INFORMATIONAL MEMORANDUM ON THE PROCESSING OF PERSONAL DATA
This informational memorandum has been prepared in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and it contains basic information about the processing of your personal data.
- Who is the personal data administrator?
- For what purpose do we need personal data?
- What are our legitimate interests?
- How were the personal data obtained?
- What categories of personal data are processed?
- What is the legal basis for processing of personal data?
- Will we pass on personal data to someone else?
- Will we pass on personal data to a third country or international organisation?
- How long will we store personal data?
- What are your rights relating to the processing of personal data, and how can you exercise them?
- Are personal data automatically evaluated?
1.1. Who is the personal data administrator?
- The administrator is the person who, alone or together with others, determines the purposes and decides on how personal data will be processed.
- The personal data administrator is our company, i.e. ČESKÉ DUKÁTY s.r.o., company ID: 04889827, Tax ID: CZ04889827, registered office: Rýdlova 1237/24, 251 01 Říčany, entered in the Commercial Register at the Prague Municipal Court, File No. C 255210 (hereinafter the “Administrator”). The administrator can be contacted at the email address email@example.com.
1.2. For what purpose do we need personal data?
- The Administrator process personal data for:
- a) securing the entering into and subsequent performance of the contractual obligation between the administrator and you (§ 6.1.b of the GDPR). Other legal duties arise from such a relationship, and the Administrator must also process personal data for that purpose (§ 6.1.c of the GDPR). For the purpose of securing the entering into a contractual obligation, the Administrator will send you commercial messages that serve to inform you about the Administrator’s current offerings. For this purpose, the Administrator will usually process your first and last name, residential address, and email address;
- b) the protection of its legitimate interests (§ 6.1.f of the GDPR), which are in particular:
- - the choice of suitable business partners, that legitimate interest of the Administrator being derived for this activity from the already concluded agreement between you and the Administrator. If such an agreement or a similar one has not been entered into, the Administrator is required to request your consent for the processing of personal data.
1.3. What are our legitimate interests?
- The Administrator also processes personal data for the protection of its legitimate interests. The Administrator’s legitimate interests are in particular the due performance of all contractual obligations of the Administrator, the due performance of all legal duties of the Administrator, and the protection of the Administrator’s business and assets. In the interest of securing the greatest possible protection of your privacy, you are entitled to raise an objection so that your personal data will be processed exclusively on absolutely necessary legal grounds or so the personal data will be blocked. You can read more about your rights relating to the processing of personal data in paragraph 1.10. of this Informational Memorandum.
1.4. How were the personal data obtained?
- The Administrator has obtained personal data directly from you, in particular by the completing of forms, mutual communication, or signed contracts. In addition, personal data may also come from publicly available sources, registers, and records such as the Commercial Register, registers of debtors, professional registers etc.
1.5. What categories of personal data are processed?
- To ensure the fulfilment of contractual and legal duties and for other aforementioned purposes, the Administrator processes the following categories of personal data:
- a) data for basic identification – e.g. first and last name, date of birth, residential address, birth ID no., place of birth, academic title;
- b) contact information – e.g. phone number and email address, billing and delivery address;
- c) transaction data – e.g. bank account number;
- d) information about a realised business dealings (reservations, orders, issue notes, invoice, purchase of goods, stored goods);
- e) contact history (sent emails and SMS text messages);
- f) IP address and cookie files in case of electronic access to the Administrator’s website.
- The Administrator furthermore obtains and processes other data that it obtains automatically in connection with the use of the website such as the IP address, browser type, hardware and operating system, time and number of visits to the website, information obtained using cookie files, and other similar information. This information is also obtained regardless of whether there is a contractual relationship between you and the Administrator or whether you have already registered on the Administrator’s website. Cookie files are the means for the obtaining of this information. The visitor is informed about the obtaining of this information through cookie files upon arrival at the Administrator’s website. The website also uses the service Google Analytics and possibly other services provided by the company Google, Inc., as that company further specifies them in paragraph 1.7.1. of this Informational Memorandum (hereinafter “Google”). Cookies are also used within the framework of use of those other services.
- Cookies are text files stored on a computer or other electronic device of every visitor to a website interface. They enable analysis of how the web interface is used.
