PERSONAL DATA PROTECTION
The general principles applicable to the processing of personal data
1. Preliminary provisions
1.1 Company Jasněna Vláhová s.r.o., IN: 259 45 742, with its registered seat in Přibyslav 77, postal code 549 01, which is registered in the Commercial register maintained by Regional Court in Hradec Králové, section C, Insert No. 16622, contact person Dominik Zitko, contact e-mail address : zitko@vlahova.cz (hereinafter referred to as the „Company“ or „Administrator“), with regard to the necessity to fulfill the obligations concerning the sphere of personal data protection, resulting especially from Act No. 101/2000 Coll., on the personal data protection, as amended, and Regulation of the Council of the European Union and the European Parliament No. 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repealing Directive 95/46/EC (General Regulation on the protection of personal data)1.2. This document provides information about which personal data and for what purpose the Administrator processes them and what rights and obligations belong to the persons whose personal data the Administrator processes. This document does not concern the processing of personal data of company employees.
1.3. The Administrator processes the personal data manually and automatically, keeps records of all activities during which are being personal data processed.
2. Basic Terms
2.1. The Company is the Administrator of a personal data since it determines purposes and means of processing the personal data. The company processes personal data by itself or uses the services of other persons, i.e. Processors.2.2. Personal data is any information about identified or identifiable natural person (hereinafter referred to as “the Data Subject”); an identifiable natural person is a natural person that can be identified directly or indirectly, especially by reference to a particular identifier such as name, identification number, location data, network identifier or one or more specific physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
2.3. The processing of personal data is any operation or set of operations with personal data or personal data files that are performed with or without the support of automated procedures such as collecting, recording, arranging, structuring, storing, customizing or modifying, searching, inspecting, using, accessing by transmission, distributing or any other disclosure, sorting or combining, restricting, deletion or destruction.
2.4. The processor of personal data may be any natural or legal person or other subject, which process personal data for processor.
3. General principles of processing
3.1. During processing the personal data, the Administrator shall:a) processes personal data in relation to data subjects correctly, legally and transparently,
b) collects personal data only for specific, explicitly stated and legitimate purposes and does not process them in a way that is incompatible with the principles mentioned above,
c) processes those personal data which are reasonable, relevant and limited to the extent necessary in relation to the purpose for which they are processed,
d) processes only personal data which are accurate, and in case of need actualized; for that purpose, the Administrator shall take all reasonable steps to ensure that the personal data which are inaccurate, with taking into account the purpose for which they are processed, are immediately erased or corrected,
e) stores personal data in a form which permits identification of data subjects for no longer than is necessary to fulfill the purposes for which they are processed,
3.2. processes personal data in the manner that ensures the proper protection of processed personal data, including their protection by appropriate technical or organizational measures against unauthorized or unlawful processing and against accidental loss, destruction or damage of personal data,
3.3. the Administrator is liable for complying with all principles mentioned above and also must be able to prove the compliance with these principles,
3.4. the Administrator is entitled to process personal data only on the basis of any of the legal grounds for processing provided by law. Only if there is no other legal reason for processing the Administrator has to obtain the consent of the Data Subject.
4. Processed personal data
4.1. In relation with his activities the Administrator processes personal data as stated below:4.2. It is concerning basic identification and address information such as:
a) First name and surname,
b) Date of birth,
c) Place of residence, or contact address,
d) contact telephone number,
e) contact e-mail address,
f) username and password for the e-shop costumer account(on-line shop).
4.3. If the Data Subject acts through a representative, the Administrator also processes the identifying and addressing details of that representative.
4.4. In case of that the costumer is legal person or legal person is communicating with the Administrator, the Administrator processes following personal data attributed to that legal person, explicitly the name and surname of the person acting behalf of that legal person, the Administrator further processes personal data concerning contact telephone number and e-mail address, function of that person or job title.
