Personal Data Protection Policy
(hereinafter the Policy)
This document contains the basic information about personal data handling in our company. You will learn particularly the following in the text:
-
What personal data we process,
-
For what purpose and in what manner we process the personal data,
-
To whom the personal data may be transferred,
-
For how long we process the personal data,
-
What your rights are as a data subject in relation to the personal data protection.
If you need to have any part of the text explained, to get advice or to discuss further processing of your personal data, do not hesitate to contact us at the e-mail address
[email protected].
1.INTRODUCTORY PROVISIONS
-
This Policy is elaborated in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR).
-
The aim of this Policy is to provide the data subjects with the basic information concerning the personal data processing.
-
For the needs of this Policy:
-
Controller means Glassor Decorations Ltd., with its registered office at Ovocný trh 1096/8, Praha 1, 110 00, Identification No.: 08238812, represented by Pavel Vintr (hereinafter the Controller),
-
Data Subject means you, i.e. a natural person, whose personal data is processed and who visited our website on the internet domain decor-by-glassor.cz or decor-by-glassor.de (hereinafter the Data Subject)
-
Personal Data means name and surname, address, e-mail, telephone number, identification number of the natural person doing business, tax identification number, IP address, language preferences of the web browser, copy of “User Agent” web browser (hereinafter the Personal Data) and cookie identifier.
-
The Personal Data Controller hereby informs you about the manner and scope of the Personal Data processing, including the extent of your rights relating to the Personal Data processing.
-
The Controller is a retail seller and for this purpose operates an e-shop on internet domains decor-by-glassor.cz and decor-by-glassor.de. Within this activity, the Personal Data is processed by the Controller:
-
To the extent it was provided in connection with the order of the products and/or services of the Controller or, where appropriate, within the negotiations to conclude contract with the Controller as well as in relation to the concluded contract, and
-
for the purpose/s specified in Article 3 of this Policy.
2.PERSONAL DATA PROTECTION AND INFORMATION ABOUT PROCESSING
-
The Data Subjects are subject to Act No. 101/2000 Coll. on Personal Data Protection, as amended, and other relevant legal regulations.
-
The Data Subject acknowledges that by entering the pages of the internet store, the Controller will start processing the Personal Data.
-
If the Data Subject fails to provide its Personal Data, it is not possible to conclude a contract with the Controller and/or to provide the Services resulting from the Contract. Personal information is necessary in this context to provide a specific service or product of the Controller.
-
Providing Personal Data to the Controller is a generally contractual and legal requirement. In regard to provision of Personal Data for marketing purposes, which does not represent contractual and legal obligations of the Controller, consent is required from the Data Subject. If you have not granted permission to the Controller to process the Personal Data for marketing purposes, this does not mean that the Controller refuses to provide you with its services as a consequence.
-
The Data Subject is obliged to provide the Controller only with true and accurate Personal Data.
-
The Controller shall exert every effort to prevent unauthorised Personal Data processing.
-
The Personal Data is and shall be processed in electronic form by an automated method.
-
The Data Subject notes that its Personal Data is deposited in data centres of Master Internet s.r.o. The Controller makes use of the service provided by Convex Systems s.r.o., which operates servers in the data centre, operation of which is in accordance with the European standards of personal data protection.
-
The data subject notes that cookies may be saved on its devices by Convex Systems s.r.o., Facebook Ireland Ltd., Google Ireland Ltd., Seznam.cz a.s., Heureka Shopping s.r.o., Smartsupp.com, s.r.o. and business partners of such companies.
3.PURPOSE OF THE PROCESSING
-
The Controller processes Personal Data for the following purposes:
Purpose of personal data processing |
Legal title of personal data processing |
Entering into a purchase contract via the internet store and arranging for delivery of the ordered products and services |
Contract performance or negotiations about entering into the contract |
Utilisation of analytical and marketing tools via cookies or by direct provision of name and e-mail address |
Consent to personal data processing |
Ensuring the basic functions of the website, particularly session cookies to retain the session information |
Controller’s legitimate interest |
-
You may reject processing of your Personal Data for the purpose of sending marketing and commercial messages at any time, and this act will not affect any other relationships we have. Just send us an e-mail with the respective request to [email protected].
