PREMISE

Ukryt, z. s. (hereinafter, also “the Organization” or “Ukryt”) is aware of the importance of safeguarding privacy and people’s rights and since the Internet is a potentially strong tool for the circulation of your personal data, it wanted to seriously commit itself to respect rules of conduct – in line with European Regulation 679/2016 of the European Parliament and of the Council,  of 27 April 2016 on the protection of individuals with regard to the processing of personal data, as well as on the free movement of such data (hereinafter “GDPR”) – which guarantee secure, controlled and confidential surfing the network.

This policy of protection of the confidentiality of information may change over time, also depending on the additions and legislative and regulatory changes on the subject or for our institutional decisions, therefore, we invite you to periodically consult this section of our site.

We, therefore, invite you to read the rules that our association has imposed on itself in collecting and processing personal data and in always providing a satisfactory service to users of its site.

BASIC PRINCIPLES OF UKRYT’S PRIVACY POLICY

• carry out the processing (Article 4, paragraph 2, GDPR: “any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available,  the comparison or interconnection, limitation, cancellation or destruction”) of personal data (Article 4, paragraph 1, GDPR: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”) solely for the purposes and in the manner described in the information to be provided that is presented  to the user from time to time who accesses a section of the site in which the direct or indirect provision of personal data is envisaged;
• use the data that has been released spontaneously by the user;
• use technical cookies to facilitate navigation on the site and analytical cookies for statistical purposes;
• use profiling cookies only if the user has given consent to such use;
• transmit data to third parties (data processors – art. 4, paragraph 8, GDPR: “art. 4, paragraph 8, GDPR: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”) exclusively for purposes instrumental to what is expressly requested and carefully selected by us;
• communicate the data to third parties for activities related to what is of interest or if this is required by law, regulation or community legislation;
• subject to explicit consent (Article 4, paragraph 11, GDPR: “any free, specific, informed and unequivocal expression of the will of the interested party, with which the same expresses his consent, by declaration or unequivocal positive action, that personal data concerning him are processed”), communicate the data to third parties for their independent processing;
• respond to requests for access to personal data, rectification, or cancellation of the same, the exercise of the right to be forgotten, limitation of processing or the right to oppose their processing. Ensure the exercise of the right to data portability as well as oppose the processing of data for the purposes of informative communications on our projects and requests for economic contributions to support our institutional activities;
• ensure correct and lawful processing of your data, safeguarding your confidentiality, as well as apply appropriate security measures to protect the confidentiality, integrity and availability of the data.

INFORMATION TO BE PROVIDED PURSUANT TO ART. 13, GDPR AND AN OUTLINE OF THE CRITERIA USED TO DELIMIT DATA RETENTION LIMITS

As better explained in the sections that allow you to adhere – by releasing your personal data – to the services reserved for users of our site, the requested data are used to respond to requests expressly made by the user. In particular, all data collection activities – and subsequent processing – are aimed at pursuing Ukryt’s institutional purposes and, in particular, for regular and one-off donations, carried out in various ways (credit card, bank domiciliation, PayPal or other); membership or request for information on the distance membership project; subscription to our newsletter; request for collaboration with our organization; signing petitions, initiatives or specific projects; request for information; all the various forms of support for Ukryt’s initiatives.

The forms to be filled in – online or to download – include both data that are strictly necessary to adhere to what is of interest and whose failure to indicate does not allow the request to be processed, and optional conferment data. Therefore, the user is free to provide personal data contained in the request forms or indicated in contacts with the Organization to request information or for the other purposes listed above. In these cases of mandatory provision of data, their absence may make it impossible to obtain what has been requested. The need to request data as mandatory for adherence to individual projects or initiatives or to make requests has been considered in compliance with the provisions of art. 25, GDPR (“Data protection by design and by default”), which require an assessment of appropriate technical and organisational measures, such as “pseudonymisation” (Art. 4(5) GDPR: “the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information,  provided that such additional information is kept separately and subject to technical and organisational measures to ensure that such personal data are not attributed to an identified or identifiable natural person”), aimed at effectively implementing data protection principles, such as minimisation, and integrating the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. In addition, Ukryt has put in place appropriate technical and organisational measures to ensure that only personal data necessary for the specific purpose of the processing resulting from the project to which the data subject has voluntarily subscribed are processed by default.

