Security and Privacy Guarantee
Declaration of the processing of personal data under Regulation (EC) 2016/679 of the European Parliament and Council on the protection of individuals with regard to the processing of personal data and the guidance of data subjects (hereafter referred to as ‘GDPR’).
1. WEGSTR s.r.o. hereby informs you, in accordance with Article 12 of the GDPR, of the processing of our customer’s personal data and the rights of those data subjects.
2. Scope of processing of personal data
Personal data is processed to the extent that the relevant data subject has provided WEGSTR s.r.o., in connection with the conclusion of a contractual relationship with WEGSTR s.r.o. WEGSTR s.r.o. administers this personal data in accordance with the applicable legal regulations and in the fulfillment of its legal obligations.
3. Types of personal data that are processed:
· address and identification data of the data subject (name, surname, title, permanent address, business license/VAT/tax number) and data to maintain contact with the data subject (contact address, telephone number, e-mail address);
· descriptive data;
· data provided in excess of the relevant laws processed within the framework of the consent given by the data subject;
4. Sources of personal data
· WEGSTR s.r.o. may collect your data when you provide them to its various collection sources: registration, contact form or purchasing on the e-shop website, and by e-mail or phone.
5. Categories of data subjects:
· WEGSTR s.r.o. customers;
· service providers.
6. Categories of recipients of personal data:
· intermediary processors - the transport companies poslisnadno.cz and DHL and the accounting system fakturoid.cz;
· state authorities in the fulfillment of the legal obligations established by the relevant legal regulations.
7. The purpose of processing personal data:
· for purposes within the consent of the data subject;
· in the negotiation of a contractual relationship;
· in the fulfillment of the contract;
· to protect the rights of the processor, the recipient or other persons concerned;
· for archiving, in accordance with the law;
· in the fulfillment of legal obligations by the processor.
8. Method of processing and protecting personal data
The processing of personal data is carried out by WEGSTR s.r.o., the processing is carried out on its premises, or that of intermediary processors (the transport companies poslisnadno.cz, DHL and the accounting system fakturoid.cz). Processors guarantee to WEGSTR s.r.o. to comply with all necessary security measures to protect personal data provided by WEGSTR s.r.o.
WEGSTR s.r.o. processes personal data primarily using computer technology, subject to the necessary security principles. To this end, it has taken appropriate measures to ensure the protection of personal data in order to prevent unauthorized or accidental access to personal data, alteration, destruction or loss, unauthorized transmission, unauthorized processing or other misuse of personal data.
9. Duration of processing of personal data
Data is processed with the scope of time necessary to ensure the rights and obligations flowing from both the fulfillment relationship and the relevant legal regulations, or the period for which the data subject's processing has been granted.
10. Consent to processing
In accordance with Article 6 (paragraph 1) of the GDPR, WEGSTR s.r.o., as Administrator, may, without the consent of the data subject, process the data:
· as necessary for the performance of the contract to which the data subject is subject or for the implementation of measures taken before the conclusion of the contract at the request of that data subject;
· as necessary to fulfill the legal obligations that apply to the Administrator;
· as necessary to protect the vital interests of the data subject or other natural person;
· as necessary for the performance of a task performed in the public interest or in the exercise of public authority entrusted to the Administrator;
· as necessary for the purposes of the legitimate interests of the relevant Administrator or third party, except in cases where the interests or fundamental rights and freedoms of the data subject require the protection of personal data, which prevails over such interests.
Except in the contexts stated above, the Administrator will process data solely with the consent of the data subject.
By registering at the website of the vendor, the data subject agrees to the processing of his or her contact details: telephone, email, during the period of time while registered. Registration may be canceled by sending an e-mail to the address of the vendor. Canceling one’s registration will invalidate the Administrator's right to process the aforementioned data, as there will no longer be the subject’s consent to do so.
11. The data subject's rights
a) In accordance with Article 12 of the GDPR, the Administrator shall, at the request of the data subject, inform the data subject about the right of access to personal data and the following information:
· the purpose of the processing;
· the type of personal data concerned;
· the recipients or categories of recipients the personal data have been or will be made available to;
· the time the personal data is planned to be stored;
· all available information on the source of the personal data;
· if the data has not been provided directly by the subject, the fact as to whether automated selecting, including profiling, has been performed.
b) Any data subject who discovers or considers that the Administrator or processor is processing his or her personal data contrary to the protection of the privacy and personal life of the data subject or in contravention of the law, in particular where personal data are inaccurate with regard to the purpose of their processing, may:
· request the Administrator provide an explanation;
· request the Administrator to right the source of the problem. In particular, this may involve blocking, correcting, supplementing or deleting personal data or objecting to such processing;
· request all available information about the source of personal data if it has not been obtained from the data subject.
