COMEFLEX CONSULTING s.r.o., ID No.: 26454599 (hereinafter also “Comeflex” or the “Controller”), with its registered office at: nám. 14. října 1307/2, Prague 5, registered in the Commercial Register kept by the Municipal Court in Prague, Section C, File No. 83372, issues the following for its clients:
Information on the Processing of Personal Data pursuant to the GDPR Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter also the “Regulation” or “GDPR”), effective as of May 25, 2018
The purpose of this Information on the processing of personal data is to provide essential details on what personal data Comeflex (as the Controller) processes about natural persons when providing services—specifically when providing a business address and administrative services, or selling goods to self-employed natural persons and legal entities under a contract, whereby it processes the personal data of managing directors, associated parties, and other natural persons; further, to provide information on the processing of personal data upon entering the website operated by Comeflex and during interactions with its clients, for what purposes and for how long Comeflex processes such personal data in accordance with applicable legal regulations, to whom and for what reason it may transfer them, as well as information on the rights natural persons hold in connection with the processing of their personal data.
This information applies to the processing of personal data of clients and, as appropriate, their representatives, potential clients (service applicants), and website visitors, always to the extent of personal data corresponding to their relationship with Comeflex.
1. Legal grounds for processing personal data; authorization of the Controller to process personal data.
1.1 Comeflex may process personal data for various purposes, but requires a legal ground for each purpose of processing. The processing of personal data is always tied to a purpose, based on which the legal ground is determined. It is possible that the Controller will process the same personal data (or a specific part thereof) for different purposes, and these purposes may arise or cease over time without triggering an obligation for the Controller to destroy the personal data. The obligation to destroy personal data arises when the Controller loses the last remaining legal ground for processing. The scope of processed data depends on the purpose of processing. Very often, personal data can be processed directly on the basis of a contract between Comeflex and its clients, the legitimate interest of Comeflex, or compliance with legal obligations (i.e., without the consent of the client as the data subject); for certain specific purposes, data may be processed solely on the basis of consent.
For the sake of clarity, the “data subject” in this context means in particular, but not exclusively, a self-employed natural person who is a client of Comeflex or their representative, as well as a managing director, associated party, or representative of a legal entity that is a client of Comeflex.
1.2 Legal grounds for processing personal data include:
a) the data subject has given consent to the processing for one or more specific purposes,
b) processing is necessary for the performance of a contract to which the data subject is party (a self-employed natural person, managing director, associated party, or representative of a legal entity; see above) or in order to take steps at the request of the data subject prior to entering into a contract,
c) processing is necessary for compliance with a legal obligation to which Comeflex as the Controller is subject,
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person,
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data,
g) processing is necessary for compliance with a legal obligation to which the Controller is subject.
1.3 Personal data of natural persons and contact details of natural persons
Personal data means any information relating to an identified or identifiable natural person that Comeflex is able to identify. In connection with the provision of services, Comeflex may process the following categories of personal data:
a) Basic personal data required for the conclusion and performance of a contract between Comeflex and the client (Article 1.2(b))
These include in particular:
- first and last name
- academic degree
- business firm name
- personal ID number / date of birth
- Company ID No. (IČO), VAT ID No. (DIČ)
- permanent residence address
- registered office address or place of business
- billing address
- numbers of submitted identification documents and copies thereof (all details not required for the provision of the service are redacted on the copies)
- identification details of the client’s representative or a contact person designated by the client
- identification details of the billing payer
- bank account details
- signature
b) Basic contact details required for the conclusion and performance of a contract (Article 1.2(b))
These include in particular:
- phone number
- email address
- social media profiles
1.4 Data processed on the basis of consent (Article 1.2(a))
The processing of these data is not strictly necessary for the performance of a contract, compliance with legal obligations, or the protection of Comeflex’s legitimate interests, but their processing allows the company to improve its services or inform customers about suitable offers. These data are processed only if consent is granted and may be processed for the duration of the validity of such consent. This applies specifically to data obtained through marketing surveys (processed for customers based on consent to personal data processing for marketing and commercial purposes).
Granting consent for marketing and commercial purposes is voluntary, and the customer may revoke it at any time after May 25, 2018. This consent remains valid for the duration of the use of Comeflex services and for the subsequent 2 years, or until revoked by the client. For marketing and commercial purposes, all categories of data listed in paragraph 1.3 (with the exception of the signature and copies of identification documents) may be processed based on consent, specifically for the period Comeflex is authorized to register these data for the purposes of providing services, fulfilling legal obligations, and protecting its legitimate interests, but no longer than until the consent is revoked or until the expiration of 4 years from the date of termination of the service contract with Comeflex, unless the client revokes the consent earlier.
