First of all, we would like to explain some basic terms we are using:
Personal data as a value. We consider your personal data as an important value and we treat them in this spirit. When we process personal data, we proceed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and other applicable legal regulations.
What are the basic rules? When processing personal data, we observe the following basic rules in all circumstances:
Further directions. In principle, we process your personal data for no more than two purposes: performance and administration of contracts on the one hand, and marketing and commercial purposes on the other. Both these purposes and the rules we apply to them are discussed below. Furthermore, as certain data may be linked to a particular natural person under certain circumstances as a result of employment of cookies and web beacons, we specify below also the rules applicable to use of these technologies.
What personal data are concerned? We process personal data contained in contracts you have entered into with us and personal data arising from performance of these contracts. These include, but are not limited to, identity and contact data, data on the subject of the contract, and data on exercising rights and fulfilling obligations following from the contract (billing, etc.), including commercial communications with you. Please note that contracts may be executed not only in writing (including electronic form), but also orally. Among other things, every accepted order of goods through our e-shop establishes a contract.
Why do we need these personal data? It is obvious that we have to process contract-related personal data in order to be able to meet contractual obligations and exercise rights from these contracts and to comply with legal obligations associated therewith – for example, we are obliged to keep accounting records and store them for the statutory periods.
Where do we obtain your personal data from? We primarily obtain contract-related personal data from you, but the data may also result from performance of the contracts (e.g. information about delivery of the ordered goods from the carrier). We always proceed in a transparent way.
Do we have access to data on payment cards? If you pay for our goods (services) using a payment card, the payment is made via a secured payment gate operated by Československá obchodní banka a.s. or by Digital River, Inc. We have no access to personal or other data through which the payment transaction is authorised.
How long do we process personal data for? We process (store) personal data for the period of time during which they may be legally relevant for performance of the contract in question and settlement of rights and obligations resulting therefrom, i.e. until expiry of the applicable limitation, preclusion, warranty, storage and other similar periods set out by legal regulations or contract arrangement, whereas the expiration of the last of the said periods matters; in particular cases, the periods depend on assessment of the contract in question; it is usually not longer than 10 years after the contract has been discharged (terminated).
Why do we process personal data for marketing and commercial purposes? We process personal data for marketing and commercial purposes for two reasons:
Personal data for the purpose of contacting you with an offer or other similar commercial communications are processed only if a reasonable assumption exists that you are interested in our offer; this can be assumed in particular if you are or were our customer. Personal data for the purpose of personalisation are processed only if you have had commercial contact with us (by purchasing goods or services or if you expressed specific interest in purchasing our goods or services).
When is it possible to disseminate email commercial communications? We respect the rule that using your email address for commercial communications is only possible if you have provided the address to us as our customer, or if you have given us consent to use your email address for this purpose. You can withdraw your consent at any time; see the “Your Rights” section for the form in which this can be done. Anyhow, we give you a simple and clear opportunity in every email commercial communication to reject further commercial communications.
What personal data do we process for this reason? The following types of personal data are concerned (in concrete case, not all of the listed types of personal data must be processed):
We create customer profiles from some or all of the processed personal data that we use for the described purposes. Personal data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic personal data, biometric personal data, data concerning your health, and data concerning your sex life or sexual orientation are never be processed as marketing and commercial personal data.
Where do we obtain your personal data from? The sources of marketing and commercial personal data are:
Legal basis for processing personal data and the right to object. The legal basis for processing your personal data are our legitimate interests in use of data for marketing and commercial purposes in the interest of maintaining and developing our clientele and business activities in general. You may object to processing of your personal data for marketing and commercial purposes. If you raise objections to the use of personal data for the purpose of commercial communications or other forms of direct marketing, we will automatically stop further processing for these purposes. If you raise objections to the use of your personal data for the purpose of personalisation, we will assess on the basis of the reasons of the objections (in view of your specific situation) whether there exist compelling legitimate grounds on our part for continuing with the processing that override your interests, rights and freedoms, and we will inform you of whether we will comply with the objections or that we cannot, and for what reasons. See the “Your Rights” section for the form in which objections may be raised.
