Privacy policy

Through these Personal Data Protection Principles (hereinafter the Principles”), we inform the data subjects, whose personal data we process, on all the processing activities and the principles for the protecting of the data subjects.

1. People Responsible

Personal Data Administrator:
TOMAS CARPIO s.r.o., ID 28255691, with registered office at Čimická 780/61, Praha 8  181 00
Contacts for exercising your rights: Telephone: 723 00 11 22, E-mail: info@tomas-carpio.cz
(hereinafter us”,or our”)

2. Basic Terms

GDPR:
Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC effective from 25.5.2018.

Personal Data
Personal data pursuant to Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as the GDPR”) meaning any information about an identified or identifiable natural person (i.e. about the data subject = you).

Special Personal Data:
Special personal data means data on racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, genetic data processing, biometric data for the sole purpose of identifying a natural person and health or sexual life, or the sexual orientation of the natural persons.

Data Subject = You:
The data subject is an identified or identifiable natural person, an identifiable natural person being a natural person that can be identified directly or indirectly, particularly by reference to a particular identifier such as name, identification number, location data, network identifier or one or more specific physical elements, the physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Personal Data Processing:
The processing of personal data, pursuant to Article 4, Paragraph 2 of the GDPR, means any operation or set of operations with personal data or personal data files carried out with or without the help of automated procedures such as collecting, recording, arranging, structuring, storing, or alteration, retrieval, inspection, use, disclosure through transmission, distribution or any other disclosure, sorting or combining, restriction, deletion or destruction.

Administrator:
An administrator pursuant to Article 4, Paragraph 7 of the GDPR is a natural or legal person, a public authority, an agency or any other body which, alone or jointly with others, determines the purposes and means for processing personal data. We act as an administrator in relation to your personal data.

Processor:
A processor, pursuant to Article 4, Paragraph 8 the GDPR, is a natural or legal person, public authority, agency or other subject that processes personal data for the administrator.

Supervisory Authority:
The Supervisory Authority in the Czech Republic is the Office for the Protection of Personal Data (hereinafter referred to as the Office”).

Risk Processing:
Risk processing means processing that will probably pose a risk to the rights and freedoms of the data subjects, processing that is not occasional or involves the processing of special personal data or personal data relating to criminal convictions and offenses referred to in Article 10 of the GDPR.

Automated by Individual Decision-making including Profiling:
Automated individual decision-making including profiling is generally understood as any form of decision based on the automated processing of personal data, i.e. without human intervention, including, but not restricted to, the assessment of certain personal aspects relating to the data subject, particularly for analysis or estimation, analyzing or anticipating aspects relating to his/her work performance, economic situation, health, personal preferences, interests, reliability, behavior, where he/she is found or moving.

3. Categories of subjects, processed personal data, purpose, legal basis and processing time

We process personal data for a clearly defined purpose:

Categories of data subjectsThe purpose of personal data processingLegal basis and processed personal dataProcessing period
Our customersExecution of the contractExecution of the contract is basis of law.

Identification data (name), contact (delivery address, e-mail, phone), accounting data (credit card number, bank account number), history of orders, IP address, cookies and log-in account data and complaint form data.
Personal data could be proceed during duration contract or guarantee period and for this purpose.
Rights after ending contactLaw basis is our rightful interest of collecting debts, compensation for demage and other contract right.

Identification data (name), contact (delivery address, e-mail, phone), accounting data (credit card number, bank account number), history of orders, IP address, cookies and log-in account data and complaint form data are necessary after ending the contract for processing complaint, debts collecting and any other contract obligation.
Personal data could be proceed for 4 years after ending contract for this purpose and in case of judicial proceeding for its whole period.
Execution of accounting and taxesLaw basis is execution of law obligation follow from law directions as accounting law or VAT law.

Identification data (name), contact (delivery address, e-mail, phone), accounting data (credit card number, bank account number and other tax bills).
Personal data could be proceed up 10 years after ending accounting period for this purpose.
Communication of sales news, marketing materials, offers of our goods or servicesLaw basis is our rightful interest provide and offer services or goods that follow from our sale relation.

Personal and contact data are used for sale notification. 
Personal data could be proceed during contract period for this purpose.
Website VisitorsStatistics prior to data anonymization, displayed advertisements for our services or goods.The legal basis is a  legitimate interest  in the sense of a) improving our services and focusing on what interests you; b) offer you similar services or goods that fit your needs based on access to our website.

