic.com/ and a mobile application distributed on the Apple App store and Google Play called "Reservatic"

("Systems").

Railsformers s.r.o. processes the personal data of all users of the Systems who are natural persons ("data subjects"), regardless of whether or not such users use the Systems for their business ("data subjects"). Thus, all personal data is processed by Railsformers s.r.o. primarily for the purpose of providing the services of the Systems and purposes related thereto.

Railsformers s.r.o. ensures that the processing of personal data is lawful, fair, transparent, accurate, confidential and that personal data is processed only to the extent necessary.

Railsformers s.r.o. also makes sure that personal data is properly secured and that all the rules set out in the General Data Protection Regulation (hereinafter referred to as "GDPR") as well as other legal regulations in the field of personal data handling and protection are observed when processing personal data, and at the same time that all the rules from the perspective of cybersecurity are observed, both the general regulations and recommendations and the specific requirements of the users of the Systems arising from their obligations.

Further information on the scope and manner of processing of personal data is provided in other articles of this Policy.

2. Scope of processed personal data

Railsformers s.r.o. processes, in particular, identification and contact data of data subjects (name, surname, title, name, identification number, tax identification number, residence, registered office, telephone, e-mail) and other personal data that data subjects enter into the Systems. The scope of the data processed is always determined by the data controller.

In addition, Railsformers s.r.o. may in some cases also process personal data of a technical nature, such as cookies, IP address or other online identifiers, GPS location, etc. Further information regarding cookies can be found in this document below in the section on information about cookies.

3. Position of controller vs. processor of personal data

In order to inform personal data subjects in a transparent manner, it is necessary to distinguish the specific situation of Railsformers s.r.o. in relation to personal data subjects. Namely, whether it is the position of a data controller or a data processor (or another data processor in the case of so-called chaining).

3.1 Identification and contact details

Identification data of Railsformers s.r.o., ID No.: 24704440, with registered office at Vřesinská 2371/33, 708 00 Ostrava Poruba, Czech Republic, a company registered in the Commercial Register maintained by the Regional Court in Ostrava, Section C, Insert 36254..

Representatives of Railsformers s.r.o. can be contacted in particular as follows:

• Electronically (by e-maile)info@railsformers.com - general information
  gdpr@railsformers.com - Data Protection Officer, “DPO”
  
• In writing (corespondence address)Railsformers s.r.o., Vřesinská 2371/33, 708 00 Ostrava Poruba, Czech Republic
  

3.2 Data Protection Officer

On 1 May 2018, Railsformers s.r.o. appointed its Data Protection Officer (DPO), hereinafter referred to as "DPO". As of 1 August 2022, he is:

Name and surname of the Data Protection Officer Ing. Soňa Macíčková

Contact details of the Data Protection Officer e-mail: gdpr@railsformers.com

3.3 Controller or processor of personal data

Railsformers s.r.o. may be in the following positions in terms of personal data protection, always in relation to the purpose and legal basis for processing personal data.

A detailed distinction of this position is given in the following chapters, the basic division of the position is therefore:

• Personal Data Controller - in the case of normal browsing of the System from the end user's perspective, displaying information pages, creating and managing a user account (without reservations).
• Personal data processor - in the case of processing personal data on the basis of the controller's instructions - mainly based on the license agreement between Railsformers s.r.o. and the client of Railsformers s.r.o. This mainly concerns the actual process of offering free dates to a specific service provider (i.e. the client of Railsformers s.r.o.) and the subsequent processes of creating and managing reservations.
• Another personal data processor - or also sub-processor, is a specific position where Railsformers s.r.o. has a license agreement with a processor who has its own license agreement with the controller. Railsformers s.r.o. therefore provides the system as a subcontractor.

4. Purpose and legal basis for processing

4.1 Providing system services

Railsformers s.r.o. processes personal data mainly for the purpose of providing the Systems services.

Railsformers s.r.o. provides the Systems on the basis of a license agreement. Thus, the processing of personal data for the purpose of providing the Services of the Systems is processing of personal data for the purpose of entering into a license agreement and the performance of the rights and obligations arising from the license agreement. This processing is a necessary condition for the provision of the Systems services, where the specific specification of the purpose of the processing is determined by the controller (the system subscriber). Without such processing, Railsformers s.r.o. would not be able to provide the Systems services to the users. In this case, Railsformers s.r.o. is in the position of a processor (or further processor - depending on the parameters of the specific license agreement).

The processing of personal data for the aforementioned purpose may be carried out by Railsformers s.r.o. without any consent of the data subjects. The legal basis for this processing is the processing necessary for the performance of a contract to which the data subject is a party, or for the adoption of measures taken before the conclusion of the contract at the request of the data subject (see Article 6(1)(b) GDPR).

