Privacy

DATA PROTECTION POLICY

in accordance with: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter: „GDPR Regulation“, „Regulation“ or just: „GDPR“

1. Company: Otto DIY Workshop s.r.o.
ID no.: 08237841
residing at the address Nové Sady 988/2, Staré Brno, 602 00 Brno
registered in the Commercial Registry at the Regional Court in Brno, section C, file 112621
represented by the managing director Tereza Švarcová
tel.: +420 736 723 321
e-mail: privacy@ottodiy.com
Website: https://www.ottodiy.com/
(hereinafter the “Company“)
is the controller of the personal data of the data subjects, i.e. the body which determines the purposes and means of the processing of personal data of the data subjects.
2. Data subjects are understood in the sense of the Article 4 Paragraph 1 of the Regulation as the persons whose personal data are processed. These data subjects are namely:
customers making a purchase via the e-shop of the Company,
hereinafter „Customers“ or „Personal Data Subjects“.
3. The Company processes the following personal data of the Personal Data Subjects (Customers):
a) name and surname,
b) address (shipping and/or billing),
c) identification number,
d) tax identification number,
e) phone number,
f) e-mail address,
g) bank account number.
4. The Data Subject is obliged to transmit their personal data specified in Paragraph 3 letters a), b), e) and f); without transmitting this personal data it is not possible to send the electronic order on the website of the Controller (and therefore conclude the Purchase Agreement for goods), nor is it possible to conclude a Purchase Agreement with the Controller individually (outside of the electronic order). Personal Data specified in Paragraph 3 letters c) and d) have to be transmitted only by the Data Subject acting in the course of their business (as an entrepreneur). Personal Data specified in Paragraph 3 letter g) has to be transmitted by the Data Subject only if it is necessary for a payment refund from the Controller; if the Data Subject pays via bank transfer, the Controller shall receive the information about the bank account number of the Data Subject from their bank statement.
5. The reason and legal basis for the processing of Personal Data of the Personal Data Subjects are:
Article 6 Paragraph 1 Letter b) of the GDPR, namely that processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- this applies to the personal data specified in Article 3 Letters a), b), c), e), f) and g)
Processing of the data specified in Article 3 Letters a), b) and c) is necessary because these are basic data of the Data Subject, without which the subject cannot be identified and the ordered goods cannot be delivered.
Processing of the data specified in Article 3 Letter e) (phone number) is necessary contact information for the customs authorities of the Data Subject, who may use the data to contact the Data Subject and communicate with them about the clearance of the goods when entering the country of destination. The data is transmitted to these authorities by the carrier of the goods, to whom the data is transmitted by the supplier of the goods in the People’s Republic of China (PRC). This data is necessary also for the Controller, for the supplier of the goods in PRC and for the carrier with the purpose of necessary communication regarding the transportation of the goods.
Processing of the data specified in Article 3 Letter f) (e-mail address) is necessary contact information for the purpose of communication between the Controller (Seller) and the Data Subject (Buyer). E-mail serves as means of distance communication for concluding the Purchase Agreement and for further legal actions or related communication between the Controller (Seller) and the Data Subject (Buyer).
Processing of the data specified in Article 3 Letter g) (bank account number) is necessary contact information if it is necessary to refund the payment received by the Controller back to the Data Subject.
Article 6 Paragraph 1 Letter c) of the GDPR, namely that processing is necessary for compliance with a legal obligation to which the controller is subject, namely for the purposes of processing and keeping accounts/tax records.
- this applies to the personal data specified in Paragraph 3 Letters a), b), c) and d).
6. The personal data of the Personal Data Subject shall be processed by the Company for the period of time necessary for exercising of rights and obligations resulting from the contractual relationship between the Company and the Personal Data Subject and for making claims based on such contractual relationship and further for 10 years after the termination of the contractual relationship. The Controller shall delete the personal data upon expiry of the retention period.
7. The personal data specified in Paragraph 3 Letters a), b) and e) shall be transferred to the supplier of the Controller in PRC, for which the Commission has not issued a decision about an adequate level of personal data protection according to the Article 45 of the GDPR. The transfer of the personal data is therefore based on a derogation in the sense of the provisions of Article 49 Paragraph 1 Letter b) of the GDPR, according to which the transfer is necessary for the performance of a contract between the data subject and the controller.
8. At present time the Company does not have any employees and the personal data is therefore processed directly by the statutory body of the Company and by the associates of the Company. If the Company has employees in the future and if these employees have access to the personal data due to the scope of their work, they will be bound by the obligation of secrecy to the Company.
9. Apart from the Data Subjects themselves, their personal data may further be transmitted to:
- the Controller’s supplier in PRC, who is responsible for the shipment of the goods from PRC to the customers (this supplier only receives the data specified in Paragraph 3 Letters a), b) and e)),
- the carrier of the goods ordered by the Data Subject (who only receives the data specified in Paragraph 3 Letters a), b) and e)),
- public authorities of the country of destination (especially the customs authorities),
- external accountant of the Company (billing information),
- lawyer of the Company,
- public authorities (court, law enforcement and criminal justice etc.),
- distrainor or insolvency administrator.
10. Personal data of the Personal Data Subject are obtained directly from the Personal Data Subject.
11. Personal Data Subject shall have the right to access the personal data within the meaning of Article 15 of the Regulation. This includes the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- list of personal data that are being processed,
- the purposes of the processing of this personal data,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed,
- where the personal data are not collected from the data subject, any available information as to their source,
- the envisaged period for which the personal data will be processed or the criteria used to determine that period,
- the existence of the right to request from the Company rectification/completion of the personal data within the meaning of Article 16 of the Regulation, the right to request erasure of the personal data (right to be forgotten) within the meaning of Article 17 of the Regulation, the right to restriction of processing of the personal data within the meaning of Article 18 of the Regulation, the right to object to processing of personal data within the meaning of Article 21 of the Regulation, the right to data portability within the meaning of Article 20 of the Regulation, the right to lodge a complaint with a supervisory authority within the meaning of Article 77 of the Regulation and the right to a judicial remedy of the personal data subject within the meaning of Articles 78 and 79 of the Regulation.
The request to exercise the right of the Personal Data Subject under this Article shall be sent by the Personal Data Subject to the e-mail address of the Company and the Company shall send the requested data to the e-mail address of the Personal Data Subject, from which the request has been sent. Where Personal Data Subject sends the request in paper format, and where he or she requests the information under this Article in paper format (or where he or she does not provide contact e-mail where he or she can receive the information under this Article in electronic form), he or she shall be charged an administrative fee of 4 EUR by the Company.
The Company is obliged to respond in written form to requests from the Data Subject within the meaning of this Article without undue delay and at the latest within one month since the day of receiving the request; in case of special circumstances at the latest within two months since the day of receiving the request. Where response is delayed within the meaning of the previous sentence after the semicolon, the Company is obliged to inform the Data Subject within one month since the day of receiving the request and to include the reasons for the delay.
Where the Data Subject requests, the Company is obliged to issue him or her a copy of the personal data being processed, primarily in electronic form. Where the Personal Data Subject requests a copy in paper form, or where he or she does not provide to the Company an e-mail address for this purpose, the Company shall provide a copy in paper form. The Company charges an administrative fee of 0.2 EUR per paper for issuing a copy in paper form.
12. The Personal Data Subject has the right to request from the Company the rectification or completion of personal data within the meaning of Article 16 of the Regulation:
- by phone on the phone number specified in Article 1,
- on the e-mail address specified in Article 1,
- in paper form on the residing address of the Company.
Where the Personal Data Subject requests from the Company a reaction in written form, he or she is obliged to send the request for exercising the right under this article in written form (to the e-mail address of the Company or in paper form – see above). The Company shall perform the rectification or completion and shall send to the e-mail address of the Personal Data Subject, from which the request has been sent, a confirmation of the rectification/completion. Where the Personal Data Subject sends the request in paper form and requests sending the information under this Article in paper form (or where he or she does not provide a contact e-mail address where the information under this Article can be sent in electronic form), he or she shall be charged an administrative fee of 4 EUR by the Company.
The Company is obliged to provide on request of the Personal Data Subject information about measures taken in relation to his or her request under this article without undue delay and at the latest within one month since the day of receiving the request; in case of special circumstances at the latest within two months since the day of receiving the request. Where response is delayed within the meaning of the previous sentence after the semicolon, the Company is obliged to inform the Data Subject within one month since the day of receiving the request and to include the reasons for the delay.

