1. Introduction

This document (hereinafter the “Rules”) provides customers, suppliers and business partners (hereinafter the “Data Subject”) of ŽALUZIE NEVA s.r.o., Háj 370, 798 12 Kralice na Hané, Company ID No 26301270, registered at the registration court in Brno, file record C 42544 (hereinafter the “Controller”) with information about the procedure for processing their personal data and the related rights according toArticle 12 of Regulation (EU) of the European Parliament and of the Council 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”).

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A Data Protection Officer was not designated by the Controller

2. Data controller

The Controller is entitled to submit the personal data to subjects with which it has signed a personal data processing agreement and those that will process the data for the Controller as its processors. According to this, the Controller is entitled to submit the personal data of the Data Subject to the following subjects, or categories of subjects:

  • companies or persons engaged in the transport of goods,
  • assembly teams,
  • persons providing the operation of software and storage of data (creation of a purchase order).

The personal data of the Data Subject may also be provided to the following recipients/​categories of recipients:

  • the Controller’s suppliers,
  • Controller’s employees,
  • persons with contractual relationships with the Controller (for instance, providers of marketing and advertising services),
  • financial institutions and insurance companies,
  • and state authorities within the framework of the performance of the statutory obligations of the Controller stipulated by the applicable legislation.

3. Personal data processing categories

The Controller is authorised to process mainly the following personal data of the Data Subjects:

  • address and identification data used for one-off or the specific identification of Data Subjects (for instance, the name, surname, title, permanent residential address, address of the business unit, mailing address, Company ID No, Tax ID No) and the contact data of the Data Subject (for instance, contact address, telephone number, e‑mail address, etc.),
  • descriptive data (for instance, bank details, order history),
  • photographs, preview images, banners and videos,
  • data provided beyond the framework of the applicable laws processed within the scope of consent to the processing of personal data provided by the Data Subject (for instance, the use of personal data for the purpose of personnel management, use of personal data for promotional and similar purposes),
  • preferences including settings in the field of marketing and use of cookies by the Data Subject,
  • additional data necessary for fulfilment of the agreement,
  • additional personal data which the Data Subject provided to the Controller.

4. Personal data processing purposes

The Controller processes the personal data of the Data Subjects for the following purposes:

  • A) Fulfilment of a contract according to Article 6(1)(b) GDPR,
  • B) Compliance with the legal obligations of the Controller that are stipulated by generally binding legislation on the basis of Article 6(1)© GDPR (for instance, the obligation of the Controller to archive accounting and tax documents),
  • C) Designation, performance or defence of the legal claims of the Controller on the basis of Article 6(1)(f) GDPR,
  • D) Sending of business messages on the basis of Article 6(1)(f) GDPR for reason of existence of the justified interest of the Controller consisting in direct marketing,
  • E) Other marketing purposes of the Controller related to its offer of products and services; sending of information about innovations (products, technologies, showrooms), company presentations (trade fairs, exhibitions), services, etc. (for instance, in the form of distribution of newsletters, telemarketing); contacts for the purpose of market research and marketing surveys; contacts for the purpose of wishes on significant national holidays and sending gift vouchers and the like on the basis of Article 6(1)(a) GDPR.

5. Personal data processing period

The personal data shall be processed only for the processing period essential for the processing purpose. With regard to the above-stated:

  • for purposes according to letter A) above, the personal data shall be processed until the expiration of the obligation under the contract (this does not affect the Controller’s option to further process these personal data – to the necessary extent
  • for purposes according to letters B), C), D) and/​​or E) above,
  • for purposes according to letter B) above, the personal data shall be processed for the duration of the existence of the relevant legal obligation of the Controller,
  • for purposes according to letter C) above, the personal data shall be processed upon the lapse of the 4th calendar year following the end of the guarantee period according to the contract (if a quality guarantee was contracted), but at least upon the lapse of the 5th calendar year following the demise of the obligation under the contract,
    in the case of the initiation and continuation of court, administrative or other proceedings in which the rights and obligations of the Controller are resolved in relation to the given Data Subject, provided the personal data processing period for the purpose according to letter C) does not expire before the end of such proceedings,
  • for the purpose of sending business messages according to letter D) above, the personal data shall be processed until the Data Subject withdraws its consent to such processing,
  • for the purposes according to letter E) above, the personal data shall be processed for the period that the Data Subject shall provide consent to the Controller according to separately granted consent to personal data processing. The Data Subject in this case acknowledges that the Controller may contact them for the purpose of renewing this consent prior to the expiry of this period.

At the latest by the end of the calendar quarter following the expiry of the above-stated processing period, the given personal data whose processing purpose has ended will be discarded (by shredding or other method, which shall ensure that unauthorised persons will not be able to access these data) or anonymised.

6. Personal data processing procedure

Personal data processing is performed by the Controller. Processing is done in the plants, branches and headquarters of the Controller by its designated employees, or Processors. The processing of Personal Data is done by computer or manually in the case of documentary personal data, while respecting all the security policies for control and processing of personal data. For this purpose, the Controller adopted technical and organisational measures to ensure the security of the personal data, particularly measures to prevent the unauthorised or accidental access to personal data, their change, destruction or loss, unauthorised transfers, unauthorised processing, as well as other abuse of personal data. All subjects that may be provided with access to personal data respect the right of the Data Subjects to the protection of privacy and are obligated to act according to the applicable legislation on the protection of personal data. Neither the automation of individual decision-making or profiling shall be done on the basis of data provided. The personal data of the Data Subjects will not be provided to third countries (i.e. countries outside the EU and EEA).

7. Right to consent to personal data processing

In connection with the processing of their personal data, the Data Subjects have many rights, including the right to request the Controller

  • to provide access to own personal data (according to Article 15 GDPR),
  • correction or deletion of personal data (according to Article 16 or 17 GDPR),
  • restriction of personal data processing (according to Article 18 GDPR),
  • to object to personal data processing (according to Article 21 GDPR),
  • the right to transferability of personal data (according to Article 20 GDPR)
  • and the right to revoke consent to the processing of personal data in writing or electronically to the address or e‑mail of the Controller stated in these Rules.

If a Data Subject ascertains or assumes that the processing of their personal data infringes upon the protection of their private or personal life or violates legislation, the Data Subject has the right to contact the Controller with a request for an explanation and/​or remedy of such state. The application must be made in writing by letter or e‑mail sent to the Controller’s contact address: info@neva.eu.

If the application of the Data Subject shall be found to be justified, the Controller shall immediately remedy the faulty situation. This does not affect the option of the Data Subject to directly contact the supervisory authority, which is the Office for Protection of Personal Data (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, +420 234 665 555, www.uoou.cz.

8. Conclusion

These rules shall apply to data subjects unless a third party and the Controller agree otherwise. The Controller reserves the right to amend these personal data processing conditions in whatever form and at any time, whereas the current version shall always be posted on the web site www.neva.eu/gdpr.