Protection of personal data
Principles of personal data processing
adopted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as " GDPR")
1. Introduction
CompanyYES PRODUCTS s.r.o. as an online store operatorhttps://eshop.stripschips.cz (hereinafter "Administrator") processes personal data of so-called data subjects - natural persons who:
- are interested in purchasing in the online store (potential customers);
- (customers) buy or have made purchases in the online store.
The administrator ensures that the processing of personal data of data subjects is legal, correct, transparent, accurate, confidential and that personal data is processed only to the extent necessary. The administrator also ensures that personal data is properly secured and that all rules established by the GDPR as well as other legal regulations in the field of handling personal data are observed during the processing of personal data.
These principles were adopted, among other things, for the purpose of documenting the compliance of the processing of personal data by the Administrator with legal regulations. An explanation of individual terms related to the processing of personal data according to these principles is provided in Article 12 below.
2. Administrator of personal data
The administrator of personal data is the companyYES PRODUCTS s.r.o., ID: 03103897 Husitská 107/3, 130 00 Prague - Žižkov, registered in the commercial register maintained by the Municipal Court in Prague, C 227583/MSPH.
The administrator can be contacted in any of the following ways:
- in person at the Administrator's headquarters at Husitská 107/3, 130 00 Prague - Žižkov,
- electronically via [ info@stripschips.cz ];
- by phone at [ +420 720 498 618 ].
3. Purposes of processing for which personal data are intended and legal basis for processing
3.1. Fulfillment of the purchase contract
The administrator processes personal data in particularfor a purpose conclusion and fulfillment of the purchase contract, i.e. at least so that the Administrator can deliver the goods purchased in the online store to the customer.
Legalbasis of this processing is Article 6 paragraph 1 letter b) GDPR – performance of a contract to which the data subject is a party.
3.2. Fulfillment of legal obligations of the Administrator
The administrator processes personal datafor a purpose fulfillment of the Administrator's legal obligations, resulting from e.g. accounting and tax laws, the Consumer Protection Act, etc., including the Administrator's obligation to be able to demonstrate that it processes personal data in accordance with generally binding legal regulations, especially in accordance with the GDPR.
Legalbasis of this processing is Article 6 paragraph 1 letter c) GDPR – fulfillment of the legal obligation that applies to the Controller.
3.3. Legitimate interests of the Administrator
The administrator can process personal datafor a purpose:
- applying direct marketing (see Article 5 below);
- determination, exercise or defense of legal claims (especially legal claims arising from the concluded purchase contract).
Legalbasis of this processing is Article 6 paragraph 1 letter f) GDPR – legitimate interest of the Administrator.
3.4. Consent of the data subject
Based on consent, the Administrator may process personal datafor a purpose:
- application of direct marketing (see Article 5 below);
- establishing and maintaining a customer account (see Article 10 below).
Legalbasis of this processing is Article 6 paragraph 1 letter a) GDPR – consent of the data subject.
4. Processing of personal data based on consent
4.1. Dobrovolnost
Consent to the processing of personal data is completevoluntarily. Any failure to grant consent will have no effect on the data subjectno adverse effects.
4.2. Withdrawal of consent
Every data subject has the right to consent to the processing of personal datarevoke at any time, in one of the following ways.
- through a customer account; [it is necessary to add a button to revoke consent/disagree]
- by electronic notification sent to the Administrator's e-mail address (see Article 2 above);
- by a written notification sent to the address of the registered office or establishment/some of the Administrator's establishments (see Article 2 above).
Consent to maintaining a customer account can also be revoked by canceling the customer account (see paragraph 10.2 below).
The withdrawal of consent does not affect the legality of the processing of personal data in the period before the withdrawal of consent, on the basis of which the processing was carried out.
5. Direct Marketing
5.1. In general
The processing of personal data for the purposes of direct marketing means the processing of personal data for the purpose sending commercial messages in the sense of Act No. 480/2004 Coll., on certain information society services, as amended (hereinafter referred to as "Act No. 480/2004 Coll.“).
Commercial communication is understood any form of communication, including advertising and invitations to visit the website of the online store, intended to directly or indirectly support goods or services or the image of the Administrator (especially so-called newsletters).
