PERSONAL DATA PROTECTION POLICY

Through this Personal Data Protection Policy (hereinafter the “Policy”), we inform the data subjects whose personal data we process, about all processing activities and the principles of privacy protection policy for the data subjects.

1. Responsible persons

Personal data controller:
CYLINDERS HOLDING a.s., with its registered seat at Výstavní 81/97, Ostrava – Vítkovice 703 00
Contacts to claim your rights: Telephone: +420 596 664 762, E-mail: cylinders@cylinders.cz
(hereinafter also as “we”, “us” or “our” )

2. Basic terms

GDPR:
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, effective from 25/05/2018.

Personal data:
Personal data means within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, any information relating to an identified or identifiable natural person (i.e. data subject = you).

Special personal data:
Special personal data is the data on racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, on processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data subject = you:
Data subject means an identified or identifiable natural person; an identified or identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data processing:
Personal data processing means within the meaning of Article 4 (2) of GDPR any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller:
Controller means within the meaning of Article 4 (7) of GDPR a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In relation to your personal data, we act as a controller.

Processor:
Processor means within the meaning of Article 4 (8) of GDPR a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Supervising authority:
Supervising authority in the Czech Republic is the Office for Personal Data Protection (hereinafter “OPDP”).

Risky processing:
Risky processing means the processing that probably poses a risk for rights and freedoms of the data subject, is not occasional or includes processing of special personal data or personal data relating to criminal convictions and offences referred to in Article 10 of GDPR.

Automated individual decision-making including profiling:
Automated individual decision-making including profiling means in general any form of decision based on automated personal data processing, i.e. without human intervention, consisting among others in assessment of certain personal aspects relating to the data subject, in particular for the purpose of analysis or estimate/analysis or prognosis of aspects concerning the data subject’s work performance, economic situation, state of health, personal preferences, interests, reliability, behaviour, place of location or movement.

3. Categories of subjects; the processed personal data; purpose; legal basis and processing period

We process the personal data for a clearly defined purpose:

Categories of data subject

Purpose of personal data processing

Legal basis and the processed personal data

Processing period

Website visitors

Statistics prior to data anonymization, displaying advertisements for our services or merchandise.

The legal basis is a legitimate interest in the sense of a) improving our services and focusing on what you are really interested in; b) offering you similar services or goods that fit your needs based on the access to our website.

Identification data (name, surname), contact details (address, e-mail, telephone), IP address and cookies.

For the aforementioned, personal data may be processed for the period of 6 months.

Sending response to a question from a website visitor

The legal basis is performance of your contract, or your consent.

Identification data (name, surname), contact details (address, e-mail, phone), IP address and cookies, question asked via a form.

For this purpose, personal data may be processed until answering the question asked via the contact form, but not longer than for 30 days or for the period, during which your consent to the processing exists.

Newsletter subscribers

Sending commercial messages by e-mail

The legal basis is the consent you granted to us upon registration to subscribe the newsletter.

Identification data (name, surname), contact information (e-mail).

For the aforementioned purpose, personal data may be processed until the consent is revoked.

4. Period of personal data processing

We only keep the personal data for the period necessary for the purpose of processing – see the table above. After the said period, the personal data may only be retained for the purposes of the state statistical service, for scientific and archival purposes.

5. Recipients of personal data and handover of personal data outside the European Union

In justified cases we may hand over your personal data also to other entities (hereinafter the “recipients”).
Personal data may be transmitted to the following recipients:

  • Processors who process your personal data in accordance with our instructions, particularly in the area of public relations, electronic data administration or bookkeeping;
  • Public authorities and other entities, if required by the applicable legal regulation;
  • Other entities in the case of an unexpected event, when provision of data is necessary for the purpose of protecting life, health, property or other public interest, or if it is necessary to protect our rights, property or safety.

6. Cookies

After your first visit to our website, our server will send a small amount of data to your computer and will save it there. Each time you visit our site, the browser will send the data back to the server. This small file is called a “cookie”, and it is a short text file containing a specific string of characters with unique information about your browser. We use cookies to improve the quality of our services and to better understand how people use our site. That’s why we have user preferences saved in the cookies, and with their help we monitor user trends, how people behave on our website and how they browse it.

Most browsers are set to accept cookies. However, you have the option to set your browser to block cookies or to inform you each time a cookie is sent. However, without cookies some services or features will not work properly.

Our website uses “first-party” cookies, i.e. cookies only used by our website (hereinafter referred to as first-party cookies) and “third-party” cookies (i.e. cookies coming from websites of third parties). We use first-party cookies to save user preferences and data needed during your visit to our website (e.g. your shopping cart content). Third-party cookies are used to track user trends and behavioural patterns and for advertisement targeting, with the help of third parties – web statistics providers. Third-party cookies used to track trends and behavioural patterns are only used by our website and by the web statistics provider; they are not shared with any other third party.

We particularly use the following cookies:

  • Google Analytics
  • Google AdWords
  • Facebook Pixel
  • Sklik

7. Personal data processing policy

Legality
We process your personal data in accordance with the applicable legal regulations, particularly GDPR.

Data subject’s consent
We only process personal data in the manner and to the extent you granted your approval for, if the processing is subject to your consent.

Minimising and limiting the personal data processing
We only process the personal data to the extent necessary to attain the purpose of its processing for the period not longer than necessary for achieving the purpose of its processing.

Accuracy of the processed personal data
We process the personal data with emphasis put on their accuracy, taking the available actions. We process the updated personal data using the adequate means.

Transparency
Through this Policy and contact person you have the opportunity to learn how we process your personal data, as well as its scope and content.

