Security and Privacy Guarantee
Declaration of the processing of personal data under
Regulation (EC) 2016/679 of the European Parliament and Council on the
protection of individuals with regard to the processing of personal data and
the guidance of data subjects (hereafter referred to as ‘GDPR’).
1. WEGSTR s.r.o. hereby informs
you, in accordance with Article 12 of the GDPR, of the processing of our
customer’s personal data and the rights of those data subjects.
2. Scope of processing of
personal data
Personal data is processed to the
extent that the relevant data subject has provided WEGSTR s.r.o., in connection
with the conclusion of a contractual relationship with WEGSTR s.r.o. WEGSTR
s.r.o. administers this personal data in accordance with the applicable legal
regulations and in the fulfillment of its legal obligations.
3. Types of personal data that are processed:
·
address and identification data of the data
subject (name, surname, title, permanent address, business license/VAT/tax
number) and data to maintain contact with the data subject (contact address,
telephone number, e-mail address);
·
descriptive data;
·
data provided in excess of the relevant laws
processed within the framework of the consent given by the data subject;
·
cookies - a cookie is a short text file sent by
a web page to a browser. It allows the site to record information of the
subject’s visit, such as preferred language and other settings. The explicit
consent of the data subject is required to use cookies.
4. Sources of personal data
·
WEGSTR s.r.o. may collect your data when you
provide them to its various collection sources: registration, contact form or
purchasing on the e-shop website, and by e-mail or phone.
5. Categories of data subjects:
·
WEGSTR s.r.o. customers;
·
carriers;
·
service providers.
6. Categories of recipients of personal data:
·
intermediary processors - the transport
companies poslisnadno.cz and DHL and the accounting system fakturoid.cz;
·
state authorities in the fulfillment of the
legal obligations established by the relevant legal regulations.
7. The purpose of processing personal data:
·
for purposes within the consent of the data
subject;
·
in the negotiation of a contractual relationship;
·
in the fulfillment of the contract;
·
to protect the rights of the processor, the
recipient or other persons concerned;
·
for archiving, in accordance with the law;
·
in the fulfillment of legal obligations by the processor.
8. Method of processing and protecting personal data
The processing of personal data is carried out by WEGSTR
s.r.o., the processing is carried out on its premises, or that of intermediary processors
(the transport companies poslisnadno.cz, DHL and the accounting system
fakturoid.cz). Processors guarantee to WEGSTR s.r.o. to comply with all
necessary security measures to protect personal data provided by WEGSTR s.r.o.
WEGSTR s.r.o. processes personal data primarily using
computer technology, subject to the necessary security principles. To this end,
it has taken appropriate measures to ensure the protection of personal data in
order to prevent unauthorized or accidental access to personal data,
alteration, destruction or loss, unauthorized transmission, unauthorized
processing or other misuse of personal data.
9. Duration of processing of
personal data
Data is processed with the
scope of time necessary to ensure the rights and obligations flowing from both
the fulfillment relationship and the relevant legal regulations, or the period
for which the data subject's processing has been granted.
10. Consent to processing
In accordance with Article 6
(paragraph 1) of the GDPR, WEGSTR s.r.o., as Administrator, may, without the
consent of the data subject, process the data:
·
as necessary for the performance of the contract
to which the data subject is subject or for the implementation of measures
taken before the conclusion of the contract at the request of that data subject;
·
as necessary to fulfill the legal obligations
that apply to the Administrator;
·
as necessary to protect the vital interests of
the data subject or other natural person;
·
as necessary for the performance of a task
performed in the public interest or in the exercise of public authority
entrusted to the Administrator;
·
as necessary for the purposes of the legitimate
interests of the relevant Administrator or third party, except in cases where
the interests or fundamental rights and freedoms of the data subject require
the protection of personal data, which prevails over such interests.
Except in the contexts stated above, the Administrator will
process data solely with the consent of the data subject.
This includes agreeing to the processing of an email address
to send business offers - information about new products and special offers to
the subject's e-mail address, and consent to the use of cookies.
By registering at the website of the vendor, the data
subject agrees to the processing of his or her contact details: telephone,
email, during the period of time while registered. Registration may be canceled
by sending an e-mail to the address of the vendor. Canceling one’s registration
will invalidate the Administrator's right to process the aforementioned data,
as there will no longer be the subject’s consent to do so.
