General Data Protection Regulation
General Data Protection Regulation
INFORMATION ON THE PROCESSING OF PERSONAL DATA
provided according to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in the processing of personal data and on the free movement (hereinafter referred to as “GDPR Regulation”)
I. Data Privacy Manager
Megashops s.r.o., ID: 03772551 , with registered office Nad Lipinou , 738 01 Frýdek-Místek, legal entity registered in the Commercial Register kept by KS Ostrava, section C, insert
61191 (hereinafter referred to as the "Administrator") hereby informs you, in accordance with Article 12 of the GDPR, about the processing of your personal data and your rights.
II.Personal Data Protection Officer
Although, under the GDPR Regulation, the controller does not have a duty to appoint a Data Protection Officer in his case, he did so on a voluntary and in this case the regard to the transparency of the processing of personal data is mr. Mgr. Jiří Hölbling, contact details:
Contact with data subjects: Farní 19, Frýdek – Místek 738 01, tel. or email by appointment
Email: poverenec @kocinec.cz
Tel.: 731 496 055
Data subjects may contact Data Protection Officers in all matters relating to the processing of their personal data and the exercise of their rights under the GDPR Regulation.
III. Purpose of processing of personal data
fulfillment of legal obligations from the part of administrator, especially due to bookkeeping, tax obligations, and perform the other mandatory contributions,
ensuring the conclusion and subsequent fulfillment of a contractual obligation between the controller and the data subject,
for protect their legitimate interests in the framework of an agreed contractual obligation between the controller and the data subject, in particular to ensure the fulfillment of the obligations of the parties in the sense of, for example, claims, the protection of the interests of the administrator in possible litigation,
protection of the rights of the administrator, the recipient or other parts concerned (eg recovery of claims by an administrator),
archiving maintained under the Act number 563/1991 Col., about bookkeeping,
negotiations about contractual relationship,
tenders of job vacancies,
for marketing purposes, so that the trustee can best adjust the offer of his products and services,
for the business communication of the trustee, if is necessary for this purpose informed consent of the data subject, which is granted separately,
purposes contained within the data subject's consent
IIIA. Personal data sources
publicly accessible registers, lists and records (eg business register, trade register, land registry, public telephone directory, etc.) and other freely accessible data (eg press, social networks)
directly from the data subjects (name, surname, address, date of birth, e-mail, phone, chat, website, social networks, business cards,
IV. Personal data processing principles
Personal data are processed in the extent:
1. in that relation to the conclusion of a contractual or other legal relationship with the trustee
2. or which the administrator has collected otherwise and processes them in accordance with applicable legal regulations or the fulfillment of statutory duties of the trustee
V. Categories of personal data that are object of processing
address and identification data used for the unambiguous and not mistakable identification of the data subject (eg name, surname, title, date of birth, or personal identification number, permanent address, ID, VAT number) and contact details of the data subject mailing address, telephone number, fax number, e-mail address, and other information of a similar nature),
descriptive data (e.g., bank account),
other necessary data for performance of the contract,
data provided in framework of the relevant laws processed in the framework of the consent given by the data subject (photo processing, use of personal data for the purposes of personnel management, emails from the side by bidders, and others.)
VI. Categories of data subjects
those interested in the service (future prospective customer),
those interested in the products (future prospective customer),
person in a contractual relationship with the trustee (especially the customer),
supplier of services or goods
those interested in the position of a supplier of products or services,
another person against whom he asserts his right to the trustee (especially the
saboteur who did the damage to the administrator)
another person claiming and exercising his rights against the trustee (in particular the alleged injured party in damages)
VII. Categories of recipients of personal data
state and other authority in the framewrk of the statutory obligations laid down by the relevant legislation and their control and in the framework fullfing the tasks of public interest, especially the controlling authorities such as the Financial Office, the District Social Security Administration,
public institutions, such as courts in the case of a legitimate interest of the trustee in legal proceedings brought by an administrator against the data subject,
supplier of products and services,
VIII. Method of personal data processing and protection
Processing of personal data is performed by the administrator or the processor based on administrator's instructions. The processing is carried out at the headquarters of the administrator by individual authorized employees of the administrator, processor at the place of its registered office. The data processing is done by means of computer based electronic records, and manually to personal data in paper form, with all the security policies for managing and processing your personal information. For this purpose, the administrator has adopted technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, alteration, destruction or loss, unauthorized transmission, unauthorized processing, and other misuse of personal data. All entities to which personal data may be made available respect the privacy rights of data protection entities and are required to comply with applicable privacy laws.