Personal data will be processed, mainly electronically and with statistical analysis tools, by Ukryt, z. s. – data controller – Vresova 677/5 Praha 8 Troja 18100 Czechia, for the completion of all phases related to the management of donations, adherence to our projects and specific humanitarian appeals and in general of actions to support Ukryt initiatives,  as well as related instrumental activities (e.g. communications on payments, donation summaries), as well as to comply with administrative and other mandatory rules under the law in force in our country or by virtue of EU decisions.

For the aforementioned purposes, the data will be kept until the conclusion of all the relative phases of the relationship established and within the terms and limits set out in the applicable regulations, in particular administrative, civil and fiscal.

Furthermore, if desired, the data acquired by Ukryt and those that it will acquire during the relationship with the interested party will be processed for purposes of promotional, informative and institutional contacts on our projects, activities and fundraising initiatives, surveys and research reserved for donors, through actions designed in a personalized manner based on the characteristics of behaviour (eg:  amount donated, donation frequency, area of residence), interests and preferences with respect to our actions, with the consequence of identifying the interested party as a potentially interested party in our initiatives with certain characteristics (eg projects, distance support, testamentary legacies, adherence to petitions, etc. ..) and to direct him only content in line with his needs (“profiling”). It should be noted that the contact actions carried out by Ukryt are only personalized as described (“profiled marketing”), in order to avoid unwelcome contacts or contacts, not of interest to the interested party: consequently, since profiling is structurally connected to each action for promotional purposes of Ukryt, a single expression of consent is required for such contacts.

The aforementioned activities may take place through both traditional contact methods (paper mail and telephone calls by operators on fixed and mobile numbers) and automated and similar (specifically, via e-mail and SMS).

For this purpose, the data (including profiling data) will be kept until the possible revocation of consent by the interested party or the exercise of the right of opposition to which it is due; failing this, they will be kept as long as Ukryt continues its mission with projects, initiatives, actions and activities that require financial contributions or that encourage awareness (e.g. petitions, adhesions to emergency projects) consistent with the profile of the interested party. Subsequently, they will be anonymized for statistical purposes. The data will also be processed by external managers responsible for services related to the above.

The persons authorized to process for the aforementioned purposes are those involved in managing relations with actual and potential donors, administration, organization of awareness campaigns and institutional and statutory activities, call centre, Web services, information systems and data security.

Pursuant to art. 15-22, GDPR, by writing to the owner at the relevant postal address or to the email pavel@ukryt.org you can exercise the rights of access, consultation, rectification, cancellation and oblivion, limitation of data processing and – where appropriate – obtain the transmission to another holder (data portability), as well as oppose their processing for legitimate reasons or revoke your consent.

With particular reference to the processing for profiled marketing purposes, it should be noted that the interested party has the right to object at any time, and without giving any reason, to the processing of his data for these purposes, and that he may exercise the right of opposition also separately for traditional and automated contact activities: if it is not specified to which contact methods he refers,  The objection to the processing of data for profiled marketing will be understood to be extended to all contact tools.

RIGHTS OF DATA SUBJECTS CONCERNING THEM

You can exercise, at any time, at the address pavel@ukryt.org (alternatively, by writing to Ukryt, z. s. – Vresova 677/5 Praha 8 Troja 18100 Czechia the rights pursuant to articles 15-22, GDPR below:

Right of access (Article 15, GDPR)

The person has the right to request whether his personal data is being processed and, therefore, has the right to access information concerning him and to have news on:

• purpose of the processing (e.g.: management of a donation);
• categories of personal data; (e.g., personal data, behavioural data)
• recipients or categories of recipients to whom the personal data have been or will be communicated, in particular, if recipients of third countries or international organizations.
• where possible, the envisaged retention period of personal data or, if not possible, the criteria used to determine this period.
• existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to their processing.
• the right to lodge a complaint with a supervisory authority;
• if the data are not collected directly from the person, all available information on their origin;
• existence of an automated decision-making process, including profiling and significant information on the logic used, as well as the importance and expected consequences of such processing for the person. (e.g.: if the person has associated a profile of donation habits by crossing the donation amount frequently and campaign).

Right to rectification (Article 16, GDPR)

The person has the right to obtain the rectification of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the individual has the right to have incomplete personal data completed, including by providing a supplementary statement.

Right to erasure (“right to be forgotten”) (Article 17, GDPR)

The person has the right to obtain the cancellation of personal data concerning him or her if he or she is obliged to delete personal data without undue delay, for one of the following reasons:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the consent on which the processing is based is revoked and if there is no other legal basis for the processing (eg: own legitimate interest, regulatory or contractual obligations);
• you oppose the processing for marketing and profiling purposes and there is no legitimate overriding reason to proceed with the processing;
• the personal data have been unlawfully processed;
• the personal data must be erased to comply with a legal obligation under Union or Member State law to which it is subject.

