Instructions on the processing of personal data of physical persons within the Portmonka service

This notice summarizes the basic principles of processing personal data by MAFRA, a.s. in the case of users of the Portmonka application. The Portmonka app is available for iOS and Android. You can install the app on your mobile devices. The data entered within the app is then transferred to our servers where we store it.

The Portmonka application is primarily used to manage your loyalty or discount cards and to receive loyalty coupons from individual companies - partners of the application.

The controller of personal data is MAFRA, a.s., with its registered office at Prague 5, Karla Engliše 519/11, Postal Code 150 00, ID No.: 45313351 (hereinafter referred to as "MAFRA"). When processing your personal data, we will be governed in particular by Regulation (EU) 2016/679, the General Data Protection Regulation (the "Regulation").

Registered users of the service

This part of the instruction summarizes the basic principles of the processing of personal data by MAFRA as far as registered users of the Portmonka application are concerned.

For what purposes do we process your data?

In this section we provide an overview of the purposes for which we will use (process) your personal data. Usually, each piece of data is used for more than one purpose at the same time. The means of processing, the duration of the processing, etc., are then determined by the stated purposes. In certain cases set out in the Regulation, we may also process your data for purposes other than those set out below, but these are exceptional and limited cases, which the Regulation makes subject to other conditions.

Our company does not process personal and other data of users of our services other than for the purposes permitted by law or for the purposes to which the user has consented.

The data collected within the Portmonka app is used for the following purposes:

• the performance of the concluded contract, or the provision of the Portmonka service that you use through our application, including records of users of this service and contractual relationships
• to protect our rights or the rights of third parties (e.g. in the event of litigation relating to our services)
• for statistical purposes (but in this context your data is usually aggregated in such a way that your identity cannot be determined)
• Portmonka app traffic measurement
• improving the content of Portmonka and its development
• Ensuring the security of our systems and network from external attacks or misuse by users in the usual market standard
• for the purposes of keeping accounting records and fulfilling other legal obligations (documenting consents with the processing of your personal data and the fulfilment of other obligations under EU Regulation No. 2016/679 and, where applicable, other data protection regulations)

• to the extent appropriate to send commercial notifications

We usually process your data on our own computer systems, although we may also use the systems of third parties (so-called processors).

Legal basis for processing

Any processing of personal data must be lawful - it must be based on one of the legal grounds for processing listed in the Regulation. As with the purpose, any data may be processed on the basis of more than one legal ground for processing. If all the legal grounds fall away, then we will stop processing your data. The possible legal grounds for processing are listed in Article 6 Regulation. Please note that if we process your personal data on the basis of your consent (e.g. data voluntarily provided by you), you have the possibility to withdraw this consent at any time (for withdrawal, please use the interface of the service you are using or contact us at the contacts below). Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

The legal basis for the processing of your personal data is the necessity of the performance of the contract, the use of the Portmonka application itself, the legitimate interests of MAFRA (given by the interest in protecting our rights, incl. The processing for statistical purposes, measuring traffic to our website and app, analysing your preferences, improving the content of our website and app and developing it, ensuring the security of our systems and network, and for direct marketing) and third parties (in particular our contractors involved in the operation of the application and proving our performance to the card operators), as well as compliance with legal requirements (prevention of tortious activity, compliance with requirements under data protection regulations (in particular the Regulation), bookkeeping, compliance with obligations under tax and advertising regulations (in particular Act No. 40/1995 Coll.) ).

Your consent may also be the legal basis for processing your data, e.g. for certain secondary functionalities.

Please note that the withdrawal of consent to the processing of personal data does not affect the lawfulness of processing based on consent given prior to its withdrawal.

What data do we process and what are its sources?

In this section you will learn what types of personal data we will process about you. Personal data means any information about an identified or identifiable natural person (also called a "data subject"); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. We will usually obtain the personal data we process about you directly from you or as part of a contractual relationship with you. In justified cases (in particular when recovering amounts owed), we may also seek further information about you from open sources.

