
Data Protection and Privacy Policy

 

Last updated: 3 March 2023

This Data Protection and Privacy Policy of Eventival, s.r.o., with its registered office at Praha 3, Seifertova 1527/16, Post Code 130 00, The Czech Republic, Company ID 28991214 (“the Company”) sets out the policies regarding the collection, use and processing of any personal information or data (“Personal Data”) collected by the Company from and/or about: (i) our customers and other users of the services, software, websites and applications created by the Company (the “Service”), (ii) our employees and contractors, (iii) any other persons that may provide us with their personal data in connection with our business (the “Policy”).

The Company complies with all the applicable legal regulations regarding Data Protection and Privacy, in particular with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”).

This Policy is applicable to and applied by all employees and contractors used by the Company as an internal policy, and the Company ensures regular appropriate training.

1. Important Notice

When you upload personal data to the Service or otherwise provide your personal data to the Company, you acknowledge and agree that the Company will process such data in order to provide and improve the Service. Personal data regarding the Company's employees and contractors will be processed solely for the purpose of managing their employment or similar relationship.

The Company does not collect data from public sources but only processes personal data uploaded to the Service by its customers or end users, or otherwise provided to the Company directly by the data subjects interested in making contact with other users of the Service or in maintaining a relationship with the Company (such as an employment or other contractual or potential contractual relationship).

Such personal data may include a person’s: (i) name, (ii) email address, (iii) phone number, (iv) postal address, (v) gender, (vi) date of birth, (vii) nationality, (viii) citizenship, (ix) photos, (x) education, (xi) other contact details, (xii) information regarding his/her profession and professional activities and interests.

The Company will not disclose the personal data to any other recipients (except its third party providers in accordance with clause 12 of the Data Protection and Privacy Policy, who are bound by a duty of confidentiality), and it will not transfer the data outside the EU. The personal data will be retained by the Company only as long as required to provide you with the Service or maintain the employment or similar relationship with you (for example based on a cooperation agreement).

The Company may use the personal data to carry out profiling based on certain criteria which may further enable it to improve the Service and connect its customers with an appropriate group of end users, including the sending of commercial notices for this purpose.

The Company may also store the data uploaded by the users of the Service for the purpose of further improving the Service and its security, and may create and share aggregate, anonymized data about the use of the Service.

Any individual has the right to have personal data concerning him or her rectified, and a “right to be forgotten” where the retention of such data infringes the General Data Protection Regulation of the Czech Republic. If you have given consent to the processing of your personal data through the Service and you no longer agree with it, you have the right to withdraw your consent at any time. Regarding any such request, please notify us at the following e-mail address: data@eventival.com.

You have the right to lodge a complaint regarding the personal data processing with the supervisory authority, being the Czech Data Protection Office at www.uoou.cz.

For further details regarding the above, read our entire Data Protection & Privacy Policy below.

2. General Principles

Any Personal Data processed by the Company shall be: (i) processed lawfully, fairly and in a transparent manner, (ii) collected and processed only for specified, explicit and legitimate purposes, (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, (iv) accurate and, where possible, kept up to date, (v) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed and (vi) processed in a manner that ensures appropriate security of the personal information.

The Company mainly serves as a Personal Data processor for a number of data controllers, and complies with all the obligations applicable to processors.

To the extent that the Company is the controller of certain Personal Data, it complies with all the obligations applicable to controllers.

3. Obligations of Customers as Data Controllers

When using the Service as a customer accessing the Service through the administrative interface of the Company's Applications (the “Customer”), you, as the data controller within the meaning of the General Data Protection Regulation, must ensure full compliance with the requirements laid down by the General Data Protection Regulation, in particular:

  • respect the above listed general principles applicable to any Personal Data processing and be able to demonstrate that,
  • to the extent any processing of Personal Data using the Service is based on consent, you, as the controller, will bear the burden of proof regarding the data subject's consent,
  • must ensure that the data subject has an effective right to withdraw his or her consent at any time and inform the data subjects of this right,
  • must not collect and process, using the Service, any Personal Data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic or biometric data or data concerning health or sex life or criminal convictions (except when such processing is permitted under Article 9 (2) (d) of the General Data Protection Regulation),
  • comply with your notification obligations vis-à-vis the data subjects and provide them with all the information required pursuant to Articles 12 – 14 of the General Data Protection Regulation.

To the extent that the Company acts as a controller regarding any Personal Data processed by it, the above obligations equally apply to the Company and all its employees and contractors.

