These Personal Data Processing Principles (hereinafter referred to as "ZZOÚ") were issued by stockX a.s., with its registered office at Lublaňská 267/12, Vinohrady, 120 00 Praha 2, ID No.: 077 81 156, registered in the Commercial Register maintained by the Municipal Court in Prague, File No. B 24089 (hereinafter referred to as the "Company"). These ZZOÚ describe how the Company collects, processes, and shares information of users (hereinafter referred to as the "user") of the website www.xdigr.cz, as well as customers (hereinafter referred to as the "customer") who use its services.

The Company acts as both the controller and processor of personal data provided by customers when ordering services. The Company may also use additional processors for the processing of personal data, as specified below.

We recommend that you read the entire ZZOÚ and ensure that you fully understand the information provided. If you have any questions regarding these ZZOÚ or the collection, processing, and sharing of personal data by the Company, please contact us at [email protected].

The Company processes data obtained based on the use of the website and through cookies. For better targeting of advertising campaigns and improving the website, the Company uses information about the user and the pages viewed, or about the links they clicked on and other activities on the website, such as filling out order and contact forms. These data are obtained automatically through the Company's tools and the tools of the data processors mentioned below. If you have enabled the storage of cookies on your device, these data are also obtained through these files.

The Company primarily processes data you provide in the contact form. Some personal data are necessary for filling out the form (name and email address) and serve for the basic identification of the user. The data processed by the Company may include the following:

• First and last name, or the name of a business entity;
• Identification number of the entrepreneur (IČO);
• Tax identification number (DIČ);
• A copy of an identity document (ID card / driver’s license / passport / residence permit);
• Possibly other necessary data required to conclude and perform a contractual relationship, such as:
  • Gender;
  • Permanent residence address;
  • Other place of residence;
  • Date of birth;
  • Place of birth;
  • Citizenship;
  • ID document number;
  • The authority that issued the ID document;
  • ID document expiration date;
  • Birth number or other national identifier;
  • Email address;
  • Phone number.

The Company does not knowingly collect information from persons under the age of 18, and persons under 18 may not use its services. If you become aware that a person under 18 has provided us with personal information in violation of these ZZOÚ, you can notify us at [email protected].

 

The Company processes personal data solely for the purposes for which they were collected, based on a legitimate interest, legal obligation, or granted consent. We process personal data for various purposes, primarily for:

• fulfilling and implementing concluded contracts and orders;
• fulfilling legal obligations in the field of accounting, taxes, or as required by other applicable laws and regulations, or required by any judicial process or administrative authority;
• communication with customers, including sending information about current services and products, updates to business terms, and for marketing and promotional purposes;
• sending responses to queries from website users;
• handling responses to specific job offers;
• analyzing website traffic to improve services and their offerings;
• marketing outreach via electronic contact;
• transaction processing and fraud detection;
• targeting potential customers through online advertising. For better ad targeting and website optimization, the Company uses information about user activity on the website. These include data obtained through cookies.

 

Personal data are processed primarily by the Company and its employees, who are bound by confidentiality, and by the Company’s service providers if the data are processed in connection with fulfilling and implementing concluded contracts and orders (e.g., attorneys).

The Company may further use so-called processors to process personal data. These entities can only process personal data for the purposes and in the manner determined by the Company, and may not disclose them without further consent. We only share the data necessary for them to provide their services. The Company uses the following processors:

• Google LLC (tools for web analytics and online marketing);
• Facebook Ireland Ltd. (tools for online marketing);
• Seznam.cz, a.s. (tools for online marketing).
• In justified cases, the Company may transfer personal data to other entities (processors).

 

Personal data may be transferred to these processors:

• processors who process personal data according to the Company’s instructions in the field of public relations, electronic data management, or accounting;
• public authorities and other entities if required by applicable legal regulations;
• other entities in the event of an unexpected occurrence where the provision of data is necessary to protect life, health, property, or other public interest, or if it is necessary to protect our rights, property, or security.

 

Personal data for the purposes mentioned in Section 2 are processed to the extent necessary to fulfill these purposes and for the time necessary to achieve them or for the period directly prescribed by legal regulations. Afterward, personal data are deleted or anonymized.

After this period, personal data may only be stored for the purposes of state statistical services, for scientific purposes, or for archiving purposes.

Below are the basic periods for the processing of personal data.

The Company processes personal data of registered customers until their registration is canceled. Data about the contact persons of customers are processed throughout the duration of the business relationship or until the customer updates the data.

In the case of service customers, the Company is entitled to process their basic personal, identification, and contact data, data about services, and data from their communication with the Company for 10 years from the termination of the last contract.

Invoices issued by the Company are archived for 10 years from their issuance, in accordance with Section 35 of Act No. 235/2004 Coll., on Value Added Tax. Due to the necessity of proving a legal basis for issuing invoices, contracts are also archived for 10 years from the date of termination of the contract.

Data obtained for marketing purposes are processed for the entire duration of the consent, i.e., for as long as the user allows storage within the settings of cookies on the website or in their browser. Processing may continue even after consent is withdrawn, but no longer than until the expiration of the relevant type of cookie.