4.2 Creating and maintaining a user account

A user account is a prerequisite for using the services of the Account System, Win Auction System, Redmine and Reservatic. Railsformers s.r.o. therefore assumes that every data subject who creates a user account is interested in using the services of the Systems at least temporarily. Even when using the services of the Systems free of charge or on a trial basis, a licence agreement is concluded.

General Terms and Conditions for the Systems:

• https://www.sucto.cz/ are available at https://www.sucto.cz/vseobecne-obchodni-podminky,
• https://www.vyhrat-aukci.cz/ and https://system.vyhrat-aukci.cz/ are available at https://www.vyhrat-aukci.cz/files/4/OP.pdf,
• https://srecepty.cz/ are available at https://srecepty.cz/stranky/provozni-podminky,
• https://srecetas.es/ are available at https://srecetas.es/paginas/condiciones-de-uso,
• https://www.srecipes.eu/ are available at https://www.srecipes.eu/pages/operating-conditions,
• https://srecepty.pl/ are available at https://srecepty.pl/strony/warunki,
• https://redmine.rails.cz/ are available at https://docs.google.com/document/d/1PGcCXrB7Y8H-oN4TRx5_mDW232R6bROJl0UQBHZqWRs/edit
• https://reservatic.com  are available at https://reservatic.com/en/pages/declaration-of-accessibility

In view of the above, Railsformers s.r.o. will also process personal data for the purpose of setting up and maintaining a user account.

The legal basis for this processing is the processing necessary for the performance of a contract to which the data subject is a party, or for the adoption of measures taken before the conclusion of the contract at the request of the data subject (see Article 6(1)(b) GDPR).

4.3 Performance of legal obligations of Railsformers s.r.o.

Railsformers s.r.o. also processes personal data for the purpose of fulfilling its legal obligations.

This includes legal obligations arising for Railsformers s.r.o. in particular from accounting and tax laws (e.g. VAT Act). In addition, Railsformers s.r.o. is obliged to be able to demonstrate that it processes personal data in accordance with generally binding legislation, in particular the GDPR. This purpose of processing personal data also falls under the legal obligations of Railsformers s.r.o.

The processing of personal data for the aforementioned purposes may also be carried out by Railsformers s.r.o. without any consent from the data subject. The legal basis for this processing is the fulfilment of a legal obligation to which Railsformers s.r.o. is subject as a data controller (see Article 6(1)(c) GDPR).

4.4 Legitimate interests of Railsformers s.r.o.

Railsformers s.r.o. is also entitled to process personal data for the following purposes:

• customer records;
• analysis of the use of the Systems by its users;
• establishing, exercising or defending legal claims (in particular, legal claims arising from a concluded licence agreement).

The processing of personal data for any of the above purposes may also be carried out by Railsformers s.r.o. without any consent of the data subjects. The legal basis for this processing is the legitimate interest of Railsformers s.r.o. (see Article 6(1)(f) GDPR).

This processing is not possible unless the interests or fundamental rights and freedoms of the data subjects override the interests of Railsformers s.r.o., which require the protection of personal data.

The data subject may object to processing of personal data based on a legitimate interest of Railsformers s.r.o. at any time (see Article 21 of the GDPR).

4.5 Consent of the data subjects

Based on the consent to the processing of personal data, Railsformers s.r.o. is entitled to process personal data for any purpose specified in the respective consent. The legal basis for this processing is the data subjects' consent to the processing of personal data (see Article 6(1)(a) GDPR).

Consent to the processing of personal data is entirely voluntary. Any failure to give consent will have no adverse consequences for the data subject.

Each data subject has the right to withdraw consent to the processing of personal data at any time, in particular:

• by electronic notification sent to the e-mail address gdpr@railsformers.com
• by written notification sent to the address of the registered office of Railsformers s.r.o.

Withdrawal of consent does not affect the lawfulness of the processing of personal data in the period before the withdrawal of consent, on the basis of which the processing of personal data was carried out.

5. Direct marketing

5.1 General

Processing of personal data for direct marketing purposes means processing of personal data for the purpose of sending commercial communications within the meaning of Act No. 480/2004 Coll., on certain information society services, as amended (hereinafter referred to as "Act No. 480/2004 Coll.").

Commercial communication means any form of communication, including advertising and encouragement to visit the website of the online shop, intended to directly or indirectly promote the goods or services or the image of Railsformers s.r.o. (hereinafter referred to as "Communication").

