Personal data processing policy
- Introductory Provisions
- The company Vitalvibe s.r.o., IČO: 293 07 031, with its registered office in Brno, Havlíčkova 133/19, zip code 602 00, which is registered in the commercial register kept at the Regional Court in Brno, section C, file no. 72990, contact person: Jan Petr, contact e-mail address: info@vitalvibe.cz (hereinafter also referred to as "company" or "administrator"), with regard to the necessity of fulfilling obligations in the field of personal data protection, arising in particular from Act No. 101/2000 Coll., on the protection of personal data and on the amendment of certain laws, as amended, and Regulation of the European Parliament and Council (EU) No. 2016/679 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (general regulation on the protection of personal data), establishes these principles for the processing of personal data.
- With this document, the company provides information on which personal data it processes and for what purpose, and what rights and obligations belong to the persons whose personal data the company processes. This document does not concern the processing of personal data of company employees.
- This document may be revised and updated as necessary.
- The company processes personal data manually and automatically and keeps records of all activities during which personal data is processed.
- Basic concepts
- The company is the controller of personal data, as it determines the purposes and means of personal data processing; it processes personal data itself or uses the services of other persons, i.e. processors, for this purpose.
- Personal data is all information about an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is a natural person who can be directly or indirectly identified, in particular by reference to a certain identifier, for example a name, identification number, location data, network identifier or to one or more special elements of physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
- Processing of personal data is any operation or set of operations with personal data or sets of personal data, which is carried out with or without the aid of automated procedures, such as collection, recording, arrangement, structuring, storage, adaptation or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, arrangement or combination, restriction, erasure or destruction.
- The processor of personal data can be any natural or legal person or other entity that processes personal data for the company as a personal data controller.
- Basic principles of processing
- When processing personal data, the company
- processes personal data in relation to data subjects correctly, legally and transparently,
- collects personal data only for specific, explicitly expressed and legitimate purposes and does not further process them in a way that is incompatible with these purposes,
- only processes personal data that are adequate, relevant and limited to the necessary scope in relation to the purpose for which they are processed,
- processes only such personal data that is accurate and, if necessary, updated; for this purpose, the company will take all reasonable measures so that personal data that are inaccurate, taking into account the purposes for which they are processed, are deleted or corrected without delay,
- stores personal data in a form that enables the identification of data subjects for no longer than is necessary for the purposes for which they are processed,
- processes personal data in a way that ensures proper security of personal data, including their protection by means of appropriate technical or organizational measures against unauthorized or illegal processing and against accidental loss, destruction or damage.
- The company is responsible for compliance with all of the above policies and must be able to demonstrate compliance with these policies.
- The company is authorized to process personal data only on the basis of one of the legal reasons for processing established by legal regulations. Only if no other legal reason for processing is given, the company must obtain the consent of the data subject.
- Personal data processed
- In connection with its activity, the company processes the personal data listed below.
- These are basic identification and address data.
- name and surname,
- birthdate,
- residence or contact address,
- contact phone number,
- contact electronic (email) address,
- login name and password for the eshop (online store) customer account.
- If the data subject acts through a representative, the company also processes the identification and address data of this representative.
- In the event that the customer is a legal entity or communicates with the company, the company processes the following personal data attributable to this legal entity, namely the name and surname of the person acting on behalf of the legal entity; the company also processes personal data regarding this person's contact telephone number and contact email address, function or job title.
- Further, the company processes
- the customer's customer number,
- data on purchased goods and/or services (date of order, date of delivery of goods, type, specification and quantity of goods or services, price),
- data from communication between the company and the customer (written or electronic communication, records of telephone calls, ...),
- customer account login data,
- payment morale data,
- camera records,
- information about sending news.
- The company continuously updates the processed personal data, especially if the company discovers the incorrectness of any of the processed personal data or the company receives information from the data subject about a change in any of the processed personal data.
- Sale of goods and provision of services
- In order to conclude and fulfill a contract for the sale of goods or the provision of a service, the company processes the identification and address data (see article 4.2.) of the customer and, where applicable, his representative. If the contract is concluded via e-mail or telephone, the company also processes data regarding the e-mail address and telephone number of the customer. If there is communication between the company and the customer related to the process of concluding the contract or its fulfillment, the company also processes the personal data contained in this communication. Also for this purpose, the company processes data related to the subject of the contract and the method of concluding the contract, i.e. in particular data related to the ordered goods or services, the date of the order and delivery of the goods and the price.
- If a contract is concluded through the e-shop (online store) of the company (www.vitalvibe.eu), which requires registration (creation of a customer account), the company processes data related to the login name, password and login date in order to verify the customer's identity.
