Personal data protection terms
I. General Provisions
1. The controller of personal data in accordance with Article 4(7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR") is Cannapurna, s.r.o., with ID number 08741468, located at Zbraslavská 12/11, Malá Chuchle, 159 00 Prague (hereinafter referred to as the "controller").
2. The contact details of the controller are as follows:
Address: Zbraslavská 12/11, Malá Chuchle, 159 00 Prague
Email: info@cannapurna.cz
Phone: +420 704 320 286
3. Personal data refers to any information about identified or identifiable natural persons; an identifiable natural person is a person who can be directly or indirectly identified, in particular by reference to a specific identifier such as a name, identification number, location data, online identifier, or one or more specific elements that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
4. The Controller has not appointed a Data Protection Officer.
II. Sources and Categories of Processed Personal Data
1. The Controller processes personal data that you have provided to them or personal data obtained by the Controller in connection with the fulfillment of your order.
2. The Controller processes your identification and contact information, as well as data necessary for the performance of the contract:
- First and last name,
- Address,
- Phone number,
- Email address,
- IP address,
- Order history.
III. Legal Basis and Purpose of Processing Personal Data
1. The legal basis for the processing of personal data is
- Performance of the contract between you and the data controller under Article 6(1)(b) GDPR,
- Legitimate interest of the data controller in providing direct marketing (especially for sending business messages and newsletters) under Article 6(1)(f) GDPR,
- Your consent to the processing for direct marketing purposes (especially for sending business messages and newsletters) under Article 6(1)(a) GDPR in conjunction with § 7(2) of Act No. 480/2004 Coll., on Certain Information Society Services, in case no order for goods or services has been placed.
- Your consent to the processing for the purpose of registering a user account.
2. The purpose of processing personal data is
- Processing your order and fulfilling the rights and obligations arising from the contractual relationship between you and the data controller. When placing an order, the personal data necessary for successfully processing the order is required (name and address, contact). The provision of personal data is a mandatory requirement for the conclusion and performance of the contract; without it, the data controller cannot conclude or perform the contract,
- Sending commercial messages and conducting other marketing activities – commercial messages can be unsubscribed at any time in any manner (for example, by sending an email to the address info@cannapurna.cz or by clicking on the link in the respective commercial message).
3. The controller does not engage in automated individual decision-making within the meaning of Article 22 of the GDPR.
IV. Data Retention Period
1. The controller retains personal data
- for the period necessary to fulfill the rights and obligations arising from the contractual relationship between you and the controller and to assert claims arising from these contractual relationships (for a period of 15 years after the termination of the contractual relationship),
- for as long as consent to the processing of personal data for marketing purposes remains granted, up to a maximum of 5 years, if personal data is processed based on consent.
2. After the retention period expires, the personal data will be deleted by the controller.
V. Data Processors and Recipients of Personal Data
1. Data processors of personal data are:
- Providers of services for the operation of the online shop (Shoptet s.r.o., Prague, Czech Republic) and other services related to the operation of the online shop,
- Providers of marketing services (Lepidus s. r. o., Brandýs nad Labem, Czech Republic; Google Analytics, Google Ads, Google Tag Manager, Google Inc., USA; ECOMAIL.CZ, s.r.o., Prague, Czech Republic; Sklik, Seznam.cz, Prague, Czech Republic; Hotjar, Hotjar Ltd., Malta; Facebook, Instagram, Facebook Inc., California, USA).
2. The recipients of personal data are individuals
- involved in the delivery of goods/services/payment processing based on a contract.
3. The Controller does not intend to transfer personal data to third countries (outside the EU) or international organizations.
VI. Your Rights
1. Under the conditions specified in the GDPR, you have
- the right to access your personal data according to Article 15 GDPR,
- the right to rectify personal data according to Article 16 GDPR, as well as the right to restrict processing according to Article 18 GDPR,
- the right to erase personal data according to Article 17 GDPR,
- the right to object to processing under Article 21 of the GDPR,
- the right to data portability under Article 20 of the GDPR,
- the right to withdraw consent in writing or electronically to the address or email of the controller specified in Section III of these terms.
2. Furthermore, you have the right to lodge a complaint with the Data Protection Authority if you believe that your right to data protection has been violated.
VII. Conditions for the Protection of Personal Data
1. The controller declares that they have taken all appropriate technical and organizational measures to secure personal data.
2. The controller has taken technical measures to secure data storage and storage of personal data in paper form.
3. The controller declares that only authorized persons appointed by them have access to personal data.
VIII. Cookies
On this website, we process cookies necessary for its proper functioning and for analytics and also use cookies for advertising purposes. You can find the full Terms of Using Cookies here.
IX. Final Provisions
1. By submitting an order through the online order form, you confirm that you have read the terms of personal data protection and accept them in their entirety.
2. By agreeing to these terms by checking the consent box through the online form, you confirm that you have read the terms of personal data protection and accept them in their entirety.
3. The controller is entitled to change these terms. The new version of the personal data protection terms will be published on its website, and at the same time, the new version of these terms will be sent to your email address provided to the controller.
These terms shall become effective on March 10, 2020.