Privacy Policy

Effective from: 18 May 2026

What is personal data: any information by which a natural person can be identified, whether directly (e.g. a name) or indirectly (e.g. an IP address in combination with other data), within the meaning of Article 4(1) GDPR.

In short: This website itself does not actively collect, store, or analyse any personal data of its visitors. It uses no cookies, no analytics, and no marketing tools. Traffic is routed through Cloudflare infrastructure, which — acting as a processor — temporarily processes technical data (in particular IP addresses) solely to ensure security and availability. All communication is encrypted via TLS.

This document describes how the controller processes the personal data of visitors to the website ladislav.eu, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), Act No. 110/2019 Coll., on the Processing of Personal Data, and Act No. 127/2005 Coll., on Electronic Communications, as amended.

1. Controller of personal data

The controller of personal data within the meaning of Article 4(7) GDPR is:

Ladislav Smetana
IČO (Company ID): 24059927
Registered office: Školská 660/3, 110 00 Prague 1 – Nové Město, Czech Republic
Register: Trade Register maintained by the Municipal District Office of Prague 1
E-mail: [email protected]

The controller has not appointed a data protection officer, as this obligation does not arise under Article 37 GDPR (the controller is not a public authority, its core activities do not consist of large-scale, regular and systematic monitoring of data subjects, nor of the processing of special categories of personal data). For the purpose of exercising rights under the GDPR and in other personal data protection matters, the controller can be contacted by e-mail at [email protected] or in writing at the registered office address above.

2. What personal data we process

The controller itself does not actively collect or store any personal data. The website ladislav.eu has no contact forms, user registration, login, e-commerce functionality, or any other tools for the deliberate collection of data.

However, as a consequence of the technical transmission of the HTTP request required to load a web page, the following technical data are processed (standard server logs and security records operated by the processor):

  • IP address of the visitor's device
  • Date and time of access (timestamp)
  • Browser identification string (HTTP User-Agent header)
  • Referring URL (HTTP Referer header), where sent by the browser
  • Requested resource (URL) and HTTP method
  • HTTP response status code and the volume of data transferred
  • Approximate geographic location derived from the IP address (country/region level), used by the processor for traffic routing and security evaluation

These data are processed exclusively by the processor Cloudflare on its infrastructure. The controller has no routine access to the raw logs; it only has limited access to aggregated and anonymised statistics available in the Cloudflare dashboard (e.g. total number of requests, number of blocked threats, geographic distribution of traffic at country level).

The controller does not process any special categories of personal data within the meaning of Article 9 GDPR (data concerning racial or ethnic origin, political opinions, religious beliefs, health, sex life, etc.).

3. Purposes of processing and legal bases

The controller processes personal data only where it has a valid legal basis under Article 6 GDPR. The purposes and corresponding legal bases of processing are as follows:

a) Ensuring the security, availability and integrity of the website

Specifically: protection against DDoS attacks, detection and blocking of automated malicious traffic, protection against abuse, encryption of communications, delivery of static content via a CDN network, and availability monitoring.

Legal basis: the legitimate interest of the controller and of third parties under Article 6(1)(f) GDPR — namely the controller's interest in the secure and available operation of the website and the visitors' interest in protection against malicious content and cyberattacks. A balancing test was carried out; given the minimal scope of the data processed, the short retention period and the nature of the data (technical operational data, not profile information), the interests and fundamental rights of the data subject do not prevail.

Automated security evaluation: The processor Cloudflare may, based on automated evaluation of network traffic (bot management, web application firewall rules, request rate limiting), decide to temporarily restrict access to the website, e.g. by displaying a security challenge (CAPTCHA), a JavaScript challenge, or by briefly blocking an IP address, where it detects signs of automated or malicious behaviour. These decisions serve exclusively to protect the security and availability of the website, are short-term, and can be overcome through ordinary interaction (solving the challenge or waiting for the time limit to expire). According to the established interpretation of the European Data Protection Board (EDPB), these security measures do not constitute automated individual decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR.

b) Retaining the technical state of this notice

Specifically: a record of whether the visitor has minimised this information notice, stored in the browser's local storage (localStorage). The record never leaves the visitor's device.

Legal basis: the controller's legitimate interest under Article 6(1)(f) GDPR in providing a functional control for the information element. For the purposes of Section 89(3) of Act No. 127/2005 Coll., this is storage technically necessary for the provision of a service knowingly requested by the visitor (displaying or hiding the notice according to their own choice), and therefore no consent is required for it.

c) Compliance with legal obligations

Specifically: providing cooperation to public authorities, where applicable, to the extent required by law (e.g. the Code of Criminal Procedure, the Act on the Police of the Czech Republic, the Tax Code for the controller's own accounting records unrelated to visitors).

Legal basis: compliance with a legal obligation of the controller under Article 6(1)(c) GDPR.

d) Handling communication sent to the contact e-mail

Specifically: processing of e-mail messages sent to [email protected], their content and the sender's details (e-mail address, name and any other information the sender voluntarily includes in the message), for the purpose of handling them and responding where appropriate.