4.5 Additionally, the Administrator processes
a) Customer ID
b) information on purchased goods and / or provided services (date of order, date of delivery of the goods, type, specification and quantity of goods or service, price),
c) data from the communication between the Administrator and the customer (written or electronic communication, telephone call records, ...),
d) details of customer account entry,
e) information on payment discipline,
f) CCTV records,
g) information on sending newsletters.
4.6. The Administrator continuously updates the processed personal data, especially if the Administrator detects the inaccuracy of any of the processed personal data or receives from the Data Subject information about the change of any of the processed personal data.
5. Sell of goods and providing services
5.1. In order to conclude and execute a contract for the sale of goods or the provision of service, the Administrator processes identification and address details of the costumer or his representative. If the contract is concluded by e-mail or telephone, the Administrator also processes the electronic address and costumer´s telephone number. If there is communication between the Administrator and the customer related to the process of concluding a contract or fulfilling it, the Administrator also processes the personal data contained in this communication. For this purpose, the Administrator also processes data relating to the subject of performance of the contract and the manner in which the contract is concluded, especially data relating to the ordered goods or services, the date of the order and the delivery of the goods and the price.5.2. If a contract is concluded through an e-shop (www.vlahova.cz), where registration is required (establishment of a customer account), the Administrator processes the login, password, and login data for the purpose of verifying the customer's identity.
5.3. The legal ground for the processing of personal data under this Article is its necessity for the conclusion and performance of the contract. The Data Subject's consent to such processing is not required. This personally identifiable information is obtained from the customer, while others are obtained from the business relationship. If the customer refuses to disclose some of the mentioned personal data to the Administrator or disagree with their processing for that purpose, the Administrator would have to refuse to sell the goods or provide services.
5.4. Personal data under this article shall the Administrator process within a time necessary to fulfill the purpose of the processing. If in connection with the purchase of goods or the provision of a service the customer fulfills all his obligations (including payment) to the Administrator, after the expiration of the warranty period, the Administrator terminates the processing of personal data for this purpose unless is otherwise specified in these principles or the law does require processing for a longer period
5.5. If the customer provides the personal data to the Administrator, but the contract is not concluded, the Administrator terminates the processing of costumer´s personal data after three (3) calendar months from the conclusion of the contract negotiations.
5.6. Processing of personal data relating to the customer account will be terminated by the Administrator after two (2) years after the customer's last login. In this case, the legal ground for the processing of personal data is a necessity for the purposes of the legitimate interests of the Administrator, which is to enable the customer to make an order without having to set up a new customer account.
6. Conduct of disputes or other proceedings
6.1. In case when the Administrator, the costumer or other person starts the dispute or other proceedings in which the Administrator is a participant, or the initiation of such proceedings appears to most likely incur, the Administrator processes personal data relating to the identification, contact, the goods supplied or the services provided, the unpaid amount, and other data relating to this procedure available to the Administrator.6.2. The legal ground for the processing of personal data under this article is its necessity for the purposes of the legitimate interests of the Administrator, such as the protection of the property and/or the reputation of the Administrator. The Data Subject´s consent to such processing is not required. This personal data Administrator obtains from costumers, from the persons who initiated the proceedings, from the authority or person managing the proceedings, from public registers or other publicly available sources.
6.3. The personal data according to this article are processed by the Administrator until the end of the proceedings, respectively the extinction of related rights and obligations which for personal data must be processed to fulfill them.
7. Fulfilling lawful obligations
7.1. The Administrator further processes personal data to fulfill the obligations imposed by law. For reasons required by the Accounting Act and other legal regulations, in particular in the field of tax administration, the Administrator maintains documents (in electronic or paper form) containing personal data, in particular invoices and documents, for a fixed period of time, which give rise to a legal ground for issuing invoices and contracts containing customer identification and address data, data relating to goods sold and services provided and prices billed.7.2. The legal ground for the processing of personal data under this Article is its necessity to fulfill the legal obligations of the Administrator. The Data Subject's consent to such processing is not required. This personal data is obtained from customers or from the business relationships.
