General principles for the protection and processing of personal data

We, Perfect Clinic, s.r.o., a company incorporated under Czech law, with registered office at Kartouzská 3274/10, Smíchov, 150 00 Prague 5, ID 26865831, registered in the Commercial Register maintained by the Regional Court in Ostrava, Section C, Insert 50765, and Perfect Clinic Dermatology a.s., with registered office at Kartouzská 3274/10, Smíchov, 150 00 Prague 5, ID No. 05139279, registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 21587 (hereinafter referred to as the “Companies” or “our Companies”), are aware of the importance of protecting the personal data of our clients and suppliers and have therefore decided to adopt the following general policy on the protection and processing of personal data (hereinafter referred to as the “General Policy”).
This General Policy applies to the processing of personal data in relation to our clients and suppliers. The privacy policy of our employees is regulated in our company’s internal directives.
Our company processes personal data of data subjects in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, effective from 25. 5. 2018 (hereinafter referred to as “GDPR”) and other legal regulations governing the protection of personal data.

1. Contact details

Our company hereby informs you of the following contact details:

  1. Delivery address: Kartouzská 3274/10, Smíchov, 150 00 Prague 5
  2. Phone: 273 038 914
  3. Email address: info@perfectclinic.cz
  4. Contact details of the Data Protection Officer Michaela Krčmářová, e-mail: poverenec@perfectclinic.cz, tel. +420 739 473 306

2. Sources of personal data

Our company obtains personal data primarily directly from data subjects through orders and inquiries from data subjects, email communication, telephone communication, websites, contact form on our website, social networks, business cards, etc. We also obtain personal data from publicly accessible registers, lists and records (e.g. commercial register, trade register, land register, public telephone directory, etc.).

3. Scope of processing of personal data

Personal data is processed to the extent that the relevant data subject has provided it to our company, in connection with the conclusion of a contractual or other legal relationship with our company, or which our company has otherwise collected and processes in accordance with applicable law or to fulfil our legal obligations.

4. Processing of personal data of our current and future clients

In order to ensure the proper provision of our services, we need to process personal data about our clients. We also process personal data about those data subjects who have not yet become our clients, but have in any way expressed an interest in using our services. In particular, we process the following categories of personal data about these data subjects:

  1. name, surname or nickname
  2. contact and/or delivery address
  3. email
  4. phone
  5. gender
  6. age
  7. health data
  8. occupation or job position
  9. image record
  10. data on services provided
  11. the content of the query you have submitted in the online advice centre on our website.

Performance of a service contract or other agreement between our client and our company

We process the personal data of our clients primarily for purposes related to the performance of obligations under a contract for the provision of our services or in connection with the performance of measures necessary to conclude such a contract. The lawful title of the processing in this case is Article 6(1)(b) GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

  1. negotiation of the intention to enter into a contractual relationship with us and the performance of the contractual relationship that has arisen between our company and you, in particular on the basis of a contract, order, demand, etc.;
  2. answering your question, request or other comment sent via the contact form or the form located on the online advice page of our website;
  3. the provision of other services and performance related to the subject matter of the contractual relationship, including the organisation of the provision of our services.

The provision of your personal data and their subsequent processing for these purposes is a prerequisite for the conclusion of a contract between you and our company. Failure to provide the required personal data on your part may result in the impossibility of performance of the contract and therefore its nullity from the outset.
We process the personal data in question for the duration of the contractual relationship between you and our company. In justified cases, the period of processing of personal data may exceed the duration of the contractual relationship, in particular due to the assertion of legal claims of our company from expired contracts. Our company undertakes that the period of processing of personal data in this case will never exceed the statutory limitation period of 10 years.

