PRIVACY POLICY

PILANA Group a.s., ID No: 04161076, with the registered office at Nádražní 804, 768 24 Hulín, the Czech Republic, registered in the Commercial Register kept by the Regional Court in Brno, Section B, Insert 7323 (hereinafter “controller” or “our company”) processes personal data of its customers/suppliers who are natural persons and contact persons of legal persons who cooperate with PILANA Group a.s. (together “business partners”). In this document, we disclose information about the protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), Act No. 110/2019 Coll., on the processing of personal data (hereinafter “Personal Data Processing Act”), as well as other related regulations, all as amended and in force. By disclosure via this Privacy Policy (hereinafter “Privacy Policy” or “Policy”), we fulfil the controller's duty to provide information in accordance with Articles 12, 13 and 14 of the GDPR.

1 What is personal data and who handles it?
Our company as a controller handles the personal data of its business partners, including you. In this document, we will explain what exactly personal data are, what personal data we collect about you, for what purpose, how we use them, what we do to keep them protected, and what rights you can exercise against us in relation to personal data.

Your personal data is any information allowing your identification, whether by a single piece of information or indirectly by other information and data. For example, your personal data includes your name, surname, your likeness, residence, birth number, but also your IP address, personal ID card number, etc.

Please note that if the business partner is a legal entity, the information and rights and obligations set out in this Policy apply only mutatis mutandis, as the GDPR applies to the protection of personal data of natural persons only. However, this Policy applies in full to contact persons of legal entities.

2 PILANA Group a.s. as data controller
Our company is a data controller within the meaning of Article 4(7) of the GDPR. This means that we determine what personal data we process, by what means and for what reasons, i.e. collect, store or use them or otherwise handle them within the processing operations pursuant to Article 4(2) of the GDPR.

We can assure you that the protection of your personal data is an absolute priority.

You are entitled to contact our company with respect to your personal data and exercise the rights you possess in this relation. Exercise of your rights is described in Article 10.1.

3 What personal data we process and to what extent?

3.1 Without your consent
a) Identification data – name and surname or company name of the business partner.

b) Contact details – information enabling to contact you, in particular telephone number, email address, contact address.

c) Tax identification number (TIN).

d) In addition, we also process data on the history of business cooperation, purchases and payments, payment history, data on services and products provided and payment data, bank details and similar personal data.

e) Data from communications between the business partner and the controller, data from communications between the business partner and the controller, data related to the negotiation and performance of contracts for the provision of services (or sale of goods).

f) Cookies that are or contain personal data.

g) Data about the exercise of your legal rights and records of their exercise against the controller.

h) Other data mandatorily processed by the controller in accordance with Czech or European Union laws.

3.2 With your consent
We may also process further personal data with your consent. In such cases, the exact scope of the personal data processed is specified in the consent you have granted for such processing. You may withdraw your consent at any time (see Article 9.10).

3.3 Consequences of refusal to provide personal data
We require personal data from you primarily for the purpose of concluding and performing a contract (in the cases referred to in Article 3.1 lit. a) to c)). If you fail to provide them, we will not be able to conclude a contract with you. In certain cases we require the provision of personal data in order to comply with legal obligations (in particular the cases provided for in Article 3.1 lit. h)), in which case the reasons for the request and the consequences of non-provision result directly from the relevant legal provision.

4 Legal bases and purposes of processing personal data
In accordance with applicable laws, we collect and process personal data for a predetermined purpose and only to the extent necessary to fulfil that purpose. We obtain personal data directly from you through personal and written communication, including registration in the web interface of the store at: www.pilana.group.

We process your personal data on the basis of the following legal bases and for the following purposes:

1) Performance of contract – This is our primary legal basis for the processing of personal data. Contract means a purchase contract, a contract of business cooperation or any other similar contract that our company has concluded with you or that is to be concluded between us based on the expression of intent. Personal data are processed in particular for the purpose of concluding a contract, its performance and fulfilment and communication with business partners. This purpose and the lawful basis for processing also applies to the preparation of the contract and the negotiation of its terms.

