Rules for protecting and processing of personal data
Pursuant to the Regulation 2016/679 of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC
These rules for protecting and processing of personal data (hereinafter the Rules) describe which personal data of natural persons, especially customers (hereinafter the Data Subject) are processed within the activities of the company: SYKORA with registered office at Razov 1204, Vizovice, registered in the Companies Register kept by the Regional Court in Brno, Section C, File 7811 (hereinafter the Controller).
These rules specify the types of personal data which we collect and process when you use our services or enter into a contract with us, and also how your personal data is used, shared and protected. Here you will also find an explanation of the options available to you in relation to your personal data and how you can contact us. We hereby inform you below about the processing of your personal data and your rights in accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (GDPR).
Personal data shall mean any information relating to an identified or identifiable natural person; an identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as the name, identification number, location data, network identifier or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
The controller did not appoint a processor of personal data protection.
PROCESSORS AND RECIPIENTS OF PERSONAL DATA
The controller is entitled to transfer personal data to entities with which he has entered a contract on the processing of personal data and who will process personal data for the controller as his processors. On the basis of the above, the controller is entitled to transfer personal data of data subjects to the following entities, or categories of entities:
- freight carriers
- assembly groups
- programmers of the information system used to process orders
Personal data of the Subject can be further transferred to the following recipients/categories of recipients:
- controller’s suppliers,
- controller’s employees,
- persons in another contractual relationship with the controller (e.g., marketing and advertising service providers),
- financial institutions and insurance companies,
- state authorities in compliance with legal obligations of controller given by the relevant legal regulations
CATEGORIES OF PROCESSED PERSONAL DATA
The controller is entitled to process mainly the following personal data of data subjects:
- address and identification data used for unambiguous and unmistakable identification of the data subject (e.g., name, surname, title, permanent residence address, business address, delivery address, ID number, VAT number) and data allowing contact with the data subject (e.g., contact address, telephone number, e-mail address and other similar information),
- descriptive data (e.g., bank details, order history),
- pictures, photographs and videos,
- the account login information including the alias which the data subject uses on the internet, password and unique user ID,
- data provided beyond the frame of applicable laws, processed within the framework of the consent given by the data subject (e.g., use of personal data for the purpose of personnel management, use of personal data for the purpose of propagation, etc.),
- personal preferences including the settings in the marketing field and usage of cookies by the data subject,
- other data necessary for fulfilling the contract,
- other personal data the data subject provided to the controller.
PURPOSES AND LEGAL BASIS FOR PROCESSING OF PERSONAL DATA
The controller processes personal data of the data subject for purposes of:
- a) fulfilling the contract, based on Article 6(1)(b) of the GDPR,
- b) compliance with a legal obligation of the controller laid down by the legislation, based on Article 6(1)(c) of the GDPR (e.g., the obligation of the controller to keep the accounting and tax documents),
- c) establishment, exercise or defence of legal claims of the controller, based on Article 6(1)(f) of the GDPR,
- d) sending commercial messages, based on Article 6(1)(f) of the GDPR due to the existence of a legitimate interest of the controller consisting of direct marketing,
- e) other marketing purposes of the controller associated with the offering of products and services; sending information about organized events, products, services and other activities (e.g., in the form of newsletters, telemarketing); contacting for market and marketing research purposes; contacting for the purpose of sending Christmas and Easter greetings or other holiday greetings and sending discount vouchers, gifts, etc., based on Article 6(1)(a) of the GDPR.
DURATION OF THE PROCESSING OF PERSONAL DATA
Personal data will be processed only for the duration that is necessary in order to fulfil the purpose of their processing. In view of the above:
- for the purpose referred to in letter a) above, the personal data will be processed until the termination of obligations under the contract (this does not affect the possibility of the controller to further process these personal data to the extent necessary for the purposes referred to in letters b), c), d) and/or e) above),
- for the purpose referred to in letter b) above, the personal data will be processed for the duration of the applicable legal obligation of the controller,
- for the purpose referred to in letter c) above, the personal data will be processed until the end of the 4th calendar year following the end of the warranty period according to the contract (if the quality guarantee has been agreed to in the contract) and at least until the end of the 5th calendar year following the termination of obligations under the contract,
- in case of commencement and for the duration of judicial, administrative or other proceedings in which the rights or obligations of the controller in relation to the data subject are resolved, the period of personal data processing for the purpose referred to in letter c) above is not terminated until the end of these proceedings,
- for the purpose of sending commercial messages referred to in letter d) above, the data will be processed until the data subject expresses their disagreement with such processing,
- for the purposes referred to in letter e) above, the personal data will be processed for the duration for which the data subject has given consent to the controller according to separately agreed consent with the personal data processing. In this case, the data subject acknowledges that the controller may contact them in order to renew the consent before the expiration of this period.
By the end of the calendar quarter following the end of the processing period above and not later, the relevant personal data for which the purpose of processing has expired shall be destroyed (by shredding or other means that will ensure that no unauthorized persons will be able to access the personal data) or anonymized.
THE MEANS OF PROCESSING OF PERSONAL DATA
The personal data are processed by the controller. The processing is carried out in premises, branches and the registered office of the controller by his individual authorized employees or processors. The processing is carried out through computer technology or manually in case of collecting the personal data in paper form, in compliance with all security policies for management and processing of personal data. For this purpose, the controller has taken technical and organizational measures to ensure the protection of personal data, especially measures to prevent unauthorized or accidental access to personal data, their change, damage or loss, unauthorized transfers, unauthorized processing and other misuse of personal data. All entities to which the personal data may be available shall respect the rights to protection of privacy of data subjects and are obliged to follow relevant legal regulations concerning the protection of personal data.
No automated individual decision-making or profiling based on the provided data will be carried out. Personal data of data subjects will not be transferred to third countries (i.e., countries outside the EU and EEA).
INFORMATION PROVIDED TO DATA SUBJECTS ACCORDING TO GDPR
With regard to the processing of their personal data, the data subjects have a number of rights, including the right to request the following from the controller:
- access to their personal data (under the conditions of Article 15 of the GDPR),
- rectification or deletion of personal data (under the conditions of Article 16 or Article 17 of the GDPR),
- restricting the processing of their personal data (under the conditions of Article 18 of the GDPR),
- the right to object to the processing of personal data (under the conditions of Article 21 of the GDPR),
- the right to the portability of personal data (under the conditions of Article 20 of the GDPR),
- the right to revoke their consent with processing of the personal data, in writing or electronically to the address or email of the controller listed in these rules.
If the data subject finds or believes that their personal data processing methods are violating the protection of privacy and personal life of the data subject or are violating the legal regulations, they have the right to contact the controller and request clarification and/or to seek redress. The request must be submitted in writing or via e-mail to the contact details of the controller: email@example.com.
If the request of the data subject is found to be justified, the controller shall immediately remedy the defective state. This does not affect the possibility of the data subject to directly contact the supervisory authority, the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, +420 234 665 555, www.uoou.cz.
These controller rules shall be applied in relation to data subjects unless otherwise agreed by the third party and the controller. The controller reserves the right to change these rules for protecting and processing of personal data in any way and at any time, whereas the current state will always be available at the website www.sykora.eu/o-nas/gdpr