The data we collect in relation to registered users of the Portmonka app will be collected primarily from you and will usually include your email, password (in a hashed form so that it is not easily readable) and gender as mandatory data. Optional data are first name, last name, date of birth, address, phone number. We will also process other information and documents entered by you in your profile, such as the specification of the discount cards you are using and clicks on the loyalty coupons displayed, etc.

In addition, we will process data about how you registered (usually by storing information about the method and time of registration, incl. Your IP address and the unique ID of the application from which you clicked the relevant box) and when you cancelled the registration.

We will also store logs of your activity within your account in the system to document your actions and as a security measure. In this context, we will collect related information about you, such as the IP address and unique ID of the application you use to log in to our services, the date and time you accessed those services and the changes you made.

If we are forced to cancel your registration, e.g. following a breach of the Terms of Service, we will retain your basic data and the reason for cancellation for a reasonable period of time.

The app also allows users to send loyalty coupons to the app's clients. Loyalty coupons can be targeted based on the information available to us, typically gender, age (if filled in), residence and by interests determined by the sections in which each card is classified.

For loyalty coupons (usually product-specific or in the form of a discount on a product category), we have an indication that the coupon has been activated, but we are not able to link this information to the purchase (we do not know whether the coupon was used to purchase a good or service).

We will thus obtain the personal data processed by us either directly from you (by providing it to us as part of your registration for the Service and your activity within the Service interface or from individual correspondence with you) or by tracking your activity within our Service.

Cookies are also used within our services (on the website). The general rules for their use can be found here.

How long will we process the data?

Our company cannot process your data for an arbitrarily long period of time, but the processing period is limited to the period when we actually need your data. We try to limit the length of this period so that it takes due account of both your interests and ours.

The data collected as part of the registration and during the use of the registered service is usually stored for the entire registration period and for 6 months after cancellation, during which time the account can be reactivated.

After 6 months, only basic identification data, data on the granting/withdrawal of consent and information on the reason for which the registration was terminated or data forming part of operational backups and security logs of the account activity are usually stored for a period of approximately 4 years (derived mainly from the time when legal claims against our company could be brought).

Details on the processing of personal data for the purpose of sending commercial communications can be found here.

With regard to the processing period, if it is not expressly stated in the terms of service or established by law, we base the determination of the adequacy of the processing period on the following aspects in particular (i) the length of the limitation period with a reserve for learning that a lawsuit has been filed or other proceedings have been initiated, (ii) the likelihood of legal claims against our company, (iii) the expected timeframes for detecting attacks on our network or other breaches of security, (iv) common market practices and recommendations of supervisory authorities, and (v) the likelihood and significance of the risks involved.

Cancellation of service

You can stop using our Portmonka app at any time by uninstalling the relevant app. If you wish to exercise your rights regarding the data we have stored in our interface, please contact the administrator of the service. By uninstalling the app, we will stop using your data for its original purposes. Please note that, as stated above, even after uninstalling the application, some data will be stored as backups in order to protect the rights of our company and third parties, IT security and to document our compliance with legal regulations, in particular on data protection and accounting.

By unchecking the box "I wish to receive commercial offers" you can express your opposition to us sending you newsletters.

Unregistered users of the service

This part of the instruction summarizes the basic principles of the processing of personal data by MAFRA for users of the Portmonka application who have not registered and have only generated access within the Portmonka application.

In the case of unregistered users, we will only process the data you save in the application. For the rest, the above instruction for registered users applies similarly.

To whom can we disclose information about you?

Not all processing of personal data is carried out by our company itself. We sometimes hire third parties, called data processors, to process personal data. We try to select only those processors who are sufficiently trustworthy.

MAFRA may disclose your personal data to third parties only if required or permitted by law or with your consent. MAFRA discloses personal data only to the usual extent to processors or other recipients:

• suppliers of external services for MAFRA (typically programming or other technical support services, server services, e-mailing, services related to directing traffic to our website and adapting its content to user preferences),
• the operators of backup servers or operators of technologies used by MAFRA, who process them in order to ensure the functionality of the relevant MAFRA services,
• to the extent strictly necessary to MAFRA's legal, economic and tax advisors and MAFRA's auditors who process them for the purpose of providing advisory services to MAFRA
• personal data relating to debtors with overdue debts may also be disclosed to debt insurance companies or collection agencies for the purpose of recovery or collection of debts MAFRA
• personal data may also be transferred to public authorities on request or in the event of suspected infringements.

