Personal Data Processing Principles
1. INTRODUCTORY PROVISIONS
1.1. Adiquit s.r.o., with its Registered Address at Na Skále 632, 252 28 Černošice, ID No.: 07241356, Tax ID No.: CZ07241356, entered into the Trade Register kept by the Municipal Court in Prague, Section C, File 297401 (the Controller), hereby provides information about the way and scope of processing personal information, including the rights relating to the processing of personal data (the Principles).
1.2. Protection of privacy and personal data processing is a priority for the Controller, and the processing of personal data is considered as strictly confidential, and personal data are treated in compliance with the valid legal regulations in the area of personal data protection, in particular with the General Data Protection Regulation EU 2016/679.
1.3. Services provided by the Controller through the Controller’s Website https://www.adiquit.cz/ (the Website) and the mobile application Adiquit (the Application) may only function on condition we process your personal data in accordance with the below specifications. For more details about the services provided by the Controller, see the Website or the Application.
2. SCOPE OF THE PROCESSED PERSONAL DATA
2.1. The Controller particularly processes the following personal data:
a) identification data, which mainly refer to the username and the password;
b) contact data, which refer to the personal data that make it possible for the Controller to contact the Users, particularly the email address;
c) account settings, which refer to the data in the User’s user account;
d) embedded content, which means, in particular, the number of cigarettes smoked in a given period, information about situational variables regarding smoking, information on habits regarding using cigarettes, tobacco, and nicotine products (including e.g. the price of favorites cigarettes), motives for quitting smoking, general information on residence, current employment or entrepreneurship, highest educational attainment, age, and further also name, or possibly telephone number of a close person, communication with the Controller within user support;
e) health data, which means mainly personal data about the current state of health (e.g. ongoing treatment or illness, information on currently used medications). The data filled in the app are provided voluntarily and are processed on the basis of your explicit consent, which you can revoke at any time.
f) data about the user behaviour within the Website and the Application, including records of the activity of the Application (information about using the Application by the User, logins), which can also include records of the User’s activity, the way of movement around the Website, shifting the screen, and also data about the device from which the User browses the Website, such as the IP address and the position derived from it, identification of the device, its technical parameters, such as the operating system, its version, the screen resolution, the used web browser and its version, and also data acquired from the cookies and similar technologies for device identification; and
g) derived data, which refer to the User’s personal data derived from the account settings.
3. PURPOSES OF PERSONAL DATA PROCESSING
Processing of the personal data of the Website visitors and the Application Users
3.1. Data about the behaviour on the Website and data acquired through the Application are processed by the Controller based on their legitimate interest for the purpose of:
a) acquiring information on the basis of which the Controller will be able to improve the Website and the Application in the future; the Controller’s legitimate interest here refers to the improvements of the provided services;
b) creation of statistics and overviews, particularly monitoring of the number of the Website visits and, as the case may be, measurement of the advertising effectiveness; the Controller’s legitimate interest here refers to measurement of the Website effectiveness and, as the case may be, the cost of advertising; for this purpose, the Controller can acquire some other derived data from the Website visitors’ behaviour and use them for this purpose;
c) testing new functions and applications before launching, particularly for the purpose of preventing problems with the functionality of such new things in actual operation, which might worsen the experience with the use of the Website and the Application; the Controller’s legitimate interest here refers to the trouble-free functionality of the provided services; and
d) prevention of hacking into the Website and the Application and threatening their functionality and security of the processed data; the Controller’s legitimate interest here refers to the trouble-free functionality of the provided services and the data security.
In the event of registration
3.2. If a user account is created in the Application, the Controller processes the User’s name and contact data, the settings data, and the entered content on the basis of a Contract with the data subjects to be able to keep and administer the user account and provide the relating functionality. The legal basis for the processing of personal data is established by creation of the user account (registration). Some information in the content entered into the Application (the number of cigarettes smoked in a given period, information about the habits relating to smoking cigarettes, general information on residence, current employment or entrepreneurship and highest educational attainment) is administered by the Controller in compliance with the given consent.
3.3. If a user account is created, the Controller processes the User’s identification and contact data, the account settings data, and also any derived data also on the basis of the Controller’s legitimate interest for the purpose of:
a) acquiring information based on which the Controller will be able to improve the provided services in the future; the Controller’s legitimate interest here refers to the improvements of the provided services; and
b) providing tailored offers and personalized advertising; the Controller’s legitimate interest here refers to the effective promotion of products and services.
