Processing of Personal Data and Information for Data Subjects
Privacy Policy
I. Basic Provisions
The controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: “GDPR”) is:
Šumavaprodukt s.r.o. (hereinafter: “the Controller”)Company ID: 29097436Address: Drouhavec 3, 341 42 VelharticeEmail: eshop@sumavaprodukt.czPhone: +420 602156008
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, network identifier, or one or more specific factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
The Controller has not appointed a Data Protection Officer.
II. Sources and Categories of Personal Data Processed
The Controller processes personal data that you have provided or personal data obtained based on the fulfillment of your order.
The Controller processes your identification and contact data and data necessary for the performance of a contract.
III. Legal Basis and Purpose of Processing Personal Data
The legal basis for processing personal data is:
- Performance of a contract between you and the Controller pursuant to Article 6(1)(b) GDPR
- Legitimate interest of the Controller in direct marketing (especially for sending commercial communications and newsletters) pursuant to Article 6(1)(f) GDPR
- Your consent to processing for direct marketing purposes (especially for sending commercial communications and newsletters) pursuant to Article 6(1)(a) GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll., if no order of goods or services has been made
The purpose of processing personal data is:
- To process your order and exercise rights and obligations arising from the contractual relationship between you and the Controller; personal data required for successful processing (name, address, contact details) are necessary for concluding and performing the contract
- To send commercial communications and carry out other marketing activities
The Controller performs automated individual decision-making within the meaning of Article 22 GDPR. You have provided explicit consent for such processing.
IV. Data Retention Period
The Controller retains personal data:
- For the period necessary to exercise rights and obligations arising from the contractual relationship and to assert claims (for 10 years after termination of the contract)
- For marketing purposes until consent is withdrawn, but no longer than 3 years, if processing is based on consent
After the retention period expires, the Controller deletes the personal data.
V. Recipients of Personal Data (Controller’s Subcontractors)
Recipients of personal data include:
- Persons involved in the delivery of goods/services or execution of payments
- Providers of e-shop operation services and related services
- Providers of marketing services
- For accounting and tax purposes in accordance with applicable laws, to the extent of:
- Name and surname, title
- Postal address
- Billing address
- Email address
- Telephone contact
- Bank details
- Details of goods/services provided
The Controller does not intend to transfer personal data to third countries (outside the EU) or international organizations.
VI. Your Rights
Under GDPR, you have the right to:
- Access your personal data (Article 15 GDPR)
- Rectification of personal data (Article 16 GDPR) or restriction of processing (Article 18 GDPR)
- Erasure of personal data (Article 17 GDPR)
- Object to processing (Article 21 GDPR)
- Data portability (Article 20 GDPR)
- Withdraw consent at any time in writing or electronically via the Controller’s contact details
You also have the right to lodge a complaint with the Data Protection Authority if you believe your rights have been violated.
VII. Personal Data Security Conditions
The Controller declares that all appropriate technical and organizational measures have been taken to secure personal data.
Measures include:
- Securing data storage (login credentials, antivirus, firewall)
- Securing physical documents (locked premises)
Only authorized persons have access to personal data.
VIII. Final Provisions
By submitting an order via the online form, you confirm that you have read and agree to these privacy conditions in full.
You express your agreement by checking the consent box in the online form.
The Controller reserves the right to change these conditions. A new version will be published on the website and sent to your email address.
These conditions take effect on April 15, 2020.