Identification data (name, surname), contact details (address, e-mail, telephone), IP address and cookies.
Personal data may be processed for a period of time  6 months for  this purpose.
Sending a response to the question of a website visitor.The legal basis is the performance of a contract or your consent.

Identification data (name, surname), contact details (address, e-mail, phone), IP address and cookies, query submitted through a form.
For this purpose, personal data can be processed to address a query from the contact form, but no longer than 30 days, or the time your consent to the processing takes.
News SubscribersSending business messages through e-mailThe legal basis is the  consent  you give us when you subscribe to newsletters.

Identification data (name and surname), contact details (e-mail).
For this purpose, personal data may be processed until the withdrawal of consent.

4. Period of personal data processing

Personal data are maintained only for the period necessary for the purpose of processing  – see table above. After this time, personal data may be retained only for the purposes of the state statistical service, for scientific and archival purposes.

5. The recipients of personal data and the transfer of personal data outside the European Union

In justified cases, we may also transfer your personal information to other subjects (hereinafter recipients”).
Personal data may be transmitted to the following recipients:

  • Processors who process your personal information in accordance with our instructions, mainly in the area of public contact, electronic data management or accounting;  
  • public authorities and other subjects, if required by applicable law; 
  • other subjects in case of an unexpected event in which the provision of data is necessary for the purpose of protecting life, health, property or other public interest or if it is necessary to protect our rights, property or security.

6. Cookies

After your first visit to our website, our server sends a small amount of data to your computer and saves it there. Each time a visitor comes to the website, the browser sends the data back to the server. This small file is called a cookie”, and it is a short text file containing a specific string of characters with unique information about your browser. We use cookies to improve the quality of our services and to better understand how people use our website. That is why we have user preferences stored in cookies, and we follow user trends on how people behave on our website and how they view it.

Most browsers are configured to accept cookies. However, you have the option of configuring your browser to block cookies or to inform you of cookies. Without cookies, however, some services or features will not work properly.

Our website uses first party” cookies, i.e. cookies used only by our websites (hereinafter referred to as first party cookies) and third party” cookies (i.e. cookies from third party websites). We use first party cookies to store user preferences and the data you need during your visit to the website (e.g. your shopping cart content). Third party cookies are used to track user trends and behavioral patterns, ad targeting, with the help of third party website statistic providers. Third party cookies for tracking trends and behavior patterns are only used by our website and website statistics provider, not shared with any third party.

Cookie settings

7. Principles of personal data processing

Legality
We process your personal information in accordance with applicable law, especially with the GDPR.

Consent of Data Subject
We process personal data only in the way and to the extent that you have given us consent if the consent is the title of processing.

Minimization and Limitation of Personal Data Processing
We process personal data only to the extent necessary to achieve the purpose of its processing and for no longer than is necessary to achieve the purpose of its processing.

Accuracy of Processed Personal Data
We process personal data with an emphasis on their accuracy, using available measures. And we process updated personal data by using reasonable resources.

Transparency
Through this Policy and contact person, you have the opportunity to learn how we process your personal data, as well as its scope and content.

Restriction of Purpose
We process personal data only to the extent necessary for the fulfillment of the intended purpose and in accordance with this purpose.

Security
We process personal data in a way that ensures its proper security, including its protection through appropriate technical or organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage.

8. Automated by Individual Decision-making and Profiling:

Personal information processing  does not go  to automated individual decision-making, even through a profiling basis.

9. Your rights as a data subject

Right of Access to Personal Data
You have the right to request access to personal data about your person from us. You particularly have the right to receive a confirmation from us that personal data related to you are processed or not processed by us and to provide further information on the processed data and the processing method pursuant to the relevant GDPR provisions (purpose of processing, personal data category, the duration of the storage, the existence of your right to request a correction, deletion, the limitation on processing or the right to object, the source of personal data and the right to file a complaint). If desired we will provide you with a copy of the personal data we are processing about you free of charge. In case of a repeated request, we may charge a reasonable fee for providing a copy corresponding to the administrative costs for processing.

To access your personal data, use your user account or contacts listed in these principles.

The Right to Withdraw Consent Personal Data Processing if Processing Occurs on the Basis of Consent
You have the right at any time to withdraw consent to the processing of personal data by us on the basis of such consent.

You can revoke your consent through your user account or contacts listed in this policy.

Right of Correction, Restriction or Deletion
If you find that personal information about you is inaccurate, you may ask us to correct this information without undue delay. If appropriate in terms of the specific circumstances of the case, you may also request the completion of the information we have about you.