13. Personal Data Subject has the right to request from the Company erasure of his or her personal data (right to be forgotten) within the meaning of Article 17 of the Regulation, only if:
- the personal data are no longer necessary in relation to the purposes for which they are processed,
- there is no legal ground for the processing of the data,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation.
Even when fulfilling the conditions specified above, the Personal Data Subject does not have the right to erasure of personal data when the processing is necessary:
- for exercising the right of freedom of expression and information,
- for compliance with a legal obligation under valid and effective legal regulations or for the performance of a task carried out in the public interest or in the exercise of official authority,
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,
- for reasons of public interest in the area of public health,
- for the establishment, exercise or defence of legal claims.
The request to exercise the right of the Personal Data Subject under this Article shall be sent by the Personal Data Subject to the e-mail address of the Company and the Company shall send the requested data to the e-mail address of the Personal Data Subject, from which the request has been sent. Where Personal Data Subject sends the request in paper format, and where he or she requests the information under this Article in paper format (or where he or she does not provide contact e-mail where he or she can receive the information under this Article in electronic form), he or she shall be charged an administrative fee of 4 EUR by the Company.
The Company is obliged to provide on request of the Personal Data Subject information about measures taken in relation to his or her request under this article without undue delay and at the latest within one month since the day of receiving the request; in case of special circumstances at the latest within two months since the day of receiving the request. Where response is delayed within the meaning of the previous sentence after the semicolon, the Company is obliged to inform the Data Subject within one month since the day of receiving the request and to include the reasons for the delay.
14. Personal Data Subject has the right to request from the Company restriction of processing of his or her personal data within the meaning of Article 18 of the Regulation, only if:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data; this personal data shall for the time of restriction of processing be processed only within the meaning of storing for the establishment, exercise or defence of legal claims, for reasons of important public interest, for the protection of the rights of another natural or legal person or with the Personal Data Subject’s consent.
- the processing is unlawful and the personal data subject does not want to exercise the right to be forgotten within the meaning of Article 17 of the Regulation and requests the restriction instead,
- the Company no longer needs the personal data of the Personal Data Subject for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims.
Where the Personal Data Subject exercises this right, the Company is obliged to inform him or her that the restriction of processing shall be lifted before it is lifted.
The Company is obliged to inform each recipient to whom the personal data of the Personal Data Subject has been disclosed about any rectification, erasure or restriction of processing of the personal data.
The request to exercise the right of the Personal Data Subject under this Article shall be sent by the Personal Data Subject to the e-mail address of the Company and the Company shall send the requested data to the e-mail address of the Personal Data Subject, from which the request has been sent. Where Personal Data Subject sends the request in paper format, and where he or she requests the information under this Article in paper format (or where he or she does not provide contact e-mail where he or she can receive the information under this Article in electronic form), he or she shall be charged an administrative fee of 4 EUR by the Company.
The Company is obliged to provide on request of the Personal Data Subject information about measures taken in relation to his or her request under this article without undue delay and at the latest within one month since the day of receiving the request; in case of special circumstances at the latest within two months since the day of receiving the request. Where response is delayed within the meaning of the previous sentence after the semicolon, the Company is obliged to inform the Data Subject within one month since the day of receiving the request and to include the reasons for the delay.