5.2. How does it actually work?
Processing of personal data for the purpose of sending commercial messagesto potential customers(i.e. to persons who have not yet made a purchase in the online store, but have decided to subscribe to commercial communications) is only possible on the basis of their consent with the processing of personal data. Also, the actual sending of business messages to potential customers can only be done on the basis ofconsent (in accordance with § 7 paragraph 2 of Act No. 480/2004 Coll.).
Processing of personal data for the purpose of sending commercial messagestowards customers(i.e. to people who have already made a purchase in the online store) it is possible iwithout their consent, based on the existence of a legitimate interest of the Administrator (see paragraph 3.3 above or Recital 47 GDPR). It is also possible to send commercial messages to customerswithout their consent (in accordance with § 7 paragraph 3 of Act No. 480/2004 Coll.),unless the customer originally refused. [closer seehttps://www.uoou.cz/gdpr-a-nbsp-primy-elektronicky-marketing/d-30715]
5.3. Termination of processing for direct marketing purposes
The Administrator shall terminate the processing of personal data for direct marketing purposes immediately after the customer or potential customerexpress their disagreement with such processing. Disagreement can be made, for example, in one of the following ways:
- withdrawal of consent with the processing of personal data (see Article 4 above);
- expression of disagreement with the processing of personal data, in the same way as consent to the processing of personal data can be revoked (see Article 4 above);
- by logging out, which can be done in every commercial communication;
- by raising an objectionagainst such processing (under the conditions of Article 21 GDPR).
Notwithstanding the foregoing The administrator will stop processing personal data for direct marketing purposes no later than 2 years after the last purchase in the online store (conclusion of the purchase contract). Any further purchase therefore extends the processing time by another 2 years.
In the event that the purchase in the online store never takes place, the Administrator will terminate the processing at the same time as canceling the customer account (see paragraph 10.2 below).
6. Categories of recipients of personal data
The recipient of personal data is anyone to whom the Administrator provides personal data.
The administrator will transfer personal data in particular to the following recipients: entities providing accounting services, postal services, newsletter distribution services, legal services, IT services, operators of payment gateways, payment systems, domain administrators, technical support providers, etc. These recipients will process personal data either as independent administrators (i.e. as entities that themselves determine the purposes and means of personal data processing, independently of the Administrator), or as processors (i.e. entities that process personal data for the Administrator, based on his instructions).
In addition, the Administrator will provide personal data to public authorities if this obligation is imposed by generally binding legal regulations. These recipients will always process personal data as independent administrators. However, public authorities are not considered beneficiaries in the exercise of their investigative powers.
7. transfer to third countries or international organizations
The manager will not transfer personal data to third countries or to international organizations in the sense of Article 44 et seq. GDPR.
8. Time of personal data processing
Personal data will only be processed for the time necessary for the purpose of their processing. The termination of one of the legal bases for the processing of personal data does not affect the processing of personal data (to the extent necessary) on the basis of another legal basis.
8.1. Fulfillment of the purchase contract
For this purpose, the Administrator will process personal data within 30 days after the termination of the last of the obligations agreed in the purchase contract. This does not affect the Administrator's ability to subsequently process these personal data on the basis of other legal bases and for the purposes specified in these principles.
8.2. Fulfillment of legal obligations by the Administrator
For this purpose, the Administrator will process personal data for the duration of the relevant legal obligation of the Administrator established by generally binding legal regulations.
8.3. Legitimate interests of the Administrator
8.3.1. Direct marketing
For this purpose, the Administrator may process personal data until the time of expressing disagreement with such processing, but no longer thanfor a period of 2 years fromof the last purchase in the online store (see paragraph 5.3 above).
8.3.2. Legal claims
For this purpose, the Administrator may process personal data for the duration of the existence of the relevant legal claim, but for a maximum period of 1 year after the expiry of the limitation period according to generally binding legal regulations. In the event of the initiation and duration of judicial, administrative or any other proceedings, in which the rights or obligations resulting from the relevant legal claim will be resolved, the period of processing of personal data for this purpose will not end before the final conclusion of such proceedings.
