Personal Data Processing Principles1. Principles of personal data processing
The company SHANTI & Co. s.r.o., with registered office at Zábrdovická 801/11, Brno 615 00, Czech Republic, ID No.: 25549154, registered in the Commercial Register maintained by the Regional Court in Brno, Section C, Insert 32242, hereby establishes the rules to be followed in the processing of personal data in order to ensure the protection of personal data, the right to privacy of the subjects and to prevent the misuse of personal data.
The rules for processing personal data set out in this policy correspond to the obligations imposed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter referred to as "GDPR").
Through this policy, we also inform about the facts and rights that we are required to inform about in accordance with the GDPR, thereby ensuring sufficient transparency and openness in the processing of personal data.
This policy sets out the procedures and principles on the basis of which we process personal data and the rules on how we handle the data. If anything is unclear or you would like to enquire about anything relating to your personal data, please use the contact details below.
2. Collection of personal data 2.1 Reasons for collecting personal data
We collect and process personal data only when it is necessary for:
a. To perform a contract you have entered into or wish to enter into with us.
b. To provide the service you wish to use.
c. Fulfilling the requirements of the law.
d. Protecting your vital interests.
e. The purposes of our legitimate interests, unless your interests or your fundamental rights and freedoms requiring the protection of personal data take precedence in such case.
2.2 Sending for direct marketing purposes
One of our legitimate interests may be to process your personal data for direct marketing purposes - sending you commercial communications. This means that if you have already bought some goods from us or used a service provided by us, we may occasionally send you an offer of similar products that may be of interest to you. However, you can cancel the sending of these commercial communications at any time by using the link contained in the commercial communication sent or by using the contact email below and we will not send you anything after that.
In other cases, we may only collect and process your personal data with your explicit and free consent. You may withdraw your consent at any time by using the contact details provided in this policy. The specific conditions for the use of your personal data after consent is given are always set out in each individual consent.
2.4 Collection of personal data
We do not obtain your personal data from publicly available sources, but always only from you or from third parties who cooperate with us and have obtained personal data from you in accordance with the law and can pass it on to us. In any event, we will always follow this policy and the law when using your personal data, however we obtain it.
We may either explicitly request your personal data from you directly or we may obtain it if you register for our services, enter into a contract with us or use a service. Alternatively, you may provide us with your personal information by, for example, completing forms on the Website or by communicating with us by telephone, email, online discussion or otherwise. We also collect some of your personal data automatically with your consent, for example by using cookies when you visit our website.
We will always inform you of the specific reason for processing your personal data in each individual case. This information is either stated directly in the contract you enter into, in the terms of service or in this policy. Alternatively, you can ask us about the reasons for processing your personal data at any time using the contact details below.
3. Use of your personal data
We use your personal data primarily to provide you with our services, to enable us to enter into the contract you have requested, to fulfil the contract we have entered into, to comply with legal requirements, to notify you of changes to our services, to improve our services or to provide you with a better customer experience. We may also use this information, with your consent, to inform you about other services and products that we or selected third parties offer that may be of interest to you or that you may use. We will always inform you of any other uses of your personal data.
4. Transfer of your personal data to other parties
4.1. We will not disclose your personal data to anyone except as described in this policy.
Your personal data will be accessed by employees of our company who are authorised to handle such personal data. All employees who will have access to your personal data are bound in writing to confidentiality, so your personal data must not be shared anywhere. These employees have also been responsibly selected, have been made aware of the internal data protection rules and have also been properly trained so that they know how to handle your personal data and under what conditions your personal data may be processed. This is to ensure that your personal data is protected in the best possible way.
We will then transfer your personal data to certain third parties where necessary. These parties are called processors. Our company is responsible for ensuring that these processors provide appropriate safeguards for the processing of your personal data. We choose all processors responsibly. At the same time, the processors will be contractually obliged to fulfil obligations to protect your personal data, which will contractually ensure that your personal data is adequately protected and minimise the risk of misuse.
4.2 Third parties to whom personal data will be transferred
Here are the categories of persons to whom we may transfer your personal data and who may have access to your personal data:
|Categories of beneficiaries||Purpose of the transfer of personal data|
Use of Legal Advice
Use of Accounting Services
Use of Tax Consultancy
Use of Marketing Consultancy and Service
IT Service Providers
IT Administration and User Application Management
Managing Our Website
Probiders of Online Tools
|Use these tools to improve the quality of our service and your customer experience|
Service Providers for Sending Communications
Ensuring the distribution of commercial and other communications
|Shipping of ordered goods|
|Provision of sub-delivery for the service you have ordered|
If you give us your consent to do so, we may also pass some information to selected third parties to inform you of services and products that we or selected third parties offer that may be of interest to you.
We may also share your personal information with other third parties in order to prevent crime and reduce risk, where required by law and where we deem it appropriate, in response to legal process or to protect the rights or property of our company, our partners or you.
4.3 Transfers outside the EU
Your personal data is not transferred to countries outside the European Union or to international organisations, except when transferred there for the purpose of better data backup and protection and situations expressly set out in this policy.
5. Automated individual decision-making and profiling
When processing your personal data, our company does not carry out any automated individual decision-making or profiling that would have any legal effect on you or otherwise significantly affect you. Should this change, we will inform you immediately.
