Personal Data Protection Policy (“Policy”)
The giyou.cz e-shop is operated by the company AND LILAC s.r.o.
It is the mission of AND LILAC s.r.o. to create original designs, create and sell silver flowers (under the brand name Giyou or other brands) and similar products made from precious metals, and provide enjoyment of these flowers and their use.
In the Czech Republic, we operate an e-shop at www.giyou.cz. To develop this mission, we have adopted a personal data protection policy which applies to any customer, partner, or visitor coming into contact with our websites and online solutions.
Information on personal data processing
As a data controller, AND LILAC s.r.o., based in Saky 3, 273 08 Třebichovice, incorporated in the Business Register maintained by the Municipal Court in Prague, C 334535, company registration no. 09326294/tax registration no. CZ09326294 (hereinafter referred to as “AND LILAC”) hereby provides information on the manner and scope in which it processes personal data, including the scope of rights enjoyed by data subjects as related to the processing of their personal data by AND LILAC.
All data is processed by AND LILAC in the Czech Republic.
Purpose and scope of personal data processing
AND LILAC only processes the exact personal data obtained as per Act No. 110/2019 Coll., on personal data processing, and in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation”), where AND LILAC collects and processes such personal data only for the stated purpose, in the scope detailed below, for the duration of the contractual relationship and/or presence of a data subject’s valid consent and/or during a period of a legitimate interest being exercised and subsequently for a period stipulated by other statutory requirements. AND LILAC processes personal data correctly, legally, and transparently while meeting the condition of minimising personal data to a scope necessary for the purpose to which it is being processed. AND LILAC does not process any special categories of personal data within the meaning of Article 9 of the Regulation.
Personal data and its consent-based processing
Based on your consent we process the following personal data (the particular scope depends on which personal data you provide to us): name and surname, delivery address, invoice address, phone number, email address, order items, date of birth, date of registration, date of orders, last log-in date, marketing segmentation. Data is processed based on your consent so that we can engage in a purposeful conversation with you. Personal data, processed on the basis of consent, is being processed by us only for the duration of your consent.
You can revoke your consent at any time. Revocation of your consent does not affect the legality of consent-based processing performed before the revocation. Contract performance, including the provision of AND LILAC services, is never made dependent by AND LILAC on your consent to any personal data processing that is not necessary for the performance of that particular contract.
Our services are intended for people aged 16 years and above.
Personal data processing based on contract performance
We process the following personal data for the purposes of performing our contract with you (the particular scope depends on which personal data you provide to us): name and surname, delivery address, invoice address, phone number, email address, order items, IP address, date of registration, date of orders. Your data is processed for the purpose of delivering ordered goods/services and handling any complaints. Personal data processed on the basis of contract performance is being processed for a period of 7 years.
Personal data processing to exercise AND LILAC’s legitimate interests
We process the following personal data for the purposes of exercising AND LILAC’s legitimate interests (the particular scope depends on which personal data you provide to us): name and surname, delivery address, invoice address, phone number, email address, order items, IP address, information about your web browser, date of orders, last log-in date, marketing segmentation (sensitive order items excluded). The data is being processed for the purpose of direct communication, potential legal disputes, information systems security, and fraud prevention. The exercise of our legitimate interests applies to customers who placed an order with AND LILAC in the past 7 years.
Personal data processing to comply with statutory requirements
We process the following personal data for the purposes of meeting statutory requirements (the particular scope depends on which personal data you provide to us): name and surname, university degree, delivery address, invoice address (including company registration number and tax registration number), bank account number, phone number, email address, order items, IP address, date of orders. The data is processed for the purpose of bookkeeping, tax administration, and potential provision of information by state bodies. Personal data processed to comply with statutory requirements is being processed for a period of 10 years, starting at the end of the tax period in which a taxable event occurred.
Use of our services
If there is a legal reason for the processing (see above), we can record your visits and use of services, including our mobile applications.
We can record data on use when you visit or otherwise use our services, including our websites, applications, and technologies, for example when you view content or advertising (on our website and in our applications or outside them) or when you click on them, when you perform a search, install one of our mobile applications, or share your experience. For the purpose of identifying and recording your use of our services we use log-in data, cookies, information about the device used, and internet protocol addresses (“IP”).
