Personal Data Processing Policy

Below you will find the personal data processing policy that applies when you provide us with personal data as the controller — when you visit our website at www.shine.cz, when you are our customer, or when you are interested in our products or services.

We process personal data in accordance with applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council — the General Data Protection Regulation (hereinafter "GDPR") — and in accordance with Act No. 110/2019 Coll. on the processing of personal data.

The purpose of this document is to inform you of how your personal data will be handled and to explain your rights.

CONTENTS

1. Controller — our identification and contact details

2. Source of personal data — where we obtain personal data from

3. Categories of personal data and requirement to provide them — which personal data we process and whether you are obliged to provide them

4. Purposes and retention periods — why we process personal data and for how long

5. Automated decision-making and profiling — whether we carry out automated individual decision-making or profiling

6. Cookies — which cookies we use

7. Recipients of personal data — to whom we disclose personal data

8. Transfer of personal data to third countries or international organisations — whether personal data are transferred to countries outside the European Union

9. Security of personal data — which technical and organisational measures we have adopted to secure personal data

10. Your rights — what rights you have in relation to the processing of your personal data

11. Final provisions — the effective date of this document and the possibility of amendment

1. CONTROLLER

1.1 The controller of personal data is:

SHINE Consulting s.r.o.

Company registered in the Commercial Register maintained by the Regional Court in Brno, Section C, Insert 24686

Registration No.: 25318292

Registered office: Oulehla 443, 664 07 Pozořice, Czech Republic

Phone: +420 737 929 033

1.2 We have not appointed a Data Protection Officer.

2. SOURCE OF PERSONAL DATA

2.1 We process personal data that we obtain directly from you. We collect your personal data when you visit our website, when you complete and submit one of the forms on our website, or by other means (e.g. when you provide them to us by e-mail, by telephone, during a video call, via social media or in person).

2.2 Where a course is attended by employees sent by a company, we obtain personal data from that company. In such cases, the sending company is responsible for obtaining the necessary consents to the processing of personal data and for complying with the obligations imposed on controllers by the GDPR.

3. CATEGORIES OF PERSONAL DATA AND REQUIREMENT TO PROVIDE THEM

3.1 To the extent necessary, we process in particular the following categories of common personal data about you, where you make them available to us: full name, company registration number, VAT number, residential or registered address, payment details, telephone number, e-mail address, identifiers for other forms of remote communication, IP address, information about products or services you have ordered, and any other information you provide to us in the course of our communication or cooperation.

3.2 For online courses, we make audio and video recordings of course sessions, which are made available to all participants of the relevant course. We also use them internally for the purpose of improving course content. We do not publish these recordings or any part of them, nor do we provide them to anyone other than course participants and public authorities that request them in accordance with the law.

3.3 If you allow us to publish your testimonial and also provide us with a photograph or video recording, we also process the personal data contained in the testimonial and the relevant photograph or video recording. If you use the log-in, discussion, rating or sharing functions via social media (Facebook, Instagram, YouTube or others), we also process information contained in your post or comment and publicly available information on your profile on the relevant social network (in particular your full name, photograph, age group and other public information according to your settings). With your consent, we also process your personal data in the form of marketing and analytical cookies, and information about your interests and preferences. If you attend one of our in-person events, we may also process personal data captured in photographs or video recordings from the event.

3.4 Providing the category of common personal data referred to in clause 1 of this section is necessary for mutual communication or for concluding and performing the contract; if you do not provide them, mutual communication or the conclusion and performance of the contract will not be possible. Where the processing of personal data is based on your consent, it is entirely your choice whether to provide your personal data to us or not.

3.5 We process special categories of personal data (sensitive data) about you only where you voluntarily disclose such data in the course of our cooperation and only with your explicit consent. This concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sex life or sexual orientation.

4. PURPOSES AND RETENTION PERIODS

A. PROCESSING FOR THE PURPOSE OF CONCLUDING AND PERFORMING A CONTRACT

1. We process your personal data for the purpose of concluding and performing a contract (mutual communication before and after conclusion of the contract, delivery of the ordered product or service, processing of payment). For this purpose, we process your common personal data referred to in Art. 3(1) above and, with your explicit consent, special categories of personal data (sensitive data) referred to in Art. 4(4) above. Further information may be provided optionally (e.g. professional field, etc.).

2. The legal basis for the processing of personal data is the performance of a contract concluded between us and the taking of steps prior to concluding the contract at your request.

3. For this purpose, we process your personal data for the duration of the contractual relationship between us and, following its termination, we continue to process certain personal data for other purposes (see sections B to F below).

B. PROCESSING FOR THE PURPOSE OF FULFILLING LEGAL OBLIGATIONS

1. We also process personal data for the purpose of fulfilling legal obligations applicable to us (e.g. statutory obligations in the field of taxation). For this purpose, we process the following personal data: full name, company registration number, VAT number, residential or registered address, company name, payment details, and information about products or services you have ordered.

