Processing of personal data

Information on the processing of personal data
IN THE GOLFERIS MARKET APP

Your personal data is processed by the company as controller: 
name: MALEVIL, s.r.o.
ICKO: 25029479, DIC: CZ25029479

with registered office: Heřmanice v Podještědí, 471 25 Jablonné v Podještědí
Case No. C 13219, filed with the Regional Court in Ústí nad Labem (hereinafter referred to as the "Administrator"),
which hereby informs you about the processing of your personal data. 
This document contains detailed information on the processing of your personal data by the Administrator within the meaning of Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR"), in particular:

• what personal data the Controller processes;
• for what purpose and for how long the Controller processes your personal data;
• what rights you have and how you can exercise them.

Overview of basic terms

For the sake of clarity, we provide below a short overview of the basic concepts that apply to the processing of personal data, in accordance with their definition under the GDPR:

Personal data - any information about a natural person (the data subject, in this case the members of the Controller) from which the data subject is identified or identifiable, whether directly (from the data itself) or indirectly (in conjunction with other data held by the Controller), for example, a name, an identification number, location data, a network identifier or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing of personal data - any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

Controller - A controller is a person (natural or legal), public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. 

Processor - a processor is a person (natural or legal), public authority, agency or other body which carries out the processing of personal data for the controller. 

Recipient – ​​the recipient is the person (natural or legal), public authority, agency or other body to whom the personal data are disclosed.

Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to the data subject, in particular to analyze or estimate aspects concerning his/her performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Principles, policies and procedures for processing personal data

When processing your personal data, the Administrator adheres to the following principles and procedures:

• It processes your personal data fairly, lawfully and transparently;
• It processes your personal data only for the purposes described in this document and only to the extent necessary to fulfill such purposes;
• It always considers your personal data to be true, accurate and up-to-date, and in the event of any change to your personal data, it hereby requests you to update them;
• It processes your personal data only for the period necessary to fulfill the purposes of the processing, as specified below in this document;
• It protects your personal data in such a way as to prevent their unauthorized use or disclosure to persons who are not authorized to process them, or to prevent any other breach of the security of your personal data;
• When processing your personal data, no decision is made based solely on automated processing, including profiling, which would have legal effects on you or similar effects that would significantly affect you in a similar way;
• The Administrator has properly selected its processors, as further specified in these terms and conditions, to prevent the misuse of your personal data.

Categories of personal data processed
        1.1. To register for the Application, you must provide your personal data to the Administrator, including your name, surname, e-mail address and residential address. You provide this data to the Administrator by completing the membership application form, which is available online on the Administrator's website / at the Administrator's premises upon request from an authorized person of the Administrator (manager, secretary, etc.). Based on this personal data, the authorized person of the Administrator registers you for the Application.
     1.2. After your registration with the Administrator, your additional personal data is required to be filled in by an authorized person of the Administrator to fulfill the purposes of processing. This is the following personal data:
            1.2.1. Title;
            1.2.2.Social security number;
            1.2.3. Handicap – a unique number indicating the quality of golfers;
            1.2.4. Telephone number;
            1.2.5. E-mail address;
            1.2.6. Membership number;
            1.2.7. Membership period;
            1.2.8. Information about payments you have made;
            1.2.9. Data about SMS messages and emails sent to you from the Application;

     1.3. We obtain your personal data directly from you when you provide this data to the Administrator for the purpose of registering for the Application, by completing the membership application form available online on the Administrator's website / at the Administrator's premises.
      1.4. Furthermore, the Administrator also obtains data from other sources, namely from the Czech Golf Federation, which publishes data about the course of your tournaments on its website.

Purpose, legal basis and processing time

Purpose of processing
        2.1. The Administrator processes your personal data for the following purposes:
            2.1.1. provision of performance based on a membership contract with the Administrator, the content of which is defined by the membership terms and conditions;
            2.1.2. sending commercial communications;
            2.1.3. settlement of any claims between you and the Administrator;
            2.1.4. fulfillment of legal obligations arising from legal regulations for the Administrator;
            2.1.5. handling any of your requests, suggestions or complaints.
The Administrator may not process your personal data for purposes other than those stated above.
Legal basis for processing
        2.2. The Administrator processes your personal data so that you can be registered as a member of the Administrator in the Application and the Administrator can manage the agenda of its members. Your data is processed based on your acceptance of the membership terms, which therefore constitute the legal basis for processing.
        2.3. The processing of your personal data for the purpose of sending commercial communications is based on the Administrator's legitimate interest in promoting its activities and informing members about planned events.
        2.4. The administrator further processes your personal data to settle any claims between you and him based on his legitimate interest in protecting his rights.
        2.5. Processing for the purpose of fulfilling the obligations that arise for the Administrator from legal regulations is necessary for fulfilling the legal obligations that apply to the Administrator.
        2.6. The administrator processes your personal data in order to be able to handle your requests, suggestions or other complaints, based on its legitimate interest in handling your request in accordance with legal regulations.

