I. Basic provisions
1. The administrator of personal data pursuant to Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) is the company MILAN NESTAREC s.r.o., company identification number: 066 76 553, with its registered office at Záhumní 449, 691 01 Moravský Žižkov, registered with the Regional Court in Brno, Section C, File 103518 (the “Administrator”).
2. The contact details of the Administrator are:
MILAN NESTAREC s.r.o.
Záhumní 449, 691 01 Moravský Žižkov
3. The Administrator processes personal data in accordance with the GDPR and Act No. 110/2019 Coll., on the processing of personal data.
4. Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier, such as name, identification number, location data, network identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
5. The Administrator has not appointed a data protection officer.
II. Sources and categories of personal data processed
1. The Administrator processes personal data provided by the customer or personal data obtained by the Administrator on the basis of the fulfilment of the customer's order.
2. The Administrator processes the customer's identification and contact data and the data necessary for the performance of the purchase contract.
III. Legal reason and purpose of personal data processing
1. The legal reason for processing personal data is
- performance of the contract between the customer and the Administrator pursuant to Article 6 (1), letter b) of the GDPR,
- the legitimate interest of the Administrator in the provision of direct marketing (especially for sending commercial messages and newsletters) pursuant to Article 6 (1), letter f) of the GDPR,
- the customer's consent with processing for the purposes of providing direct marketing (especially for sending commercial messages and newsletters) pursuant to Article 6 (1), letter a) of the GDPR in conjunction with Section 7 (2) of Act No. 480/2004 Coll., on certain information society services and on amendments to certain acts (Act on Certain Information Society Services), as amended, in the event that no goods or services have been ordered.
2. The purpose of personal data processing is
- settlement of the customer's order and exercise of rights and obligations arising from the contractual relationship between the customer and the Administrator; when ordering, the personal data necessary for successful processing of the order (name and address, contact) are required; provision of personal data is a necessary requirement for concluding and fulfilling the purchase contract, and without it the Administrator cannot conclude or fulfil the purchase contract,
- sending of business messages and other marketing activities,
- sending of a notification that the customer's purchase has not been completed, the contents of the customer's cart are still saved and the customer can complete it at any time after logging in.
3. There is no automatic individual decision-making by the Administrator within the meaning of Article 22 of the GDPR.
4. The Administrator shall process the following personal data:
a) identification data, which means in particular first and last name, username and password in illegible form;
b) contact details, which means personal data enabling the customer to be contacted, in particular e-mail address, telephone number and postal address;
c) personal settings of the customer, which means data about his/her account, in particular the stored address, settings of newsletters, type of membership in the loyalty program and evaluation of products and services by the customer;
d) data on the customer's orders, which are in particular data on goods and services ordered by the customer, the method of delivery and payment, including the number of the payment account, data on complaints.
IV. Data retention period
1. The Administrator shall store personal data
- for the period necessary to exercise the rights and obligations arising from the contractual relationship between the customer and the Administrator and to enforce claims arising from these contractual relationships, but no longer than for 15 years from the termination of the contractual relationship;
- until the consent with the processing of personal data for marketing purposes is revoked, but no longer than for 15 years from the granting of the consent, if the personal data are processed on the basis of the consent.
2. The Administrator will delete the personal data once the retention period of personal data expires.
V. Recipients of personal data (subcontractors of the Administrator)
1. The recipients of personal data are persons
- participating in the delivery of goods and the implementation of payments on the basis of a contract,
- providing e-shop operation services (Shopify) and other services in connection with e-shop operation,
- providing marketing services (Mailchimp).
2. The Administrator intends to transfer personal data to a third country (outside the EU) only on condition that the recipient has provided a reference to appropriate guarantees and that the customer's enforceable rights and effective legal protection of the customer are available. Recipients of personal data in third countries are persons providing email services, persons providing cloud services, persons with whom email communication and data backups are stored or persons providing services referred to in paragraph 1 of this Article.
3. The web interface uses Google Analytics, a service provided by Google, Inc. (“Google”).
4. Google Analytics uses “cookies”, text files stored in the computer of each visitor of the web interface, which make it possible to analyse the method of use of the web interface.
5. The information generated by the cookie about the use of the website (including the IP address) will be transmitted to and stored by Google on servers in the United States of America. Google will use this information for the purpose of evaluating the use of the web interface and compiling reports on website activity for users and using the internet in general. Google may also provide this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate the subject's IP address with any other data held by Google.
6. By using the web interface, the customer agrees to the processing of data about it by Google in the manner and for the purpose stated above.
9. No personal data is transferred to any third party other than the above for further processing.
VI. Customer rights
1. Under the conditions set out in the GDPR, the customer has
- the right to access their personal data pursuant to Article 15 of the GDPR,
- the right to correct personal data pursuant to Article 16 of the GDPR, or restrict processing pursuant to Article 18 of the GDPR,
- the right to delete personal data pursuant to Article 17 of the GDPR,
- the right to object to the processing pursuant to Article 21 of the GDPR,
- the right to data transferability pursuant to Article 20 of the GDPR, and
- the right to withdraw the consent with processing in writing or electronically by sending a communication to the address or email of the Administrator referred to in Article I, paragraph 2 of these conditions.
2. The customers also have the right to file a complaint with the Office for Personal Data Protection if they consider that their right to personal data protection has been violated.
VII. Terms of personal data security
1. The Administrator declares that he has taken all appropriate technical and organizational measures to secure personal data.
2. The Administrator has taken technical measures to secure data repositories and personal data repositories in paper form, in particular by encryption, anti-virus system, firewall and guarded area in which the documents in paper form are stored.
3. The Administrator declares that only persons authorized by him have access to personal data.
VIII. Final provisions
1. The customers confirm by ticking the consent via the online form and sending the order from the online order form that they are familiar with the conditions of personal data processing and that they accept them in full.
2. The Administrator is entitled to change these conditions. He will publish the new version of the conditions of personal data processing on his website and at the same time send it to all customers to their e-mail addresses which they have provided.
These conditions become effective on 1 November 2020.