3.4. Unless rejected by the User during the process of registration or later on, the Controller processes identification and contact data, account settings data, behavioural data, and derived data for the purpose of sending commercial communications, particularly by email, text message or any other electronic means, or by mail; the Controller’s legitimate interest here refers to the effective promotion of products and services.
3.5. If an account is created, the Controller processes the account settings data for the purpose of testing new functions and applications before they are launched; the Controller’s legitimate interest here refers to the trouble-free functionality of the provided services.
3.6 After creating an account, the app Controller further processes user-entered health data, namely in accordance with the user’s consent. The primary purpose of the data processing is to provide the relevant functionalities of the Application and the possibility of their usage by the user in the performance of the contract. Granting consent to processing is not a condition for creating an Application account, however, the Controller cannot process the data without it. This may result in the user not being able to use all the offered functionalities of the Application.
3.7. The User may refuse to give consent or withdraw their consent given earlier. Such a withdrawal of consent shall not affect the legitimacy of any processing of the personal data before the withdrawal. See more about the way of application of the rights by data subjects in Article 8 of the Principles.
Fulfilment of the legal obligations by the Controller
3.8. The Controller also processes the User’s identification and contact data for the purpose of fulfilment of the legal obligations, particularly the obligations within the meaning of the accounting and tax legislation. Fulfilment of legal obligations also refers to provision of data and information to the law enforcement authorities or to the other public authorities in compliance with the applicable legal regulations.
4. PERSONAL DATA RECIPIENTS
4.1. Personal data are only accessible to the authorized personnel of the Controller, or to individual personal data processors and controllers, but only to the extent as it is necessary for fulfilment of the respective processing purposes. This cooperation aims to provide only the Users of the Controller’s services with the best possible and most relevant services. The above services mainly include verification, system hosting and maintenance, email services, management of payment transactions, checking of the address for service and the email address, and the Website traffic analysis.
4.2. The personal data acquired this way may only be used by the service providers on condition the legal conditions are met, mainly including those based on an agreement on provision of personal data or an agreement on the processing of personal data entered into by and between such Recipients and the Controller.
4.3. The Controller shall provide more detailed information or the current list of Recipients upon request.
4.4. The Controller shall not disclose personal data to any Recipients outside the territory of the European Union or the European Economic Area.
5.1. In their presentation, the Controller uses, within the processes of enhancement of the quality of Website services, personalization of the offer, collecting anonymous data, and for the purpose of analytics, so-called cookies. Setting of the cookies is fully under control of the User. In the browser settings, the User can set everything according to their wishes, i.e. they can delete, block, or choose the option of saving Cookies only with the User’s consent in separate cases.
5.2. Consent can be given through a check box included in the so-caller cookie bar. Cookies can also be rejected or use of only some of them can be set by the User subsequently in the settings of the web browser. However, if the User rejects the cookies, or in the browser settings all cookies (including the essential cookies) are turned off, the User may not be able to obtain access to the Website, or to some of its parts.
5.3. For further information about our cookies and their current list, see particularly the Tools for Developers in your web browser.
6. PERSONAL DATA SECURITY
6.1. The Controller has taken the relevant technical and organizational personal data protection measures, both against their accidental or illegal destruction, loss, alteration, unauthorized use, access or sharing, especially where the processing includes network data transfer, and against any other forms of illegal processing or another misuse. Any Personal Data Recipient shall process personal data exclusively in compliance with the Controller’s instructions and shall be bound to observe strict security procedures when dealing with personal data
7. PERIOD OF PERSONAL DATA PROCESSING
7.1. Personal data processed by the Controller based on the consent shall be processed for the period of such granted consent, but only until such consent is withdrawn. Unless otherwise specified in these Principles, personal data included in the user account (including mainly the health data) shall be deleted immediately upon settlement of a request for cancellation of the account.
7.2. The Controller also processes personal data for the period necessary for fulfilment of all the rights and obligations under the respective contractual relationship, and also for the period for which the Controller is obliged to keep personal data in compliance with the generally binding legal regulations. Personal data are also processed by the Controller in accordance with the purpose for the following periods:
Fulfilment of the contractual relationship:
For the period of the contractual relationship, but no longer than for the period of 10 years after termination of the contractual relationship.
Fulfilment of legal obligations:
For the period stipulated by the respective legal regulation.