- By using the web interface, the visitor gives consent to the use of cookie files and to the processing of data about the visitor by the company Google and by the Administrator in a manner and for the purposes described in detail on the web interface. The visitor is informed about the use of cookie files upon first access to the web interface.
- You can obtain more detailed information about how Google uses the data that it obtains through use of the web interface by clicking on the following link: https://policies.google.com/technologies/partner-sites.
- The Administrator also informs you that for the targeting and personalisation of internet advertising, such services as Sklik from Seznam.cz, AdWords from Google etc. may also be used. For the subject of the processing of personal data, this means that when browsing the internet, advertising will be displayed for products in which the subject of the personal data has shown interest in the past, e.g. by visiting the website of the Administrator. On the basis of information from cookie files, these services use information about movement on the web for the purposes described above. If the subject does not consent to the use of this data, it is possible to prevent the use of this service by using a setting that blocks the saving of information about visited websites in your internet browser.
1.6. What is the legal basis for processing of personal data?
- The legality of processing is given by § 6. 1 GDPR, according to which processing is legal if it is necessary for the performance of an agreement, for the fulfilling of the Administrator’s legal duties, for the protection of the Administrator’s legitimate interests, or if the processing takes place on the basis of consent that you have given us. For example, a legal duty arises to the Administrator through Act No. 563/1991 Coll. on Accounting, according to which billing data are processed and stored, through Act No. 89/2012 Coll., the Civil Code, in accordance with which the Administrator protects its legitimate interests, and through Act No. 235/2004 Coll. on Value Added Tax.
1.7. Will we pass on personal data to someone else?
- Within the bounds of the law, we must provide personal data to state administrative authorities such as the tax authorities, courts of law, social security and health insurance institutions, bailiffs, or criminal investigative authorities.
- As the Administrator, in the future we may decide to use other applications or processors to facilitate and improve processing. In such a case, when choosing processors, at least the same demands for security will be made as for our existing processors.
1.8. Will we pass on personal data to a third country or international organisation?
- We process your personal data within the territory of the Czech Republic with the exception of the providing of services by Google Analytics, which may be provided from the territory of the United States of America.
1.9. How long will we store personal data?
- Personal data from contractual relations will be processed and stored for at least the term of the agreement. Some personal data necessary e.g. for tax and billing duties will be kept longer, e.g. 10 years beginning with the year following the occurrence of the fact being stored.
- Personal data that are important for the exercise of the Administrator’s legitimate interests will only be stored for the necessary period during which the Administrator can reasonably expect to exercise its legitimate interests, but at least for a period of three years for personal data for persons who provided consent for the processing of their personal data unless such consent states a longer period of time. If the subject of the data revokes consent during the three-year period, the personal data will not be processed.
- Personal data will not be saved longer than the maximum period established by law. After the period for archiving lapses, personal data will be safely and irretrievably destroyed to prevent their misuse
1.10. What are your rights relating to the processing of personal data, and how can you exercise them?
- The Administrator does whatever it can to see that the processing of your data takes place properly and above all safely. Your rights set forth in this article are guaranteed, and you can exercise them with the Administrator.
How can you exercise your rights?
You can exercise individual rights by sending an email message to firstname.lastname@example.org. You can also exercise your rights by sending a written request to us at the address Rýdlova 1237/24, 251 01 Říčany. If the Administrator has reasonable doubt about the identity of the party making such a request, it is entitled to request further information to verify your identity.
The Administrator shall provide you with all statements and information for the exercise of your rights free of charge. However, it a request is obviously groundless or excessive, especially because it is repeated, the Administrator is entitled to charge a reasonable fee reflecting the administrative costs connected with the providing of the requested information. For this reason, n case of the repeated request of the providing of a copy of processed personal data, the Administrator reserves the right to charge a reasonable fee for administrative costs.
The Administrator will provide you with statements and any information about measures taken as soon as possible, but no later than within one month. The Administrator is entitled to extend the deadline by two months in cases of need and taking into consideration the complexity and quantity of requests. The Administrator will inform you about an extension and the reasons for it.
