What information we collect
When making an order, only the data strictly necessary for the successful performance of the order (name, address and contact details) is required.
Furthermore, in the e-shop, we require invoicing data, which is used to fulfill legal obligations.
In what manner do we collect the information
We will obtain some of the information directly from you (for example, when you fill in the registration form). Some information is recorded automatically (using cookie files).
Information obtained from you
We only collect data which you choose to provide to us or which is strictly necessary to meet legal requirements (invoicing). If we ask you to provide personal information, you do not have to provide it to us. Such a refusal may, however, result in a restriction of the Upgates services or an inability to take full advantage of the system features.
Information which we obtain automatically
How is the information we obtain used?
The provided data will be used to fulfill the legal as well as other obligations, such as the processing of an order, or to handle complaints, etc. Personal data is also processed through an electronic database for the negotiations necessary and closely related to the fulfillment of the provider's obligations and the implementation of the contract, and also, where appropriate, through third parties - personal data processors, responsible for their actions.
Use of personal data
The personal data we collect helps us provide and improve our product and the related services. It also serves for effective communication with you.
Sharing of personal data
The data is available only to the provider; it is provided to third parties only in exceptional situations related to the distribution or payment system, bookkeeping and the fulfillment of other legal obligations of the provider. The data shall not be provided to any other third party.
The services of Evici webdesign s.r.o. use so-called cookies to increase the quality of services, personalise the offer, collect anonymous data and perform analytics. By using the website, you agree to the use of the above technology.
Personal data processor - Evici webdesign s.r.o. (the data is encrypted and stored on developer servers in the offices in Ostrava and at Linode, LLC)
Server operator - Linode, LLC (the servers are located in London or Frankfurt).
Server location - Servers s1, s3 and s6 are located in London (England, UK); other servers are located in Frankfurt (Germany, DE).
The customer and the provider undertake mutually to maintain confidentiality in respect of any supporting documents and information expressly identified as confidential, or where confidentiality is implied by law, or where any documents are recognisably not intended for a third party.
We will keep this information up to date to better inform you about how we handle the personal information.
- In relation to the clients' personal data, the Provider is a processor pursuant to Article 28 of the GDPR. The Client is the administrator of this data.
- These terms govern the mutual rights and obligations in the processing of personal data to which the Provider has gained access within the framework of performance of the licence agreement entered into in the form of agreement with the general terms and conditions available at www.upgates.com (hereinafter referred to as the "licence agreement") entered into with the User on the date of establishment of the user account.
- The Provider undertakes to process personal data of the User to the extent and for the purpose specified in points 4 - 7 of this agreement. The processing will be automated. As part of the processing, the Provider shall collect the data, store it on data carriers, maintain, block and destroy it. The Provider is not entitled to process the personal data in breach of or beyond the scope set out herein.
- The Provider undertakes to process personal data for the User to the following extent:
- common personal data
- special category of data according to Article 9 of the GDPR
- The Provider undertakes to process personal data on behalf of the User for the purpose of providing the Upgates platform under the licence agreement.
- Personal data may be processed only at the workplaces of the Provider or its suppliers in accordance with point 8 of these terms and conditions, within the territory of the European Union.
- The Provider undertakes to process personal data of the User's clients on behalf of the User, all for the time necessary to exercise the rights and obligations arising from the contractual relationship between the Provider and the User and to assert the claims from these contractual relationships (for 5 years from the termination of the contractual relationship).
- The User hereby grants consent to the involvement of a subcontractor as an additional processor under Article 28, Para. 2 of the GDPR, namely the hosting provider Linode LLC. The User further grants the Provider a general permission to involve another processor of personal data in the processing; however, the Provider is obliged to inform the User in writing of any intended changes concerning the involvement of any other processors or their replacement and to provide the User with an opportunity to object to such changes. The Provider must impose on its subcontractors, in their position as personal data processors, the same obligations for the protection of personal data as set out herein.
- The Provider undertakes that the processing of personal data shall be secured in particular in the following manner:
- The personal data is processed in accordance with the legal regulations and on the basis of the User's instructions, i.e. for the performance of all activities necessary for the provision of the Upgates e-shop platform in the form of a licence agreement.
