PRIVACY POLICY

1. Introductory provisions


1.1. This document provides information on how MMP Agency s.r.o., Company ID No.: 19638604, VAT ID No.: CZ19638604, with its registered office at Mikulandská 119/10, Nové Město, 110 00 Prague 1, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 389573 (the “Controller”), processes personal data in connection with the Posedlí Dakarem brand.

1.2. This document applies in particular to the processing of personal data in connection with:

  1. a) the operation of the website www.posedlidakarem.cz;
  2. b) communication with prospective customers, customers, event participants and business partners;
  3. c) the sale of tickets for talk shows, open air events and other events;
  4. d) the organisation of cultural, social, sports, experiential and outdoor events;
  5. e) the organisation of expeditions, package tours and travel services;
  6. f) the processing of orders, payments, invoicing and contractual documentation;
  7. g) the use of registration, order and onboarding forms;
  8. h) the creation and use of photographs, videos, audio recordings and audiovisual recordings;
  9. i) the sending of commercial communications and marketing communication;
  10. j) the handling of enquiries, complaints, legal claims and customer support.

1.3. The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (GDPR), Act No. 110/2019 Coll., on Personal Data Processing, and other applicable legal regulations.

1.4. This document is intended in particular for customers, prospective customers, event participants, expedition participants, newsletter subscribers, website visitors, contractual partners and other persons whose personal data are processed by the Controller.


2. Personal data controller


2.1. The personal data controller is:

MMP Agency s.r.o.

Company ID No.: 19638604

VAT ID No.: CZ19638604

registered office: Mikulandská 119/10, Nové Město, 110 00 Prague 1

e-mail: info@posedlidakarem.cz

website: www.posedlidakarem.cz

2.2. The Controller has not appointed a data protection officer, as it is not currently required to do so under applicable legal regulations.

2.3. The Controller may be contacted regarding personal data protection matters at info@posedlidakarem.cz.


3. Categories of personal data processed


3.1. The Controller processes personal data only to the extent necessary for the relevant purpose of processing.

3.2. Depending on the particular situation, the Controller may process in particular the following categories of personal data:

  1. a) identification data, in particular first name, surname, date of birth and, where applicable, company name, company ID number and VAT ID number;
  2. b) contact details, in particular e-mail address, telephone number, residential address, billing address and delivery address;
  3. c) order and contractual data, in particular information on ordered services, tickets, events, expeditions, dates, prices, payments, deposits, balances, confirmations of participation and contractual documentation;
  4. d) payment and invoicing data, in particular data included in invoices, advance invoices, payment instructions, bank statements and accounting documents;
  5. e) communication data, in particular the content of e-mail, telephone, form-based or other communication with the Controller;
  6. f) data from registration, order and onboarding forms, in particular data needed for the organisation of a specific event, expedition or package tour;
  7. g) travel data, in particular citizenship, travel document number, validity of the travel document, data needed for visas, flights, transport, accommodation, admissions, insurance and other travel services;
  8. h) emergency contact data, in particular first name, surname, relationship to the participant, telephone number and e-mail address;
  9. i) data on travel experience, language skills, preferences and practical needs of the participant, where necessary for the organisation of an expedition or package tour;
  10. j) data on driving authorisation and interest in driving a vehicle, in particular information on holding a driving licence, where applicable an international driving permit, and interest in driving a vehicle during the expedition;
  11. k) health and safety information to the necessary extent, in particular information on serious allergies, health limitations, dietary restrictions, practical safety needs or other circumstances that may be relevant to the safety of the participant or the group;
  12. l) photographs, videos, audio recordings and audiovisual recordings taken at events, expeditions, package tours or in connection with the Posedlí Dakarem brand;
  13. m) marketing data, in particular information on granting or withdrawing consent to receive commercial communications, preference data and interactions with marketing communications;
  14. n) technical data, in particular IP address, cookies, device identifiers, website visit data, form use data and analytical data;
  15. o) data necessary for the protection of rights and legal claims, in particular complaint communication, records of consents, versions of accepted terms, evidence of delivery of documents and related records.


