This privacy policy (hereinafter referred to as the “policy“) informs the data subjects whose data we process regarding all processing activities and the privacy policy principles of our organization.
1. Responsibility
Data processor:
CENTRUM BABYLON, a.s., IČ (Company ID): 25022962, with its registered office at Nitranská 415/1, Liberec III-Jeřáb, Liberec 460 07
Contacts for your rights claims: Phone: +420 485 249 111, E-mail: gdpr@centrumbabylon.cz
(hereinafter also referred to as “we“, “us“, “our“ or “ours“)
2. Basic definitions
GDPR:
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, effective from 25 May 2018.
Personal data:
Within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), personal data means any information about an identified or identifiable natural person (i.e. data subject = you).
Special category personal data:
Special category personal data means data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health or sex life or sexual orientation of a natural person.
Data subject = you:
A data subject refers to an identified or identifiable natural person, whereby an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Controller:
Within the meaning of Article 4(7) of the GDPR, a controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. We act as a controller in relation to your personal data.
Processor:
A processor within the meaning of Article 4(8) of the GDPR is a natural or legal person, public authority, agency or other body that processes personal data for the controller.
Supervisory authority:
The supervisory authority in the Czech Republic means the Office for Personal Data Protection ("OPPD").
Processing likely to result in high risk:
Processing likely to result in high risk means processing that is likely to pose a risk to the rights and freedoms of data subjects, such processing is not occasional, or involves the processing of special personal data or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
Automated individual decision-making, including profiling:
Automated individual decision-making, including profiling, generally means any form of decision based on automated processing of personal data, i.e. without human intervention, based, inter alia, on the evaluation of certain personal aspects relating to the data subject, in particular for the purpose of analysing or estimating, or analysing or predicting aspects relating to his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
3. Categories of subjects, personal data processed, purpose, legal bases and duration of processing
We process personal data for clearly defined purposes:
Data subject category | Purpose of personal data processing | Legal bases and personal data processed | Duration of processing |
---|---|---|---|
Our customers | Performance and execution of contracts between us and customers | The legal basis is performance of a contract. | For this purpose personal details can be processed for the duration of a contract and a warranty period. |
Making claims arising from contracts after contract termination | The legal basis is our legitimate interest based on the right to chase debts, claim damage and other claims as may arise throughout the duration of our contract. | For this purpose personal details can be processed for the period of four years following the termination of a contract; in the event of court proceedings, for the entire duration of such proceedings. | |
Meeting our obligations in accounting and taxation | The legal basis is compliance with legal requirements stipulated by laws such as the Accounting Act and the VAT Act. | For this purpose personal details can be processed for the period of ten years following the end of the taxation period during which a customer was provided with the subject matter of performance. | |
Communicating marketing messages in the form of special information and messages, marketing materials and offers of our products and services | The legal basis is our legitimate interest to provide and offer services or products to meet your needs based on our contractual relationship. | For this purpose personal details can be processed for the duration of a contract. | |
Website visitors | Statistics before the anonymization of details, displaying ads for our services and products | The legal basis is our legitimate interest with respect to a) improving our services and focusing on what truly interests you; b) offering such services and products to meet your needs based on your visits to our website. | For this purpose personal details can be processed for the period of six months. |
Sending replies to inquiries from website visitors | The legal basis is performance of a contract or your consent | For this purpose personal details can be processed until an inquiry coming through an inquiry form has been dealt with, but no longer than 30 days or for the duration of your consent with the processing. | |
News recipients | Regular communication of marketing messages by e-mail | The legal basis is your consent you provided when registering for news subscription. | For this purpose personal details can be processed until your consent is withdrawn. |
4. Duration of personal data processing
We only retain personal data for the period of time necessary for the purpose of processing - see the table above. After this period, personal data may only be retained for the purposes of the National Statistical Service, for scientific purposes and for archiving purposes.
5. Recipients of personal data and transfer of personal data outside the European Union
In justified cases, we may transfer your personal data to other entities (hereinafter referred to as "recipients").
Personal data may be transferred to the following recipients:
- Processors who process your personal data according to our instructions, in particular in the area of public relations, electronic data management and/or accounting;
- Public authorities and other entities as required by applicable laws;
- Other entities in the case of an unexpected event in which disclosure is necessary to protect life, health, property or other public interest or where it is necessary to protect our rights, property or safety.
6. Cookies
Following your first visit to our website, our server sends a small amount of data to your computer and stores it there. Your browser then sends this data back to the server each time you visit the site. This small file is called a "cookie" and is a short text file containing a specific string of characters with unique information about your browser. We use cookies to improve the quality of our services and to better understand how people use our site. To do this, we store user preferences in cookies and use them to track user trends and how people browse and behave on our site.
Most browsers are set up to accept cookies. However, you have the option to set your browser to block cookies or to notify you when cookies are sent. However, some services or features will not work properly without cookies.
Our website uses "first party" cookies – i.e., cookies used only by our website ("first party cookies"), and "third party" cookies (i.e. cookies originating from third party websites).We use first party cookies to store user preferences and data needed during your visit to the website (e.g. the contents of your shopping basket).We use third party cookies to track user trends and behaviour patterns and target advertising, with the help of third party web statistics providers. Third party cookies used to track trends and behaviour patterns are only used by our website and the web statistics provider; they are not shared with any other third party.
7. Personal data processing principles
Lawfulness
We process your personal data in accordance with applicable law, in particular the GDPR.
Data subject consent
We only process personal data in the manner and scope for which you have given your consent, if consent is the title for the processing.
