PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
issued by ECOMAIL.CZ, s.r.o., Company ID No.: 027 62 943, with its registered office at Na Zderaze 1275/15, 120 00 Prague 2, represented by Ing. Jakub Stupka, Executive, incorporated in the Companies Register kept by the Municipal Court in Prague, Section C, Insert 223183 (hereinafter referred to as “Ecomail” or “controller”)
for the provision of Ecomail application services, as available on https://www.ecomail.app/.
This document aims to provide you with all information relating to the processing of your personal data. We encourage you to read these Principles Relating to Processing of Personal Data. Should you have any questions about the processing of your personal data, please contact us by email at email@example.com or by mail at the aforementioned address.
We process your personal data on the grounds laid down by law, for the performance of contracts or for the purposes of our legitimate interests. Where none of the aforementioned three grounds for the processing of personal data applies, we will ask you for your consent. We make sure that your personal data are processed in accordance with the following principles:
- reasonable limits, which means that we use your personal data to the extent necessary to meet the purposes for which the personal data have been provided;
- transparency, in other words, we inform you in advance about why, for how long and to whom we transfer your personal data; and
- security, we always use our technology and internal procedures so as to ensure the security of your personal data; it goes without saying that we monitor, evaluate and implement our internal procedures in line with the development of modern technology.
Applicability of these Principles. Unless stated otherwise, these Principles Relating to Processing of Personal Data shall apply to persons who:
- use the Ecomail Application and related services;
- visit the websites run by us;
- register voluntarily to participate in online or offline events.
For ease of reference and for the convenience of the reader, the terms which are often referred to in these Principles are specified below.
|Application||means the software service containing in particular tools for email editing and mass distribution and campaign evaluation, as available on the website https://www.ecomail.app/;|
|GDPR||Regulation (EU) 2016/679 of the European Parliament and of the Council;|
|Newsletter||usually an email message or SMS message sent for the purpose of promoting similar products and services either by the User to the Recipient or by Ecomail to those who have granted their prior consent to this, or to customers;|
|Personal Data||any information on the User on the basis of which the User can be directly or indirectly identified;||Personal Data of the Recipient||any information on the Recipient on the basis of which the Recipient can be directly or indirectly identified; we process this information on behalf of our customer as the processor;|
|Recipient||a natural person to whom the Personal Data of the Recipient relate; most often the Recipients are customers of the User and, at the same time, subscribers of the Newsletter;|
|Contract||any contract for the provision of Ecomail services, whether provided directly via the Application or only in connection with the Application;|
|User||a natural person to whom the Personal Data relate; most often this is a customer or potential customer, or user of our website, or a participant in our online or offline events, also referred to as “you”;|
|Processor||carries out data processing activities on behalf of the controller (Ecomail) on the basis of a contract or other mandate;|
|Processing of Personal Data||means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other making available, alignment or combination, restriction, erasure or destruction;|
|Special Categories of Personal Data||personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation. Genetic and biometric data, if processed for the purpose of uniquely identifying a natural person, are also considered a special category of data.|
Ecomail acts not only as the controller of the Personal Data of its customers, potential customers or users of the website https://www.ecomail.app/ but also as the processor of the Personal Data of the Recipients of Newsletters and other communications sent via the Application.
WHEN ECOMAIL ACTS AS THE CONTROLLER AND WHERE YOU CAN CONTACT US
Ecomail as the controller. The controller of personal data is ECOMAIL.CZ, s.r.o., with its registered office at Na Zderaze 1275/15, Nové Město, 120 00 Prague 2, Company ID No.: 02762943, registered with the Municipal Court in Prague, Section C, Insert 223183, represented by Jakub Stupka, Executive (hereinafter referred to as “we” or “controller”).
Contact details: firstname.lastname@example.org
Please note that these Principles Relating to Processing of Personal Data shall apply to the Processing of Personal Data of our Users, not those of the Recipients.
