ADOPTED IN ACCORDANCE WITH REGULATION NO. (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA AND REPEALING DIRECTIVE 95/46 / EC (GENERAL REGULATION ON THE PROTECTION OF PERSONAL DATA) (HEREINAFTER REFERRED TO AS THE “GDPR “)

1. INTRODUCTION

lafarmaciashop.com. hereinafter referred to as (the “Controller”) as the operator of the lafarmaciashop.com internet store processes personal data of the so-called data subjects – natural persons who shop or have shopped in the internet store (customers), or persons interested in receiving (potential customers).

The Controller ensures that the processing of personal data of the above-mentioned persons is legal, correct, transparent, accurate, and confidential and that personal data are processed only to the extent necessary. The Controller also ensures that the personal data are properly secured and that all rules established by the GDPR and other personal data protection laws are respected when processing personal data.

These Guidelines have been adopted, among other things, in order to demonstrate compliance with the processing of personal data by the Controller with legal regulations. An explanation of the individual terms related to the processing of personal data according to these Guidelines is given in Article 12 below.
 

2. PERSONAL DATA CONTROLLER

2.1 Identity of the Controller

The personal data Controller is lafarmaciashop.com

2.2 Contact Information of the Controller

3. PURPOSES OF THE PROCESSING FOR WHICH THE PERSONAL DATA ARE INTENDED AND THE LEGAL BASIS FOR THE PROCESSING

3.1 Fulfilment of the Purchase Contract

The Controller processes personal data in particular for the purpose of fulfilling the Purchase Contract, at least in order for the Controller to be able to deliver the goods purchased in the internet shop to the customer.

The legal basis for such processing is article 6, paragraph 1, letter b) GDPR – fulfillment of the contract to which the data subject is a party. The time for the processing of personal data for this purpose is given in paragraph 7.1 below.

3.2 Fulfilment of the Legal Obligations by the Controller

The Controller processes personal data for the purpose of fulfilling the Legal Obligations of the Controller, arising e.g. from accounting and tax laws, laws on consumer protection, etc., including the obligation of the Controller to be able to prove processing of personal data in accordance with generally binding legal regulations, in particular in accordance with the GDPR.

The legal basis for such processing is article 1 letter c) GDPR – compliance with a legal obligation to which the controller is subject.

The time for the processing of personal data for this purpose is given in paragraph 7.2 below.

3.3 Legitimate interests pursued by the Controller

The Controller may process personal data for the purpose of:

• applying direct marketing (see article 5 below)

• designation, enforcement, or defense of legal claims (in particular legal claims arising from a concluded purchase contract).

The legal basis for such processing is article 6, paragraph 1, letter f) GDPR – legitimate interests pursued by the Controller. The time for the processing of personal data for this purpose is given in paragraph 7.3 below.

3.4 Consent of the Data Subject

Based on the consent, the Controller may process personal data for the purpose of:

The legal basis for such processing is article 6, paragraph 1, letter a) GDPR – consent of the data subject.

The time for the processing of personal data for this purpose is given in paragraph 7.4 below.

4. PROCESSING OF PERSONAL DATA ON THE BASIS OF CONSENT

4.1 Voluntariness

Giving consent to the processing of personal data is entirely voluntary. Any refusal to give the consent will have no adverse consequences for the data subject.

4.2 Withdrawal of Consent

Every data subject has the right to withdraw his or her consent to the processing of his or her personal data at any time in one of the following ways:

• by an electronic notice sent to the e-mail address or to the data box of the Controller (see paragraph 2.2 above);

• by a written notice sent to the Controller’s address (see paragraph 2.2 above).

The consent to customer account management can also be withdrawn by canceling the customer account (see paragraph 9.2 below).

Withdrawing the consent is without prejudice to the lawfulness of the processing of personal data in the period prior to the consent withdrawal.

