Principles of personal data processing according to GDPR
Simple summary – GDPR
We are prepared for personal data protection according to the EU directive. We must protect all data against misuse and guarantee its maximum security.
However, in order to provide some basic functions of the e-shop, we have to work with some data. For example, we improve customer comfort when shopping, sometimes we send news by e-mail, or, on the contrary, we do not unnecessarily show you ads for products that you have not shown interest in. See below for more details…
The aim of these Principles of Personal Data Processing according to GDPR for customers of Studio NextLevel sro, IČO: 06536981, with its registered office at Chudenická 1059, 102 00, Prague 10 (hereinafter referred to as the “Administrator”) and visitors to the website it operates, www.vytvorsipotisk.cz, is to provide information on what personal data the company, as the Administrator, processes when selling goods, providing services and during visits to its website.
These principles are effective from 25. 5. 2018 and are issued in accordance with the European Union Regulation no. 2016/679, on the protection of individuals with regard to the processing of personal data (“GDPR”), in order to fulfil the Administrator's information obligation.
1. Categories of personal data
The Administrator processes personal data provided directly by individual entities or personal data obtained on the basis of order fulfillment.
Personal data is any information relating to a natural person by which the Administrator is able to identify that natural person. The following personal data may be processed by the Administrator to ensure the sale of goods and the provision of services.
- Billing and identification data
Name and surname, company name, ID number, VAT number, invoicing address, bank details.
- Contact information
Phone number, e-mail, profiles on social networks.
- Data on orders, inquiries and quotations
Type and parameters of goods, specification of provided services, number of orders and their prices, customer segment, payment history.
- Operational data
Data on the behavior of users on the website using a record in cookies to ensure online shopping and technical functionality of the website, global statistical reports and non-personalized Internet advertising.
- Data processed on the basis of an information obligation
Contact details for the purpose of sending business messages (newsletters), records in cookies provided to third parties for the technical provision of personalized Internet advertising (remarketing).
2. Reasons and purposes of personal data processing
The Administrator has a legal reason for processing personal data in the performance of the contract between it and the customer.
The Administrator has a legal reason for processing personal data in the provision of direct marketing (especially for sending business messages – newsletters) to customers who have entered into a business relationship with the Administrator.
Where no goods or services have been ordered, the Administrator has a legal reason for processing personal data on the basis of consent granted for the provision of direct marketing (especially for sending business messages – newsletters).
The purpose of personal data processing is the conclusion of a contract (for the processing of orders, processing of inquiries and issuance of price offers) and the related rights and obligations of the Administrator. Without the provision of personal data, it is not possible for the Administrator to conclude and perform the contract.
The Administrator may process personal data both on the basis of the user’s consent and on the basis of the Administrator’s legitimate interest. In both cases, the Administrator undertakes to always inform the user clearly and intelligibly about the given fact.
The Administrator may process personal data on the basis of a legitimate interest in the following cases:
- Sending business messages (newsletters) to customers.
- Sending business messages (newsletters) to potential customers interested in purchasing goods or services – typically inquiries, price calculations and offers.
- Remarketing campaigns and better targeting of ads (Facebook, Seznam.cz, Google.cz).
- Analysis of website traffic and subsequent improvement of the website's usability.
- Sending requests for feedback on orders.
3. Retention period of personal data
The Administrator retains personal data for the time strictly necessary to exercise the rights and obligations arising from the contractual relationship between it and customers, for a period of 10 years from the termination of the contractual relationship.
- The Administrator stores personal data for the purposes of direct marketing for a maximum of 5 years.
- The Administrator keeps personal data for remarketing purposes for a maximum of 5 years.
- The Administrator stores personal data through cookies for a maximum of 1 year.
After the retention period expires, the Administrator will delete the data.
4. Recipients of personal data
The recipients of personal data are natural persons and legal entities (hereinafter referred to as “Processors”), which participate in:
- Operation of an online store
- Delivery of goods or services
- Execution of payments
- Providing marketing services
The scope of personal data provided is always limited to what is necessary to fulfill the obligations arising from the contract or to ensure the functionality of the website and user comfort.
The Administrator always has personal data processing agreements with the recipients of personal data.
- Google Analytics, Google Adwords – Google policy
- Sklik of the company Seznam.cz – Company rules Seznam.cz
- Facebook – Facebook policy
Other Personal Data Processors:
5. Security of personal data
The Administrator secures all personal data with standard technologies and procedures against theft or misuse. It regularly updates these measures and checks whether they meet current requirements for adequate protection.
The Administrator protects the personal data of website users (especially concerning user profiles) with a password. Sensitive data is encrypted when transmitted between the browser and the website.
Without a responsible approach on the part of users, the Administrator cannot fully ensure the security of personal data. Users are therefore obliged to keep their unique passwords and other access data secret, and at the same time they are obliged to observe basic security principles.
In some cases, the Administrator cannot encrypt communication between itself and the user, especially through e-mail, chat, blog, comments and other types of electronic communication. If users provide their personal data to the Administrator, they always act voluntarily.
6. Rights of data subjects
Data subjects have the following rights of access to personal data, which arise from Art. 15 GDPR:
- Right of access to personal data
Confirmation of whether the Administrator processes personal data, and information on the purposes of processing, categories of personal data, recipients of personal data and processing times.
- The right to correct personal data
According to Art. 16 GDPR, the data subject has the right to have inaccurate personal data processed about him by the Administrator corrected. Customers are also required to notify changes to their personal information and to demonstrate that such a change has occurred. At the same time, they have an obligation to provide co-operation in the event that the personal data provided is inaccurate or incomplete.
- The right to delete personal data
According to Art. 17 GDPR, the data subject has the right to have personal data deleted, unless the Administrator proves a legitimate interest in the processing of personal data.
- The right to the portability of personal data
According to Art. 20 GDPR, the data subject has the right to the portability of the data provided by the Administrator.
- The right to object to the processing
According to Art. 21 GDPR, the data subject has the right to object to the processing of personal data carried out on the basis of the Administrator's legitimate interest.
- The right to withdraw consent to the processing of personal data
Consent to the processing of personal data for business purposes can be revoked at any time. The revocation must be made in an explicit and comprehensible manner, either by telephone or in writing.
Consent to the sending of business messages (newsletters) linked to a specific electronic contact (e-mail) can be revoked at any time either directly in the footer of any newsletter, or within the settings of the customer profile on the website, or through telephone or e-mail communication.
- The right to contact the Office for Personal Data Protection
The data subject has the right to contact the Office for Personal Data Protection if he considers that his right to the protection of personal data has been infringed.