7.3. Personal data according to this article is processed by the Administrator for the period stipulated by the legal regulations.
8. Processing of personal data obtained by CCTV
8.1. The Administrator's premises, which are designed for contact with customers or suppliers, are captured by the CCTV. This capture also includes storing camera records of persons. These records are also personal data for the purpose of improving the services provided, preventing the occurrence of damage, and when necessary for the purpose of enforcing legitimate claims or protecting the rights of the Administrator.8.2. Notifications about CCTV with a reference to these policies are placed in appropriate locations so that persons whose personal data are processed by the Administrator through CCTV could get acquainted with all relevant information including information about their rights.
8.3. The legal ground for the processing of personal data under this Article is its necessity for the purposes of the legitimate interests of the Administrator. The Data Subject's consent to such processing is not required. This personal information is acquired by the CCTV.
8.4. If the following paragraph is not followed, the Administrator handles the personal data processed according to this article for a period of fourteen (14) days, after which the recording on the camera system is replaced with a new record.
8.5. In the case of suspicion of an infringement, the Administrator is entitled to hand over the record from the camera system to the Police of the Czech Republic, and in the case of detection of the infringement, the Administrator is entitled to use this record also for the purpose of enforcing legitimate claims or protecting the rights of the Administrator. In this case, the processing of personal data will terminate after the Administrators claims have liquidated or if no claims raised.
9. Dissemination of commercial communications and use of cookies
9.1. If the Administrator obtains an email address from a customer under Article 5 of this policy in connection with the sale of goods or the provision of services, the Administrator is authorized to process the email address and identification data for the purpose of sending the commercial communications of the Administrator concerning similar goods or services.9.2. A condition for the possibility of distributing commercial communications under Article 9.1. is that the customer has an evident and clear option in a simple manner, free of charge or on behalf of the Administrator, to revoke the consent to such use of his email address even when sending each individual message unless the costumer initially didn’t refused this processing.
9.3. The legal ground for the processing of personal data under Article 9.1. is a necessity for the purposes of the legitimate interests of the Administrator, such as marketing. The Data Subject's consent to such processing is not required. The Administrator is authorized to process personal data until the customer notify the Administrator that he / she does not agree with this processing.
9.4. Spread commercial communications without complying with the terms of Article 9.1 and 9.2 is the Administrator permitted only with obtaining the consent of the costumer. In this case, the legal ground for the processing of personal data for this purpose is a consent that can be revoked at any time. The Administrator is authorized to process personal data for such purposes until the Data Subject has revoked his / her consent, but not longer than five (5) years from the date of granting such consent. Failure to grant or withdraw this consent has no effect on the ability to buy goods or provide services.
9.5. If the Administrator obtains consent from a costumer or other user of Administrator´s website to place cookies on that person´s computer, the Administrator is authorized based on that consent to place text files to that person’s computer for purpose to send back information about this user's behavior on the Administrator's website. Prior to granting consent under this Article, the consenting person must be informed that consent can be revoked at any time.
9.6. The legal ground for the processing of personal data under Article 9.5. is the consent of the Data Subject. Failure to grant or withdraw this consent has no effect on the ability to buy goods or provide services. This data is processed by the Administrator for the duration of the consent.
10. Transmission of personal data to third parties
10.1. The Administrator transfers personal data to another entity (such as a court or a tax office) if required by law or required to comply with an obligation imposed by law or by an enforceable decision of the competent authority.10.2. In fulfilling his obligations under the contracts or in the protection of his legitimate interests, the Administrator may use specialized and specific services of other entities. If these suppliers process personal data transmitted from the Administrator, they have the status of personal data processors and process such personal data only as directed by the Administrator and must not use them other way. This includes, in particular, the activities of an IT service provider, including data storage, the creation and operation of an on-line business, law services, bookkeeping, marketing and delivery services. At the request of the Data Subject, the Administrator shall disclose whether and to which entity his or her personal data has been provided and other relevant information.
