Protection of personal data
Principles of personal data processing
adopted in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (general regulation on the protection of personal data), (hereinafter referred to as "GDPR") and in accordance with Act No. 110/2019 Coll., on the processing of personal data
1. Introduction
Entrepreneur Robert Schneider, with registered office at U Lomu 513/7, 795 01 Rýmařov, ID number: 12086568, VAT number: CZ6611120164, a natural person doing business according to the Trade Act not registered in the commercial register, as the operator of the online store www.rsmodels.cz (hereinafter referred to as the "Administrator") processes personal data of so-called data subjects - natural persons who:
• are interested in purchasing in the online store (potential customers);
• buy or have made purchases in the online store (customers).
The administrator ensures that the processing of personal data of data subjects is legal, correct, transparent, accurate, confidential and that personal data is processed only to the extent necessary. The administrator also ensures that personal data is properly secured and that all rules established by the GDPR as well as other legal regulations in the field of handling personal data are observed during the processing of personal data.
These principles were adopted, among other things, for the purpose of documenting the compliance of the processing of personal data by the Administrator with legal regulations. An explanation of individual terms related to the processing of personal data according to these principles is provided in Article 12 below.
2. Administrator of personal data
The administrator of personal data is entrepreneur Robert Schneider, with registered office at U Lomu 513/7, 795 01 Rýmařov,
ID number: 12086568, VAT number: CZ6611120164.
The administrator can be contacted in any of the following ways:
• in person (or in writing) at the headquarters of Administrator Robert Schneider - RS Models at: U Lomu 513/7,
795 01 Rymařov, Czech Republic;
• electronically via the e-mail address rsmodels@rsmodels.cz;
• by phone at +420 604 407 729.
3. Purposes of processing for which personal data are intended and legal basis for processing
3.1. Fulfillment of the purchase contract
The Administrator processes personal data mainly for the purpose of concluding and fulfilling the purchase contract, i.e. at least so that the Administrator can deliver the goods purchased in the online store to the customer.
The legal basis for this processing is Article 6 paragraph 1 letter b) GDPR – performance of a contract to which the data subject is a party.
3.2. Fulfillment of legal obligations of the Administrator
The Administrator processes personal data for the purpose of fulfilling the legal obligations of the Administrator, resulting from e.g. accounting and tax laws, the Act on Consumer Protection, etc., including the obligation of the Administrator to be able to prove that it processes personal data in accordance with generally binding legal regulations, especially in accordance with the GDPR.
The legal basis for this processing is Article 6 paragraph 1 letter c) GDPR – fulfillment of the legal obligation that applies to the Controller.
3.3. Legitimate interests of the Administrator
The Administrator may process personal data for the purpose of:
• application of direct marketing (see Article 5 below);
• determination, enforcement or defense of legal claims (especially legal claims arising from the concluded purchase contract).
The legal basis for this processing is Article 6 paragraph 1 letter f) GDPR – legitimate interest of the Administrator.
3.4. Consent of the data subject
Based on the consent of the data subject, the Administrator may process personal data for the purpose of:
• application of direct marketing (see Article 5 below);
• establishing and maintaining a customer account (see Article 10 below).
The legal basis for this processing is Article 6 paragraph 1 letter a) GDPR – consent of the data subject.
4. Processing of personal data based on consent
4.1. Voluntariness
Consent to the processing of personal data is completely voluntary. Any failure to grant consent will not have any adverse consequences for the data subject.
4.2. Withdrawal of consent
Each data subject has the right to withdraw consent to the processing of personal data at any time, in particular in one of the following ways.
• through a customer account;
• by electronic notification sent to the Administrator's e-mail address (see Article 2 above);
• by a written notification sent to the address of the registered office or establishment/some of the Administrator's establishments (see Article 2 above);
• by telephone using the Administrator's contact details (see Article 2 above).
Consent to maintaining a customer account can also be revoked by canceling the customer account (see paragraph 10.2 below). Revocation of consent does not affect the legality of processing based on consent that was given before its revocation.
5. Direct marketing
5.1. In general
The processing of personal data for the purposes of direct marketing means the processing of personal data for the purpose of sending business communications within the meaning of Act No. 480/2004 Coll., on certain information society services, as amended (hereinafter referred to as "Act No. 480/2004 Coll.").
Commercial communication means any form of communication, including advertising and invitations to visit the website of the online store, intended to directly or indirectly support the goods or services or the image of the Administrator (especially so-called newsletters).