The app allows app partners to register users to their loyalty systems. In this case, the user fills in the data required by the partner (usually in the following range: first name, last name, e-mail, telephone, address, date of birth and possibly one other item), which is then forwarded to the partner. The partner further processes this data as an independent controller.

Are you obliged to provide us with the data?

You provide your personal data to MAFRA voluntarily (however, if you want to register for our service or generate a profile, we require certain data as mandatory, i.e. if you do not provide it to us, you will not be able to generate a registered profile in the Portmonka application). If in some cases you are obliged by a special law to provide personal data for processing, you will be informed of this fact separately in justified cases.

Our services and children

The Regulation or the Czech legislation adapting it restricts in some cases the processing of data in connection with web services if they are to be used by children under 15 years of age. It also provides for higher erasure rights for those users who entered data into the service when they were under 18 years of age.

Our Portmonka app is not directly intended for use by anyone under the age of 15. However, we are not always able to recognize that a child under 15 is registering for our service. We therefore urge parents to contact us if they suspect their child is using our service and they do not agree.

As part of the registration process, we reserve the right to directly require the registrant to indicate whether he or she is 15 years of age or younger so that we can verify whether the consent of his or her parent or other legal guardian is required for registration.

If you nevertheless register for our service as a person who is under 18 years of age, please note that you have a heightened right to request the deletion of any data processed about you that was entered before the age of 18. We will always endeavor to comply with your request for erasure. If you were under the age of 18 when you registered for or entered data into the Service and subsequently request us to delete such data, please let us know that this is the case so that we can take your age into account sufficiently and properly.

Consent
Although consent is only one of the grounds for processing, the Regulation imposes specific requirements for obtaining it. If you feel that your consent is being coerced by us, please contact us and we will address this immediately.

Please note that if the legal basis for processing your personal data is your consent, you may withdraw such consent at any time, free of charge, either directly through the Service interface or by contacting us at the contacts listed below. Withdrawal of consent does not affect the lawfulness of processing based on consent given prior to its withdrawal.

Right to object

The right to object is an important right. It allows you to have processing carried out on the basis of our so-called legitimate interest reviewed where your particular situation justifies it - i.e. where the processing itself is permissible but there are specific reasons on your side why you do not want the processing to take place anyway. However, the possibility to object does not apply to all cases of processing, e.g. it cannot be used if we process your data necessary for the performance of a contract or if we are required to process it by law. The right to object is enshrined in Article 21 of the Regulation.

You can object to the processing by using the contact details below or preferably by e-mail: osobni.udaje@mafra.cz or info@mojeportmonka.cz. In your e-mail, please indicate the specific situation that leads you to the conclusion that MAFRA should not process the data. Please note that even in the above cases, however, parallel processing will sometimes take place personal data for other purposes that will justify MAFRA continuing to process such data.

In the case of data processing for the purposes of direct marketing (sending newsletters) and targeted offers based on your data, you can always object without further notice, in which case you do not have to give any reasons why you do not wish to continue receiving such messages. In these cases, the best way to object is to opt-out of receiving further communications by clicking on the link that will usually be included in the communications for this purpose. You have the same right under Section 7 of Act No. 480/2004 Coll.

Automated decision making

Under the Regulation, you have the right as a data subject not to be subject to any decision based solely on automated processing, including profiling, which has legal effects concerning you or significantly affects you in a similar way (Article 22). Although the Regulation provides for several exceptions for cases where such automated decision-making can be carried out, our company tries not to carry out such processing.

Our company does not intend to carry out any automated decision-making that would have legal effects on you or similarly significantly affect you within the meaning of Article 22 of Regulation (EU) 2016/679. If you are, for example, denied the opportunity to register for our service due to an automated check of, for example, a duplicate email address, you can always contact the administrator of the relevant service or our company in general to request a final decision, which will always be based on an assessment by the operator.

