SECURITY POLICY
Cookies
A cookie is a short text that a visited website sends to the browser. It enables the website to remember
information about your visit, such as the preferred display of products, product
filters and other settings when shopping. Thus, your next visit to the website
may be easier and more productive. Cookies are important. Web browsing would be
much more difficult without them.
We use cookies for many purposes. For example, we use them to save
your codes when shopping, to show the history of browsed products, to monitor
the number of visitors on the site, to automatically log you into your account at
your next visit and to protect your personal data.
Rules for personal data protection
I.
Fundamental provisions
1. The company KARLSBADEN s.r.o., with its registered office at Blahoslavova 18/5, Drahovice, 360 01, Karlovy Vary, Company Reg. No. 02844770, registered in the Commercial
Register of the Regional Court in Plzeň, Section C, Insert 29630 (hereinafter
only the “Controller”), is the controller of personal data under
Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on
the protection of natural persons with regard to the processing of personal
data and on the free movement of such data (hereinafter only the “GDPR”).
2. The Controller's contact data are:
Address: Blahoslavova 18/5, 36009, Karlovy Vary
E-mail: [email protected]
Telephone: +420774466397
3. Personal data are considered to be all information
about an identified or identifiable natural person; an identifiable natural
person is a natural person who may be directly or indirectly identified by
reference, in particular, to a certain identifier, e.g. a name, an
identification number, location data, an online identifier, or to one or more
special elements of the physical, physiological, genetic, psychological, economic, cultural
or social identity of this natural person.
4. The Controller has not appointed a data protection officer.
II.
Sources and categories of processed personal data
1. The Controller processes personal data that you
provided to him or personal data that the Controller obtained by fulfilling
your order.
2. The Controller processes your identification and
contact data and data necessary to perform the contract.
III.
Legal reason and purpose for the processing of personal data
1. The legal reason for the processing of personal data is
· the performance of the contract between you and the Controller under Article 6 (1) (b) of the GDPR,
· the legitimate interest of the Controller to provide direct marketing (in particular sending commercial messages and newsletters) under Article 6 (1) (f) of the GDPR,
· your consent to process personal data for the purpose of providing direct marketing (in particular sending commercial messages and newsletters) under Article 6 (1) (f) of the GDPR in connection with Section 7 (2) of Act No. 480/2004 Coll., on Certain Information Society Services, in case that goods or services were not ordered.
2. The purpose of personal data processing is
· to execute your order and to exercise rights and obligations resulting from the contractual relationship between you and the Controller; when you make an order, your personal data (name and address, contact) are necessary to successfully execute it; providing your personal data is a necessary prerequisite to conclude and perform the contract; it is not possible for the Controller to conclude a contract or perform it without the personal data being provided,
· to send commercial messages and carry out other marketing activities.
3. The Controller does not carry out automated individual decision-making within the meaning
of Article 22 of the GDPR.
IV.
The period for data retention
1. The Controller retains personal data
· for the period necessary to exercise rights and obligations resulting from the contractual relationship between you and the Controller and to assert claims under these contractual relationships (for a period of 15 years after the contractual relationship is terminated),
· until the consent to process personal data for the purposes of marketing is withdrawn, but for no longer than 10 years, if personal data are processed with consent.
2. The Controller will erase personal data after the expiration
of the period for personal data retention.
V.
Recipients of personal data (Subcontractors of the Controller)
1. Recipients of personal data are persons
· involved in delivering goods / services / making payments based on the contract,
· ensuring services to run the e-shop and additional services in connection with the operation of the e-shop,
· ensuring marketing services.
2. The Controller has no intention to transmit personal data to a third country (to a country
outside the EU) or to an international organization. Recipients of personal
data in third countries are providers of mailing services / cloud services.
VI.
Your rights
1. Under the conditions set out by the GDPR you have
· the right to access your personal data under Art. 15 of the GDPR,
· the right to rectification of your personal data under Art. 16 of the GDPR or restriction of processing under Art. 18 of the GDPR,
· the right to erasure of personal data under Art. 17 of the GDPR,
· the right to object to processing under Art. 21 of the GDPR,
· the right to data portability under Art. 20 of the GDPR,
· the right to withdraw consent to processing either in writing or electronically at the address or e-mail of the Controller stated in Art. III hereof.
2. Furthermore, you have the right to file a complaint with
the Office for Personal Data Protection if you think your right to
personal data protection has been violated.
VII.
Conditions to secure personal data
1. The Controller declares that he has adopted all
appropriate technical and organizational measures to secure personal data.
The Controller has adopted technical measures to secure data storage as
well as storage sites for personal data in documentary form. The technical measures
consist in the use of technologies preventing unauthorized access of third
persons to Users' data. In order to ensure the highest protection, we
encrypt the data of Users as well as of end users, in particular passwords for
log-in to our system, communication in our system and all data stored on
servers. As for organizational measures, there is a set of rules of conduct for
our employees, and these rules are integrated into our internal regulations,
which are, however, considered to be strictly confidential.
All data are stored on servers located only in the European Union or in
countries ensuring personal data protection in a manner equal to the protection
provided by legal regulations of the European Union.
2. The Controller declares that only persons authorized
by him have access to personal data.
VIII.
Final provisions
1. By sending an order through the online order form you
confirm that you have full knowledge of the rules for personal data
protection and that you accept them in full.
2. You agree with the rules by marking your consent
through the online form. By marking the consent you confirm that you have full
knowledge of the rules for personal data protection and that you accept them in
full.
3. The Controller is authorized to change these rules. He
will post a new version of the rules for personal data protection on his website
or he will send you a new version of these rules to the e-mail address that you
provided to the Controller.
These rules come into effect on 25th May 2018.