8.4. Consent of data subjects
8.4.1. Direct marketing
For this purpose, the Administrator may process personal data until:
- withdrawal of consent with the processing of personal data (see Article 4 above);
- expression of disagreement with the processing of personal data, in the same way as consent can be revoked (see Article 4 above);
the longest thoughuntil the customer account is cancelled(see paragraph 10.2 below).
8.4.2. Customer account management
For this purpose, the Administrator may process personal data until the customer account is canceled (see paragraph 10.2 below).
8.5. Deletion of personal data
Immediately after the expiry of the processing period according to paragraph 8.1, 8.2 or 8.3.2 above, the Administrator anonymizes or disposes of the relevant personal data for which the purpose of their processing has expired.
In the cases according to paragraph 8.3.1 or 8.4 above, the Administrator shall terminate the processing of personal data for the stated purposes immediately after withdrawal of consent, expression of disagreement or cancellation of the customer account.
9. Rights of data subjects
Each data subject has, among others, the following rights:
- the right to demandaccess to your personal data (under the terms of Article 15 GDPR);
- the right torepair orerasure personal data (under the terms of Article 16 or Article 17 GDPR);
- the right tolimitations processing of personal data (under the terms of Article 18 GDPR);
- the right to raiseobjection against processing (under the terms of Article 21 GDPR);
- the right toportability data (under the terms of Article 20 GDPR);
- the lawwithdraw consent with the processing of personal data (see Article 4 above).
In the event that the data subject believes that his right to the protection of personal data has been violated, he also has the right to file a complaint with the supervisory authority, which isOffice for Personal Data Protection, based in Pplk. Sochora 27, Holešovice, 170 00 Prague 7.
10. Customer Account
10.1. Setting up a customer account
The creation of a customer account is completely voluntary, as the Administrator allows you to make a purchase in the online store even without creating a customer account (so-called without registration).
In order for the Administrator to store personal data entered in the form for establishing and maintaining a customer account (or at any time later in the customer account),it needs consent to do so.
Until the potential customer concludes a purchase agreement with the Administrator (i.e. becomes a customer), and subsequently after fulfilling all obligations from the concluded purchase agreement, the Administrator will not process personal data other than for the purposes of maintaining a customer account; howeveris not affectedthe Administrator's ability to process personal data on the basis of other legal bases, in particular on the basis of consent granted for the purposes of applying direct marketing (sending commercial communications).
10.2. Cancellation of customer account
Customer's account you can at any time cancel through a customer account or based on a request to cancel a customer account sent to one of the contact addresses listed in paragraph 2.2 above.
Notwithstanding the foregoingThe administrator will cancel the customer account within 3 years at the latest from the customer's last purchase in the online store.
In the event that the purchase in the online store never takes place, the Administrator will cancel the customer accountdo 3 let since its establishment.
11. Cookies and other technical data
More detailed information about so-called cookies and other technical data processed when visiting the website of the online store is provided in a separate document available atCookies files.
12. BASIC terms
Personal data is all information about an identified or identifiable natural person (so-calleddata subject); an identifiable natural person is a natural person who can be directly or indirectly identified, in particular by reference to a certain identifier, for example first name, surname, date of birth, residence, e-mail, telephone number, identification number, location data, network identifier or to one or more special elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
By processing personal data is any operation or set of operations with personal data or sets of personal data that is carried out with or without the aid of automated procedures such as collection, recording, arrangement, structuring, storage, adaptation or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, arrangement or combination, restriction, erasure or destruction.
A customeris a natural person who concluded a purchase contract with the Administrator through the online store, i.e. a person who has a so-called customer relationship with the Administrator.
A potential customeris a natural person who has not yet entered into a purchase contract with the Administrator through the online store, i.e. a person who does not have a so-called customer relationship with the Administrator.
13. Further information on the processing of personal data
In case of questions regarding the processing of personal data, the Administrator can be contacted via one of the contact addresses listed at the beginning of this policy.
General information on the processing of personal data can also be found on the website of the Office for the Protection of Personal Data available atwww.uoou.cz.
These policies take effect on May 25, 2018.