Data update

One of our obligations as a data controller is to process accurate data or, where appropriate, to complete incomplete data in the light of the circumstances. If you provide us with information about changes to your data, you will help us to fulfil this obligation properly. Therefore, if there is a change in the data you have provided, we ask you to send us information about such change or to make the change in the service interface.

Risks and recommended practices

Any processing of personal data carries certain risks. These may vary depending on the scope of the data processed and the way it is processed. Below are some best practices that can help you protect your data:

• Ø  If one of our colleagues asks you to provide data, do not be afraid to ask whether it is necessary and whether the purpose of the processing cannot be achieved without the data.
• Ø  People under 18 are particularly vulnerable. If the transfer of data will involve them, all circumstances must be considered particularly carefully. It is also necessary to consider whether the consent of such persons or their legal guardians (e.g. parents) is required for the disclosure of such data. If you are a person under the age of 18, if you are in any doubt as to whether you are able to make the right decision, please discuss the matter with your parent (or other legal guardian) or contact us separately. Please note that our Portmonka App is not intended for persons under the age of 15.
• Ø If you log into our systems using a password, always use a unique strong password that you will not use for other devices and accesses. Do not share or disclose your password with anyone, including our staff. We will never ask you to provide your password, so please beware of various email requests for passwords, even if they are signed in MAFRA's name. These are likely to be hoaxes for the purpose of extortion and subsequent misuse of passwords.
• ØIf you send us confidential information, please try to use a secure method of communication, such as encrypting the file and passing the password through another communication channel.

• Ø  If you feel that our company is not fulfilling all of its obligations, that there has been an unauthorized data leak or that someone is impersonating our associate, please tell us as soon as possible.
• Ø  We always try to keep these lessons up to date. Therefore, we will make adjustments to these rules from time to time. We will notify you separately for more substantial changes, but it is still a good idea to re-read these rules from time to time.
• Ø  Keep your details up to date in our service interface.

Instructions under Regulation (EU) No. 2016/679:

The individual has the right with our company as the data controller:

(a) to request access to the personal data processed by the controller, which means the right to obtain confirmation from the controller as to whether or not personal data relating to him or her are being processed and, if so, to obtain access to those personal data and to the other information referred to in Article 15 of the Regulation,

(b) to request the rectification of personal data processed about him or her if they are inaccurate (Article 16 of the Regulation). Taking into account the purposes of the processing, he or she also has the right to request the completion of incomplete personal data in certain cases,

(c) to request the erasure of personal data in the cases provided for in Article 17 of the Regulation.

(d) to request restriction of data processing in the cases provided for in Article 18 of the Regulation,

(e) obtain personal data relating to him or her; and

(i) which we process with their consent, or

(ii) which we process for the performance of a contract to which such natural person is a party or for the performance of pre-contractual measures taken at their request

in a structured, commonly used and machine-readable format, with the right to transmit such data to another controller, subject to the conditions and limitations set out in Article 20 of the Regulation; and

(f) has the right to object to processing within the meaning of Article 21 of the Regulation on grounds relating to his or her particular situation.

If we receive such a request, we will inform the applicant of the action taken without undue delay and in any event within one month of receipt of the request. This time limit may be extended by a further two months if necessary, taking into account the complexity and number of requests. Our company is not obliged to grant the request in whole or in part in certain cases provided for by the Regulation. This will be the case in particular if the request is manifestly unfounded or unreasonable, especially because it is repetitive. In such cases, we may (i) impose a reasonable fee, taking into account the administrative costs involved in providing the requested information or communication or taking the requested action, or (ii) refuse to comply with the request.

If we receive the above request but have reasonable doubt as to the identity of the applicant, we may ask the applicant to provide us with additional information necessary to confirm their identity.

We will keep information about the fact that the data subject has exercised his or her rights with us and how we have dealt with his or her request for a reasonable period of time (usually 3-4 years) to document this fact, for statistical purposes, to improve our services and to protect our rights.

In the event that the data subject believes that MAFRA processes his/her personal data unlawfully or otherwise violates his/her rights, he/she has the right to file a complaint with the supervisory authority (i.e. the Office for Personal Data Protection) or to seek judicial protection.

