Privacy Policy (GDPR)

1) Controller and contacts

Controller: Malamute Breed & Sled Union, z. s. (MBSU) – association

Registered office: Horní Tošanovice 8, 73953 Horní Tošanovice, Czech Republic

Company ID: 17650011

Privacy contact e-mail: privacy@mbsu.eu

The controller has not appointed a Data Protection Officer (DPO), because our activities do not require it under applicable law.

2) Scope and categories of data

We process mainly the following data (depending on what you provide):

• Identification and contact details: first name, last name, e-mail, phone number, nationality, optionally home address.
• Membership and activity data: membership type, application/membership status, participation in races (we keep long-term records of participation/non-participation and basic statistics).
• Dog data: names, age, photographs, and other descriptive information related to breeding.
• Content and communication: e-mails and forms related to applications, races, breeding agenda, and the community.
• Technical data: basic logs and identifiers needed to operate the website (see the Cookies section).

We do not process special categories of personal data under Article 9 GDPR (health, political opinions, etc.). We treat photographs of people as standard personal data; we do not perform biometric identification.

3) Purposes and legal bases

4) Photographs and publication

At events we take photographs and short videos for documentation and promotion of the association’s activities. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) in documenting and promoting the association’s activities. We may publish recordings on the website and official MBSU profiles. By taking part in a race, the participant acknowledges that they may be photographed and filmed as part of documenting the race and results. If you do not wish to be captured, please contact us before the event or inform the organiser on-site; we always respect an objection under Art. 21 GDPR and offer reasonable options (avoid capturing, delete, blur).

5) Recipients and transfers to third countries

• Technical infrastructure: Google Firebase (hosting, database, storage; we choose EU data regions where possible). The provider acts as a processor; contractually it uses Standard Contractual Clauses (SCC) and additional security measures.
• E-mail communication: Zoho (EU account), a processor for transactional e-mails (confirmations, service messages).
• Banking institutions: payment recipients (banks) receive payment instructions to the extent necessary to execute a transfer.
• Public authorities: where required by law or a legitimate request.

Where a transfer outside the EEA may occur, it is covered by Standard Contractual Clauses and supplementary measures; we use EU data centres whenever realistically available.

6) Retention period

• Applications and membership: for the duration of membership; if an application is rejected, we keep basic data for up to 12 months for process accountability (then securely delete), unless there is a legal reason to keep it longer.
• Race entries and racer accounts: when submitting a race entry, a user account (e-mail + password) is created automatically to provide future access to race history, results and, potentially, later membership. The account and related data (entry data, results, photographs and placements) are kept until consent is withdrawn or until the user deletes the account themselves (in the profile settings via “Delete account”) or requests deletion at privacy@mbsu.eu. After deletion, it will not be possible to automatically recreate a new account for the same e-mail without a new registration and user consent.
• Communication and operational logs: typically up to 12 months.
• Accounting/tax records: according to statutory retention periods (typically 5–10 years, depending on local regulation).
• Photographs: until consent is withdrawn/a valid objection is upheld, or until justified removal from our channels.

If you delete your account in the application or profile, we will start deleting your data without undue delay (with exceptions for legally required retention).

7) Your rights (GDPR)

• Access to your data (Art. 15),
• Rectification of inaccurate data (Art. 16),
• Erasure – “right to be forgotten” (Art. 17),
• Restriction of processing (Art. 18),
• Data portability (Art. 20),
• Objection to processing based on legitimate interest (Art. 21),
• Withdrawal of consent at any time (where processing is based on consent – Art. 7).

You can exercise your rights via the contacts below. We respond without undue delay, no later than within 1 month (which may be extended by 2 months for complex requests).

8) Security

We use encrypted communication (HTTPS), access control, audit logs and data segmentation. Administrator access is protected with multi-factor authentication. Our processors are contractually required to maintain an appropriate level of security.

9) Cookies, online identifiers and analytics

We use only essential cookies on this website and—only after your consent in the cookie bar— also analytics measurement (Firebase/Google Analytics 4). Without consent, analytics cookies and similar identifiers are not set and measurement is limited or disabled according to the cookie bar settings and Google Consent Mode (v2).

9.1 Categories

• Essential (legitimate interest): technical operation of the website and forms.
• Analytics (consent): aggregated measurement of traffic and behaviour on the website.
• Marketing: we do not use (no remarketing and Google Signals are not enabled).

9.2 Firebase/Google Analytics 4 – what we process

After consent is granted, we measure events (e.g., page view, clicks, visit duration), technical information about the device/browser and approximate location (country/city) derived for traffic statistics. GA4 does not store IP addresses; in the EU, the IP address is used only to derive approximate location and is then discarded before data is stored.

9.3 Legal basis, retention, recipients

• Legal basis: your consent (Art. 6(1)(a) GDPR) given in the cookie bar. You can withdraw consent at any time in the cookie settings.
• Retention (GA4): typically 2 months or 14 months for user/event data depending on service settings. At MBSU, we maintain a 14 months setting for analytics data in reports unless stated otherwise.
• Recipient/processor: Google Ireland Limited (Europe) as the analytics provider. In some cases, transfers to third countries may occur within the Google group based on SCC; we use EU data regions where possible.

9.4 How to change or withdraw consent

You can change your preference at any time via the “Manage cookies” button in the footer/banner or in your browser (deleting/blocking cookies). Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

10) Document changes

We will announce material changes to these policies on the website and (where appropriate) by e-mail. Each version includes its effective date.

11) Contact for data subject requests

E-mail: privacy@mbsu.eu

Requests are handled free of charge; a fee may be charged only in cases of manifestly unfounded or repetitive requests under the GDPR.

12) Complaint to the supervisory authority

You have the right to lodge a complaint with your competent supervisory authority in the EEA. For the Czech Republic: the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

13) Transparency notes

• If processing is based on consent (e.g., marketing), it can always be withdrawn without affecting the lawfulness of processing before withdrawal.
• We process data about children only via legal guardians and only to the extent necessary for participation in events.
• For published photographs, we aim for a reasonable balance of rights and interests; upon request, we will perform removal or blurring where appropriate.
• Providing required personal data is voluntary but necessary to establish membership or register for our events. Without providing such data, we could not process your application or provide the services.
• We do not use your personal data for automated individual decision-making, including profiling, that would have legal or similarly significant effects for you (Art. 22 GDPR). All decisions (e.g., membership admission, application approval, etc.) are always made by authorised staff.
• We do not disclose personal data to any third parties for their own marketing or commercial purposes. Your data is used solely to fulfil the purposes above within MBSU and by our contracted processors.

This document is prepared in line with the GDPR and related EEA regulations. Nevertheless, we recommend a legal review for your specific circumstances (bylaws, accounting, providers).