INFORMATION ON THE PROCESSING OF PERSONAL DATA BY PENTEREP SECURITY S.R.O.
1. PERSONAL DATA CONTROLLER
The controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") is the company Penterep Security s.r.o., Company ID: 17749433, with its registered office at Ševčenkova 570/4, Brno-Bosonohy, Postcode 783 46, Czech Republic, registered in the Commercial Register kept at the Regional Court in Brno, Section C, Insert 131321 (hereinafter "Penterep Security" or "we").
Penterep Security processes personal data of users ("User" or "you") on the website www.penterep.com (hereinafter the "Website"), where User accounts are created and the Provider's services are offered. On the penterep.online website (hereinafter the "Application"), the personal data database is created and managed exclusively by Users. The Provider does not access or process this data in any way.
Personal data means any information about an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, a network identifier, or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Penterep Security's contact details are:
- Mailing address: Ševčenkova 570/4, Brno-Bosonohy, Postcode 783 46, Czech Republic
- Email: info@penterep.com
Penterep Security has not appointed a data protection officer.
2. CATEGORIES OF PERSONAL DATA PROCESSED
Penterep Security obtains personal data of Users or visitors to the Website, business partners and other natural persons from the following sources:
- personal data provided directly by the natural person when creating a User account;
- personal data provided by another User for the purpose of creating an invitation to participate in a project; the User may invite another non-registered user to a project via the Platform using their email address;
- from third parties, if you have consented to this (e.g. location data from your Internet browser).
Penterep Security processes personal data of the following categories of persons:
- registered Users (i.e. clients) of the Website
- email addresses of invited and not yet registered users
- suppliers of goods and services
- persons subscribing to the newsletter
- own employees.
Penterep Security processes your identification and contact data and data necessary for the performance of a contract (creation of a User account and provision of services consisting in the possibility of performing penetration testing through the Application operated by Penterep Security on the Website). The list of data enumerated below does not imply that Penterep Security processes the full data about each customer. It is meant only to fulfil an information obligation, and the scope of the data is always individualized to the specific customer, except for data that Penterep Security is required to process by law. At the same time, for the sake of completeness, we also list data relating only to legal persons, which are not personal data within the meaning of the data protection regulations. Only personal data of natural persons is protected under the applicable data protection regulations.
Penterep Security does not process any personal data that constitutes User-created content, i.e. personal data that Users collect, enter, upload or store on the Website and/or in the Application and that they manage within their User account. Penterep Security has no access to User-created content when the Application is run on the User's servers. User-created content kept in the cloud on Penterep Security's servers is stored in an encrypted database and Penterep Security does not access or use this content in any way for its own needs.
We process the following personal data:
- name and surname / company name
- email address
- place of residence / company headquarters
- correspondence address, if different from the place of residence
- Company ID / VAT ID
- telephone number only if it has been voluntarily provided by the User
- bank account number
- information about the services subscribed to
- information on payments made
- IP address and logs (i.e. dates and times of actions performed)
- language preferences
- profile photo, if the User has voluntarily uploaded it to the User account
- gender.
3. LAWFUL BASIS AND PURPOSE OF PROCESSING OF PERSONAL DATA
There are several lawful reasons why Penterep Security processes your personal data:
- performance of a contract between you and our company as controller pursuant to Article 6(1)(b) GDPR;
- fulfilment of a legal obligation of the controller pursuant to Article 6(1)(c) GDPR, in particular:
- fulfilment of our tax obligations under Czech Act No. 235/2004 Coll., on value added tax;
- fulfilment of obligations under Czech Act No. 563/1991 Coll., on accounting;
- the legitimate interest of our company as the controller in providing direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(f) GDPR;
- your consent to the processing for the purpose of providing direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(a) GDPR in conjunction with Section 7(2) of Czech Act No. 480/2004 Coll., on certain information society services, in case of absence of an order for goods or services; for the purposes of tailoring our services to your needs (i.e. sending you targeted customized offers), you may give us your consent to processing your traffic and location data for marketing and commercial purposes.
The purpose of processing personal data is:
- the provision of the Website and Application services and the performance of our contractual obligations; your personal data is necessary for the conclusion and performance of the contract as well as the provision of our services, for the processing of payments for the services provided, etc.;
- the performance of our legal obligations towards public authorities; this includes, but is not limited to, the processing of your personal data necessary to comply with the obligation to keep accounts and provide information to relevant authorities, such as tax administration, etc.;
- handling of complaints;
- asserting our rights and legitimate interests through legal proceedings;
- preventing fraud and abuse of our services;
- ensuring data, system and network security;
- communication with customers and marketing; we process your personal data to be able to inform you about new features, improvements to the Website and/or the Application or the services we provide and other changes.
There is no automated individual decision-making taking place on the part of our company within the meaning of Article 22 GDPR.
4. THIRD PARTIES
We are allowed to share your personal data with third parties when access to and use of such personal data is necessary to (i) comply with any applicable laws, regulations or court orders; (ii) detect, prevent and address fraud, crime, security and technical issues; or (iii) protect the interests, property and safety of our company, of Users and the public, where lawful to do so.
We share your personal data with authorized persons that provide services to us, namely the Application developers, IT administrators, external accountants, external email messaging systems, external companies on whose servers the Application will be hosted, cloud service providers, payment service providers, businesses providing professional and consulting services (e.g. tax advisors, attorneys, bailiffs, insolvency administrators), public authorities (e.g. tax authorities, courts, criminal authorities), postal and delivery service providers. We disclose your personal data to third parties to the extent necessary to provide the Website services.