15. The Personal Data Subject shall have the right to data portability within the meaning of Article 20 of the Regulation, which includes the right to receive the personal data concerning him or her, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where the processing is carried out by automated means. Where technically feasible, the data subject shall have the right to request the Company to transmit those personal data directly to another controller.
The request to exercise the right of the Personal Data Subject under this Article shall be sent by the Personal Data Subject to the e-mail address of the Company and the Company shall send the requested data to the e-mail address of the Personal Data Subject, from which the request has been sent. Where Personal Data Subject sends the request in paper format, and where he or she requests the information under this Article in paper format (or where he or she does not provide contact e-mail where he or she can receive the information under this Article in electronic form), he or she shall be charged an administrative fee of 4 EUR by the Company.
The Company is obliged to provide on request of the Personal Data Subject information about measures taken in relation to his or her request under this article without undue delay and at the latest within one month since the day of receiving the request; in case of special circumstances at the latest within two months since the day of receiving the request. Where response is delayed within the meaning of the previous sentence after the semicolon, the Company is obliged to inform the Data Subject within one month since the day of receiving the request and to include the reasons for the delay.
16. Where the Company does not take the measures requested by the Personal Data Subject, the Company is obliged to inform the Personal Data Subject about the reasons at the latest within one month since the day of receiving the request.
17. The Personal Data Subject shall have the right to lodge a complaint with a data protection authority within the meaning of Article 77 of the Regulation if he or she thinks that processing of his or her personal data led to an infringement of the Regulation. The personal data subject shall have the right to an effective judicial remedy against a legally binding decision of the data protection authority or where the authority does not process the complaint and does not inform the Personal Data Subject about the processing of the complaint within three months since the day of lodging the complaint.
The contact of the Czech data protection authority is:
Úřad pro ochranu osobních údajů
residing at: Pplk. Sochora 27, 170 00 Praha 7
tel.: +420 234 665 111
web: www.uoou.cz
18. Personal Data Subject shall have the right to judicial remedy against the data protection authority and the Company as the controller of personal data. Further information about exercising the right to judicial remedy is specified in Articles 78 and 79 of the Regulation.
19. Where a personal data protection breach is likely to result in a high risk to the rights and freedoms of the Personal Data Subject (with the exception of cases where Article 34 of the GDPR regulation does not require the Company to undergo this process), the Company is obliged to notify the supervisory authority of any personal data breach without undue delay and not later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The rule concerning the obligation to notify the supervisory authority of the data breach shall not be used if the breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects. The notification to the data protection authority has to contain the essential information specified in Article 33 of the GDPR Regulation.

…………………………………….……………………

Otto DIY Workshop s.r.o.

Mgr. Tereza Švarcová (managing director)