under Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
These Rules on Personal Data Protection and Processing (hereinafter only „the Rules”) describe which personal data of natural persons, in particular customers, (hereinafter only “the Data Subject”) are processed in the course of activities of the company GRASPO CZ, a.s.., Company Id. No.: 25586092, with registered office at Zlín, Pod Šternberkem 324, Postal Code 763 02, registered in the Companies Register of the Regional Court in Brno, Section B, File 3174 (hereinafter only “the Controller”).
These Rules define the types of personal data which are collected and processed by us when you use our services or conclude agreements, and also the methods how your personal data are used, shared and protected. In this document you will also find the explanation of options which are at your disposal in relation to your personal data and information how you can contact us. By this document we inform you of your rights pursuant to Article 12 of Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter also only “the GDPR”).
The expression “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a certain identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Controller has not designated the Data Protection Officer.
PROCESSORS AND RECIPIENTS OF PERSONAL DATA
The Controller is entitled to transmit the personal data to third parties with whom the Controller has concluded an agreement on personal data processing who will process the personal data for the Controller as the Controller’s Processors. On the basis of the above, the Controller is entitled to transmit the Personal Data of a Data Subject to the following Recipients / Categories of Recipients:
Third Parties in other contractual relationships with the Controller (e.g. providers of marketing and advertising services),
Financial institutions and insurance companies,
Public authorities within the framework of the Controller’s statutory obligations stipulated by relevant legal regulations,
CATEGORIES OF PERSONAL DATA PROCESSED
The Controller is entitled to process in particular the following Personal Data of Data Subjects:
Address and identification data enabling unambiguous and noninterchangeable identification of the Data Subject (e.g. the name, surname, if given, permanent address, business address, delivery address, identification number, tax number) and data enabling the contact with the Data Subject (e.g. the contact address, telephone number, email address and other similar information),
Login data to the account, including the name, which the Data Subject uses on the Internet, passwords and the unique user ID,
Personal settings (preferences) including marketing settings and Cookies settings of the Data Subject,
Other data necessary for performance of contracts,
Other personal data provided to the Controller by the Data Subject.
PURPOSES AND LEGAL BASIS FOR PERSONAL DATA PROCESSING
The Controller processes the Data Subject’s data for the following purposes:
Performance of agreement according to Article 6, Section 1, Letter b) of the GDPR,
Meeting the Controller’s statutory obligations imposed by the generally binding regulation according to Article 6, Section 1, Letter c) of the GDPR (e.g. the Controller’s obligation to keep accounting and tax documents),
Determination, execution or defence of the Controller’s legal claims according to Article 6, Section 1, Letter f) of the GDPR,
Sending commercial messages according to Article 6, Section 1, Letter f) of the GDPR on grounds of the Controller’s legitimate interest in direct marketing,
Other Controller’s marketing purposes related to the offer of products and services; sending information on organized events, products, services and other activities (e.g. in the form of newsletters, telemarketing), contacting for the purpose of market and marketing research, contacting for the purpose of sending Christmas or Easter or other holiday greetings, sending discount vouchers, gifts etc. according to Article 6, Section 1, Letter a) of the GDPR.
PERIOD OF PERSONAL DATA PROCESSING
Personal Data will be processed only for such periods which are necessary with regard to the purpose of their processing. With regard to the above:
For the purpose described above under Letter a), Personal Data will be processed until the extinction of obligations (the possibility of the Controller to process the Personal Data thereafter is not affected – in the necessary scope for the purposes as per Letters b), c), d) and/or e) stated above),
For the purpose described above under Letter b), Personal Data will be processed for the duration of the Controller’s relevant legal obligation,
For the purpose described above under Letter c), Personal Data will be processed until the end of the 4th calendar year following after the end of the warranty period under the agreement (if the quality warranty is stipulated in the agreement), however at least until the end of the 5th calendar year following after the extinction of contractual obligations,
In the event of commencement and continuation of court, administrative or other proceedings concerning the Controller’s rights and obligations in relation to the Data Subject concerned, the period of personal data processing for the purpose described above under Letter c) shall not end prior to the termination of such proceedings,
For the purpose of sending commercial messages described above under Letter d), the Personal Data shall be processed until the Data Subject shall express its disagreement with such processing,
For the purposes described above under Letter e), the Personal Data shall be processed for the period of time for which the Data Subject granted his/her consent upon a separately agreed consent to the Controller with the processing of Personal Data. In this case the Data Subject acknowledges that prior to the expiry of such period of time the Controller is allowed to contact the Data Subject for the purpose of extended consent.
At the latest by the end of the calendar quarter following after the expiration of the time for processing, the relevant Personal Data whose purpose for processing has ceased will be liquidated (by shredding or any other method ensuring that no unauthorized persons shall be capable to read the Personal Data) or anonymized.
METHODS OF PERSONAL DATA PROCESSING
The processing of Personal Data shall be carried out by the Controller. The processing shall be carried out in both Controller’s establishments by individual employees authorized by the Controller, or by Processors, as the case may be. The processing shall be executed by means of computer technology, and/or manual processing in case of Personal Data in documentary form, as the case may be, subject to the observance of all safety rules applying to the administration a processing of Personal Data. For this purpose the Controller has taken necessary administrative and organization measures to ensure the protection of Persona Data, in particular, in order to protect the Personal Data against unauthorized or incidental access to Personal Data, their modification, damage or loss, unauthorized transfers, unauthorized processing as well as other kinds of misuse of Personal Data. All third parties to whom the Personal Data shall be made available shall respect the Data Subjects’ rights to the protection of Personal Data and shall be obliged to proceed in compliance with valid legal regulations governing the protection of Personal Data.
Neither automated individual decision-making nor profiling on the basis of provided data shall be performed. Personal data of Data Subjects shall not be transmitted to third countries (i.e. countries outside the EU and the EEA). If there is an exceptional transition to the third countries, the Controller shall act pursuant to the corresponding provisions of GDPR.
INFORMATION PROVIDED TO THE DATA SUBJECTS PURSUANT TO THE GDPR
In relation to the processing of their Personal Data, the Data Subjects have many rights including the right to request the following from the Controller:
The right of access to their Personal Data (pursuant to Article 15 of the GDPR),
The right of rectification or erasure of Personal Data (pursuant to Article 16 or Article 17 of the GDPR),
The right of restriction of processing of Personal Data (pursuant to Article 18 of the GDPR),
The right to object to the procession of Personal Data (pursuant to Article 21 of the GDPR),
The right to portability of Personal Data (pursuant to Article 20 of the GDPR),
The right to withdraw their consent to the processing of Personal Data either in written or electronic form sent to the Controller’s email or address referred in herein.
If the Data Subject learns or believes that his/her Personal Data are being processed contrary to the protection of private and family life of the Data Subject or contrary to legal regulations, the Data Subject shall be entitled to request an explanation and/or the remedy of the situation. Such request shall be sent in written form by a letter or email to the following Controller’s postal or email address: firstname.lastname@example.org
If the Data Subject’s request is found to be justified, the Controller shall without any delay remedy the defective condition. This does not affect the Data Subject’s right to refer directly to the supervisory authority, i.e. the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, Tel. +420 234 665 555, www.uoou.cz.
These Controller’s Rules shall apply to the relations with Data Subjects, unless agreed otherwise between a third party and the Controller. The Controller reserves the right to amend these Rules on Personal Data Protection and Processing in any way and at any time and the current version shall always be posted on the following website: www.graspo.com