Processing time

       2.7. The Administrator processes your personal data for the period necessary to fulfill the purposes of their processing, which we have described above. If the Administrator loses the purpose and legal basis, then he is no longer authorized to further process your personal data.
        2.8. In the event of providing performance based on the terms of membership, your registration in the Application and enabling the Administrator to manage the agenda of its members, the Administrator processes your personal data for the duration of your membership.
        2.9. Your personal data for the purpose of sending commercial communications is processed for the duration of your membership. If you have given your consent to the processing of your personal data for the purpose of sending commercial communications for the period after the termination of your membership when filling out the membership application form available online on the Administrator's website / at the Administrator's premises, your data will be processed for this purpose even after the termination of your membership until you withdraw your consent. By withdrawing your consent, the Administrator can no longer process such data.
        2.10. Subsequently, the Administrator processes your personal data for a period of 10 years from the termination of your membership. This period serves to fulfill the Administrator's legal obligations and to settle any claims between you and the Administrator and is also related to the operation and technical maintenance of the Administrator's systems and the Application. The above does not apply to data on handicaps, sports results of the member from the ČGF system, these data are processed after the termination of your membership only if you have given consent to such processing when filling out the membership application available online on the Administrator's website / at the Administrator's premises and will be processed only until you withdraw your consent.
        2.11. You, as a member of the Administrator, grant your consent to the processing of personal data pursuant to paragraph 2.10 of this document, provided that you have reached the age of 15. If you are under 15 years of age, your legal guardian (parent) and you grant your consent to the processing, provided that you are mentally and freely mature enough to understand the content of this document and grant your consent, otherwise only your legal guardian. In the event that consent is granted by a member under 15 years of age who is unable to understand the content of this document, the Administrator will delete such data and will require that in such a case the legal guardian grant consent to the processing. If you believe that a member under 15 years of age has provided consent to the Administrator without sufficiently understanding the content of the document, please contact the Administrator at golf@malevil.cz so that he can rectify this situation.
        2.12. For the purposes of processing your requests, suggestions or complaints, the Administrator processes your personal data for the period necessary to process them, including the period necessary to prove that they were processed in accordance with legal regulations.
 
Recipients of your personal data
     3.1. Your personal data are processed by the Controller or by a processor or processors authorized by the Controller to process personal data. For this purpose, the Controller provides your personal data or part of it to the processors as one of the categories of recipients of personal data. The processors are:
            3.1.1. our company GolferIS.cz s.r.o.
            3.1.2. Malevil s.r.o.
        3.2. All obligations of the Controller in relation to the processing of your personal data always apply to processors authorized by the Controller.
        3.3. The administrator does not transfer your personal data outside the European Union.

Securing your personal data
        4.1. The Administrator applies appropriate technical and organizational measures to ensure the protection of your processed personal data in such a way that there can be no unauthorized or accidental access to your personal data, their alteration, destruction or loss, unauthorized transfers, their other unauthorized processing, as well as other misuse of personal data. For this purpose, the Administrator has chosen in particular appropriate technical measures and predetermined procedures, compliance with which it controls.
Your rights arising from the processing of personal data and their exercise

Overview of rights
        5.1. In connection with the processing of your personal data, you have rights arising from Articles 15 to 22 and 77 of the GDPR, which you can exercise against the Controller. These rights are:

            5.1.1. the right to access your personal data;

            5.1.2. the right to correct your personal data;

            5.1.3. the right to erasure of your personal data;

            5.1.4. the right to restrict the processing of your personal data;

            5.1.5. the right to portability of your personal data;

            5.1.6. the right to object;

         5.1.7. the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you;

            5.1.8. the right to file a complaint with a supervisory authority.

Right to access personal data
        6.1. You have the right to receive information from the Controller about whether your personal data is being processed. If your personal data is being processed, you also have the right to receive information from the Controller about:

            6.1.1. the purposes for which your personal data is processed;

            6.1.2. what categories of personal data are involved;

           6.1.3. the recipients of your personal data, i.e. whether your personal data is transferred to anyone, in particular recipients from countries outside the European Union or in international organizations; in the event of transfer to a third country or international organization, you have the right to be informed of appropriate safeguards pursuant to Article 46 of the GDPR;

            6.1.4. the planned period for which personal data will be stored, or the criteria for determining this period;

            6.1.5. the right to rectification, erasure or restriction of processing of your data, or the right to object to such processing;

            6.1.6. the right to file a complaint with the supervisory authority, which is usually the Office for Personal Data Protection;

            6.1.7. any available information about the source from which he obtained your personal data, if he did not obtain it directly from you;

        6.1.8. the fact whether automated decision-making is taking place, including profiling, and information regarding the process used, as well as the significance and anticipated consequences of such processing for you.

        6.2. You have the right to receive a copy of your processed personal data. The copy is provided free of charge. Please note that for further copies that you repeatedly request, the Controller is already entitled to charge a reasonable fee. Its amount will correspond to the administrative costs incurred by the Controller.

Right to rectification of personal data
        7.1. All personal data is processed in good faith and makes every effort to ensure that the data is accurate and up-to-date. However, it may happen that your processed personal data is inaccurate due to an error. In such a case, you have the right to request the Administrator to correct or supplement your inaccurate personal data.

