Personal Data Security and Protection

The following text describes how we use and process the personal data that you provide to us. Here you can find information about how to contact us if you have any questions regarding personal data. We will be happy to answer any questions.

Controller’s identity and contact details

Company/first name and surname: CRYFIN Investments s. r. o.

Registered office: Československé armády 254/8, 500 03 Hradec Králové

Company ID number: 05201748

E-mail: info@cryfin.com

What type of personal data do we gather?

We only gather personal data for the purpose of communication with website users, the realisation of a service offered or the sale of goods based on the performance of a concluded contract. This concerns your First name, Surname, Delivery address, Invoicing address, E-mail address and payment details in accordance with the type of payment.

For what purpose do we process personal data?

Personal data processing is necessary for communication with website users or the performance of a contract arising through the ordering of services offered for the following purposes:

  • Information about product news.
  • Service realisation.
  • Information about the state of an order.
  • Delivery of goods ordered.
  • Dealing with a complaint.

We need an e-mail address so that we can inform you of discounts and special offers, competitions and other interesting news. You have to give your conscious consent to this expanded marketing communication. Consent takes place through the completion of a form for registration for such e-mails, or confirmation of an e-mail that was sent based on an order for a service/product.

If you do not want to receive such information, you can rescind consent at any time. You can find this option in every newsletter you receive. You can contact us at the authorised person’s e-mail address.

What personal data do we share with third parties?

The website is linked to several third-party applications that process data for their purposes. You can find a complete summary of third-party applications that use our website in the following table:

Service name | Data | Purpose | Type of consent
--- | --- | --- | ---
Facebook | Cookies, anonymous data about behaviour and interests of group. | Controller’s legitimate interests. | Opt-out, consent is not necessary.
Google analytics | Cookies, anonymous data about website use. | Analysis of anonymous data. | Consent is not necessary.
Google Adwords | Cookies, anonymous data about website use. | Optimisation of campaigns based on anonymous data. | Consent is not necessary.
Mailchimp | E-mail address | Management and sending of e-mail communication. | Controller’s legitimate interests, customer’s consent.
Smartsupp | Cookies, anonymous information about behaviour at website. | Analysis of data about customer’s behaviour at website. | Not necessary.

Using third-party applications, we gather information about your computer. These data are anonymous. They cannot identify you as a person and are used only to create statistics and to subsequently analyse them.

How we use cookies

We use third-party cookies, which anonymously store information about website visits. They can be used for analytical or marketing purposes. All information in the cookies that we store is anonymous. Cookies cannot be monitored automatically – we use the opt-in variant – i.e. we track cookies only after getting the consent of a website user.

What security procedures concerning personal data storage do we use?

The provider has adopted and maintains such technical and organisational measures so that there cannot be unauthorised or random access to personal data, they cannot be altered, destroyed or lost, transferred without authorisation, otherwise processed without authorisation or otherwise abused.

  • Anonymisation of personal data.
  • The ability to recover the accessibility of personal data and access to them in time and in the case of physical and technical incidents.
  • The process of regular testing, assessing and evaluating the effectiveness of technical and organisational measures introduced to ensure the security of processing.
  • Multi-level firewall.
  • Antivirus protection and checks on unauthorised access.
  • Encrypted data transfer using IT technology.
  • Access to personal data only for authorised persons of the Provider.
  • Servers with personal data locked in the server room.

How can you check the personal data that you provided?

If you want to verify what specific data we work with, please contact the authorised person – see the e-mail address in the first part of this page. You can act in the same way if you want to remove your personal data.