11. The data subject's rights
a) In accordance with Article
12 of the GDPR, the Administrator shall, at the request of the data subject,
inform the data subject about the right of access to personal data and the
following information:
·
the purpose of the processing;
·
the type of personal data concerned;
·
the recipients or categories of recipients the personal
data have been or will be made available to;
·
the time the personal data is planned to be
stored;
·
all available information on the source of the personal
data;
·
if the data has not been provided directly by
the subject, the fact as to whether automated selecting, including profiling, has
been performed.
b) Any data subject who discovers or considers that the Administrator
or processor is processing his or her personal data contrary to the protection
of the privacy and personal life of the data subject or in contravention of the
law, in particular where personal data are inaccurate with regard to the purpose
of their processing, may:
·
request the Administrator provide an explanation;
·
request the Administrator to right the source of
the problem. In particular, this may involve blocking, correcting,
supplementing or deleting personal data or objecting to such processing;
·
request all available information about the
source of personal data if it has not been obtained from the data subject.
If the data subject's request is found to be justified, the
Administrator shall immediately correct the improper functioning.
If the data Administrator does not satisfy the data
subject's request as per paragraph 1, the data subject has the right to take it
up directly with the supervising authority, in this case the Personal Data
Protection Authority.
The above procedure does not preclude the data subject from
using his initiative to contact the supervising authority directly.
The Administrator is entitled to require reasonable
compensation for the provision of the information, not exceeding the costs
necessary to provide the information.
c) Extended right of access
to personal data:
The data subject has the
right to obtain from the Administrator a confirmation as to whether the
personal data concerning him / her are processed or not and, if so, has the
right to access such personal data.
The data subject also has the right to request from the Administrator a copy of
the processed personal data, provided that the rights and freedoms of others
are not adversely affected. For additional copies at the request of the data
subject, the Administrator may charge a reasonable fee based on administrative
costs. Where the data subject submits the application in electronic format, the
information requested shall be provided in an electronic format normally used, unless
the data subject requests otherwise.
d)
Right of rectification
The data subject has the
right to have the Administrator correct any inaccurate personal data relating
to him or her without undue delay. Taking into account the purposes of the
processing, the data subject has the right to supplement incomplete personal
data, including by providing an additional statement.
e) Right to deletion (right
to be forgotten)
The data subject has the
right to have the Administrator delete the personal data relating to the data
subject without undue delay and the Administrator has the obligation to delete
the personal data without undue delay if one of the following reasons is given:
·
the personal data are no longer required for the
purposes for which they were collected or otherwise processed;
·
the data subject withdraws the consent on the
basis of which the personal data were processed and there is no further legal
reason for their processing;
·
the data subject objects to the processing of
personal data for the purposes of direct marketing;
·
the personal data have been processed
unlawfully;
·
the personal data must be erased in order to
comply with a legal obligation set by the European Union or Czech Republic law;
·
the personal data were gathered by an
information technology company with the consent of an under-aged minor.
f) Right to limit processing
The data subject has the right to have the Administrator limit
the processing of his or her personal data, in any of the following cases:
·
for the time period necessary for the
Administrator to verify the accuracy of the personal data in cases where the
data subject denies the accuracy of the personal data;
·
the processing is unlawful and the data subject
refuses the deletion of personal data and instead requests restrictions of its
use;
·
the Administrator no longer needs the personal
data for processing but the data subject requests their processing to determine,
exercise or defend legal claims.
g) Right to the portability
of personal data
The data subject has the
right to obtain the personal data concerning him / her which he has provided to
the Administrator in a structured, commonly used and machine-readable format
and the right to pass this information to another administrator without the
Administrator preventing it if:
·
the processing is based on consent to the
processing of personal data or the processing of personal data for the purposes
of concluding and performing a contract with the data subject; and at the same
time;
·
the processing is carried out in an automated
manner.
In exercising his right to data portability, the data
subject has the right to have personal data transmitted by the Administrator
directly to another administrator if feasible. The right to the portability of
personal data must not adversely affect the rights and freedoms of others.
h) Right to object
When processing personal data for the purposes of direct
marketing, the data subject has the right at any time to object to the
processing of personal data relating to him / her for marketing, including
profiling (i.e. any form of automated processing of personal data associated
with their use to evaluate personal aspects of the data subject) as far as this
direct marketing is concerned. If the data subject opposes processing for
direct marketing purposes, personal data for that purpose will no longer be
processed.
i) The right not to be the
subject of automated decision making, including profiling
The data subject has the
right not to be the subject of any decision based solely on automated
processing, including profiling (i.e. any form of automated processing of
personal data to be used for the assessment of certain personal aspects
relating to the data subject)which has legal or similar effects. This right
shall not apply if the automated decision is necessary to conclude or perform a
contract between the data subject and the Administrator or is based on the
explicit consent of the data subject; in these cases, however, the data subject
has the right to human intervention to an automated decision by the
Administrator, the right to express his or her opinion and the right to
challenge an automated decision.
j) The right to file a complaint
with the competent authority
The data subject has the
right to lodge a complaint against the processing of his personal data by the
Administrator with the supervising authority, being the Personal Data
Protection Office, with registered office at Pplk. Sochora 27, 170 00 Praha 7.