I. Contracting Parties and Key Definitions
The Controller
Crisma Network s. r. o.
-
Address: Chudenická 1059/30, Hostivař, Prague 10, Postal Code 102 00
-
Company ID No.: 11799005
-
Tax ID No.: CZ11799005
-
Registration: Registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 354693
-
(hereinafter referred to as the “Controller”)
The Controller is the operator of websites, provider of services and other projects (hereinafter referred to as the “Services”), in particular a company associated with the operation and support of BNI for the Czech Republic, where BNI is the world’s largest business networking and referral organization. In the course of providing the Services, the Controller processes personal data of natural persons as a controller within the meaning of Article 4(7) of the GDPR.
Key Definitions
-
Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, address and contact details, and similar.
-
Data Subject: For the purposes of this Policy, a natural person whose personal data is processed by the Controller.
-
Processing of Personal Data: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
-
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller on the basis of a data processing agreement pursuant to Article 28 of the GDPR.
-
Legal Framework: The framework which governs the Controller’s processing of personal data consists primarily of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), Act No. 110/2019 Coll., on the Processing of Personal Data, and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.
II. Categories of Data Subjects, Purposes and Legal Bases for Processing
1. Registration for Meetings
-
Legal Basis (Organization): Processing for the purpose of registration, organization, and administration of meetings is necessary for the performance of a contract or for taking steps prior to entering into a contract under Article 6(1)(b) GDPR. Where no contractual relationship is established, it is based on the Controller’s legitimate interest under Article 6(1)(f) GDPR in organizing professional networking meetings and communicating with participants.
-
Legal Basis (Marketing): Processing for the purpose of sending marketing communications by the Controller is based on the data subject’s consent under Article 6(1)(a) GDPR, unless another legal basis is available under applicable law.
-
Legal Basis (Partners): Transfer of personal data to event partners for the partners’ own marketing communications is based on the data subject’s separate consent under Article 6(1)(a) GDPR.
-
Purpose of Processing: Organization and administration of meetings, communication with participants, maintenance of attendance records, event-related networking, follow-up communication, and, where consent has been granted, sending marketing communications and sharing selected contact details with named event partners for their own post-event follow-up and marketing communications.
2. Newsletter Subscribers
The Controller processes personal data of persons who subscribe to the newsletter (commercial e-mail communications) via the website or other forms.
-
Scope of Processed Data: E-mail address, and optionally first name, surname, and other data provided in the newsletter subscription form.
-
Legal Basis: Consent of the data subject (Article 6(1)(a) GDPR and Section 7 of Act No. 480/2004 Coll.). Consent may be withdrawn at any time via the unsubscribe link included in every e-mail sent.
-
Purpose of Processing: Sending information, news, and other commercial communications.
3. E-mail Campaigns Using Publicly Available Databases
The Controller uses the Bizmachine service, a database broker that provides contact data from publicly available sources. The Controller uses this data for direct marketing purposes (e-mail campaigns).
-
Scope of Processed Data: Business name / name, e-mail address, and optionally telephone number and other publicly available contact data.
-
Legal Basis: Legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting of direct marketing of its own services. Every e-mail includes an unsubscribe option. Upon unsubscribing, the recipient is automatically removed from future campaigns.
-
Purpose of Processing: Direct marketing – offering the Controller’s services.
-
Additional Safeguards: Commercial communications are sent only where permitted by applicable law, including Act No. 480/2004 Coll., on Certain Information Society Services. Each commercial communication clearly identifies the sender and includes a simple and free-of-charge option to unsubscribe or object to further marketing communication.
4. Website Visitors
When visiting the Controller’s website, personal data may be processed through analytical and marketing tools.
-
Scope of Processed Data: IP address, browser type, operating system, website behavior data (pages visited, time spent on page, visit source), cookies, and other electronic identifiers.
-
Legal Basis: Consent of the data subject (Article 6(1)(a) GDPR) granted via the cookie banner; for technically necessary cookies, the legitimate interest of the Controller (Article 6(1)(f) GDPR).