2. Processing of personal data for the performance of a contract, fulfillment of legal obligations, and legitimate interests of Comeflex
2.1 Providing personal data necessary for the performance of a contract, compliance with Comeflex’s legal obligations, and the protection of Comeflex’s legitimate interests is mandatory. Without providing personal data for these purposes, it would not be possible to provide the services. Comeflex does not require consent to process personal data for these purposes. Processing based on the performance of a contract and compliance with legal obligations cannot be refused.
This applies in particular to the following specific sub-purposes:
- billing of services – invoices, payment reminders, etc. (performance of a contract)
- fulfillment of statutory tax obligations (compliance with a legal obligation)
- purposes established by specific acts for the needs of criminal proceedings against a person and fulfilling the duty of cooperation with the Police of the Czech Republic and other state authorities (compliance with a legal obligation)
- recovery of client receivables and other contract disputes, e.g., judicial or administrative (performance of a contract)
- processes associated with client identification (performance of a contract)
- securing evidence in the event of a need to defend the rights of Comeflex (legitimate interest of Comeflex)
- records of debtors (legitimate interest of Comeflex)
2.2 Personal data are processed to the extent necessary to fulfill the above-mentioned purposes and for the time necessary to achieve them, or for the period stipulated by legal regulations. Afterwards, the personal data are deleted or anonymized. The processing retention periods for the specified purposes (contract performance, legal obligations, legitimate interest of Comeflex, etc.) are listed below.
2.3 For clients who have fulfilled all their liabilities towards the company, Comeflex is authorized to process their basic personal, identification, and contact details, data regarding services, and data from their communication with Comeflex for a period of 4 years from the date of termination of the last contract with Comeflex.
2.4 In the case of negotiations between Comeflex and a potential client regarding the conclusion of a service contract that did not result in a concluded contract, Comeflex is authorized to process the provided personal data for a period of 3 months from the respective interaction.
2.5 Invoices issued by Comeflex are archived in accordance with Section 35 of Act No. 235/2004 Coll., on Value Added Tax, for a period of 10 years from their issuance. Due to the necessity of proving the legal ground for issuing invoices, contracts on the provision of a business address and administrative services are also archived for 10 years from the date of contract termination.
2.6 Identification data necessary for providing services taken from the customer’s ID document are processed by Comeflex in accordance with Section 16 of Act No. 253/2008 Coll., on Certain Measures against Money Laundering and Terrorist Financing, for a period of 10 years from the date of contract termination with Comeflex. To fulfill this statutory obligation, Comeflex retains copies of ID cards containing the data necessary for providing services for 10 years from contract termination, while all other data on the copy not required for providing the service are redacted.
2.7 For persons against whom Comeflex holds a financial claim (debtors), Comeflex retains personal data related to the debt for a period of 4 years after the debt has been paid in full.
2.8 If the data subject has cookies enabled in their terminal equipment, behavioral records from cookies placed on the website operated by Comeflex are processed to ensure better website functionality.
3. Categories of personal data recipients; sharing personal data with other controllers
3.1 When fulfilling its contractual commitments and obligations (i.e., within the scope of contract performance), Comeflex uses the expert and specialized services of other entities. If these suppliers process personal data transferred from Comeflex, they hold the legal status of personal data processors and process personal data solely strictly under instructions from Comeflex and may not use them for any other purpose. This includes, in particular, debt recovery, the activities of experts, attorneys, auditors, IT system administration, online advertising, or commercial representation. We carefully select each such entity to ensure compliance with the duty to protect and secure personal data.
3.2 Within the scope of fulfilling its statutory obligations, Comeflex transfers personal data to administrative bodies and authorities defined by applicable legislation.
3.3 Unless the law provides otherwise, Comeflex as a data controller may transfer personal data to other data controllers for marketing purposes only if it holds the data subject’s consent to such transfer. Granting this consent is voluntary.
4. Method of personal data processing
4.1 Comeflex processes personal data both manually and through automated means. It maintains records of all processing activities, both manual and automated, during which personal data are processed.
4.2 Comeflex has the right to process data from public registers to the necessary extent (provided such processing is based on a legitimate interest); however, it must carry out a legitimate interest balancing test. Personal data from a public register may be used to verify the accuracy of identification data in business transactions. Comeflex does not use personal data from public registers for marketing purposes.