Legal basis: the controller's legitimate interest in handling communication initiated by the data subject themselves under Article 6(1)(f) GDPR; where the communication is directed at concluding a contract or relates to its performance, also Article 6(1)(b) GDPR; where it concerns the exercise of rights under the GDPR or other legal claims, compliance with a legal obligation under Article 6(1)(c) GDPR. E-mail messages are retained for the time necessary to handle the enquiry and any follow-up communication, as a rule no longer than 3 years from the last contact, unless a specific legal provision requires a longer period (in particular for records relating to asserted claims).

The controller does not process personal data for the purposes of direct marketing, profiling, behavioural advertising, or automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR. No data are transferred to third parties for targeted advertising purposes.

4. Recipients and processors

The controller uses the services of the following processors of personal data:

Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, United States of America — provides CDN (Content Delivery Network) infrastructure, DDoS protection, a web application firewall (WAF), DNS management and TLS encryption. Processing takes place on the basis of a data processing agreement (Data Processing Addendum, version 6.3 of 20 June 2025) meeting the requirements of Article 28 GDPR. The agreement is publicly available at cloudflare.com/cloudflare-customer-dpa.

Cloudflare may, in accordance with the data processing agreement, use sub-processors, an up-to-date list of which is publicly available in Cloudflare's documentation.

Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland (identification number CHE-354.686.492) — provides the encrypted e-mail infrastructure for the operation of the contact address [email protected]. Processing takes place on the basis of a Data Processing Agreement meeting the requirements of Article 28 GDPR, available at proton.me/legal/dpa. The service uses end-to-end encryption where the other party to the communication supports it, and otherwise zero-access encryption at rest and TLS in transit. Proton AG's European representative within the meaning of Article 27 GDPR is Proton Europe sàrl, with its registered office at rue de Grünewald 94, L-1912 Luxembourg.

The controller does not sell personal data, does not trade in them, and does not provide them to any third party for payment or any other consideration. Nor do we transfer data to data brokers, advertising networks, data aggregators or any other entities for the purposes of targeted advertising, profiling or behavioural tracking. The operation of this website is not, and never has been, monetised through visitors' personal data.

We do not transfer personal data to any other third parties, except where required by applicable law or by a legitimate and duly issued request of a public authority.

5. Transfers outside the European Economic Area

Transfers to Switzerland (Proton AG): No additional safeguards under Chapter V GDPR are required for transfers of personal data to Switzerland, as the European Commission issued a decision on 26 July 2000 finding that Switzerland ensures an adequate level of protection of personal data, the validity of which was most recently confirmed on 15 January 2024. Transfers to Switzerland are therefore equivalent to transfers within the EU/EEA.

Transfers to the United States (Cloudflare, Inc.): Part of the processing by Cloudflare may take place on infrastructure located outside the European Economic Area, in particular in the United States of America. Transfers are safeguarded by one of the mechanisms permitted under Chapter V GDPR, specifically:

  • Certification under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU-US Data Privacy Framework). Cloudflare is actively certified — its participation can be verified at dataprivacyframework.gov.
  • Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in Modules 2 (controller → processor) and 3 (processor → processor), applied as an additional (fallback) mechanism in the event the DPF ceases to be valid.
  • Supplementary technical and organisational measures: end-to-end encryption in transit (TLS 1.2/1.3), encryption at rest, customer environment isolation, access controls, and regular third-party audits (ISO 27001, ISO 27018, ISO 27701, SOC 2).
  • Global CBPR (Cross-Border Privacy Rules) and PRP (Privacy Recognition for Processors) certifications — Cloudflare is certified under these international systems recognised in 39 jurisdictions.

6. Data retention periods

The controller itself does not retain any personal data of visitors. The retention periods of technical logs at the processor Cloudflare are governed by its policies for the given product; security logs are typically retained for the time strictly necessary for the detection and resolution of incidents (typically days to weeks), and aggregated statistical data for longer. Further details are set out in Cloudflare's privacy policy available at cloudflare.com/privacypolicy.

The record of the display state of this information notice stored in localStorage remains in the visitor's browser until the visitor removes it themselves (by clearing browser data or manually deleting the record in browser settings). This record contains no personal data.

7. Cookies and other technologies stored on the device

The controller itself does not use any cookies or other identifiers stored on the visitor's device for tracking, analytics, profiling or marketing purposes.

The website uses only the following on-device storage technologies:

Browser local storage (localStorage)

A single record with the key gdpr_notice_state_v2, used to retain the state (open/closed) of this information notice. The record contains no personal data, is purely functional, and serves solely for the visitor's convenience. For the purposes of Section 89(3) of Act No. 127/2005 Coll., on Electronic Communications, this constitutes storage necessary for the provision of a service explicitly requested by the visitor, and therefore no consent is required for it.

Cloudflare cookies

The processor Cloudflare may set strictly necessary cookies for security reasons. The most common are:

  • __cf_bm — a short-lived cookie (approx. 30 minutes) used to distinguish automated from human traffic (bot management)
  • cf_clearance — a cookie set after a security challenge has been successfully solved, limiting repeated challenges within a single browser

These cookies are strictly necessary for the functioning of the security mechanisms. They are not used for profiling, cross-site tracking or targeted advertising. They fall under the exemption in Section 89(3) of Act No. 127/2005 Coll., for which no consent is required.