5. DIRECT MARKETING

5.1 In general

The processing of personal data for direct marketing purposes means the processing of personal data for the purpose of:

5.2 Commercial Communications

Commercial communication means any form of communication, including advertising and encouragement to visit websites of the internet-store, intended for the direct or indirect support of goods or services, or a Controller’s image, distributed by e-mail, SMS, or other forms of electronic means.

The processing of personal data for the purpose of sending commercial messages to persons who have not yet made any purchase in the Internet store is possible only on the basis of consent, and the sending of commercial messages will be done on the basis of consent (in accordance with § 7, paragraph 2 of Act No. 480/2004 Sb.).

The processing of personal data for the purpose of sending commercial communications to the customers (i.e. persons who have already made some purchase the Internet store) is possible even without consent, based on the legitimate interest of the Controller (see paragraph 3.3 above), where the actual sending of commercial communications will also be done without consent (in accordance with Section 7, paragraph 2 of Act No. 480/2004 Coll.), unless the customer initially refused it and the commercial communications will concern only such products of the Controller, which are similar to those purchased by the customer in the internet shop. In other cases, commercial communications will be sent only on the basis of consent.

5.3 Printed Catalogue

The processing of personal data for the purpose of sending commercial communications to the customers) is possible even without consent, based on the legitimate interest of the Controller (see paragraph 3.3 above). The actual sending of the printed catalog will be done solely on the basis of the customer’s consent through the customer account. 

5.4 The Scope of Processing of Personal Data for Direct Marketing Purposes

For the purpose of sending commercial communications, the Controller processes the only gender, email address, and telephone number. The Controller processes the gender in order to individualize commercial communications. If the customer agrees, he or she may also voluntarily communicate his / her date of birth to the Controller for the purpose of sending annual commercial communications containing birthday congratulations with surprise (such as a promotional gift, provision of additional discounts on the purchase, etc.) or possibly his / her location for sending business communications with information about various social events held in the vicinity of the customer’s location, in which the Controller will participate.

For the purpose of finding the customer’s satisfaction with the purchase in the internet store, the Controller processes the e-mail addresses and information about the purchased goods. For the purpose of sending printed catalogues, the Controller processes the first name, surname, and delivery address.

5.5 Termination of the Processing for Direct Marketing Purposes

The Controller shall terminate the processing of personal data for the purposes of direct marketing immediately (see paragraph 7.5 below) after the customer or potential customer expresses his or her disagreement with such processing. The disagreement can be expressed, for example, in one of the following ways:

Notwithstanding the foregoing, the Controller will discontinue the processing of personal data for direct marketing purposes no later than 10 years after the last purchase in the internet shop (conclusion of purchase contract). With each new purchase, the processing period is extended by another 10 years.

6. CATEGORIES OF PERSONAL DATA RECIPIENTS

The Controller is entitled to transfer personal data to the recipients with whom the Controller has entered into a contract on the processing of personal data and who will process personal data for the Controller as processors (e.g. entities providing accounting services, online marketing services, postal services, legal services, IT services, providers of payment gates, internet search engines and comparators, domain administrators, technical support providers, collection agencies, advertising system operators, etc.).

The Controller will only transfer personal data to those processors who will guarantee to the Controller that personal data will not be transferred to any other processor that would not be able to provide sufficient personal data protection.

7. THE TIME PERIOD OF THE PROCESSING OF PERSONAL DATA

Personal data will be processed only for the time period necessary for the purpose of their processing. The termination of one of the legal bases for the processing of personal data is without prejudice to the processing of personal data (to the extent necessary) based on another legal basis.

7.1 Fulfilment of the Purchase Contract

The Controller will process personal data for this purpose for the duration of the concluded purchase contract and further for a period of 30 days from the date of termination of the last of the obligations stipulated in the purchase contract (i.e. usually within 30 days from the date of delivery of the purchased goods).

7.2 Fulfilment of Legal Obligations by the Controller

The Controller will process personal data for this purpose for the duration of the relevant legal obligation of the Controller, laid down by generally binding legal regulations.