Right to information about the processing of your personal data
You are entitled to demand information from the Administrator about whether or not your personal data is processed. If personal data are processed, you are entitled to demand information from the Administrator in particular about the identity and contact information of the Administrator, the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients of the personal data, about authorised administrators, about an enumeration of your rights, about the possibility of turning to the Office for Personal Data Protection, about sources of processed personal data, and about automated decisions and profiling.
If the Administrator intends to further process your personal data for a purpose other that that for which it was obtained, before processing it for that further purpose you will be informed about that different purpose and other relevant information. Information provided to you within the framework of the exercising of this right are already contained in this Memorandum, but that does not hinder you from requesting the information again.
Right of access to personal data
Your are entitled to demand information from the Administrator about whether or not your personal data is being processed, and if so, you have access to information about the purposes of processing, relevant categories of personal data, recipients or categories of recipients, the length of time that personal data are stored, information about your rights (rights to demand that the Administrator correct or delete data, to limit processing, or to raise an objection to processing), about the right to file a complaint with the Office for Personal Data Protection, information about the sources of personal data, information about whether automatic decisions or profiling are used, and information concerning the use of access, as well as the importance and expected consequences of such processing for you, and information and guarantees in the case of the passing of personal data to a third country or an international organisation. You are entitled to receive a copy of processed personal data. However, the right to obtain this copy may not unfavourably affect the rights and freedoms of other persons.
Right to correction
If, for example, you have had a change of address, telephone number, or other facts that can be regarded as personal data, you have the right to demand the correction of processed personal data. In addition, you have the right to supplement incomplete personal data by providing an additional statement.
The right to deletion (the right to be forgotten)
In certain designated cases, you have the right to demand that the Administrator delete your personal data. Such cases include, for example, when processed data are no longer needed for the aforementioned purposes. After the lapsing of the necessary period, the Administrator may delete the personal data automatically, but you can turn to the Administrator with such a request at any time. Your request is then subject to an individual evaluation (despite your right to deletion, the Administrator may have the duty of or a legitimate interest in keeping your personal data), and you will be informed in detail about the handling of the request.
Right to the limitation of processing
The Administrator processes your personal data only to the extent necessary, but if, for example, you feel that the Administrator is going beyond the purposes set forth above for which it processes personal data, you may submit a request that your personal data be processed exclusively on the most necessary legal grounds or that your personal data be blocked. Your request is then subject to an individual review, and you will be informed in detail about the handling of the request.
Right to the transferability of data
If you want the Administrator to provide your personal data to a different administrator or another company, the Administrator shall turn over your personal data in an appropriate format to the subject that you designate if the Administrator is not hindered from doing so by any legal or other significant obstacles.
Right to raise an objection and automated individual decisions
If you determine or simply believe that the Administrator is processing personal data in a manner contrary to the protection of your privacy and personal life or in violation of legislation (assuming that the personal data are processed by the Administrator on the basis of public interest or other legitimate interest or are processed for the purposes of direct marketing, including profiling, or for statistical purposes or for purposes of scientific or historical importance), you may contact the Administrator and demand an explanation or the cessation of the improper circumstances that have arisen. You may also raise an objection directly against automated decisions and profiling.
Right to make a complaint to the Office for Personal Protection of Data
You many at any time take a suggestion or complaint concerning the processing of personal data to the supervisory authority, i.e. the Office for Personal Data Protection, address: Pplk. Sochora 27, 170 00 Prague 7, web site: https://www.uoou.cz/.
Right to revoke consent
If personal data are processed on the basis of granted consent, you have the right to revoke the granted consent at any time by an email sent to the address email@example.com.
1.11. Are personal data automatically evaluated?
- The personal data are not automatically evaluated and are not used for profiling or automatic decisions.
2. CONCLUDING PROVISIONS
- The data subject consents to this memorandum in electronic format by checking the appropriate box by the text stating that the subject has become familiar with the Informational Memorandum and consents to its contents, or by a similar text that shall express familiarisation and the consent of the subject to this Informational Memorandum. The same applies to the granting of consent of data subjects granted in hard copy.
- Our company ČESKÉ DUKÁTY s.r.o. hereby declares that it has undertaken all appropriate technical, procedural, and organisational measures for the protection of the personal data of personal data subjects. It furthermore declares that the only parties with access to the data are contractual processors and official public authorities on the basis of legal authorisation.
This informational memorandum takes effect on 25 May 2018.