8. Your rights as a data subject

As a data subject, you have the following rights in relation to the processing of your personal data, which you may exercise with the controller by e-mail at [email protected] or in writing at the registered office address:

  • Right of access (Article 15 GDPR) — the right to obtain confirmation of whether we process your personal data and, if so, to obtain access to them and information about the processing.
  • Right to rectification (Article 16 GDPR) — the right to have inaccurate data corrected or incomplete data completed.
  • Right to erasure (Article 17 GDPR) — the "right to be forgotten".
  • Right to restriction of processing (Article 18 GDPR).
  • Right to data portability (Article 20 GDPR) — the right to receive your data in a structured, commonly used and machine-readable format.
  • Right to object to processing based on legitimate interest (Article 21 GDPR).
  • Right not to be subject to solely automated decision-making, including profiling (Article 22 GDPR) — the controller does not carry out such decision-making.
  • Right to withdraw consent (Article 7(3) GDPR) — if processing were based on consent, it could be withdrawn at any time. The controller does not currently base any processing on consent.

Given that the controller itself does not store any data enabling the identification of a specific visitor (the controller does not know the IP address of a specific visit and does not work with it), it will in some cases not be practically possible to identify you. In such a case, the controller proceeds under Article 11(2) GDPR and informs the data subject that it is unable to identify them, unless the data subject provides additional information enabling their identification.

Rights concerning specific data processed by Cloudflare (e.g. a request for the erasure of a specific log) can be exercised directly with Cloudflare via the contacts listed in its privacy policy (e-mail: [email protected]).

9. Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data violates the GDPR or other personal data protection regulations, you have the right to lodge a complaint with a supervisory authority, which in the Czech Republic is:

Úřad pro ochranu osobních údajů (Office for Personal Data Protection, ÚOOÚ)
Pplk. Sochora 27, 170 00 Prague 7
Telephone: +420 234 665 111
E-mail: [email protected]
Data box ID: qkbaa2n
Web: uoou.gov.cz

A complaint may also be lodged with the supervisory authority of the EU member state of your habitual residence, place of work or the place of the alleged infringement (Article 77 GDPR).

10. Security of processing

Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller has adopted appropriate technical and organisational measures within the meaning of Article 32 GDPR, in particular:

  • Encryption of data in transit using TLS 1.2/1.3 (HTTPS) with automatic redirection from HTTP, and mandatory HSTS
  • Security filtering of traffic at the CDN, WAF and anti-DDoS level at the processor Cloudflare
  • Application of the data minimisation principle (Article 5(1)(c) GDPR) — the controller itself actively collects no personal data beyond what is technically necessary for delivering the web page
  • Application of the principle of data protection by design and by default (Article 25 GDPR) — the website was designed from the outset without any tracking, analytics, behavioural advertising or social media tools attached to it
  • Regular dependency updates and hosting on audited infrastructure holding ISO 27001, ISO 27018, ISO 27701 and SOC 2 certifications

11. Processing of minors' data

The website is not directed exclusively at children, nor does it target content at them. Given that the controller itself does not actively collect any personal data, no obligation arises to verify a visitor's age or to obtain the consent of a legal guardian within the meaning of Article 8 GDPR. Should we nevertheless learn that we have inadvertently processed the data of a child under 15 years of age without the consent of a legal guardian, we will take immediate steps to remove them.

12. Source of personal data

All technically processed data (described in Section 2) originate directly from the data subject — they are generated by the visitor's browser at the moment an HTTP request is sent to the website. The controller does not obtain personal data from any publicly available sources or from third parties (apart from the technical intermediation by the processor Cloudflare).

13. Obligation to provide data

The provision of the technical data listed in Section 2 is technically necessary for the transmission of a web page over the internet — without an IP address, no response can be sent back to the browser. Not providing these data (e.g. by using an anonymisation network with a spoofed IP) will make it impossible to access the website, but has no other legal consequences.

14. Changes to this policy

This policy may be updated in the future, in particular in response to changes in the legal framework or in the facts described above. The current version is always available on this page, with its effective date indicated. Changes that would significantly extend the scope of the processing of personal data will not be made without the express consent of the persons concerned or without another permissible legal basis.

15. Contact

For any questions, requests to exercise your rights, and other matters concerning the protection of personal data, you can contact the controller:

E-mail: [email protected]
(mailbox operated by Proton AG, Switzerland, with end-to-end encryption)

By post:
Ladislav Smetana
Školská 660/3
110 00 Prague 1 – Nové Město
Czech Republic

This privacy policy takes effect on 18 May 2026 and constitutes complete information on the processing of personal data pursuant to Articles 13 and 14 GDPR. This document is an English version of a policy originally drawn up in the Czech language; in the event of any discrepancy in interpretation, the Czech original prevails and is available from the controller on request.