Protection of personal data and their processing

Privacy Policy

1. Basic Provisions

1. The Data Controller of personal data referred to in Article 4 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as „GDPR”) is Palacio CZ s.r.o., identification No. 24124761 seated at Berounská 1, 273 51 Kyšice, Czech Republic. (hereinafter referred to as the: „Data Controller“).
2. The contact details of the Data Controller are

Address: Berounská 1, 273 51 Kyšice, Czech Republic

Email: info@palacio.cz

Telephone: +420 608 073 832

1. Personal data means all information about an identified or identifiable natural person; an identifiable natural person is a natural person that can be identified, directly or indirectly, in particular by reference to a particular identifier, such as name, identification number, location information, network identifier or one or more specific physical, physiological, genetic, psychological, economic, cultural or social identity of such a natural person.
2. The Data Controller has not appointed a Data Protection Officer.

1. Sources and Categories of Processed Personal Data

1. The Data Controller processes personal data you have provided to it or the personal data that the Data Controller has collected based on fulfilment of your order.
2. The Data Controller processes your identification and contact information and the data necessary to perform the contract.

III. Legal Basis and Purpose of Personal Data Processing

1. The legal basis for the processing of personal data is

• performance of the contract between you and the Data Controller pursuant to Article 6 (1) (b) GDPR,
• the legitimate interest of the Data Controller in providing direct marketing (in particular for sending commercial messages and newsletters) pursuant to Article 6 (1) (f) GDPR,
• Your consent to the processing for the purpose of providing direct marketing (in particular for sending commercial messages and newsletters) pursuant to Art. 6 (1)(a) GDPR in conjunction with Section 7 (2) of Act No. 480/2004 Coll., on Certain Information Society Services, in the absence of an order of goods or services.

1. The purpose of the processing of personal data is

• processing of your order and exercising the rights and obligations under the contractual relationship between you and the Data Controller; when placing an order, personal information is required for successful order processing (name and address, contact details), providing personal data is a necessary requirement for the entering into and performance of the contract; without providing personal data, it is not possible to conclude the contract nor to fulfil it by the Data Controller,
• sending business messages and carrying out other marketing activities.

1. There is no automated individual decision-making within the meaning of Article 22 of the GDPR by the Data Controller. You have given your explicit consent to such processing.

1. Data Retention Period

1. The Data Controller stores personal data

• for the period necessary to exercise the rights and obligations arising from the contractual relationship between you and the Data Controller and to assert the claims arising from these contractual relationships (for a period of 15 years after the termination of the contractual relationship).
• until consent to the processing of personal data for marketing purposes is withdrawn, at the latest for …. years, if the personal data is processed based on consent.

1. After the personal data retention period expires, the Data Controller shall delete the personal data.

1. Recipients of Personal Data (subcontractors of the Data Controller)

1. Recipients of personal data are persons

• involved in the delivery of goods / services / payments under the contract,
• providing e-shop administration services and other services related to e-shop operations,
• providing marketing services.

1. The Data Controller does not intend to transfer personal data to a third country (outside the EU) nor to an international organization.
2. Operators of services providing marketing and support services

• Google analytics – records cookies and web usage
• Google Adwords – records cookies and web usage
• Google Shopping – request of a review, email logs if you agree to it in the order process  
• Heureka – records purchase conversions and email for the “Verified by the Customer/ Ověřeno zákazníky” service
• Zboží.cz – records purchase conversions and email
• Sklik – records cookies, website usage, purchase conversion  

1. Your Rights

1. Under the conditions set out in GDPR, you have

• the right of access to your personal data under Article 15 of the GDPR,
• the right to rectification of personal data under Art. 16 of the GDPR, or limitations to processing under Art. 18 GDPR.
• the right to have personal data deleted pursuant to Art. 17 of the GDPR.
• the right to object to processing under Art. 21 of the GDPR a
• the right to data portability under Art. 20 of the GDPR.
• the right to withdraw the consent to processing in writing or electronically to the address or email of the Data Controller referred to in Article III of this policy. You can revoke consent at any time in your own customer account.

1. You also have the right to file a complaint with the Office for Personal Data Protection if you believe that your right to personal data protection has been violated.

VII. Conditions of Security of Personal Data

1. The Data Controller declares that it has taken all appropriate technical and organizational measures to safeguard personal data.
2. The Data Controller has adopted technical measures to secure paper and personal data storage, in particular by secure / encrypted web access, encryption of the customer passwords in the database, regular system updates, regular system backups.
3. The Data Controller declares that only duly authorized persons have access to personal data.

VIII. Final Provisions

1. By submitting an order form the online order form, you acknowledge that you are familiar with and accept the terms of privacy and you accept the terms in full.
2. You agree to this policy by checking your consent via the online form. By marking your consent, you acknowledge that you are familiar with and accept the privacy policy.
3. The Data Controller is authorized to change this policy. It will post a new version of the privacy policy on its website and at the same time, it shall send you a new version of this policy to your e-mail address which you provide to the Data Controller.

These terms become effective on November 20, 2019.