The ability to send commercial communications may be governed (limited) by a specific license agreement between Railsformers s.r.o. and the service provider using the System under that license agreement.

5.2 Method of sending communications

The processing of personal data for the purpose of sending the Communication may be carried out by Railsformers s.r.o. on the basis of the existence of a legitimate interest (see recital 47 of the GDPR). Also, the actual sending of the Communication may be carried out by Railsformers s.r.o. without consent (in accordance with Section 7(3) of Act No. 480/2004 Coll.), unless the data subject has initially refused it (e.g. by ticking the box "I do not wish to receive any emails from Railsformers").

5.3 Termination of processing

Railsformers s.r.o. shall terminate the processing of personal data for direct marketing purposes without delay after the data subject has expressed his or her opposition to such processing. The objection may be made, for example, in one of the following ways:

• by unsubscribing from the Communication (which can be done in each Communication or by ticking the "I do not want to receive any emails from Railsformers" box);
• by objecting to such processing (subject to Article 21 of the GDPR).

Notwithstanding the foregoing, the Operator shall cease processing personal data for direct marketing purposes no later than 2 years after the last active use of the System or logging into a user account (whichever is later). With each active use of the System or login to the user account, the processing period is extended for another 2 years.

6. Categories of recipients of personal data

The recipient of personal data is anyone to whom Railsformers s.r.o. provides personal data in connection with the above-mentioned purposes of processing personal data.

Railsformers s.r.o. may provide personal data to recipients whose services are used primarily in the operation and maintenance of the System. These include, in particular, entities providing accounting, printing and mailing services, legal services, IT services, cloud services, messaging services or operators of payment gateways and systems, etc.

These recipients will process personal data either as independent controllers (i.e. as entities that determine the purposes and means of processing personal data themselves, independently of Railsformers s.r.o.) or as processors (i.e. as entities that process personal data for Railsformers s.r.o. on its instructions).

In addition, Railsformers s.r.o. will provide personal data to public authorities if it is or will be obliged to do so by generally binding legislation. However, public authorities in the exercise of their investigative powers are not considered recipients.

6.1 Other processors of personal data and third parties to whom personal data are transferred

Among the specific other data processors and third parties to whom personal data is transferred, whose services are provided by Railsformers s.r.o. within the systems (or which are used directly by the subject when using the product of the systems), are in particular the following recipients of personal data:

• Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA providing the reCaptcha Enterprise security feature.
• Seznam.cz, a.s., Radlická 3294/10, 150 00 Praha 5, ID No.: 26168685, VAT No.: CZ26168685 for the marketing channel Sklik
• The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA providing the Mailchimp e-mailing service.
• Meta Platforms, Inc., One Hacker Way Menlo Park, CA 94025, USA for advertising purposes on Meta's social media channels
• GOPAY s.r.o., Planá 67, 370 01 Planá, Czech Republic, providing a payment module for ordering Reservatic services as well as processing direct payments by entities to individual service providers who offer paid services through the Reservatic system.
• Openstreetmap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom providing map data for displaying the addresses of Railsformers s.r.o. and addresses of individual service providers.
• ATS Praha s.r.o., Kubánské nám. 11, Praha 10, Czech Republic, providing sms services for ordering services in the Reservatic system.

7. Period of processing of personal data

Railsformers s.r.o. will process personal data only for the period necessary for the purpose of processing, but generally for a maximum of 2 years. The termination of one of the legal bases for processing personal data does not affect the processing of personal data (to the extent necessary) on the basis of another legal basis (and for the relevant purpose).

The duration of the processing of personal data may be governed by a specific licence agreement between Railsformers s.r.o. and the service provider using the System under that licence agreement.

7.1 Provision of system services

Railsformers s.r.o. will process personal data for the purpose of providing the Services of the Systems (performance of the License Agreement) for at least the duration of the obligation under the License Agreement.

7.1.1 Creating and maintaining a user account

The User Account may be cancelled at any time at the same time as the termination of the use of the System services, based on a request for cancellation of the User Account sent to any of the contact addresses listed in Article 3 above (in particular, the e-mail addresses gdpr@railsformers.com and info@railsformers.com). In the event of termination of the use of the services in any of the System, Railsformers s.r.o. shall terminate the processing of the personal data entered in the user account no later than 2 years from the termination of the obligation under the license agreement (termination of the use of the System) or from the last login to the user account, if the data subject no longer uses the System.

If the data subject has never started to use the System services (e.g. has only set up a user account), Railsformers s.r.o. shall cancel the user account and cease processing the personal data entered into the user account immediately upon receipt and confirmation of an e-mail request sent to one of the contact addresses listed in Article 3 above, or at the latest within 2 years from the last login to the user account.