General Provisions

  1. A customer voluntarily provides his personal data and consents to their provision to third parties under the conditions set out below.
  2. The personal data will be processed in electronic form automatically or in printed form non-automatically.
  3. If the website user is of the opinion that the controller or processor is performing the processing of his personal data in conflict with the protection of his private and personal life or in conflict with the law, in particular if the personal data are imprecise with regard to their purpose of processing, he can:
    • ask the seller or processor, using its e-mail address or in writing, for an explanation,
    • ask the controller or processor, in a request sent to its e-mail address or in writing, to correct such a state.
  4. If a website user asks for information regarding the processing of his personal data, the seller is obligated to hand over such information to him using his electronic address or in writing by post. The controller is entitled, in return for the provision of information in accordance with the previous sentence, to ask for reasonable payment not exceeding the costs necessary for the provision of information, in the event of a repeat request.
  5. The seller is a properly registered personal data controller. The customers’ personal data are secured against abuse. The handling of the customers’ personal data is governed by the relevant provisions of Act No. 110/2019 Coll., on Personal Data Protection and on an amendment to some acts, as amended.
  6. You can report all errors, questions, leaks or abuse of personal data to the Office for Personal Data Protection (OPDP).

Principles for Personal Data Protection

These “Principles for Personal Data Protection” apply to the provider’s services. Under this document, the service provider CRYFIN a. s., company ID number: 05201748, Československé armády 254/8, 500 03 Hradec Králové, undertakes to apply and comply with the principles stated below with regard to Regulation No 2016/679 of the European Parliament and of the Council (the “General Data Protection Regulation”) regarding data subjects. The regulation is valid from 25 May 2018. The joint controllers act, in relation to them, as the controller or processor of the personal data.

The principles of protecting personal data apply to the following situations:

  • Provision of online services.
  • Management and performance of a contract.
  • Performance of a contract of employment or performance of statutory duties by the employer.
  • Selection of job seekers and assessment of recruitment proceedings when hiring new employees, for the purpose of negotiations on the conclusion of a contract of employment or an agreement concluded outside an employment relationship.
  • Subscription to newsletters, etc.
  • Processing of personal data obtained as a part of registration, establishing and altering a profile.
  • Personal data gathered by third parties in favour of the controller, if it occurred.

Principles for Processing Personal Data

The regulation introduces some new duties and principles, which we apply in the area of personal data protection. We always try to work with precise and, where needed, updated data, we store them only for the necessary time and handle them in a manner that ensures their appropriate security. Your rights in relation to personal data processing are specifically defined in the text below.

Information Gathered

We divide data gathered into two categories: on the one hand they are data that a user provides to us directly (e.g. through registration for a service, a contract), and on the other hand they are data that we obtain through your activities when using our service (e.g. information regarding cookies, analytical information, etc.).

Data You Provide Us with Directly as a User

Online Form

This is a record of data completed in forms and fields as part of a service. The data are processed based on the performance of a contract with the aim of providing the requested service, though always in accordance with the facts that are stated in the contractual conditions and the information about principles for personal data processing. Data processing takes place for compliance with an obligation that arises regarding you.

Data when Registering for Our Service

We work with data in the form of a unique code for the relevant installation (if it exists), the IP address of the terminal device, cookies issued and information about the method of using the relevant data. We do so in accordance with the legal grounds in the form of performance of a contract and with the aim of ensuring our service is functional for you. We do not work with specific data (content) that arise through your activity as a part of the service. Data processing takes place for the performance or closing of an obligation arising regarding you.

Direct Consent to Service Provided by Us

In addition to the service that brings you contacts and information, we have the option of having closer contacts with you, specifically by sending our marketing and commercial messages. This is always, however, based on a legal reason in the form of legitimate interest or consent to personal data processing and under the conditions stipulated by the Regulation.

Data We Obtain through Your Activity

Information about Issued Online Identifiers

Cookies are short text files that are created by visited websites and they are saved on your device through a browser. Cookies primarily contain information about settings related to the website visited (e.g. the chosen language, information about logins or preferred pre-selections as a part of a visited website). When you return to it, the browser returns to it the identifiers that it has linked to the relevant website. Thus, the website retains your settings. Cookies can only be stored if you yourself enable this. We use various types of cookies, which you can display and manage in your browser, for the operation of our services.

There are three basic categories of cookies: advertising, identification and technical.