You may request a correction, limitation of processing or deletion of data through your user account or contacts listed in these principles. 

Right to Deletion of Personal Data
You have the right to request immediate deletion of the personal data processed by us that relate to you in the following cases:

  • If you revoke your consent to personal data processing, and there is no other legitimate reason for our processing that would prevail over your right to deletion; 
  • if you object to the processing of personal data (see below); 
  • Your personal data is no longer needed for the purposes for which we have gathered or otherwise processed them; 
  • the personal data has been unlawfully processed by us; 
  • the personal data was gathered in connection with the provision of information society services to a person below the age of 18; 
  • personal data must be deleted to comply with the legal obligation laid down in European Union law or Czech law applicable to us.

You may request a deletion in these cases through your user account or contacts listed in these principles.

The Right to Request the Deletion of Personal Data is Not Given in a Situation Where Processing is Essential 

  • For the exercise of the right to freedom of expression and information; 
  • to fulfill our legal obligations; 
  • due to public interest in the field of public health; 
  • for purposes of archiving due to public interest, for scientific or historical research purposes or for statistical purposes, where the deletion of data would probably disrupt or seriously jeopardize the attainment of the objectives of the mentioned processing; 
  • for the determination, exercise or defense of legal claims.

Reasons for which it is not possible to use the right of deletion can be found through your user account or contacts listed in these principles.

The Right to Limit the Processing of Personal Data
You have the right to limit the processing of your personal data in the following cases:

  • you deny the accuracy of your personal information. In this case, the limitation is valid for the period required to verify the accuracy of the personal data. 
  • the processing is illegal and you do not want to delete your personal information and instead want to limit their use. 
  • We no longer need your personal data for the purposes for which we processed it, but you are required to identify, exercise or defend legal claims; 
  • you object to the processing (see below). In this case, the limitation applies for a period until it is verified that the legitimate reasons on our side outweigh your legitimate reasons.

When the processing of personal data is limited, we may process your personal data (with the exception of its storage) only with your consent or for the purpose of determining, enforcing or defending our legal rights, for the protection of the rights of another natural or legal person or for reasons of significant public interest or a Member State. As mentioned above, you can request processing restrictions through your user account or contacts listed in this policy.

Right to Object to Processing
You have the right to object to the processing of your personal data in the following cases:

  • In case that the personal data is being processed because the processing is necessary to fulfill a task executed in the public interest or in the act of a public authority to which we are entrusted or for the purposes of our legitimate interests and you object to the processing, unless we can demonstrate serious legitimate reasons for processing that outweigh your interests, rights and freedoms, or to determine, exercise or defend our legal rights. 
  • If the personal data is processed for direct marketing purposes and you object to the processing, we will no longer process personal data for this purpose. 
  • If your personal data is processed for the purposes of scientific or historical research or for statistical purposes, we will not further process it unless the processing is necessary to fulfill a task executed for reasons of public interest.

You can submit an objection through your user account or contacts listed in this policy.

Right to Data Portability
In case we process your personal data based on your consent or for the reasons that it is necessary to comply with the Contract concluded between us, you are entitled to obtain from us the personal data related to you and that you have provided us in a structured, commonly used and machine-readable format, if personal data are processed by us. You have the right to transfer this data to another data controller or to require us to provide this information directly to another data controller if this is technically feasible. You may obtain your personal information through your user account or contacts listed in this policy.

The Right Not to be Subject to any Decision Based Exclusively on Automated Processing, including Profiling
We do not use personal data for automated decision-making.

The Right to Obtain Information on a Security Breach of Your Personal Data
If it is probable that a breach of our security will be a high risk for your rights and freedoms, we will immediately notify you of this breach. If proper technical or organizational measures have been used to process your personal data, ensuring e.g. incomprehensibility for an unauthorized person, or we would ensure by means of additional measures that a high risk will not occur, that we are not obliged to inform you about the breach.

Right to File a Grievance with the Supervisory Authority
If you believe that the processing of your personal data is in violation of the obligations set forth in the GDPR, you have the right to file a grievance with the Supervisory Authority. The Supervisory Authority in the Czech Republic is the Office for Personal Data Protection.

These Personal Data Protection Principles are effective from 25. 5. 2018.

We accept the following types of payment cards: MasterCard, MasterCard Electronic, Maestro, Visa, Visa Electron, Sodexo

VISA Mastercard Maestro VISA electron Mastercard electronic Sodexo
ARSY line - creation of websites and e-shops