GDPR

PERSONAL DATA PROCESSING AND PROTECTION DECLARATION

In conformity with the relevant provisions of Regulation of the European Parliament and of the Council (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the associated standards, and in conformity with the principles of transparency and legitimacy, we publish the following Declaration:

IDENTIFICATION OF THE CONTROLLER:

The company BLANÁŘ NÁBYTEK, a.s.
registered at the Regional Court in Brno under file number B 3642
registered seat: No. 410, 691 11 Brumovice
Company ID Number: 26259842
(hereinafter the “Controller” or the “Company”)

EXTENT OF PERSONAL DATA PROCESSING:

The Controller processes the personal data to the extent necessary to fulfil the particular purpose of processing. In doing so, the Controller always proceeds in conformity with the valid legal regulations and in conformity with the Controller’s obligations. 

PURPOSES OF PERSONAL DATA PROCESSING:

The Controller always processes the personal data for a clear and comprehensible purpose and keeps records of the purposes of individual processing. The purposes of processing at the Controller particularly include:

  • personal data processing for the reason of fulfilment of legal obligations (fulfilment of statutory obligations including obligations resulting from the Archiving Act),
  • personal data processing for the purpose of ensuring the operation of the Company (personal data of employees, job candidates, etc.),
  • personal data processing for the purpose of conclusion and/or performance of contracts (data of customers, suppliers, etc.),
  • for the reasons of the Controller’s legitimate interests (such as security protection of persons and property – CCTV recording, documentation of Company history, direct marketing, etc.),
  • protection of the Controller’s rights and Controller’s interests protected by law,
  • for the purposes specified specifically in the consent to the personal data processing,
  • to ensure operation of the Company kindergarten,

LEGAL TITLES FOR PROCESSING:

The Controller processes the personal data in conformity with the relevant legal standards and on the basis of the following legal titles: 

  • the Data Subject gave consent to the processing of their personal data for one or more specific purposes;
  • the processing is necessary for the fulfilment of the agreement of which the Data Subject is a party, or to take the measures adopted before conclusion of the agreement upon the request of such Data Subject,
  • the processing is necessary to meet the legal obligations which apply to the Controller,
  • the processing is necessary for the protection of the vital interest of the Data Subject or of another natural person,
  • the processing is necessary to fulfil a task performed in the public interest or in the exercise of a public authority the Controller is charged with,
  • processing is necessary for the purposes of legitimate interests of the respective Controller or a third party, with the exception of cases when the interests or the basic rights and freedoms of the Data Subject requiring protection of the personal data have precedence over such interests, especially when the Data Subject is a child. 

The processing of a special category of personal data may occur exclusively on the basis of the following legal titles (and/or exceptions for processing): 

