Rules for the protection and processing of personal data

These rules for the protection and processing of personal data (hereinafter referred to as the “Rules”) describe how Lucie Závacká, Company ID: 064 08 397, with its registered office at Vančurova 1694/3, 251 01 Říčany (hereinafter referred to as the “Controller”) processes the personal data of natural persons (hereinafter referred to as the “Data Subject”).

These Rules set out the types of personal data we collect and process when you use our services, as well as how your personal data is used, shared and protected. They also explain the options you have in relation to your personal data and how you can contact us. We hereby inform you below about the processing of your personal data and your rights in accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier.

  1. PROCESSORS AND RECIPIENTS OF PERSONAL DATA

The Controller is authorized to transfer personal data to entities with which it has concluded a personal data processing agreement and which will process personal data for the Controller as its processors. On this basis, the Controller is authorized to transfer the personal data of the Data Subject to the following entities or categories of entities:

  • freight forwarders
  • the payment card issuer, in the case of a purchase made with the Controller where the goods were paid for by payment card
  • the Controller's suppliers
  • the Controller's employees
  • persons in another contractual relationship with the Controller (e.g. providers of marketing and advertising services, law firms)
  • financial institutions and insurance companies
  • state authorities in the framework of fulfilling legal obligations stipulated by relevant legal regulations

Furthermore, the Controller is authorized to transfer personal data related to the administration of information systems and to marketing services, in particular to the following recipients:

  • Facebook Ireland Limited
  • Google Ireland Limited
  • Heureka Shopping s.r.o.
  • Seznam.cz, a.s.

  2. CATEGORIES OF PERSONAL DATA PROCESSED

The Controller is authorized to process, in particular, the following personal data of the Data Subject:

  • address and identification data used for the unambiguous and unmistakable identification of the Data Subject (e.g. name, surname, title, date of birth, or birth registration number, permanent residence address, business address, delivery address, company ID, VAT number) and data enabling contact with the Data Subject (e.g. contact address, telephone number, fax number, e-mail address and other similar information),
  • descriptive data (e.g. bank details, payment information or credit card information),
  • account login information, including the name under which the Data Subject appears on the Internet and a unique user ID,
  • data provided beyond the scope of applicable laws processed within the framework of the consent granted by the Data Subject (e.g. use of personal data for the purpose of personnel procedures, use of personal data for the purpose of promotion, etc.),
  • personal settings (preferences), including settings in the area of marketing and the use of cookies by the Data Subject,
  • other data necessary for the performance of the contract,
  • other personal data that the Data Subject provided to the Controller.

Beyond the above, the Controller specifies what data is processed in connection with the behavior of the Data Subject:

  • If anyone visits the Controller's website, this person agrees that information about them is collected during the visit, such as IP address, browser settings and preferred language, and visited websites, including the time of the visit. The Controller monitors the person's movement on the website, in particular which links are clicked. The Controller does all this in order to personalize the displayed content. When the website is visited, so-called cookies are also stored in the visitor's internet browser and are subsequently read by the Controller.
  • The most frequently provided data is that obtained through the form for ordering goods or other services on the Controller's web interface. This is mainly data necessary for concluding and performing a purchase contract (identification data, contact data, data arising from the duration of the contract - purchased goods, volume of services provided, customer segment). The Controller expressly states that in the case of purchasing goods related to health, data on health status is not processed, since the purchase of a certain type of goods does not in itself indicate a health status, and the Controller does not find out for whom the product is intended.
  • If the Data Subject wishes to use the benefits of a user account, it is necessary to register for it. The user account is secured by a password chosen by the Data Subject. The Controller does not have access to this password and, if it is lost, is therefore unable to send it to the Data Subject; the Controller is only able to generate a form for entering a new password. The Data Subject has access to his/her personal data within the user account and can edit them if necessary. Within the user account, the Data Subject can view the history of completed orders, purchased products, and unfinished orders, with an unfinished order remaining stored until the user logs in to the user account again. The Data Subject can also save his/her favorite products. If the Data Subject is registered, identification data, contact data, demographic data, login data (without the actual password), and data arising from the duration of the contract are processed, including complaints and returned goods.
  • The Data Subject can subscribe to commercial communications in the Controller's web interface. These communications can be refused at any time via the unsubscribe link in the footer of each e-mail containing them. In this case, the Controller processes identification data, contact data and demographic data.
  • The Controller offers Data Subjects the opportunity to connect their social networks to the Controller's website. This involves automatic login to the user account. The connection can be canceled at any time. Data Subjects acknowledge that this functionality is supported by so-called social plugins. After the connection, the Controller's targeted advertising may be displayed on the Data Subject's social networks or other websites.

  3. PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

The Controller processes the personal data of the Data Subject for the purposes of:

  a) conclusion of a contract and performance under the contract, based on Article 6(1)(b) of the GDPR,
  b) compliance with the Controller's legal obligation set out in a generally binding legal regulation, based on Article 6(1)(c) of the GDPR (e.g. the Controller's obligation to keep accounting and tax documents),
  c) determination, exercise or defense of legal claims of the Controller, based on Article 6(1)(f) of the GDPR,
  d) sending commercial communications, based on Article 6(1)(f) of the GDPR due to the existence of the Controller's legitimate interest in direct marketing,
  e) other marketing purposes of the Controller related to the offer of products and services; sending information about organized events, products, services and other activities (e.g. by sending newsletters, telemarketing); contacting for the purpose of market surveys and marketing research; contacting for the purpose of sending Christmas, Easter or other holiday wishes and sending discount vouchers, gifts, etc., based on Article 6(1)(a) of the GDPR.

