I. Introductory provisions
2. Herbamedicus s.r.o. processes all personal data provided in accordance with legal regulations, in particular with Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, as amended and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation on the protection of personal data).
3. This Policy supplements the general terms and conditions for the purchase of goods at the online store www.swissmedicus.ch (hereinafter referred to as "GTC") to the extent below. The terms defined in the GTC are similarly used for these Principles.
4. These Principles are in the Czech language and are valid from 25 May 2018.
II. Administrator and Personal Data Entity
1. The personal data manager is the operator of the e-shop, ie Herbamedicus s.r.o.
- The personal data manager is the operator of the e-shop, ie Herbamedicus s.r.o.
- IČ: 27788601, DIČ: CZ27788601
- Company registered in the Commercial Register maintained by the Regional Court in Ostrava, Section C, Insert 31096
- email: firstname.lastname@example.org
- telephone contact: +420 777 84 80 84
2. The subject of personal data is a customer - a customer for the purposes of this Policy is a natural person who is the user of an e-shop and whose personal data are processed by the trustee. A buyer who is a natural person is always considered to be a customer.
3. The obligation to appoint a Data Protection Officer is not given and the Personal Data Protection Officer has not been appointed.
III. The categories of personal information the administrator handles
1. The categories of personal information the administrator handles
2. In connection with the operation of the e-shop, the administrator may proceed to the processing of the following categories of personal data that are provided to the customer in connection with the conclusion of the purchase contract, when granting the customer's consent to the processing of personal data for the purposes defined in Article IV. Principle:
- 2.1. Customer identification data - these are the personal data through which the customer can identify unambiguously and uniquely, ie the customer's name and surname and, in the case of the customer who is an entrepreneur, also details of the customer's business, his identification number, or also a tax identification number;
- 2.2. customer contact details - these are the personal data that can be contacted by the customer, ie the billing address (in the case of a customer who is an entrepreneur, his registered office), telephone number and e-mail address or delivery address if a customer requires delivery of goods to a non-billing address;
- 2.3. Customer purchase history data - these are the personal data through which the customer's transaction history, ie transaction data, including bank customer contact, can be traced if the customer has given it for any reason in connection with the purchase of the goods , the numbers of orders made and the goods purchased, the invoices issued;
- 2.4. Additional data provided voluntarily by the customer - for example, comments on orders made or other communications with the customer.
3. The Customer is required to provide all personal data in accurate and up-to-date form when providing personal data to the Administrator, and undertakes to update any changes to them; personal data provided by the customer are considered by the trustee to be complete and correct. The Administrator is entitled to prompt the customer to update the personal data he is processing, within the deadlines corresponding to the potential risk of damage from the out-of-date personal data; the administrator is not responsible for the unavailability of personal data due to customer inactivity.
IV. The purposes of the processing and the legal basis of processing, including the processing of personal data
1. Personal data is processed for the purposes listed below, and the extent of the personal data processed depends on the particular purpose of the processing. For some processing purposes, it is possible to process personal data directly on the basis of a legal legal basis where customer consent is not required for such processing of personal data, and the second group is processed only with the consent of the customer.
2. The following legal basis is given for the processing of personal data that does not require the customer's consent:
- processing to fulfill the contract to which the customer is a party - especially for the purpose of realizing a purchase contract, including the execution of the order, fulfillment of a contract involving the related communication with the customer, handover of goods for the transport of goods and final sale of the ordered goods and delivery to the customer, purchase price - for the duration of the contractual relationship or the time necessary to fulfill the purchase contract;
- processing for the fulfillment of the legal obligations that are imposed on the administrator - especially for the purpose of fulfilling the administrator's accounting and ad-hoc obligations - for the necessary period of time according to the statutory deadlines stipulated by the legal regulations (eg the invoices issued by the administrator are in accordance with the provisions of § 35 of Act No. 235/2004 Coll., On Value Added Tax, as amended, shall be archived for 10 years after the end of the tax period in which the performance was effected, and for a reason to prove the legal reason for issuing the invoices, for 10 years from the date of termination of the contract also archived purchase contracts or customer orders);
- processing for the purpose of protecting the legitimate interests of the trustee - processing of personal data to protect the rights and rights of the trustee's interests, which can be performed without the consent of the customer, but in fulfilling the existence of an appropriate interest of the trustee in processing the data for the recording of debts the application of the claims of the administrator from the concluded purchase contracts (judicial or exequatic recovery of customer receivables and other customer disputes, claiming claims, etc.), customer claims (complaints, withdrawal from the contract, etc.) and future inquiries and complaints of customers, including the provision of evidence in the case of future litigation to which the Administrator is a participant.The processing of personal data is limited to the time necessary to achieve the intended purpose but no longer than 10 years from the commencement of the statutory limitation period in each case.
