1. Introduction
This policy contains information on the scope and conditions of the processing of your personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and Council on the protection of individuals with regard to the processing of their personal data and on the free movement of such data ("GDPR") within the performance of our business activities or in connection with it, especially in the sale of goods and services, in the implementation of promotional competitions, direct marketing, in the operation of our website and e-shop www.bushman.cz, in email and other communications with you etc.
2. Your personal data managers are
the company Bushman Company a.s., IÄŒ 26052679, reg’d office Lazarská 1719/5, Nové MÄ›sto, 110 00 Prague 1, Czech Republic (hereinafter referred to as ‘1’)
and
the company Bushman s.r.o., IÄŒ 25618601, reg’d office Lazarská 1719/5, Nové MÄ›sto, 110 00 Prague 1, Czech Republic (hereinafter referred to as ‘2’)
together referred to as the "Administrators".
Contact details of the Administrators
For communications and questions regarding the protection of your personal data, please contact us at:
Lazarská 1719/5, 110 00 Prague 1, Czech Republic,
or by e-mail to: [email protected]
The Administrators did not appoint a data protection officer. The person responsible for personal data protection and communication with data subjects is Mgr. Petr Hulec, email: [email protected], phone: +420 602 766 363.
3. Sources and categories of processed personal data
Administrators process personal data that you provided them with when registering at the so-called BUSHMAN Club or personal data that administrators obtained by fulfilling your order on the e-shop (ie concluded distance purchase contracts) or personal data that you provided the Administrators with as part of their participation in a marketing competition organized by the Administrators or collectively or individually.
4. Legal reason for and the purpose of personal data processing, and what personal data are processed
The legal reason for the processing of personal data is:
-
the performance of a contract between you and the Administrators pursuant to Article 6, paragraph 1, letter b) GDPR,
-
the legitimate interest of the Administrators in the provision of direct marketing (in particular for the sending of commercial communications and newsletters) pursuant to Article 6 (1) (a). f) GDPR,
-
Your consent to processing for the purposes of providing direct marketing (in particular for the sending commercial messages and newsletters) pursuant to Article 6 (1) (a). a) GDPR in conjunction with § 7 paragraph 2 of Act No. 480/2004 Coll., on certain information company services in the event that no goods or services have been ordered, or as part of registration in the BUSHMAN Club and the Administrator's website.
• Your consent to the processing of personal data pursuant to Article 6 (1) (a) a) GDPR for the purposes of organizing marketing competitions and your participation in them.
The purpose of personal data processing is
• for processing your order and exercising the rights and obligations arising from the contractual relationship between you and the Administrators; when ordering, personal data are required, which are necessary for successful execution of the order (name and address, contact), the provision of personal data is a necessary requirement for concluding and fulfilling the contract, without providing personal data it is not possible to conclude the contract or perform it by the Administrators,
-
for sending business messages, newsletters and for other marketing activities.
• for your participation in marketing competitions organized by the Administrators, or either one of them.
There is no automatic individual decision-making by the Administrators within the meaning of Article 22 of the GDPR.
The personal data processed by us may (depending on the purpose of processing) include the name, surname, residential address, telephone number, e-mail address and date of birth of the customer. Furthermore, payment data, in particular the bank account number, payment card number, variable symbol, or a specific symbol, the sender's or payee's note, or other data that you provide in the payment; information about your orders, especially about the goods or services you have ordered; data that we obtain during your access to the administrators' websites, ie cookies, web metrics, etc. and when using them, especially your IP address, MAC address of the device through which you use the site, data about your access to the site, activity on the website, the length of your visit to the website, cookies, information about the location of the device through which you use the website. We mainly use Google Analytics to obtain the above information.
5. Who has access to your personal data, and the processors
In some cases, controllers use the services of other suppliers who process personal data on their behalf ("processors"). The controllers have concluded agreements on the processing of personal data with these processors; these are bound by the instructions of the Administrators. Processors are persons involved in the delivery of goods / services / implementation of payments on the basis of a contract (e-shop orders), providing marketing services, organizing marketing competitions. The controllers do not intend to transfer personal data to any third country (ie to a non-EU country) or to any international organization.
6. Time period for the processing personal data
The processing time depends on the purpose for which and for what reason we process the personal data. Due to the scope of the processed data and the variety of purposes, this time cannot usually be determined precisely. Therefore, the processing time of your personal data is defined by the criteria below.
If we process your personal data on the basis of your consent to their processing, then we can process your personal data for the duration of this consent.
In other cases, we process your personal data for the time necessary to achieve the purpose for which we process it, including the subsequent administration procedures associated with the termination of the processing and the deletion of the personal data.
