Personal Data Protection
I.
Basic Provisions
- The controller of your personal data pursuant to Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter only the “GDPR”) is: Phyto CZ, s.r.o., ID No. 26229021 with its registered office at Dukelská brána 5, 79601 Prostějov (hereinafter only the “Controller”).
- The Controller’s contact details are as follows:
address: Dukelská brána 5, 796 01 Prostějov
email: phyto@phyto.cz
tel. no.: 00420 582 334 321
- Personal data mean any information relating to an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier, such as name, identification number, location data, network identifier or one or more specific physical, physiological, genetic, mental, economic, cultural or social identity elements of that natural person.
- The Controller did not appoint a Data Protection Officer.
II.
Sources and Categories of Personal Data Being Processed
- The Controller processes personal data that you have provided to it or that the Controller has obtained in the course of fulfilling your purchase order.
- The Controller processes your identification and contact data and data necessary for the Contract performance.
III.
Legal Reason and Purpose of Personal Data Processing
- The legal reason for the personal data processing is:
- performance of the Contract between you and the Controller pursuant to Article 6 (1) (b) of the GDPR,
- the Controller’s legitimate interest in the provision of direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6 (1) (f) of the GDPR,
- your consent to the processing for the purposes of direct marketing (in particular for sending commercial communications and newsletters) pursuant to Article 6 (1) (a) of the GDPR in connection with Sec. 7 (2) of Act No. 480/2004 Coll., on Certain Information Society Services, in the event that no goods or services have been ordered.
- The purpose of personal data processing is:
- processing your purchase order and exercising the rights and obligations arising from the contractual relationship between you and the Controller; when you submit a purchase order, the personal data necessary for its successful processing are required (name and address, contact details); providing the personal data is an essential requirement for concluding and performing the Contract, and without it the Controller cannot conclude or perform the Contract,
- sending business messages and conducting other marketing activities.
- There is no automated individual decision-making by the Controller within the meaning of Article 22 of the GDPR.
IV.
Data Retention Period
- The Controller keeps the personal data
- for the period necessary to exercise the rights and obligations arising from the contractual relationship between you and the Controller and to assert claims under such contractual relationships (for a period of 15 years from the termination of the contractual relationship),
- until the consent to the personal data processing for marketing purposes is revoked, for a maximum of 10 years, if the personal data are being processed on the basis of a consent.
- After the personal data retention period expires, the Controller shall delete the personal data.
V.
Personal Data Recipients (Controller’s Subcontractors)
- Other recipients of your personal data will be shipping companies and other persons:
- participating in the delivery of the goods or the execution of payments under the Contract,
- providing the Controller with technical services relating to the e-shop operation, including the software and data storage operations,
- providing marketing services, managing Internet advertising, newsletter distribution and data analysis.
- Recipients of your personal data processed to fulfill the obligations arising from legal regulations may also be financial administration bodies or other competent authorities in cases in which the obligation is imposed upon the Controller by generally binding legal regulations.
- The Controller does not intend to transfer your personal data to a third country (to a non-EU country) or to an international organization.
VI.
Your Rights
- Under the conditions set out in the GDPR, you have
- the right of access to your personal data pursuant to Article 15 of the GDPR,
- the right to correct the personal data pursuant to Article 16 of the GDPR, or to restrict the processing pursuant to Article 18 of the GDPR,
- the right to delete the personal data pursuant to Article 17 of the GDPR,
- the right to object to the processing pursuant to Article 21 of the GDPR,
- the right to data portability according to Article 20 of the GDPR, and
- the right to withdraw the consent to processing in writing or electronically to the Controller’s address or e-mail specified in Article III hereof.
- You also have the right to file a complaint with the Office for Personal Data Protection if you believe that your right to personal data protection has been violated.
VII.
Personal Data Security Conditions
- The Controller declares that it has adopted all appropriate technical and organizational measures to secure the personal data and data repositories.
- The Controller declares that only persons authorized by it have access to the personal data.
VIII.
Final Provisions
- By submitting a purchase order via the online purchase order form, you confirm that you are familiar with the personal data protection conditions and that you accept them in full.
- The Controller is entitled to change these conditions. The new version of the personal data protection conditions will be published on its website and at the same time the new version of these conditions will be sent to your e-mail address that you have provided to the Controller.
These Terms and Conditions become effective on 25 May 2018.