Legal Grounds and Purposes of Processing Personal Data

As part of the activities of CRYFIN Investments s. r. o., personal data is processed only for the purpose of one of the following legal grounds:

Legal Grounds for Personal Data Processing

Performance of Contract

We use this legal ground in a situation where personal data processing takes place for the purpose of concluding, performing or terminating a contractual relationship between you and CRYFIN Investments s. r. o. We will not process your personal data for other purposes without additional consent.

Legitimate Interest

When complying with the conditions stipulated below, the Regulation gives us the option to base the processing of your personal data on our own subjectively-determined interest. So we can do this, we have to inform you of the right to object to the processing and the right to erasure and also to assess legitimacy. We have to define the legitimate interest (in accordance with the law). The category of legitimate interest is ordinarily complied with by direct marketing activities.

Processing with Consent

Through consent, you give us your approval to process your personal data. Its form is precisely defined in the Regulation. Our duty is to prove that consent was given (or by whom, when and how consent was granted). We also base actions on this legal ground when you approve personal data processing. We will provide you with a request for consent to personal data processing separate from other facts (e.g. conditions for the relevant service). In the same way, we mention your right to rescind consent granted.

Performance of Legal Duty

If the processing of your personal data results from specific national or European legislation, we are obligated to process your personal data. In these cases, we are in a situation where we do not have the choice of complying with authorities’ requests (set duties) or not. An example is a court decision on the matter of gathering and handing over specific data to the authorities active in criminal proceedings.

Purposes of Personal Data Processing

We use personal data gathered for complying with a certain, expressly stated and legitimate purpose. We define the purpose by commencing the collection itself, where we inform you of it transparently.

As a part of our services, we process your personal data for the following purposes:

  • To provide a service.
  • To identify a contracting party before the conclusion of a contract.
  • To comply with a legal duty.
  • To improve and enhance our services.
  • To ensure the security of our services and to protect against abuse.
  • For the purpose of the direct marketing of our services.
  • To communicate with you.

Personal Data Storage

Our approach to gathered personal data is simple: if we cannot avoid personal data, we do not hold them for a period longer than necessary to achieve the purposes for which they were gathered. And where possible, we will have them anonymised or pseudo-anonymised. This approach is in accordance with the principle of restriction of storage, which anchors a duty to erase or anonymise personal data if we no longer need them to achieve the purpose of their gathering. Through active anonymisation, we implement the principle of the special-purpose restriction (not processing personal data for purposes other than for which they were gathered) and minimisation of their processing (processing only data that are necessary to achieve the set purpose). Exceptions apply in the form of duties that are determined by the legal regulations of the Czech Republic.

The period for storing personal data differs, with respect to the above and depending on the legal grounds selected.

Notification of Changes

It is in our interest for you to be informed of the changes that occur as a part of the service and can influence the form, extent or purpose of the processing of your personal data. We announce changes to the principles of protection of personal data based on an assessment of the real consequences, though always in a transparent and user-friendly manner. Whereas in the case of less serious changes we choose the path of a call for re-confirmation of the conditions for processing personal data, for more fundamental alterations we proceed to a more general information campaign with the aim of explaining the planned changes.

Summary of Your Rights

Below, we would like to inform you of the following rights that result for you directly from the Regulation:

  • To obtain a confirmation that we process your personal data and you have the right to access them.
  • To the rectification of personal data processed (the rectification of imprecise personal data or the right to the supplementation of incomplete personal data) and the right to their erasure under the conditions stipulated by the Regulation.
  • To the erasure of your user profile and all related personal data that we process about you.
  • To the restriction of processing if your personal data are not up-to-date or are being processed unlawfully.
  • To be informed of all rectifications, erasures and restrictions on personal data processing; i.e. with the exception of cases where it is not possible or requires unreasonable effort.
  • To the portability of personal data that you provided to us in the course of using our services, in a structured, ordinarily-used and machine-readable format; you also have the right to hand these data over to another controller, if the processing is based on consent or a contract, or the processing is performed automatically; in accordance with the Regulation, we would also like to notify you that your right to the portability of personal data cannot unfavourably affect the rights and freedoms of other persons.
  • The right to object to personal data processing that is performed for the purposes of the controller’s legitimate interest. The aforementioned definition covers the right to object to personal data processing for direct marketing purposes.
    • You can make an objection – an opt-out – in every marketing communication that we send you, right in the footer of the relevant text.

