Information under Article 13 of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to also as GDPR or the General Regulation).

 

As said in the Convert 247 Terms of Service (hereinafter also as ToS), the provider can come in touch with personal data of users within providing the Service. So they act as a controller towards the registered Users of the Service (natural persons).

 

Provider of the Service in the position of personal data controller

 

The data subjects shall have the right to information from the controller under Article 13 of the General Regulation at the moment of obtaining personal data. The controller thereby does so and provides the subsequent information:

 

Information about the controller and basic terms

 

The personal data controller is Convert 247 which processes personal data of Users - natural persons in accordance with regulation (EU) No. 2016/679, on the protection of natural persons with regard to the processing of personal data (the General Regulation).

 

Registered users of the Service – natural persons are so called data subjects. Legal person is not a data subject. Data related to natural persons are not personal data, excluding natural persons' contact data with the legal entity.

 

Personal data are defined by the General Regulation as any and all information on an identified or identifiable natural person (data subject). An identifiable natural person is a natural person which can be identified directly or indirectly, especially by reference to a certain identifier e.g. name, identity No., location data, network identifier or one or more special features of physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

 

Personal data in connection with the Service are all information about registered Users - natural persons on the basis of which the User can be directly or indirectly identified, especially by a reference to a certain identifier.

 

Processing shall mean any operation or set of operations with personal data or sets of personal data which is performed, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, limitation, erasure or destruction.

 

Scope of personal data being processed

 

Personal data of registered Users processed by the controller vary depending on the User of the Service.

 

• Registered users - IP Address, email address
• Registered users using fee-based products - personal data as registered users plus billing data (i.e. name, surname, company name, address, postal code code, state, VAT ID, PayPal email address, anonymized form of payment card)

 

The purpose of processing, legal title and the way of processing

 

The Provider is entitled to process User's personal data for the purpose of:

 

• Performance of the concluded Contract on the provision of the Service. The Provider cannot provide this Service without the provision of personal data for these purposes. The Provider as a controller does not need the User's consent to process personal data for these purposes. From this legal title, in addition to the provision of the Service, the controller processes IP addresses for a period of one year from the beginning of the provision of the Service in order to identify and solve problems with the operation of the Service.
• Fulfilling the legal obligations. Users' invoicing data may remain in the database in the form of invoices even after a registered User deletes their account. Invoices issued by the Provider may be archived for a period of 10 years after they have been issued.

 

Personal data for these above-mentioned purposes arising from the performance of the Contract and fulfillment of the Provider's legal obligation are processed in the scope necessary for the fulfillment of these purposes and for the period necessary to achieve them or for the time directly set by the legal regulations. Then the personal data is erased or anonymized.

 

The Provider keeps records of all activities, both manual and automated, during which personal data are processed.

 

Information on the rights of data subjects

 

Each identifiable natural person as personal data subject which proves its identity, shall have the following rights:

 

a) Right of access to personal data. It includes the right to obtain from the controller:

 

• confirmation, whether they process personal data,
• information about the purposes of processing, categories of the affected personal data, recipients to whom the personal data have been made available or will be made available, the scheduled time of processing, the existence of the right to ask the controller for correction or erasure of personal data related to data subject or restriction of their processing or the right to object against this processing, the right to file a complaint with the Supervisory Authority, all information on the source of personal data available, if they are not obtained from the data subject, the facts that there is automated decision making, including profiling, suitable guarantees when handing over the data outside the EU.
• in the event that the rights and freedoms of other persons are not adversely affected, as well a personal data copy.

 

The above-mentioned information and notification requested by the User will be provided by the Provider free of charge. In the event of repeated request, the Provider will be entitled to charge a reasonable fee for the personal data copy. The right for a confirmation of the processing of personal data and for information is to be exercised via e-mail to the Provider's electronic address.

 

b) The right to rectify inaccurate data
The User as a data subject has the right to rectify inaccurate personal data that will be processed by the Provider.

 

c) The right of erasure
The data subject has the right of erasure of personal data, pertaining to it, unless the Provider proves justified reasons for the processing of this personal data. The user can exercise the right of erasure of personal data via e-mail to the Provider's electronic address. The Provider shall carry out the erasure, without delay, within 7 days from the day on which he obtained the request from the User.

 

d) The right to restriction of processing
The data subject shall have the right of restriction of processing until the complaint is resolved, if they deny the accuracy of the personal data, the reasons of their processing or if they object against their processing, through e-mail to Provider's electronic email address.

 

e) The right to be notified of rectification, erasure or restriction of processing
The data subject shall have the right to be notified by the Provider in the case of rectification, erasure or restriction of processing.

 

f) The right to personal data portability
The data subject shall have the right to the portability of the data pertaining to it and which it has provided to the controller, in a structured, commonly used and machine-readable format and the right to ask the controller to hand over these data to another controller. If the exercise of this right could adversely affect the rights and freedoms of third parties, the User's request cannot be accommodated.

 

g) Automated individual decision making including profiling
The data subject shall have the right not to be a subject of any decision based solely on automated processing, including profiling, which would have legal effects for the data subject or the data subject would be significantly affected by it. The Provider states that they do not carry out automated decision making without the impact of human judgment with legal effects for data subjects.

 

h) Personal data protection
The Provider collects and stores the personal data entered by the User as well as technical personal data obtained in the course of providing the Service through electronic carriers of information in a secured database. The Provider protects personal data to the fullest extent possible using modern technologies corresponding to the degree of technological development. The Provider declares that they have taken any and all currently known measures to secure these data against unauthorized interventions of third parties.

 

Should any violation of personal data security be found, the Provider shall report it without due delay, if possible within 72 hours from the moment they have learned of it, to the Supervisory Authority and provide a reasonable remedy.

 

i) Other receivers of personal data - Processors
The Provider may use professional and specialized services of other entities when performing its obligations and duties from the Contract. Provider, as a controller, is therefore entitled to assign a third party as a processor of personal data, whereas the Provider as a controller, will use only those processors that provide sufficient guarantees to implement suitable technical and organizational measures so that the processing ensures the protection of rights of the data subjects. If these suppliers process personal data handed over from the Provider, they process the personal data only within instructions from the Provider and may not use them otherwise. The Provider enters with each such entity into a contract on the processing of personal data within the meaning of Art. 28 of the General Regulation. The processors also include companies having their seat outside of the territory of the European Union, in particular in the US. The personal data are therefore handed over outside the territory of the European Union. The personal data processors in question comply with the requirements of the General Regulation.

 

The Provider may hand over personal data to the administrative bodies and authorities set by applicable legal regulations in the course of fulfillment of its legal duties. The User acknowledges that the Provider may be obliged to provide personal data by law or to fulfill its legal duty (e.g. within legal or administrative proceedings).

 

j) Confidentiality
The Provider as well as other recipients of personal data who will process User's personal data, are required to keep confidentiality about personal data and security measures the publishing of which would threaten the security of personal data. This confidentiality shall last even after the contractual relationships with the User terminate. Personal data shall not be given to any other third party without the consent of the User.

 

Updates of the Privacy Policy: This Privacy Policy document shall be actualized by the controller, for operational, legal or regulatory reasons. The potential changes are published on the website of the controller. For this reason, please re-visit this Privacy Policy regularly to stay informed.