2) Performance of legal obligations – law dictates that we process some of your personal data in order to comply with our legal obligations. The purpose of the processing is therefore to comply with these legal obligations, which may arise, for example, from Act No. 563/1991 Coll., on accounting, Act No. 280/2009 Coll., the tax code, Act No. 499/2004 Coll., on archiving and file service, Act No. 235/2004 Coll., on value added tax, and other legal regulations, including compliance with the requirements of supervisory authorities and other public bodies.

3) Legitimate interests of the controller – for the purpose of protecting our legitimate interests, i.e. in particular for the purpose of assessing, exercising and enforcing our legal claims, protecting the rights, property or safety of our company and our employees, business partners or other persons, we process your personal data on the basis of a legitimate interest.

4) Consent – with your consent, which you can withdraw at any time (see Article 9.10), we process your personal data primarily for the purpose of sending newsletters and for the processing of cookies that are personal data.

5 Methods and means of personal data processing
We process your personal data both manually, in paper or electronic form (processing of orders, delivery notes, handover reports, tax and accounting documents), and automatically (in particular dispatch of your order data with a summary of the order and your contact details).

6 How do we protect your personal data?
Pursuant to applicable laws, our company secures the personal data in its possession using all appropriate technical and organizational measures to ensure the highest possible level of protection, taking into account the nature, scope and purposes of the processing and the likely risks. We have adopted security and control mechanisms in an effort to prevent unauthorized access or transfer, loss, destruction or other possible misuse of data.

Our employees are bound by a duty of confidentiality. If we pass on data to third parties, these parties are also bound by a statutory or contractual duty of confidentiality. If you would like to know more about the measures we take to protect your personal data, please do not hesitate to contact us in this respect using any of the methods listed in Article 10.1.

7 Who receives your personal data?
To ensure that our company provides services and products properly and fulfills its contractual obligations, we use the professional and specialized services of other entities, such as providers of cashless payment or shipping services. If we provide your personal data to these entities, they may only use them in accordance with our strict instructions. In addition, we transfer your personal data if we are lawfully required to do so by a public authority. We will never transfer your personal data to other entities for commercial purposes unless you have given your prior consent to that effect.

For example, we may transfer your personal data to the following entities in the following situations:

a) state authorities and other institutions in the performance of their statutory duties, in particular to state administration authorities, supervisory authorities, prosecution bodies, courts, distrainors, notaries, insolvency administrators, or other entities in cases where our company is required to do so by law;

b) to our business partners – if we engage someone else to perform an activity that forms part of our services, the transfer of personal data may be necessary;

c) to processors who provide services to us in connection with the performance of statutory and contractual rights and obligations;

d) members of PILANA Group a.s.;

e) other entities, if necessary to protect the rights and interests of our company. In such a case, we transfer personal data to the extent necessary to successfully exercise a claim or defend our rights (for example, to a legal representative, insurance companies or insurance broker, bank, courts, distrainors, auctioneers);

f) With your consent or based on your instructions, your personal data may be disclosed to other entities.

We will not transfer your personal data to third countries or international organizations.

8 Duration of processing
We process your personal data for as long as necessary to fulfil the purpose for which they were collected or other related purpose.

In most cases, the law directly determines the data processing time. In the absence of direct stipulation of a specific period of time for which personal data must be processed, we consider that the purpose of the processing continues and we will therefore process personal data for as long as legal claims against our company may be exercised (usually a 10-year limitation period) and for one calendar year after the termination of all possible legal claims (usually 11 years after the termination of the contractual relationship). This is to ensure that no action or claim has been filed against our company with a court or other authority even on the last day of the period. In other cases, the time limits are governed by our internal regulations.

If we process personal data on the basis of your consent, we will process it for the period specified in the consent or until it is withdrawn.