WHEN ECOMAIL ACTS AS THE PROCESSOR AND WHERE YOU CAN CONTACT US
Ecomail as the processor. Ecomail provides the services under the Contract to its customers who may send Newsletters or other information via the Application and, in this way, stay in touch with the Recipients. If we process Personal Data of Recipients, we do so only as the processor on behalf of our customers in accordance with instructions from our customers. If you are a Recipient of Newsletters from any of our customers, we encourage you to read carefully the customer’s documentation relating to the processing of Personal Data of Recipients. You should learn in those documents how the customer collects and uses the information about you (the Recipients). Where our customer has disclosed to us any Personal Data of the Recipient and you wish to exercise all rights, please ask directly the relevant customer. Our employees have only limited access to Personal Data of the Recipient. Should you still wish to file your request concerning the exercise of rights related to Personal Data of the Recipient directly with Ecomail, please make sure that your request includes the name of our customer. We will forward the request to the customer as soon as possible.
WHAT PERSONAL DATA WE PROCESS
We process the following Personal Data about you:
- name and surname,
- contact details (in particular email, telephone number),
- number of email contacts in your database;
- name of your website or eshop;
- billing information and bank details (details necessary for keeping the books and making payments for the services provided),
- information you disclose to us when communicating with us (these will be in particular your questions and answers to your questions, communication with you),
- operating data indicating mainly error conditions of the Application (time and address of error incident occurrence);
- user account name,
- user account login and behavior in the user account (in particular details entered by the user in the application, time of registration, date of the last profile update),
- IP address,
We do not process any Special Categories of Personal Data.
HOW WE PROCESS YOUR PERSONAL DATA
Duration of the Processing of Personal Data in general. We process your personal data to the extent necessary throughout the term of the Contract. We are obliged to end the Processing of Personal Data at the time indicated; if we conclude that it is necessary to archive or process the Personal Data for a longer period of time, in particular in order to protect our rights and legitimate interests (e.g. the exercise of rights arising from defects of the provided Application services on the basis of a warranty claim made or complaint lodged, or the exercise of any other right etc.). Please note that in some cases, the duration of the Processing of Personal Data may be as much as 15 years after the completion of the Contract in order to protect our interests.
FOR WHAT PURPOSE WE PROCESS YOUR PERSONAL DATA
Registration, setting up a user account. You provide us with Personal Data on a voluntary basis by setting-up a user account for the Application and by subsequent updates of such data. Your user account enables you to use the Application services.
Information on behavior in the Application. We can obtain information about how and when you use the Application, store it in log files or other types of files associated with your account and link it with other information collected about you. Such information may include, for example, your IP address, time, date, browser used and actions you carried out in the Application as well as the content you uploaded to the Application.
Data processing related to the security of the Application. If you visit our website or use the Application, your access to a certain web address may be unauthorized or it may cause error conditions (incidents).
Website. We also process information about when you visit or browse our website. This information may include, for example, IP address, date and time of access to our website, information about your web browser, operating system or your language settings. We can also inspect the history of your behavior on the website or in the Application, e.g. what links you visit on our website and which of the Services offered are displayed to you. However, the information on your behavior on the website is anonymized in order to ensure your maximum privacy.
If you access our website from a mobile phone or similar device, we can also process information about your mobile device (data about your mobile telephone etc.).
Personal data obtained automatically or by contractual partners. We can process Personal Data from publicly available sources and our contractual partners and combine them with the Personal Data which have been provided to us on a voluntary basis. We take measures to ensure that third parties are legally authorized to disclose such information to us. The information will include, for example, demographic data, IP addresses and cookies. The reason is to improve the provision of our services and to promote them.
Personalized advertising. We cooperate with third parties in order to manage and display our advertisements on third-party websites.
Blog. We have a publicly accessible blog on our website. Please note that any information which you enter as a comment on our blog can be seen by anyone. If your Personal Data appears on our blog and you wish to have them erased, please contact us at the email address email@example.com. If we are unable to erase your Personal Data from the blog, we will inform you and notify you of the reason.
Competitions and other promotional events. We can carry out surveys, organize competitions or other promotional events on our website or social networks. Your participation in our promotional events is voluntary. As part of these surveys, competitions and promotional events, we may ask you for your Personal Data, e.g. name and surname, address, date of birth, telephone number, email address, user name and similar details. We will use the Personal Data which you have disclosed to us for the purposes of managing these promotional events or for other purposes if specified in the conditions of the particular promotional event.
Social networks. We have a profile on Facebook, Instagram, Twitter, Youtube and LinkedIN. All information, communications or materials disclosed via social media platforms are disclosed also in accordance with the principles relating to processing of personal data applicable to those platforms.