Right to restriction of processing (Article 18, GDPR)

• The person has the right to obtain the limitation of the processing of his personal data when one of the following reasons exists:
• the person disputes the accuracy of the personal data, for the period necessary to verify the accuracy of such personal data;
• the processing is unlawful and the person opposes the erasure of the personal data and requests instead that its use be restricted; (e.g.: does not intend that the processing is carried out for marketing purposes but only for management and administrative purposes)
• although the data are no longer needed for the purposes of the processing, the personal data are necessary for the person to ascertain, exercise or defend a right in court;
• the person has opposed the processing if the processing is based on his legitimate interests, pending verification of the possible prevalence of his legitimate reasons with respect to those of the person.

Notification obligation in case of rectification or erasure of personal data or restriction of processing (Article 19, GDPR)

The person has the right to request that the rectification or erasure of data or restriction of processing be communicated by Ukryt to other persons to whom the data may have been communicated. Ukryt may not comply with the request if the means to be employed are disproportionate to the right to privacy invoked by the person.

Right to data portability (Article 20, GDPR)

This right allows the person to receive in a structured, commonly used and machine-readable format the personal data concerning him / her provided to a subject who subjects his data to processing and has the right to want to transmit such data to a subject for use of the latter without hindrance by the subject to whom he provided them. This right can be exercised in the following cases:

• the processing is based on consent or on a contract or on pre-contractual measures requested by the same person and, at the same time,
• the processing is carried out by automated means.
• The person has the right to have his data transferred directly from one subject to another (from the one to whom he has given them to the one to whom he wants them to be transmitted), if technically possible.

Right to object (Article 21, GDPR)

The person has the right to object to the processing of his data for the pursuit of the legitimate interest of Ukryt or third parties, provided that the interests or fundamental rights and freedoms of the person who require the protection of personal data do not prevail, including for profiling purposes.

If personal data are processed for marketing purposes, the individual has the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling to the extent that it is related to such marketing activity.

Automated individual decision-making, including profiling (Article 22, GDPR)

The person has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person. In particular, you have the right to object to the profiling to which you are subjected through automated processes.

This right cannot be exercised if the decision:

• it is necessary for the conclusion or performance of a contract;
• it is authorised by Union or Member State law to which one is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the individual;
• is based on explicit consent.

The person has the right to express his or her opinion and to contest Ukryt’s decision.

CRITERIA USED TO DEFINE THE DATA RETENTION LIMIT

The data will be kept in our archives (Article 4, paragraph 6, GDPR: “any structured set of personal data accessible according to specific criteria, regardless of whether this set is centralized, decentralized or distributed in a functional or geographical way”) according to variable criteria depending on the category of the data, the nature of the processing and the purposes of the processing itself. The criteria or the precise limit of conservation are described in the information to be provided pursuant to art. 13, GDPR at the time of providing personal data.

In principle, the following Ukryt assessments apply to determine the data retention policy:

• all data with respect to the various forms of support for Ukryt’s initiatives are kept as long as the relationship remains active and for a number of years equal to what laws, regulations, including EU ones, impose for administrative and accounting purposes
• all data used for marketing activities with profiling, the processing of which is supported by a positive action of the person to such processing, explicitly declaring to desire it, are kept as long as the profile of the interested party is in line with the personalized communications created through the crossing of the information available to us and, therefore, as long as Ukryt continues its mission with projects,  initiatives, actions and activities that require financial contributions or that encourage awareness (e.g. petitions, emergency appeals, requests for opinions and surveys) that are of interest to the person who has expressed the desire to receive information of this content and that reflect the characteristics and behaviors of the person and are, therefore, of his specific interest and not disturbing. Also in this case, this retention will cease if the interested party expresses opposition at any time to the processing of personal data concerning him carried out for these purposes, including profiling to the extent that it is connected to such direct marketing.

After the periods set out above, the identification data are transformed into anonymous form and used only for statistical reports that do not allow to trace the identity of the person but which are useful for adapting the projects, initiatives and actions for the realization and achievement of the statutory and institutional objectives of Ukryt. Personal data will, therefore, be destroyed.