9 Your rights arising from personal data processing

9.1 Right to information and explanation
Our company is obliged to provide you with the information set out in this document in a concise, transparent and comprehensible manner. If any provision of this Policy is unclear or not fully understandable to you, please do not hesitate to contact us.

9.2 Right of access to personal data (Article 15 of the GDPR)
You have the right to obtain confirmation from our company as to whether or not your personal data are processed by us, as well as to obtain copies of your personal data and to be informed of the details of the processing. If your personal data are being processed, you have the right to access and be informed about such personal data to the extent provided for in Article 17 of the GDPR. Where your personal data are processed, you have the right to obtain one copy of the personal data so processed.

9.3 Right to rectification or completion (Article 16 of the GDPR)
If you believe that the personal data we are processing are inaccurate, you have the right to notify us and request rectification. If you believe that we are processing incomplete data about you, you can request that we complete them.

9.4 Right to erasure – so called “right to be forgotten” (Article 17 of the GDPR)
If any of the following conditions are met, you have the right to request that we delete personal data relating to you:

a) your personal data are no longer necessary for the purposes for which they were processed and there is no other legal basis for further processing,

b) we have processed your personal data on the basis of your consent, which has been withdrawn, and there is no other legal basis for further processing,

c) where your personal data have been processed on the basis of a legitimate interest of our company, you have objected to the processing and our company has determined that our legitimate interest does not override your interest in terminating the processing,

d) your personal data have been processed unlawfully,

e) we are obliged by law to erase your personal data.

In some cases, our company can take action in this regard without express exercise of this right on your part.

Please note that in certain situations you do not have the right to erasure, as there may be reasons why the processing of personal data may continue. Specifically, these may be the situations referred to in Article 17(3) of the GDPR.

9.5 Right to restriction of processing (Article 18 of the GDPR)
If at least one of the conditions under Article 18 of the GDPR is met, you have the right to request that we restrict the processing of your data.

In the event that you legitimately exercise this right, your personal data concerned will be marked (e.g. temporarily removed from the website, made inaccessible, etc.) in order to limit their processing in the future. Our company will not be entitled to process them further, except where you have given your consent, and we will be entitled to continue to process them for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or one of its Member States. Once the grounds for restricting processing no longer apply, we will immediately lift the restriction, in which case you will be informed in advance.

9.6 Right to be informed about rectification, erasure or restriction of personal data processing (Article 19 of the GDPR)
If your personal data have been provided to another natural or legal person, public authority or other entity, we are obliged to notify these entities of any corrections, deletions and restrictions imposed. Therefore, if you exercise any of the rights mentioned, our company will be obliged to inform these entities of the action taken (for example, the rectification or erasure of your personal data). Our company is obliged to act in this respect without you having to expressly exercise that right.

9.7 Right to data portability (Article 20 of the GDPR)
You have the right to “take” your personal data from us to another data controller. Any personal data that we process by automated means, based on your consent or the performance of a contract can be transferred in this manner. We will make all data available to you or the new controller in a structured, commonly used and machine-readable format. However, your new controller will be responsible for completing the process of transferring your personal data and for having the technical means to read and work with them. We may also transfer your personal data to you without any new controller present.

9.8 Right to object (Article 21 of the GDPR)
Where we process personal data for the purposes of the legitimate interests of the controller or a third party, you have the right to object to such processing insofar as justified by your specific circumstances, i.e. where the processing itself is permissible but there are specific reasons on your side why you refuse processing of personal data.

If you object to the processing of your personal data, we will need to review such processing. We will no longer process your personal data unless there are compelling legitimate grounds for the processing which override your privacy interests or other interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims of the controller.

If you exercise this right, please always indicate the specific situation that makes you believe that the controller should not process your data.

The right to object will not apply to all cases of processing. It cannot be exercised where we process your data on a legal basis other than necessity due to a legitimate interest – for example, for the performance of a contract or the fulfilment of a legal obligation.