Termination of Use of Our Service

How long you use CRYFIN Investments s. r. o. services is up to you. From the viewpoint of personal data processing and protection, such a decision is related to the following fact: if there is no statutory reason for further retaining your personal data, the data will be completely erased from our servers. We will erase the data in a manner that makes their future recovery, and therefore any additional use by CRYFIN a.s., impossible (with respect to the validity of the aforementioned restriction). The Regulation gives you the right to the portability of personal data that you provided to us in the course of the use of our services, specifically in a structured, ordinarily-used and machine-readable format.

Personal Data Security

The security of our users’ data is a priority. As the controller, we guarantee suitable technical, procedural and organisational measures that ensure the standard of security corresponding to the relevant risk.

This concerns the following, in particular:

  • We have an ingenious system of access rights and verification of their effectiveness in such a manner that unauthorised persons cannot access them;
  • Our organisational structure and internal rules reflect the requirements for personal data protection;
  • We regularly back up personal data and technically secure them in accordance with current security trends;
  • In accordance with the type and need for personal data processing, we pseudo-anonymise, encrypt or anonymise them;
  • We have adopted measures to ensure the ongoing confidentiality, integrity, accessibility and durability of the processing and service systems; we have processes and tools for recovering timely accessibility and access to personal data in the event of a physical or technical incident;
  • We regularly perform the testing, assessment and evaluation of the efficiency of technical and organisational measures to ensure the security of the processing;
  • We monitor and archive all access to processed personal data;
  • We store data in Microsoft’s OneDrive cloud repository and on our server repository. We have the data under control and we use the latest technologies for their management.

Reporting in Case of Interference/Leak of Personal Data

If there is interference with the security of personal data and it is probable that the nature and extent of the interference will result in a high risk to the rights and freedoms of natural persons, we will notify you of this immediately. In the notification we will clearly and comprehensibly describe the actual nature of the breach of personal data security and also provide you, at least, with the following information:

  • The name and contact details of the Guarantor for the GDPR at CRYFIN Investments s. r. o.
  • A description of the probable consequences of the interference with the protection of personal data.
  • A description of measures adopted or proposed to deal with the situation.

We will not take the aforementioned steps in a situation where the measures introduced make the attacked personal data incomprehensible (anonymisation of personal data, encryption), if we adopted such measures that the risk to your rights and freedoms will probably not arise and if it would require unreasonable effort. In such a case, we will, in accordance with the Regulation, provide information in the form of a public notification or similar measure.

Employees’ Duties in Connection with Processing

Employees are obligated to comply with generally binding legal regulations (in particular the GDPR), as well as internal regulations and procedures of CRYFIN a.s., if they process personal data to which they have access as a part of the performance of their duties.

Employees are obligated, in particular:

(a) To always comply with the relevant legal regulations, in particular the GDPR, when processing personal data;

(b) To familiarise themselves with the General Data Protection Regulation;

(c) To not negotiate access or otherwise process personal data over the framework necessary for the performance of their work; and

(d) To maintain strict confidentiality about all personal data to which they have access, even after the termination of an employment relationship.

We Will Be Happy to Answer Your Questions

We know that the new Regulation will lead to a lot of questions for all those involved. In the event of any lack of clarity in relation to the processing of your personal data, please do not hesitate to contact us at info@cryfin.com.

Right to Submit Complaint to Supervisory Authority

Exercising rights in the aforementioned manner does not in any way affect your right to file a complaint with the Office for Personal Data Protection, which is based at the address Pplk. Sochora 27, 170 00 Prague 7. You can exercise this right, in particular, in the event that you think that we are processing your personal data without authorisation or in conflict with generally binding legal regulations.
