Privacy notice under Regulation of the European Parliament and of the council (EU) no. 2016/679 on the protection of natural persons with regard to the processing of personal data and instruction to data subjects (hereinafter as “GDPR”)
Personal data controller
Danfil Jewellery s.r.o., registered office at Lomová 704, 46312 Liberec 25 (Vesec), ID no.: 27277844, Tax ID no.: CZ27277844, which has been incorporated since 20 May 2005 in the Companies Register kept by the Regional Court in Ústí nad Labem, file no. C 22160 (hereinafter the “Controller”), hereby informs you in accordance with Article 12 GDPR on the processing of your personal data and your rights.
Extent of personal data processing
Personal data are processed to the extent to which they were provided to the Controller by the relevant data subject in connection with the entry into a contractual or other legal relationship with the Controller or which the Controller has otherwise collected and processed in compliance with legal regulations or in order to perform the statutory obligations of a controller.
Sources of personal data
- Directly from data subjects (registrations and e-shopping, e-mails, phone, chat, web pages, website contact form, social networks, visiting cards etc.)
- Publicly accessible registers, indexes and records (e.g. companies register, trades licenses register, land register, public phone directory etc.)
Categories of the personal data processed
- Addresses and identification data enabling a unique and unmistakable identification of a data subject (e.g. first name, surname, title, birth certificate number, date of birth, permanent residence address, company ID number, VAT number) and data enabling contact with the data subject (contact data—e.g. contact address, phone number, fax number, e-mail address and other similar information)
- Descriptive data (e.g. bank details)
- Other data necessary for the performance of a contract
- Data provided beyond the requirements of applicable laws and processed on the ground of a consent granted by a data subject (processing of photos, use of personal data for HR management purposes, etc.)
Data subject categories
- Controller’s customer (only for data subjects registered in the e-shop)
- Controller’s employee
- Service provider
- Other persons who are contractors of the Controller
- Job applicant
Personal data recipient categories
- Financial institutions
- Public institutions
- State and other bodies performing statutory obligations imposed by applicable legal regulations
Purpose of personal data processing
- Purposes contained in the consent granted by data subjects
- Contract negotiation
- Contract performance
- Protection of the rights of the Controller, recipients or other affected parties (e.g. collection of Controller’s receivables)
- Archives kept on the basis of the act on selection procedures for vacant posts
- Performance of statutory obligations by the Controller
- Protection of vital interests of data subjects
Manner of processing and protecting personal data
The processing of personal data is performed by the Controller. The processing is carried out in the Controller’s establishments, branch offices and registered office by individual authorized employees of the Controller, or potentially by a processor. The processing is performed by computer technology or, as the case may be, manually in the case of personal data in the physical form in compliance with personal data management and processing security principles. To that end the Controller has adopted technical and organizational measures to ensure the protection of the personal data, including in particular measures preventing unauthorized or accidental access to, alteration, destruction or loss or unauthorized transfers or unauthorized processing as well as other misuse of the personal data. All entities to which the personal data may be made accessible respect the right of data subjects to the protection of privacy and have the obligation to proceed pursuant to the valid personal data protection legal regulations.
Personal data processing period
In accordance with the time limits specified in the relevant contracts, the Controller’s filing and shredding rules and in applicable legal regulations the data are processed for a period necessary to perform the rights and obligations ensuing from an obligational relationship as well as applicable legal regulations.
The Controller processes data with data subject’s consent with the exception of the cases defined by law where the processing of personal data does not require data subject's consent. In accordance with Article 6(1) GDPR a controller may process the following data without data subject’s consent:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
- processing is necessary for the compliance with a legal obligation to which the controller is subject,
- processing is necessary in order to protect the vital interests of the data subject or of another natural person,
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data
Rights of data subjects
In accordance with Article 12 GDPR the Controller informs a data subject upon the data subject’s request on the right to access his or her personal data and to the following information:
- purpose of processing,
- category of the personal data concerned,
- recipient or the category of the recipients to whom the personal data were or will be made accessible,
- planned period for which the personal data will be retained,
- all available information on the source of the personal data,
- if not acquired from the data subject, information on whether automated decision-making, including profiling, is used.
Each data subject who finds out or considers that the Controller or a processor engages in the processing of his or her personal data which is in conflict with the protection of the data subject’s private and personal life or in conflict with law, in particular if the personal data are inaccurate with regard to the purpose of the processing, the data subject may:
- Ask the Controller for explanation.
- Demand that the Controller rectifies the situation. This may in particular involve the blocking, rectification, supplementation or erasure of the personal data.
- Where the data subject’s application under paragraph 1 is recognized as legitimate, the Controller shall rectify the defective situation without delay.
- If the Controller dismisses the data subject’s application under paragraph 1, the data subject has the right to turn directly to the supervisory office, that is, the Office for Personal Data Protection.
- The procedure under paragraph 1 does not rule out the option that the data subject may submit his or her objection directly to the supervisory office.
- The Controller has the right to demand for the provision of information an adequate payment not exceeding the costs necessary for the provision of the information.