4.PERIOD OF PERSONAL DATA PROCESSING
-
Personal Data shall be processed for the period of negotiations concerning concluding a contract between the Controller and the Data Subject for the purpose of entering into the contract as well for the period of existence of the contractual relationship specified in the consent.
-
In the event of entering into a contract according to the Controller’s Business Terms and Conditions, the Personal Data shall be processed and stored for the following 36 months in the case of a dispute concerning the relationship between the Controller and the Data Subject in order to protect the Controller’s legitimate interests.
-
To perform the statutory obligation to archive accounting documents pursuant to Act No. 563/1991 Coll., on Accounting, as amended, the Personal Data (except e-mail address and telephone number) shall be further processed and kept for 5 years starting from the year following the year during which the contract between the Controller and the Data Subject has been concluded. Personal Data processed on the basis of a consent shall be processed and stored for 13 months from the moment the consent is granted.
-
After the periods referred to in this article expire, the Controller shall safely dispose of the Personal Data.
5.ACCESS TO PERSONAL DATA
-
Your Personal Data is processed by the Controller.
-
Your Personal Data may be transferred to sub-processors for the aforementioned processing purposes to perform the processing.
-
Your Personal Data is transferred to the following Personal Data recipients:
Categories of Personal Data recipients |
Category description |
Operators of information systems |
Entities managing technical equipment and its internet connectivity. Developers of e-shop application or supporting system, where appropriate. |
Accounting and law offices |
External accountants, tax advisers, auditors and lawyers. |
Transport companies |
Companies providing transport of shipments ordered via e-shop. Personal Data is only transferred to the extent needed for delivery of the shipment. |
Marketing and analytical services |
Companies ensuring e-shop traffic measurement, analysis of saleability of merchandise and services and other supporting services, such as advertisement personalisation. Personal data is transferred to a limited extent without specification of name, telephone number and address. |
Financial services |
Payment instrument providers – online card payment or postponed payment |
State administration and authorities |
Public authorities, criminal authorities and authorities that may request provision of Personal Data under applicable legal regulations |
6.RIGHTS OF THE DATA SUBJECT
-
The Controller shall always work with your Personal Data so that the processing will be performed correctly and safely. The rights for the Data Subject are guaranteed to you, and you may claim them with the Controller.
-
The Data Subject may claim its rights electronically by sending an e-mail to [email protected] or orally by calling the telephone number +420 602 337 577. Another possibility consists in sending a written request to: Glassor Decorations s.r.o., Ovocný trh 1096/8, Praha 1, 110 00.
-
Comments and other information on the measures taken will be provided to the Data Subject as soon as possible, not later than one month after submitting the request. The said period may be extended by up to two months, with regard to complexity and number of applications. The Controller shall keep the Data Subject informed about the possible extension and the reasons for it.
-
The Controller provides exercise of the rights free of charge.
-
A reasonable fee, taking into account the administrative costs relating to provision of the requested information, may be charged if the request is manifestly unjustified or unreasonable, particularly if repeated.
-
In the event that the Data Subject believes that the Controller carries out the processing of the Personal Data contrary to protection of the Data Subject’s private and personal life, or contrary to the applicable legal regulations, especially if the Personal Data is inaccurate with regard to the purpose of their processing, the Data Subject may:
-
Ask the Controller for explanation by e-mail sent to [email protected],
-
Object to the processing and request the Controller by e-mail sent to [email protected] to arrange for a remedy of the resulting situation (e.g. by blocking, correcting, supplementing or disposing of the Personal Data). The Controller shall promptly decide on the objection and shall inform the Data Subject. If the Controller rejects the objection, the Data Subject will have to contact the Office for Personal Data Protection directly. This provision is without prejudice to the Data Subject’s right to contact the Office for Personal Data Protection directly with the Data Subject’s complaint.
