Information under Article 13 of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to also as GDPR or the General Regulation).
As said in the Pdfcrowd Terms of Service (hereinafter also as ToS), the provider can come in touch with personal data of users within providing the Service. So he acts as a controller towards the registered Users of the Service (natural persons).
The data subjects shall have the right to information from the controller under Article 13 of the General Regulation at the moment of obtaining personal data. The controller thereby does so and provides the subsequent information:
The personal data controller is Pdfcrowd s.r.o which processes personal data of Users - natural persons in accordance with regulation (EU) No. 2016/679, on the protection of natural person with regard to the processing of personal data (the General Regulation).
Registered users of the Service – natural persons are so called data subjects. Legal person is not data subject. Data related to natural person are not personal data, excluding natural persons' contact data with the legal entity.
Controller's contact data:
Kostelní náměstí 506/1, 288 02 Nymburk, Czech Republic
email contact: firstname.lastname@example.org
Personal data are defined by the General Regulation as any and all information on an identified or identifiable natural person (data subject). An identifiable natural person is a natural person which can be identified directly or indirectly, especially by reference to a certain identifier e.g. name, identity No., location data, network identifier or one or more special features of physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
Personal data in connection with the Service are all information about registered Users - natural persons on the basis of which the User can be directly or indirectly identified, especially by a reference to certain identifier.
Processing shall mean any operation or set of operations with personal data or sets of personal data which is performed, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, limitation, erasure or destruction.
Personal data of registered Users processed by the controller vary depending on the User of the Service.
The Provider is entitled to process User's personal data for the purpose of:
Performance of the concluded Contract on the provision of the Service. The Provider cannot provide this Service without the provision of personal data for these purposes. The Provider as a controller does not need the User's consent to process personal data for these purposes.
From this legal title, in addition to the provision of the Service, the controller processes IP address for a period of one year from the beginning of the provision of the Service in order to identify and solve problems with the operation of the Service.
Personal data for these above-mentioned purposes arising from the performance of the Contract and fulfilment of the Provider's legal obligation are processed in the scope necessary for the fulfilment of these purposes and for the period necessary to achieve them or for the time directly set by the legal regulations. Then the personal data are erased or anonymized.
The Provider keeps records of all activities, both manual and automated, during which personal data are processed.
Each identifiable natural person as personal data subject which proves its identity, shall have the following rights:
a) Right of access to personal data. It includes the right to obtain from the controller:
The above-mentioned information and notification requested by the User will be provided by the Provider free of charge. In the event of repeated request, the Provider will be entitled to charge a reasonable fee for the personal data copy. The right for a confirmation of the processing of personal data and for information is to be exercised via e-mail to the Provider's electronic address.
b) The right to rectify inaccurate data
The User as a data subject has the right to rectify inaccurate personal data that will be processed by the Provider.
c) The right of erasure
The data subject has the right of erasure of personal data, pertaining to it, unless the Provider proves justified reasons for the processing of these personal data. The user can exercise the right of erasure of personal data via e-mail to the Provider's electronic address. The Provider shall carry out the erasure, without delay, within 7 days from the day on which he obtained the request from the User.
d) The right to restriction of processing
The data subject shall have the right of restriction of processing until the complaint is resolved, if he or she denies the accuracy of the personal data, the reasons of their processing or if he or she objects against their processing, through e-mail to Provider's electronic email address.
e) The right to be notified of rectification, erasure or restriction of
The data subject shall have the right to be notified by the Provider in the case of rectification, erasure or restriction of processing.
f) The right to personal data portability
The data subject shall have the right to the portability of the data pertaining to it and which it has provided to the controller, in a structured, commonly used and machine-readable format and the right to ask the controller to hand over these data to another controller. If the exercise of this right could adversely affect the rights and freedoms of third parties, the User's request cannot be accommodated.
g) Automated individual decision making including profiling
The data subject shall have the right not to be a subject of any decision based solely on automated processing, including profiling, which would have legal effects for the data subject or the data subject would be significantly affected by it. The Provider states that he does not carry out automated decision making without the impact of human judgment with legal effects for data subjects.
h) The right to turn to the Office for Personal Data Protection
The data subject shall have the right to turn to the Office for Personal Data Protection of the Czech Republic (https://www.uoou.cz/en/).
i) Personal data protection
The Provider collects and stores the personal data entered by the User as well as technical personal data obtained in the course of providing the Service through electronic carriers of information in a secured database. The Provider protects personal data to the fullest extent possible using modern technologies corresponding to the degree of technological development. The Provider declares that he has taken any and all currently known measures to secure these data against unauthorised interventions of third parties.
Should any violation of personal data security be found, the Provider shall report it without due delay, if possible within 72 hours from the moment he has learned of it, to the Supervisory Authority and provide a reasonable remedy.
j) Other receivers of personal data - processors
The Provider uses professional and specialised services of other entities when performing its obligations and duties from the Contract. Provider, as a controller, is therefore entitled to assign a third party as a processor of personal data, whereas the Provider as a controller, will use only those processors that provide sufficient guarantees to implement suitable technical and organisational measures so that the processing ensures the protection of rights of the data subjects. If these suppliers process personal data handed over from the Provider, they process the personal data only within instructions from the Provider and may not use them otherwise. The Provider enters with each such entity into a contract on the processing of personal data within the meaning of Art. 28 of the General Regulation. The processors include also companies having their seat outside of the territory of the European Union, in particular in the US. The personal data are therefore handed over outside the territory of the European Union. The personal data processors in question comply with the requirements of the General Regulation.
The Provider may hand over personal data to the administrative bodies and authorities set by applicable legal regulations in the course of fulfilment of its legal duties. The User acknowledges that the Provider may be obliged to provide personal data by law or to fulfil its legal duty (e.g. within legal or administrative proceedings).
The Provider as well as other recipients of personal data who will process User's personal data, are required to keep confidentiality about personal data and security measure the publishing of which would threaten the security of personal data. This confidentiality shall last even after the contractual relationships with the User terminate. Personal data shall not be given to any other third party without the consent of the User.