-
Purpose of Processing: Traffic analysis, service improvement, targeting of marketing communications.
III. Recipients of Personal Data and Processors
The Controller transfers personal data to the following categories of recipients:
1. Processors – Technology Service Providers
-
Brevo (Sendinblue): A platform for sending e-mail campaigns and newsletters. Brevo processes e-mail addresses, names, and e-mail interaction data (opens, clicks, unsubscribes). Processing takes place on the basis of a Data Processing Agreement.
-
SwipeScale: A CRM system with artificial intelligence features for automating business processes. It processes contact data, communication history, and other data necessary for customer relationship management.
-
Google Analytics (or a comparable analytical tool): A service for analyzing website traffic. It processes anonymized or pseudonymized data on user behavior on the website (cookies, IP address).
-
Bizmachine: A database broker providing publicly available contact data. The Controller obtains publicly available business contacts from this provider for direct marketing purposes.
-
Social media platforms (e.g., LinkedIn and others): The Controller uses social media plugins and integration tools. The conditions for processing personal data are governed by the policies of the respective social media operators.
2. Cooperating Companies (Independent Controllers)
The Controller transfers personal data to the following cooperating companies:
Partner A: Company Vlastní cesta s.r.o.-
Address: Tichého 426/11, Žabovřesky, 616 00 Brno
-
Company ID No.: 29212154 (registered in the Commercial Register maintained by the Regional Court in Brno, file no. C 66074)
-
Purpose of Transfer: Event-related networking, post-event follow-up, and the Partner’s own marketing communications, subject to applicable GDPR transparency and consent requirements.
-
Scope of Transferred Data: First name, surname, company name, job title, e-mail address, and telephone number, where provided.
-
Legal Basis: Consent of the data subject under Article 6(1)(a) GDPR for partner marketing communications. For limited event-related administration and networking, the Controller may rely on legitimate interest under Article 6(1)(f) GDPR.
Partner B: Company SEBA Academy s.r.o.
-
Address: Kolbenova 762/6, Vysočany, 190 00 Prague 9
-
Company ID No.: 19974451 (registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 394897)
-
Purpose of Transfer: Event-related networking, post-event follow-up, and the Partner’s own marketing communications, subject to applicable GDPR transparency and consent requirements.
-
Scope of Transferred Data: First name, surname, company name, job title, e-mail address, and telephone number, where provided.
-
Legal Basis: Consent of the data subject under Article 6(1)(a) GDPR for partner marketing communications. For limited event-related administration and networking, the Controller may rely on legitimate interest under Article 6(1)(f) GDPR.
Important Note on Partner Consent: The Partners act as independent controllers for their own post-event communication and marketing. The Partners are responsible for complying with GDPR and applicable electronic marketing rules in relation to their own communications.
Personal data are transferred to the Partners for their own marketing communications only where the data subject has given separate, specific, and freely given consent. Such consent is collected separately from event registration and is not a condition for participation in the event. The data subject may withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
IV. Transfer of Personal Data to Third Countries
Some of the processors listed above may have their registered office or servers outside the European Economic Area (EEA). In such cases, the Controller shall ensure that any transfer of personal data complies with Chapter V of the GDPR, in particular on the basis of an adequacy decision by the European Commission, standard contractual clauses, or other appropriate safeguards within the meaning of Article 46 of the GDPR.
V. Cookies and Electronic Identifiers
The Controller uses cookies and other electronic identifiers in the operation of its website. Cookies are small text files stored on the user’s device when visiting the website. The Controller distinguishes the following categories of cookies:
-
Technically necessary cookies: These are necessary for the proper functioning of the website and cannot be disabled. Processing takes place on the basis of the Controller’s legitimate interest.
-
Analytical cookies: These allow the Controller to analyze website usage and improve it (e.g., Google Analytics). Processing is based on user consent.
-
Marketing cookies: Used for advertising targeting and content personalization (e.g., social media platforms). Processing is based on user consent.
Consent to cookies is given via the cookie banner displayed on the first visit to the website. The user may withdraw consent or change their preferences in the cookie settings at any time.