6. Duration of processing of personal data
We only process your personal data for as long as is strictly necessary. If we no longer need your personal data for the purposes of processing, we will delete it without delay.
If we process your personal data on the basis of your consent, the processing period is specified in this consent.
If we process your personal data as a result of statutory provisions, we process it for the period of time required by law. If the law requires the archiving of certain data, we will archive your personal data for the required period in accordance with the law.
Where we process your personal data as a result of the conclusion of a contract or the provision of a service, we will process your personal data for the duration of the performance of that contract or the provision of the service and for 10 years after the contract or the provision of the service has been terminated. However, during this period we will only process your personal data for the purpose of defending any legal claims or legal proceedings. The 10-year period then corresponds to the maximum limitation period for which claims can be successfully brought before a court. In the event that legal or other proceedings are initiated that require your personal data, we will continue to process your personal data throughout the duration of these proceedings, including any enforcement and other follow-up proceedings.
7. Your rights
7.1. You can contact us at any time to confirm whether we are processing your personal data by using the contact details below. If we are processing your personal data, you have the right to access this information:
a. For what purposes we process your personal data and what categories of personal data we process.
b. Who are the recipients and processors of your personal data.
c. For how long your personal data will be stored and, if this period cannot be determined, the criteria used to determine this period.
d. For which personal data you can request erasure or restriction of processing and object to such processing.
e. Your right to lodge a complaint with a supervisory authority.
f. About the sources of the personal data if it was not obtained from you.
g. Whether there is automated individual decision-making or profiling.
If you ask us to do so we will provide you with copies of your personal data that we process. If you request further copies, we may charge a fee for providing them at the cost incurred. If you request in electronic form, copies will be provided to you in electronic form unless you request otherwise. However, we have the right to require you to verify your identity to ensure that this information relating to your personal data does not come into the possession of an unauthorised person.
We will endeavour to supply you with this information as soon as possible, depending on the extent of the information you have requested. However, no later than 30 days.
7.2 Right to rectification
If you discover that we have inaccurately, incorrectly or incompletely provided any of your personal data, you have the right to have us correct or complete your personal data without undue delay after you have notified us.
7.3 Right to be forgotten - right to erasure
You have the right to have us delete your personal data without undue delay if:
a. Your personal data is no longer needed for the purposes for which it was collected.
b. You withdraw your consent.
c. You object to the processing.
d. We have processed your personal data unlawfully.
e. The erasure will fulfil a legal obligation under the law.
f. The personal data was collected in connection with the offer of information society services.
However, we will not delete your personal data even for the above reasons if one of the grounds under Article 17(3) GDPR is present.
If it is then technically possible and feasible and your personal data has been disclosed or third-party personal data has been transmitted, we will also arrange for the deletion of this personal data.
7.4 Right to restriction of processing
You have the right to have us restrict the processing of your personal data if:
a. You tell us that your personal data is inaccurate, while we verify the accuracy of the personal data.
b. We process your personal data unlawfully but you ask us to restrict its use instead of erasing it.
c. We no longer need your personal data but you request it to establish, exercise or defend legal claims.
d. You have objected to the processing while it is being examined to see if it is justified.
During the period of restriction of processing, your personal data may only be stored and otherwise processed only with your consent, for the establishment, exercise or defence of legal claims or for reasons of public interest.
7.5 Right to object
You have the right to object to the processing of your personal data if we process it for direct marketing purposes. You must send your objection to us in writing or by email as set out below. If you object to processing for direct marketing purposes, we will no longer process your personal data to that extent unless we can demonstrate compelling legitimate grounds for processing which override your interests or rights and freedoms or for the establishment, exercise or defence of legal claims.
7.6 Right to data portability
If you ask us to do so, we will transfer your personal data to you in a structured, commonly used format so that you can provide it to another controller. In doing so, where technically feasible, you may want us to transfer your personal data directly to the controller you identify to us.
7.7 Right to lodge a complaint
You may at any time lodge a complaint regarding the processing of your personal data or our failure to comply with our obligations under the GDPR with a supervisory authority. The supervisory authority in the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7, www.uoou.cz.
8. Measures in place
Our company has put in place personnel, organisational and technical measures to eliminate the various risks to your rights and freedoms and to the protection of your personal data. To this end, we have trained all our employees who come into contact with personal data. Furthermore, all personal data in physical form is secured against unauthorised access. For personal data stored in electronic form, we adhere to security standards and it is also secured against unauthorized access. At the same time, we have carried out a risk analysis to prevent risks and have implemented appropriate measures to reduce the risks as much as possible.
9. Data Protection Coordinator
Our company is not obliged to appoint a data protection officer within the meaning of the GDPR and has not appointed one. However, it has appointed a data protection coordinator who is responsible for
personal data protection. You can contact the Data Protection Coordinator on any matter relating to your personal data and to exercise your rights. The Data Protection Coordinator is Radek Sádlík, e-mail: firstname.lastname@example.org.
10. Contact details
In case of any requests, requirements, comments or uncertainties, you can contact us by e-mail at email@example.com or in writing at our registered office.
This policy was adopted on 24 May 2018. This policy is subject to change at any time. We will notify you of any changes to this policy on our website.