Subscription for Newsletter. If you subscribe for our newsletter, we will send you interesting information about the operation of the Application. When you no longer wish to receive the emails, click on the unsubscribe button at the foot of our email.
Subscription for Ecomail changelog. Any visitor of our website or User may subscribe for our Ecomail changelog. We will regularly send you an overview of corrections and improvements made in the Application. If you subscribe for Ecomail changelog, we will not send you our newsletters unless you are our customer. When you no longer wish to receive the Ecomail changelog emails, click on the unsubscribe button at the foot of our email.
Newsletter for our customers. If you have entered into a contractual relationship with us, in particular on the basis of a Contract, we are entitled to send you Newsletters on the basis of our legitimate interest in promoting our services and/or related similar services. When you no longer wish to receive the emails, click on the unsubscribe button at the foot of our email. You can also object to the sending of newsletters (for details see the section on your rights).
Various types of newsletters. Sometimes we can send you newsletters according to your preferences expressed in advance (news, changelog, offline events etc.) If you unsubscribe, only one type of newsletter can be unsubscribed. If you wish to receive no emails from us at all, please write to firstname.lastname@example.org and we will erase your personal data from all databases.
Transaction emails. These are messages we send to Users in connection with the use and proper operation of the Application. They do not serve to promote the Application or related services. We can, for example, inform you about temporary or permanent changes to our services, such as planned maintenance, new functions, updates of versions, editions, warning against misuse and amendments to our principles relating to processing of personal data.
Sometimes you may receive such an email from our contractual partner – usually a platform we use for administration of training courses or webinars when we need to deliver to you a notice of the start or course of the event.
Communication with customer support or other queries. If you have contacted us by email, telephone or the contact form on our website or social networks, we process your personal data for the purposes of responding to your query.
Training courses and other events. We organize training courses, seminars, webinars and workshops. We process your Personal Data which you have entered into the order form. We process the data for the purposes of performance of the contract, i.e. your participation at the event. Please note that we can take video footage or photographs at these events. The video footage of the event will be available to event participants but also other persons. We will take photographs at these events for the purposes of further promotion. We make every effort to ensure maximum anonymization; therefore, we will not indicate your name or other details in relation to the photographs and footages unless you grant us your consent (e.g. in the case of references). If you do not wish to be captured in photographs or video footages, please contact us before the event is held at the address email@example.com or directly on site before the event starts.
Card payment. If you give us your credit card details, we do not have access to complete details. We only know that you are making the payment by card and the card details are processed by recipients of those data who process the payment for us.
SUMMARY OF THE GROUNDS FOR AND PURPOSES OF THE PROCESSING OF YOUR PERSONAL DATA
We understand that it may be difficult for you to get through an extensive text about how and why we process your Personal Data and where we obtain them. To give you a quick and transparent overview of the basic details about the processing of your Personal Data, we have prepared a summary table.
Purpose of processing Personal data Legal ground for processing Duration of processing Processors Provision of the Application services name, surname, email, telephone number, billing information, details about the user as disclosed by the user itself Performance of contract For the term of the customer’s contractual relationship with us Sparkpost
Bookkeeping billing information, bank details Compliance with legal obligations and performance of contract invoices for the period of 15 years Abra
Warranty claim or complaint handling name, surname, email, telephone number, details of the contract concluded, necessary details of payments Compliance with legal obligations and performance of contract For the term of the customer’s contractual relationship with us and then for 4 years from the termination of the contractual relationship
Responding to messages sent via the contact form or email name, surname, email, telephone number Consent to processing for the purposes of responding to a query Once your query has been answered, your Personal Data will be erased no later than upon the expiry of 12 months; this shall not apply if you become our customer Intercom Administration of training courses, workshops or other online events name, surname, email, telephone number, user account name,
Performance of contract For the term of the contractual relationship with us and then for 4 years from the termination of the contractual relationship Demio
Administration of training courses, workshops or other offline events name, surname, email, telephone number,
Performance of contract For the term of the contractual relationship with us and then for 4 years from the termination of the contractual relationship
Direct marketing (in particular sending newsletters to our customers) Contact details (name, surname, email)
Datils of one’s behavior in the Application
