Privacy Policy
This Privacy Policy explains the ways in which we collect, use and protect your personal data.
It also explains what rights you (hereinafter “you”, “data subject” or “data subjects”) have in respect of your personal data and contains other relevant information.
We made sure that our Privacy Policy complies with the requirements of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).
Contact information
Our contact information for the purposes of this Privacy Policy (hereinafter “Policy”) and any questions, comments or complaints you may have about your personal data is set out below:
Elcomsoft s.r.o.
VAT ID: CZ27110842
Address:
Československé armády 371/11,
Praha 6-Bubeneč,
Czech Republic, PSČ 160 00
Email: info@elcomsoft.com
You can contact our Data Protection Officer by using the contact details above or via the following request form:
https://support.elcomsoft.com/index.php?/Tickets/Submit
Please choose “Personal Data and GDPR requests – contact Data Protection Officer”.
General information
Any amendments to this Policy will be posted to our website and will be effective when posted.
If we make any material changes to this Policy, we will notify the data subjects by email (to the e-mail address provided to us by you) and/or by means of a notice on our website.
Any data subject can choose to discontinue use of our products and services if the data subject does not accept the terms of this Policy, or any modified version of this Policy.
We do not knowingly collect any personal information from children under the age of 18. Our products and services are not offered to individuals under the age of 18 and are not designed for such individuals.
Refusal to provide some data may result in unavailability of some of our products and services or poor user experience.
We may obtain personal data directly from our customers during the purchase of our products or from partners selling or otherwise distributing our products.
Categories of Personal Data and Purposes of Processing
1. Identity and contact details (including name, email and postal address, telephone number) of data subjects for the following purposes:
- to enter into a contract with a data subject;
- to perform a contract with a data subject;
- to maintain employment relations with our employees for the purpose of performance of our employment contracts;
- to maintain communication with data subjects as our legitimate interest;
- to comply with our legal obligations;
- to provide technical support as a part of our contract performance to which the data subject is party;
- to consider job applications of job applicants as our legitimate interest;
- to conduct marketing communication as our legitimate interest.
Any marketing communication is subject to the right to object. The right to object may also apply to other kinds of processing activities.
2. Technical specifications of data subject’s device for the following purposes:
- to enter into a contract with a data subject;
- to perform a contract with data subjects;
- to comply with our legal obligations;
- to provide technical support as a part of our contract performance to which the data subject is party;
- to conduct marketing communication as our legitimate interest;
- to support availability of our products and services for the purpose of contract performance to which the data subject is party;
- to improve customer experience as our legitimate interest.
3. Device identification and location data for the following purposes:
- to perform a contract with data subjects;
- to comply with our legal obligations;
- to provide technical support as a part of our contract performance to which the data subject is party;
- to support availability of our products and services as our legitimate interest.
4. Information on credit cards and other payment details for the following purposes:
- to perform a contract with data subjects;
- to provide technical support and fraud detection as a part of our contract performance to which the data subject is party.
5. Cookie data for the following purposes:
- to conduct marketing communication as our legitimate interest;
- to deliver targeted ads by our advertisers on the basis of data subject’s consent;
- to support availability of our products and services as our legitimate interest;
- to improve customer experience as our legitimate interest.
6. Data on customers’ communication and interaction with our products and services for the following purposes:
- to perform a contract with data subjects;
- to comply with our legal obligations.
Legitimate interests
When we process your personal data for our legitimate interests, we take into account any potential impact that such data processing may have on you and that our legitimate interests are not overridden by your interests or fundamental rights and freedoms. We carefully assess the legitimate interests and take into account various factors, in particular, whether you can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
Profiling
We maintain profiles of our customers as it is required to provide our customers with history of use of our products and services.
The profile includes current balance and billing history. No automated decision making is done on the basis of profiling, except in cases where our products and services may be provided in a different manner on the basis of the customer’s balance.
Recipients of Personal Data
We may share personal information with the following recipients:
- our employees;
- hosting providers;
- technical support providers;
- partners which act as our contractors for the sale or other distribution of our products and provision of our services and other services providers, in particular marketing providers;
- governmental bodies and official authorities.
International transfers of personal data
We may transfer your personal data outside of the European Economic Area (EEA) where:
- you instruct us to transfer your personal data to third parties located outside the EEA;
- such transfer is necessary to provide the products or services you have requested from us; or
- it is otherwise required or permitted by law.
We ensure that appropriate safeguards are in place for the transfer of your personal data out of the EEA in accordance with the following transfer solutions:
Data processors
Providing personal data to our data processors is subject to signing a data processing agreement that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
Period of Storage
The data will be stored during the period when our products and services are provided to the customer and as long as we have a legal obligation to store the data in order to supply it to state bodies.
