I. PERSONAL DATA PROTECTION

1.1 By providing personal data, the user confirms that they understand the personal data protection terms, agree with their wording, and accept them in their entirety.

1.2 The Provider is the controller of users' personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”). The Provider undertakes to process personal data in accordance with legal regulations, in particular the GDPR.

1.3 Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

1.4 When placing an order, personal data necessary for the successful processing of the order (name, address, contact details) are required. The purpose of processing personal data is to process the user’s order and to exercise the rights and obligations arising from the contractual relationship between the Provider and the User. The purpose of processing personal data also includes sending commercial communications and conducting other marketing activities. The legal basis for processing personal data is the performance of a contract pursuant to Article 6(1)(b) GDPR, compliance with a legal obligation of the controller pursuant to Article 6(1)(c) GDPR, and the legitimate interest of the Provider pursuant to Article 6(1)(f) GDPR. The legitimate interest of the Provider is the processing of personal data for direct marketing purposes.

1.5 To fulfill the license agreement, the Provider uses the services of subprocessors, in particular mailing service providers (personal data is stored in third countries) and web hosting providers. Subprocessors are vetted for secure personal data processing. The Provider and the web hosting subprocessor have entered into a data processing agreement, under which the subprocessor is responsible for properly securing the physical, hardware, and software perimeter, and thus bears direct responsibility towards the user for any breach or leakage of personal data.

1.6 The Provider stores the user’s personal data for the period necessary to exercise the rights and obligations arising from the contractual relationship between the Provider and the User and for asserting claims from these contractual relationships (for a period of 15 years from the termination of the contractual relationship). After this period, the data will be deleted.

1.7 The User has the right to request from the Provider access to their personal data pursuant to Article 15 GDPR, correction of personal data pursuant to Article 16 GDPR, or restriction of processing pursuant to Article 18 GDPR. The User has the right to erasure of personal data pursuant to Article 17(1)(a), and (c) to (f) GDPR. Furthermore, the User has the right to object to processing pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR.

1.8 The User has the right to lodge a complaint with the Office for Personal Data Protection if they believe that their right to personal data protection has been violated.

1.9 The User is not obliged to provide personal data. However, the provision of personal data is a necessary requirement for entering into and fulfilling a contract, and without providing personal data, it is not possible to conclude or fulfill the contract on the part of the Provider.

1.10 The Provider does not engage in automated individual decision-making within the meaning of Article 22 GDPR.

1.11 By filling out the contact form, the user consents to the use of their personal data for the purposes of electronically sending commercial communications, advertising materials, direct sales, market research, and direct product offers from the Provider and third parties, but no more frequently than once a week, and declares that the sending of information pursuant to point

1.11.1 is not considered unsolicited advertising within the meaning of Act No. 40/1995 Coll., as amended, as the user expressly consents to the sending of information pursuant to point 1.11.1 in conjunction with Section 7 of Act No. 480/2004 Coll. The consent under this paragraph may be revoked by the user in writing at any time at info@denvil.cz.

1.12 The Provider uses cookies on its website to improve service quality, personalize offers, collect anonymous data, and for analytical purposes. By using the website, the User consents to the use of this technology.

II. RIGHTS AND OBLIGATIONS BETWEEN THE CONTROLLER AND THE PROCESSOR (DATA PROCESSING AGREEMENT)

2.1 The Provider is a processor of personal data of the User’s clients pursuant to Article 28 GDPR. The User is the controller of this data.

2.2 These terms govern the mutual rights and obligations in the processing of personal data to which the Provider has gained access in the context of fulfilling a license agreement concluded by agreeing to the general terms and conditions at info@denvil.cz (hereinafter referred to as the “license agreement”) concluded with the User on the date of establishing the user account.

2.3 The Provider undertakes to process personal data for the User to the extent and for the purposes set out in Articles 2.4 to 2.7 of these terms. The means of processing will be automated. The Provider will collect, store on information carriers, retain, block, and dispose of personal data as part of the processing. The Provider is not authorized to process personal data in violation of or beyond the scope specified by these terms.