  • the Data Subject gives their explicit consent to the processing of such personal data for one or more defined purposes, with the exception when EU law or an EU member state law defines that the ban contained in paragraph 1 may not be cancelled by the Data Subject,
  • the processing is necessary to meet the obligations and to exercise the special rights of the Controller or of the Data Subject in the field of labour law and the social security and social protection law, provided that it is allowed by EU law or an EU member state law or a collective agreement under the law of an EU member state in which the suitable guarantees referring to the basic rights and interests of the Data Subjects are defined,
  • the processing is necessary for the protection of the vital interests of the Data Subject or another natural person in the event that the Data Subject is not physically or legally capable of giving their consent,
  • the processing is performed within the scope of its activities and with suitable guarantees by a foundation, association or another non-profit-making entity which pursues the political, philosophic, religious and/or trade union goals, and on condition that the processing only relates to the present or former members of this entity, or to persons who keep in regular touch with such an entity in association with its objectives, and on condition that such personal data are not made accessible outside this entity without approval of the Data Subject,
  • the processing relates to the personal data obviously published by the Data Subject,
  • the processing is necessary for the definition, performance or defence of legal titles, or if the courts are acting within the scope of their jurisdiction;
  • the processing is necessary for the reason of a significant public interest on the basis of EU law or an EU member state law which is adequate to the pursued goal, observes the nature of the rights for data protection and provides suitable and particular guarantees for the protection of the basic rights and interests of the Data Subject,
  • the processing is necessary for the purposes of preventive medicine or occupational medicine, to assess the working abilities of the employee, medical diagnostics, provision of healthcare or social care or treatment or the management of the systems and services of the healthcare or social care under EU law or an EU member state law or under the agreements with a healthcare provider, subject to observance of the relevant conditions and guarantees,
  • the processing is necessary for the reasons of public interest in the field of public healthcare, such as protection from serious cross-border health threats or assurance of strict standards of quality and safety of healthcare and medicines and/or medical devices under EU law or an EU member state law, defining the corresponding and special measures to ensure the rights and freedom of the Data Subject, especially the business secrets,
  • the processing is necessary for the purposes of archiving in public interest, for the purposes of scientific and/or historical research or for statistical purposes in conformity with Article 89, paragraph 1 on the basis of EU law or an EU member state law which is adequate to the pursued goal, observes the nature of the rights for data protection and provides suitable and particular guarantees for the protection of the basic rights and interests of the Data Subject.  

PERSONAL DATA SOURCES 

The Controller obtains the personal data for processing in the following ways: 

  • directly from the Data Subject,
  • from the registers, records or lists accessible to the public,
  • from contract partners.  

CATEGORIES OF THE DATA SUBJECT 

  • employees (including job candidates),
  • customers and clients (including the Company kindergarten),
  • other persons having contractual relationships with the Controller,
  • natural persons captured on CCTV recordings,
  • service suppliers. 

CATEGORIES OF PERSONAL DATA

  • the personalised and identification data serving for a definite and unmistakable identification of the Data Subject and communication with the same,
  • descriptive data,
  • special categories of personal data, i.e., such personal data which testify about the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health condition or sexual life or sexual orientation of a natural person. Also genetic and biometric data which is processed for the purpose of the unique identification of a natural person is considered a special category of data. Processing of this category is only possible subject to compliance with the defined obligations.  

PERSONAL DATA RECIPIENTS 

A recipient shall mean natural persons or legal entities, public authorities, an agency or any other entity to which the data is communicated.

The Controller shall keep information on personal data recipients and shall at all times respect the purpose of processing as well as any legal obligations and responsibilities.

METHOD OF PERSONAL DATA PROCESSING 

The Controller processes the personal data at its premises or branch offices via its employees or other appointed processors. Processing occurs both in paper and electronic form, both in an automated and in manual manner. 

PERSONAL DATA PROCESSORS

Google Analytics

  • Purpose: To improve the site and our marketing campaigns
  • Legal basis: Consent to the use of analytics cookies
  • Personal data processed: Google Analytics also uses anonymized IP address, screen resolution, device type, browser, country, preferred user language, cookies (see below).
  • Type of cookies: first parties, long-term, analytical
  • Processing Time: Data is stored for 50 months in Google Analytics 3, data is stored in Google Analytics 4 for 14 months
  • Developer: Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland
  • Terms of use https://policies.google.com/technologies/ads

Google Optimize

  • Purpose: Improving the site - A/B testing and personalization
  • Legal basis: Consent to the use of analytics cookies
  • Personal data processed: same data as for Google Analytics
  • Type of cookies: first parties, long-term, analytical
  • Processing Time: Data stored for 14 months
  • Developer: Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland
  • Terms of use https://policies.google.com/technologies/ads