Penterep Security does not transfer your personal data to third countries (i.e. countries outside the European Union) or international organizations. All recipients of personal data process your personal data within the European Union.
5. DATA RETENTION PERIOD
The period of retention of personal data depends on the nature of the data and the purpose of its processing. The maximum retention period thus may vary according to the purpose of the processing.
Most of the User's personal data related to their User account created on the Platform will be anonymized or deleted at the latest 1 year after the User cancels their account. Email addresses of not yet registered users in case no User account is created are processed only for a period of 30 days.
In other cases, Penterep Security retains personal data:
- for as long as necessary to exercise the rights and obligations arising from the contractual relationship between you and our company and to assert claims arising from these contractual relationships (for a period of at least 3 years and at most 10 years from termination of the contractual relationship);
- if the personal data is processed on the basis of your consent for marketing purposes, we continue processing it until you withdraw your consent, but no longer than 5 years.
6. YOUR RIGHTS
You may check or change the information in your User account or cancel your User account at any time.
Under the terms of GDPR, you have the following rights in relation to your personal data:
- the right to access your personal data according to Art. 15 GDPR - upon exercising the right of access to your personal data, we will provide you with information on whether we process your personal data and, if so, which data, for what purpose, what the nature of the processing is and to which recipients we transfer the personal data; we will also provide you with information on other rights you can exercise in connection with the processing of your personal data; with regard to the protection of your person, i.e. to ensure that no unauthorized person gains access to your personal data, it may be necessary for us to verify your identity in an appropriate manner;
- the right to rectification of personal data pursuant to Article 16 GDPR - upon exercising the right to rectification, we will correct inaccurate personal data without undue delay;
- the right to erasure of personal data according to Article 17 GDPR - upon exercising the right to be forgotten, we will erase the personal data designated by you; however, we will not erase your personal data if the purpose of processing it continues or if there is a legal ground for processing it, in particular if it is necessary for the establishment, exercise or defence of our legal claims or the performance of our legal obligations;
- the right to restriction of processing of personal data pursuant to Article 18 GDPR - upon exercising the right to restrict the processing of personal data, we may restrict the processing of personal data designated by you; during the period of restriction of processing of personal data, we will only be allowed to process the personal data concerned with your consent, or without such consent for the establishment, exercise or defence of our legal claims or to protect the rights of another person;
- the right to object to processing according to Article 21 GDPR - your personal data will not be further processed upon objection, unless there are compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims;
- the right to data portability under Article 20 GDPR, if technically feasible - upon exercising the right to data portability, we will transfer your personal data in a structured, commonly used and machine-readable format to the chosen data controller if this processing is based on your consent, or for the performance of a contract;
- the right not to be subject to automated individual decision-making according to Article 22 GDPR - you have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you;
- the right to withdraw consent to processing for direct marketing purposes (in particular for sending commercial communications and newsletters) pursuant to Article 6(1)(a) GDPR in conjunction with Section 7(2) of Czech Act No. 480/2004 Coll., on certain information society services, in the event that no order for goods or services has been placed.
You can exercise the above rights by email or by sending a letter to our contact address provided in this Information on the Processing of Personal Data. We have the right to request additional information in order to properly identify you (ascertain your identity). We also have the right to refuse your request, or to charge you for the administrative costs associated with providing the requested information or disclosures in the event that it is a repeated request, is manifestly unfounded or unreasonable, or manifestly abusive.
7. RIGHT TO WITHDRAW CONSENT
You have the right to withdraw your consent to the processing of personal data for direct marketing and market research purposes. The User exercises this right by clicking on the "Unsubscribe" option in an email received from us or by changing the emailing options in the settings of their User account.
8. FILING A COMPLAINT
If you believe that we are processing your personal data contrary to applicable data protection regulations (GDPR), you have the right to let us know and request redress.
If, in your opinion, we do not remedy the situation, you are entitled to lodge a complaint with the competent data protection supervisory authority.
Supervision of personal data protection in the Czech Republic is exercised by:
Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, telephone: 234 665 111, email: posta@uoou.cz, Databox: qkbaa2n, www.uoou.cz
More detailed information about your rights can be found on the website of the Office for Personal Data Protection: https://www.uoou.cz/6-prava-subjektu-udaj/d-27276.
You also have the right to file a complaint with the competent data protection authority in the country of your residence.
In the European Union, the European Data Protection Supervisor also supervises data protection.
9. INFORMATION SECURITY
We apply administrative, organizational, technical and other measures to protect the personal data we collect and process. These measures include, among others, database encryption, firewall and access control. The purpose of our security controls is to maintain an appropriate level of data confidentiality, integrity, availability, resilience and recoverability. We regularly test the security of the Website and Application services.
If, despite the security measures taken and applied, any breach of personal data security occurs, such security breach will be reported without undue delay to the supervisory authority, i.e. the Office for Personal Data Protection of the Czech Republic. In cases under GDPR and other laws, we will notify you directly of a personal data breach.
10. FINAL PROVISIONS
A prerequisite for creating a User account on the Platform is confirmation of you having read this Information on the Processing of Personal Data. By ticking the box, you confirm that you have read this Information on the Processing of Personal Data and that you accept it in its entirety.
The controller is entitled to amend this Information on the Processing of Personal Data as may be necessary due to changes in data processing procedures or for other reasons. The new version of the Information on the Processing of Personal Data will be published by the controller on the Website and will also be sent to the e-mail address you have provided to the controller.
This Information on the Processing of Personal Data by Penterep Security takes effect on 1.1.2023.