VI. Automated Decision-Making and Profiling
The Controller uses automation features powered by artificial intelligence within the SwipeScale CRM system. These tools may perform automated operations such as contact segmentation, automatic message sending, or lead scoring.
This processing has no legal effects or similar significant impacts on data subjects within the meaning of Article 22 of the GDPR. Data subjects always have the right to request human review of an automated decision.
VII. Personal Data Retention Period
The Controller retains personal data for the period necessary to fulfil the purposes of processing, or for the period stipulated by law. Specifically:
-
Contractual Relationships: For the duration thereof and subsequently for the duration of the limitation periods (generally 3 years, up to a maximum of 10 years under the Civil Code).
-
Consent-based Processing: Until the consent is withdrawn by the data subject, but no longer than 5 years from the date consent was given, unless the consent is renewed.
-
Legitimate Interest Processing: Until a successful objection is raised by the data subject or until the legitimate interest ceases to exist.
-
E-mail Campaigns (Bizmachine / Brevo / SwipeScale): Until the recipient unsubscribes or raises an objection.
-
Tax and Accounting Documents: For the period stipulated by law (generally 5–10 years).
-
Event Registration Data: Retained for up to 3 years after the relevant event, unless a longer retention period is necessary for the establishment, exercise, or defence of legal claims or for compliance with statutory obligations.
-
Records of Consent: Records of consent (including marketing and partner transfer consents) are retained for the duration of the consent and for a reasonable period thereafter in order to demonstrate compliance with GDPR.
-
Unsubscribed Contacts: Where a data subject unsubscribes or objects to direct marketing, the Controller may retain the necessary contact details in a suppression list to ensure that no further marketing communications are sent to that person.
VIII. Rights of Data Subjects
The Controller guarantees data subjects the following rights in connection with the processing of personal data, arising from the GDPR and Act No. 110/2019 Coll.:
-
Right of access to personal data (Article 15 GDPR): The right to obtain confirmation as to whether personal data is being processed, and if so, to access such data and further info.
-
Right to rectification (Article 16 GDPR): The right to have inaccurate personal data rectified and incomplete data completed.
-
Right to erasure (Article 17 GDPR): The right to request the erasure of personal data where legal conditions are met (e.g., data is no longer necessary, consent withdrawn).
-
Right to restriction of processing (Article 18 GDPR): The right to request restriction of processing (e.g., where accuracy is contested).
-
Right to data portability (Article 20 GDPR): The right to receive personal data in a structured, commonly used, and machine-readable format.
-
Right to object (Article 21 GDPR): The right to object at any time to processing based on legitimate interest. In the case of direct marketing, the Controller shall always cease processing immediately without further action.
-
Right not to be subject to automated decision-making (Article 22 GDPR): The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
-
Right to withdraw consent: Where processing is based on consent, the right to withdraw it at any time, without affecting prior lawfulness.
How to Exercise Your Rights
To exercise your rights, you may contact the Controller at:
-
E-mail: national_office@bni-czechia.com
-
Subject Line:
GDPR - Personal Data Processing
Data subjects are entitled to lodge a complaint with the supervisory authority:
-
Authority: Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
-
Address: Pplk. Sochora 27, 170 00 Prague 7
-
E-mail: posta@uoou.cz
-
Data Box: qkbaa2n
-
Website: www.uoou.cz
IX. Security of Personal Data
The Controller has adopted appropriate technical and organizational measures to ensure the security of personal data, in particular measures to ensure the confidentiality, integrity, and availability of the personal data processed, in accordance with Article 32 of the GDPR.
X. Final Provisions
-
This Personal Data Protection Policy is governed by the GDPR, Act No. 110/2019 Coll., on the Processing of Personal Data, and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.
-
The Controller reserves the right to amend this Policy in the event of changes to legislation, changes in the Controller’s activities, or changes in the technological solutions used. The current version shall always be published on the Controller’s website.
-
The Controller does not systematically transfer personal data outside the EU/EEA countries in the course of its activities, except as set out in Article IV of this Policy.
-
This Personal Data Protection Policy is effective as of 01.01.2026.