(pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council)

1. Introduction and Data Controller Identification

This document governs the method, scope, and purpose of personal data processing carried out by MMP Agency s.r.o., with its registered office at Mikulandská 119/10, 110 00 Prague 1, Company, VAT ID: CZ19638604, registered with the Municipal Court in Prague under file no. C 389506 (hereinafter referred to as the “Controller” or “Company”), in accordance with applicable laws, in particular Regulation (EU) 2016/679 (“GDPR”). The Controller has not appointed a Data Protection Officer, as its activities do not meet the threshold defined in Article 37 of the GDPR. Any questions regarding the processing of personal data may be directed to: hq@mmproduction.agency

2. Scope and Purpose of Personal Data Processing

The Controller processes personal data of various categories of data subjects, including clients, business partners, website visitors, newsletter subscribers, and other individuals who contact the Controller via online forms or electronic communication.

The Controller processes the following categories of personal data:

  • Technical data (e.g., IP address, browser type, cookies)
  • Identification and contact details (e.g., name, email address, phone number)
  • Website usage data (e.g., analytics and behavioral metrics)
  • Data provided via communication (e.g., messages, inquiries)
  • Other data voluntarily provided by the data subjec

Purposes of processing include:

  • Execution of contractual and pre-contractual relationships
  • Fulfillment of legal obligations (e.g., tax and accounting records)
  • Sending of commercial communications and marketing (based on consent or legitimate interest)
  • Ensuring website functionality and traffic analysis
  • Direct communication through digital platforms and social media
  • Protection of the legitimate interests and legal claims of the Controller

3. Legal Basis for Processing

Processing of personal data is based on one or more of the following legal grounds as defined in Article 6 of the GDPR:

    • Consent of the data subject (e.g., for newsletters)
    • Performance of a contract or steps prior to entering into a contract
    • Compliance with legal obligations (e.g., accounting regulations)
    • Legitimate interests of the Controller (e.g., direct marketing, IT security, client communication)

Where processing is based on consent, the data subject may withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. Data Recipients and Processors

In the course of its operations, the Controller may share personal data with third parties in their capacity as data processors or independent data controllers. 

These include:

  • Cloud and storage service providers (e.g., Dropbox)
  • Email and marketing tools providers (e.g., Mailchimp)
  • Accounting and tax service providers
  • Providers of analytical and web administration tools (e.g., Google Analytics, Klik)
  • IT administrators and technical support services
All such processors are contractually bound to ensure data protection compliance under Article 28 of the GDPR. Personal data is not transferred outside of the European Union unless adequate protection measures are in place.

5. Data Retention Period

Personal data is stored only for the time necessary to fulfill the purpose for which it was collected or to comply with legal obligations.

In general:

  • Data processed based on consent is stored until the consent is withdrawn
  • Accounting and tax records are stored for 10 years
  • Analytics data is typically retained for a maximum of 24 months
  • Communication records are retained for up to 3 years after the relationship ends

6. Data Subject Rights

Every natural person whose personal data is processed by the Controller (hereinafter referred to as the “data subject”) has the right to the protection of their personal data in accordance with applicable legal regulations. These rights are stipulated in particular in Articles 12 to 22 of Regulation (EU) 2016/679 (“GDPR”) and include, but are not limited to, the following:

The data subject has the right to request access to their personal data, to request rectification or erasure of such data, as well as the right to restrict processing. Furthermore, the data subject has the right to object to processing, and where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

In certain circumstances, the data subject may also have the right to data portability, i.e., to receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller.

Requests relating to these rights can be submitted to the Controller via the contact details provided in Section 1 of this Policy. The Controller shall respond to all such requests without undue delay, and no later than one month from receipt of the request. In complex cases or if the Controller receives a large number of requests, this period may be extended by an additional two months, with prior notice to the data subject.

If the data subject believes that their data is being processed unlawfully or in breach of applicable regulations, they have the right to lodge a complaint with the competent supervisory authority – The Office for Personal Data Protection of the Czech Republic (address: Pplk. Sochora 27, 170 00 Prague 7, website: www.uoou.cz).

7. Data Security Measures

The Controller declares that it has implemented all appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing of personal data, taking into account the nature, scope, context, and purposes of the processing.

These measures include, in particular, access control management, secure data transmission protocols, regular system and software updates, encryption, backup processes, and internal guidelines for handling personal data. Access to personal data is granted only to authorized personnel who have been properly trained and are bound by confidentiality obligations.

The effectiveness of these measures is regularly reviewed and adapted to reflect the latest technological advancements and potential risks. All data processing is carried out in accordance with the principles of data minimization, confidentiality, integrity, and availability.

In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, the Controller shall notify the affected data subjects without undue delay, in accordance with Article 34 of the GDPR.

8. Final Provisions

These Privacy Policy terms may be updated by the Controller in the event of legal, organizational, or technical changes related to data processing. The current version is always available at www.mmproduction.agency.

This document is effective as of: 1.5.2025