Personal data policy

according to Regulation (EU) 2016/679 of the European Parliament and Council on the protection of natural persons in connection with the processing of personal data and the instruction of data subjects (hereinafter also referred to as the "GDPR Regulation")

Obchodní společnost Jahoda&Broskev s.r.o., IČO: 176 28 881, with registered office at Bohunická 517/55, Horní Heršpice, 619 00 Brno, as the administrator of the personal data of its clients, natural persons, in this document provides all information regarding the processing of personal data of clients - natural persons (hereinafter also as "client" or "data subject"), which, as a personal data controller, he is obliged to provide according to the GDPR Regulation, as well as in accordance with Act No. 110/2019 Coll., on the processing of personal data, as amended (hereinafter also as " law").

In this statement, the administrator tries to present the information as clearly as possible.

  1. Who is the controller of personal data?
  2. For what purpose does the administrator need personal data?
  3. What are the controller's legitimate interests?
  4. How was personal data obtained?
  5. What categories of personal data are processed?
  6. Will personal data be passed on to someone else?
  7. Will personal data be transferred to a third country or international organization?
  8. How long will personal data be stored?
  9. What are your rights related to the processing of personal data and how can you exercise them?
  10. Are personal data automatically evaluated?

  1. Who is the controller of personal data?
    A personal data controller is a person who alone or jointly with others determines and decides how personal data will be processed. The controller of personal data is the business company Jahoda&Broskev s.r.o., ID number: 176 28 881, with registered office at Bohunická 517/55, Horní Heršpice, 619 00 Brno (hereinafter also referred to as the "controller").
  2. For what purpose does the administrator need personal data?

The administrator processes personal data in accordance with Article 6, paragraph 1 of the GDPR Regulation for:

  • ensuring the conclusion and subsequent fulfillment of the contractual obligation between the controller and the data subject (i.e. according to Article 6, paragraph 1, letter b) of the GDPR Regulation) - e.g. to provide the ordered performance (goods);
  • fulfillment of legal obligations that apply to the data controller (according to Article 6, paragraph 1, letter c) of the GDPR Regulation) - e.g. processing for the purpose of accounting;
  • protection of the vital interests of the data subject (according to Article 6, paragraph 1, letter d) of the GDPR Regulation);
  • to protect your legitimate interests (according to Article 6, paragraph 1, letter f) of the GDPR Regulation) - e.g. for the purpose of handling complaints, collecting claims and other obligations from contracts concluded between the administrator and the client;
  • on the basis of the consent of the data subject (according to Article 6, paragraph 1, letter a) of the GDPR Regulation) - in the event that the data subject gives the controller consent to the processing of specific personal data for a specific purpose of processing, the controller is authorized for the duration of the consent to the subject personal data process also for the purpose defined in the consent provided.
  1. What are the controller's legitimate interests?

The data administrator uses personal data primarily to provide the client with its services, to be able to conclude the required contract with the client, to fulfill the concluded contract, to comply with legal requirements, to notify the client of changes in its services, to improve its services or to provide the client with a better customer experience.

The administrator's legitimate interests consist, for example, in the possibility of proving the performance and defending his legitimate interests according to Act No. 235/2004 Coll., on value added tax and Act No. 563/1991 Coll., on accounting. The Administrator must also be able to assess the complaint of the performed performance and possibly rectification of defective performance according to Coll. No. 89/2012, Civil Code.

One of the legitimate interests may also be the processing of personal data for the purpose of direct marketing - sending commercial messages. This means that if the client has already purchased some goods from the administrator or used a service provided by the administrator, the administrator may sometimes send him an offer of similar products that might be of interest to him. However, he can cancel the sending of these commercial messages at any time via the link contained in the sent commercial message or via the contact email listed below, and after that the administrator will no longer send him anything.

  1. How was personal data obtained?

The administrator obtained personal data:

  • directly from the data subject, including data obtained through so-called cookies,
  • from publicly accessible registers and lists, e.g. commercial register, trade register,
  • from third parties who cooperate with the controller and have obtained personal data in accordance with the law and can pass them on to the controller.

The administrator either explicitly requests personal data from the client or can obtain it if the client registers for its services, enters into a contract with it or uses one of its services. Alternatively, the client can provide his personal data to the administrator, e.g. by filling out forms on the website or communicating with the administrator via telephone, e-mail, internet discussion or otherwise. Furthermore, the administrator collects some of the client's personal data automatically with the client's consent, e.g. by using cookies when visiting the administrator's website.