Hotjar

  • Purpose: to gather analytics data to improve the site
  • Legal basis: Consent to the use of analytics cookies
  • Personal data processed: cookies, anonymized IP address, screen resolution, device type, browser, country, preferred user language. Hotjar stores this data in a pseudonymized user profile. Neither Hotjar nor we ever use cookies to identify specific people or to link data to a specific user.
  • Type of cookies: first parties, long-term, analytical
  • Processing Time: Data saved for 1 year
  • Prepared by: Hotjar Limited, St Julian’s Business Center, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta
  • Terms of use https://www.hotjar.com/legal/policies/privacy/

Microsoft Clarity

  • Purpose: to gather analytics data to improve the site
  • Legal basis: Consent to the use of analytics cookies
  • Personal data processed: Clarity collects data about user behavior - clicks, scrolling, and web interactions. It uses cookies to collect data on user behavior; it also records the anonymized IP address, screen resolution, device type, browser, country, preferred language of the user. Clarity stores this data in a pseudonymized user profile. Clarity is never used to identify specific people or to link data to a specific user.
  • Type of cookies: first parties, long-term, analytical
  • Processing Time: Data stored for 3 months
  • Developer: Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052
    Microsoft adheres to the principles set out in the EU-US Privacy Shield Framework Agreement and Switzerland-US Privacy Shield Agreement, but EU-US Privacy Shield.
  • Terms of processing https://privacy.microsoft.com/en-US/privacystatement

Google Ads

  • Purpose: remarketing and evaluation of marketing campaigns
  • Legal basis: consent to the use of marketing and analytical cookies
  • Personal data processed: cookies, IP address, browser type, browser language and date and time of requests. Remarketing settings can be adjusted on the Ad Personalization Settings page.
    Without consent, the code runs without cookies or other technologies - only as a conversion counter.
  • Type of cookies: first party, long-term, analytical and marketing
  • Processing Time: Data stored for 18 months
  • Developer: Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland
  • Terms of use https://policies.google.com/technologies/ads

Click

  • Purpose: remarketing and evaluation of marketing campaigns
  • Legal basis: consent to the use of marketing and analytical cookies
  • Personal data processed: first-party cookies that contain random numbers or strings of characters. You can change your ad settings on the "personalized ad" page.
  • Type of cookies: third party, long-term, analytical and marketing
  • Processing time: We could not find
  • Prepared by: Seznam.cz, a.s., Radlická 3294/10, 15000 Prague, Smíchov, Czech Republic, ID 26168685
  • Terms of processing https://o.seznam.cz/ochrana-udaju/

Facebook Pixel

  • Purpose: remarketing and evaluation of marketing campaigns
  • Legal basis: consent to the use of marketing cookies
  • Personal data processed: cookies containing random numbers or strings of characters, IP address, browser and user device data, browser language, and request date and time. You can adjust or turn off the display of personalized ads on the ad personalization settings page.
  • Type of cookies: third party, long-term, analytical and marketing
  • Processing Time: Data stored for 6 months
  • Developer: Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, D02 X525, Ireland
  • Terms of use https://en-us.facebook.com/about/privacy

LinkedIn Insights

  • Purpose: remarketing and evaluation of marketing campaigns
  • Legal basis: consent to the use of marketing cookies
  • Personal data processed: cookies, IP address, browser and device information, site events and time
  • Type of cookies: third party, long-term, analytical and marketing
  • Processing time: Data is deleted after 180 days
  • Developer: LinkedIn Corporation, ATTN: Copyright Agent, Legal Department, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
  • Terms of use https://www.linkedin.com/legal/privacy-policy

Zbozi.cz campaign evaluation

  • Purpose: To gain data for campaign evaluation
  • Legal basis: consent to the use of marketing cookies
  • Personal data processed: cookies containing random numbers or strings of characters, IP address, browser and user device data, browser language and date and time of requests, content of orders
  • Type of cookies: third party, long-term, analytical and marketing
  • Processing time: data stored for the necessary time
  • Prepared by: Seznam.cz, a.s., Radlická 3294/10, 15000 Prague, Smíchov, Czech Republic, ID 26168685
  • Terms of processing: https://o.seznam.cz/ochrana-udaju/