How can you contact us?

You can use the following contacts for any comments and questions about data protection and to contact us regarding the exercise of your legal rights:

MAFRA, a.s.

Karla Engliše 519/11, Prague 5, Postal Code 150 00
e-mail: osobni.udaje@mafra.cz, info@mojeportmonka.cz
tel: 225061234 (please request a transfer to the company's legal department)

Data box ID: tu3cfw9

Portmonka General Terms and Conditions for Users

By filling in the forms you confirm that the information is true.

The User acknowledges that MAFRA, a.s. (hereinafter also referred to as the "Provider") is not obliged to enter into a contract for the provision of services of the Portmonky application (it may refuse to register the User), in particular with persons who have previously materially breached the contract for the provision of services (including the terms and conditions). To this end, the Provider will keep a register of such persons to the extent necessary.

The User agrees to the use of remote means of communication when concluding a contract for the provision of services. Costs incurred by the user in using distance communication means in connection with the conclusion of the service contract (e.g. internet connection costs) shall be borne by the user and shall not differ from the basic rate.

The Provider may unilaterally change these terms and conditions (e.g. in the event of changes in legislation, changes in the technical conditions of the Provider's service suppliers, changes in the interpretation of legislation, changes in the technical parameters of the Internet, changes in the industry of comparable services, changes in the service, etc.). Changes to the Terms and Conditions will be notified to the User within the user interface or by other appropriate means. The User may refuse to change the Terms and may terminate the use of the Service at any time by canceling the registration.

The provision of the service is not guaranteed. MAFRA, a.s. may not provide the service or may restrict or discontinue its provision at any time, even for individual users. The service will be restricted in particular if the service is prevented by difficulties on the part of the user or other persons.

All recommendations and information displayed within the Service and on the Website are of a non-binding nature, which the User acknowledges. The user is always obliged to contact a professional advisor regarding the use of these recommendations and information.

The User may not store or distribute information within the Service whose content is contrary to good morals or generally binding legal regulations in force in the Czech Republic or in other countries where the Service is available.

The user acknowledges that MAFRA, a.s. is not responsible for the settings made by the user in the user account.

The user is not entitled to use the service for business purposes without the provider's permission. The User may not send unsolicited commercial communications within the Service. The User may not send information within the Service that is strikingly similar to third party services or applications in order to confuse or mislead Internet users (phishing, etc.). The User shall not distribute computer viruses and other harmful software and content within the Service.

The User shall not use mechanisms, tools, software or procedures within the Service that have or could have a negative impact on the operation of the Internet Security Provider's equipment or other Internet users.

The user must not take any action to prevent or restrict the operation of the service or to carry out other attacks on the server on which the service is operated, nor must the user assist a third party in such action. The User shall not use the User Account and the Service in a manner that would unreasonably restrict the use of the Service by other Users or otherwise unreasonably limit the provision of the Service. In particular, the user must not burden the server on which the service is operated with automated requests.

The user acknowledges that MAFRA, a.s. is not responsible for the content of the information stored by the user in accordance with the provisions of Section 5 of Act No. 480/2004 Coll., on certain information society services and on amendments to certain acts (Act on certain information society services), as amended. The User further acknowledges that the Provider is not liable for the unlawful acts of the User.

MAFRA, a.s. is entitled (but not obliged) to carry out preventive control of the information stored or distributed by the User within the Service. In the event that the content of such information may violate these Terms and Conditions, generally binding legal regulations or good morals, or be contrary to the interests of MAFRA, a.s., MAFRA, a.s. is entitled to delete such information or prevent its dissemination and to terminate the provision of such service to the respective user. In the event that any third party asserts rights against MAFRA in connection with the storage or dissemination of information stored or disseminated by the user within the Service, MAFRA, Inc. shall be entitled to immediately remove the content of the information stored or disseminated by the user within the Service without further delay.

Contractual relations between MAFRA, a.s. and users are governed by Czech law.
The service is provided to users free of charge, unless otherwise expressly provided.

MAFRA is authorized to do business on the basis of a trade license. Trade control is carried out within the scope of its competence by the competent trade licensing authority.