4. Purposes and legal bases of processing


4.1. The Controller processes personal data always for a specific purpose and on the basis of an appropriate legal basis.

4.2. Processing for the purpose of negotiating and performing a contract

The Controller processes personal data for the purpose of handling enquiries, orders, reservations, ticket sales, confirmations of participation, conclusion and performance of contracts, provision of services, organisation of events, expeditions and package tours, issuing documents, communicating with the customer and ensuring the agreed performance.

The legal basis is the performance of a contract or taking steps prior to entering into a contract.

4.3. Processing for the purpose of organising expeditions and package tours

For expeditions and package tours, the Controller processes personal data for the purpose of arranging transport, flights, visas, accommodation, admissions, insurance, communication with local partners, safety, participant records, practical travel organisation and compliance with the obligations of a travel agency.

The legal basis is the performance of a contract, compliance with legal obligations and the legitimate interest of the Controller in the proper and safe organisation of an expedition or package tour.

4.4. Processing of health and safety information

The Controller may process a limited scope of health and safety information provided by the participant for the purpose of safely organising an expedition, assessing practical risks, providing appropriate assistance in the event of difficulties and protecting the life, health and safety of the participant or other persons.

Such data are processed only to the extent necessary for the specific purpose. Depending on the particular situation, the legal basis may be the explicit consent of the participant, performance of a contract, protection of the vital interests of the data subject or another person, and the legitimate interest of the Controller in the safe course of the expedition.

4.5. Processing of emergency contact data

The Controller processes emergency contact data for the purpose of being able to contact a close or designated person in the event of an emergency, health issues, a safety incident or another serious circumstance related to participation in an expedition or event.

The legal basis is the legitimate interest of the Controller and the participant in ensuring safety and emergency communication, or the protection of the vital interests of the participant or another person.

4.6. Processing for invoicing, accounting and compliance with legal obligations

The Controller processes personal data for the purpose of bookkeeping, tax records, issuing invoices and complying with other legal obligations.

The legal basis is compliance with the Controller’s legal obligations.

4.7. Processing for complaints, legal claims and protection of rights

The Controller processes personal data for the purpose of handling complaints, objections, requests, insurance claims, legal claims, debt recovery, defence of rights and proving compliance with obligations.

The legal basis is the legitimate interest of the Controller in protecting its rights and legal claims, or compliance with legal obligations.

4.8. Processing of photographs, videos and audiovisual recordings created by the Controller

The Controller may create and use photographs, videos, audio recordings and audiovisual recordings at events, expeditions and package tours for the purpose of documenting the course of the event, internal archiving, journalistic/reporting use, appropriate communication of Posedlí Dakarem brand activities and protection of the Controller’s rights.

The legal basis may be the legitimate interest of the Controller in documenting and appropriately promoting its activities.

Detailed marketing use of the likeness of a specific person, a testimonial, an individual advertising output, a paid campaign or other more intensive use of a personal recording may be based on the separate consent of the person concerned.

4.9. Processing of materials provided by a participant

If a participant or another person provides the Controller with photographs, videos, audio recordings, texts, reviews, posts, social media tags or other content related to the Posedlí Dakarem brand, the Controller may process and use such content within the scope set out in this policy, the terms and conditions, consent, licence arrangement or another agreement.

The legal basis for processing personal data in such content may be the performance of a contract, the Controller’s legitimate interest in communication, promotion and protection of its rights, or the consent of the person concerned, depending on the nature of the particular use.

4.10. Processing for marketing communication

The Controller may process personal data for the purpose of sending commercial communications, newsletters, information about events, expeditions, offers and related projects.

The legal basis is either the Controller’s legitimate interest in direct marketing of its own similar services, where permitted by law, or the consent of the data subject.

4.11. Processing of technical data and cookies

The Controller processes technical data and cookies for the purpose of operating the website, ensuring its functionality and security, analytics, measuring traffic, marketing and improving services.

Details are provided in a separate Cookies document.


