Processing of personal data

ITFutuRe s.r.o., registered office at Libčany 275, 503 22 Libčany, ID: 27490432, VAT: CZ27490432, registered in the Commercial Register of the Regional Court in Hradec Králové, Section C, Insert 22116, as the operator of the online store www.shopid.cz (hereinafter referred to as the "Controller") processes the personal data of so-called data subjects – natural persons who:

• are interested in purchasing in the online store (potential customers);
• have purchased or are purchasing in the online store (customers).

The Controller ensures that the processing of personal data is lawful, fair, transparent, accurate, confidential, and that personal data are processed only to the extent necessary. The Controller also ensures that personal data is properly secured and that all rules set out in GDPR and other legal regulations related to the handling of personal data are complied with.

These principles were adopted, among other reasons, to demonstrate compliance with the legal regulations governing the processing of personal data by the Controller. The explanation of individual terms related to personal data processing according to these principles is provided in Article 12 below.

The Data Controller is ITFutuRe s.r.o., registered office at Libčany 275, 503 22 Libčany, ID: 27490432, VAT: CZ27490432, registered in the Commercial Register of the Regional Court in Hradec Králové, Section C, Insert 22116.

The Controller can be contacted via the following methods:

• In person (or in writing) at the Controller's office at Libčany 275, 503 22 Libčany, Czech Republic;
• Electronically via email at: info@itfuture.cz;
• By phone at: +420 739 422 196; +420 732 264 505.

Fulfillment of the purchase contract

The Controller processes personal data (name, surname, residence, phone number, email) primarily for the purpose of concluding and fulfilling the purchase contract, specifically at a minimum to ensure the delivery of goods purchased in the online store.

The legal basis for this processing is Article 6(1)(b) of GDPR – performance of the contract to which the data subject is a party.

Fulfillment of legal obligations of the Controller

The Controller processes personal data to fulfill its legal obligations, arising, for example, from accounting and tax laws, the Consumer Protection Act, etc., including the obligation of the Controller to be able to prove that personal data is processed in compliance with generally applicable legal regulations, particularly GDPR.

The legal basis for this processing is Article 6(1)(c) of GDPR – compliance with a legal obligation to which the Controller is subject.

Controller's Legitimate Interests

The Controller may process personal data for the purpose of:

• Direct marketing (see Article 5 below);
• The establishment, exercise, or defense of legal claims (particularly legal claims arising from the concluded purchase contract).

The legal basis for this processing is Article 6(1)(f) of GDPR – the legitimate interests of the Controller.

Data Subject's Consent

On the basis of the data subject's consent, the Controller may process personal data for the purpose of:

• Direct marketing (see Article 5 below);
• Setting up and maintaining a customer account (see Article 10 below).

The legal basis for this processing is Article 6(1)(a) of GDPR – the data subject's consent.

Voluntary Nature

Giving consent to the processing of personal data is completely voluntary. Failure to give consent will not have any adverse consequences for the data subject.

Withdrawal of Consent

Every data subject has the right to withdraw their consent to the processing of personal data at any time, particularly in one of the following ways:

• via the customer account;
• by sending an electronic notification to the Controller's email address (see Article 2 above);
• by sending a written notification to the Controller's registered office or place of business (see Article 2 above);
• by phone using the contact details provided by the Controller (see Article 2 above).

Consent to the maintenance of a customer account can also be withdrawn by canceling the customer account (see Article 10.2 below).

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

General

Processing personal data for direct marketing purposes means processing personal data for the purpose of sending commercial communications as defined by Act No. 480/2004 Coll., on Certain Information Society Services, as amended (hereinafter referred to as "Act No. 480/2004 Coll.").

Commercial communication refers to any form of communication, including advertising and invitations to visit the online store's website, intended for the direct or indirect promotion of goods, services, or the image of the Controller (particularly newsletters).

How does it work?

Processing personal data for the purpose of sending commercial communications to potential customers (i.e., individuals who have not yet made a purchase in the online store but have chosen to subscribe to commercial communications) is possible only based on their consent to the processing of personal data. Similarly, sending commercial communications to potential customers is only possible based on their consent (in accordance with Section 7(2) of Act No. 480/2004 Coll.).

Processing personal data for the purpose of sending commercial communications to customers (i.e., individuals who have already made a purchase in the online store) is possible even without their consent based on the legitimate interest of the Controller (see Article 3.3 above or Recital 47 of GDPR). Similarly, sending commercial communications to customers about the Controller's own similar products or services can also be done without their consent (in accordance with Section 7(3) of Act No. 480/2004 Coll.), unless the customer initially declined or later rejects it. [For more details, see https://uoou.gov.cz/novinky/obchodni-sdeleni/gdpr-a-primy-elektronicky-marketing]

Legitimate Interests

We use your personal data to provide you with relevant content, i.e., content that is interesting to you. For this purpose, we process personal data that we process automatically, including cookies, based on a legitimate interest.