5.2. How does it actually work?
Processing of personal data for the purpose of sending commercial messages to potential customers (i.e reindeer who have not yet purchased in the online store, but have decided to subscribe to commercial communications) is possible only on the basis of their consent to the processing of personal data. Also, the actual sending of commercial messages to potential customers can only be carried out on the basis of consent (in accordance with § 7 paragraph 2 of Act No. 480/2004 Coll.).
The processing of personal data for the purpose of sending commercial messages to customers (i.e. persons who have already purchased in the online store) is possible even without their consent, based on the existence of a legitimate interest of the Controller (see paragraph 3.3 above or Recital 47 GDPR). Likewise, the actual sending of commercial messages to customers, if these commercial messages relate to the Administrator's own similar products or services, can in such case be carried out without their consent (in accordance with § 7, paragraph 3 of Act No. 480/2004 Coll.), if the customer did not initially refuse it or does not subsequently refuse it. [see https://www.uoou.cz/gdpr-a-nbsp-primy-elektronicky-marketing/d-30715]
5.3. Termination of processing for direct marketing purposes
The Administrator shall terminate the processing of personal data for direct marketing purposes immediately after the customer or potential customer expresses their disagreement with such processing. Disagreement can be made, for example, in one of the following ways:
• withdrawal of consent to the processing of personal data (see Article 4 above);
• expressing disagreement with the processing of personal data, in the same way as consent to the processing of personal data can be revoked (see Article 4 above);
• opting out, which can be done in every commercial communication;
• by raising an objection to such processing (under the conditions of Article 21 GDPR).
Regardless of the above, the Administrator shall terminate the processing of personal data for direct marketing purposes no later than 3 years after the last purchase in the online store (conclusion of the purchase contract). Any further purchase therefore extends the processing time by another 3 years.
In the event that the purchase in the online store never takes place, the Administrator will terminate the processing at the same time as canceling the customer account (see paragraph 10.2 below).
6. Categories of recipients of personal data
The recipient of personal data is anyone to whom the Administrator provides personal data.
The Controller will transfer personal data in particular to the following recipients: entities providing accounting or tax services, postal or transport services, newsletter distribution services, legal services, IT services, operators of payment gateways, payment systems, domain administrators, technical support providers, etc. These recipients will process personal data either as independent administrators (i.e. as entities that determine the purposes and means of personal data processing themselves, independent of the Controller), or as processors (i.e. entities that process personal data for Administrator, based on his instructions).
In addition, the Administrator will provide personal data to public authorities if this obligation is imposed by generally binding legal regulations. These recipients will always process personal data as independent administrators. However, public authorities are not considered beneficiaries in the exercise of their investigative powers.
7. Transfer to third countries or international organizations
The manager will not transfer personal data to third countries or to international organizations in the sense of Article 44 et seq. GDPR.
8. Time of personal data processing
Personal data will only be processed for the time necessary for the purpose of their processing. The termination of one of the legal bases for the processing of personal data does not affect the processing of personal data (to the extent necessary) on the basis of another legal basis.
8.1. Fulfillment of the purchase contract
For this purpose, the Administrator will process personal data within 30 days after the termination of the last of the obligations arising from the purchase contract. This does not affect the Administrator's ability to subsequently process these personal data on the basis of other legal bases and for the purposes specified in these principles.
8.2. Fulfillment of legal obligations by the Administrator
For this purpose, the Administrator will process personal data for the duration of the relevant legal obligation of the Administrator established by generally binding legal regulations.
8.3. Legitimate interests of the Administrator
8.3.1. Direct marketing
For this purpose, the Administrator may process personal data until the time of expressing disagreement with such processing, but for a maximum period of 3 years from the last purchase in the online store (see paragraph 5.3 above).
8.3.2. Legal claims
For this purpose, the Administrator may process personal data for the duration of the existence of the relevant legal claim, but for a maximum period of 1 year after the expiry of the limitation period according to generally binding legal regulations. In the event of the initiation and duration of judicial, administrative or any other proceedings, in which the rights or obligations resulting from the relevant legal claim will be resolved, the period of processing of personal data for this purpose will not end before the final conclusion of such proceedings.
8.4. Consent of the data subject
8.4.1. Direct marketing
For this purpose, the Administrator may process personal data until:
• withdrawal of consent to the processing of personal data (see Article 4 above);
• expressing disagreement with the processing of personal data, in the same way as consent can be revoked (see Article 4 above);
however, at the latest until the customer account is canceled (see paragraph 10.2 below).