Business and marketing outreach via electronic contact is carried out until the consent is withdrawn or until the recipient unsubscribes.

Customers may cancel the subscription to any marketing and business communications at any time by:

• clicking on the relevant link in the footer of each business communication;
• using the dedicated webpage;
• sending a request to the listed contact.

The user can disable ad targeting (Cookies) by changing the settings directly in their browser. If you disable the storage of selected cookies, some parts of the website may not function properly.

Personal data are processed both manually and automatically in electronic information systems, either electronically or in paper form, always under high technical, organizational, and personnel security in accordance with the requirements of generally binding legal regulations.

All persons who come into contact with personal data in the course of their job (or under contractually assumed obligations) are trained and bound by confidentiality.

If the data subject is an identifiable natural or legal person and can prove their identity, they have the following rights:

• The right of access to personal data

Under Article 15 of the GDPR, the data subject has the right of access to personal data, which includes the right to obtain from the Company:

• confirmation as to whether it processes their personal data;
• information about the purposes of processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the planned period of processing, the existence of the right to request from the controller the rectification or erasure of personal data relating to the data subject or restriction of their processing, or to object to such processing, the right to lodge a complaint with a supervisory authority, all available information about the source of the personal data if they are not obtained from the data subject, the fact that automated decision-making, including profiling, is taking place, and the appropriate safeguards for the transfer of data outside the EU;
• a copy of the personal data, provided that the rights and freedoms of others are not adversely affected.

In the event of a repeated request, the Company is entitled to charge a reasonable fee for a copy of the personal data.

The Right to Rectify Inaccurate Data

Under Article 16 of the GDPR, you have the right to rectify inaccurate personal data about you that the Company processes. You also have the obligation to notify changes in your personal data and prove that such a change has occurred. At the same time, you must provide cooperation to the Company if it is found that the personal data it processes about you are inaccurate. We will carry out the correction without undue delay, but always with regard to the given technical possibilities.

The Right to Erasure

Under Article 17 of the GDPR, you have the right to request the erasure of personal data relating to you, provided the Company does not prove legitimate reasons for processing such personal data. The Company has mechanisms in place to ensure the automatic anonymization or erasure of personal data if they are no longer needed for the purpose for which they were processed.

The Right to Restrict Processing

Under Article 18 of the GDPR, the data subject has the right to restrict processing until a raised concern is resolved, if they dispute the accuracy of personal data, the reasons for their processing, or if they have objected to their processing, by sending a written request to the Company's registered office.

The Right to Be Notified of Rectification, Erasure, or Restriction of Processing

Under Article 19 of the GDPR, the data subject has the right to be notified by the Company in the event of the rectification, erasure, or restriction of processing of personal data. If personal data are rectified or erased, the Company will inform the individual recipients, except in cases where this proves impossible or requires disproportionate effort.

The Right to Data Portability

Under Article 20 of the GDPR, you have the right to data portability concerning data that relate to you and that you have provided to us as the controller, in a structured, commonly used, and machine-readable format. You also have the right to ask us to transfer these data to another controller. If exercising this right could adversely affect the rights and freedoms of third parties, your request may not be granted.

The Right to Object to the Processing of Personal Data

Under Article 21 of the GDPR, you have the right to object to the processing of your personal data by the Company. If the Company fails to demonstrate that there is a compelling legitimate reason for processing that overrides the interests or rights and freedoms of the data subject, the Company will terminate the processing on the basis of the objection without undue delay.

The Right to Withdraw Consent to the Processing of Personal Data

If you have granted the Company consent to process your personal data, you may withdraw it at any time. The withdrawal must be made by an explicit, understandable, and clear statement of will, either in writing to the Company’s registered office or via the email address [email protected].

Automated Individual Decision-Making, Including Profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning them or similarly significantly affect them. The Company states that it does not carry out automated decision-making without human assessment that would have legal effects for data subjects.

The Right to Contact the Office for Personal Data Protection

You have the right to lodge a complaint regarding our processing of your personal data with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7. The website of the office: www.uoou.cz.

The Company undertakes to protect personal data and other information about its customers and users of its services. It uses a number of security technologies and measures designed to protect information from unauthorized access, use, or disclosure. The measures it employs are designed to provide a level of security appropriate to the risk of misuse of personal data. The security of personal data is regularly tested by the Company, and protection is constantly being improved. However, please note that 100% certainty cannot be guaranteed on the internet. All personal data in electronic form are stored in databases and systems accessible only to persons who need to handle personal data directly for the purposes stated in these rules, and only to the extent necessary.

If you have any questions regarding this personal data processing or if you wish to exercise your rights, do not hesitate to contact us at [email protected].

The controller of your personal data is stockX a.s., with its registered office at Čs. armády 371/11, Bubeneč, 160 00 Prague 6, ID No.: 077 81 156, registered in the Commercial Register maintained by the Municipal Court in Prague, File No. B 24089.

Please note that we may modify or update these Personal Data Processing Principles at any time.

Any changes to these principles will become effective after they are published at the following link: https://xdigr.cz/gdpr.

These Personal Data Processing Principles are effective from December 1, 2023.