First of all, we would like to explain some basic terms we are using:
“Personal data” means any and all information that identifies you, or on the basis of which you can be identified, as well as information that informs about you (about your personality, activities, properties, etc.).
“Processing” personal data means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing means wholly or partially automated processing of personal data, and non-automated only if the personal data are, or are to be, part of a filing system.
You are our “customer” if we have or have had a contract with you for the supply of goods or provision of services (including informal contracts, based on orders and deliveries), or if you have expressed specific interest in our goods or services.
Personal data as a value. We consider your personal data as an important value and we treat them in this spirit. When we process personal data, we proceed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and other applicable legal regulations.
What are the basic rules? When processing personal data, we observe the following basic rules in all circumstances:
- Lawfulness, fairness and transparency: We process your personal data lawfully, fairly and in a transparent manner.
- Purpose limitation: We collect your personal data solely for specified, explicit and legitimate purposes, and we do not process personal data in a manner that is incompatible with such purposes.
- Minimisation: We only process personal data in adequate, relevant and limited scope, in relation to the purposes for which they are processed.
- Accuracy: We make sure that the personal data we process are accurate and, where necessary, kept up to date. We take any and all reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation: We keep your personal data in a form that permits your identification for no longer than necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: We protect your personal data we process. We process your personal data in a manner that ensures appropriate security, including protection through technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. We use advanced physical and electronic security measures.
Further directions. In principle, we process your personal data for no more than two purposes: performance and administration of contracts on the one hand, and marketing and commercial purposes on the other. Both these purposes and the rules we apply to them are discussed below. Furthermore, as certain data may be linked to a particular natural person under certain circumstances as a result of employment of cookies and web beacons, we specify below also the rules applicable to use of these technologies.
CONTRACT-RELATED PERSONAL DATA
What personal data are concerned? We process personal data contained in contracts you have entered into with us and personal data arising from performance of these contracts. These include, but are not limited to, identity and contact data, data on the subject of the contract, and data on exercising rights and fulfilling obligations following from the contract (billing, etc.), including commercial communications with you. Please note that contracts may be executed not only in writing (including electronic form), but also orally. Among other things, every accepted order of goods through our e-shop establishes a contract.
Why do we need these personal data? It is obvious that we have to process contract-related personal data in order to be able to meet contractual obligations and exercise rights from these contracts and to comply with legal obligations associated therewith – for example, we are obliged to keep accounting records and store them for the statutory periods.
Where do we obtain your personal data from? We primarily obtain contract-related personal data from you, but the data may also result from performance of the contracts (e.g. information about delivery of the ordered goods from the carrier). We always proceed in a transparent way.
Do we have access to data on payment cards? If you pay for our goods (services) using a payment card, the payment is made via a secured payment gateway operated either by Československá obchodní banka a.s., or by Digital River, Inc. We have no access to personal or other data through which the payment transaction is authorised.
How long do we process personal data for? We process (store) personal data for the period of time during which they may be legally relevant for performance of the contract in question and settlement of rights and obligations resulting therefrom, i.e. until expiry of the applicable limitation, preclusion, warranty, storage and other similar periods set out by legal regulations or contract arrangement, whereas the expiration of the last of the said periods matters; in particular cases, the periods depend on assessment of the contract in question; it is usually not longer than 10 years after the contract has been discharged (terminated).
MARKETING AND COMMERCIAL PERSONAL DATA
Why do we process personal data for marketing and commercial purposes? We process personal data for marketing and commercial purposes for two reasons:
- to inform our customers and other persons whose interest can be anticipated about our offer and news in the form of electronic newsletters and other commercial communications, and to inquire, in individually assessed cases, with our customers and other persons whose interest can be anticipated, over the phone, by email or in another similar manner, about their interest in our offer; and
- to be able to personalise our dealings with you when establishing and performing a contract or business relationship or communicating with you (customer history, etc.).
Personal data for the purpose of contacting you with an offer or other similar commercial communications are processed only if a reasonable assumption exists that you are interested in our offer; this can be assumed in particular if you are or were our customer. Personal data for the purpose of personalisation are processed only if you have had commercial contact with us (by purchasing goods or services or if you expressed specific interest in purchasing our goods or services).
When is it possible to disseminate email commercial communications? We respect the rule that using your email address for commercial communications is only possible if you have provided the address to us as our customer, or if you have given us consent to use your email address for this purpose. You can withdraw your consent at any time; see the “Your Rights” section for the form in which this can be done. Anyhow, we give you a simple and clear opportunity in every email commercial communication to reject further commercial communications.
What personal data do we process for this reason? The following types of personal data are concerned (in a particular case, not all of the listed types of personal data need be processed):
- identity and contact personal data (name, postal address, email address, phone number, etc.);
- your profile personal data in relation to our cooperation (customer history and business relations, purchased or demanded goods, participation in 24U events, etc.);
- data allowing for personalisation of communication with you (history of communication, referral, etc.).
We create customer profiles from some or all of the processed personal data that we use for the described purposes. Personal data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic personal data, biometric personal data, data concerning your health, and data concerning your sex life or sexual orientation are never processed as marketing and commercial personal data.
Where do we obtain your personal data from? The sources of marketing and commercial personal data are:
- contracts you entered into with us;
- messages you send to us (via an online form or social networks, over the phone, etc.);
- to a complementary extent, from open sources (e.g. public databases).