- The legal reason for the processing of personal data according to this article is its necessity for the conclusion and fulfillment of the contract. Data subject consent is not required for this processing. The company obtains these personal data from customers, and others from the course of the business relationship. If the customer refused to disclose any of the said personal data to the company or did not agree to their processing for this purpose, the company would have to refuse to sell goods or provide services.
- According to this article, the company processes personal data for the time necessary to achieve the stated purpose. If the customer fulfills all his obligations to the company (including payment obligations) in connection with the purchase of goods or the provision of a service, the company will stop processing personal data for this purpose after the expiry of the warranty period, unless otherwise specified in these policies.
- If the customer provides personal data to the company, but the contract is not concluded, the company will stop processing personal data after the expiration of three (3) calendar months from the date of termination of negotiations on the conclusion of the contract.
- The processing of personal data related to the customer account will be terminated by the company after two (2) years have passed since the customer's last login. In this case, the legal reason for processing personal data is the necessity for the purposes of the legitimate interests of the company, which is to enable the customer to place an order without having to create a new customer account.
- Management of contentious or other proceedings
- In the event that the company, the customer or another person initiates a disputed or other procedure in which the company is a party, the company processes personal data regarding identification and contact, delivered goods or services provided, outstanding amount, as well as other data related to this procedure which the company has available.
- The legal reason for the processing of personal data according to this article is its necessity for the purposes of the company's legitimate interests, which are the protection of the company's property and/or good reputation. Data subject consent is not required for this processing. The company obtains this personal data from customers, from persons who initiated the relevant proceedings, from the authority or person with whom the proceedings are ongoing, from public registers or other publicly available sources.
- According to this article, the company processes personal data until the end of the proceedings, or until the termination of the related rights and obligations for whose fulfillment it is necessary to process these personal data.
- Compliance with legal obligations
- The company further processes personal data for the purpose of fulfilling obligations imposed by law. For the reasons required by the Accounting Act and other legal regulations, especially in the area of tax administration, the company keeps documents (in electronic or paper form) containing personal data, especially invoices and documents from which the legal reason for issuing invoices follows (i.e. especially orders and contracts), containing identification and address data of customers, data relating to goods sold and services provided, and invoiced prices.
- The legal reason for the processing of personal data according to this article is its necessity for the fulfillment of the company's legal obligations. Data subject consent is not required for this processing. The company obtains this personal data from customers or during the course of a business relationship.
- According to this article, the company processes personal data for the period specified by law.
- Processing of personal data by camera system
- The premises of the company, which are intended for contact with customers or suppliers, are monitored by a camera system. This recording also includes the storage of camera recordings of people, which are also personal data, for the purpose of improving the services provided, preventing damage, or for the purpose of enforcing legitimate claims or protecting the rights of the company.
- Notice of CCTV with a reference to this policy is placed in appropriate places so that persons whose personal data is processed by the Company in this way can familiarize themselves with all relevant information, including information about their rights.
- The legal reason for the processing of personal data according to this article is its necessity for the purposes of the legitimate interests of the company. Data subject consent is not required for this processing. The company obtains this personal data by recording with a camera system.
- Unless the following paragraph applies, the company processes personal data in accordance with this article for a period of fourteen (14) days, after which the recording on the camera system is replaced by a new recording.
- In the event of suspicion that an illegal act has occurred, the company is entitled to hand over the recording from the camera system to the Police of the Czech Republic, and in the event of detection of an illegal act, the company is also entitled to use this recording for the purpose of enforcing legitimate claims or protecting the company's rights. In this case, the company will terminate the processing of personal data after all the company's claims have expired or after it has been established that no claim has arisen for the company.
- Dissemination of commercial messages and use of cookies
- If the company obtains an e-mail address from the customer in accordance with Article 5 of these policies in connection with the sale of goods or the provision of services, the company is entitled to process the e-mail address and identification data for the purposes of sending the company's business communications regarding similar goods or services.
- A prerequisite for the possibility of disseminating business communications according to Article 9.1. is that the customer has a clear and distinct option in a simple way, free of charge or at the expense of the company, to refuse consent to such use of his email address even when sending each individual message, if he did not initially refuse this use.
- The legal reason for the processing of personal data according to Article 9.1. is its necessity for the purposes of the legitimate interests of the company, which is to carry out marketing. Data subject consent is not required for this processing. The company is entitled to process personal data until the customer informs the company that he no longer agrees to this processing.
- The company is authorized to distribute commercial communications without fulfilling the conditions according to Articles 9.1. and 9.2. only on the basis of obtaining consent. In this case, the legal basis for processing personal data for this purpose is consent, which can be revoked at any time. The company is entitled to process personal data for these purposes until the data subject withdraws his consent, but for a maximum period of five (5) years from the date of granting this consent. Failure to provide this consent or its withdrawal has no effect on the ability to purchase goods or provide services.