Legitimate interests of our company

We also process the personal data of our clients for the purposes of our legitimate interests in disseminating commercial communications and direct marketing to our existing clients, as well as for purposes related to optimizing and improving the quality of the services we provide, as well as for the purposes of security and ensuring the protection of health and property. The lawful basis for processing in this case is Article 6(1)(f) GDPR. The processing of your personal data is therefore necessary in particular for these purposes:

  1. the legitimate interest of our company, where our company may process certain categories of personal data of our past and present clients for direct marketing purposes;
  2. dissemination of commercial communications by electronic means (in particular e-mail, SMS messages, telephone) pursuant to Act No. 480/2004 Coll., on certain information society services;
  3. improving the quality of services provided and the possible development of new services, e.g. websites, sales of goods, competitions, etc. The development of new services and the improvement of existing services is done by identifying the needs and wishes of users through telephone calls, questionnaires, website analysis, interest in certain services and texts, etc;
  4. our company’s legitimate interest in the operation of the CCTV and access control system in our company’s building to ensure the protection of health and property;
  5. defending our legal claims.

The processing of the personal data in question for these purposes is based on our legitimate interests, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child. If you have any doubts in relation to our legitimate interests, you have the right to object to processing at any time, subject to the conditions and in the manner set out in these General Terms and Conditions.

We process the personal data in question for a reasonable period of time for the duration of our legitimate interest. Our company undertakes that the period of processing of personal data in this case will never exceed 3 years.

Fulfilling our legal obligations

Our company is obliged to comply with the entire legal system of the Czech Republic, in particular the laws in the area of billing for our services and bookkeeping, tax records, provision of health services, keeping medical records and issuing electronic prescriptions. The legal title of the processing in this case is Article 6 (1) (c) GDPR. The provision of your personal data is therefore a legal requirement in these cases. Failure to provide the requested personal data on your part may be sanctioned by the relevant legislation.

Our company is also obliged to transfer your personal data to the relevant government authorities, either in compliance with a legal obligation or upon request. These authorities may include, for example, the tax office, the social security administration, public health insurance companies, the court or other authorities. In such cases, the transfer of personal data shall only take place under the regime established by the relevant legislation or decision of the authority concerned.

For these purposes, we process personal data for the period of time specified in the relevant legislation. If you would like more detailed information, please contact us using the contact details above.

Your consent to the processing of personal data

We process the personal data of our clients for purposes related to the inquiries in our online advice on the website referred to in this General Policy and the marketing of our company. The lawful title of the processing in this case is Article 6 (1) (a) and Article 7 GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

  1. sending you an information email about the answer in the online advice centre, including the text of the answer to the question you asked;
  2. sending and distributing our newsletter or other commercial communications;
  3. presentation of our company on our website;
  4. use in marketing and promotional materials in paper and electronic form, including our website and social media.

We process personal data for the above purposes until your consent is withdrawn, for a maximum period of 1 or 3 years after the consent is given, depending on the specific consent given. You acknowledge that personal data may remain on the physical media already printed and distributed after this period.

5. Processing of personal data of visitors to our website

Our company is the operator of the websites perfectclinic.cz, perfectbeautymedicine.cz, perfektniprsa.cz, perfektniliposukce.cz, perfektnitelopoporodurodu.cz, prepistesvujvek.cz, vysetri.se, plastickepromeny.cz and perfectclinicforseniors.cz. As such, in order to ensure the optimal functioning of these websites and their optimization, the following personal data must be processed about their visitors:

  1. IP address;
  2. cookies;
  3. locations.

Legitimate interests of our company

We process the personal data of visitors to our website primarily for the purposes of our legitimate interests in ensuring the functionality of our website, its optimization and continuous updating. The lawful basis for processing in this case is Article 6(1)(f) GDPR. The processing of your personal data is therefore necessary in particular for these purposes:

  1. ensuring the functionality of our website;
  2. performing analyses and measurements, such as: traffic, readership, number of pages viewed, the device from which you come to our website and more. We collect this data using anonymised data so that we can offer quality content that is relevant to our users and to develop services that our users are clearly interested in;
  3. improving the quality of services provided and the possible development of new services, e.g. websites, sales of goods, competitions, etc. The development of new services and the improvement of existing services is done by identifying the needs and wishes of users through telephone calls, questionnaires, website analysis, interest in certain services and texts, etc.

