GDPR – Contact Forms
Information on Data Processing for Individuals Interacting with Second Foundation

This document outlines the terms and conditions under which companies within the Second Foundation Group process personal data of individuals who enter into legal or other relationships with our companies. For any matters related to data processing, you can contact the Company via email at: gdpr@second-foundation.eu.
Unless otherwise stated, the following terms apply:
“Company” or “Controller” refers to either Second Foundation Tech a.s., ID: 14078601, registered at Na Florenci 2139/2, Nové Město, 110 00 Prague 1, File No. B 26919 in the Commercial Register or Second Foundation a.s., ID: 08561443, registered at the same address under File No. B 24741.
“Data Subject” refers to any individual (natural person) whose personal data is being processed. This includes, but is not limited to, clients and their employees, suppliers and their employees, contractors and their employees, visitors to Company premises or events, and individuals communicating with the Company via email or phone.
“GDPR” means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council, in conjunction with Act No. 110/2019 Coll., on the processing of personal data.
“Personal data” means any information related to a Data Subject.
“Processing” means any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.1
Information on Personal Data Processing
The Company informs individuals who have a contractual or other relationship with the Company about the processing of their personal data, including the legal basis, purpose, retention period, security measures, whether and to whom personal data is disclosed, and their rights under the GDPR. This document does not cover Company employees, who are provided with separate privacy terms.
As outlined above, the Company determines the purposes and means of processing and is therefore the data controller. It may engage third-party processors (e.g., service providers) to process personal data on its behalf. The Company may also share data with public authorities or third parties if required or permitted by law.
1.2
No Data Protection Officer
The Company is not required to appoint a Data Protection Officer (DPO), as it does not meet the criteria under Article 37 of the GDPR. Data protection responsibilities are handled by the Company’s Administrative Board or its authorized representative.
1.3
Types of Personal Data Processed and Purpose
The Company processes personal data to fulfill its legal obligations or contractual obligations arising from contractual cooperation with Data Subjects or their employers or for the purpose of legitimate interests of the Company. This may include:
- Identification data, such as names and contact information.
- Reference-related data, such as qualifications and payment details.
- Technical data, like IP addresses, for contract performance and legitimate interest purposes.
- Metadata related to the email messages processed by the Company’s systems.
- Cookies necessary for the operation of the Company’s website.
- Images of people captured by the Company’s CCTV system in the Company’s premises.
1.4
Legitimate Interests
The Company processes personal data to protect its legitimate interests, such as:
- Managing internal communication.
- Handling disputes or providing evidence in legal matters.
- Utilizing Data Loss Prevention (DLP) tools to safeguard against accidental or intentional data leaks (e.g., email monitoring, cloud services).
- Protecting property, lives and health of the people in the Company’s premises and ensuring workplace safety.
1.5
Data Retention
Personal data is stored for as long as necessary to fulfill the purposes for which it was collected. Generally, data is retained for the duration of the contractual relationship and up to 3 years afterward, unless required by law or agreed otherwise. For accountancy and archiving legislation compliance purposes, this usually means 3 to 10 years; for handling disputes and evidence in legal matters, this means 4 years or until the final enforcement of the rights if any potential dispute emerges. CCTV data is retained for 10 days, and DLP-monitored data is stored for 3 months unless a longer retention period is justified and allowed by law.
1.6
Security Measures
Personal data is stored securely, both in paper and electronic form. Access to this data is restricted to authorized personnel, and additional cyber security measures are in place for electronic data in compliance with ISO 27001 requirements. The Company does not share personal data without consent, except when required by law or with confidentiality-bound processors as part of its legitimate reasons.
1.7
Data Subject Rights
As a Data Subject, you have the following rights under the GDPR:
- Right of access: Obtain confirmation on whether your personal data is processed and access the data.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of data under specific conditions (e.g., if no longer needed or processed unlawfully).
- Right to restriction of processing: Request that the Company limits the processing of your data in certain circumstances.
- Right to data portability: Request the transfer of your data to another controller, where technically feasible.
- Right to object: Object to the processing of your data based on the Company’s legitimate interests.
- Right to withdraw consent: If processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of prior processing.
- Right to file a complaint: You may file a complaint with the Office for Personal Data Protection (Pplk. Sochora 27, 170 00 Prague 7; website: www.uoou.cz).
1.8
Additional Information
For further inquiries or complaints regarding personal data processing, you can contact either of the joint controllers (Second Foundation Tech a.s. and Second Foundation a.s.) using the contact details provided. As these joint controllers have an arrangement in place to ensure that Data Subjects’ rights are addressed efficiently regardless of which controller is contacted, Data Subjects can exercise their GDPR rights with either of the controllers.