Introductory Provisions
BJP JP Nutrition s.r.o., ID: 17594481, headquartered at Velkopavlovická 4074/10, Židenice, 628 00 Brno, registered in the Commercial Register kept by the Regional Court in Brno, Section C 130674, contact person: Marek Pastorek, contact email address: [email protected] (hereinafter referred to as “company” or “controller”), considering the necessity of fulfilling obligations in the field of personal data protection, arising in particular from Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, as amended, and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), establishes these principles for the processing of personal data.
This document provides information on the personal data processed by the company, for what purpose, and what rights and obligations belong to individuals whose personal data the company processes. This document does not concern the processing of personal data of company employees.
This document may be revised and updated as needed. The company processes personal data manually and automatically, maintaining records of all activities involving the processing of personal data.
Basic Concepts
The company is the controller of personal data, as it determines the purposes and means of processing personal data; it processes personal data itself or utilizes the services of other persons, i.e., processors, for this purpose.
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
A processor of personal data may be any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the company as the controller of personal data.
Basic Principles of Processing
In processing personal data, the company:
processes personal data relating to data subjects fairly, lawfully, and transparently,
collects personal data only for specified, explicit, and legitimate purposes and does not further process them in a manner that is incompatible with those purposes,
processes only such personal data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed,
processes only such personal data that are accurate and, where necessary, kept up to date; for this purpose, the company takes all reasonable steps to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay,
retains personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,
processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
The company is responsible for complying with all the above principles and must be able to demonstrate compliance with these principles. The company is authorized to process personal data only on the basis of one of the legal grounds for processing established by legal regulations. The company must obtain the consent of the data subject only if no other legal ground for processing applies.
Processed Personal Data
In connection with its activities, the company processes the personal data listed below.
These are basic identification and address data:
name and surname,
date of birth,
residence, or contact address,
contact telephone number,
contact email address,
login name and password for the customer account of the e-shop (online store).
If the data subject acts through a representative, the company also processes the identification and address data of this representative.
Where a legal entity is a customer or communicates with the company, the company processes the following personal data assignable to this legal entity: the name and surname of the person acting on behalf of the legal entity and, for this person, the contact telephone number, contact email address, and position or job classification.
Furthermore, the company processes:
customer number,
data on purchased goods and/or subscribed services (order date, delivery date, type, specifications, and quantity of goods or services, price),
communication data between the company and the customer (written or electronic communication, records of telephone calls, …),
login data for the customer account,
data on payment morale,
camera recordings,
newsletter subscription data.
The company regularly updates the processed personal data, especially when it detects inaccuracies in any of the processed personal data or receives information from the data subject about a change in any of the processed personal data.
Sale of Goods and Provision of Services
For the purpose of concluding and fulfilling a contract for the sale of goods or the provision of services, the company processes the identification and address data (see Article 4.2.) of the customer and, if applicable, their representative. If the contract is concluded via email or phone, the company also processes data relating to the customer’s email address and telephone number. If there is communication between the company and the customer related to the process of concluding or fulfilling the contract, the company also processes personal data contained in this communication. Also for this purpose, the company processes data related to the subject of the contract and the method of contract conclusion, in particular, data related to the ordered goods or services, order date, delivery date, and price.
If a contract is concluded through the company’s e-shop (online store), which requires registration (creation of a customer account), the company processes data for the purpose of verification of the customer’s identity, such as login name, password, and login date.
The legal basis for the processing of personal data under this article is its necessity for the conclusion and performance of the contract. The consent of the data subject to this processing is not required. The company obtains these personal data from customers, and additional data are obtained from the course of the business relationship. If a customer refuses to provide any of the personal data mentioned or disagrees with their processing for this purpose, the company would have to refuse to sell the goods or provide services.
The personal data under this article are processed by the company for the time necessary to achieve the stated purpose. If the customer fulfills all his obligations towards the company in connection with the purchase of goods or the provision of services (including payments), after the warranty period expires, the company will terminate the processing of personal data for this purpose unless otherwise specified in these principles.
If a customer provides personal data to the company but a contract is not concluded, the company will terminate the processing of personal data after three (3) calendar months from the date of termination of negotiations for the conclusion of the contract.
The processing of personal data related to the customer account by the company will be terminated after two (2) years from the customer’s last login. In this case, the legal basis for the processing of personal data is the necessity for the purposes of the company’s legitimate interests, which enable the customer to place an order without having to create a new customer account.
Dispute Resolution or Other Proceedings
In the event that the company, customer, or another person initiates dispute resolution or other proceedings, in which the company is a participant, the company processes personal data related to identification and contact, delivered goods or services, unpaid amounts, and other data related to this proceeding that the company has available.