How we use your data
We always use your data in accordance with effective legislation to provide, support, adjust, and develop our services. Our use of your personal data depends on the services you use, how you use them, what your consent covers, and what your settings are. We use the data we have about you to provide, support, and adjust our services (including advertisements) and make them more relevant and useful to you and others.
Personal data security, processors, and recipients
To fulfil the above-mentioned purposes, personal data can also be processed by AND LILAC’s processors who are not AND LILAC and the company’s staff, based on agreements on personal data processing concluded in accordance with the Regulation. AND LILAC uses only such processors who give sufficient guarantees and have suitable technological and organisational measures in place to comply with the Regulation’s requirements and ensure the rights of data subjects are protected.
AND LILAC can process personal data manually and automatically. In terms of technology and organisation, personal data protection is ensured as per the requirements of the Regulation and Act No. 110/2019 Coll., on personal data protection, and relies on ISO/IEC 27001 requirements. AND LILAC requires its personal data processors to ensure at least the same level of security.
Following a legal request, personal data can be provided to third-party subjects who are legally authorised to require the provision of material personal data.
As a personal data processor, AND LILAC emphasises personal data protection. In the same capacity, AND LILAC does not intend to disclose your personal data to third parties, with the exception of carriers who receive buyers’ personal data in the minimum scope necessary to carry goods, and of other processors, primarily:
- providers of accounting services or information, accounting, and invoicing software;
- server and website administrator;
- computer administrator;
- Česká pošta;
- Heureka Shopping s.r.o., based in Karolinská 650/1, Karlín, 186 00 Prague 8, company registration no. 023 87 727, and online payment services operators;
- or any other providers of processing software, services, and applications.
AND LILAC undertakes to ensure the security of the personal data being processed, both technologically and in terms of organisation, in order to prevent unauthorised or accidental data access, change, destruction, or loss, unauthorised transfer, other unauthorised processing or abuse, and make certain that all data controller’s obligations pursuant to legal regulations are continuously met for the duration of the data processing, both in terms of personnel and organisation.
All personal data provided by customers as regards their use of goods is processed automatically by a secure electronic system. In terms of organisational security, AND LILAC prevents third parties from having unauthorised access to the data, primarily by restricting access to the database and personal data which can be accessed only by those who underwent training in personal data protection and have a duty of confidentiality.
AND LILAC processes personal data manually and automatically. In terms of technology and organisation, personal data protection is ensured as per the requirements of the Regulation and Act No. 110/2019, Coll., on personal data protection. AND LILAC requires that its personal data processors adhere to at least the same level of protection.
Sources of personal data
AND LILAC obtains personal data from you, a data subject, when you place an order.
Technological and organisational security of personal data
Aware of the importance of protecting personal data in terms of confidentiality, integrity, and accessibility, AND LILAC adopted the following main Policy and incorporated it in the AND LILAC management system:
- Information can be accessed only by those who need it to do their job;
- Such persons are not authorised to make copies of personal data;
- Incompatible duties and responsibilities are separated for relevant processes;
- Measures to restrict access to systems containing personal data are in place;
- All processors have safe (encrypted) mechanisms for personal data transfer in place (your personal data is never transferred anywhere without being properly encrypted);
- We use only internally approved, tested software and update it regularly;
- We verify the quality of our information systems’ security;
- We manage access rights to information systems containing personal data;
- We require our staff and suppliers to use quality passwords which are regularly changed;
- We observe the clear desk and clear screen policy;
- Paper documents containing personal data are stored in secure (locked) areas;
- We do not store unencrypted personal data on unencrypted media;
- We manage our staff’s and any suppliers’ or visitors’ physical access to AND LILAC’s premises;
- We have an internal audit process in place, focused on personal data security.
Rights of data subjects
You are entitled to access your personal data, have it rectified or deleted, or restrict its processing and transfer to another subject. You can also object against the processing or lodge a complaint with the Office for Personal Data Protection.
How do we use “cookies”?
