Separate data protection rules may apply to third parties that may also be personal data controllers of the Application users, i.e.:
vendors, offering their products by means of the Application, with respect to the personal data indicated by the user for the issuance of an electronic VAT invoice;
Payconiq International S.A., 9-11 rue Joseph Junck, L-1839 Luxembourg, handling the online payment process, to the extent of the personal data indicated by the user to process the online payment;
Odoo S.A., Chaussée de Namur, 40, 1367 Grand-Rosière, Belgium, providing the odoo system, on the basis of which the Application functions, with regard to personal data indicated by the user for the use of services offered by Odoo S.A.
1. Collection, use, and sharing of data.
The Data Controller processes the personal data of users of the Application in accordance with generally applicable legal regulations, including in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: "GDPR").
Within the Application, the Data Controller processes the following personal data of the Application users:
The Data Controller does not process special category personal data within the meaning of Article 9 of the GDPR, or any data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR.
Providing personal data by the user is not obligatory, but if the user refuses to provide personal data, then, among other things, it may not be possible to execute the contract with the Data Controller or the administrator in terms of payment (and others indicated above). Similarly, it may not be possible to fulfil other rights and obligations of the user or the Administrator.
The basis for data processing is:
voluntary consent of the Application User – in order to send commercial information (promotional offers); or
execution of the contract for the provision of electronic services – in order to maintain a user account within the Application (provision of personal data is necessary to perform a service provided electronically).
Personal data may be made available to external recipients such as: cooperating companies, advisors, couriers, banks, IT providers, insurers, accounting offices, law firms, only for the purpose for which they were collected.
Although the Data Controller does not transfer personal data to a third country (i.e. outside the European Economic Area or to international organizations), does not carry out profiling and does not make, on the basis of personal data provided by the user, decisions in an automated manner, your data may still be transferred outside the European Economic Area or to an international organization, profiled or decisions may be made on its basis in an automated manner by the other data controllers mentioned above.
2. Storage and user’s access to collected data.
The user's personal data shall be stored for the period in which they are useful for the purpose for which they were collected, however not less than the period of limitation of mutual claims, the period for which the data controller is obliged to process data under the applicable laws, whichever period shall be longer, and in the case of data processed on the basis of the consent, not longer than until the consent is revoked.
The user has the right to access their data and the right to rectify, erase, restrict processing, the right to data portability, the right to object, the right to withdraw consent at any time if the data are processed on the basis of consent, as well as the right to lodge a complaint to the supervisory authority - the President of the Office for Personal Data Protection. Withdrawal of consent does not affect the legality of personal data processing, which was performed on the basis of consent before its withdrawal. Consent may be withdrawn by sending an e-mail to the following address firstname.lastname@example.org.
As a rule, the Data Controller shall consider and comply with the users’ requests immediately, within a period not exceeding one month, unless the provisions of law provide for a shorter period. If there are grounds for refusal to comply with the user’s request, the Data Controller shall inform such person, within the aforementioned time limit, of:
the refusal of a request;
the rights of such person with regard to the refusal.
The Data Controller ensures the security of the personal data provided by the user and ensures that the data is protected against unauthorized access, as well as against other cases of disclosure or loss, and against destruction or unauthorized modification of the said data and information, by means of applying appropriate technical and organizational security measures.