If one of the reasons for which we process your personal data for a specific purpose fails, it does not automatically mean our obligation to stop processing them. As long as we have another reason for their processing (eg our legitimate interest in processing ceases, but the processing of your personal data will still be necessary in order to fulfill the contract concluded between us or for our legal obligations), we may continue to process your personal data until all legal reasons for processing them have ceased to exist. However, in the event of revocation of consent to the processing of personal data, we do not proceed with the processing of your personal data for the purpose for which the revoked consent was originally granted.
7. Information on the rights of the data subject
Each identifiable natural person as a personal data subject who has proved his or her identity has the following rights:
a) Right of access to personal data.
This includes the right to obtain either from Administrator 1 or Administrator 2:
• confirmation of whether he processes the personal data,
-
information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data were or will be disclosed, the planned processing time, the existence of a right to request the controller 1 / controller 2 to correct or delete personal data concerning the data subject or object to this processing, the right to complain to the Authority, of all available information on the source of personal data, if not obtained from the data subject, of the fact that automated decisions, including profiling, are made on appropriate safeguards for data transfers outside the EU,
• provided that the rights and freedoms of others and any copy of personal data are not adversely affected.
The above information and communications required by the data subject shall be provided by controller 1 or controller 2 free of charge. In case of a repeated request, Administrator 1 / Administrator 2 will be entitled to charge a reasonable fee for a copy of the personal data. The right to a confirmation of the processing of personal data and to information can be exercised by e-mail to the e-mail address of the controllers (see point 2 of this policy).
b) Right to correct inaccurate data
The data subject has the right to correct inaccurate personal data that will be processed by Administrator 1 / Administrator 2.
c) Right of cancellation
The data subject has the right to delete personal data concerning him or her, unless the controller 1 / controller 2 proves legitimate reasons for the processing of such personal data. The right to delete personal data may be exercised by the data subject by e-mail to the electronic address of Administrator 1 / Administrator 2 (see point 2 of this policy). Any deletion shall be made by Administrator 1 / Administrator 2 without delay, but no later than within 7 days from the request received by the data subject.
d) The right to restrict processing
Until any complaint is resolved, the data subject has the right to restrict the processing if he denies the accuracy of the personal data, the reasons for their processing or objects to their processing by e-mail to the e-mail address of controller 1 / controller 2 (see point 2 of these data principles).
e) The right to be notified of a correction, deletion or restriction of processing
The data subject has the right to be notified by the controller 1 / controller 2 in the case of any correction, deletion or restriction of the processing of personal data.
f) The right to the portability of personal data
The data subject has the right to the portability of the data concerning him or her which he or she has provided to the controllers (controllers 1 and / or controllers 2), in a structured, commonly used and machine-readable format, and the right to request the controller to transfer this data to another controller. In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, the data subjects' requests may not be complied with.
g) The right to withdraw consent to the processing of personal data.
Consent to the processing of personal data for marketing purposes or for the purpose of participating in a marketing competition may be revoked at any time. Appeals must be made by an express, comprehensible and definite expression of will, either by email to the e-mail address of the Administrators: [email protected] or by post to the address of the Administrators specified in the introduction to this policy.
h) Automated individual decision-making, including profiling
The data subject has the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects for him or her in a similar way. Administrator 1 and Administrator 2 state that they do not carry out automated decision-making without the influence of human judgment with legal effects on data subjects.
i) The right to contact the Office for Personal Data Protection
The data subject has the right to contact the Office for Personal Data Protection (https://www.uoou.cz/ ).
j) Protection of personal data.
Controller 1 and controller 2 collect and store the personal data entered by the data subject, as well as personal data of a technical nature obtained from the data subject via electronic information carriers in a secure database. Administrators protect personal data as much as possible using modern technologies that correspond to the level of technical development. The controllers declare that they have taken reasonable measures to secure this data against unauthorized interference by third parties. In the event of any serious breach of personal data security, controllers are obliged to report without undue delay and, if possible, within 72 hours of becoming aware of it to the supervisory authority and to ensure adequate remediation. Administrator 1 / Administrator 2 may, in the performance of their legal obligations, transfer personal data to the administrative authorities and bodies provided for by the applicable legal regulations. The data subject acknowledges that controller 1 / controller 2 may be obliged to provide personal data on the basis of the law or in fulfillment of his / her legal obligations (eg for court or administrative proceedings).
k) Confidentiality
Controllers and other recipients of personal data who will process the personal data of data subjects are obliged to maintain the confidentiality of personal data and security measures, the disclosure of which would jeopardize the security of personal data. This confidentiality persists even after the termination of the contractual relations with the data subject. Personal data will not be disclosed to any other third party without the consent of the data subjects. These principles come into force and effect on 11.8.2020 and fully replace the existing principles of 30.8.2019.
In Prague dated 11.8.2020