Information for CUSTOMERS according to Articles 13 and 14 of the GDPR

In accordance with Articles 13 and 14 of the GDPR and on the basis of the relevant provisions of the Principles for the Processing and Protection of Personal Data (‑policy‑en/), Aspena, s.r.o., ID: 607 51 185, with its registered office at Brno, Veveří, Gorkého 64/15, Postal Code 602 00, registered in the Commercial Register under File Number: C 19243, maintained by the Regional Court in Brno, as a personal data administrator (hereinafter referred to as „the Company“), informs the Company’s Customers about the processing of personal data:

1.   Name and Contact Information of the Company

Aspena, s.r.o., ID 607 51 185, with its registered office at Brno, Veveří, Gorkého 64/15, Postal Code 602 00, e‑mail: 

2.   Personal Data Protection Officer

The Company is not required to have a Data Protection Officer.

3.   Purpose and Legal Basis for Processing Personal Data

  • For the purpose of processing personal data according to the GDPR, the Company considers the Customer to be a natural person who:

            a)  provides the Company with their personal data for the purpose of using the services of the Company,

            b)  is authorised to act on behalf of the legal entity of the Customer for the purpose of using the Company’s services, and for this purpose providing the Company with personal data.

  • The Company obtains personal data from the Customer through the following methods:
      • directly from the Customer through an email or the order form on the Company’s website, as well as during a personal visit to the Company’s premises or in a personal meeting with the Customer;
      • from publicly available records (e.g. the Commercial Register, Trade Register, etc.), or social networks, in which case the Customer is asked to consent to the processing of personal data.
  • The Company processes the obtained personal data from the Customer in an automatic and manual manner.
  • The Company processes the personal data of the Customer in accordance with the GDPR for the following purposes, on the basis of and within the legal titles for the processing of personal data mentioned below:
      • The implementation of pre‑contractual arrangements, or the execution of measures taken prior to concluding a contract at the request of the Customer in case the Customer enters into a legal relationship with the Company (legal title according to Article 6, Paragraph 1, Letter b) of the GDPR),
      • The Customer’s consent to the processing of personal data in case the Company initiates a legal relationship with the Customer; prior consent (legal title according to Article 6, Paragraph 1, Letter a) of the GDPR) is required for processing the personal data of the Customer during the pre‑contractual phase,
      • The fulfilment of a contract to which the Customer is a party – mainly the identification and contacting of the Customer, the conditions of contract performance, information necessary to change the content of the contract, and the rights and obligations of liability for defects (legal title according to Article 6, Paragraph 1, Letter b) of the GDPR);
      • Compliance with the legal obligations applicable to the Company, being an accounting entity and a tax subject and, for this reason, retaining documents and accounting documents that may contain the Customer’s personal data, as well as compliance with the Company’s legal obligations within the liability for defects (Article 6, Letter c) of the GDPR);
      • The fulfilment of the legitimate interests of the Company – mainly the judicial or extra‑judicial recovery of receivables from the Customer, sending the newsletter to the Customer, evaluation of the Customer’s provided services, and the subsequent demand for the Customer’s services (Article 6, Letter f) of the GDPR).

4.   Category and Source of the Data Subject’s Data not Obtained Directly from the Customer

  • The Company acquires the Customer’s personal data either directly from the Customer or from publicly available sources (the Commercial Register, Trade Register, and other public records), also using the Customer’s voluntarily published information on social networks.
  • If the personal data are not obtained directly from the Customer, the Company hereby declares in accordance with the GDPR that the Customer will process the following personal data: identification and contact details to the extent of name, surname, address, e‑mail address, telephone number, Tax ID, as well as traffic data (e.g., payment data, contract data).
  • The Company processes the Customer’s special personal data only if he/she is the subject of a contract. In this case, the Company is in the position of a personal data processor for the Customer (for example, if information on health status is part of a translated document).

5.   Legitimate Interests of the Company

The Company mainly applies the following legitimate interests in the processing of personal data:

  • Marketing – sending a newsletter to a Customer established in the IS of the Company for the purpose of maintaining and increasing awareness of the Company’s services,
  • The recovery of receivables – the judicial or extra‑judicial recovery of possible receivables from the Customer,
  • The improvement of the provided services and development of business activities, sales statistics, etc. – based on its own initiative and the suggestions of the Customer, the Company is continuously trying to improve the provided services while maintaining the minimum degree of interference with the personal data protection rights of individuals.

6.   Recipient of Personal Data

The Company reserves the right to disclose the personal data of the Customer to the employees of the Company if necessary for the performance of their work duties, and to further processors with whom the Company has a personal data processing agreement (e.g. for accounting, IT and marketing services) as well as institutions in accordance with the law, mainly state authorities and other public administration authorities, on the basis of the legal obligation to provide personal data.
If the personal data of the Customer or a third party are part of the subject matter of the contract (e.g. in a translated document), the Company has the status of the processor of these personal data and processes the personal data solely according to the Customer’s instructions as laid down by the contract with the Customer. In these cases, the Company reserves the right to transfer the personal data contained in the subject matter to another processor while ensuring the security of such personal data.

7.   Transfer of Personal Data to Third Countries or International Organisations

The Company does not have the intention of transferring personal data to third countries outside the EU or to international organisations.

8.   Period for Retaining Personal Data

The Customer’s personal data will be retained by the Company for the duration of the contract with the Customer or for 10 years from entering the personal data of the Customer into the IS of the Company. Upon termination of the contract with the Customer, the personal data of the Customer will be retained to fulfil legal obligations according to the applicable laws (especially in the field of accounting and taxation) and at the same time for 10 years after the termination of the contract in order to execute the above‑mentioned legitimate interests of the Company.

9.   The Rights of the Customer in the Processing of Personal Data

The Customer may exercise the following rights with the Company in relation to his/her personal data, by e‑mail to the address

  • Right to Access Personal Data,
  • Right to Modification,
  • Right to Deletion,
  • Right to Restriction of Processing after a Certain Period,
  • Right to Portability,
  • Right to Object Against Processing due to Legitimate Interest.

10.   Right to Revoke Consent

If the processing of personal data is based on consent, the Customer may at any time revoke this consent by e‑mail through

11.   Right to File a Grievance

The Customer has the right to file a grievance with the Personal Data Protection Office if he/she considers the processing of his/her personal data to have violated the GDPR.

12.   Legal/Contractual Requirement to Provide Personal Data

The provision of the Customer’s personal data is primarily a contractual requirement. If the Customer does not provide the personal data, the contract will not be concluded.

13.   Automated Decision‑Making, including Profiling

The personal data of the Customer are not subject to automated decision‑making or profiling.