DATA PROCESSORS

Your personal data may be processed, either manually or electronically, or directly by Ukryt or by third parties who, with experience, technical skills, professionalism and reliability, carry out processing operations on behalf of our association, respecting the security and confidentiality of the information and constantly controlled by us in their work. The data processor is “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller” (Article 4, paragraph 8, GDPR) and is contractually bound by Ukryt, with the definition of the limits of operation on the data, the data that can be processed and the categories of interested parties to whom they refer,  and with the prohibition to make use of it other than the assignment entrusted. It may, if formally authorized by Ukryt, make use of other managers, who are contractually bound by the manager appointed directly by Ukryt: violations committed by such other managers fall under the responsibility of the first response and not of Ukryt.

The complete and updated list of data processors (and, where appropriate, of the managers appointed by the first manager, subject to the authorization of Ukryt) can be requested at the e-mail pavel@ukryt.org (alternatively, by writing to Ukryt, z. s. – Vresova 677/5 Praha 8 Troja 18100 Czechia).

THIRD PARTIES TO WHOM YOUR DATA HAS BEEN COMMUNICATED

Your data may be made available to third parties, and independent data controllers, for purposes related to the provision of services of interest or in compliance with laws and regulations that provide for communication, as well as to supervisory bodies. For example, they will be made available to credit institutions or credit card issuers to allow the transactions necessary for the donation, as well as PayPal.

WHAT COOKIES ARE AND HOW THEY ARE USED BY UKRYT, Z. S.

Cookies are information stored on your PC’s hard drive and sent by your browser to a web server and refer to your use of the network. As a result, they allow you to know the services, the sites frequented and the options that, surfing the net, have been manifested.

This information is not, therefore, provided spontaneously and directly, but leaves a trace The data collected through cookies will be used for technical needs, in order to ensure easier, immediate and rapid access to the site and its services and easier navigation for the individual user.

Profiling cookies may also be used, subject to the user’s consent, to create user profiles based on the sections of the site or the actions performed by the user on this site or surfing the net.

The use of so-called session cookies (which are not stored permanently on the user’s computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow the safe and efficient exploration of the site. The so-called session cookies that are used on this site avoid the use of other computer techniques potentially prejudicial to the confidentiality of user navigation and do not allow the acquisition of the personal identification data of the user. In any case, you can configure your browser so that you are notified when a cookie is received and then decide whether to accept it.

To know our policy on cookies and third-party cookie policies, please read the extended information by clicking here.

NAVIGATION DATA

The computer systems and software procedures used to operate this site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users, but by their very nature could, through processing and association with data held by third parties, allow the identification of the users themselves. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful,  error or similar) and other parameters relating to the operating system and the user’s computer environment. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.

THE SECURITY OF YOUR PERSONAL DATA

Ukryt, z. s. adopts appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of your personal data. As established by the regulatory provisions governing the security of personal data, technical, logistical and organizational measures are developed that have as their objective the prevention of damage, loss, even accidental, alteration, improper and unauthorized use of data concerning you.

In particular, Ukryt has put in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk that could affect the rights and freedoms, including confidentiality and confidentiality, of individuals. It adopts security policies that include, among others:

• “pseudonymization” (Art. 4(5) GDPR: “the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organisational measures to ensure that such personal data are not attributed to an identified or identifiable natural person”) and data encryption
• systems that permanently safeguard the confidentiality, integrity, availability and resilience of processing systems and services
• systems to restore timely availability and access of personal data in the event of a physical or technical incident
• procedures to test, verify and regularly evaluate the effectiveness of technical and organizational measures in order to ensure the security of processing.

Similar preventive security measures are adopted by third parties (data processors) to whom the Organization has entrusted processing operations of your data on its own behalf.

On the other hand, the Organization is not responsible for untruthful information sent directly by the user (example: correctness of the e-mail address or postal address or other personal data), as well as information concerning him and that has been provided by a third party, even fraudulently.

CREDIT CARD AND FINANCIAL INFORMATION

In the case of a donation made by credit card, Ukryt guarantees maximum confidentiality and security. The financial information of the credit card (number, expiry, general information of the holder) can only be known by the issuing institution.  Ukryt will only become aware of a code (“token”) that cannot be traced back to the details of the credit card.

If the donation is made through PayPal, you will be redirected to the PayPal site and, therefore, the criteria of confidentiality and security are the sole responsibility of PayPal, excluding any liability on the part of Ukryt.

Finally, in general, Ukryt, z. s. assumes no responsibility with reference to unauthorized or fraudulent use by third parties of the information relating to the tools used for the transaction connected to the donation.