Privacy policy

Dear customers and business partners,

The document you are reading contains basic information regarding the processing of your personal data. We appreciate that you wish to share your personal data with us and we are committed to protecting them to the maximum extent possible. At the same time, we strive to be as transparent as possible in our relationship with you, especially regarding the personal data that we process about you.

Due to the new EU legislation, this document was drawn up in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

In this document, we try to provide you with information in an organised manner, and that is why we chose the form of questions and answers arranged as follows:

1. Who is a controller?
2. Why do you need personal data?
3. What are your legitimate interests?
4. How were the personal data obtained?
5. Which categories of personal data are processed?
6. What is the legal basis for the processing of personal data?
7. Will you transfer personal data to anyone else?
8. Will you transfer personal data to third countries or international organisations?
9. For how long will you store personal data?
10. What are your data processing rights and how can you exercise such rights?
11. Are personal data automatically analysed?

If you have any questions regarding the processing of your personal data, do not hesitate to contact us at cz-gdpr@hranipex.com, or at our mailing address Jaroslavy Rýznerové 97, Komorovice, 396 01 Humpolec.

1. Who is a controller?

A controller is a person who alone or in cooperation with others determines the purpose and manner of the processing of personal data.
The controller is Hranipex a. s. with its registered office at Jaroslavy Rýznerové 97, Komorovice, 396 01 Humpolec, identification number: 26017997, a company registered in the Commercial Register of the Regional Court in České Budějovice, file number B 1047. The controller may be contacted at cz-gdpr@hranipex.com.

2. Why do you need personal data?

The controller processes personal data:

a) To ensure the conclusion and the subsequent performance of a contract between you and the controller (point (b) of Article 6(1) GDPR). This relationship results in additional legal obligations, therefore the controller must also process personal data for this purpose (point (c) of Article 6(1) GDPR); 
b) To protect its legitimate interests (point (f) of Article 6(1) GDPR), meaning the fastest and most effective handling of your purchase orders possible. This also includes the preparation of quotations, the processing of every purchase order, the handling of claims, business analysis and planning.
c) For marketing reasons to allow the controller to tailor the offer to your needs and inform you about new products. For this purpose of processing, the controller is obtaining your clear affirmative consent (point (a) of Article 6(1) GDPR). 
When processing the above personal data, the controller employs profiling for the purposes of improving its services and creating personalized content of business communication, and it does so based on its legitimate interest, i.e. for a reason under the provisions of point (f) of Article 6(1) of the Regulation.
E-mail addresses may be processed for the purposes of their recording in a database for business communication distribution. This procedure is allowed by section 7 (3) of Act No. 480/2004 Sb., on Information Society Services. These communications may concern only similar goods or services and you can easily opt out from receiving them – by sending a letter, e-mail or clicking on the "Unsubscribe" link in the business communication. The controller will process e-mail addresses for this purpose for the time of product purchases and then for a period of 3 years from their last use.

The provision of personal data to the controller is generally a legal and contractual requirement. You are asked to grant your consent to the processing of personal data for marketing purposes which is not part of the fulfilment of the controller's contractual and legal obligations. If you fail to grant consent to the processing of personal data for marketing purposes to the controller, it will not result in the controller refusing to provide its product or service to you under a contract.

3. What are your legitimate interests?

The controller also processes personal data to protect its legitimate interests. Legitimate interests of the controller include but are not limited to the proper compliance with all contractual obligations of the controller, the proper compliance with all legal obligations of the controller, direct marketing, protection of the controller's business and property, as well as environmental protection and sustainable development.

In order to ensure the best possible protection of your privacy, you have the right to raise an objection to ensure that your personal data are processed exclusively for the necessary legal reasons or blocked. More information about your data processing rights can be found in Article 10 of this document.

4. How were the personal data obtained?

The controller obtained the personal data directly from you, mainly from completed forms, mutual communication or contracts. In addition, personal data may originate from publicly available sources, registers and records, such as the Commercial Register, Register of Debtors, professional registers or the Cadastre of Real Estate. Furthermore, the controller could obtain personal data from third parties that are authorised to access and process your personal data and with whom you cooperate, as well as from information available on social media and the Internet if posted by you.