2.4 The Provider undertakes to process personal data for the User to the following extent: ordinary personal data, special categories of data pursuant to Article 9 GDPR, which the User has obtained in connection with their own business activities.

2.5 The Provider undertakes to process personal data for the User for the purpose of processing client inquiries and requests obtained from the contact form.

2.6 Personal data may only be processed at the Provider’s or its subprocessors’ premises pursuant to Article 2.8 of these terms, within the territory of the European Union.

2.7 The Provider undertakes to process the personal data of the User’s clients for the period necessary to exercise the rights and obligations arising from the contractual relationship between the Provider and the User and for asserting claims from these contractual relationships (for a period of 15 years from the termination of the contractual relationship).

2.8 The User grants permission to engage a subprocessor as an additional processor pursuant to Article 28(2) GDPR, which is the provider of the application hosting. The User further grants the Provider general authorization to engage another processor of personal data, but the Provider must inform the User in writing of any intended changes concerning the addition or replacement of other processors and provide the User with the opportunity to object to such changes. The Provider must impose on its subprocessors acting as personal data processors the same data protection obligations as those set out in these terms.

2.9 The Provider undertakes to ensure the security of personal data processing, in particular in the following manner: Personal data is processed in accordance with legal regulations and based on the User’s instructions, i.e., for the performance of all activities necessary for providing the web platform. The Provider undertakes to technically and organizationally ensure the protection of processed personal data to prevent unauthorized or accidental access to the data, their alteration, destruction, or loss, unauthorized transfers, other unauthorized processing, or other misuse, and to ensure continuously, for the entire period of data processing, all obligations of the personal data processor arising from legal regulations. The adopted technical and organizational measures correspond to the level of risk. The Provider ensures ongoing confidentiality, integrity, availability, and resilience of processing systems and services and restores the availability of personal data and access to them in a timely manner in the event of physical or technical incidents. The Provider declares that personal data protection is subject to the Provider’s internal security regulations. Only authorized persons of the Provider and subprocessors pursuant to Article 2.8 of these terms will have access to personal data, and they will have the conditions and scope of data processing specified by the Provider, with each such person accessing personal data under a unique identifier. Authorized persons of the Provider processing personal data under these terms are obliged to maintain confidentiality regarding personal data and security measures whose disclosure would jeopardize their security. The Provider will ensure their demonstrable commitment to this obligation. The Provider will ensure that this obligation continues for the Provider and authorized persons even after the termination of their employment or other relationship with the Provider. The Provider will assist the User through appropriate technical and organizational measures, where possible, to fulfill the User’s obligation to respond to requests for exercising the data subject’s rights under GDPR; similarly, in ensuring compliance with obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Provider. Upon termination of the provision of services related to processing pursuant to Article 2.7 of these terms, the Provider is obliged to delete all personal data or return them to the User unless required to store personal data under a specific law. The Provider will provide the User with all information necessary to demonstrate compliance with the obligations under this agreement and GDPR, and will allow audits, including inspections, conducted by the User or another auditor authorized by the User.

2.10 The User undertakes to promptly report all facts known to them that could adversely affect the proper and timely fulfillment of obligations arising from these terms and to provide the Provider with the necessary cooperation to fulfill these terms.

III. FINAL PROVISIONS

3.1 These terms cease to be valid upon the expiration of the period specified in Articles 1.6 and 2.7 of these terms.

3.2 The User agrees to these terms by checking the consent box via the online form. By checking the consent box, the User confirms that they have read these terms, agree with them, and accept them in their entirety.

3.3 The Provider is entitled to amend these terms. The Provider is obliged to publish the new version of the terms on its website without undue delay or send the new version to the User’s email address.

3.4 The Provider’s contact details for matters related to these terms: +420 732 666 352, info@denvil.cz

3.5 Relationships not expressly governed by these terms are subject to GDPR and the legal order of the Czech Republic, in particular Act No. 89/2012 Coll., the Civil Code, as amended.

These terms take effect on 9.5.2023