7.2 Performance of legal obligations of Railsformers s.r.o.

For the purpose of fulfilling legal obligations, Railsformers s.r.o. will process personal data for the duration of the relevant legal obligation set by generally binding legal regulations (e.g. tax documents containing personal data must be kept by Railsformers s.r.o. for 2 years).

7.3 Legitimate interests of Railsformers s.r.o.

For the purpose of direct marketing (sending of the Communication), Railsformers s.r.o. will process personal data until the time of expressing opposition to such processing, but no longer than for a period of 2 years from the last termination of the obligations under the license agreement (termination of use of the System) or logging into the customer account, if the data subject does not use the System.

For the purpose of customer registration, Railsformers s.r.o. will process personal data for a period of 2 years from the termination of the obligations under the license agreement (termination of use of the System) or login to the customer account, unless the data subject does not use the System.

For the purpose of analysing the use of the System by its users, Railsformers s.r.o. will process personal data for a period of 2 years from the last login of the user.

For the purpose of establishing, exercising or defending legal claims, Railsformers s.r.o. will process personal data for as long as the relevant legal claim exists, but for a maximum of 1 year after the expiry of the limitation period under generally binding legal regulations. In the event of the initiation and continuation of judicial, administrative or any other proceedings in which the rights or obligations arising from the relevant legal claim are addressed, the period of processing of personal data for this purpose shall not expire before the final conclusion of such proceedings.

7.4 Consent of data subjects

For the purpose stated in the respective consent to the processing of personal data (if the data subject has given such consent to Railsformers s.r.o.), Railsformers s.r.o. will process the personal data until the consent is withdrawn, otherwise for a maximum of 2 years from the moment of giving consent to the processing of personal data.

8. Rights of data subjects

Each data subject has, inter alia, the following rights:

• the right of access to personal data (under the terms of Article 15 GDPR)
• the right to rectification of personal data (under the terms of Article 16 GDPR)
• the right to erasure of personal data (under the terms of Article 17 GDPR)
• the right to restrict the processing of personal data (under the terms of Article 18 GDPR)
• the right to object to processing (under the terms of Art. 21 GDPR)
• the right to the portability of personal data (under the terms of Article 20 GDPR)
• the right to lodge a complaint with a supervisory authority (i.e. the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, e-mail posta@uoou.gov.cz)
• the right to withdraw consent to the processing of personal data

9. Information about cookies

We, the company Railsformers s.r.o., ID No.: 24704440, with its registered office at Vřesinská 2371/33, 708 00 Ostrava Poruba, Czech Republic, registered in the Commercial Register kept by the Regional Court in Ostrava, Section C, Insert 36254, as the controller, processor or other processor (depending on the specific situation) of personal data, would like to inform you that for the purpose of:

• measuring website traffic
• creating statistics regarding the traffic on our website and the behaviour of visitors on our website
• the correct functionality of our website
• adapting our website to your needs
• identifying which pages and features visitors to our website use most frequently
• improving the use of our servers

we use small amounts of data that are stored on your end device ("cookies"). You can find out more about cookies, for example, by visiting the following sources of information:

• https://commission.europa.eu/resources-partners/europa-web-guide_en
• https://cs.wikipedia.org/wiki/HTTP_cookie
• https://www.uoou.cz/cookies-a-gdpr

Cookies are used by almost every website in the world, and are generally a useful service because they increase the user-friendliness of a website you visit repeatedly (they allow your computer to remember the pages you have visited and your preferred settings for each page).

9.1 Advertising cookies

Cookies are used to improve your user experience on the website by allowing the website to identify your browser, either for the duration of your visit (using session cookies) or for repeat visits (using persistent cookies). This is useful, for example, when displaying your shopping cart, browsing history, hiding commercial messages, logging in, etc.

Our website also uses cookies for behaviourally targeted advertising, which allows us to tailor advertising and ensure it is relevant to you, based on the areas you view on our website and the geographic location of your IP address. These cookies are placed by third party advertising networks with our consent.

We use the following cookies on our website:

• Technical - first parties, short term. They ensure the basic technical functionality of the website, i.e. logging in, remembering settings, using services, etc.
• Statistical and diagnostic (e.g. Google Analytics companies ) - first pages, long-term. They are used to generate anonymous statistics about the use of the website. We use them to help us better tailor the site to you. We only use analytical functions in Google Analytics that do not collect the data needed to profile site users (age, gender, interests, IP address, etc.).
• First and third party advertising. These are cookies from the advertising systems of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4 - Ireland, Seznam.cz a.s., Radlická 3294/10, Praha 5 - Smíchov 150 00 and Meta Platforms Ireland Limited, Inc. 1601 Willow Rd, Menlo Park, CA 94025 (third party, long-term). These cookies are used for marketing profiling. They enable us to stay in touch with you, for example, through personalised advertising on social media. They are used for targeted advertising, whether it is recurring (remarketing, retargeting) or behavioral. That is to say, if advertising must be displayed (as the main income for the website and its content creation), then let the user/reader be shown offers that may actually interest him/her.