Legitimate interest in promoting similar services, or consent to receiving newsletters 3 years of the last login to the user account unless you unsubscribe earlier Ecomail Routine analysis of the Application website traffic, security of our website, detection of server errors and prevention of fraud and attacks on the server pseudonymized identifiers of registered users,
Legitimate interest Specific time of cookies storage differs according to the specific cookie type, usually no more than 1 year Google Analytics Marketing and promotion of our services name and surname, email, telephone number of potential customers, IP addresses and other technical identifiers Consent to processing of cookies For the term of the consent, the period of storage of cookies may differ according to the cookie type COOKIEBOT Protection of our rights and property (or protection of the rights and property of third parties) name and surname, email, telephone number of the customer, address and details of the services provided Legitimate interest For the period of 4 years of the termination of our contractual relationships Legitas advokátní kancelář Processing and evaluation of competitions, announcing and publishing the winner on our website and social networks name, surname, address, telephone number, email address or other details as may be specified by the conditions of the competition Consent, legitimate interest (if specified by the conditions of the competition) 2 years of the end of the competition unless you withdraw your consent earlier Publishing customer reviews or your questions or comments on the provision of our services name, surname, email address Consent For the time for which the post on which you commented is published unless you ask for erasure of your comment earlier Wordpress
Google (google forms)
CHECKING THE CONTENT OF EMAILS SENT TO THE RECIPIENT
Where the User sends an email to the Recipient, it travels in the Internet network and the server administrator can read the content of the message. Therefore, please note that emails are not to be used for sending confidential information and most emails are delivered to your inbox and are not encrypted in any way. Do not use the services of our Application for sending confidential information.
Sometimes we can check the content of our Users’ email campaigns in order to make sure that they comply with our conditions for use of the Application and with legislation. To this end, our employees can perform random checks of your individual email campaigns. The established control mechanism is an advantage for all our Users who comply with our conditions for use of the Application and the applicable legislation since this procedure reduces the volume of unsolicited emails (spam) sent via our servers and helps us maintain high delivery rate of your email campaigns (low spam rate).
OUR OBLIGATIONS RELATING TO ACCOUNTING AND TAXES
Please note that many personal data are processed by us because we are legally required to do so. According to Section 31 of the Act on Accounting (No. 593/1991 Sb.), we are obliged to archive accounting documents and accounting records (invoices) for the period of 5 years from the end of the financial year to which such documents and records relate. We also have an obligation arising from Section 47 of the Tax Code (No. 337/1992 Sb.) to retain invoices for the period of 3 years from the end of the financial year in which the tax relating to the invoice became chargeable. Invoices include the following personal data: name, surname, email address, billing address or other identification details of the User and information about the services provided by us in the Application.
Further, please note that according to Section 35 of the Value Added Tax (No. 235/2004 Sb.), we are obliged to archive invoices for the period of 10 years from the end of the financial year in which the transaction occurred. Invoices include the following personal data: name, surname, email address, billing address or other identification details of the User and information about the services provided by us in the Application.
WHAT MEASURES WE HAVE IMPLEMENTED TO PROTECT YOUR PERSONAL DATA
Technical and security measures. Taking into account the likelihood of risks and the costs of possible measures as well as technical capacity, we have implemented technical security and organizational measures – in all areas where the Processing of Personal Data takes place (in particular website operation, Application operation, employee matters, communication with customers).
We use a secure information system which provides security to personal data corresponding to the state of the art, costs, nature, scope and purposes of the processing.
Organizational measures. All employees who have access to Personal Data have committed themselves to secrecy and must respect security principles. Access to all systems, including the information system, is personalized and secured by passwords which are created in a variety of ways. The information system keeps logs in order for us to be able to control access of individual employees to individual databases. Our employees regularly undergo training.
WHEN WE TRANSFER YOUR PERSONAL DATA TO THIRD PARTIES
Your Personal Data may be transferred to our business partners (Processors) or other third parties where required by law.
Processors. We use only pre-screened Processors with whom we have entered into a written agreement and who provide us with safeguards which are at least equal to those which we provide to you. They are only Processors who are based in the European Union or with whom we have entered into standard contractual clauses under Article 46 GDPR and who provide a level of protection of your personal data equivalent to the one resulting from the application of GDPR and Czech legislation. All these Processors have committed themselves to secrecy and they must not use the provided Personal Data for any purposes other than those for which we have disclosed them in accordance with these principles. Particular Processors are indicated for each individual ground and purpose of the Processing of Personal Data above.