5. Special provisions for expeditions and package tours


5.1. For expeditions and package tours, the scope of personal data processed is broader than for a standard ticket purchase, because the Controller must ensure travel, organisational, safety, insurance and contractual processes.

5.2. An expedition participant is obliged to provide the data necessary for arranging the expedition truthfully, completely and on time. Without such data it may not be possible to arrange participation in the expedition, travel services, flights, visas, insurance, accommodation, transport or other performance.

5.3. For expeditions, the Controller may process in particular:

  1. a) basic identification and contact details of the participant;
  2. b) date of birth and citizenship;
  3. c) residential address;
  4. d) passport data and data on the validity of the travel document;
  5. e) data needed for visas and entry into the destination country;
  6. f) data needed for flights, accommodation, transport, admissions and insurance;
  7. g) emergency contact data;
  8. h) health, allergy, dietary or safety-related circumstances to the necessary extent;
  9. i) data on driving authorisation and interest in driving a vehicle;
  10. j) data on travel experience, language skills and practical preferences;
  11. k) confirmations of familiarisation with documents, conditions, risks and instructions;
  12. l) consents and withdrawals of consents.

5.4. Certain data may be transferred to air carriers, accommodation providers, insurance companies, visa or immigration intermediaries, local partners, organisers of accompanying programmes, vehicle providers, admission providers, local authorities and other persons where necessary to arrange the expedition or perform the contract.

5.5. For expeditions outside the European Union or the European Economic Area, personal data may be transferred to third countries, in particular to countries where the expedition takes place, through which the participant travels or where necessary travel service providers are established.

5.6. The Controller transfers personal data to third countries only to the extent necessary for arranging the expedition, performing the contract, arranging travel services, complying with legal obligations or protecting the participant’s safety. Where possible and appropriate, the Controller uses safeguards under the GDPR.


6. Forms, electronic tools and internal systems


6.1. The Controller may use third-party electronic form, database, project management, CRM, accounting, cloud, communication and administrative tools for data collection, orders, registrations, participant onboarding, internal records, project management, CRM, financial records, communication and organisation of services.

6.2. These tools may be used in particular to collect data from participants, keep records of enquiries and orders, manage customer communication, manage payments, keep participant records, store documents, organise expeditions, share information within the team and comply with contractual and legal obligations.

6.3. Some tools may be operated by providers established outside the Czech Republic or outside the European Economic Area. In such a case, the Controller proceeds in accordance with the rules for transfers of personal data to third countries set out in this document.

6.4. Such providers may act as processors of personal data or as independent controllers, depending on the nature of the service provided and their own terms.

6.5. The Controller selects tools and providers for which an appropriate level of security and personal data protection can reasonably be expected.

6.6. Access to personal data in these systems is granted only to persons who need it to perform their work, contractual or organisational tasks.


7. Whatsapp and operational communication


7.1. For expeditions, package tours and organisationally demanding programmes, the Controller may also use telephone, SMS, e-mail, WhatsApp or similar communication tools for operational communication.

7.2. WhatsApp or a similar communication group may be used in particular for organisational instructions, programme changes, safety information, timing instructions, practical information and communication during the expedition.

7.3. The participant acknowledges that when using WhatsApp or similar services, personal data may also be processed by the operator of the relevant platform in accordance with its own terms and privacy policy.

7.4. The Controller will not share sensitive health information or other data that are not necessary for joint organisational communication through a WhatsApp group.

7.5. Participation in a WhatsApp group may be important for the safe and operational course of certain expeditions. If a participant does not use WhatsApp or does not wish to use it, the participant must notify the Controller in advance so that an alternative method of communication can be assessed.


8. Photographs, videos and audiovisual content


8.1. The Controller may create photographs, videos, audio recordings and audiovisual recordings as part of events, expeditions, package tours and other Posedlí Dakarem brand activities.

