- Service onlinefakturowanie.pl is provided by FakturaOnline s.r.o., Křížová 2598/4, 150 00 Praha – Smíchov, business ID 04129890, VAT ID CZ04129890, bank account: 02175000090000000039929139, SWIFT: RCBWPLPW - Raiffeisen bank, a.s., registered in the Commercial Register, kept by the Regional Court in Prague, section C File 242393, Czech Republic, contact: firstname.lastname@example.org. („Provider“)
- The user is a natural or a legal person that is registered in the application onlinefakturowanie.pl. (“User”)
- An Application is a web application onlinefakturowanie.pl, accessible via the website www.onlinefakturowanie.pl (“Website”). The application generates electronic documents from the data filled in by the User that may be used for the accounting in the sense of Act. No. 563/1991 Coll., on accounting, or tax document according to Act. No 235/2004 Coll., on the VAT, and allows the User to save the generated document in PDF format and send it by e-mail to the User's selected address. („Application“)
- Registration means creating the User account by filling in the e-mail address and then logging in with the sent code. ("Registration")
- This Policy describes how the personal data of the individuals is handled while using the Application and viewing the Website. The Provider complies with Regulation (EU) 2016/679 of the European Parliament and Council, the General Regulation on Personal Data Protection, also known as the GDPR (“GDPR”).
- Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by referring to or an identifier.
Provider Is a Personal Data Controller
- By registering of the User, the Provider begins to process User's data (e-mail address, network identifiers such as IP address).
- By purchasing a subscription, the Provider shall further process the following personal data of the Users:
- name and surname
- bank account number
- ID and VAT ID
- logo and stamp of signature
- any other personal data entered by the User into the document
- The Provider processes the personal data mentioned above due to:
a) performance of the agreement pursuant to Article 6 (1) b) GDPR, which means the provision of the service by making the Application available, informing about planned shutdowns, service-related administration (e. g. payment check), technical maintenance of software and hardware, handling of User queries to the customer support centre and informing about changes in the Application or its use. The Provider processes personal data according to this point for the duration of the service providing but for a maximum period of 15 years, which is the period corresponding to the limitation period for damages.
b) protecting servers against attacks and User accounts from misuse by third parties, which is a legitimate interest of Users and Provider within the meaning of Article 6 (1) f) GDPR. The Provider processes personal data at this point for the duration of the service agreement efficiency.
c) legitimate interest of the Provider consisting of informing about the news about the Application planned improvements, new products and services to provide a current and accurate overview of the available products and services of the Provider. Provider processes personal data at this point for the duration of the service and three years after termination of service agreement.
- The Provider collects the data mentioned above through the Website. The data is carried out through structuring, sorting, storing and removing it.
- The Provider processes the personal data contained in the documents under this article for five years from the generation of each document as the invoice data is backed up to enable Users to edit and generate the document subsequently.
The Provider Is a Personal Data Processor
- names and surnames of the customers of the User
- e-mail addresses of the customers of the User
- bank account numbers of the customers of the User
- User ID and VAT ID of the customers of the User
- addresses of the customers of the User
- any other personal data entered by the User as a note on the document relating to the customers of the User.
- The User is in the position of a data controller to his customers. The Provider provides an interface for issuing documents, sending them in PDF format, and storing document data to third-party servers. The Provider does not interfere with the database of User data, does not sort it or structure it. The User is always responsible for the data filled into the Application.
- The User and the Provider always enter into a free of charge data processing contract. The content of such contract is determined by the following provisions, within the meaning of Article 28 (3) of the GDPR.
- The Provider undertakes to process personal data only to provide the services under Article 2, and on the User's request, which he/she enters through the Application.
- The Provider provides the functionality and work of the Application, its regular maintenance and its accessibility to the User. Maintenance of the Application has a purely random nature, based on the need for bug fixes and system maintenance.
- The User agrees to use other processors to fulfill the purpose of the processing, i.e., the provision of services, in particular, Salesforce.com, Inc. and Google LLC that store data in data centers and contractors if necessary to secure or ensure the functionality of the Application. Such consent shall be deemed to be a general authorization within the meaning of Article 28 (2) of the GDPR. The Provider always informs the User about the intention to involve another processor beyond the processors mentioned in this paragraph, and the User has the right to objection.
