Processing of personal data

1) Data Controller

The controller of personal data is Graffin s.r.o., with its registered office at Hvězdova 870/39, 140 00 Prague, Company ID No.: 26765951, registered in the Public Register kept by the Municipal Court in Prague, Section C, Insert 92250 (hereinafter the “Controller”).

Contact e-mail for inquiries regarding the processing of personal data: marketing@graffin.cz

2) What personal data we process

Depending on the type of form/inquiry, we may process in particular:

Identification and contact details: first and last name, company, job position (if provided), e-mail, phone number,

Address details: site address (e.g., for a service visit), and possibly billing/correspondence details if the order is completed,

Data necessary to handle the request:

for service/spare parts: brand, model, machine serial number, description of the request, requested items (parts/consumables), possible attachments (e.g., photos),

for inquiries about new/used machines: specification of the requested machine, required parameters/configuration, deadline, installation location, possibly budget or other information you provide,

Communication: message content, responses to e-mails, history of arrangements.

3) Purposes of processing

We process personal data primarily for the purposes of:

Handling a service request (service visit, preventive maintenance, operator training) and related communication, scheduling, and recording service history.

Handling an order of spare parts / consumables, including specification of items and delivery/reservation.

Handling an inquiry for new machines (preparation of an offer, technical clarification, communication, follow-up).

Handling an inquiry for used machines (preparation of an offer, specification, availability, communication, possible inspection/reservation).

Internal records and service improvement (e.g., capacity planning, job evaluation, quality control).

Protection of legal claims and handling complaints/disputes.

4) Legal basis for processing

We process personal data mainly on the basis of the following legal grounds under the GDPR:

Performance of a contract / steps prior to entering into a contract – typically handling a service request or inquiry and preparing an offer based on your request (Art. 6(1)(b) GDPR),

Compliance with a legal obligation – typically accounting/tax obligations if the order is completed and invoiced (Art. 6(1)(c) GDPR),

Legitimate interest – keeping records of communication, internal administration, protection of legal claims, and improving service quality (Art. 6(1)(f) GDPR).

We request consent only for sending commercial communications (marketing).

5) Recipients of personal data (processors)

The following may have access to personal data:

the Controller’s employees and collaborators (service, sales, administration),

providers of technical services (e.g., hosting, e-mail, backups, possibly CRM/helpdesk, calendar solution, SMS gateway), only to the necessary extent and based on a contractual relationship.

6) Transfers to third countries

If we use services of providers outside the EU/EEA, we transfer personal data only under the conditions set by the GDPR and with appropriate safeguards ensuring the protection of personal data.

7) Retention period

We retain the data:

for the period necessary to handle the request/inquiry and subsequently for a reasonable period for internal records and protection of legal claims,

in the case of data related to invoicing/documents, for the period required by law.

8) Security

We protect personal data with appropriate technical and organizational measures (access management, passwords, backups, limitation of permissions, etc.) to prevent unauthorized access, loss, or misuse.

9) Rights of data subjects

In particular, you have the right to:

access to your data, rectification, erasure, and restriction of processing,

object to processing,

data portability (in relevant cases),

lodge a complaint with the supervisory authority – the Office for Personal Data Protection (ÚOOÚ).

10) Obligation to provide data

Providing the data marked as mandatory in the form is necessary to handle the request/inquiry. Without them, we may not be able to process the request.

11) Automated decision-making

We do not carry out automated decision-making or profiling.