3. The extent of the personal data processed for the processing of personal data referred to in the preceding paragraph for which the legal basis of the processing is given without the need to grant the customer's consent shall always be limited to the personal data necessary to fulfill the specific purpose for which they are processed and shall not exceed (Article III., paragraph 2 of the Principles). The administrator informs the customer that it is always necessary for the fulfillment of the purchase contract to provide and process personal data to the extent of the customer's identification data (Article III., paragraph 2.1 (Principles) and customer contact details (Article III., Paragraph 2.2 of the Principles), which become part of a concluded Purchase Agreement and without which the purchase contract can not be implemented; the processing of the customer's purchasing history (Article III., paragraph 2.3. of the Principles) then follows the implementation of the purchase contract and serves in particular for the other legal bases of processing referred to in Article IV, paragraph 2 of the Principles fulfillment of the concluded purchase contract. The provision of personal data is a customer's obligation under the above-mentioned contract.
5. Customer's consent is then required to process personal data for the following purposes:
- Sending business messages (newsletters);
- Managing a customer's customer account.
6. The processing of personal data for the purposes referred to in the preceding paragraph is based on the voluntary consent of the customer, who has the right to revoke at any time the customer is informed of the consent. However, the withdrawal of consent is not without prejudice to the lawfulness of the processing of personal data arising from the consent given by the customer prior to his / her removal. Revocation of consent also has no effect on the processing of personal data processed by the controller on the basis of a legal basis other than consent (ie, in particular, if the processing is necessary to fulfill the contract, legal obligations or for other reasons stated in the applicable legislation). regarding the granting of consent to the processing of personal data for the abovementioned purposes, including the scope of such personal data processed and the duration of such processing, are contained in the text of the individual consents by which the customer grants the right to process personal data for the purpose.
7. Unless expressly stated otherwise, personal data are processed only for the necessary time, especially for the duration of the contractual relationship or other legal title, which enables the administrator to process and store personal data of the customer, according to the deadlines imposed by the legal regulations. After loss the legitimate reason is erased by the relevant personal data. Personal data that is processed with the consent of the customer is retained only for the duration of the purpose for which the consent was granted, at the latest for the duration of the consent given by the customer or until the moment of his / her withdrawal.
V. Processors and categories of recipients of personal data
1. The administrator may disclose the customer's personal data:
- the processor of personal data - that is, the person who carries out the processing of personal data for the controller, on the basis of a contract for the processing of personal data;
- recipients of personal data - that is, the subject to which the personal data are provided.
2. The administrator may provide the customer's personal data for legitimate purposes to the following categories of recipients:
- external collaborators of the trustee and contractors of the trustee for performance of the contract;
- providers of postal and payment services;
- providers of transport and other services ensuring the transport and delivery of goods to the customer;
- providers of accounting, auditing and tax services;
- collecting agencies and law firms (especially for the purpose of recovering debts);
"administrators of IT systems;
- public authorities (eg courts, administrations).
3. The manager does not intend to pass on customer's personal data to third countries or international organizations.
VI. Information about the rights of the customer as a data subject
1. The administrator processes the customer's personal data in a correct, legally and transparent manner and in accordance with legal requirements. The Customer also has the right to contact the Administrator at any time to obtain information about the process of processing his or her personal data or for exercising the rights listed below that are related to personal information.