If the data subject's request is found to be justified, the Administrator shall immediately correct the improper functioning.
If the data Administrator does not satisfy the data subject's request as per paragraph 1, the data subject has the right to take it up directly with the supervising authority, in this case the Personal Data Protection Authority.
The above procedure does not preclude the data subject from using his initiative to contact the supervising authority directly.
The Administrator is entitled to require reasonable compensation for the provision of the information, not exceeding the costs necessary to provide the information.
c) Extended right of access to personal data:
The data subject has the
right to obtain from the Administrator a confirmation as to whether the
personal data concerning him / her are processed or not and, if so, has the
right to access such personal data.
The data subject also has the right to request from the Administrator a copy of the processed personal data, provided that the rights and freedoms of others are not adversely affected. For additional copies at the request of the data subject, the Administrator may charge a reasonable fee based on administrative costs. Where the data subject submits the application in electronic format, the information requested shall be provided in an electronic format normally used, unless the data subject requests otherwise.
d) Right of rectification
The data subject has the right to have the Administrator correct any inaccurate personal data relating to him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to supplement incomplete personal data, including by providing an additional statement.
e) Right to deletion (right to be forgotten)
The data subject has the right to have the Administrator delete the personal data relating to the data subject without undue delay and the Administrator has the obligation to delete the personal data without undue delay if one of the following reasons is given:
· the personal data are no longer required for the purposes for which they were collected or otherwise processed;
· the data subject withdraws the consent on the basis of which the personal data were processed and there is no further legal reason for their processing;
· the data subject objects to the processing of personal data for the purposes of direct marketing;
· the personal data have been processed unlawfully;
· the personal data must be erased in order to comply with a legal obligation set by the European Union or Czech Republic law;
· the personal data were gathered by an information technology company with the consent of an under-aged minor.
f) Right to limit processing
The data subject has the right to have the Administrator limit the processing of his or her personal data, in any of the following cases:
· for the time period necessary for the Administrator to verify the accuracy of the personal data in cases where the data subject denies the accuracy of the personal data;
· the processing is unlawful and the data subject refuses the deletion of personal data and instead requests restrictions of its use;
· the Administrator no longer needs the personal data for processing but the data subject requests their processing to determine, exercise or defend legal claims.
g) Right to the portability of personal data
The data subject has the right to obtain the personal data concerning him / her which he has provided to the Administrator in a structured, commonly used and machine-readable format and the right to pass this information to another administrator without the Administrator preventing it if:
· the processing is based on consent to the processing of personal data or the processing of personal data for the purposes of concluding and performing a contract with the data subject; and at the same time;
· the processing is carried out in an automated manner.
In exercising his right to data portability, the data subject has the right to have personal data transmitted by the Administrator directly to another administrator if feasible. The right to the portability of personal data must not adversely affect the rights and freedoms of others.
h) Right to object
When processing personal data for the purposes of direct marketing, the data subject has the right at any time to object to the processing of personal data relating to him / her for marketing, including profiling (i.e. any form of automated processing of personal data associated with their use to evaluate personal aspects of the data subject) as far as this direct marketing is concerned. If the data subject opposes processing for direct marketing purposes, personal data for that purpose will no longer be processed.
i) The right not to be the subject of automated decision making, including profiling
The data subject has the right not to be the subject of any decision based solely on automated processing, including profiling (i.e. any form of automated processing of personal data to be used for the assessment of certain personal aspects relating to the data subject)which has legal or similar effects. This right shall not apply if the automated decision is necessary to conclude or perform a contract between the data subject and the Administrator or is based on the explicit consent of the data subject; in these cases, however, the data subject has the right to human intervention to an automated decision by the Administrator, the right to express his or her opinion and the right to challenge an automated decision.
j) The right to file a complaint with the competent authority
The data subject has the right to lodge a complaint against the processing of his personal data by the Administrator with the supervising authority, being the Personal Data Protection Office, with registered office at Pplk. Sochora 27, 170 00 Praha 7.