  1. What categories of personal data are processed?

The administrator processes for the purpose stated in point 2 in particular:

  • basic identification data – name, surname, all previous surnames, title, date of birth, social security number, address and permanent residence, identification number, tax identification number
  • contact details – correspondence address, telephone number and e-mail address,
  • invoicing and transaction data – this mainly concerns bank account numbers, information appearing on invoices, agreed invoicing terms and received payments,
  • personal data related to the provision of services by the administrator - all data that the client provided to the administrator in connection with the provision of services or that the administrator otherwise learned in this connection.
  1. Will personal data be passed on to someone else?

The personal data of the data subject may be accessed by employees of the administrator who will be authorized to work with this personal data. All employees who will have access to personal data will be bound by confidentiality in writing, so personal data must not be disseminated anywhere. These employees are also responsibly selected, have been familiarized with the internal rules on the protection of personal data and have also been properly trained to know how to handle personal data and under what conditions personal data may be processed.

The administrator will then pass on the personal data to some third parties if necessary. These persons are called processors. The administrator is responsible for ensuring that these processors provide appropriate guarantees for the processing of personal data.

Here, the administrator lists the categories of persons to whom he can transfer personal data and who can thus gain access to personal data:

Beneficiary category

Purpose of transfer of personal data

Legal advisors

Use of legal advice.

Accounting consultants

Use of accounting services.

Tax advisors

Use of tax advice.

Marketing consultants

Use of marketing consultancy and services.

IT service providers

IT management and user application management.

Website Manager

Administrator website management.

Providers of online tools

Use of these tools to improve service quality and customer experience (including card payment).

Service providers for sending messages

Ensuring the sending of commercial and other messages.

Providers of postal or forwarding services

Delivery of ordered goods to the client.

The administrator provides data without the data subject's consent to the above-mentioned third parties only in connection with the above-defined purposes of personal data processing and for the above-mentioned processing reasons. Any provision of personal data of the data subject to any other recipients for reasons other than those mentioned above is possible only on the basis of express consent granted by the administrator.

  1. Will personal data be transferred to third countries (non-EU countries) or international organizations?

Personal data may be transferred by the administrator to a third country or to an international organization only for the purpose of better data backup and protection.

  1. How long will personal data be stored?

Personal data are generally processed only for the necessary period, i.e. at least for the duration of the contract. If personal data are no longer needed for processing purposes, they are deleted immediately.

In the event that the controller stores personal data as a result of a legal obligation, it processes them for the period specified in the relevant law.

In the event that the law requires the archiving of certain data, the administrator archives this data in accordance with the law for the period specified in this law.

Personal data obtained on the basis of the client's consent are stored for the period specified in this consent.

Personal data obtained in connection with the conclusion of a contract or the provision of services is processed by the administrator for the duration of the performance of the contract or the provision of the service and generally for a period of 10 years, during which time personal data are processed only for the purpose of possible legal proceedings and claims.

In the event that proceedings are initiated for which the client's personal data are required, the administrator processes these data throughout the course of such proceedings, including any enforcement and other subsequent proceedings.

  1. What are your rights related to the processing of personal data and how can you exercise them?

The administrator does everything to ensure that the processing of personal data of clients takes place properly and, above all, securely. The personal data of all data subjects is protected with the maximum level of security, both in physical form and in electronic form.

The data subject is guaranteed the rights described in this article, which he can exercise with the administrator.

Individual rights can be exercised by sending an e-mail to the address info@jahodabroskev.cz The client can exercise his rights in the form of a written request sent to the address Bohunická 517/55, Horní Heršpice, 619 00 Brno.

All communications and statements regarding the exercised rights are provided by the administrator free of charge. However, if the request would be clearly unfounded or unreasonable, especially because it would be repeated, the administrator is entitled to charge a reasonable fee taking into account the administrative costs associated with providing the requested information. In case of repeated application of the request to provide copies of processed personal data, the controller reserves the right to charge a reasonable fee for administrative costs for this reason.

Statements and possibly information about e.g the administrator will provide the measures taken as soon as possible, but within one month at the latest. The administrator is entitled to extend the deadline by two months if necessary and taking into account the complexity and number of applications. The administrator will inform the client about the extension, including the reasons.

In accordance with Article 12 of the GDPR Regulation, the client is entitled to request information from the controller as to whether or not personal data is being processed. If personal data is processed, the controller has the right to request information in particular about the identity and contact details of the controller, his representative and, where appropriate, the personal data protection officer, the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, the authorized administrators, about the list of client rights, about the possibility to contact the Office for Personal Data Protection, about the source of processed personal data and about automated decision-making and profiling.