-
Right to access:
-
The Data Subject has the right to get from the Controller a confirmation of whether the Personal Data concerning the Data Subject is or is not processed. If the Personal Data is processed, the Data Subject will have the right to get access to such data and to the following information (which forms a part of this Personal Data Protection Policy and information deed):
-
Purposes of processing,
-
The categories of personal data that are processed,
-
Recipients or categories of recipients, to whom the Personal Data was or will be made available, in particular recipients in third countries or in international organisations,
-
The planned period during which the Personal Data will be stored, or when such period is impossible to determine, the criteria applied to determine such period,
-
Existence of the right to require from the Controller correction or deletion of Personal Data concerning the Data Subject or restriction of its processing, or file an objection against such processing,
-
Right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection in the Czech Republic,
-
Any and all available information about the source of the Personal Data if not acquired from the Data Subject,
-
The fact that automated decision making is performed, including profiling, and at least in such case the meaningful information regarding the procedure applied, as well as the meaning and the expected consequences of such processing for the Data Subject.
-
Where Personal Data is transferred to a third country or international organization, the Data Subject has the right to be informed about the appropriate guarantees that apply to the transfer.
-
The Data Subject has the right to require the Controller to provide the Data Subject with a copy of the processed Personal Data. For additional copies at the Data Subject’s request, the Controller may charge a reasonable fee based on the administrative costs. If the request is filed in electronic form, the information shall be provided in electronic form that is commonly used unless the Data Subject requests a different method. The right to get a copy must not adversely affect the rights and freedoms of other persons.
-
Right to correction:
-
The Data Subject has the right to require the Controller to correct any inaccurate Personal Data without undue delay. Taking into account the purposes of processing, the Data Subject also has the right to supplement incomplete Personal Data, also by submitting an additional statement.
-
Right to deletion:
-
The Data Subject has the right to require the Controller to delete the Data Subject’s Personal Data without undue delay, and the Controller is obliged to delete the Personal Data without undue delay if any of the following reasons exists:
-
Personal Data is no longer required for the purposes for which it was collected or otherwise processed,
-
The Data Subject withdraws its consent and there is no other legal reason for processing,
-
The Data Subject raises an objection to the processing carried out based on the public interest and exercise of official authority or legitimate interests of the Controller, including profiling, and there are no overriding legitimate reasons for the processing,
-
The Data Subject file an objection to processing for the purpose of direct marketing,
-
The Personal Data was processed unlawfully,
-
The Personal Data must be deleted to comply with the legal obligation laid down in the European Union laws or the Czech laws applicable to the Controller,
-
The Personal Data was collected in relation to an offer of services of an information society to a child.
-
After expiration of the period reserved for the Personal Data processing, the Controller shall delete the Personal Data, each time and automatically. The Data Subject may address the Controller with the deletion request at any time. Upon receipt of such a request, the Controller shall assess the legitimacy of the Data Subject’s right (the Controller may have legal obligations or legitimate interest in processing of the Personal Data, based on which the Controller may further process the Personal Data) and shall inform the Data Subject about the processing.
-
Right to restriction of processing:
-
The Data Subject has the right to request the Controller to restrict its Personal Data processing in any of the following cases:
-
The Data Subject denies accuracy of the Personal Data for a period necessary for the Controller to verify the Personal Data accuracy,
-
The processing is illegal and the Data Subject rejects the Personal Data deletion, and requests restriction of its use instead,
-
The Controller no longer needs the Personal Data for the purposes of processing, but the Data Subject requests it for establishment, exercise or defence of legal claims,
-
The Data Subject raises an objection to the processing carried out in the public interest and exercise of public authority powers or legitimate interests of the Controller, including profiling, until it is verified whether the Controller’s legitimate reasons override the legitimate reasons of the Data Subject.
-
If the processing has been restricted, the Personal Data may, with the exception of storage of such Personal Data, be processed only with the Data Subject’s consent or for the reason of establishment, exercise or defence of legal claims, for the purpose of protection of rights of another natural person or legal entity, or for a reason of important public interest of the European Union or any member state.
-
If the processing restriction of the Data Subject’s Personal Data is to be cancelled, the Data Subject shall be informed thereof by the Controller.