The processing of the personal data in question for these purposes is based on our legitimate interests, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child. If you have any doubts in relation to our legitimate interests, you have the right to object to processing at any time, subject to the conditions and in the manner set out in these General Terms and Conditions.

We process the personal data in question for a reasonable period of time for the duration of our legitimate interest. Our company undertakes that the period of processing of personal data in this case will never exceed 3 years.

Google Ads Conversion

We use conversion measurement on the website using Google Ads, which includes advanced conversion functionality to increase the accuracy of measured conversions. Marketing data about our website visitors is passed to Google to improve the relevance of conversion measurement. This data is encrypted before it is sent for maximum protection.

Google may pair this data with its database to refine conversion measurement. The information about visitors to our website that we pass on to Google in this way is data that you enter into forms on our website, such as order or contact forms.

When personal data is transferred, Google becomes an additional controller, otherwise it is our processor. All information on the processing of personal data by Google can be found here: https://policies.google.com/technologies/ads and https://policies.google.com/privacy or via your own user accounts.

6. Processing of personal data of our suppliers

In order to fulfil our contractual obligations, our company processes personal data about our suppliers – natural persons or contact persons of our suppliers – legal persons.

In particular, we process the following categories of personal data about these data subjects:

  1. name, surname
  2. contact and/or delivery address
  3. email
  4. ID number, VAT number
  5. account number and payment details
  6. phone
  7. gender
  8. image record
  9. professional history
  10. details of the agreed remuneration
  11. services provided
  12. locations.

Performance of a service contract or other agreement between our supplier and our company

We process the personal data of our suppliers primarily for purposes related to the performance of obligations under a contract or in connection with the performance of measures necessary to conclude such a contract. The lawful title of the processing in this case is Article 6(1)(b) GDPR. The processing of personal data of our suppliers is therefore necessary in particular for these purposes:

  1. negotiations on the intention to enter into a contractual relationship with us and the performance of the contractual relationship that has arisen between our company and the supplier, in particular on the basis of a contract, order, request, etc.;
  2. communication with the supplier in connection with the subject of the contract;
  3. the provision of other services and performance related to the subject of the concluded contractual relationship.

The provision of the supplier’s personal data and their subsequent processing for these purposes is a prerequisite for the conclusion of a contract between the supplier and our company. Failure by the supplier to provide the required personal data may result in the impossibility of performance of the contract and therefore its nullity from the outset.

We process the personal data in question for the duration of the contractual relationship between the data subject and our company. In justified cases, the period of processing of personal data may exceed the duration of the contractual relationship, in particular due to the assertion of legal claims of our company from expired contracts. Our company undertakes that the period of processing of personal data in this case will never exceed the statutory limitation period of 10 years.

Legitimate interests of our company

We also process the personal data of our suppliers for the purposes of our legitimate interests in safeguarding and ensuring the protection of health and property. The lawful basis for processing in this case is Article 6(1)(f) GDPR. The processing of this personal data is therefore necessary in particular for these purposes:

  1. the legitimate interest of our company in the operation of the CCTV and access control system in our company’s building in order to ensure the protection of health and property;
  2. defending our legal claims.

The processing of the personal data in question for these purposes is based on our legitimate interests, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child. If you have any doubts in relation to our legitimate interests, you have the right to object to processing at any time, subject to the conditions and in the manner set out in these General Terms and Conditions.

We process the personal data in question for a reasonable period of time for the duration of our legitimate interest. Our company undertakes that the period of processing of personal data in this case will never exceed 3 years.