- The Provider always keeps an appropriate choice of processors. All instructions for the other processors follow the laws and instructions of the Users regarding the provision of the service.
- The Provider undertakes to ensure that the other processors or persons involved in the processing under the Provider's mandate always meet a high standard of trust, for example by concluding a confidentiality agreement or subcontracting agreement.
- The Provider undertakes to secure personal data by Article 32 of the GDPR. The parties declare that, at the date of conclusion of the contract, the Provider has taken technical measures to ensure the security of personal data by encrypting the data transfer to the servers of Salesforce.com, Inc. and Google LLC using the HTTPS protocol.
- The User acknowledges that he has full control of and responsibility for the data he/she enters and states when using the Application. The User must meet the requirement for accuracy, purpose and storage limitation and minimization of stored data.
- Data contained in previously generated documents are kept for five years when the User has access to it. If the User does not express the request for handing the data over, then data is automatically deleted. The Provider and the processors are not liable to the User for any loss resulting from the loss of data embedded in the Application.
- The parties are obliged to cooperate in case of suspicion of misuse of personal data. The Parties shall use their best endeavours and take steps to avoid the risk of misuse of personal data.
Other Stipulations Regarding Personal Data
- The following provisions apply to the processing of personal data by Application where the Provider is in the position of data controller or processor and is part of the data processing agreement under Article III. Where the provisions of Articles III and IV differ, the provisions of Article III always prevail.
- The Provider does not process personal data of children or specific categories of personal data, so-called sensitive personal data, within the meaning of Article 9 GDPR.
- Authorized processors always handle data within the limits of this Policy.
- The Provider may use and collect the technical data and related information including technical information about the User, system, and Application software and peripherals that are regularly collected to facilitate the provision of updates, Application support, and other Application-related services, through the Website. The Provider is entitled to use this information to improve his/her products or to provide services or technologies, and only for the period that is necessary.
- Once the reason for processing the data has ceased, the Provider discards the personal data.
- The Provider use his/her best endeavours to prevent unauthorized processing of personal data by other persons but is not liable to the User or other data subjects for any harm caused by unauthorized processing of personal data by third parties.
- Provider stores the personal data on his servers located in the Czech Republic. Besides, personal data is stored on third-party storages that are treated as the processor of the Users and Providers data. The storage of personal data is governed by their terms of service, consistent with the EU-US Privacy Shield. User agrees to submit Personal Information to the following processors:
- Data Centres Heroku (PaaS) provided by Salesforce.com, Inc., San Francisco, California, USA and
- Data Centres Google LLC, LLC, Mountain View, California, USA providing G Suite.
- Emails sent by the Provider to the User are not considered as unsolicited commercial communications within the meaning of Law No. 40/1995 on Advertising and Act No. 480/2004 on Certain Information Society Services.
- If the Provider becomes aware of the personal data security risk, he/she notifies the User without undue delay.
- The Provider undertakes, in the event of damage regarding the leakage of personal data or other situation leading to the occurrence of harm, to provide the User with assistance and legal assistance in recovering compensation from the responsible processors. However, the Provider is not liable for the damages caused by mistakes of the processors.
- The User confirms that the personal data provided are true, accurate and relate solely to his or her person, or that he/she has provided data whose use did not interfere with the rights of third parties. The User will always notify of changes in personal data so that only up-to-date and complete data can be processed. The User will notify the Provider at the request of the Provider or even without the request.
- The Provider will process the personal data in electronic form in a non-automated manner. Anonymized personal information can also be processed automatically. Data subjects will not be subject to an individual automated decision within the meaning of Article 22 of the GDPR.
Assistance in handling personal data
- If the User thinks that his data is not processed correctly, e.g., unlawfully or in a way that is privacy infringing, he can:
a) ask the Provider for an explanation by sending an e-mail to email@example.com
b) lodge an objection to processing for legitimate interest by e-mail to firstname.lastname@example.org
c) request the Provider by e-mail at email@example.com for providing with the information about the extent or manner of processing of personal data. The Provider provides such information within a reasonable period (maximum 30 days).
- The User also has the right to directly contact the Czech Office for Personal Data Protection (www.uoou.cz).