-
Right to transferability:
-
The Data Subject has the right to obtain Personal Data concerning the Data Subject, which has been provided to the Controller in a structured, commonly used and machine-readable format, and the right to pass this data to another Controller, without preventing this by the Controller to whom Personal Data has been provided, if:
-
The processing is based on consent or contract, and at the same time
-
The processing is performed automatically.
-
In exercising this right, the Data Subject may require from the Controller to transfer the Personal Data directly by one Controller to another Controller, if technically feasible.
-
The said right cannot be applied if the processing is required for performing a task carried out in the public interest or in exercise of official authority vested in the Controller.
-
Right to object:
-
The Data Subject has the right at any time to file an objection to the processing of its Personal Data, which is processed based on the public interest and exercise of official authority or legitimate interests of the Controller, including profiling. The Controller does not further process the personal data unless the Controller can prove that there are serious legitimate reasons for processing that override the interests or rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
-
If Personal Data is processed for direct marketing purposes, the Data Subject has the right at any time to file an objection to the processing of its Personal Data for such marketing purposes, which includes profiling as far as the direct marketing is concerned.
-
If the Personal Data of the Data Subject is processed for purposes of scientific or historical research or for statistical purposes, the Data Subject has the right, for reasons relating to its particular situation, to object to the processing of its Personal Data. The aforementioned shall not apply if the processing is necessary to perform a task carried out in the public interest.
-
As required by GDPR, this right was explicitly mentioned and is shown clearly and separately from any other information.
-
The right not to be subject to automated decision making, including profiling:
-
The Data Subject has the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects for the Data Subject or significantly affects the Data Subject in a similar manner.
-
The right cannot be used in cases where the decision is:
-
Necessary for concluding or performing the contract,
-
Permitted by law of the European Union or any member state applicable to the Controller, which also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject,
-
Based on express consent of the Data Subject.
-
If the Personal Data processing is based on a contract or express consent, the Controller shall take the appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject, at least the right to human intervention on the Controller’s side, the right to get an explanation regarding the decision made, and the right to contest the decision.
-
Right to withdraw consent:
-
The Data Subject has the right to withdraw the granted consent (or express consent) to the Personal Data processing at any time. An appeal may be filed using: a form referred to in the e-shop website’s footer or by sending the withdrawal of consent to the address of the Controller’s registered office,
-
Right to file a complaint with the supervisory authority:
-
The Data Subject has the right to file a complaint with any supervisory authority, in particular in the member state of its usual residence, place of job performance or the place where the alleged violation occurred, if the Data Subject believes that its Personal Data processing violates GDPR.
-
The supervisory authority in the Czech Republic is the Office for Personal Data Protection, which can be contacted at the address Pplk. Sochora 27, 170 00 Prague 7, telephone number +420 234 665 111 (exchange) or e-mail [email protected]. Other information is available at the address https://www.uoou.cz/.
7.AUTOMATED DECISION MAKING
-
Personal Data processing includes profiling.
-
Personal Data processing includes automated decision making.
-
The Personal Data is automatically assessed, and it may be used for profiling or automated decision making in the field of the Controller’s marketing activities. In doing so, the Controller makes use of the methods of analysis of interests and activities of the Data Subject on the pages of the Controller’s e-shop.
-
Due to such activities of the Controller, the Data Subject’s behaviour shall be mapped and assessed, representing a certain intervention in its privacy. However, such assessment contributes to achieving the situation when only such advertisement and other offers are sent to the Data Subject, which might be suitable and interesting with a view to the results of the performed assessment.
8.FINAL PROVISIONS
-
All legal relationships arising in connection with the Personal Data processing are governed by the legal rules of the Czech Republic, regardless of from where the data was accessed. The competent Czech courts will have the jurisdiction to resolve any disputes arising in connection with the privacy protection between the Data Subject and the Controller.
-
Data Subjects who, by visiting the e-shop’s website, provide their Personal Data for the purpose of concluding a contract with the Controller or provide their consent to the Personal Data processing, are doing so voluntarily and in their own name, and the Controller does not control their activity in any manner whatsoever.
-
The Controller may amend or supplement the text of the Policy. The Controller shall notify the Data Subjects about each such change by e-mail at least 30 days before the changes come into effect.
-
This Policy is effective from 24/05/2018.