2. The legal basis for the processing of personal data is compliance with a legal obligation applicable to us.

3. For this purpose, we process your personal data for the period stipulated by generally binding legislation.

C. PROCESSING FOR THE PURPOSE OF DIRECT MARKETING

1. We also process your personal data for the purpose of direct marketing (sending commercial communications, newsletters, etc.). For this purpose, we process the following personal data: full name, residential or registered address, telephone number, e-mail address, job title, information about products or services you have ordered. Further information may be provided optionally (e.g. professional field, etc.).

2. Where you are our customer, the legal basis for such processing is our legitimate interest. Given your previous purchase of our product or service, we assume that you are interested in our news and information about our similar products or services.

3. You may unsubscribe from commercial communications at any time by clicking the relevant link in any e-mail we send. Otherwise, we will process your personal data for this purpose for 5 years from the termination of the contractual relationship.

D. PROCESSING FOR THE PURPOSE OF PUBLIC PRESENTATION

1. At in-person group events we organise, photographs and video recordings are made for promotional purposes — to present our products and services on our website and social media, or in other promotional materials. For this purpose, we therefore process your personal data captured in photographs and video recordings from the event.

2. Where photographs or video recordings capture the general atmosphere of the event (i.e. not a close-up of you personally), the legal basis for such processing is our legitimate interest. However, if you do not wish to appear in photographs or videos, you may inform us before or during the event and we will not photograph or record you.

3. For this purpose, we process your personal data for as long as the photographs and video recordings from the event are published on the website, social media or other promotional materials.

E. PROCESSING FOR THE PURPOSE OF PROTECTING RIGHTS AND ENFORCING CLAIMS

1. We also process personal data for the purpose of protecting our rights and enforcing legal claims (in particular arising from concluded contracts or loss caused). For this purpose, we process your personal data from concluded contracts and our mutual communication.

2. The legal basis for the processing of personal data is our legitimate interest.

3. For this purpose, we process your personal data for the duration of the contractual relationship and for the following 5 years after its termination, or for 5 years where no contract was concluded, and, in the event of a dispute, also for the entire duration of the dispute until its final resolution and satisfaction of all claims.

F. PROCESSING BASED ON YOUR CONSENT

1. Based on your consent, we will process your personal data for the following purposes:

  • sending newsletters, news, information about our products and services and other commercial communications, where you are not our customer;

  • sending commercial communications relating to third parties;

  • analysing your preferences and interests, improving our website and targeting advertising;

  • publishing your testimonial on our website, social media or in other promotional materials;

  • publishing a detailed image of you in a photograph or video recording from an in-person event on our website, social media or in other promotional materials;

  • discussion, rating or sharing of information via social media.

2. You may give your consent by, for example, completing and submitting one of the forms on our website, via a pop-up bar on our website, in the course of individual communication (e.g. by e-mail), in written form, by posting a comment or reaction on social media, or by other means. Before consent is given, we will inform you which personal data we will process on the basis of your consent and the specific purpose to which your consent will relate.

3. You may withdraw your consent at any time by clicking the relevant link in any e-mail we send, or by notifying us of the withdrawal at the e-mail address stated above, and in the case of cookies by disabling them in your browser settings or via the cookie bar on our website. However, where we also process your personal data on the basis of other legal grounds referred to in sections A to E above, we will continue to process it on the basis of the relevant ground even after the withdrawal of your consent.

5. AUTOMATED DECISION-MAKING AND PROFILING

5.1 We do not carry out automated individual decision-making within the meaning of Art. 22 GDPR.

5.2 With your consent, we may profile the personal data you provide to us for the purpose of analysing your preferences and interests and targeting advertising.

6. COOKIES

6.1 When you use our website, we use cookies and other related technologies. Cookies are small files that serve to store and receive identifiers and other information about the devices from which you access our website.

6.2 We use technical and functional cookies, analytical cookies and marketing cookies. Technical and functional cookies ensure the proper functioning of our website and facilitate your visit. These cookies may be placed without your consent. We use analytical cookies to analyse data for the purpose of improving our products and services. Marketing cookies are used to track the preferences of website visitors for the purpose of targeting advertising. We use analytical and marketing cookies in conjunction with third-party tools only on the basis of your prior consent.

6.3 You may refuse the use of cookies in your internet browser settings, or you may configure your browser to accept only certain cookies.

6.4 More information about the individual cookies we use can be found on our website.

7. RECIPIENTS OF PERSONAL DATA

7.1 Where we share your personal data with another party, we ensure that their protection is maintained.

7.2 Personal data may only be processed on our behalf by processors, exclusively on the basis of a data processing agreement, i.e. with guarantees of organisational and technical security for the data, with a defined purpose of processing; processors may not use the data for other purposes.

