Last updated: 8 February 2018
1 / Data processing purpose and legal basis
1.1 / Contractual relationship
The Controller collects and processes personal data provided by its customers when they purchase goods through its online shop. The processing of personal data is necessary for the conclusion and fulfilment of the contract. If the customer does not agree to provide his/her personal data, the contract cannot be concluded. For the purpose of conducting the contractual relationship, the customer’s personal data is processed by means of online registration (name and surname, address, identification number or tax identification number), his/her contact details (email or phone number), and information related to the subject of the contract (identification of the goods, payment method including payment details such as the customer’s bank account number and bank identification information). The Controller is also entitled to process this data for the protection of its rights in case of any potential dispute with the customer. The aforesaid data will be processed and stored for the duration of the contractual relationship, or even longer if required by law or necessary for the protection of the Controller’s rights.
1.2 / Marketing activities
On the basis of the valid legislation, the Controller may use the personal data of the customer to disseminate commercial communications concerning product or service offers like those already provided to customers, whereas the personal data will be processed and stored for the duration of the contractual relationship unless the customer revokes his/her consent.
The legal basis for such processing is the legitimate interest of the Controller.
In all other cases, the Controller processes the personal data of its customers or potential customers with their consent only. It typically happens when a potential customer grants their consent to being sent newsletters or other commercial messages by the Controller. This also concerns cases when the Controller collects and processes additional data received during their mutual contractual relationship (such as customer purchasing habits, preferences, and logs including IP address or cookies used for identifying such preferences) in order to offer of goods and services directly. The processing of personal data is voluntary and bears no impact on the contractual relationship regardless of whether consent is given or not. If consent is given, it is valid for the time necessary to process the data, unless and until the customer revokes it.
1.3 / Maintenance of online shop and website
2 / Method of processing
The Controller processes personal data under Article 1 above by means of online registration or by concluding a contractual relationship through its online shop. Therefore, personal data is automatically processed in electronic form. If necessary, personal data may be processed manually in paper form, e.g., through a paper order. Personal data is stored in the Controller’s information system and can be backed-up on back-up server/data carriers if necessary.
The Controller has adopted all necessary security measures to prevent any unlawful or accidental access to personal data, its alteration, destruction or loss, unauthorized transmission, or other unauthorized processing or abuse.
As pertains to automated processing, the Controller has adopted security measures that allow access to the automated processing systems to authorized persons only. These persons shall have access only to information corresponding to their authorization and on the basis of the specific user authorizations established exclusively for these persons. The Controller shall keep electronic records that allow for the identification and verification of when, by whom, and for what reasons personal data was accessed or otherwise processed.
3 / Transfer and access to personal data
Personal data is collected and processed solely by the Controller, on the understanding that the Controller may also use the services of third parties for processing of personal data and these third parties may process this data, for example for the purpose of sending marketing materials. These third parties (IT services, accounting company) are always bound by agreements to preserve confidentiality and must not use information for any other purposes. The Controller also transfers personal data necessary for the delivery of ordered goods to parties responsible for such delivery (i.e., Czech Post, s.p., Politických vězňů 909/4, 225 99, Praha 1, ID No. 471 14 983; PPL CZ s.r.o., K Borovému 99, Jažlovice, 251 01, Říčany, ID No 251 94 798or Uloženka s.r.o., Na Hřebenech II 1718/8, 140 00 Praha 4, ID 242 99 162).
Personal data will be available only to the employees of the Controller who are bound by confidentiality as regards personal data as well as valid security measures. Employees are entitled to process personal data only per the explicit instructions of the Controller. The confidentiality obligation of employees continues after the termination of the employment relationship.
4 / Links to other sites
5 / Social media widgets
6 / Child privacy
The website, online shop, and related marketing services may only be accessed by customers or potential customers who are 18 years of age or older. The Controller does not knowingly collect personally identifiable data from persons under 18. If the customer or potential customer is a parent or guardian and is aware that his/her child has provided the Controller with his/her personal data, the Controller should be informed of this. If the Controller discovers that a person under 18 has provided it with personal data, the Controller will immediately delete such information from its servers.
7 / Right to information
The data subject is always entitled to access personal data which the Controller holds concerning them. The data subject may request a summary of this information by contacting the Controller at email@example.com or +420 778 065 388. In the case of an e-mail request, enter “Request for personal data” as the subject of your e-mail to enable us to process your request as quickly as possible.
For the provision of such information, the Controller is entitled to reasonable reimbursement not exceeding the costs necessary for the providing the information.
8 / Right to correction
If the data subject believes the Controller is processing his/her personal data contrary to law or to his/her private or personal life, in particular if his/her personal data is inaccurate regarding the purpose of processing, the data subject may:
Ask the Controller for an explanation.
Demand rectification, i.e., restriction of processing, correction, completion, or deletion of his/her personal data.
If the demand is deemed justifiable, the Controller is obliged to rectify the improper state of affairs without delay. If the Controller does not comply with the demand, the data subject is entitled to directly contact the Czech Data Protection Authority, with registered office at Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.
If the basis for processing of personal data is the legitimate interest of the Controller (including direct marketing), the data subject may raise objection to such processing if this processing relates to the purpose being objected to.
If technically feasible, the data subject may also request that the Controller provide his/her personal data for the purpose of further provision of this to the personal data Controller indicated by him/her (either directly or via the data subject)..
10 / Contact us