pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
__________________________________________________________________________________
These rules for the protection and processing of personal data (hereinafter referred to as the "Rules") describe which personal data of natural persons, especially customers (hereinafter referred to as the "Data Subject"), are processed in the activities of G 3 s.r.o., with registered office at Zdounky, Zborovská 1, 76802, ID No.: 27732622, registered in the Commercial Register maintained by the Regional Court in Brno, Section C, File 29563 (hereinafter referred to as the "Controller").
These Rules set out the types of personal data we collect and process when you use our services or enter into another contract with us, as well as how your personal data is used, shared and protected. You will also find an explanation of the options available to you regarding your personal data and how you can contact us. We hereby inform you below about the processing of your personal data and your rights in accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter also referred to as "GDPR").
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Controller has not appointed a data protection officer.
RECIPIENTS OF PERSONAL DATA
The Data Subject's personal data may be further transferred to the following recipients/categories of recipients:
- Controller's suppliers,
- Controller's employees,
- persons in other contractual relationships with the Controller (e.g. providers of marketing and advertising services),
- financial institutions and insurance companies,
- state authorities within the fulfilment of the Controller's legal obligations stipulated by relevant legal regulations,
CATEGORIES OF PROCESSED PERSONAL DATA
The Controller is authorized to process the following personal data of the Data Subject in particular:
- address and identification data serving for unambiguous and unmistakable identification of the Data Subject (e.g. name, surname, title, date of birth, possibly birth number, address of permanent residence, address of establishment, delivery address, ID No., VAT No.) and data enabling contact with the Data Subject (e.g. contact address, telephone number, fax number, e-mail address and other similar information),
- descriptive data (e.g. bank connection, payment information)
- images, photographs and videos,
- data provided beyond the scope of relevant laws processed within the framework of consent granted by the Data Subject (e.g. use of personal data for personnel proceedings, use of personal data for promotional purposes, etc.),
- other data necessary for the performance of the contract,
- other personal data that the Data Subject has provided to the Controller.
PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
The Controller processes the Data Subject's personal data for the purposes of:
a) performance of the contract, based on Article 6(1)(b) of the GDPR,
b) compliance with the Controller's legal obligation stipulated by generally binding legal regulation, based on Article 6(1)(c) of the GDPR (e.g. the Controller's obligation to keep accounting and tax documents),
c) establishment, exercise or defense of the Controller's legal claims, based on Article 6(1)(f) of the GDPR,
d) sending of commercial communications, based on Article 6(1)(f) of the GDPR due to the existence of the Controller's legitimate interest consisting in direct marketing,
e) other marketing purposes of the Controller related to the offer of products and services; sending information about organized events, products, services and other activities (e.g. by sending newsletters, telemarketing); contacting for market research and marketing research purposes; contacting for the purpose of Christmas and Easter or other holiday wishes and sending discount vouchers, gifts, etc., based on Article 6(1)(a) of the GDPR
DURATION OF PERSONAL DATA PROCESSING
Personal data will be processed only for the period that is necessary with regard to the purpose of their processing. With regard to the above:
- for the purpose according to point a) above, personal data will be processed until the expiry of obligations under the contract (this does not affect the Controller's possibility to subsequently further process this personal data - to the extent necessary for the purpose according to points b), c), d) and/or e) above,
- for the purpose according to point b) above, personal data will be processed for the duration of the relevant legal obligation of the Controller,
- for the purpose according to point c) above, personal data will be processed until the expiry of the 4th calendar year following the end of the warranty period according to the contract (if a quality warranty was agreed in the contract), but at least until the expiry of the 5th calendar year following the expiry of obligations under the contract,
- in the event of initiation and duration of court, administrative or other proceedings in which the Controller's rights or obligations in relation to the relevant Data Subject are resolved, the period of personal data processing for the purpose according to point c) above will not end before the end of such proceedings,
- for the purpose of sending commercial communications according to point d) above, personal data will be processed until the Data Subject expresses disagreement with such processing,
- for the purposes according to point e) above, personal data will be processed for the period for which the Data Subject granted consent to the Controller according to a separately agreed consent to the processing of personal data. In this case, the Data Subject acknowledges that before the expiry of this period, the Controller may contact them for the purpose of renewing their consent.
No later than by the end of the calendar year following the expiry of the processing period above, the relevant personal data for which the purpose of their processing has ceased will be destroyed (by shredding or another method that ensures that unauthorized persons will not be able to access the personal data) or anonymized.
METHOD OF PERSONAL DATA PROCESSING
Personal data processing is carried out by the Controller. Processing is carried out at the Controller's establishments and registered office by individual authorized employees of the Controller, or by Processors. Processing takes place through computer technology, or manually in the case of personal data in paper form, while observing all security principles for the management and processing of personal data. For this purpose, the Controller has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, their unauthorized processing, as well as other misuse of personal data. All entities to whom personal data may be made accessible respect the Data Subjects' right to privacy and are obliged to proceed in accordance with valid legal regulations concerning the protection of personal data.
Automated individual decision-making or profiling based on provided data will not be carried out. Personal data of Data Subjects will not be transferred to third countries (i.e. countries outside the EU and EEA).
INFORMATION PROVIDED TO DATA SUBJECTS UNDER GDPR
In connection with the processing of their personal data, Data Subjects have a number of rights, including the right to request from the Controller:
- access to their personal data (under the conditions of Article 15 of the GDPR),
- rectification or erasure of personal data (under the conditions of Article 16 or Article 17 of the GDPR),
- restriction of processing of personal data (under the conditions of Article 18 of the GDPR),
- to object to the processing of personal data (under the conditions of Article 21 of the GDPR),
- the right to data portability (under the conditions of Article 20 of the GDPR),
- the right to withdraw consent to the processing of personal data in writing or electronically to the address or email of the Controller stated in these Rules.
If the Data Subject discovers or believes that their personal data is being processed in violation of the protection of the Data Subject's private and personal life or in violation of legal regulations, they have the right to contact the Controller with a request for explanation and/or remedy. The request must be submitted in writing by sending a letter or email to the Controller's contact details: G 3 s.r.o., Zdounky, Zborovská 1, 76802, e-mail:
If the Data Subject's request is found to be justified, the Controller will immediately remove the defective state. This does not affect the Data Subject's possibility to contact the supervisory authority directly, the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, +420 234 665 555, www.uoou.cz.
CONCLUSION
These Controller's Rules shall apply in relation to Data Subjects provided that no other agreement is made between a third party and the Controller. The Controller reserves the right to change these rules for the protection and processing of personal data in any way and at any time, with the current status always being posted on the website www.g3.cz.