- If the company obtains consent from a customer or other user of the company's website to place cookies on his computer, the company is entitled, based on this consent, to place text files on that person's computer in order to send back information about the behavior of this user on the company's website. Before giving consent according to this article, the person giving consent must be informed that this consent can be revoked at any time. You can change the cookie settings here.
- The legal reason for the processing of personal data according to Article 9.5. is the consent of the data subject. Failure to provide this consent or its withdrawal has no effect on the ability to purchase goods or provide services. The company processes these personal data for the duration of consent.
You can find detailed information about the use of cookies on the Vitalvibe website on this page.
- Transfer of personal data to third parties
- The company transfers personal data to another entity (e.g. court or tax authority) if it is required to do so by a legal regulation or if it is necessary to fulfill an obligation imposed by a legal regulation or an enforceable decision of a competent authority.
- The company may use the professional and specialized services of other entities in fulfilling its obligations from concluded contracts or in the case of protecting its legitimate interests. If these suppliers process personal data transferred from the company, they have the status of personal data processors and process this personal data only within the framework of instructions from the company and may not use it otherwise. These are mainly the activities of an IT service provider, including data storage, creation and operation of an online store, accounting, marketing and delivery services. At the request of the data subject, the company will inform him whether and to which entity his personal data and other related information have been provided.
- The company carefully selects each such supplier and concludes a personal data processing agreement with each one, which sets out obligations for the protection and security of personal data, including the obligation to maintain confidentiality.
- The company is entitled to transfer personal data only to those persons who provide sufficient guarantees by introducing appropriate technical and organizational measures so that the processing meets all the requirements set by legal regulations and to ensure the protection of the rights of data subjects.
- For this handling of personal data, the company does not need the consent of the data subject, because otherwise the company would not be able to fulfill its obligations under the contract, or because this provision of data is necessary for the legitimate interests of the company.
- The company does not intend to transfer personal data to countries outside the European Union.
- Method of processing and access to personal data
- Personal data is processed through the company's information system, whose security against loss of personal data and against access by unauthorized persons is regularly verified. Access to the system is limited according to the set management roles. The security of transferring personal data in electronic form to third parties is ensured through access to the company's information system protected by a secure password. The information system is standard, its supplier provides the usual security guarantees, its functionality and security are regularly tested and maintained by an external supplier with whom the company has a contract for the processing of personal data.
- The company implements the following technical and organizational measures in particular when processing personal data:
- locking the administrator's premises where personal data is processed,
- locking personal data in printed form in lockable cabinets,
- processing of personal data only by responsible persons,
- training of responsible persons on how to handle personal data.
- Every action that involves any handling of personal data is recorded in the company's information system, including information about the person who performed the action.
- The company continuously updates the processed personal data, especially in connection with changes notified to it by customers or that the company finds out from customers, other persons or from other publicly available sources.
- If the company has already achieved the purpose of processing personal data and has no other reason for processing it, it will delete this personal data without the possibility of restoring it.
- Access to personal data in the company is granted only to persons for whom it is necessary to achieve the purpose for which the personal data is processed. For this purpose, a regular audit takes place in the company.
- Company employees who have access to personal data are properly trained on their protection and are required to observe confidentiality.
- Rights of the data subject
- The data subject has the following rights in relation to the protection of personal data:
- to access his personal data, which includes in particular the right to obtain confirmation from the company as to whether it is processing his personal data, information on the purposes of processing, categories of personal data, recipients to whom personal data have been or will be made available, the planned period of processing, the existence of the right to request from the controller the correction or deletion of personal data relating to the data subject or the restriction of their processing, or to raise an objection to this processing,
- to correct inaccurate personal data; however, the data subject is also obliged to notify changes to their personal data and to document that such a change has occurred. At the same time, he is obliged to provide cooperation if it is found that the personal data being processed about him is not accurate,
- to delete personal data concerning him, if the company does not demonstrate legitimate reasons for the processing of such personal data,
- to limit the processing of personal data until the resolution of the complaint, if he denies the accuracy of the personal data, the reasons for their processing or if he objects to their processing,
- to be notified of the correction, erasure or restriction of the processing of personal data, unless this proves to be impossible or requires disproportionate effort,
- to the portability of data in a structured, commonly used and machine-readable format, and the right to request the transfer of such data to another administrator,
- to object to the processing of his personal data due to the legitimate interest of the company (e.g. for sending commercial messages); in the event that the existence of a serious legitimate reason for the processing, which prevails over the interests or rights and freedoms of the data subject, is not proven, the company will terminate the processing based on the objection without unnecessary delay,
- to revoke consent to the processing of personal data at any time, if the company processes them based on his consent; however, this withdrawal of consent will not affect the lawfulness of the processing based on the consent granted before its withdrawal,
- to contact the Office for the Protection of Personal Data (www.uoou.cz) with an initiative or complaint.
- Effectiveness
- These policies are effective as of 5/25/2018