- The Provider undertakes to technically and organisationally ensure the protection of the processed personal data so that unauthorised or accidental access to the data, its change, destruction or loss, unauthorised transmission, its other unauthorised processing, as well as other misuse, is prevented. All obligations of the personal data processor arising from legal regulations are ensured in terms of personnel and organisation for the duration of the data processing.
- The technical and organisational measures taken correspond to the degree of risk. Through these measures the Provider ensures the constant confidentiality, integrity, availability and resilience of the processing systems and services, and restores the availability of and access to personal data in a timely manner in the event of physical or technical incidents.
- The Provider hereby declares that the protection of personal data is subject to the Provider's internal security regulations.
- Only authorised persons of the Provider and subcontractors shall have access to personal data according to point 8 of these terms and conditions, in respect of which the Provider shall set the terms and conditions and scope of the data processing and each such entity shall have access to the personal data under its unique identifier.
- The Provider's authorised entities who process personal data in accordance with these terms and conditions are obliged to maintain the confidentiality of the personal data and of those security measures whose disclosure would jeopardise its security. The Provider shall ensure that each such authorised entity undertakes this obligation in a demonstrable manner. The Provider shall ensure that this obligation of the Provider and of any authorised entities continues even after termination of the employment or other relationship with the Provider.
- The Provider shall assist the User through appropriate technical and organisational measures, where possible, to fulfill the User's obligation to respond to requests for the exercise of the data subject's rights set out in the GDPR; as well as in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Provider.
- Upon termination of the provision of any services associated with the processing, according to point 7 of these terms and conditions, the Provider is obliged to delete all personal data or return it to the User, if it is not obliged to store the personal data under a special law.
- The Provider shall provide the User with all information necessary to prove that the obligations under this Agreement and the GDPR have been fulfilled, and shall enable audits, including inspections, to be performed by the User or another auditor authorised by the User.
- The User undertakes to immediately report all facts known to the User which could adversely affect the proper and timely fulfillment of the obligations arising from these terms and conditions, and to provide the Provider with the cooperation necessary for the fulfillment of these terms and conditions.
Description of security incident resolution processes
A security incident is a situation in which the security of personal data has been compromised or in which the security rules have been violated. A security incident results from a failure of or non-compliance with the security measures, or from a breach of the security policy.
For example, a security incident may be represented by the following events: a theft, robbery, burglary, attack, unauthorised access to information or data, unauthorised use of information, unauthorised access to a building or system, data deletion, infrastructure or connection failure, a server, database, or application failure, hacker attack, data system intrusion, virus attack, ransomware attack, natural disaster, website forgery (spoofing).
In a security incident, data or information may be compromised, lost, stolen, misused or altered.
A mere unsuccessful attempt to steal or otherwise compromise information may also be considered a security incident.
The persons responsible for resolving incidents, detecting any infringements and assessing risk are: Ing. Jan Rataj (Company Executive).
If the Provider finds that a security incident has occurred, it shall immediately investigate whether there has been a breach of personal data security.
If the Provider finds that personal data security has been breached, it shall assess the risk to the data subjects. The risks are assessed according to the following criteria:
- Type of the infringement - disclosure will cause a greater risk than a complete loss.
- Nature, sensitivity and volume of the personal data - the more sensitive the data, the greater the risk to an individual; a combination of personal data items is more sensitive than any single item.
- Ease of identification of private individuals - identification may sometimes be possible directly from the compromised personal data. Encrypted data without the encryption key is unreadable to an unauthorised entity.
- Severity of consequences for private individuals - in respect of sensitive data, the potential harm to private individuals may be particularly serious; breaches of personal data in respect of vulnerable individuals may pose a higher risk of injury. Long-term effects have a greater impact.
- Special characteristics of a private individual - e.g. children, people with disabilities or vulnerable people.
- Number of private individuals concerned - the larger the number of private individuals involved, the greater the impact the infringement may have.
- Special characteristics of the data Provider - there are differences in sensitivity of the processed personal data.
By assessing the risks, the data Provider may reach one of the following conclusions:
- (a) It is unlikely that the given breach would result in a risk to the rights and freedoms of private individuals.
- (b) It is likely that the breach would result in a risk to the rights and freedoms of private individuals.
- (c) It is likely that the breach would result in a high risk to the rights and freedoms of private individuals. A higher risk will arise if the protection of a special category of personal data (sensitive data) is breached.
The risk assessment according to (a) does not result in any reporting (notification) obligation.