“Cookies” are small text files saved in your browser or on the hard drive of the computer used to visit a website. The next time you visit the website, “cookies” allow your device to be identified and adapt the website to fit your preferences. AND LILAC’s “cookies” do not store any personal data. The data stored in “cookies” is used exclusively to provide the AND LILAC and www.giyou.cz services. They improve your online experience by saving your preferences when you visit a web page. The data is used only in aggregate. “Cookies” do not contain any personally identifying information and cannot profile our system or collect information from your hard disk. Find more information about cookies on www.allaboutcookies.org.
As per the relevant provisions of Act No. 127/2005, Coll., on electronic communications, visitors have the right to decide whether they allow “cookies” in their device via computer settings. Visitors who do not change the settings of the software installed in their computer agree to have “cookies” stored in their device. Visitors can prevent “cookie” files from being saved by opening www.giyou.cz in an incognito window. This private browsing feature is enabled by all modern web browsers; “cookies” are not saved in your browser while this feature is on.
Your rights in terms of personal data protection
Anyone whose personal data we process has:
- the right to access personal data: right to have AND LILAC confirm whether your data is or is not being processed, and if so, to access this personal data as well as information on the purpose of the processing, personal data categories, the recipient or categories of recipients who were or will be given access to the personal data, period for which the personal data will be stored, and to receive a copy of the personal data being processed;
- the right to rectification: right to have incorrect personal data rectified by the data controller without any undue delay, and to have incomplete data completed;
- the right to deletion: right to have personal data deleted by the collector without any undue delay if such personal data is no longer necessary for the purpose to which it was collected and processed, or if the consent to processing is revoked or if an objection is made against the processing and there are no prevailing legitimate reasons for the processing or if the personal data was processed illegally;
- the right to restrict processing: right to have processing restricted by the data controller if you find the personal data inaccurate, for a period necessary to allow the controller to verify the personal data’s accuracy, or if processing is illegal and you refuse to have your personal data deleted, or if you object against your personal data being processed until it is ascertained whether the controller’s legitimate reasons prevail over yours;
- the right to data portability: right to obtain personal data in a structured, commonly used, and machine readable format, and to provide this data to another controller;
- the right to object: right to object against personal data processing performed on the grounds of the controller’s legitimate interests. The controller does not process personal data unless they substantiate serious legitimate reasons for the processing which prevail over your interests or rights and freedoms, or for establishing, exercising, or defending legal claims.
To exercise your rights (requests) contact us by sending an email to firstname.lastname@example.org or send a letter to AND LILAC s.r.o., Saky 3, 273 08 Třebichovice.
Once identification is made as required, you will be given information on the handling of your request, done as per statutory requirements, within the statutory period.
If you would like to contact us with a suggestion or complaint regarding our processing of your personal data, use the addresses mentioned above; your suggestion will be forwarded to a responsible staff member of AND LILAC who will look into it and subsequently work with you on handling it. If you still believe your personal data was not processed adequately as per statutory requirements, you can contact the Office for Personal Data Protection.
AND LILAC collects and manages users’ email addresses, obtained in connection with the sale of its products or services. Regardless of their nature, email addresses obtained in this manner are viewed as electronic contact addresses acquired in connection with the sale of a product or service within the meaning of Section 7, Paragraph 3 of Act No. 480/2000, Coll., on certain information society services, and AND LILAC is authorised to use these for the purpose of sending business communications concerning similar products or services of the company.
AND LILAC must give users the option to opt out of receiving further business communications at the provided email address, and to do it in each business communication. Opting out of receiving further business communications is free of charge for customers, excluding the cost of internet connection and data transfer.
The use of AND LILAC services is governed by general terms and conditions, available on www.giyou.cz.
AND LILAC reserves the right to amend this Policy, as well as terms and conditions, without prior notice. The current version of terms and conditions and personal data protection policy can always be found on www.giyou.cz.
AND LILAC’s contact data for matters concerning this Policy: 420-775-555-531, email@example.com.
Relations not explicitly regulated by this Policy are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and by Czech law.
This Policy comes into effect on August 15, 2022
In Prague, on August 15, 2022
AND LILAC s.r.o.