9.9 Right not to be subject to automated decision-making (Article 22 of the GDPR)
In accordance with Article 22 of the GDPR, you have the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects on you or significantly affects you in a similar way.

You will not enjoy this right if the automated decision is necessary for the conclusion or performance of a contract between you and our company, if you have given your explicit consent, or if it is expressly permitted by EU or national law.

9.10 Right to withdraw consent (Article 7 of the GDPR)
Where we collect and process data on the basis of your consent, you have the right to withdraw this consent at any time. Consents are always granted completely voluntary. Withdrawal of your consent will not affect processing that has already taken place at the time the consent was validly granted, nor processing that is required from our company on the grounds of the consent previously given and the processing activities already carried out (in order to comply with legal obligations or to protect our legitimate interests). Withdrawal of consent is completely free of charge and you may do so by any of the methods set out in Article 10.1. You may withdraw the consent in the same manner in which it was granted.

9.11 Right to lodge complaint with a supervisory authority (Article 77 of the GDPR)
If you disagree with the way we process your personal data or disagree with our company's policy in this regard, you can contact the Office for Personal Data Protection at any time with a complaint, contact details are available on: www.uoou.cz.

10 How can you exercise your rights?

10.1 Contact addresses
If you wish to exercise your rights, you may do so in any of the following ways:

via a data message to our company's data mailbox: udw5jka
via a postal service provider to the address of the controller's registered office (Nádražní 804, 768 24 Hulín, Czech Republic) – in this case, please mark the document visibly “GDPR”
in person at the registered office of the controller (Nádražní 804, 768 24 Hulín, Czech Republic) – in this case, please mark the document visibly “GDPR”
by email to the email address of our company: gdpr.group@pilana.cz – in this case, please state “GDPR” in the subject line of the email
otherwise – if your personal data are processed on the basis of your consent, you may exercise your right to withdraw your consent (see Article 9.10) in the same manner in which it was granted

If you wish to exercise your rights, but also have other questions, requests or objections, you can contact us in addition to the above methods by phone at + 420 573 527 813.

10.2 Identity verification when contacting the controller

10.3 Preventing disclosure of your personal data to a third (unauthorized) party, from being lost, irreversibly altered, misused or otherwise misappropriated is a top priority. For this reason, if we have reasonable doubt as to the identity of the person exercising the rights under Article 9, you may be asked to provide additional information necessary to establish your identity, allowing us to reliably assure we are communicating with the right person. If necessary, our company may also request that the form or request be accompanied by your certified signature.

11 Complaint and request procedure
Exercise of any of your rights can affect third-party rights.

If you contact us with an objection or a request to exercise one of your legal rights, we will inform you of the measures taken. If we do not take any action, we will also inform you and explain the reasons. We will provide you with this information within one month of receiving your request. If, due to the complexity and number of requests, it is necessary to extend this period, we will also let you know within one month of receiving the request, together with the reasons for the delay. We will extend the time limit for a maximum of two more months. We will make every effort to provide you with information on the measures taken as soon as possible.

We will provide you with information about the measures taken in the same way you request it. All objections and requests and our responses are free of charge. However, if your requests are repetitive or manifestly unreasonable, we may claim reimbursement of the costs incurred in providing the information, or we may not comply with the request at all.

Be advised that our company may only grant your request or objection if it has no doubts about the identity of the person making the request or objection (see Article 10.2).

12 Cookies
In addition to personal data, our company also processes cookies and pixel tags. Some cookies and pixel tags may contain your personal data or may fully consist of your personal data. In such case, this Policy applies in full.

Detailed information on cookies, their types and processing can be found in the separate information document “What are cookies and how do we use them?”, available here. In the event of a conflict between the cookie policy and the Privacy Policy, the latter will apply to the conflicting part.

13 Conclusion
This Privacy Policy will take effect on 1.1.2023. This document will be amended and supplemented from time to time.