5. Which categories of personal data are processed?

To ensure your satisfaction with a fulfilled obligation, to ensure compliance with legal obligations, to ensure personalized offers of the controller's goods and services and for other aforementioned purposes, the controller processes the following categories of personal data:

a) Basic identification details – first name, last name, address of residence and identification number;
b) Contact details – phone number and email address;
c) Information about the utilisation of the controller's products and services – data regarding which of the controller's products you used in the past and which you are using now, including product settings etc.;
d) Information collected from mutual communication – information contained in e-mails, recordings of phone calls or other contact forms;
e) Invoicing and transactional details – especially information contained in invoices, regarding the agreed billing terms and payments received;
f) Geolocation information – information from the web browser or mobile applications that you use.

6. What is the legal basis for the processing of personal data?

The legality of the processing is defined in Article 6(1) GDPR that stipulates that processing is legal if it is necessary to perform a contract, to comply with the controller's legal obligation, to protect the controller's legitimate interests, or if the processing is carried out with your consent.

The legality of the processing also results from Act No. 563/1991 Sb., on Accounting, which provides for the processing and retention of billing details, from Act No. 89/2012 Sb., Civil Code, which provides for the protection of the controller's legitimate interests, and from Act No. 235/2004 Sb., on Value Added Tax.

7. Will you transfer personal data to anyone else?

Within legal limits, we are required to disclose personal data to state authorities, such as the tax administrator, courts, criminal justice authorities or capital market supervisory authorities.

Therefore, depending on the nature of the services that you are/were using, third parties that may have access to your personal data include:

  • Persons that take care of our technical operations and operators of technologies that we use for our services;
  • Persons that regularly provide and test the security and integrity of services and websites;
  • Persons that analyse traffic on our websites;
  • Persons that deliver shipments with your orders to you;
  • Payment gateway providers;
  • Business partners or sponsors that are involved in the organisation of our events, conferences, workshops etc.
  • (Collection agencies for the purposes of collecting or receiving our claims).
  • Operators of targeted advertising systems;
  • Operators of technical solutions that allow us to show you only the content and ads that are relevant to you.

 

Under certain clearly defined conditions, we are obliged to disclose some of your personal data under applicable legislation, e.g. to the Police of the Czech Republic or other criminal justice authorities, including specialised departments (Organised Crime Detection Unit, Customs Administration etc.) and other public authorities.

We will continue to transfer personal data to third parties only if you are fully aware of it and grant your express consent to such transfer.

8. Will you transfer personal data to third countries or international organisations?

We will not transfer personal data to countries outside the European Union or the European Economic Area or to any international organisation.

9. For how long will you store personal data?

Personal data will be processed and stored at least for the term of the contract. Some personal data needed, for example, to comply with tax and billing obligations will be retained for a longer period of time, usually 10 years starting from the year following the onset of the retained fact.

Personal data that are relevant to the controller's legitimate interests will be retained for no more than 3 years from the end of the contractual relationship with the controller.
Personal data processed for marketing purposes will be archived for no more than 3 years from their acquisition.

Personal data will never be retained longer than for the maximum period of time stipulated by law. Upon the expiry of the archiving period, personal data will be securely and irreversibly destroyed to prevent their misuse.

10. What are your data processing rights and how can you exercise such rights?

The controller makes every effort to ensure that your data are processed in a proper and mainly secure manner. You are guaranteed the rights described in this article that you can exercise with the controller.

How can I exercise my rights?

You can exercise your individual rights by sending an e-mail to gdp-cz@hranipex.com. You can also exercise your rights by a written request sent to our mailing address at Jaroslavy Rýznerové 97, Komorovice, 396 01 Humpolec.

All communications and statements regarding the rights exercised by you shall be made by the controller free of charge. However, if a request is clearly unjustified and unreasonable, mainly due to being repetitive, the controller is entitled to charge an adequate fee taking into account the administrative expenses associated with providing the requested information. In case of repetitive exercising of one's right to request a copy of personal data processed, the controller reserves the right to charge an adequate fee to cover administrative expenses.