IX. Real-time data processing
Personal data will be processed during negotiations for the conclusion of a contract between the data administrator and the data subject, as well as for the duration of the contractual relationship or for a period specified in the consent given by the data subject, according to the following rules:
In the case of a contract being concluded, personal data will be processed and stored for the next 36 months in the event of a dispute concerning the relationship between the administrator and the data subject, in order to protect the legitimate interests of the administrator.
In order to fulfill the statutory obligation to archive bookkeeping documents pursuant to Act No. 563/1991 Coll., On bookkeeping, as amended, personal data (except e-mail address and telephone number) will be further processed and kept by the administrator for 5 years starting with the year following the year in which the contract was concluded between the administrator and the data subject.
Upon expiry of the above deadlines, the administrator will liquidate the processed personal data of the data subject.
X. Lessons on the rights of the data subject
1) Administrator processes the data in statutory cases because of the fulfillment of the contract due to fulfillment of a legal obligation for the protection of the legitimate interests of the trustee or third part for the fulfillment of a task carried out in the public interest or in the exercise of public authority for the protection of vital interests of the data subject where the processing of personal data does not require the consent of the data subject. If there is no other legitimate reason, the data subject's consent must be with the processing of the data.
Ask the administrator for an explanation
Require the administrator to remove the resulting situation.
If the administrator doesn´t do the request of the data subject, the subject has the right to appeal directly to the supervisory authority, the Office for Personal Data Protection
The procedure does not exclude the data subject from contacting the supervisory authority directly.
3) According to Article 15 of the GDPR, the data subject has the right to obtain from the controller a confirmation that his or her personal data is processed or not and, if so, has the right to access his or her personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients whose personal data have been or will be made available, in particular to recipients in third countries or to international organizations; d) d) planned period for which his personal data will be stored or, opposite that the criteria used for determine that period; e) existence of the right to require the administrator to repair or erase his personal data or to restrict its processing, or to object processing; f) right to complain in the Supervisory Authority; g) any available information on the source of his or her personal data, unless it has been obtained directly from the data subject; h) the fact that automated decision making, including profiling, referred to in Article 22 1) and 4) of the GDPR is taking place, and at least in these cases, meaningful information regarding the procedure used, and the significance and implications of such processing for me.
The data subject has the right to provide a copy of his or her personal data processed by the controller. For additional copies, the administrator may charge a reasonable fee based on administrative costs. If the data subject submits the application in electronic form, the information in the electronic form normally used shall be provided, unless otherwise requested.
4) According to Article 16 of the GDPR, the data subject has the right to correct inaccurate personal data relating to him without undue delay. Taking into account the purposes of the processing, the data subject has the right to supplement incomplete personal data, including by providing an additional statement.
5) According to Article 17 of the GDPR, the data subject has the right to delete his personal data without undue delay if one of the following reasons is a) his personal data are necessary not longer for the purposes for which they were collected or otherwise processed; b) the data subject has withdrawn consent to the processing of his personal data and there is no further legal reason for processing; c) the data subject has objected to the processing under Article 21 1) of the GDPR and there are no overriding legitimate reasons for the processing or the data subject has raised objections to the processing under Article 21 2) of the GDPR; d) personal data have been processed unlawfully; e) personal data must be erased in order to comply with a legal obligation laid down in the law of the European Union or its Member State which applies to the trustee.