Right to erasure of personal data
        8.1. You have the right to request that the Administrator erase your personal data that it processes. The Administrator is obliged to comply with your request if:

            8.1.1. Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

         8.1.2. withdraw your consent if your personal data has been processed on the basis of that consent, but only if there is no other legal basis for the processing;

          8.1.3. you object to processing based on legitimate interest or public interest, but only if there are no overriding legitimate grounds for processing or if you only object to processing for direct marketing purposes;

          8.1.4. The Controller processes your personal data unlawfully;

         8.1.5. Your personal data must be deleted by the Controller in order to comply with a legal obligation under Czech or European Union law;

         8.1.6.you are 15 years of age or older and your personal data has been collected in connection with the offer of information society services on the basis of your consent, or on the basis of the consent of your legal representative if you are younger than 15 years of age.

        8.2. Please note that there are exceptions to the above obligations. The controller is not obliged to erase your personal data even if it would otherwise be obliged to do so where the processing is necessary:
            8.2.1. for the performance of a legal obligation requiring processing under Czech or European Union law to which it is subject as a controller or for the performance of a task carried out in the public interest or in the exercise of official authority vested in it as a controller;
            8.2.2. for the establishment, exercise or defence of legal claims;
            8.2.3. and for other reasons contained in Article 17(3) of the GDPR.
        8.3. Please note that in other cases the Controller is not obliged to delete your personal data processed by it. 

Right to restriction of processing of personal data
        9.1. You have the right to request that the Controller restrict the processing of your personal data. We are obliged to comply with your request if:

            9.1.1. you deny the accuracy of the personal data processed, for the time necessary to verify its accuracy;

            9.1.2. the processing of your personal data is unlawful and instead of erasing your personal data you only request a restriction on its use;

            9.1.3. no longer needs your personal data for processing purposes, but you require it for the establishment, exercise or defence of legal claims;

            9.1.4. you have objected to processing based on legitimate interest, it will restrict the processing of your personal data until it has verified that its legitimate grounds outweigh your objection.

        9.2. During the period for which the processing of your personal data is restricted, the processing of your personal data will only be carried out on the basis of your consent to such processing. Please note that, even without consent, it is entitled to store your personal data and to process them for the establishment, exercise or defence of legal claims for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or its Member States.

Right to portability of personal data
        10.1. You have the right to request that the Controller transfer your personal data to you if all of the following conditions are met simultaneously:
            10.1.1. you have provided such personal data to it on the basis of your consent to the processing of personal data or in connection with the performance of a contract to which you are a party; and
            10.1.2. automated processing of personal data.
        10.2. The structured file containing your personal data will be transmitted to you in a format that is both commonly used and machine-readable.
       10.3. If all of the above conditions are met at the same time, you have the right to transfer the file with your personal data provided in this way to another controller or to request the Controller to transfer the file with the personal data directly to another controller. Your request to transmit the personal data file directly to him/her will be granted if it is technically feasible for him/her to do so.

Right to object
       11.1. You have the right to object to the processing of your personal data if the Controller processes such data on the basis of legitimate interest or public interest, including profiling. 
        11.2. The Controller or a third party may have a legitimate interest in the processing. If the Controller receives the objection, it will no longer process your personal data. However, this does not apply where the Controller has compelling legitimate grounds for such processing of your personal data which override your interests, rights and/or freedoms, or where it is necessary to process that personal data for the establishment, exercise or defence of legal claims. If the Controller finds compelling legitimate grounds, it will inform you without delay.
      11.3. You have the right to object to the processing of your personal data if the Controller processes these data for direct marketing purposes, including profiling. If the Controller receives your objection, it will not process your personal data further.

Right to lodge a complaint with the supervisory authority
        12.1. You have the right to lodge a complaint directly with a supervisory authority in a Member State of the European Union. For the Czech Republic, please contact the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7. For more information about its activities and how to lodge a complaint, please visit its website at www.uoou.cz or the Office's headquarters.
Information on exercising your rights
        ◦ You can exercise your rights at the Administrator's e-mail address golf@malevil.cz or you can also send it to the Administrator's address: Malevil s.r.o., Heřmanice v Podještědí 280, 471 25 Jablonné v Podještědí.
        ◦ Once the Controller receives your request, which does not show who the applicant is, he will have to verify your identity, i.e. that the request was made by an authorised person. If he/she is not sure of your identity, he/she may provide your personal data to a third party. If you refuse to cooperate with the Controller in verifying your identity, the Controller will not be able to comply with the request.
        ◦ The Administrator will respond to your request without undue delay, but no later than one month after receiving your request. If, for certain reasons, it is not possible to process your request within this period, the Controller will send you a notice to that effect, extending the period by a maximum of two more months (i.e. a maximum of three months in total).
        ◦The Administrator will send a response to your request to the email from which the request was received. If you insist that the Controller inform you of the processing of your request in another way, for example by post, please provide this information directly in the submitted request.
     ◦ Your request is handled by the Administrator free of charge. However, the Controller is entitled to require you to pay the costs associated with providing the requested information or communication or with taking the requested action if the request made would be unfounded or unreasonable (in particular if it is repetitive). In such a case, the Controller may also refuse to comply with the request outright.