Legal basis for processing personal data and the right to object. The legal basis for processing your personal data is our legitimate interest in the use of data for marketing and commercial purposes, in the interest of maintaining and developing our clientele and business activities in general. You may object to processing of your personal data for marketing and commercial purposes. If you raise objections to the use of personal data for the purpose of commercial communications or other forms of direct marketing, we will automatically stop further processing for these purposes. If you raise objections to the use of your personal data for the purpose of personalisation, we will assess on the basis of the reasons for the objections (in view of your specific situation) whether there exist compelling legitimate grounds on our part for continuing with the processing that override your interests, rights and freedoms, and we will inform you of whether we will comply with the objections or that we cannot, and for what reasons. See the “Your Rights” section for the form in which objections may be raised.
How long do we process personal data for? We process (store) personal data for the purpose of contacting you with our offer or other commercial communications for as long as your interest in our offer can be reasonably assumed, unless you objected earlier to such processing. We process personal data for the personalisation purpose for 10 years from the date of the last commercial contact with you.
COOKIES AND WEB BEACONS
What are web beacons and how do we use them? We can also use web beacons, both on our website and in emailed messages. Web beacons are small graphical elements (data files, pixel tags) that are downloaded from our web server for the purpose of monitoring e-mail access, website traffic and user behaviour on them, and subsequent optimising of e-services for users (including ad personalisation).
No identification. We do not use personal data obtained from cookies and web beacons to identify you.
TRANSMISSION AND LOCALISATION OF PERSONAL DATA
Who do we transmit personal data to? Your personal data are confidential for us. With the exceptions described in the following paragraphs, we do not transmit personal data to any third party, either directly or indirectly (by allowing access). We do not trade with personal data in any way.
24U Group. We may transmit personal data to the entities that are part of the group (holding) that 24U is part of. Recipients will process the personal data they receive solely in accordance with the rules that apply to 24U, and we are responsible for the proper processing of personal data by the recipients.
Partners. We may transmit personal data to entities that process personal data for us, or who provide services to us inherently requiring access to personal data. These are primarily entities that provide IT services (such as server hosting or web hosting), database services, accounting services, tax consultancy or legal services. Cooperation with these entities is always of a strictly operational nature. The recipients do not process personal data independently, but only according to our instructions. We are responsible for ensuring that misuse of any personal data accessed by the recipients does not occur, and that obligations of integrity and confidentiality of personal data and other obligations necessary to be established under the applicable legal regulations have been agreed with them.
Approved transmissions. We are also entitled to transmit personal data to third parties if you have agreed with the transmission, subject to the terms of your consent. You can withdraw your consent at any time; see the “Your Rights” section for the form in which the withdrawal may be made.
Legal obligations and matter-of-course transmissions. Your personal data may also be transmitted to third parties if it is necessary to comply with our legal obligations (in particular with regard to public bodies) or if the transmission is a matter of course, in particular if it is part of a contract you are a party to (e.g. the transmission of necessary personal data to carriers for the purpose of delivering the purchased goods, or to payment-system operators for the purpose of settlement of the purchase price).
Where do we store personal data? We store your personal data in the European Union and with partner processors in the USA (partners in the USA ensure personal-data protection at the level applicable in the European Union through participation in the EU – U.S. Privacy Shield pursuant to EU Commission Decision 2016/1250 of 12 July 2016 or standard data protection clauses adopted by the EU Commission and available at: www.24uSoftware.com/gdpr). We do not transfer personal data to other countries.
Right to information. You have the right to obtain from us a confirmation of whether or not we process your personal data. If processing takes place, you have the right to access the processed personal data and to be informed about processing details and the sources of personal data. If you have provided us with personal data on the basis of your consent or in connection with a contract, and if this concerns personal-data processing carried out by automated means, you have the right to receive it in a structured, commonly used and machine-readable format.
Right to rectification, erasure and restriction of data processing. You are entitled to have your inaccurate data rectified without undue delay; this also applies to the completion of incomplete personal data. You are furthermore entitled to request that we erase your personal data if we do not have sufficient legal ground for processing (e.g. if you have objected to the processing for direct marketing purposes). If you request it, we only restrict processing of your personal data instead of erasing them, i.e. the personal data will only be stored and will not be otherwise processed without your consent.
Right to object. You have the right to object to processing of your personal data for the purposes of direct marketing, as a result of which the personal data will not be further processed for such a purpose. If you object to the processing of your personal data in other cases where we process personal data on the basis of our legitimate interests, we first assess (with respect to your particular situation) whether there exist compelling legitimate grounds on our part for continuing with the processing that override your interests, rights and freedoms, and we will inform you of whether we will comply with the objections or that we cannot, and for what reasons.
How you can exercise your rights and how we will process your request. You may exercise your rights in any form that intelligibly conveys the content of your request, notice or objections, in particular at: oou @ 24u.cz. If you ask us to take specific action, we will provide you with information on the action taken without delay and at the latest within one month of receipt of your request; this period may be extended by up to two further months if necessary, and you must be informed of this on time.
How you can defend yourself. If you feel that your rights are affected in relation to how we process your personal data, you can contact the Czech Office for Personal Data Protection (www.uoou.cz). You also have the right to bring a civil action in court and seek legal protection.