GDPR Compliance Statement - EKS Home Servis s.r.o.
Effective Date: January 1, 2025
Last Updated: November 5, 2025
1. Our Commitment to GDPR Compliance
EKS Home Servis s.r.o. ("EKS") is fully committed to complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Czech data protection laws. This document outlines our comprehensive approach to data protection and demonstrates our dedication to safeguarding your personal information.
2. Key GDPR Principles We Follow
2.1 Lawfulness, Fairness, and Transparency
We process personal data only with valid legal basis
We are transparent about our data processing activities
We provide clear information about how we use your data
2.2 Purpose Limitation
We collect data only for specified, explicit, and legitimate purposes
We do not process data in ways incompatible with those purposes
Any new purposes are communicated and, where necessary, consent is obtained
2.3 Data Minimization
We collect only the minimum data necessary for our services
We regularly review data collection practices
We delete unnecessary data promptly
2.4 Accuracy
We maintain accurate and up-to-date personal data
We provide easy mechanisms for data correction
We respond promptly to update requests
2.5 Storage Limitation
We retain data only as long as necessary
We have defined retention periods for different data categories
We conduct regular data purging exercises
2.6 Integrity and Confidentiality
We implement robust security measures
We protect against unauthorized processing, loss, or damage
We maintain confidentiality of all personal data
2.7 Accountability
We maintain comprehensive documentation of processing activities
We conduct regular compliance audits
We can demonstrate compliance with all GDPR requirements
3. Data Subject Rights Implementation
We have implemented comprehensive procedures to ensure you can exercise all your GDPR rights:
3.1 Right to Information (Articles 13-14)
Our Implementation:
Clear privacy notices at all data collection points
Transparent communication about data processing
Easy-to-understand language in all communications
3.2 Right of Access (Article 15)
Our Implementation:
Response within 30 days of request
Free first copy of personal data
Secure verification process to confirm identity
Comprehensive data reports available
3.3 Right to Rectification (Article 16)
Our Implementation:
Online account management for self-service updates
Email/phone support for data corrections
Immediate update of incorrect data
Notification to third parties where data was shared
3.4 Right to Erasure (Article 17)
Our Implementation:
Clear deletion request process
Assessment within 72 hours
Complete deletion where legally permitted
Retention only where legal obligations require
3.5 Right to Restriction (Article 18)
Our Implementation:
Temporary suspension of processing upon request
Clear marking of restricted data
Processing only with consent or for legal claims
3.6 Right to Data Portability (Article 20)
Our Implementation:
Data export in CSV/JSON formats
Direct transfer to other controllers where feasible
Covers all data provided by you or generated through service use
3.7 Right to Object (Article 21)
Our Implementation:
Immediate cessation of direct marketing upon objection
Case-by-case assessment for other processing
No further processing unless compelling legitimate grounds exist
3.8 Rights Related to Automated Decision-Making (Article 22)
Our Implementation:
No fully automated decision-making affecting you
Human review available for any automated processes
Clear information about logic involved in any automation
4. Technical and Organizational Measures
4.1 Technical Safeguards
Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
Access Controls: Multi-factor authentication, role-based access
Network Security: Firewalls, intrusion detection systems, regular security updates
Data Backup: Regular encrypted backups with tested recovery procedures
Monitoring: 24/7 security monitoring and logging
4.2 Organizational Safeguards
Staff Training: Regular GDPR and security training for all employees
Confidentiality Agreements: All staff sign comprehensive NDAs
Access Management: Principle of least privilege, regular access reviews
Incident Response: Documented procedures, regular drills
Vendor Management: Due diligence on all data processors
5. Data Processing Activities
5.1 Customer Service Delivery
Purpose: Providing cleaning services
Legal Basis: Contract performance
Data Categories: Contact details, service addresses, preferences
Retention: Duration of service + 3 years
