Declaration on the protection and processing of personal data
Information about the personal data controller
The company CHRISTO GROUP s.r.o. (hereinafter referred to as the “Controller”), which is registered in the Commercial Register at the Regional Court in Pilsen (date of registration: 30 July 2007), has adopted the following principles of processing and protection of personal data.
CHRISTO GROUP s.r.o. acts as a controller when processing personal data. As a controller, it defines the purpose and means for processing personal data.
Subjects whose data are processed by the company
– Persons who enter into a purchase contract with the controller in connection with the sale of goods offered by the controller (hereinafter referred to as the “customer”)
– Users of the website www.christo.cz (hereinafter referred to as “website” and “users”).
Both groups of entities are also referred to collectively as “providers”.
Categories of data processed
– The data of customers, potential customers and users who themselves provide the controller with electronic means of communication or enter their personal data into a form on the website. This includes, in particular, name, surname, home address or place of delivery, telephone number and e-mail address. If users register on the website only to receive commercial and marketing communications, the controller processes only their e-mail address.
– Data collected via cookies. If the provider of personal data has allowed his/her web browser to store cookies as part of the cookie settings and agrees to their use, the controller obtains data about his/her activity on the website and his/her preferences in order to improve its product and service offerings.
Purposes of the processing of personal data
• Performance of the contract between the controller and the buyer (order processing) – identification data, in particular name, surname, residential address, or place of delivery, contact details (telephone and e-mail). Without these data, the controller cannot process the order. The telephone number is not obligatory, and if the buyer provides it to the administrator, he does so in order to process the order.
• Handling the provider’s enquiry. In the event that the Provider discloses any personal data to the Administrator in the context of an enquiry, whether via a web form or other form of communication, the Administrator will only use this data for the purpose of processing the response to the enquiry. Furthermore, the controller will process the personal data in the context of the enquiry for the purpose of archiving the enquiry and any subsequent related communication with the provider in order to protect its rights.
• Offer of services or products and also promotion of the controller in the form of commercial communications – e-mail address, occasionally also telephone number. In this case, processing is only carried out on the basis of the consent given by the provider, which is entirely voluntary. Consent can be given when placing an order for goods, when setting up a customer account, or also later in the customer account settings. Consent is also granted by entering an e-mail address in the form used to register for commercial communications on the website. In this case, the administrator only sends its commercial communications by e-mail.
• Personalisation and improvement of the content and quality of the website, analysis of its traffic and targeting of advertising and promotion of the controller – data about the visit to the website when using cookies, about the products and services viewed and other activity on the website. In most cases, data processing is only possible after consent has been given. On the basis of the data collected, the controller may create statistics, analyses and summaries of the behaviour of visitors to the website. On the basis of this data, the controller can then better target advertising or adapt the content of the website to what visitors are really interested in.
Entities with access to personal data
Personal data is processed by the controller, its agents and employees. All persons who work for or with the controller and have access to personal data are under an obligation of confidentiality. This obligation shall continue after their cooperation with the controller has ended.
The controller also entrusts other entities, so-called processors, with the processing of personal data. Any entity that processes personal data for the controller in the manner and for the purpose defined by the controller is considered a processor. The processor may not extend these purposes in any way. If the processing requires the consent of the provider, then the controller shall only transfer the data to the processors after consent has been given. The controller shall only transfer to processors the data that are strictly necessary to provide their services. The processors used by the controller include:
– Shipping companies – order delivery
– Google LLC, Facebook Inc., YouTube LLC, Seznam.cz, a.s., YANDEX LLC – online marketing tools
– Accountants – bookkeeping and accounting control
– Programmer – information system administration and development
Withdrawal of consent, termination of sending commercial communications
• Commercial communications – it is possible to cancel the sending of commercial communications by the administrator at any time, either in the customer account settings or by using the appropriate link located at the end of each commercial communication. Cancellation can also be made by withdrawing consent in writing, sent either to the Administrator’s email address or to the Administrator’s registered office.
• Cookies – if the provider wishes to disable the storage of cookies on his device, he can adjust the settings directly in his internet browser. The way to do this varies depending on the type of browser. The detailed procedure is usually given in the browser’s help. If the administrator cannot store cookies, some parts of the website may not work properly.
Duration of processing of personal data
– The controller processes the personal data collected for the purpose of the performance of the contract for the entire duration of the purchase contract and for a period of five years after the termination of the purchase contract. This is for the purpose of asserting any claim related to the purchase contract. The controller subsequently retains certain data contained in accounting documents by law.
– The controller sends commercial communications to the customer, potential customer and users until their subscription is terminated or until the consent given is withdrawn. However, the longest period of time for which he sends commercial communications is 5 years from the last time consent was granted. Thereafter, the controller shall again invite the provider to confirm whether it is still interested in receiving commercial communications.
– The controller shall process the personal data collected in connection with the processing of an enquiry from a customer, potential customer or user for the time necessary to compile and send the response. In the case of archiving an enquiry for the protection of rights, the controller shall archive the enquiry for the time necessary for such protection (e.g. with regard to limitation periods, etc.).
– Other processing of personal data beyond these time limits is carried out by the controller only if it is strictly necessary for the purposes of its legitimate interests or for the fulfilment of its obligations under the law or contractual obligations.
Rights of the provider of personal data
– To request information about the personal data processed by the controller, the purpose and nature of the processing of personal data and about the possible recipients of personal data outside the controller.
– To request access to the data communicated by the provider to the controller during the order process, when creating a customer account or registering on the website. If this right is exercised, the controller will confirm whether and what specific personal data is being processed. Where applicable, these data will be made available to the provider together with information about their processing.
– Request rectification of personal data if it is in any way inaccurate or incomplete.
– Request an explanation and rectification (e.g. blocking, rectification, completion or destruction of personal data) if the provider believes that the controller is processing personal data in breach of the protection of his/her personal and private life or in breach of the law.
– Request the erasure of personal data (the so-called right to be forgotten) or their limited processing if they are no longer necessary for the purposes stated or if the controller no longer has a legitimate reason to process the personal data, including where the provider does not consent to further processing. If these conditions are met, the controller shall erase such data in whole or in part.
– Request the transfer of the automated personal data obtained on the basis of consent from the controller to another entity. In this case, the controller shall transmit the personal data in a commonly used format to the provider or to another controller as requested by the provider.
– If the provider considers that the controller has breached its obligations, it may lodge a complaint with the Data Protection Authority.
Security of personal data
The controller processes personal data in a secure manner. The handling of personal data is carried out in full compliance with applicable law, including the General Data Protection Regulation (GDPR). The controller looks at both technical and organisational security when processing personal data.
All personal data in electronic form are stored by the controller in databases and systems which can only be accessed by those who have an immediate need to handle the personal data to the extent necessary for the purposes set out in this policy.
With regard to the processing of personal data, or in the event of exercising their rights, providers may contact the controller by email at firstname.lastname@example.org, or by post at Divadelní 5a, Plzeň.
This policy comes into force on 25 May 2018.