- The controller of personal data pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) is Envitrail (“Data Controller”).
- The contact details of the Data Controller are (i) address Bucharova 2657/12, 158 00, Prague 5 and (ii) email: firstname.lastname@example.org
- The Data Controller has not appointed a data protection officer.
II. Sources and categories of personal data processed
- In particular, but not exclusively, the Data Controller processes the following personal data:
- The name and surname of the natural person;
- Contact details of the natural person, e.g. e-mail address, telephone number or home address, or delivery address;
- Your order details, which are in particular details of the services or products you have ordered from us, including your bank account number;
- Information about your behaviour on the Envitrail website.
III. Lawful basis and purpose for processing personal data
- The lawful basis for processing personal data is
- performance of the contract between you and the Data Controller pursuant to Article 6(1)(b) GDPR;
- the legitimate interest of the Data Controller in improving the products and services offered by Envitrail, including the conduct of promotions and other events for clients or business partners, pursuant to Article 6(1)(f) of the GDPR;
- the legitimate interest of the Data Controller for direct marketing purposes, in particular for sending commercial communications and newsletters if the Data Controller is reaching out to an existing client or business partner, pursuant to Article 6(1)(f) of the GDPR;
- Your consent to the processing of your personal data for the purposes of direct marketing, in particular for the sending of commercial communications and newsletters, pursuant to Article 6(1)(a) GDPR in conjunction with Section 7(2) of Act No. 480/2004 Coll., on certain information society services, as amended, in the event that the Data Controller addresses a person who is not an existing client or business partner and from whom no order for goods or services has been placed;
- compliance with the requirements of the law pursuant to Article 6(1)(c) of the GDPR.
- The purpose of the processing of personal data is
- processing your order and exercising the rights and obligations arising from the contractual relationship between you and the Data Controller, including making and receiving payments related to the order. When placing an order, the personal data needed for the successful processing of the order (name and address, contact details) are required. The provision of personal data is a necessary requirement for the conclusion and performance of the contract; without the provision of personal data, the Data Controller cannot conclude the contract or perform it properly;
- improving the quality of the services and products provided to clients and business partners, e.g. by sending commercial communications and other marketing activities, informing about the improvement or expansion of the portfolio of services offered by Envitrail;
- for the purpose of pursuing legitimate third party claims, if the Data Controller receives a legitimate claim from a government or public institution;
- We may also process your personal data for other purposes not listed above, to the extent required by law and where necessary for other legitimate purposes, in particular to ensure the reliable performance of the services or products ordered for you and other users.
- On the part of the Data Controller, there is automatic individual decision-making within the meaning of Article 22 of the GDPR. You have given your explicit consent to such processing.
IV. Personal data security principles
- We respect the privacy and personal life of the individuals concerned.
- We transparently inform the individuals concerned about our processing of personal data and their related rights and obligations. We assist the data subjects in exercising their rights.
- We comply with the technical and organisational measures we have taken to secure personal data, to secure data storage and to secure the storage of personal data in paper form.
- The data controller declares that only persons authorised by it have access to personal data.
- The controller of the personal data shall inform the relevant persons without delay of a personal data breach.
- We, as the Data Controller, only collect personal data to the extent that is strictly necessary to achieve the specific purpose of the processing determined by us or by generally binding regulations, and we only retain it for the time necessary to fulfil this purpose. After the time necessary to achieve the purpose, we always irreversibly destroy or anonymise the personal data, taking into account the period of time for which it is necessary to keep the personal data in view of the requirements of the law or possible claims of third parties.
- We maintain reasonable measures to ensure that the data processed by us is accurate.
- We process personal data in a transparent manner, only within the limits of the legitimate and specific purpose of processing personal data, adhering only to the strictly necessary scope of the personal data processed.
- In our capacity as Data Controller, we only use the services of data processors who guarantee compliance with the obligations set out in the applicable data protection legislation.
V. Data retention period
- We choose the specific storage period of personal data with regard to the nature of the personal data and the purposes of processing.
- The data controller shall retain the personal data
- for the period necessary to exercise the rights and obligations arising from the contractual relationship between you and the Data Controller, taking into account the time necessary to exercise any claims arising from such contractual relationship, or taking into account the time required by law (normally for 3 years from the end of the contractual relationship);
- until the consent to the processing of personal data for direct marketing purposes is withdrawn.
- After the expiry of the period and purpose of retention of personal data, the Data Controller will delete the personal data.
VI. Recipients of personal data (subcontractors of the Data Controller)
- The recipients of personal data are persons
- involved in the delivery of goods / services / the execution of payments under the contract;
- involved in the operation of the services;
- providing marketing services.
- Where personal data is transferred to third parties, it is transferred by the service provider in accordance with legal requirements and using the security mechanisms set out in the GDPR.
- The data controller intends to transfer personal data to a third country (non-EU country) or an international organisation. Recipients of personal data in third countries are Google mailing service providers / cloud service providers.
- The data controller will transfer personal data to the third country provided that the recipient of the personal data provides appropriate safeguards to effectively protect the data subject and the personal data transferred.
VII. Rights of the data subject – Your rights
- In accordance with and subject to the conditions set out in the GDPR, you have
- the right to be informed about the processing of your personal data;
- the right to access your personal data in accordance with Article 15 of the GDPR;
- the right to rectification of your personal data pursuant to Article 16 GDPR or restriction of processing pursuant to Article 18 GDPR;
- the right to erasure of personal data pursuant to Article 17 GDPR;
- the right to object to processing under Article 21 GDPR;
- the right to data portability pursuant to Article 20 GDPR;
- the right to request restriction of the processing of your personal data;
- the right to notify that you do not consent to the processing of your personal data;
- where we make decisions about you by automated means or profile you, the right to notify us that you disagree with a decision we have made by automated means, including on the basis of profiling, and to request that a human being be involved in such a decision;
- the right to withdraw consent to processing in writing or electronically to the address or email of the Data Controller set out in Article I(3) of this Policy.
- You also have the right to lodge a complaint with the Data Protection Authority if you believe that your right to data protection has been violated.
This Policy will take effect on November 15, 2023.