9.2 Generally cookies

The use of cookies can be set using your browser. Most internet browsers automatically accept cookies by default. However, you can refuse cookies by setting your internet browser. You can find more information on how to set this on the following pages:

• Google Chrome (https://support.google.com/accounts/answer/61416?hl=cs)
• Mozilla Firefox (https://support.mozilla.org/cs/kb/povoleni-zakazani-cookies)
• Internet Explorer (https://support.microsoft.com/cs-cz/help/17442/windows-internet-explorer-delete-manage-cookies)
• Safari (https://www.apple.com/legal/privacy/)

At the same time, in accordance with the legislation in force, we allow you to approve the use of all cookies, or to select them (with the exception of necessary technical cookies) according to your preferences directly in the system.

However, technical cookies that are necessary for the functionality of our website will only be stored for the time necessary for the functioning of the website.

You can object to the processing of cookies under the terms of Article 21 GDPR. An objection can be sent to Railsformers s.r.o. or its Data Protection Officer via one of the contact addresses listed in Article 3 of this Policy. If you object to the processing of technical cookies, the full functionality and compatibility of our website cannot be guaranteed in this case.

The cookies that are collected for the purpose of measuring the traffic to our website and generating statistics concerning the website's traffic and the behaviour of visitors to the website are processed in a nearly anonymised form that, although it allows your identification, only with considerable and professional effort.

All cookies are stored for the period of time indicated below for each type of cookie.

The collected cookies may be processed by other processors:

• Security feature provider reCaptcha Enterprise, operated by the company Google LLC, sídlem 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  https://policies.google.com/technologies/cookies
  https://policies.google.com/privacy

In the context of the optional simplified registration or login to user systems, these processors may also (using the Single Sign-On system of the listed processors) create and handle additional cookies in accordance with their contractual terms available here:

• SSO - Google LLC, with registered office 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA https://policies.google.com/technologies/cookies
  https://policies.google.com/privacy/update
• SSO Facebook, Inc., with registered office 1 Hacker Way Menlo Park, CA 94025, USA https://www.facebook.com/policy.php
  https://www.facebook.com/policies/cookies/
• SSO Apple, Inc., with registered office 1 Apple Park Way Cupertino, CA 95014, USAhttps://www.apple.com/legal/privacy/cz/cookies/
  https://www.apple.com/legal/privacy/cz/
• SSO MojeID - CZ.NIC, z. s. p. o., with registered office Milešovská 1136/5, 130 00 Prague 3, Czech Republic
  https://www.mojeid.cz/cs/zasady/
  https://www.mojeid.cz/cs/pravidla/

In accordance with the GDPR, you have the following rights in terms of cookies - see Article 8 of this Privacy Policy - Data Subject Rights.

For other cookie arrangements, we follow our Privacy Policy set out in the previous sections of this document.

9.3 List of cookies for each system

The list of cookies that may (but may not, depending on the functions of the System used by the personal data subject) be processed in the Systems are listed in the following subsections for each System.

You can change your settings for storing cookies at any time in the cookie settings in the footer or on the Systems' websites.

10. Cooperation with the professional public

Railsformers s.r.o. also consults representatives of the professional public on aspects of personal data protection. Subsequently, Railsformers s.r.o. implements processes and procedures to improve organisational and technical measures to ensure adequate protection of personal data. The representatives of the professional public are highly professional data protection bodies:

• The Data Protection Society https://www.ochranaudaju.cz/
• Iuridicum Remedium, z.s. https://www.iure.org/

You can read more about the cooperation, for example, here:

https://digitalnisvobody.cz/blog/2021/10/18/registrace-k-ockovani-nove-bez-googlu/

11. Further information on the processing of personal data

In case of questions regarding the processing of personal data or in case of exercising the rights of the data subject referred to in Article 8 of this Policy, Railsformers s.r.o. or its Data Protection Officer may be contacted via one of the contact addresses listed in Article 3 of this Policy.

General information on the processing of personal data can also be found on the website of the Data Protection Authority available at https://uoou.gov.cz/.

This Policy shall take effect on 31 March 2022.