How long do we process personal data for? We process (store) personal data for the purpose of contacting you with our offer or other commercial communications for as long as your interest in our offer can be reasonably assumed, unless you objected earlier to such processing. We process personal data for the personalisation purpose for 10 years from the date of the last commercial contact with you.
What are web beacons and how do we use them? We can also use web beacons, both on our website and in emailed messages. Web beacons are small graphical elements (data files, pixel tags) that are downloaded from our web server for the purpose of monitoring e-mail access, website traffic and user behaviour on them, and subsequent optimising of e-services for users (including ad personalisation).
No identification. We do not use personal data obtained from cookies and web beacons to identify you.
Who do we transmit personal data to? Your personal data are confidential for us. With the exceptions described in the following paragraphs, we do not transmit personal data to any third party, either directly or indirectly (by allowing access). We do not trade with personal data in any way.
24U Group. We may transmit personal data to the entities that are part of the group (holding) that 24U is part of. Recipients will process the personal data they receive solely in accordance with the rules that apply to 24U, and we are responsible for the proper processing of personal data by the recipients.
Partners. We may transmit personal data to entities that process personal data for us, or who provide services to us inherently requiring access to personal data. These are primarily entities that provide IT services (such as server hosting or web hosting), database services, accounting services, tax consultancy or legal services. Cooperation with these entities is always of a strictly operational nature. The recipients do not process personal data independently, but only according to our instructions. We are responsible for ensuring that misuse of any personal data accessed by the recipients does not occur, and that obligations of integrity and confidentiality of personal data and other obligations necessary to be established under the applicable legal regulations have been agreed with them.
Approved transmissions. We are also entitled to transmit personal data to third parties if you have agreed with the transmission, subject to the terms of your consent. You can withdraw your consent at any time; see the “Your Rights” section for the form in which the withdrawal may be made.
Legal obligations and matter-of-course transmissions. Your personal data may also be transmitted to third parties if it is necessary to comply with our legal obligations (in particular with regard to public bodies) or if the transmission is a matter of course, in particular if it is part of a contract you are a party to (e.g. the transmission of necessary personal data to carriers for the purpose of delivering the purchased goods, or to payment-system operators for the purpose of settlement of the purchase price).
Where do we store personal data? We store your personal data in the European Union and with partner processors in the USA (partners in the USA ensure personal-data protection at the level applicable in the European Union through participation in the EU – U.S. Privacy Shield pursuant to EU Commission Decision 2016/1250 of 12 July 2016 or standard data protection clauses adopted by the EU Commission and available at: www.24u.cz/gdpr). We do not transfer personal data to other countries.
Right to information. You have the right to obtain from us a confirmation of whether or not we process your personal data. If processing takes place, you have right to access the processed personal data and to be informed about processing details and the sources of personal data. If you have provided us with personal data on the basis of your consent or in connection with a contract, and if this concerns personal-data processing carried out by automated means, you have the right to receive it in a structured, commonly used and machine-readable format.
Right to rectification, erasure and restriction of data processing. You are entitled to have your inaccurate data rectified without undue delay; this also applies to the completion of incomplete personal data. You are furthermore entitled to request that we erase your personal data if we do not have sufficient legal ground for processing (e.g. if you have objected to the processing for direct marketing purposes). If you are requesting it, we only restrict processing of your personal data instead of erasing them, i.e. the personal data will only be stored and will not be otherwise processed without your consent.
Right to object. You have the right to object to processing of your personal data for the purposes of direct marketing, resulting in that the personal data will not be further processed for such a purpose. If you object to the processing of your personal data in other cases where we process personal data on the basis of our legitimate interests, we first assess (with respect to your particular situation) whether there exist compelling legitimate grounds on our part for continuing with the processing that override your interests, rights and freedoms, and we will inform you of whether we will comply with the objections or that we cannot, and for what reasons.
How you can exercise your rights and how we will process your request. You may exercise your rights in any form that intelligibly conveys the content of your request, notice or objections, in particular at: email@example.com If you ask us to take specific action, we will provide you with information on the action taken without delay and at latest within one month of receipt of your request; this period may be extended by up to two further months if necessary, and you must be informed of this on time.
How you can defend yourself. If you feel that your rights are affected in relation to how we process your personal data, you can contact the Czech Office for Personal Data Protection (www.uoou.cz). You also have the right to bring a civil action in court and seek legal protection.