If the administrator intends to further process the client's personal data for a purpose other than that for which it was obtained, it will provide the client with information about this other purpose and other relevant information before the said further processing.

The information provided to the client in the exercise of this right is already contained in this Statement, but this does not prevent the client from requesting it again.

In accordance with Article 15 of the GDPR Regulation, the client is entitled to request information from the administrator as to whether his personal data is being processed or not and, if so, he has access to information on the purposes of processing, categories of personal data concerned, recipients or categories of recipients, the period of storage of personal data , information about your rights (rights to request correction or deletion from the administrator, restriction of processing, object to this processing), about the right to file a complaint with the Office for Personal Data Protection, information about the source of personal data, information about whether automated decision-making is taking place and profiling and information regarding the procedure used, as well as the meaning and expected consequences of such processing for the client, information and guarantees in the event of the transfer of personal data to a third country or international organization. The client has the right to provide copies of processed personal data. However, the rights and freedoms of other persons may not be adversely affected by the right to obtain this copy.

In accordance with Article 16 of the GDPR Regulation, if the client finds out, or if the client believes that the controller is processing personal data in violation of the protection of his private and personal life, or in violation of the law, he may:

  • ask the administrator for an explanation,
  • request that the administrator remove this status,
  • in the event that the administrator does not comply with his request, contact the supervisory authority (Office for the Protection of Personal Data.

If the client's request is justified, the administrator must immediately remove the objectionable state.

If the client has changed personal data, e.g. residence, telephone number, etc., the client has the right to request correction of the processed personal data from the administrator. In addition, he has the right to complete incomplete personal data, including by providing an additional statement.

In accordance with Article 17 of the GDPR Regulation, the client has the right to delete his personal data from the administrator's device, but only if this is permitted by the legal regulations to which the administrator is bound. Reasons for deletion include:

  • the processed data are no longer needed for the purpose for which they were collected
  • the client has withdrawn their consent
  • the client has objected to the processing
  • the client's data is processed illegally
  • the deletion will fulfill the legal obligation according to the law
  • personal data was collected in connection with the offer of information society services

Personal data will not be deleted even for the above-mentioned reasons, if any of the reasons according to Article 17, paragraph 3 of the GDPR Regulation are given.

The administrator deletes personal data automatically after the expiration of the necessary period, but the client can request deletion at any time. The request is then subject to individual assessment (despite the client's right to erasure, the administrator may have an obligation or legitimate interest to retain personal data) and the client will be informed in detail about its processing.

In accordance with Article 18 of the GDPR Regulation, the client has the right to limit the processing of his personal data in the event that:

  • the administrator processes his personal data to a wider extent than is necessary,
  • the client denies the accuracy of personal data for the time required for the administrator to verify the accuracy of the data,
  • the processing is illegal and the client refuses the erasure of personal data and instead requests the restriction of their use,
  • the administrator no longer needs the personal data for the purposes of processing, but the data subject requires them for the determination, exercise or defense of legal claims,
  • the client has objected to the processing until it has been verified whether the legitimate reasons of the controller outweigh the legitimate reasons of the data subject.

The request is subject to individual assessment and the client will be informed in detail about its processing. If the processing has been restricted, personal data may only be stored, otherwise they may only be processed based on the client's consent, or for the purpose of determining, exercising or defending legal claims, for the purpose of protecting the rights of another natural or legal person or for reasons of important public interest of EU or a Member State.

In accordance with Article 19 of the GDPR Regulation, the client has the right to be informed about the recipients of personal data. If the client submits this request, the administrator is obliged to answer it without undue delay, no later than within 30 working days.

The client has the right to portability of personal data.

If the client finds out or believes that the administrator is processing personal data in violation of the protection of the client's private and personal life or in violation of legal regulations (provided that the personal data is processed by the administrator on the basis of public or legitimate interest, or is processed for purposes of direct marketing, including profiling, or for statistical purposes or for purposes of scientific or historical significance), the client can contact the administrator and ask him for an explanation or removal of the problematic situation that has arisen.

The client can also object directly to automated decision-making and profiling.

In accordance with Article 77 of the GDPR Regulation, the client is entitled to file a complaint with the supervisory authority, which is the Office for the Protection of Personal Data - Office for the Protection of Personal Data, Plk. Sochora 27, 170 00 Prague 7, website https://www.uoou.cz/.

  1. Are personal data automatically evaluated?

Personal data is not automatically evaluated.

The administrator is entitled to unilaterally change and update these principles of processing and personal data protection at any time.

These policies apply from 1 June 2023.