Recipients: Service staff, scheduling system
5.2 Marketing Communications
Purpose: Promotional communications
Legal Basis: Consent or legitimate interest
Data Categories: Contact details, preferences
Retention: Until withdrawal of consent
Recipients: Email service provider
5.3 Website Analytics
Purpose: Website improvement
Legal Basis: Legitimate interest
Data Categories: Usage data, device information
Retention: 26 months
Recipients: Analytics providers
5.4 Payment Processing
Purpose: Transaction processing
Legal Basis: Contract performance
Data Categories: Payment details, billing address
Retention: 10 years (legal requirement)
Recipients: Payment processors, accounting
6. Third-Party Data Processors
6.1 GoHighLevel (via GoSmartUp)
Service: CRM and automation
Location: USA (with appropriate safeguards)
Data Processed: Customer data, communications
Safeguards: Standard Contractual Clauses, encryption
6.2 Email Service Provider
Service: Email communications
Location: EU
Data Processed: Email addresses, communication history
Safeguards: GDPR-compliant processor agreement
6.3 Cloud Storage Provider
Service: Data backup and storage
Location: EU
Data Processed: All backup data
Safeguards: ISO 27001 certified, encrypted storage
7. Data Breach Response
7.1 Detection and Assessment
Continuous monitoring systems
Immediate assessment upon detection
Severity classification within 24 hours
7.2 Notification Procedures
Supervisory Authority: Within 72 hours if high risk
Affected Individuals: Without undue delay if rights/freedoms at risk
Documentation: Complete breach register maintained
7.3 Mitigation Measures
Immediate containment actions
Risk assessment and impact analysis
Implementation of additional safeguards
8. International Data Transfers
When transferring data outside the EEA:
Legal Mechanisms: Standard Contractual Clauses (SCCs)
Risk Assessment: Transfer impact assessments conducted
Additional Safeguards: Encryption, pseudonymization where appropriate
Transparency: Clear information about transfer destinations
9. Data Protection by Design and Default
9.1 Design Principles
Privacy considered at system design stage
Data minimization built into processes
Default settings maximize privacy
Regular privacy impact assessments
9.2 Default Settings
Minimum data collection by default
Strictest privacy settings pre-selected
Opt-in for additional processing
Clear choices presented to users
10. Compliance Monitoring
10.1 Regular Audits
Annual GDPR compliance audits
Quarterly security assessments
Monthly access reviews
Continuous monitoring of processing activities
10.2 Performance Indicators
Response time to data subject requests
Breach notification timeliness
Training completion rates
Security incident metrics
11. Cookie Compliance
11.1 Cookie Consent
Clear cookie banner with granular choices
Easy withdrawal of consent
No pre-checked boxes
Cookie-free basic functionality
11.2 Cookie Categories
Essential: No consent required (session management)
Performance: Consent required (analytics)
Functional: Consent required (preferences)
Marketing: Explicit consent required (advertising)
12. Special Categories of Data
We do not intentionally collect special categories of personal data (health, religion, political opinions, etc.). If such data is inadvertently collected:
Immediate assessment of legal basis
Enhanced security measures
Prompt deletion if no valid basis
Documentation of processing justification
13. Children's Data Protection
Services not directed at children under 16
Age verification for suspected minors
Parental consent required for under-16s
Immediate deletion of children's data if collected inadvertently
14. Your Rights - How to Exercise Them
14.1 Making a Request
Email: [email protected]
Post: EKS Home Servis s.r.o., Peroutkova 570/83, Praha 5, 158 00
Phone: +420 728 670 789
14.2 What We Need
Your identity verification (ID copy may be required)
Specific description of your request
Any relevant account/reference numbers
14.3 Our Response
Acknowledgment within 48 hours
Full response within 30 days
Extension to 60 days for complex requests (with notification)
Free of charge (except repetitive/excessive requests)
15. Supervisory Authority
You have the right to lodge a complaint with:
Czech Data Protection Authority (ÚOOÚ)
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
Email: [email protected]
Website: www.uoou.cz
Phone: +420 234 665 111
EKS Home Servis s.r.o.
Address: Peroutkova 570/83, Praha 5, 158 00
IČO: 278 92 522
Copyright 2026. Eva Kopčová | EKS Home Servis s.r.o. All Rights Reserved.