8.2. Recordings may be created in particular for the purpose of:

  1. a) documenting the course of an event, expedition or package tour;
  2. b) internal archiving;
  3. c) journalistic/reporting use;
  4. d) communication of Posedlí Dakarem brand activities;
  5. e) publication on the website and social networks to a reasonable extent;
  6. f) creating aftermovies, reports and summary outputs;
  7. g) protecting the rights and legitimate interests of the Controller.

8.3. For ordinary event shots, group shots, journalistic/reporting shots and documentation of the course of an event, the legal basis may be the legitimate interest of the Controller.

8.4. If a specific person is to be used as the main element of individual marketing communication, a testimonial, an advertising output, a paid campaign or another intensive marketing output, the Controller may request separate consent.

8.5. Consent to the marketing use of a photograph, video or likeness is voluntary. Failure to grant consent does not affect the possibility of participating in an event or expedition, unless such consent is necessary for a specific agreed performance.

8.6. Consent granted may be withdrawn at any time by e-mail to info@posedlidakarem.cz. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

8.7. After withdrawal of consent, the Controller will cease using the recordings for purposes based on consent within a reasonable period. The participant acknowledges that already published materials may not be technically or organisationally capable of being completely removed from all locations, especially if they have been further shared by third parties; however, the Controller will take reasonable remedial steps.

8.8. If a participant provides the Controller with photographs, videos, audio recordings, texts, reviews, posts, social media tags or other content related to the Posedlí Dakarem brand, the participant thereby grants the Controller a non-exclusive, royalty-free, territorially unlimited, time-unlimited and transferable licence to use such content by all methods of use, in particular for documentation, archiving, editorial, marketing, promotional, business and commercial purposes of the Controller and the Posedlí Dakarem brand.

8.9. The Controller is entitled to use the content under Article 8.8 in particular on websites, social networks, newsletters, advertising campaigns, presentation materials, printed materials, audiovisual outputs, aftermovies, reports, business offers and other online and offline communication channels.

8.10. The Controller is entitled to edit, shorten, combine the content under Article 8.8 with other content, add graphics, subtitles, a logo, music or commentary, include it in a collection or use it as part of a broader audiovisual, marketing or business output, always in a manner that does not diminish the dignity of the participant.

8.11. The participant represents that he or she is entitled to provide such content to the Controller, that the content does not infringe the rights of third parties, in particular copyright, rights to likeness, personality rights or trademark rights, and that he or she has obtained the necessary consents of persons captured in the content.


9. Recipients of personal data


9.1. Personal data may be made available only to persons who need them for the relevant purpose of processing.

9.2. Recipients of personal data may include in particular:

  1. a) employees, co-workers and team members of the Controller;
  2. b) accounting, tax, legal and administrative advisers;
  3. c) providers of IT services, hosting, cloud services, form tools, CRM, database, project, accounting, communication and administrative systems;
  4. d) providers of payment, invoicing and accounting systems;
  5. e) providers of e-mailing and marketing services;
  6. f) operators of social networks and online platforms;
  7. g) photographers, camera operators, editors, graphic designers, production staff and other persons involved in content creation;
  8. h) organisers, venue operators, security services and technical services at events;
  9. i) carriers, airlines, accommodation providers, insurance companies, visa intermediaries, local partners, vehicle providers, admission providers and other travel partners;
  10. j) public authorities, where required by law or necessary to protect the Controller’s rights;
  11. k) insurers, banks and other persons in connection with insurance, complaints, insurance claims or legal claims.

9.3. The Controller does not transfer personal data to third parties for their own independent marketing use without a legal basis.


10. Transfers of personal data to third countries


10.1. In connection with the operation of the website, online tools, social networks, cloud services, marketing tools, form tools, analytics and the organisation of expeditions outside the EU/EEA, personal data may be transferred to third countries outside the European Union or the European Economic Area.

10.2. Transfers may take place in particular where:

  1. a) the participant travels to or through a third country;
  2. b) it is necessary to transfer data to a carrier, accommodation provider, local partner, insurance company, visa intermediary or authority in a third country;
  3. c) the Controller uses an online tool, cloud service, social network or provider that may process data outside the EU/EEA;
  4. d) the transfer is necessary for the performance of a contract, arranging a travel service, protection of rights or compliance with legal obligations.