  4. PERIOD OF PROCESSING PERSONAL DATA

Personal data will be processed only for the period necessary for the purpose of their processing. In view of the above:

  • for the purpose referred to in letter a) above, personal data will be processed until the obligations under the contract expire (this does not affect the possibility for the Controller to subsequently process such personal data, to the extent necessary, for other purposes),
  • for the purpose referred to in letter b) above, personal data will be processed for the duration of the relevant legal obligation of the Controller,
  • for the purpose under letter c) above, personal data will be processed until the 4th calendar year following the end of the warranty period under the contract (if a quality guarantee was agreed in the contract), but at least until the 5th calendar year following the termination of the obligations under the contract,
  • in the event of the initiation and continuation of judicial, administrative or other proceedings in which the rights or obligations of the Controller in relation to the relevant Data Subject are addressed, the period of processing personal data for the purpose referred to in letter c) above shall not end before the end of such proceedings,
  • for the purpose of sending commercial communications pursuant to letter d) above, personal data will be processed until the Data Subject expresses his/her disagreement with such processing,
  • for the purposes referred to in letter e) above, personal data will be processed for the period for which the Data Subject has granted the Controller consent pursuant to the separately agreed consent to the processing of personal data. In this case, the Data Subject acknowledges that the Controller may contact him/her before the expiry of this period in order to renew his/her consent.

After the relevant period has expired, the personal data concerned will be destroyed and will no longer be used or processed.

  5. METHOD OF PROCESSING PERSONAL DATA

The processing of personal data is carried out by the Controller or an authorized processor. The processing is carried out at the Controller's headquarters by individual authorized employees of the Controller or the Processor. The Controller may collect or obtain personal data through its websites, forms, electronic or telephone contact, personal meetings or otherwise. Processing takes place using computer technology or, where applicable, manually for personal data in paper form, in compliance with all security principles for the management and processing of personal data.

For this purpose, the Controller has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, their unauthorized processing, as well as other misuse of personal data. All entities to which personal data may be made available respect the right of Data Subjects to privacy protection and are obliged to proceed in accordance with applicable legal regulations regarding the protection of personal data.

Automated individual decision-making or profiling based on the data provided will not be carried out. Personal data of Data Subjects will not be transferred to third countries.

  6. INFORMATION PROVIDED TO DATA SUBJECTS UNDER GDPR

In connection with the processing of their personal data, Data Subjects have a number of rights in relation to the Controller, including:

  • the right of access to their personal data (under the conditions of Article 15 of the GDPR),
  • the right to correction or deletion of personal data (under the conditions of Article 16 or Article 17 of the GDPR),
  • the right to restriction of processing of personal data (under the conditions of Article 18 of the GDPR),
  • the right to object to the processing of personal data (under the conditions of Article 21 of the GDPR),
  • the right to personal data portability (under the conditions of Article 20 of the GDPR),
  • the right to withdraw consent to the processing of personal data, in writing or electronically to the address or email of the Controller specified in these Rules.

If the Data Subject discovers or believes that his/her personal data are being processed in violation of the protection of the Data Subject's private and personal life or in violation of legal regulations, he/she has the right to contact the Controller with a request for explanation and/or redress. The request must be submitted in writing by sending a letter or e-mail to the Controller's contact details: obchod@gdess.cz, or by phone at +420 736 466 783.

If the Data Subject's request is found to be justified, the Controller shall immediately remedy the situation. This does not affect the Data Subject's right to contact the supervisory authority, the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, +420 234 665 555, www.uoou.cz.

  7. COOKIE POLICY

The Controller's website uses cookies. Cookies are small text files that websites can use to improve the user experience.

Cookies are used by the Controller to personalize content and advertisements, provide social media features, and analyze traffic. Information about website usage is also shared with the Controller's partners in the field of social media, advertising, and analytics, who may combine it with other information provided to them by website users or collected by them when using their services.

The law stipulates that the Controller may store cookies on the website user's device without the user's consent if they are strictly necessary for the operation of this website (see the Necessary Cookies section). For all other types of cookies, the website user's consent is required, and it can be revoked or changed at any time.

  8. TYPES OF COOKIES

Necessary
Necessary cookies help to make the website usable. They provide basic functions such as page navigation and access to secure areas of the website. Without these cookies, the website cannot function properly.
Cookies can be blocked (disabled), but some pages may then not display correctly and some parts may not work at all. Cookie settings for the most commonly used browsers can be found here:

Analytical, performance and statistical
These cookies are used to improve the functioning of the website. For example, they are used to understand how visitors interact with the website and usually help provide information about visitor metrics, bounce rates, traffic sources, etc. Analytical cookies also allow visitors to easily find what they are looking for. They can also be used to improve the performance and speed of the website.

Preference
Preference cookies allow a website to remember information that changes the way the website behaves or looks. This can include, for example, a preferred language or the region in which the website user is located.

Advertising and marketing
Advertising cookies are used to track visitors across websites. The intention is to display advertisements that are relevant and engaging to individual users, and therefore more valuable to publishers and third-party advertisers.

Other cookies
These are cookies that cannot be classified into one of the above categories based on their type and purpose.

Effective date 1.11.2024