2. The manager shall inform the customer of his rights, such as:
- 2.1. Right of access to personal data - Under this right, the customer has the right to obtain from the controller a confirmation of the processing of his or her personal data and, if so, the right to information related to such processing, or in the event that the rights and freedoms of others are not adversely affected, as well as a copy of the personal data processed;
- 2.2. the right to rectification of personal data - based on this right, the client of the administrator may request correction of inaccuracies in the personal data processed by the controller, or the addition of incomplete personal data;
- 2.3. The right to delete data - based on this right, the administrator's customer may request the deletion of any or all of the personal data processed by him / her, unless they are necessary for the purpose for which they were processed or if the customer has withdrawn their consent to their processing there is no longer any legal reason for processing) or objections to the processing (and there are no overriding reasons for the processing manager), furthermore if the personal data have been unlawfully processed, must be deleted to meet the legal obligation or were collected in connection with the offer of information services companies;
- 2.4. The right to limit the processing of personal data - based on this right, the Trustee may request a limitation on the processing of personal data about him / her if the customer denies the accuracy of his or her personal data (for the time necessary for the trustee to verify the accuracy of the personal data) , or the processing is unlawful, but the customer refuses to erase such personal data or if personal data are no longer needed for the purpose for which they were provided but the customer requests processing (for example, in connection with the claim to a court to which the customer the processed personal data needs), or if the customer has raised an objection to processing, and it is not clear whether the legitimate interests of the trustee outweigh the legitimate interests of the customer;
- 2.5. The right to the portability of personal data - in the case of automated processing of personal data based on a contract or consent granted by the customer, the customer has the right to so-called portability of such data and its provision in a structured, commonly used and machine format;
- 2.6. exclusion of automated individual decision-making and profiling - the customer has the right not to be the subject of any decision based exclusively on automated processing, including profiling that would have legal effects or has been significantly affected by it. automated processing without the influence of human assessment with legal effects for data subjects;
- 2.7.Revoke the consent to the processing of personal data - in the case where the customer has given the administrator permission to process personal data for purposes requiring consent, the customer has the right to revoke the consent at any time. legal;
- 2.8. The right to notify cases of breaches of personal data protection - the customer has the right to inform the controller of the breach of the security of his or her personal data if it is also likely that such a breach will result in a high risk for rights and freedoms (ie, if the controller has taken steps to ensure that the high risk is unlikely to occur or if such notification would be disproportionate to the point where it is necessary to provide information by means of a public notice or similar measure);
- 2.9. right to lodge a complaint with a supervisor - the customer has the right to contact the Office for Personal Data Protection as a Supervisory Body if he considers that personal data protection has been violated while processing his personal data contact details:
Office for Personal Data Protection:
Pplk. Sochora 27, 170 00 Praha 7
phone: +420 234 665 111 (switchboard)
email address: email@example.com
email address: www.uoou.cz
Against the decision of the supervisory authority, the customer also has the right to effective judicial protection against the decision that concerns him.
The customer also has the right to object to the processing of personal data - the customer has the right at any time to object to the processing of personal data that the administrator processes for legitimate interest. If the administrator does not prove that there is a serious legitimate ground for processing, which outweighs the interests or the rights and freedoms of the data subject, or to determine, exercise or defense of legal claims, the administrator terminated on the basis of such objection processing of personal data without undue delay.
Likewise, the customer may object to processing in the case that his or her personal data is processed for direct marketing purposes. In this case, the administrator will no longer process the personal data for this purpose without further personal information.
3. All the above rights (with the exception of the right to file a complaint with the Surveillance Authority) can be claimed by e-mail (e-mail) sent to firstname.lastname@example.org. This address can be addressed also in connection with a request for additional information regarding the above mentioned rights práv.Obdobně can also be claimed by correspondence to the address of the administrator - Herbamedicus s.r.o., Ostružnická 325/6, 779 00 Olomouc.
4. At the request, which relates to the exercise of rights of customers, the administrator will respond promptly within one month of receipt of the application in which the client will provide information on measures taken and the manner in which it was made such a request to exercise rights (ie (in writing or electronically). This deadline can be extended by another two months, if necessary (due to complexity and number of requests), and the customer's manager will always be informed of such an extension, including the reasons for the extension, within one month of receipt of the request.
5. If the controller fails to take action requested by the customer, he shall inform the customer, within the aforementioned period, of the reasons for non-acceptance of the measure and the possibility of filing a complaint with the supervisory authority and requesting judicial protection.