8.4.2. Customer account management
For this purpose, the Administrator may process personal data until the customer account is canceled (see paragraph 10.2 below).
8.5. Deletion of personal data
Immediately after the expiry of the processing period according to paragraph 8.1, 8.2 or 8.3.2 above, the Administrator anonymizes or disposes of the relevant personal data for which the purpose of their processing has expired.
In the cases according to paragraph 8.3.1 or 8.4 above, the Administrator shall terminate the processing of personal data for the stated purposes immediately after withdrawal of consent, expression of disagreement or cancellation of the customer account.
9. Rights of data subjects
Each data subject has, among others, the following rights:
• the right to request access to your personal data (under the terms of Article 15 GDPR);
• the right to correct or delete personal data (under the conditions of Article 16 or Article 17 GDPR);
• the right to limit the processing of personal data (under the terms of Article 18 GDPR);
• the right to object to processing (under the terms of Article 21 GDPR);
• the right to data portability (under the terms of Article 20 GDPR);
• the right to withdraw consent to the processing of personal data (see Article 4 above).
Any data subject who believes that the Controller is processing his personal data, which is in conflict with the protection of the private and personal life of the data subject or with the relevant legislation, especially if the personal data are inaccurate with regard to the purpose of their processing, may
a) ask the Administrator for an explanation (contact details see Article 2 above), or
b) demand that the Administrator remove the situation thus created, in particular by making corrections, additions or deletions of personal data (contact details see Article 2 above).
In the event that the data subject believes that his right to the protection of personal data has been violated, he also has the right to file a complaint with the supervisory authority, which is the Office for the Protection of Personal Data, with headquarters in Plk. Sochora 27, Holešovice, 170 00 Prague 7.
10. Customer Account
10.1. Setting up a customer account
The creation of a customer account is completely voluntary, as the Administrator allows you to make a purchase in the online store even without creating a customer account (so-called without registration).
In order for the Administrator to store personal data entered in the form for establishing and maintaining a customer account (or entered into the customer account at any time later), he needs consent.
Until the potential customer concludes a purchase agreement with the Administrator (i.e. becomes a customer), and subsequently after fulfilling all obligations from the concluded purchase agreement, the Administrator will not process personal data other than for the purposes of maintaining a customer account; however, this does not affect the Administrator's ability to process personal data on the basis of other legal bases, in particular on the basis of consent granted for the purposes of applying direct marketing (sending commercial communications).
10.2. Cancellation of customer account
The customer account can be canceled at any time through the customer account or on the basis of a request to cancel the customer account sent to one of the contact addresses listed in Article 2 above.
Regardless of the above, the Administrator may cancel a customer account after 3 years from the customer's last purchase in the online store, as well as the Administrator may cancel a customer account even if the customer violates his obligations under the purchase contract.
In the event that a purchase in the online store never takes place, the Administrator may cancel the customer account after 3 years from its establishment.
11. Cookies and other technical data
More detailed information about so-called cookies and other technical data processed when visiting the website of the online store is provided in the separate document Cookies.
12. Basic terms
Personal data is all information about an identified or identifiable natural person (the so-called data subject); an identifiable natural person is a natural person who can be directly or indirectly identified, in particular by reference to a certain identifier, for example, name, surname, date of birth, residence, e-mail, telephone number, identification number, location data, network identifier or to one or more special elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
The processing of personal data is any operation or set of operations with personal data or sets of personal data, which is carried out with or without the aid of automated procedures, such as collection, recording, arrangement, structuring, storage, adaptation or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other making available, arrangement or combination, restriction, erasure or destruction.
A customer is a natural person who concluded a purchase contract with the Administrator through the online store, i.e. a person who has a so-called customer relationship with the Administrator.
A potential customer is a natural person who has not yet entered into a purchase contract with the Administrator through the online store, i.e. a person who does not have a so-called customer relationship with the Administrator.
13. Further information on the processing of personal data
The administrator is obliged to accept such tech ical and organizational measures to prevent unauthorized or accidental access to personal data, its alteration, destruction, loss, unauthorized transfer or other unauthorized processing or misuse. This obligation applies even after the end of personal data processing.
In case of questions regarding the processing of personal data, the Administrator can be contacted via one of the contact addresses listed in Article 2 above of these policies.
General information on the processing of personal data can also be found on the website of the Office for the Protection of Personal Data available at www.uoou.cz.
These policies take effect on 7/24/2023.