Fulfilling our legal obligations

Our company is obliged to comply with the entire legal system of the Czech Republic, especially the laws in the field of invoicing and bookkeeping and tax laws. The legal title of processing in this case is Article 6 (1) (c) GDPR. The processing of personal data is therefore a legal requirement in these cases. Failure on your part to provide the requested personal data may be sanctioned by the relevant legislation.

Our company is also obliged to transfer the personal data in question to the relevant state authorities and other authorities, either for the purpose of fulfilling a legal obligation or upon request. These authorities may include, for example, the tax authorities, the auditor or the courts. In such cases, the transfer of personal data shall only take place under the regime set out in the relevant legislation or by decision of the authority concerned.

For these purposes, we process personal data for the period of time specified in the relevant legislation. If you would like more detailed information, please contact us using the contact details above.

Your consent to the processing of personal data

We process the personal data of our suppliers for the purposes related to inquiries in our online advice on the website referred to in this General Policy and the marketing of our company. The lawful basis for processing in this case is Article 6(1)(a) and Article 7 of the GDPR. The processing of your personal data is therefore necessary in particular for the following purposes:

  1. presentation of our company on our website;
  2. use in marketing and promotional materials in paper and electronic form, including our website and social media.

We process personal data for these purposes until your consent is withdrawn, for a maximum period of 1 or 3 years from the date of consent, depending on the specific consent given. You acknowledge that personal data may remain on the physical media already printed and distributed after this period.

7. Method of processing and protection of personal data

The processing of personal data of data subjects is carried out on the premises of our company by individual authorised employees of our company, or the processing of personal data of data subjects is carried out by our processors on their premises by individual authorised employees of the processor. The processing takes place both electronically, i.e. by means of computer technology, and in paper form, i.e. manually, in compliance with all security principles. All personal data provided to our company by data subjects are secured by standard procedures and technologies, however, it is not objectively possible to guarantee 100% security of the personal data of data subjects. In this context, our company regularly reviews the security measures, which are then updated as necessary.

8. Recipients of personal data

In addition to employees and managers of our company, third parties may also be recipients of your personal data. Our company carefully chooses its business partners to whom it entrusts data subjects’ data and who are able to ensure that the technical and organisational security of data subjects’ personal data is such that unauthorised or accidental access to such data or other misuse of such data cannot occur.

In the context of legal relations with our business partners, they are bound by, among other things, a duty of confidentiality and must not use the data provided for any purposes other than those for which we have made it available to them and must also ensure other measures to secure the personal data of data subjects.

The third parties that may have access to the personal data of data subjects, depending on the nature of the service that the data subjects use or have used, are:

  1. persons who provide the technical operation of a particular service for us or operators of the technologies we use for our services;
  2. persons who provide accounting or other economic services for us;
  3. persons who ensure the security and integrity of our services and websites and regularly test this security for us;
  4. providers of postal, electronic communications and communications services;
  5. persons to whom we provide data for the purpose of analysing traffic to our websites;
  6. payment service providers and payment processors for the purpose of securing and executing payment transactions;
  7. business partners or sponsors who participate in the organization of our events, conferences, seminars, etc.;
  8. persons who provide us with the recovery of our company’s debts;
  9. operators of advertising systems in connection with targeted advertising;
  10. operators of CCTV, access control and other security systems installed in our company’s building to protect health and property and to secure the processing of personal data;
  11. operators of technical solutions that enable us to show you only content and advertising that is relevant to you;
  12. marketing and research agencies for the purpose of marketing processing or investigations and for offers of trade, services and products.

Under certain, precisely defined conditions, our company is obliged to transfer certain personal data of data subjects to the Police of the Czech Republic, the Financial Office, the Office for Personal Data Protection and other public administration authorities.

9. Transfer of personal data to third countries

For the purpose of sending commercial communications, our company uses the services of the MailChimp platform. As part of the use of this service, the Controller transfers your personal data abroad, specifically to the USA. The operator of the MailChimp platform, The Rocket Science Group LLC, located at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, is a company certified under the European Commission’s EU-U.S. and Swiss-U.S. Privacy Shield Framework, which ensures a sufficient level of security for the transfer of your personal data to the United States. A current list of companies covered by this program is available on our website at www.privacyshield.gov.