E.g. accounting documents must be kept for 5 years, tax documents for 10 years).

7.3   Legitimate interests of the Controller

7.3.1 Direct Marketing

The Controller may process personal data for this purpose until a disagreement with such processing is expressed, but no longer than for  10 years from the last purchase in the Internet store (see paragraph 5.6 above).

7.3.2  Legal Claims

The Controller may process personal data for this purpose for the period of existence of the relevant legal claim, but no longer than for  1 year after the expiry of the limitation period according to generally binding legal regulations. In the event of the commencement and duration of any judicial, administrative, or any other proceedings in which the rights or obligations arising out of the relevant legal claim will be resolved, the processing of personal data for that purpose shall not end before the final end of such proceedings.

7.4   Consent of the Data Subject

7.4.1 Direct Marketing

The Controller may process personal data for this purpose until the moment of:

7.4.2 Customer account management

 The Controller may process personal data for this purpose until the moment of canceling the customer account (see paragraph 10.2 below).

7.5   Erasure of Personal Data

Immediately upon the expiry of the period of the processing according to paragraphs 7.1, 7.2 or 7.3. above, the Controller shall anonymize or destroy the relevant personal data in which the purpose of their processing has expired.

In the cases under the paragraphs 7.3.1. or 7.4 above the Controller shall terminate the processing of personal data for those purposes immediately after the withdrawal of consent, expression of disagreement, or cancellation of the customer account takes place.
 

8. RIGHTS OF THE DATA SUBJECT

Each data subject shall, among other things, have the following rights:

If the data subject believes that his or her right to the protection of personal data has been violated, he or she also has the right to file a complaint with the supervisory authority, which is the Office for the Protection of Personal Data (“Úřad pro ochranu osobních údajů”), with its registered address at Pplk. Sochora 27, Holešovice, 170 00 Praha 7.

10. CUSTOMER ACCOUNT

10.1 Setting up a customer account

Setting up a customer account is fully voluntary because the Controller allows shopping in the Internet store even without the customer account (i.e. without registration).

In order for the Controller to be able to store personal data entered into the form for setting up and maintaining a customer account (or entered anytime later into the customer account), the Controller needs the customer’s consent.

10.2 Cancelling the Customer Account

The customer account can be canceled anytime via the customer account or based on a request sent to any of the contact addresses listed in paragraph 2.2 above.

Notwithstanding the above said, the Controller shall cancel the customer account within at the latest 10 years from the latest purchase of the Customer in the Internet store.

11. COOKIES AND OTHER TECHNICAL DATA

For more information about the so-called cookies and other technical data processed during a visit of the Internet store website, see the separate document available at [doplnit odkaz / insert link].
 

12. BASIC TERMS

Personal data is any information about an identified or identifiable natural person (the so-called data subject); an identifiable natural person is a natural person who can be identified directly or indirectly, in particular by reference to a particular identifier such as first name, surname, date of birth, residence, e-mail, telephone number, identification number, location data, network identifier, or one or more particular elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Processing of personal data is any operation or set of operations with personal data or personal data files that is performed with or without the help of automated procedures such as collecting, recording, arranging, structuring, storing, customizing or altering, searching, inspecting, using, accessing by transmission, distribution or any other disclosure, sorting or combining, limiting, erasing or destruction.

A controller is generally a person who, alone or together with others, determines the purposes and means of the processing of personal data.

The recipient is generally any person to whom personal data are provided.

The processor is generally any person who processes personal data for the Controller. At the same time, the processor is also the recipient.

A customer is a natural person who has entered into a purchase contract with the Controller through the Internet store, i.e. a person who has a so-called customer relationship with the Controller.

A potential customer is a natural person who has not yet concluded a purchase contract with the Controller through the Internet store, i.e. a person who does not have a so-called customer relationship with the Controller.