SECURITY POLICY

Cookies

A cookie is a short text sending a visited website to the browser.  It enables to the website to remember information about your visit, like preferred displaying of products, product filters and other settings when shopping. Thus, the next visit of the website may be easier and more productive. Cookies are important. Web browsing would be much more difficult without them.

We use cookies for many objectives. For example, we use them to save your codes when shopping, to show the history of browsed products, to monitor the number of visitors on the site, to automatically login into your account at your next visit and to protect your personal data.

Rules for personal data protection

I.
Fundamental provisions
1.       The company KARLSBADEN s.r.o., with its registered office at Dr. Horákové 1359/7, 360 01 Karlovy Vary, Company Reg. No. 02844770, registered in the Commercial Register of the Regional Court in Plzeň, Section C, Insert 29630 (hereinafter only the “Controller”) is the controller of personal data under Article 4 (7) of Regulation (EU) 2016/679  of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter only the “GDPR”) is.
2.      The Controller´s contact data are
Address: Blahoslavova 18/5, 36009, Karlovy Vary
E-mail: [email protected]
Telephone: +420774466397
3.      Personal data are considered to be all information about an identified or identifiable natural person; the identifiable natural person is a natural person who may be directly or indirectly identified by referring, in particular, to a certain identifier, e.g. to a name, an identification number, location data, a net identifier or to one or more special elements of physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
4.                 The Controller did not appoint a data protection officer.
II.
Sources and categories of processed personal data
1.      The Controller processes personal data that you provided to him or personal data that the Controller obtained by fulfilling your order.
2.      The Controller processes your identification and contact data and data necessary to perform the contract.

III.
Legal reason and purpose for the processing of personal data
1.      The legal reason for the processing of personal data is
·         the performance of contract between you and the Controller under Article 6 (1) (b) of GDPR,
·         the legitimate interest of the Controller to provide direct marketing (in particular sending commercial messages and newsletters) under Article 6 (1) (f) of the GDPR,
·         your consent to process personal data for the purpose of providing direct marketing (in particular sending commercial messages and newsletters) under Article 6 (1) (f) of the GDPR in connection to Section 7 (2) of Act No. 480/2004 Coll., on Certain Information Society Services, in case that goods or services were not ordered.
2.      The purpose of personal data processing is
·         to execute your order and to exercise rights and obligations resulting from the contractual relationship between you and the Controller; when making an order, your personal data are necessary to successfully execute your order (name and address, contact); providing your personal data is a necessary prerequisite to conclude and perform the contract; it is not possible for the Controller to conclude a contract or perform it without providing personal data,
·         to send commercial messages and carry out other marketing activities.
3.                 It is not the automated individual decision-making of the Controller within the intention of Article 22 of the GDPR.
IV.
The period for data retention
1.      The Controller retains personal data
·         during the period necessary to exercise rights and obligations resulting from the contractual relationship between you and the Controller and to assert claims under these contractual relationships (during the period of 15 years after the contractual relationship is terminated).
·         during the period before the consent to process personal data for the purposes of marketing is withdrawn and no later than 10 years if personal data are processed with consent.
2.      The Controller will erase personal data after the expiration of the period for personal data retention.

V.
Recipients of personal data (Subcontractors of the Controller)
1.      Recipients of personal data are persons
·         involved in delivering goods / services / making payments based on the contract,
·         ensuring services to run the e-shop and additional services in connection with the operation of the e-shop,
·         ensuring marketing services.
2.       The Controller has no intention to transmit personal data to a third country (to a country outside the EU) or to an international organization. Recipients of personal data in third countries are providers of mailing services / cloud services.

VI.
Your rights
1.      Under conditions set out by the GDPR you have
·         the right to access your personal data under Art. 15 of the GDPR,
·         the right to rectification of your personal data under Art. 16 of the GDPR or restriction of processing under Art. 18 of the GDPR.
·         the right to erasure of personal data under Art. 17 of the GDPR.
·         the right  to object to processing under Art. 21 GDPR a
·         the right  to data portability under Art. 20 of the GDPR.
·         The right to withdraw consent with processing either in writing or electronically at the address or e-mail of the Controller stated in Art. III hereof.
2.      Furthermore, you have the right to file a complaint at the Office for Personal Data Protection in case that you think your right to personal data protection has been violated.

VII.
Conditions to secure personal data
1.      The Controller declares that he adopted all appropriate technical and organizational measures to secure personal data.
The Controller adopted technical measures to secure data storages as well as storage sites for personal data in documentary form. Technical measures consist in the use of technologies preventing unauthorized access of third persons to User´s data. In order to ensure the highest protection, we use encryption of User´s data as well as end users, in particular passwords for log-in into our system, communication in our system and all data stored on servers. As for organizational measures, there is a set of rules of conduct for our employees and these rules are integrated into our internal regulations which are, however, considered to be strictly confidential.
All data are located on servers located only in the European Union or in countries ensuring personal data protection in a manner equal to the protection provided by legal regulations of the European Union.

2.      The Controller declares that only persons authorized by him have access to personal data.

VIII.
Final provisions
1.      By sending an order through the online order form you confirm that you have a full knowledge of the rules for personal data protection and that you accept them in full extent.
2.      You agree with the rules by marking your consent through the online form. By marking the consent you confirm that you have a full knowledge of the rules for personal data protection and that you accept them in full extent.
3.      The Controller is authorized to change these rules. He will post a new version of the rules for personal data protection on his website or he will send you a new version of these rules to the e-mail address that you provided to the Controller.

These rules come into effect on 25^th May 2018.