7.3 Our data processors include:

  • consultants engaged to lead individual courses or consulting assignments we offer;

  • IT companies engaged to perform IT administration of the software programmes we use.

7.4 With your consent, personal data you provide to us (in particular your e-mail address, telephone number and cookies) may be shared in encrypted form with third parties (e.g. Meta Platforms, Google) for the purpose of analysing your preferences and interests and targeting advertising.

7.5 Your personal data are also accessible to other users of social networks on which you post, comment or react, and to other clients who have purchased the same product or service as you (e.g. in an online course, other participants can see your name and image). By using these features, you consent to this sharing of your personal data.

7.6 If you use the option of posting comments or questions on our website or in response to our posts on social media (Instagram, Facebook, Medium, Twitter, YouTube and LinkedIn), you consent to your personal data (full name and information contained in the comment or question) being visible to other visitors.

7.7 Your personal data will also be disclosed to the relevant administrative authorities or courts, or to legal representatives, in order for us to fulfil our statutory obligations or to protect our rights and legitimate interests.

7.8 If, in the future, we begin using additional applications or services of other parties, we will, in selecting them, ensure that our standard for the security and processing of personal data is maintained.

8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIGANISATIONS

8.1 As we use certain foreign processors, your personal data may be transferred not only to countries in the EEA, the United Kingdom or Switzerland, but also to third countries, specifically the United States of America. On 10 July 2023, the European Commission adopted an adequacy decision within the meaning of Art. 45(3) GDPR. Pursuant to that decision, the United States ensures an adequate level of protection for personal data transferred from the European Union to organisations in the United States that are listed on the relevant register, the Data Privacy Framework List.

9. SECURITY OF PERSONAL DATA

9.1 As the controller, we have adopted all technical and organisational measures necessary to secure your personal data against accidental or unlawful access, alteration, destruction or loss, unauthorised processing or other misuse. The technical and organisational measures adopted are proportionate to the level of risk to the rights and freedoms of natural persons and to the nature, scope and purposes of the processing.

9.2 In particular, we have adopted the following technical and organisational security measures:

  • protection of access to computing equipment used to process personal data by means of individual strong passwords, and protection of those passwords against disclosure;

  • protection of that computing equipment by antivirus software;

  • protection of portable computing equipment or portable data storage media (monitoring, password protection, etc.);

  • locking of premises in which documents containing personal data are stored;

  • restricting access to personal data to authorised persons only, who are bound by an obligation of confidentiality in respect of your personal data and the security measures adopted.

9.3 The technical and organisational measures in place are regularly tested, and their effectiveness in ensuring the security of personal data processing is assessed and evaluated.

10. YOUR RIGHTS

10.1 In relation to the processing of your personal data, you have the following rights:

a) Right of access to personal data (Art. 15 GDPR)

You have the right to obtain confirmation as to whether or not your personal data are being processed and, where they are, to access your personal data and information about the details of their processing.

b) Right to rectification or completion of personal data (Art. 16 GDPR)

You have the right to request that we correct inaccurate personal data concerning you and, taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.

c) Right to erasure of personal data (Art. 17 GDPR)

You have the right to request that we erase personal data concerning you; where one of the grounds set out in Art. 17 GDPR applies, we are obliged to erase your personal data upon your request.

d) Right to restriction of processing of personal data (Art. 18 GDPR)

Where the conditions laid down in Art. 18 GDPR are met, you have the right to request that we restrict the processing of your personal data.

e) Right to data portability (Art. 20 GDPR)

Where the processing of your personal data is carried out by automated means and is based on consent or on a contract, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit them to another controller. Where technically feasible, you also have the right to request that we transmit your personal data directly to another controller.

f) Right to object to the processing of personal data (Art. 21 GDPR)

Under the conditions set out in Art. 21 GDPR, you have the right to object at any time to the processing of your personal data. Where you object to the processing of personal data for direct marketing purposes, including profiling, we will no longer process your personal data for those purposes.

g) Right to withdraw consent to the processing of personal data

Where personal data are processed on the basis of your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

h) Right to lodge a complaint with the Office for Personal Data Protection

If you believe that your right to personal data protection has been infringed, you have the right to lodge a complaint with the Office for Personal Data Protection (https://uoou.gov.cz/).

10.2 You may exercise your rights with us using the contact details stated above. Before processing your request, we may contact you to verify your identity in an appropriate manner.

11. FINAL PROVISIONS

11.1 We are entitled to amend this Personal Data Processing Policy to a reasonable extent. The current version is available on our website at the address stated above.

11.2 This Personal Data Processing Policy takes effect on 1 January 2026.