Sensitive Information
We do not process the following information in any manner:
- racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric and health data or data concerning a person’s sex life or sexual orientation.
Rights of the Data Subjects
Each data subject has the following rights, which may be exercised by contacting us using the contact details provided above.
All the rights below have specific exceptions in certain cases. The requests will be processed within 30 days.
1) The right to access allows any data subject to request the following information from us:
- confirmation that her/his data are processed by us;
- which data are processed;
- which are the recipients or categories of recipients of personal data;
- data storage period;
- existence and nature of the rights to rectification/erasure/restriction/objection;
- existence of the right to lodge a complaint to supervisory authorities;
- sources of data;
- existence of profiling and automated decision-making including their logic and consequences;
- existence of safeguards of international data transfers.
2) The right to rectification is the right to correct incorrect data and the right to complete the incomplete data.
3) The right to erasure (“to be forgotten”) means that the data subject may request erasure of his or her data in the following cases:
- the data are no longer needed for the purposes of processing;
- consent for processing is withdrawn and no other grounds of processing apply where such processing is based on consent;
- data subject objects to processing;
- processing is unlawful;
- the personal data have to be erased for compliance with a legal obligation in the European Union or the national law of the Czech Republic;
- the data are related to a child and were processed in the context of offering a service directly to a child (art. 8 (1) of the GDPR).
Please note that the following consequences of data erasure or failure to provide personal data may apply:
- You will not be able to enter into an agreement with us and use our products and services.
- You as a customer will be unable to have any technical support.
- You as a customer will be unable to restore a lost registration key using our system.
- You as a customer will be unable to download the latest program version which is covered by the license.
- You as a customer will be unable to upgrade the program edition or get a discount on another product as an Elcomsoft customer.
- You as a customer will not get a discount to extend the license.
- You as a customer will not be informed about license expiration.
4) The right to restriction means that processing shall be restricted if:
- the data subject claims that the data are inaccurate and the controller needs to verify if the data are actually inaccurate;
- processing is unlawful but the data subject wants processing to be restricted rather than the data to be erased;
- processing is no longer required for its purposes but the data subject requires it for specific purposes;
- processing is under an objection but the controller needs to verify if the objection is not overridden by legitimate interest of the controller.
5) The right to notification means that the data controller shall communicate the request of the data subject in exercise of his or her rights to each recipient unless it proves that it will take disproportionate effort.
6) The right to data portability means that the data subject may request the data controller to provide collected data in structured and readable form.
7) The right to object to our using your personal data on the basis of our legitimate interests when your personal circumstances override our legitimate interests as the basis for processing.
8) The data subject has the right not to be subject to profiling which significantly affects his or her interests.
9) The right to lodge a complaint to the competent authority. Each data subject has the right to lodge a complaint to the data protection authority in the Czech Republic or in your country of work or residence in case of personal data breach, misuse or any violation of applicable law related to personal data processing. The data protection authority in the Czech Republic is the Office for Personal Data Protection / Úřad pro ochranu osobních údajů, website: https://www.uoou.cz/en/
Protection of Personal Data
We take the following measures to protect your personal data and to prevent data breaches, misuse and the violation of rights of data subjects:
- Providing this Policy for review to any person or entity which is about to process the personal data;
- Keeping our officers and contractors responsible for proper data processing conducted by such officers and contractors;
- Providing advice to any officer, data subject or partner on the subject of compliance with this Policy and the legislation;
- Making sure no access to personal data is provided to unauthorized parties;
- Using only reliable and tested software for processing of personal data;
- Assuming technical and organizational risks of data processing before such processing takes place;
- Ensuring that all actions in respect of the data are exercised by protected accounts to access the data and all data storages are available only to a limited number of persons on a password protection basis;
- Ensuring that we are able to suspend data processing or withdraw any piece of data from processing if we believe that such processing may violate applicable law;
- In case of change in any business process we will determine whether such change is data-related and check if such change is in line with this Policy;
- Providing that each location and device where personal data may be stored is a safe environment;
- Utilizing a firewall to minimize the risk of unauthorized access to the hosting infrastructure;
- Utilizing secure VPN and HTTPS connections with strong encryption algorithms;
- Where necessary, using third-party vendors to perform security assessments to identify issues with our data security that could result in security vulnerabilities;
- Providing encryption of personal data where appropriate;
- Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Providing the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the data processing.
This Privacy Policy has become effective and shall apply to our processing of personal data starting from May 25, 2018.