GDPR

PRINCIPLES OF PROCESSING AND PROTECTION OF PERSONAL DATA

1. Introduction

1.1. The purpose of these Principles of Processing and Protection of Personal Data (hereinafter referred to as the “Principles”) is to inform guests, participants, competitors of the Middle Film Festival, an international film festival (hereinafter referred to as the “Festival”), as well as purchasers making ticket purchases for the Festival via the website https://www.middlefest.cz, about the scope of processing and protection of their personal data and about the conditions for handling cookies.

2. Personal Data Controller

2.1. The controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (hereinafter referred to as the “GDPR”) is Middle Art Production z. s., Company ID No.: 21991341, with its registered office at Za Tratí 600, 788 13 Vikýřovice, registered in the Commercial Register kept by the Regional Court in Ostrava, File No. L 21577 (hereinafter referred to as the “Controller”); the Controller is the operator of the website https://www.middlefest.cz.

3. Legal Basis and Purpose of Personal Data Processing

3.1. The legal basis for the processing of personal data is:

  • compliance with the legal obligations of the Controller (Article 6(1)(c) GDPR),

  • conclusion and performance of a contract (Article 6(1)(b) GDPR),

  • legitimate interest of the Controller (Article 6(1)(f) GDPR),

  • revocable, informed, explicit and freely given consent (Article 6(1)(a) GDPR).

3.2. In connection with the organisation of the Festival, the operation of the website and the provision of additional accompanying services, the Controller processes personal data for the following purposes:

  • inviting guests and maintaining their database;

  • accreditation of journalists;

  • ticket sales, provision of accompanying services and organisation of the Festival;

  • newsletter distribution and other marketing communications;

  • promotion of the Festival on the website;

  • employee agenda;

  • accounting records;

  • ensuring legal protection.

4. Sources and Categories of Processed Personal Data

4.1. The Controller processes personal data that you have provided to the Controller or personal data that the Controller has obtained via its website in the course of performing a contract between you and the Controller.

4.2. The Controller processes:

  • identification data – first name, last name, academic title, date of birth, place of residence, country of residence;

  • contact data – e-mail address and telephone number;

  • economic and billing data – amount of payment, bank account number, payment card number, billing address.

5. Transfer of Personal Data

5.1. Personal data are stored privately and with maximum security. The Controller makes personal data available only to authorised employees or individual personal data processors contractually engaged by the Controller, always only to the extent necessary to fulfil the individual purposes of processing and on the basis of an appropriate legal title for processing personal data. The security of personal data at recipients is ensured through their contractual obligations, including confidentiality obligations.

5.2. In cases provided for by law, the Controller may be obliged to transfer certain data to public authorities, including law enforcement authorities or courts.

6. Your Rights

6.1. Under the conditions set out in the GDPR, you have:

  • the right of access to your personal data pursuant to Article 15 GDPR;

  • the right to rectification of personal data pursuant to Article 16 GDPR, or restriction of processing pursuant to Article 18 GDPR;

  • the right to erasure of personal data pursuant to Article 17 GDPR;

  • the right to data portability pursuant to Article 20 GDPR;

  • the right to object to the processing of personal data pursuant to Article 21 GDPR;

  • the right to withdraw consent to the processing of personal data pursuant to Article 7 GDPR.

6.2. You have the right to lodge a complaint with the Office for Personal Data Protection if you believe that your right to the protection of personal data has been violated; you may contact the Office for Personal Data Protection via the following contacts:

  • website: https://uoou.gov.cz/

  • e-mail address: posta@uoou.gov.cz

  • mailing address: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

6.3. In all matters related to the processing of your personal data, whether it concerns an inquiry, the exercise of a right, filing a complaint or anything else, you may contact the Controller via the following contacts:

  • e-mail address: gdpr@middlefest.cz

  • mailing address: Za Tratí 600, 788 13 Vikýřovice, Czech Republic

7. Conditions for Securing Personal Data

7.1. The Controller declares that it has adopted all appropriate technical and organisational measures to secure personal data.

7.2. The Controller has adopted appropriate technical measures to secure data storage and storage of personal data in paper form.

7.3. The Controller declares that only persons authorised by the Controller have access to personal data.

8. Period of Personal Data Processing

8.1. The Controller stores:

  • data necessary for the conclusion and performance of a contract and data processed for the analysis of website visitor behaviour for the duration of the contract;

  • data processed on the basis of consent for a period of 10 years or until the consent is withdrawn;

  • data processed for the protection of legal claims for the duration of the limitation period, including the period covering any suspension or interruption thereof, typically no longer than 16 years after the termination of the contract;

  • data processed for compliance with relevant legal obligations for the duration of the relevant obligation.

8.2. If, before the expiry of any of the above periods, judicial, criminal, administrative or other similar proceedings are initiated, the Controller processes personal data for the entire duration of such proceedings and the remaining part of the limitation period after their completion.

8.3. After the expiry of the personal data retention period, the Controller deletes the personal data.

9. Consent to Audio and/or Visual Recordings of Visitors

9.1. By entering the Festival premises, visitors agree, without further notice, to the free use of their image or likeness as part of any visual recording, transmission or production of an event organised on the Festival premises for commercial or promotional purposes within the meaning of Section 84 of Act No. 89/2012 Coll., the Civil Code (hereinafter referred to as the “Civil Code”), within the depiction of the entire Festival or any part thereof organised on the Festival premises by the Controller and/or its contractual partners. Consent to the use of image or likeness under this provision is granted by visitors to the Controller and its contractual partners for an indefinite period, while the visitor is entitled to withdraw this consent. Unless such withdrawal is justified by a substantial change in circumstances or another reasonable reason, the visitor shall be liable to the Controller pursuant to Section 87(2) of the Civil Code for any damage incurred as a result of the withdrawal of consent.

9.2. Festival visitors acknowledge that audio and/or visual recordings may be made on the Festival premises for the purposes of press, radio, television or similar news reporting. Visitors acknowledge that pursuant to Section 89 of the Civil Code, their consent is not required for the making of such recordings, provided that they are used in an appropriate manner and such use does not conflict with their legitimate interests.

10. Cookies

10.1. The website uses so-called cookies. Cookies are small data files that are stored on your device by the websites you visit. They are widely used to ensure the operation of websites or to improve their efficiency, as well as to provide information to website operators. Cookies are not harmful to your device or its software.

10.2. Necessary technical cookies
Cookies are used on the website to ensure its proper functioning and to secure the operation of the website (in particular orders and the e-shop). These cookies are necessary for the proper provision of services. They mainly include cookies for storing session information (purchases, orders) and for storing user settings (e.g. language preference). If the storage of these cookies is disabled in the browser settings, it may not be possible to provide the offered services properly or at all.

10.3. Analytical cookies
Third-party services for website traffic analytics are used on the website, which use cookies for their operation.

10.4. Marketing cookies
The website uses third-party tools based on cookie technology to track the effectiveness of the Controller’s advertising campaigns within the platforms of these third parties.

10.5. Cookie settings
The browser can be set to refuse all cookies or only certain cookies. Information on how to set browser preferences can usually be found in the browser’s help section. If all cookies are refused, the website may not function properly. After visiting the website, you can also delete all stored cookies from your browser to maximise your privacy.

11. Final Provisions

11.1. The Controller reserves the right to change these Principles at any time.

11.2. These Principles are valid and effective as of 5 September 2025.

In Šumperk on 5 September 2025