The risk assessment pursuant to (b) results in a notification obligation on the part of the Provider towards the supervisory authority.
The evaluation pursuant to (c) results in a notification obligation on the part of the Provider towards the supervisory authority as well as the data subject.
The Provider is only required to report to the supervisory authority if the breach is likely to result in a risk to the rights and freedoms of private individuals.
The purpose of the reporting obligation is to limit any damage caused to private individuals. A breach of personal data protection must be reported to the supervisory authority no later than 72 hours, through any of the following:
Address of the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7
Data box ID: qkbaa2n
If it is not possible to provide the information simultaneously, it may be provided gradually without undue delay.
If the infringements concern the same type of personal data, the security of which has been breached in the same manner within a relatively short time, it is possible to make a bulk notification.
The notification shall provide the supervisory authority with at least the following information:
- a description of the nature of the infringement of personal data security, including, where possible, the categories and approximate number of the data subjects concerned (e.g. children, people with disabilities, employees, vulnerable groups, etc.) and the categories and approximate number of personal data records concerned (e.g. medical data, school records, social care information, financial data, bank account numbers, passport numbers, etc.);
- the name and contact details of the data protection officer or other contact point which may provide further information;
- a description of the likely consequences of the infringement of the personal data security;
- a description of the measures that the Provider adopted or proposed to be adopted in order to address the breach of personal data security, including any measures to mitigate possible adverse effects.
The Provider is required to notify a private individual only if the breach is likely to result in a high risk to the rights and freedoms of this private individual, i.e. if the breach may result in a material or non-material damage to the private individual concerned (discrimination, identity theft, fraud, financial loss, damage to reputation, etc.).
The Provider shall notify the personal data subject and the supervisory authority without undue delay.
The notification of the data subject shall provide at least the following information:
- a description of the nature of the infringement;
- the name and contact details of the data protection officer or other point of contact;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed by the Provider to deal with the case, including any measures taken to mitigate any possible adverse effects.
If possible, the Provider may provide private individuals with specific advice on how to protect themselves from any possible adverse consequences of a breach (e.g. a password reset, etc.).
Notification to the data subject stated above is not required if any of the following conditions are met:
- the Provider has put in place appropriate technical and organisational protection measures and these measures have been applied to the personal data affected by the infringement, in particular measures that render the data unintelligible to anyone not authorised to access it, such as encryption;
- the Provider has adopted follow-up measures ensuring that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would require a disproportionate effort. In such a case, the data subjects must instead be informed in an equally effective way by means of a public notice or a similar measure.
If the supervisory authority considers that the breach is likely to result in a high risk, it may require the Provider to report the breach to the data subject concerned, if it has not yet done so. However, it may also decide that one of the conditions set out in the previous paragraph is met.
The Provider shall document all cases of personal data security infringement, stating the facts relating to the given infringement, its effects and the corrective measures taken.
The Provider keeps documentation on all cases, even if there is no obligation to report them to the supervisory authority. The description of an infringement of personal data security shall include:
- description of the event,
- causes of the infringement,
- which personal data have been affected,
- the effects and consequences of the infringement,
- corrective actions taken by the Provider,
- justification for not reporting the incident (infringement), where applicable, and the reasons for any delay in submitting the notification,
- proof of notification of personal data subjects,
- proof that the staff of the Provider have been instructed on how to behave in the event of an infringement of security of personal data.
In a similar manner, the Provider shall record security incidents in which no infringement of personal data security has occurred yet, but in which such an infringement may still occur later on.
Role of the data protection officer - the data protection officer cooperates with the supervisory authority and acts as the contact person for the supervisory authority and the data subjects. The name and contact details of the data protection officer are disclosed by the Provider when reporting a data security incident.
The Provider acquaints its employees with the incident resolution processes and instructs them on how to behave in order to prevent a personal data security infringement and how to behave when one occurs. This instruction of the employees is carried out at the beginning of the employment relationship and regularly thereafter, once every 2 years.
Any data security incident is reported by the employees to their manager, who contacts the responsible persons of the Provider. In the event of a breach of personal data security, they contact the data protection officer.
If the Provider uses a supplier and this supplier detects an infringement of security of the personal data it processes on behalf of the Provider, it is obliged to report such to the Provider without undue delay. If the supplier provides services to multiple Providers who have all been affected by the same incident, the supplier is obliged to report the details of such an incident to all Providers.