The legal basis for the processing of personal data under this article is its necessity for the purposes of the company’s legitimate interests, which include protecting the property and/or good reputation of the company. The consent of the data subject to this processing is not required. The company obtains these personal data from customers, from persons who initiated the relevant proceedings, from the authority or person with whom the proceedings are taking place, from public registers, or other publicly available sources.
The company processes personal data under this article until the end of the proceedings or the termination of related rights and obligations, for the performance of which it is necessary to process this personal data.
Fulfillment of Legal Obligations
The company further processes personal data for the purpose of fulfilling obligations imposed by law. Due to legal requirements under the accounting law and other legislation, especially in the area of tax administration, the company keeps documents (in electronic or paper form) containing personal data and processes this data in accordance with the legal regulations. These documents include, in particular, tax documents (invoices, receipts) and other documents containing personal data, which the company is obliged to keep under the law.
The legal basis for the processing of personal data under this article is the legal obligation of the company. The company obtains these personal data from customers or from other persons, in particular from state authorities or public registers.
The company processes personal data under this article for the period specified by law, but at least for the duration of the statutory limitation period for any legal claims associated with the relevant contract.
If the personal data contained in the documents are no longer needed for the purposes of accounting or other obligations under the law, the company will destroy or anonymize them.
Direct Marketing
The company may also process personal data for direct marketing purposes, especially for sending business communications and newsletters. In this case, the company processes the personal data mentioned in Article 4.2 and, if applicable, other personal data that the company has available.
The legal basis for the processing of personal data under this article is the legitimate interest of the company, which consists in the promotion of its services and goods. The consent of the data subject to this processing is not required. The company obtains these personal data from customers or from other persons. For this purpose, the company processes personal data for a period of 10 years from their acquisition.
Cookies
The company uses so-called cookies on its website. Cookies are small text files that are stored in the user’s web browser when they visit the website and can be read during subsequent visits to the website. Cookies allow the website to remember information about the user’s visit, such as their preferred language and other settings. This can make the user’s next visit to the website easier and more productive.
The company uses cookies to analyze user behavior on its website and to customize the website to the user’s preferences. The company also uses cookies to personalize advertising and to provide social media features. The data obtained through cookies may be processed by third-party providers, such as Google Analytics, which provides website analysis services.
By using the company’s website, the user agrees to the use of cookies in accordance with this privacy policy. If the user does not agree to the use of cookies, they can disable the use of cookies in their web browser settings. However, disabling cookies may affect the functionality of the website and the user experience.
Camera Recordings
The company uses camera systems to monitor and secure its premises. These camera systems may record images of individuals entering or staying on the company’s premises.
The legal basis for the processing of personal data under this article is the legitimate interest of the company, which consists in the protection of its property and the safety of its employees and customers. The consent of the data subject to this processing is not required. The company processes personal data under this article for the time necessary to achieve the stated purpose, but for a maximum of 10 days, unless the recording is necessary for the investigation of an incident or a violation of the law.
Security of Personal Data
The company implements appropriate technical and organizational measures to ensure the security of personal data. These measures include the use of encryption, access controls, secure data storage, regular security audits, and employee training in data protection matters.
The company ensures that personal data are accessible only to authorized persons who need to access them for the purposes for which they were collected. The company also ensures that personal data are not disclosed to unauthorized persons or entities.
The company regularly reviews its security measures to ensure that they remain effective and up-to-date in light of technological developments and changes in the threat landscape.
The company also requires its third-party service providers to implement appropriate security measures to protect personal data.
Rights of Data Subjects
Data subjects have certain rights regarding their personal data processed by the company. These rights include the right to access their personal data, the right to rectify inaccurate personal data, the right to erase personal data (the “right to be forgotten”), the right to restrict the processing of personal data, the right to data portability, the right to object to the processing of personal data, and the right not to be subject to automated decision-making, including profiling.
Data subjects can exercise their rights by contacting the company using the contact information provided in this privacy policy.
Data subjects also have the right to lodge a complaint with the relevant supervisory authority if they believe that the processing of their personal data by the company violates applicable data protection laws.
Changes to this Privacy Policy
The company reserves the right to amend this privacy policy from time to time to reflect changes in legal or regulatory requirements, changes in industry best practices, or changes in the company’s business practices. Any changes to this privacy policy will be posted on the company’s website and will be effective immediately upon posting. Data subjects are encouraged to review this privacy policy periodically to stay informed about how the company is processing their personal data. In the event that the existence of a serious legitimate reason for processing, which outweighs the interests or rights and freedoms of the data subject, is not proven, the company shall cease processing based on objection without undue delay.
The data subject may withdraw consent to the processing of personal data at any time if the company processes it based on their consent; however, the legality of processing based on consent granted before its withdrawal shall not be affected.
Submit a request or complaint to the Office for Personal Data Protection (www.uoou.cz).
Effectiveness
These principles are effective from May 25, 2018.