10.3. The Administrator selects each of these suppliers carefully and concludes with each supplier a personal data processing agreement that sets out obligations to protect and safeguard personal data, including the obligation to maintain confidentiality.
10.4. The Administrator is only allowed to transmit personal data to those who provide reasonable assurance that appropriate technical and organizational measures are in place to ensure that the processing complies with all legal requirements and that Data Subject´s personal data will be protected.
10.5. The Administrator does not need the consent of the Data Subject for this processing of personal data, as otherwise he would not be able to fulfill his obligations under the contract, and such provision is made by its necessity for the legitimate interests of the Administrator.
10.6. The Administrator does not intend to transfer personal data to countries outside the European Union.
11. Method of processing and access to personal data
11.1. Personal data are processed through the Administrator's information system, which is regularly verified against the loss of personal data and the access of unauthorized persons. Access to the system is limited according to the managerial roles set. The security of the transfer of personal data in electronic form to third parties is secured through access to the password-protected Administrator's information system. The information system is standard, its provider provides the usual security guarantees, its functionality and security is regularly tested and maintained by an external contractor with whom the Administrator has a personal data processing agreement.11.2. The Administrator carries out the following technical and organizational measures for the processing of personal data, especially:
a) locking the premises of the Administrator where the personal data are processed,
b) locking of personal data in printed form into lockable cabinets,
c) the processing of personal data only by responsible persons;
d) training courses of responsible persons how to handle with personal data.
11.3. Every act, which involves handling of personal data, is recorded in the Administrator´s information system, including the data of the person who performed such act.
11.4. The Administrator continuously updates processed personal data, in particular in the context of changes that are not notified by the customer or which the Administrator discovers from other persons or other publicly available sources.
11.5. If the Administrator no longer has the purpose of processing personal data and no other reason for processing, he will delete this personal data without the possibility of renewing them.
11.6. Access to the personal data processed by the Administrator is restricted to persons who necessarily need to achieve the purpose for which personal data is processed. For this purpose the Administrator is subject to a regular audit.
11.7. Persons having access to personal data processed by the Administrator are adequately trained in their protection and are required to observe confidentiality.
12. Rights of Data Subjects
12.1. The Data Subject has the following rights in relation to the protection of personal data:a) access to his or her personal data, including in particular the right to obtain from the Administrator a confirmation of the processing of his or her personal data, information on processing purposes, categories of personal data, recipients to which personal data have been or will be made available, require planned term of processing, require the Administrator to correct or delete personal data relating to the Data Subject or to restrict his processing or to make objection to such processing.
b) to correct inaccurate personal data; on the other hand, the Data Subject has the obligation to notify changes to his or her personal data and to demonstrate that such a change has occurred. At the same time, the Data Subject is obliged to provide synergy if it is determined that personal data processed about Data Subject are not accurate,
c) the right to dele Data Subject´s personal data if the Administrator does not prove legitimate reasons for the processing of such personal data,
d) limitation of the processing of personal data until the resolution of the complaint if data subject denies the accuracy of the personal data, the reasons for its processing or if data subject makes objections to its processing,
e) to be notified about correction, deletion or limitation of the processing of personal data unless it proves that the request is impossible or requires unreasonable effort,
f) the portability of data in a structured, commonly used and machine-readable format, and the right to request the transmission of such data to another Administrator,
g) to make objections to the processing of his or her personal data due to the legitimate interest of the Administrator (eg to send commercial communications); in the absence of proof of the existence of a valid legitimate reason for processing which prevails over the interests or rights and freedoms of Data Subject, the Administrator shall, on the basis of the objection, terminate without undue delay,
h) withdraw consent to the processing of personal data whenever it is processed by the Administrator based on his / her consent; this withdrawal of consent will not affect the lawfulness of the processing based on the consent granted prior to its revocation,
i) address the complaint or complaint to the Office for Personal Data Protection (www.uoou.cz).