10.3. Where relevant and possible, the Controller uses appropriate safeguards under the GDPR, in particular adequacy decisions, standard contractual clauses or other mechanisms provided for by the GDPR.

10.4. For certain transfers necessary for travel to a third country, the legal basis may be the necessity of the transfer for the performance of a contract between the data subject and the Controller or for the implementation of pre-contractual measures taken at the request of the data subject.


11. Retention period of personal data


11.1. The Controller retains personal data only for the period necessary for the purpose for which they were collected or for the period required by legal regulations.

11.2. In general, the following indicative retention periods apply:

  1. a) data related to orders, contracts, participation in events, expeditions and package tours: for the duration of the contractual relationship and subsequently for the period necessary to protect legal claims;
  2. b) accounting and tax documents: for the period required by legal regulations;
  3. c) complaint and legal documentation: for the period of handling the complaint or dispute and subsequently for the period necessary to protect legal claims;
  4. d) data from expedition forms: for the period necessary to organise the expedition and subsequently for the period necessary to prove compliance with obligations and protect rights;
  5. e) health and safety information: only for the period necessary to organise the expedition, resolve safety or health situations and protect rights, unless longer retention is necessary;
  6. f) consent records: for the duration of the consent and subsequently for the period necessary to prove that the consent was granted or withdrawn;
  7. g) marketing contacts: for the duration of consent or legitimate interest, no longer than until unsubscribe or objection;
  8. h) photographs and videos created by the Controller: for a period appropriate to the purpose of use, archiving and protection of rights, unless stated otherwise in a specific consent or documentation;
  9. i) materials provided by a participant under Article 8.8: for the duration of the licence, purpose of use, archiving and protection of rights, unless agreed otherwise.

11.3. After the relevant retention period has expired, the Controller deletes or anonymises personal data, or retains them further only where another legal ground exists.


12. Security of personal data


12.1. The Controller adopts appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction.

12.2. The measures include, in particular, limiting access to data, using secure systems, internal rules for handling data, confidentiality of persons who have access to data, and appropriate access control.

12.3. Access to personal data is granted only to persons who need it to perform their tasks.

12.4. The Controller requires an appropriate level of personal data protection from its processors and suppliers.


13. Rights of data subjects


13.1. The data subject has the rights set out in the GDPR in connection with the processing of personal data.

13.2. The data subject has in particular the right to:

  1. a) request access to his or her personal data;
  2. b) request rectification of inaccurate or incomplete personal data;
  3. c) request erasure of personal data where the conditions under the GDPR are met;
  4. d) request restriction of processing;
  5. e) object to processing based on legitimate interest;
  6. f) object to processing for direct marketing purposes;
  7. g) request data portability where the conditions under the GDPR are met;
  8. h) withdraw consent where processing is based on consent;
  9. i) lodge a complaint with a supervisory authority.

13.3. Where processing is based on consent, the data subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

13.4. If the data subject objects to processing for direct marketing purposes, the Controller will cease processing personal data for that purpose.

13.5. Rights may be exercised by e-mail at info@posedlidakarem.cz.

13.6. Before handling a request, the Controller may request reasonable verification of the applicant’s identity if it has doubts about the applicant’s identity or if this is necessary to protect personal data.

13.7. The Controller handles requests without undue delay and no later than within the time limits set by the GDPR.


14. Complaint to the supervisory authority


14.1. The data subject has the right to lodge a complaint with a supervisory authority if he or she believes that the processing of his or her personal data has infringed legal regulations.

14.2. The supervisory authority in the Czech Republic is:

Office for Personal Data Protection

Pplk. Sochora 27

170 00 Prague 7

website: www.uoou.cz


15. Changes to this document


15.1. The Controller is entitled to update this document, in particular due to changes in legal regulations, changes in tools used, changes in services or changes in the method of processing personal data.

15.2. The current version of this document is available on the Website.

15.3. This version becomes effective on 1 June 2026.