4.2 Comeflex has the right to process data from public registers to the necessary extent (provided such processing is based on a legitimate interest); however, it must carry out a legitimate interest balancing test. Personal data from a public register may be used to verify the accuracy of identification data in business transactions. Comeflex does not use personal data from public registers for marketing purposes.
5. Commercial communications
5.1 It is always clear from commercial communications sent by Comeflex that the company is the sender. Commercial communications are sent either to customer contacts based on the legitimate interest of COMEFLEX CONSULTING s.r.o., solely until the client opts out, or based on explicit consent to the processing of personal data for marketing and commercial purposes. The sent commercial communications also include a contact option to refuse further receipt of such messages.
6. Comeflex statement on the rights of data subjects (natural persons) regarding personal data processing effective May 25, 2018 under the GDPR
6.1 Under the GDPR Regulation, as of May 25, 2018, provided the data subject is an identifiable natural person to Comeflex and properly proves their identity, they shall hold the following rights:
a) pursuant to Article 15 of the Regulation, the data subject has the right of access to personal data, which includes the right to obtain from Comeflex:
aa) confirmation as to whether personal data are being processed,
ab) information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the envisaged processing retention period, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority, any available information as to their source where personal data are not collected from the data subject, the existence of automated decision-making, including profiling, and—provided the rights and freedoms of others are not adversely affected—a copy of the personal data. In the event of repeated requests, Comeflex is entitled to charge a reasonable fee for the copy of personal data in the amount of ……. The right to a copy of personal data may be exercised at the company’s registered office, subject to proving the legitimacy of the request. The right to confirmation of processing and to information can be exercised in writing at the address of Comeflex’s registered office.
c) pursuant to Article 16 of the Regulation, the data subject has the right to the rectification of inaccurate personal data processed about them by Comeflex. The client also has the obligation to notify changes to their personal data and provide evidence that such a change has occurred. At the same time, they are obliged to provide cooperation if it is found that the personal data processed about them by Comeflex are inaccurate. Rectification shall be carried out without undue delay, always taking into account given technical capabilities. A request for rectification of personal data may be lodged at the company’s registered office, subject to proving the legitimacy of the request.
d) pursuant to Article 17 of the Regulation, the data subject has the right to the erasure of personal data concerning them if Comeflex fails to prove legitimate grounds for the processing of such personal data (e.g., contract performance, fulfillment of statutory obligations, legitimate interest of Comeflex – see above).
e) pursuant to Article 18 of the Regulation, the data subject has the right to restriction of processing until a raised matter is resolved if they contest the accuracy of the personal data, the lawfulness of their processing, or if they lodge an objection against their processing, submitted in writing to the company’s registered office address.
f) pursuant to Article 19 of the Regulation, the data subject has the right to notification from Comeflex regarding any rectification, erasure, or restriction of processing of personal data. If personal data are rectified or erased, we will inform individual recipients, unless this proves impossible or involves disproportionate effort. Based on the data subject’s request, we can provide information regarding these recipients. The request can be sent in writing to the company’s registered office address.
g) pursuant to Article 20 of the Regulation, the data subject has the right to data portability of the data concerning them which they have provided to the controller, in a structured, commonly used, and machine-readable format, and the right to request Comeflex to transmit those data to another controller.
h) if the data subject provides personal data in connection with a service contract or based on consent and the processing is carried out by automated means, they have the right to receive such data in a structured, commonly used, and machine-readable format. Where technically feasible, the data may also be transmitted directly to a designated controller, provided a person acting on behalf of the respective controller is properly designated and can be authorized. In the event that exercising this right could adversely affect the rights and freedoms of third parties, the request cannot be granted. The request can be lodged at Comeflex’s registered office upon proving the legitimacy of the demand.
Ch) pursuant to Article 21 of the Regulation, the data subject has the right to object to the processing of their personal data based on the legitimate interest of Comeflex. If Comeflex fails to demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, the company shall terminate the processing based on the objection without undue delay. The objection can be sent in writing to the company’s registered office address.
i) Right to withdraw consent to personal data processing: consent to personal data processing for marketing and commercial purposes effective May 25, 2018, can be withdrawn at any time after this date. The withdrawal must be made through an explicit, clear, and definite expression of will, either by phone, at the company’s registered office, or by registered mail.
j) The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Comeflex states that it does not carry out automated decision-making producing legal effects for data subjects without human assessment.
k) The data subject has the right to contact the Office for Personal Data Protection (www.uoou.cz).