Legal obligations. We can transfer your Personal Data also to third parties, in addition to Processors, if required by law or when responding to legitimate requests of public authorities or at the request of the court in legal proceedings.
YOUR LEGAL RIGHTS
You can request access to personal data and request rectification, alteration, erasure or restriction of processing of personal data where the personal data are inaccurate or were processed in violation of the applicable data protection laws. You have the right to data portability, the right to object to processing, the right to withdraw consent to the processing of personal data and the right not to be subject to automated individual decision-making, including profiling.
You can exercise your rights in relation to the processing of Personal Data at the email address firstname.lastname@example.org, in person or by mail at the address of the controller.
We aim to comply with your requests without delay but no later than within 1 week. However, there may be circumstances in which we cannot provide the access (for example, where the required information compromises the privacy of others or endangers other legitimate rights, or where the costs of granting the access would be disproportionate to the risks compromising the individual privacy in the particular case). We can take reasonable action to verify user’s identity before we take any steps in relation to the rights of Users of the data.
Right of access to personal data
According to Article 15 GDPR, you will have the right of access to personal data, which includes the right to obtain from the controller:
- confirmation as to whether personal data are being processed,
- information about the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be processed, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the Users or to object to such processing, the right to lodge a complaint with a supervisory authority, any available information as to the source of personal data where the personal data are not collected from Users, the existence of automated decision-making, including profiling, the appropriate safeguards where personal data are transferred outside the European Union,
- a copy of the personal data provided that the rights and freedoms of others are not adversely affected.
For any further copies requested, the controller may charge a reasonable fee.
Right to rectification of inaccurate data
According to Article 16 GDPR, you have the right to rectification of inaccurate personal data. At the same time, you are obliged to inform us about any changes to your personal data (e.g. user profile records). You are also obliged to cooperate with us should it be established that the personal data we process are inaccurate. We will perform the rectification without undue delay but, in any case, taking into account the technical capacities available.
Right to erasure
According to Article 17 GDPR, you have the right to erasure of personal data concerning you unless we prove legitimate grounds for processing of those personal data. We have established mechanisms to ensure automatic anonymization or erasure of personal data when they are no longer necessary in relation to the purposes for which they were processed.
Right to restriction of processing
According to Article 18 GDPR, you have the right to obtain restriction of processing pending the resolution of your complaint if you contest the accuracy of personal data or the grounds for processing of personal data or if you object to processing of personal data.
Right to be notified of rectification, erasure or restriction of processing
According to Article 19 GDPR, you have the right to be notified of any rectification, erasure or restriction of processing of personal data. In case of any rectification or erasure of personal data, we will inform each recipient, unless this proves impossible or involves disproportionate effort.
Right to portability of personal data
According to Article 20 GDPR, you have the right to receive the data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, and the right to request that the data be transmitted to another controller.
Where you provide any personal data in the context of our contractual obligations or on the basis of consent and the processing of the personal data is carried out by automated means, you have the right to receive the data in a structured, commonly used and machine-readable format. Where technically feasible, the data can be transmitted to a controller indicated by you provided that the person acting on behalf of the relevant controller is properly identified and can be authorized. If the exercise of this right might adversely affect the rights and freedoms of others, we cannot comply with your request.
Right to object to processing of personal data
According to Article 21 GDPR, you have the right to object to processing of your personal data on the ground of legitimate interest.
Unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, we will end the processing on the basis of your objection without undue delay.
Where you object to processing for direct marketing purposes, we will end the processing without undue delay.
Right to withdraw consent to processing of personal data
Any consent to processing of personal data for marketing and commercial purposes may be withdrawn at any time. The withdrawal of consent shall be made by an explicit, comprehensible and specific manifestation of will. Processing of any data from cookies can be prevented by web browser settings.
Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We state, however, that we do not perform any automated decision-making unaffected by human intervention which produces legal effects concerning Users.
These Principles Relating to Processing of Personal Data may be amended only in writing. Users will be informed about any amendments on our website or in the Application.
Should you have any questions concerning our Principles Relating to Processing of Personal Data, please contact us at the email address email@example.com.
If you are dissatisfied, you can lodge an objection or complaint at any time with the Office for Personal Data Protection, with its registered office at Pplk. Sochora 727/27, 170 00 Praha 7 – Holešovice (further details can be found at https://www.uoou.cz/)
These Principles Relating to Processing of Personal Data take effect on 1 April 2021.