Data protection and privacy notice
I.
General Provisions
1. The data controller within the meaning of Art. 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") is SaYu s.r.o., ID No. 08320497, with its registered office at Červená Skála 338, Husinec 250 68 (the "Controller").
2. The contact details of the Controller are as follows:
Address: Červená Skála 338, Husinec 250 68
E-mail: kontakt@sayu.cz
Telephone: +420 773 739 774
3. "Personal data" is understood to mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. The Controller has not appointed any data protection officer.
II.
Source and Category of Processed Personal Data
1. The Controller processes the personal data that you made available to it and the personal data that it obtained in connection with the fulfillment of your order of goods.
2. The Controller processes your identification and contact data to the extent that this is needed for its performance under the contract.
III.
Statutory Grounds and Purpose for Processing of Personal Data
1. The statutory grounds on which your personal data is being processed comprise:
- Performance of the contract between you and the Controller within the meaning of Art. 6 (1) (b) GDPR;
- The Controller’s legitimate interest in direct marketing (i.e. in particular, the distribution of commercial messages and newsletters) within the meaning of Art. 6 (1) (f) GDPR; and
- Your consent with data processing for the purpose of direct marketing (i.e. in particular, the distribution of commercial messages and newsletters) within the meaning of Art. 6 (1) (a) GDPR in conjunction with Sec. 7 (2) of Act No. 480/2004 Coll., on certain information society services, in case no goods or services were ordered.
2. The purpose for the processing of your personal data comprises:
- Processing your order, and exercising the rights and fulfilling the obligations arising from the contractual relationship between you and the Controller, whereas upon placing an order you will be asked to provide the personal data needed for the successful processing of such order (name and address, contact details), and providing this personal data is a necessary requirement for the contract to come into existence and for the parties to perform under the same, as it is objectively impossible for the parties to conclude the contract (and for the Controller to perform thereunder) without the personal data; and
- The distribution of commercial messages; other marketing activities.
3. The Controller does not engage in 'automated individual decision-making' as defined in Art. 22 GDPR. You have given your explicit consent to such data processing.
IV.
Personal Data Storage Period
1. The Controller shall store the personal data:
- For as long as is necessary for the exercise of rights and fulfillment of obligations arising from the contractual relationship between you and the Controller and for bringing claims on the basis of these relationships (i.e. for a period of 15 years from the moment at which the contractual relationship ended); and
- Unless and until the consent with processing for marketing purposes is withdrawn, and in any case for no longer than 15 years (if the personal data is being processed on the basis of such consent).
2. Upon the lapse of the storage period, the Controller will erase the personal data.
V.
Recipients of Personal Data (Subcontractors of the Controller)
1. The circle of recipients of your personal data comprises:
- Persons involved in the delivery of goods and services and the processing of payments performed on the basis of the contract;
- Entities concerned with the operation of the e-shop (i.e. Shopify.com) and with the provision of other, related services; and
- Providers of marketing services.
VI.
Your Rights
1. Subject to the terms set out in the GDPR, you have:
- The right to access your personal data pursuant to Art. 15 GDPR;
- The right to rectification of inaccurate personal data pursuant to Art. 16 GDPR or, as the case may be, to a restriction of processing pursuant to Art. 18 GDPR;
- The right to erasure of personal data ('right to be forgotten') pursuant to Art. 17 GDPR;
- The right to object against the processing pursuant to Art. 21 GDPR;
- The right to data portability pursuant to Art. 20 GDPR; and
- The right to withdraw your consent with the data processing, in writing or by electronic means to the address or e-mail address of the Controller given in Art. III of this Privacy Notice.
2. You may also raise a complaint with the Data Protection Authority (Úřad pro ochranu osobních údajů) if you believe that your right to the protection of your personal data has been infringed.
VII.
Terms on Which Personal Data Is Kept Secure
1. The Controller represents that it has taken all adequate technical and organizational measures to ensure the security of the personal data.
2. The Controller has taken technical measures to secure (electronic) data storage facilities, as well as the physical premises on which private data is being kept in paper form.
3. The Controller represents that only properly authorized persons have access to the personal data.
VIII.
Final Provisions
1. By submitting an order using our online order form, you confirm that you have been familiarized with the terms of protection of your personal data, and that you accept them without reservation.
2. The Controller has the right to amend this Privacy Notice from time to time. It will publish the new version on its website and also send the new version to the e-mail address that you provided to the Controller.
This Privacy Notice has come into force and effect as at October 20, 2019.