Zbozi.cz reviews

  • Purpose: To determine your satisfaction with your purchase using an email questionnaire
  • Legal basis: acceptance of the questionnaire
  • Personal data processed: email address, order content
  • Type of cookies: third party, long-term, analytical and marketing
  • Processing time: none
  • Prepared by: Seznam.cz, a.s., Radlická 3294/10, 15000 Prague, Smíchov, Czech Republic, ID 26168685
  • Terms of processing: https://o.seznam.cz/ochrana-udaju/

Exponea

  • Purpose: To determine your satisfaction with your purchase using an email questionnaire
  • Legal basis: acceptance of the questionnaire
  • Personal data processed: email address, order content
  • Type of cookies: third party, long-term, analytical and marketing
  • Processing time: none
  • Prepared by: Seznam.cz, a.s., Radlická 3294/10, 15000 Prague, Smíchov, Czech Republic, ID 26168685
  • Terms of processing: https://o.seznam.cz/ochrana-udaju/

Heureka.com Campaign Evaluation

  • Purpose: To gain data for campaign evaluation
  • Legal basis: consent to the use of marketing cookies
  • Personal data processed: cookies containing random numbers or strings of characters, IP address, browser and user device data, browser language and date and time of requests, content of orders
  • Type of cookies: third party, long-term, marketing
  • Processing Time: 6 months
  • Prepared by: Heureka Group a.s., Karolinská 650/1, 186 00 Prague 8 - Karlín, Czech Republic
  • Processing conditions: https://www.heurekashopping.cz/pro- customers / terms-of-use-for-customers / privacy-protection

Heureka.cz reviews

While processing the personal data, the Controller shall at all times ensure compliance with the statutory requirements as well as the general principles of personal data protection.  

PERSONAL DATA PROTECTION 

The Controller shall ensure the organisational and technical protection of personal data in a manner to avoid any unauthorised or accidental access to the personal data, changing, destruction, loss, unauthorised transfers and/or unauthorised processing or misuse of the personal data.

Personal data protection also forms an integral part of the Security Policy of the Company.

PERIOD OF PERSONAL DATA PROCESSING 

The Controller shall always only process the personal data for the period necessary to accomplish the purpose of processing, and in conformity with all the obligations under the statutory standards.  

RIGHTS OF THE DATA SUBJECT 

The rights of the Data Subject are an important element of personal data protection for the Controller. 

The Data Subject has the right to be informed on the processing of their personal data on the basis of a request made in conformity with the relevant statutory provisions, in particular with respect to the following information: 

  • purpose of processing,
  • categories of personal data affected,
  • recipient or category of recipients,
  • period of processing and/or storage of personal data,
  • available information on the source of personal data,
  • the fact whether automated decision-making takes place, including profiling. 

Furthermore, the Data Subject has the following rights: 

  • right to access the personal data,
  • right to correction and/or completion of the personal data,
  • right to deletion of the personal data,
  • right to restriction of processing,
  • right to transferability of data,
  • right to object,
  • right not to be the subject of automated individual decision-making, including profiling. 

If the Data Subject believes that the Controller processes the personal data in contradiction with the Data Subject’s rights or the law, the Data Subject may furthermore: 

  • ask the Controller for explanation,
  • ask for elimination of the unlawful condition,
  • refer to the relevant supervisory authority, which is the Personal Data Protection Office (uoou.cz).  

INSTRUCTION 

All information, communication and actions pursuant to the GDPR are provided and made for free. 

Only when the requests made by the Data Subject are evidently unjustified or inadequate, in particular because they are repeated, may the Controller charge either an adequate fee or refuse to comply with the request. 

Any questions and/or requests to enforce the rights of the Data Subjects may be directed in writing to the address of the Company or electronically by e-mail at gdpr@blanar.cz or the data box.

BLANÁŘ NÁBYTEK, a.s.