Your Privacy Matters
We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and Czech data protection laws.
Your Rights Under GDPR
Right to Access
You can request a copy of all personal data we hold about you, including how it's processed and shared.
Right to Rectification
You can request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
You can request deletion of your personal data when it's no longer necessary for the original purpose.
Right to Restrict Processing
You can request that we limit the processing of your personal data in certain circumstances.
Right to Data Portability
You can request your personal data in a structured, machine-readable format for transfer to another service.
Right to Object
You can object to processing of your personal data for direct marketing or legitimate interests.
Legal Basis for Data Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
Contract Performance (Article 6(1)(b))
Processing necessary for performing our consulting services contract with you, including project delivery, communication, and billing.
Legitimate Interests (Article 6(1)(f))
Processing for our legitimate business interests, such as improving services, marketing, fraud prevention, and maintaining business records.
Legal Obligation (Article 6(1)(c))
Processing required to comply with legal obligations, including tax records, anti-money laundering, and regulatory reporting.
Consent (Article 6(1)(a))
Processing based on your explicit consent, such as marketing communications and optional services. You can withdraw consent at any time.
Data Security Measures
Enterprise-Grade Security
We implement comprehensive technical and organizational measures to protect your personal data.
Technical Measures
- End-to-end encryption for data transmission
- AES-256 encryption for data at rest
- Multi-factor authentication for system access
- Regular security updates and patches
- Automated backup and disaster recovery
- Network firewalls and intrusion detection
Organizational Measures
- Staff training on data protection
- Role-based access controls
- Regular security audits and assessments
- Data processing agreements with vendors
- Incident response procedures
- Privacy impact assessments
Data Retention Policy
We retain personal data only as long as necessary for the purposes for which it was collected:
Data Category | Retention Period | Legal Basis |
---|---|---|
Client contact information | 7 years after contract end | Legal obligation (tax records) |
Project deliverables and communications | 5 years after project completion | Legitimate interests (liability) |
Financial and billing records | 10 years | Legal obligation (accounting) |
Marketing communications | Until consent withdrawn | Consent |
Website analytics and cookies | 13 months maximum | Legitimate interests |
Assessment tool responses | 3 years or until deletion requested | Legitimate interests |
Data is automatically deleted at the end of retention periods unless legal obligations require longer retention.
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards:
- Adequacy Decisions: Transfers to countries with adequate data protection (UK, Switzerland, etc.)
- Standard Contractual Clauses: EU-approved contracts for transfers to other countries
- Binding Corporate Rules: Internal rules for multinational service providers
- Certification Schemes: Transfers under approved certification mechanisms
- Explicit Consent: Your specific consent for certain transfers when required
We regularly review and update our transfer mechanisms to ensure continued compliance with GDPR requirements.
Data Breach Response
72-Hour Notification
We will notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
Our data breach response procedure includes:
Immediate Response (0-24 hours)
- Contain and assess the breach
- Document the incident details
- Implement immediate security measures
- Notify senior management
Follow-up Actions (24-72 hours)
- Notify supervisory authority if required
- Inform affected individuals if high risk
- Coordinate with law enforcement if needed
- Begin forensic investigation
We maintain detailed records of all data breaches and our response actions as required by GDPR Article 33.
Privacy by Design and Default
We implement privacy by design principles in all our systems and processes:
Design Principles
- Data minimization - collect only necessary data
- Purpose limitation - use data only for stated purposes
- Storage limitation - delete data when no longer needed
- Accuracy - maintain accurate and up-to-date data
Default Settings
- Opt-in consent for marketing communications
- Minimal cookie usage by default
- Restricted access to personal data
- Automatic data deletion schedules
Data Protection Contacts
Data Protection Officer
Email: info@cohoinvest.org
Phone: +420 774 761 660
Response Time: 30 days maximum
Languages: English, Czech
Supervisory Authority
Czech Republic:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Website: uoou.cz
Phone: +420 234 665 111
How to Exercise Your Rights
Submit a Data Subject Request
To exercise any of your GDPR rights, please contact us using the information below:
Email Request
info@cohoinvest.org
Phone Request
+420 774 761 660
Written Request
Kuninova 1722, Prague 4
Required Information:
- Your full name and contact information
- Proof of identity (copy of ID or passport)
- Specific request type (access, deletion, rectification, etc.)
- Details about the data or processing you're concerned about
Response Time: We will respond within 30 days of receiving your request.
© 2025 Coho Invest. All rights reserved.
This GDPR compliance information is current as of January 2025 and is regularly updated to reflect changes in data protection law.