4. Obligations of the Company as Data Processor

We use any Personal Data processed through the Service only for the purpose of providing and improving the Service, and will not use or share it with anyone except as described in this Data Protection and Privacy Policy.

The Company as Personal Data processor ensures full compliance with the requirements laid down by the General Data Protection Regulation, in particular:

  • it carries out any processing of Personal Data belonging to its Customer only on instructions from the Customer and promptly informs the Customer if, in its opinion, an instruction infringes the General Data Protection Regulation,
  • it employs only staff who have committed themselves to confidentiality,
  • it maintains all the required evidence of Personal Data processing,
  • it respects the conditions for engaging another processor,
  • insofar as this is possible given the nature of the Service, it creates in agreement with its Customers the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights,
  • it assists its Customers in ensuring compliance with their obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation;
  • it hands over to the Customer or destroys all results of the processing after the end of the processing and does not process the Personal Data otherwise;
  • it makes available to its Customers and to the supervisory authority all information necessary to control compliance.

5. Personal Data Collection and Use

While using our Service or otherwise entering into a legal relationship with the Company, you may provide us with certain personal data that can be used to identify or contact you or other persons.

Such Personal Data collected by us may include a person’s: (i) name, (ii) email address, (iii) phone number, (iv) postal address, (v) gender, (vi) date of birth, (vii) nationality, (viii) citizenship, (ix) photos, (x) education, (xi) other contact details, (xii) information regarding his/her profession and professional activities, (xiii) other Personal Data you may decide to upload onto the Service.

Any Personal Data will be processed by the Company only as long as necessary for the purpose of such processing (that is, for the use of the Service, maintaining a relationship with our Customers and managing information about our employees and contractors, as the case may be).

6. Retention and Deletion of Personal Data

Upon termination of a Customer’s use of the Service, the Company will, without undue delay and unless otherwise agreed with the Customer, remove or delete the Personal Data uploaded to the Service by the Customer, in accordance with the Terms of Service.

However, the Company may not delete any data provided by the Customer to other Customers or end users of the Company or to third parties. If you wish to delete such data, you have to contact these other Customers or end users directly.

The Company will also delete any Personal Data regarding its employees, contractors or business partners once the mutual relationship is terminated.

Eventival will in general remove any Personal Data that it no longer needs for the above specified purposes.

7. Individuals' Rights

To the extent that the Company acts as controller of Personal Data, it ensures that each data subject has the right to obtain from the Company confirmation as to whether or not Personal Data concerning him or her is being processed, and, where that is the case, access to such data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data is not collected from the data subject, any available information as to its source;
  8. the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Upon the data subject’s request, the Company will provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.

8. Information and Marketing

As our Customer or end user of the Service, you agree that the Company may use your e-mail address to send you Service-related notices (including any notices required by law, in lieu of communication by postal mail).

We may also use your e-mail address to send you announcements and information about other products or services (including third party services or products) that we think may interest you (“Marketing Messages”).

You may opt-out of receiving Marketing Messages at any time by following the instructions provided in the Marketing Message or by simply e-mailing us at data@eventival.com. Through your account interface, you may also opt-out of receiving categories of Service-related notices that are not deemed by the Company to be integral to your use of the Service.

Even if you are not a registered user of our Service and you send us an e-mail, we may retain a record of such communication, including your e-mail address, the content of your e-mail, and our response.

9. Your Content

Your use of the Service as a Customer or end user will involve you uploading or inputting various content into the Service (the “Content”). You are responsible for your Content (including the Content uploaded on your behalf and/or by your authorised users, with or without your knowledge or consent), and you control how your Content is shared with others by means of your configuration of the Service.

The Company may view your Content only as necessary (i) to maintain, provide and improve the Service; (ii) to resolve a support request from you; (iii) if it has a good faith belief, or has received a complaint alleging, that such Content is in violation of this Policy; (iv) as reasonably necessary to allow the Company to comply with or avoid the violation of applicable law or regulation; or (v) to comply with a request that meets the requirements of this Policy.

You agree that we may also analyse the Content in aggregate and on an anonymized basis, in order to better understand the manner in which our Service is being used.

10. Log Data

We may also collect information that your browser sends whenever you visit our Service ("Log Data"). This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

In addition, we may use third party services such as Google Analytics that collect, monitor and analyse this type of information in order to increase the quality and performance of our Service. These third party service providers have their own privacy policies addressing how they use such information.

11. Cookies

The Company may use "cookies" to collect information necessary to provide the Service. Cookies are files with a small amount of data that may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer's hard drive.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our Service.