The the above mentioned paragraph doesn´t apply if the processing of personal data is necessary: a) for the performance of the right to freedom of expression and information; b) to comply with a legal obligation which requires processing under European Union or its Member State's law applicable to the Administrator or for the performance of a task carried out in the public interest or in the performance of official authority if the Administrator has been entrusted with it; c) on grounds of public interest in the field of public health; d) for purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 1) of the GDPR; e) for the determination, perfomance or defense of legal claims.
6)The data subject is entitled According to Article 18 of the GDPR to have the administrator restrict the processing in any of the following cases: a) if the data subject would deny the accuracy of the personal data, for the time necessary to verify the accuracy of the personal data; b) processing is unlawful and the data subject would refuse to erase his personal data and would instead request restrictions on their use; c) administrator needs no more the personal data of the data subject for processing purposes but has requested it for the purposes of determining, enforcing or defending legal claims; d) if the data subject has objected to processing pursuant to Article 21 1) of the GDPR until it has been ascertained whether the legitimate reasons of the Administrator outweigh its legitimate reasons.
If processing has been restricted under the preceding paragraph, such personal data may be processed only with the consent of the data subject or except their saving, enforcing or defending legal claims for the protection of the rights of another natural or legal person, or for important reasons public interest of the European Union or of one of its Member States.
7) The Administrator notifies under Article 19 GDPR to individual recipients to who were the personal data of the data subject was made available, any corrections or deletions of his personal data, or limitation of processing, except when this proves impossible or requires unreasonable effort. The administrator inform the data subject about those recipients only if the data subject do the requests.
8)According to Article 20 of the GDPR, the data subject has the right to obtain personal data relating to him provided to the administrator in a structured, commonly used and machine-readable format and the right to pass this data to adminiatrator without the administrator to whom the personal data were provided: a) the processing is based on the consent referred to in Article 6 (1) (a) or Article 9 (2) (a); (a) or on the contract referred to in Article 6 (1) b); and (b) processing is automated. The data subject is entitled to have personal data transmitted directly from one administrator to another administrator if is it technically posible. This right shall not apply to the processing necessary for the performance of a task carried out in the public interest or in the exercise of public authority by which the controller is entrusted.
9) According to Article 21 of the GDPR, the data subject is entitled, on grounds relating to his particular situation, at any time to object to the processing of his personal data, pursuant to Article 6 (1) (e) or (f) GDPR, including profiling based on these provisions. The controller will not further process his personal data unless he can substantiate serious legitimate reasons for processing that outweigh his interests or rights and freedoms, or for the determination, exercise or defense of legal claims.
The subject has the right at any time to object to the processing of personal data concerning him if personal data are processed for direct marketing purposes, including profiling as far as this concrete direct marketing is concerned.
The subject may apply its right of objection by automated means by means of technical specifications.
10)According to Article 22 of the GDPR, the data subject has the right not to be the subject of any decision based exclusively on automated processing, including profiling, which has a legal or significant effects for it. This shall not apply if the decision: (aa) is necessary to conclude or perform a contract between me and the administrator; (b) authorized by the law of the European Union or its Member State, which applies to the trustee, and which also lays down appropriate measures to protect the rights and freedoms and legitimate interests; (c) based on its explicit consent.
11)According to Article 34 of the GDPR, if its probably that the breach of the protection of personal data is likely to entail a high risk to the personal rights and freedom of some natural persons, responsible immediately notifies the data subject of the breach. If any of the following conditions are met notification doesn´t required : a) the administrator has taken appropriate technical and organizational security precautions and has applied these precautions to the personal data affected by the breach, in particular those by which the personal data is shared with all persons those who are not authorized to access personal data are made inaccessible, for example by encryption; (b) the administrator has ensured by subsequent action that the high risk to the rights and freedoms of the data subjects referred to in paragraph 1 is likely to cease to exist; c) | this would be associated with a disproportionate effort. In Frýdek-Místek, 24.5.2018
as a personal data administrator
This statement is publicly accessible on the website of administrator