Statements and/or information regarding any measures taken will be provided to you by the controller as soon as possible but no later than within one month. This period may be extended by the controller by two months where necessary, taking into account the complexity and number of the requests. The controller will notify you of any such extension indicating the reasons.

Right to information regarding the processing of your personal data

You are entitled to request information from the controller regarding whether personal data are processed or not. If personal data are processed, you are entitled to request information from the controller, especially regarding the controller's identity and contact details, the purposes of processing, categories of the personal data concerned, the recipients or categories of recipients of personal data, legitimate controllers, a list of your rights and the possibility to contact the Office for Personal Data Protection, regarding the source of the personal data processed and automated decision-making and profiling.

Where the controller intends to further process your personal data for a purpose other than that for which the personal data were obtained, the controller shall provide you prior to that further processing with information on that other purpose and with any relevant further information.

The information provided to you when exercising this right is contained in this document, but that does not prevent you from requesting it again.

Right of access to personal data

If your personal data are processed, you have access to information about the purposes of such processing, categories of personal data concerned, the recipients or categories of recipients, duration of retention of personal data, information about your rights (right to request a rectification or erasure from the controller, limitation on processing, object to processing), about the right to file a complaint to the Office for Personal Data Protection, information about the source of the personal data, information about whether automated decision-making and profiling are employed and information regarding the procedure used, as well as the relevance and expected results of such processing for you, information and guarantees in the event that the personal data are transferred to a third country or an international organisation. You are entitled to receive a copy of personal data processed. However, the right must not adversely affect the rights and freedoms of others.

Right to rectification

If your place of residence, phone number or other facts that can be considered as personal data have changed, you are entitled to request that the controller rectify the personal data processed. In addition, you have the right to have incomplete personal data completed.

Changes should be sent by e-mail to your sales representative or assistant, or alternatively to cz-gdpr@hranipex.com.

Personal data of a company (such as its registered office) may be changed only by a person authorised to act on behalf of the company.

Right to erasure (right to be forgotten)

In certain specific situations, you have the right to request that the controller erase your personal data. Such situations include, for example, cases where the processed data are no longer needed for the aforementioned reasons. The controller will erase personal data automatically after the necessary period of time; however, you may submit your request at any time. Your request will be subject to an individual evaluation (regardless of your right to erasure, the controller may be entitled or have a legitimate interest to retain your personal data) and you will be informed in detail about the result.
Erasure of personal data of a company (such as its registered office) may be requested only by a person authorised to act on behalf of the company.

Right to limitation on processing

The controller processes your personal data only to the extent necessary. If you feel, however, that the controller exceeded the above purposes, for which it processes the personal data, you can submit a request to have your personal data processed only for the absolutely necessary legal reasons or blocked. Your request will be subject to an individual evaluation and you will be informed in detail about the result.

Right to data portability

If you want the controller to provide your personal data to another controller or another company respectively, the controller will transfer your personal data in an appropriate form to an entity nominated by you unless this is not possible due to legal or other major obstacles.

Right to object and automated individual decision-making

If you find out or believe that the controller processes personal data in violation of the protection of your privacy and personal life or in violation of the law (provided that the personal data are processed by the controller due to a public or legitimate interest, or for the purposes of direct marketing, including profiling, or for statistical purposes or for the purposes of scientific or historic importance), you can contact the controller and ask the controller to explain or remove the defective condition.

You can also object directly to the automated decision-making and profiling.

Right to file a complaint with the Office for Personal Data Protection

You can contact the authority supervising personal data processing related matters with your suggestions or complaints at any time: Office for Personal Data Protection with its registered office at Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

Right to withdraw consent

You have the right to withdraw your previously granted consent to the processing of personal data at any time by sending your withdrawal to the address of the controller's registered office at cz-gdpr@hranipex.com or by using the appropriate link in electronic communication.

11. Are personal data automatically analysed?

Personal data are automatically analysed and may be used to analyse your activities on the controller's website, profiling or automated decision-making regarding the controller's marketing activities.

Due to such activities of the controller, your behaviour on the website will be mapped and analysed, representing a certain interference with your right to privacy. At the same time, however, this analysis contributes to you receiving only advertisements regarding the controller's products and services that you might be interested in based on the results of the analysis.