12. Service Providers

The Company may employ third party companies and individuals to facilitate our Service, to provide the Service on its behalf, to perform Service-related services (such as server providers, mobile phone applications and box office software providers) or to assist it in analysing how its Service is used.

These third parties may have access to any Personal Data controlled or processed by the Company only to perform these tasks on our behalf, and are obligated not to disclose or use it for any other purpose.

You agree that we may enlist another processor, provided that the same data protection obligations applicable to the Company shall be imposed on that other processor, and we shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes and stop using the Service.

13. Disclosure of Personal Data to ensure Compliance with Laws

The Company may disclose the Personal Data it processes where required to do so by law or if the Company believes that such action is necessary to comply with the law and the reasonable requests of the respective authorities or to protect the security or integrity of its Service.

14. Security

The security of all Personal Data is important to us and we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with any misuse of such data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.

Despite our effort to ensure maximum security, please note that no method of transmission over the Internet, or method of electronic storage of data is 100% secure. Therefore, while we strive to use commercially acceptable means to protect all Personal Data processed by us, we cannot guarantee its absolute security.

We use industry-standard physical, managerial, and technical safeguards to preserve the integrity and security of Personal Data, by, for example, (i) continuously and regularly backing up the data to help prevent data loss and aid in data recovery, (ii) guarding against common web attack vectors, (iii) hosting data in secure data centres, and (iv) regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

We ensure that any natural person acting under the authority of the Company who has access to Personal Data does not process them (except upon instructions from the respective Customer or data subject), unless he or she is required to do so by law.

To the extent that the Company acts as a processor for its Customers, it shall notify the respective Customer without undue delay after becoming aware of a Personal Data breach, specifying:

  1. the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. the name and contact details of the data protection manager or other contact point where more information can be obtained;
  3. the likely consequences of the breach;
  4. the measures taken or proposed to be taken by the Customer to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.

To the extent that the Company acts as Personal Data controller, it shall document any Personal Data breaches, comprising the facts relating to the breach, its effects and the remedial action taken.

15. International Data Transfer

All Personal Data processed by the Company is maintained on servers located in the European Union, and will not be transferred elsewhere.

16. Links to Other Web Sites

The Service may contain links to other sites that are not operated by the Company. If you click on a third-party link, you will be directed to that third party's site where the Company's Data Protection and Privacy Policy does not apply.

When accessing any third-party services and applications, including those accessible by means of the Eventival Account, your rights and obligations regarding such services and applications will be governed by their terms and conditions, as may be applicable.

We strongly advise you to review the terms and the privacy policy of every site you visit. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services. 

17. Children's Privacy

Our Service is not intended for use by anyone under the age of 16 ("Children").

To the extent that the Personal Data you control and process using the Service relates to Children, you must ensure that any consent to the processing of a Child's Personal Data is expressed or approved by the Child's parents or responsible legal representatives.

If you are a parent or guardian and you are aware that Personal Data of your Children is being processed using the Service and do not agree with such processing, please contact us at data@eventival.com. If we become aware that we are processing any Personal Data from a Child without parental consent, we will take steps to remove that information.

18. Changes to Our Data Protection and Privacy Policy

Whenever we update this Data Protection and Privacy Policy, we will post the changes on this page and will send you an e-mail notice. Please make sure that you review any updates of this Policy. Changes to our Privacy Policy are effective when they are posted on this page.

19. Records of Personal Data Processing

To the extent that the Company acts as Personal Data processor for its Customers, where required by applicable law, it maintains an electronic record of all categories of processing activities carried out on behalf of a Customer, containing:

  1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection manager;
  2. the categories of processing carried out on behalf of each controller;
  3. where applicable, transfers of personal data to a third country or an international organisation, the documentation of suitable safeguards;
  4. where possible, a general description of the technical and organisational security measures.

To the extent that the Company acts as the controller of Personal Data, it maintains an electronic record of processing activities under its responsibility, containing all of the following information:

  1. the name and contact details of the controller, the controller's representative and the data protection manager;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures.

20. Cooperation with the Data Protection Authority

The Company and its representatives cooperate with the supervisory authority of the Czech Republic, which may be contacted at www.uoou.cz.

The Company will in particular make the above-described records available to the supervisory authority upon its request, including records of any breaches of Personal Data security.

You have the right to lodge a complaint regarding the personal data processing with the supervisory authority, being the Czech Data Protection Office at www.uoou.cz.

21. Contact Us

The Company has appointed a data protection manager who may be contacted at data@eventival.com. If you have any questions about the Company's Data Protection and Privacy Policy, please contact the data protection manager or email us at info@eventival.com.