Minimisation and restriction of personal data processing
We only process personal data to the extent necessary to achieve the purpose of processing and for no longer than necessary to achieve the purpose of processing.
Accuracy of processed personal data
We process personal data with an emphasis on its accuracy, using available measures and, using reasonable means, we process updated personal data.
Transparency
Through this Policy and the contact person, you have the opportunity to learn about the way we process your personal data, as well as its scope and content.
Purpose limitation
We only process personal data to the extent necessary to fulfil the stated purpose and in accordance with that purpose.
Security
We process personal data in a manner that ensures its appropriate security, including protection by appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
8. Automated individual decision-making and profiling
The processing of personal data does not involve automated individual decision-making, not even on the basis of profiling.
9. Your rights as data subjects
Right of access to personal data
You have the right to request from us access to personal data concerning you. In particular, you have the right to obtain confirmation from us as to whether or not the personal data concerning you are being processed by us, as well as to be provided with further information about the data processed and the manner of processing in accordance with the relevant provisions of the GDPR (purpose of processing, categories of personal data, recipients, intended storage period, existence of your right to request rectification, erasure, restriction of processing or right to object, source of personal data and right to lodge a complaint). If you request it, we will provide you with a copy of the personal data we process concerning you free of charge. In the event of a repeated request, we may charge a reasonable fee for providing such a copy which will reflect the administrative costs of processing.
To obtain access to your personal data, please use your user account or the contacts provided in this policy.
Right to withdraw consent to the processing of personal data where the processing is based on consent You have the right to withdraw your consent to the processing of personal data processed by us on the basis of that consent at any time.
You can withdraw your consent by using your user account or through the contacts listed in this policy.
Right to rectification, restriction or erasure If you discover that the personal data we hold about you is inaccurate, you may request that we correct the data without undue delay. You may also request that we complete the data we hold about you if this is reasonable in the particular circumstances of the case.
You may request the rectification, restriction of processing or erasure of data by using your user account or through the contacts listed in this policy.
Right to erasure of personal dataYou have the right to request that we erase the personal data we process about you without undue delay in the following cases:
- If you withdraw your consent to the processing of your personal data and there is no other legitimate reason on our part for processing it that overrides your right to erasure;
- If you object to the processing of personal data (see below);
- Your personal data is no longer necessary for the purposes for which we collected or otherwise processed it;
- The personal data has been unlawfully processed by us;
- The personal data was collected by us in connection with the offer of information society services to a person under the age of 18;
- The personal data must be erased to comply with a legal obligation under European Union law or Czech law to which we are subject.
You can request erasure in these cases by using your user account or through the contacts listed in this Policy.
The right to request the erasure of personal data is not granted in situations where the processing is necessary
- For the exercise of the right to freedom of expression and information;
- To comply with our legal obligations;
- For reasons of public interest in the context of public health;
- For archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, where the erasure of the data is likely to prevent or seriously jeopardise the achievement of the purposes of that processing;
- For the establishment, exercise or defence of legal claims.
You can find out whether there are grounds for not being able to exercise the right to erasure by contacting us through your user account or the contacts listed in this Policy.
Right to restriction of processing of personal data
You have the right to have us restrict the processing of your personal data where:
- You contest the accuracy of the personal data. In this case, the restriction applies for the time necessary for us to verify the accuracy of the personal data.
- The processing is unlawful and you refuse to erase the personal data and request instead that we restrict its use.
- We no longer need your personal data for the purposes for which we processed it, but you require it for the establishment, exercise or defence of legal claims;
- You object to the processing (see below). In this case, the restriction applies for a period of time until it is verified that the legitimate grounds on our side outweigh your legitimate grounds.
During the period of restriction of processing, we may only process your personal data (except for storage) with your consent or for the establishment, exercise or defence of our legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. As stated above, you can request a restriction of processing through your user account or the contacts listed in this Policy.
Right to object to processing
You have the right to object to the processing of your personal data in the following cases:
- Where personal data is processed on the grounds that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us or for the purposes of our legitimate interests and you object to the processing, we may not further process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of our legal claims.
- If personal data is processed for direct marketing purposes and you object to the processing, we will no longer process the personal data for these purposes.
- If your personal data is processed for scientific or historical research purposes or for statistical purposes, we will no longer process it unless the processing is necessary for the performance of a task carried out for reasons of public interest.
You can object to this by using your user account or through the contacts listed in this Policy.
Right to data portability
Where we process your personal data on the basis of your consent or because it is necessary for the performance of a contract between us, you have the right to obtain from us the personal data relating to you that you have provided to us, in a structured, commonly used and machine-readable format, where the personal data is so processed by us. You have the right to transfer this data to another data controller or to request that we provide this data directly to another data controller, if technically feasible.
You can obtain your personal data through your user account or the contacts listed in this Policy.
The right not to be subject to any decision based solely on automated processing, including profiling
We do not use personal data to make automated decisions.
The right to receive information about a breach of your personal data security
If a breach of our security is likely to result in a high risk to your rights and freedoms, we will notify you of the breach without undue delay. If appropriate technical or organisational measures have been applied to the processing of your personal data, for example, to ensure that it is incomprehensible to an unauthorised person, or if we have taken additional measures to ensure that the high risk does not occur, we do not have to provide you with information about the breach.
Right to lodge a complaint with the supervisory authority
If you believe that the processing of your personal data is in breach of the obligations set out in the GDPR, you have the right to lodge a complaint with the supervisory authority. The supervisory authority in the Czech Republic is the Office for Personal Data Protection.
This Privacy Policy is effective as of May 25, 2018.