With the exception of the use of this tool, our company does not intend to transfer the personal data of data subjects to a third country. In the event that personal data of data subjects are transferred to third countries outside the EU, this will be done in accordance with the legal requirements and in any case the protection of the personal data of data subjects will be ensured. Our company undertakes to inform you immediately of any such transfer.

10. Rights of data subjects

In connection with the processing of personal data, data subjects may exercise the following rights:

  1. the right to be informed about the personal data of data subjects that our company processes, the purpose and nature of the processing of personal data, including information about the potential recipients of the personal data;
  2. the right to access the data provided by the data subject to our company, including on our website. If this right is exercised, the data subject will be informed whether and which specific personal data about him or her is being processed. All data will be made available together with information about their processing;
  3. the right to rectification of personal data if it is inaccurate or incomplete in any way. Only in the case of up-to-date data can our company effectively handle the reactions of data subjects;
  4. the right to an explanation and rectification (e.g. blocking, correction, completion or destruction of personal data) if the data subject believes that our company processes personal data in violation of the law;
  5. the right to have personal data erased (the so-called right to be forgotten) or to restrict their processing if they are no longer necessary for the purposes stated or if our company no longer has a legitimate reason to process the personal data, including in cases where the data subject does not consent to their further processing. Upon exercising this right, our company will determine whether there are legitimate grounds for the further processing of the personal data and, where appropriate, erase the data subject’s data in whole or in part;
  6. the right to transfer the automated processing of personal data obtained on the basis of the data subject’s consent to another entity, where our company will transfer the data subject’s personal data in a commonly used format to the data subject or to another controller as requested by the data subject;
  7. the right to object to the processing of personal data, including profiling, which we carry out on the grounds of legitimate interest. Similarly, he or she may object to processing where we process the data subject’s personal data for direct marketing purposes. In this case, we will no longer process your personal data for this purpose;
  8. the right to withdraw consent to the processing of personal data where the data subject has provided us with consent to the processing of personal data for purposes requiring consent. The processing of personal data that occurred before the withdrawal of consent is lawful. Our company will respond to requests from data subjects concerning the exercise of their rights without undue delay within 30 days of receipt of the request. However, the time limit may be extended by a further 30 days if necessary. We will always inform the data subject of such an extension, including the reasons for it;
  9. the right to contact our company or the Office for Personal Data Protection in the event of a suspected violation of your rights and to request appropriate remedies, such as our company refraining from the conduct in question, remedying the situation, or providing an apology. The supervisory authority is the Office for Personal Data Protection, Pplk. Sochor 27, 170 00 Prague 7, https://www.uoou.cz/.

If you believe that our company is processing personal data in violation of your right to protection of your private or personal life, you can request an explanation from our company and the elimination of such situation.

You can exercise all your rights by contacting the contacts listed in this General Policy.

11. Lessons learned

The content of our website is protected by the relevant provisions of intellectual property legislation. If you use the content of our website in any form, you must have our express written consent.

12. Amendment of the General Principles

We reserve the right, if necessary, to amend these General Principles, in particular with regard to the development of national legislation, the decision-making practice of the Office for Personal Data Protection and other recommendations and opinions of other bodies whose outputs relate to the area of personal data protection. We encourage you to review this General Policy periodically to stay up-to-date on how we are helping to protect the personal data we process about you.

13. Contact

If you have any questions about data protection or wish to withdraw your consent to further processing of your personal data, you can contact us at the contact details above or contact our data protection officer.

In this context, we would like to inform you that we may require you to provide us with appropriate proof of your identity so that we can verify it. This is a precautionary security measure to prevent unauthorised persons from accessing your personal data.

14. Effectiveness

These Guidelines are effective from 25. 5. 2018.