Legitimate interest of the Controller:
No longer than for the period of 3 years from collection of personal data, or until an objection to the processing is filed, unless special legal regulations stipulate, in some cases, a longer period, or unless there is a need, in a justified case, to keep the data for a longer period in relation to a particular case.
Sending commercial communications:
For the period until the User rejects receiving commercial communications or withdraws their consent granted earlier.
For the period they are being settled and for a maximum of 6 months after that, unless the Controller is entitled or obliged to keep them for a longer period in a particular case.
8. Rights of the Data subject
8.1. The User, as a data subject, has some rights relating to the processing of personal data, which they can exercise at any time. These rights are based on legal regulations. They include the right (i) to access to personal data, (ii) to rectification of inaccurate and to completion of incomplete personal data, (iii) to erasure of personal data, if the data are no longer needed for the purposes for which they were collected or otherwise processed, or if it is found out that they were processed unlawfully, (iv) to restriction of the processing of personal data, (v) to data portability, (vi) the right to object upon which the processing of their personal data will be terminated, unless there are demonstrable, serious, and legitimate reasons for the processing that prevail over the interests or rights and freedoms of the data subjects, particularly if the reason is potential enforcement of legal claims, (vii) the right to withdraw consent for personal data processing, if the personal data are processed based on the basis of consent, and (viii) the right to address the Office for Personal Data Protection (www.uoou.cz).
a) The right to access to your personal data: if the User wishes to know whether the Controller processes their personal data, they are entitled to get information about the fact whether their personal data are processed or not. If so, they are entitled to get access to these personal data. In the case of groundless, excessive, or repeated requests, the Controller shall be entitled to charge a reasonable fee for a copy of the provided personal data, or to reject a request (this provision similarly applies to the below rights).
b) The right to rectification of inaccurate and completion of incomplete personal data: Providing the User believes that the Controller processes their inaccurate or incomplete personal data, they are entitled to request rectification and completion of such data. The Controller shall rectify and complete the data without undue delay, but always with respect to the technical possibilities.
c) The right to erasure: providing the User asks for erasure, the Controller shall erase their personal data on condition (i) they are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) the processing is unlawful, (iii) the User objects to the processing and there are no prevailing legitimate reasons for the processing of their personal data, (iv) the erasure is imposed on the Controller by a legal obligation, or (v) the User withdraws their consent to the processing of their personal data.
d) The right to restriction of the processing of personal data: providing the User asks for restriction of the processing, The Controller shall make the personal data inaccessible, remove them temporarily, or keep them, or shall perform another processing activity necessary for the proper fulfilment of the exercised right;
e) The right to data portability: if the User requests the Controller to hand their personal data over to a third party, they can exercise their right to data portability. However, if fulfilment of this right would adversely affect someone else’s rights and freedoms, the Controller shall not satisfy such a request.
f) The right to object: the right to object to the processing of your personal data that are processed for the purposes of fulfilment of a task carried out in the public interest or within the performance of tasks of the public authority or for the reasons of protection of the legitimate interests of the Controller. Unless the Controller proves that there is a serious and legitimate reason for the processing prevailing over the interest or the rights and freedoms of the data subjects, the Controller shall terminate the processing without undue delay based on the objection.
g) The right to withdraw consent to have the personal data processed: If the Controller processes your personal data on the basis of your consent, this consent is always revocable. You can revoke the consent at any time, via email at email@example.com or directly in the app; the consent is also withdrawn after canceling the account in the app by clicking on the “Delete data in application” button. Once the consent has been revoked, the Controller may no longer process such personal data, unless they had another legal reason for their processing.
h) The right to contact the Office for Personal Data Protection: the data subject may lodge a complaint with the Office for Personal Data Protection if they consider that by the data processing their right to the protection of personal data or related legislation, including violating the above- mentioned rights were disobeyed.
8.2. The Controller reserves the right to ask the data subject for additional information in the event they are not able to determine the content of the request or to identify the person filing the request for exercise of the rights.
9. GENERAL PROVISIONS
9.1. The Principles are an integral part of the contractual relationship with the Controller.
9.2. The data subject may address the Controller concerning any remarks on the processing of their personal data, or in the event of exercising their rights, using the email address firstname.lastname@example.org.
9.3. The Controller reserves the right to modify these Provisions without prior notification, particularly for the reasons of ensuring the appropriate level of personal data protection, taking account of the development of legal regulations or the generally accepted practice. For this reason, the Controller recommends continuous monitoring of the Website, where it is always possible to find the current version of the Principles.
9.5. These Principles come into effect on 1 May 2021.