1. As defined under Article 4(7) of the Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”), the controller means Beauty Active s.r.o., having its registered office at Pod Pekařkou 107/1, Podolí, 147 00 Prague 4, Czech Republic, Company ID: 09738045, VAT Number: CZ09738045, recorded in the commercial register of the Metropolitan Court in Prague, Section C, File 341510.
2. The contact details of the Controller are: Beauty Active s.r.o.
Postal address: U staré tvrze 285/21 19600 Praha
Phone details: +420 774 030 354
3. The personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. The Controller has not appointed a data protection officer.
Sources and categories of the processed personal data
1. The Controller processes the personal data that were provided by you or the personal data that the Controller obtained in your order:
- name and surname
- e-mail address
- postal address
- phone number
- confirmation of your medical education
2. The Controller processes your identification and contact details and the personal data that are necessary for the performance of the contract.
Lawful ground and purpose of personal data processing
1. Personal data processing will be lawful when:
- processing is necessary for the performance of a contract made between you and the Controller, as defined under Article 6(1)(b) of the GDPR;
- processing is necessary for compliance with a legal obligation of the Controller, as defined under Article 6(1)(c) of the GDPR;
- processing is necessary for the purposes of the legitimate interest pursued by the Controller in the provision of direct marketing services (namely, to send commercial notices and newsletters), as defined under Article 6(1)(f) of the GDPR;
- you have given your consent to the processing of your personal data for the purposes of the provision of direct marketing services (namely to send commercial notices and newsletters), as defined under Article 6(1)(a) of the GDPR and under Section 7(2) of Act No. 480/2004 Sb., on certain information society services when the order for the goods or services has not been placed.
2. The purpose of the personal data processing is:
- to process your order and to exercise and perform the rights and obligations ensuing from the contractual relation made between you and the Controller; when placing an order, it is required to specify personal data that are necessary for the proper processing of an order (name and address, contact); the provision of personal data is vital for the execution and performance of the contract; without providing personal data, it is not possible for the Controller to execute the contract or perform the contract;
- to perform any and all legal obligations towards the state;
- to send any commercial notices and to perform any other marketing activities.
3. The Controller is not involved in any automated individual decision-making, as defined under Article 22 of the GDPR.
1. The Controller keeps the personal data
- for as long as the personal data are necessary for exercising and performing any rights and obligations ensuing from the contract made between you and the Controller and for any claims arising from such contractual relations (for a period of 15 years after the termination of the contractual relation);
- until the consent to personal data processing for marketing purposes is revoked, but for no longer than 3 years, if the personal data are processed on the basis of consent.
2. After the lapse of the period for keeping the personal data, the Controller will delete the personal data.
Recipients of personal data (sub-contractors of the Controller)
1. The recipients of personal data are these persons and entities:
- Those involved in the supply of goods/services/payments made under the contract;
- Those arranging the services of the e-shop operation and other services associated with the e-shop operation;
- Those arranging the marketing services.
2. The Controller has no intention to transfer personal data to a third country (a country outside the European Union) or any international organisation.
Personal data processor
- The personal data processing is carried out by the Controller. However, the personal data may also be processed by these processors:
- Mailchimp – services provider, marketing agency;
- or any other provider of processing software services and applications that are not currently used by the Controller.
1. Under the conditions defined under the GDPR, you have:
- a right of access to your personal data, as defined under Article 15 of the GDPR;
- a right to rectification of the personal data, as defined under Article 16 of the GDPR, or a right to restriction of processing, as defined under Article 18 of the GDPR;
- a right to erasure of the personal data, as defined under Article 17 of the GDPR;
- a right to object to processing of personal data, as defined under Article 21 of the GDPR;
- a right to data portability, as defined under Article 20 of the GDPR; and
- a right to revoke your consent to the personal data processing, in writing or electronically, by a notice sent to the postal address or the email address of the Controller specified under Article I of these conditions.
2. In addition, you have a right to file a complaint with the Office for Personal Data Protection if you believe that your right of personal data protection was violated, or else you have a right to bring the case to a court.
Security of personal data
- The Controller hereby declares that all appropriate technical and organisational measures required for the personal data security have been implemented.
- The Controller has implemented all technical measures to secure the data storage and the hard-copy (paper) personal data storage, namely to secure data and data files by using a password, anti-virus programmes and document back-ups.
- The Controller declares that only the persons explicitly authorised by the Controller have access to the personal data.
- By placing an order via the online order form, you confirm that you have read the personal data protection conditions and you accept them in full.
- By ticking the consent box in the online form, you express your consent to these conditions. By ticking the consent box, you confirm that you have read the personal data protection conditions and you accept them in full.
- The Controller may change these conditions at any time. The Controller will publish the new version of these data protection conditions on its website. In addition, the Controller will send you this new version to the email address that you provided to the Controller.
These conditions become effective on 1 June 2021.