Restriction of the purpose


We only process personal data to the extent necessary for the fulfilment of the intended purpose and in accordance with that purpose.

Safety


We process the personal data in a manner that ensures its proper security, including its protection by appropriate technical or organizational measures, against unauthorized or unlawful processing and against accidental loss, destruction or damage.

8. Automated individual decision-making and profiling

In personal data processing, there is no automated individual decision-making, including based on profiling.

9. Your rights as a data subject

Right of access to personal data


You have the right to require from us to get access to the personal data relating to your person. In particular, you have the right to receive a confirmation from us whether the personal data relating to you is or is not processed by us, and to be provided with further information about the processed data and the processing method within the meaning of the applicable GDPR provisions (purpose of processing, personal data category, recipients, the planned deposition period, existence of your right to request correction, deletion and limitation of processing, or the right to file an objection, the source of personal data and the right to file a complaint). If you ask for it, we will provide you with a copy of the personal data we process about you, free of any charge. In case of a repeated request, we may charge a reasonable fee for providing a copy, corresponding to the administrative costs of the processing.

To access your personal data, use your user account or contacts provided in this Policy.

The right to withdraw your consent to your personal data processing, if it is performed based on your consent


You have the right to revoke your consent to the personal data processing performed by us on the basis of such consent at any time.

You can revoke your consent through your user account or contacts provided listed in this policy.

Right of repair, limitation or deletion


If you find the personal information about you inaccurate, you may require us to correct this information without undue delay. If appropriate with regard to the specific circumstances of the case, you may also request amending the information we have about you.

You may request correction, limitation of processing or deletion of data through your user account or contacts listed in this policy.

Right to deletion of personal data


You have the right to ask us to erase without undue delay the personal data processed by us relating to you in the following cases:

  • If you revoke your consent to the personal data processing, and there is no other legitimate reason for our processing that would prevail over your right to deletion;
  • If you file an objection against the personal data processing (see below);
  • Your personal data is no longer needed for purposes for which we have collected it or otherwise processed it;
  • The personal data has been illegally processed by us;
  • The personal data was collected in connection with offer of information society services to a person younger than 18 years of age;
  • The personal data must be deleted to comply with a legal obligation set out in the European Union law or in the Czech legal rules applicable to us.

You may request deletion in the aforementioned cases through your user account or contacts provided in this Policy.

The right to request the deletion of personal data is not granted in a situation where processing is necessary

  • For exercising the right to freedom of speech and information;
  • For performance of our legal obligations;
  • For reasons of public interest in the field of the public health;
  • For the purposes of archiving in the public interest, for scientific or historical research purposes or for statistical purposes, where data deleting would disallow or seriously jeopardize meeting the objectives of such processing;
  • For determination, exercise or defence of legal claims.

You may learn whether there are reasons for impossibility to apply the right to deletion through your user account or contacts provided in this Policy.

The right to limit the personal data processing


You have the right to limit processing of your personal data in the following cases:

  • You deny the accuracy of your personal data. In this case, the limitation shall apply for the time we need to verify the personal data accuracy.
  • Processing is illegal and you do not want to delete your personal information, and instead you require limiting its use.
  • We no longer need your personal data for the purposes we processed it, but you require it to identify, exercise or defend legal claims;
  • You file an objection against the processing (see below). In this case, the limitation applies for a period until it is verified that the legitimate reasons on our part outweigh your legitimate reasons.

During the period of the limited personal data processing we may only process your personal data (with the exception of its deposition) with your consent or for the purpose of identification, exercise or defence of our legal rights, for reason of protecting the rights of another natural or legal person, or for reasons of an important interest of the Union or of a member state. As mentioned above, you can request limitation of processing through your user account or contacts provided in this Policy.

Right to file an objection against processing


You have the right to file an objection against your personal data processing in the following cases:

  • In the case that the personal data is processed because processing is inevitable to fulfil a task carried out in the public interest or in exercising public authority’s competencies, to which we are authorised, or for the purpose of our legitimate interests, and you file an objection against the processing, we cannot continue to process the personal data unless we can demonstrate serious legitimate reasons for processing that outweigh your interests, rights and freedoms, or for identification, exercise or defence of our legal rights.
  • If the personal data is processed for direct marketing purposes and you file an objection against the processing, we shall no longer process your personal data for the said purpose.
  • If your personal data is processed for the purposes of scientific or historical research or for statistical purposes, we will no longer process it, unless processing is necessary to fulfil a task carried out for reasons of public interest.

You can submit a complaint through your user account or contacts provided in this Policy.

Right to data transferability


In the case that we process your personal data based on your consent or because it is necessary to comply with the contract concluded between us, you are entitled to obtain from us the personal data relating to you, which you have provided us in a structured, commonly used and machine-readable format, if personal data is processed so by us. You have the right to pass this data to another data controller or to require us to provide this information directly to another data controller if this is technically feasible. You may obtain your personal information through your user account or contacts provided in this Policy.

The right not to be a subject to any decision based exclusively on the automated processing, including profiling


We do not use personal data for automated decision making.

The right to obtain information about a breach of your personal data


If it is likely that a breach of our security will result in a high risk for your rights and freedoms, we will notify you of such breach without undue delay. If the appropriate technical or organizational measures have been applied to process your personal data, such as making the data incomprehensible for the unauthorized persons, or by additional measures to ensure that the high risk does not manifest, we are not obliged to provide you with the information about the breach.

Right to file a complaint with the supervising authority


If you believe that your personal data processing violates the obligations set out in GDPR, you have the right to file a complaint with the supervising authority. The supervising authority in the Czech Republic is the Office for Personal Data Protection.

This Personal Data Protection Policy is effective from 11 April 2018.