For the same reason, we may send you emails and SMS messages, and send so-called push notifications through the mobile app as our customers.

Ending Processing for Direct Marketing Purposes

The Controller will stop processing personal data for direct marketing purposes without delay after the customer or potential customer expresses their disagreement with such processing. Disagreement can be expressed, for example, in one of the following ways:

• Withdrawal of consent to the processing of personal data (see Article 4 above);
• Expressing disagreement with the processing of personal data in the same way consent can be withdrawn (see Article 4 above);
• Unsubscribing, which can be done in every commercial communication;
• Raising an objection to such processing (under the conditions of Article 21 of GDPR).

Regardless of the above, the Controller will stop processing personal data for direct marketing purposes no later than 3 years after the last purchase in the online store (conclusion of the purchase contract). Each subsequent purchase extends the processing period by another 3 years.

If no purchase is made in the online store, the Controller will stop processing when the customer account is deleted (see Article 10.2 below).

A recipient of personal data is anyone to whom the Controller provides personal data.

The Controller will provide personal data primarily to the following recipients: entities providing accounting or tax services, postal or courier services, newsletter distribution services, legal services, IT services, payment gateway operators, payment systems, domain administrators, technical support providers, etc. These recipients will process personal data either as independent controllers (i.e., entities that determine the purposes and means of processing personal data independently of the Controller) or as processors (i.e., entities that process personal data for the Controller based on its instructions).

Additionally, the Controller will provide personal data to public authorities if required by generally binding legal regulations. These recipients will always process personal data as independent controllers. However, public authorities are not considered recipients in the context of their investigative powers.

The Controller will not transfer personal data to third countries or international organizations within the meaning of Articles 44 et seq. of GDPR.

Personal data will be processed only for the duration necessary for the purposes of their processing. The expiration of one of the legal bases for processing personal data does not affect the processing of personal data (to the necessary extent) based on another legal basis.

Fulfillment of the purchase contract

For this purpose, the Controller will process personal data for up to 30 days after the termination of the last obligation arising from the purchase contract. This does not affect the Controller's ability to continue processing personal data on the basis of other legal grounds and for the purposes stated in these principles.

Fulfillment of legal obligations by the Controller

For this purpose, the Controller will process personal data for the duration of the relevant legal obligation imposed on the Controller by generally binding legal regulations.

Every data subject has, among other things, the following rights:

• The right to request access to their personal data (under the conditions of Article 15 of GDPR);
• The right to rectification or erasure of personal data (under the conditions of Articles 16 or 17 of GDPR);
• The right to restriction of personal data processing (under the conditions of Article 18 of GDPR);
• The right to object to processing (under the conditions of Article 21 of GDPR);
• The right to data portability (under the conditions of Article 20 of GDPR);
• The right to withdraw consent to the processing of personal data (see Article 4 above).

Every data subject who believes that the Controller is processing their personal data in a way that contradicts the protection of the privacy and personal life of the data subject or relevant legal regulations, especially if the personal data is inaccurate with respect to the purpose of its processing, may:

a) Request an explanation from the Controller (contact details in Article 2 above), or
b) Request the Controller to remedy the situation, particularly by correcting, supplementing, or deleting the personal data (contact details in Article 2 above).

If the data subject believes that their right to the protection of personal data has been violated, they also have the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection, located at Pplk. Sochora 27, Holešovice, 170 00 Prague 7.

Setting up a customer account

Setting up a customer account is entirely voluntary, as the Controller allows purchases in the online store to be made without creating a customer account (i.e., without registration).

To store the personal data entered into the customer account setup form (or entered into the customer account at any time later), the Controller needs consent.

Until the potential customer concludes a purchase contract with the Controller (i.e., becomes a customer), and subsequently after fulfilling all obligations from the concluded purchase contract, the Controller will not use the personal data for any purposes other than maintaining the customer account. However, this does not affect the Controller's ability to process personal data based on other legal grounds, particularly the consent given for the purpose of direct marketing (sending commercial communications).

Deleting a customer account

The customer account can be deleted at any time through the customer account or by submitting a request to delete the customer account to one of the contact addresses listed in Article 2 above.

Regardless of the above, the Controller may delete the customer account after 3 years from the customer's last purchase in the online store, as well as the Controller may delete the customer account if the customer violates their obligations under the purchase contract.

If no purchase is ever made in the online store, the Controller may delete the customer account 3 years after its creation.

More information about cookies and other technical data processed during visits to the online store's website is provided in a separate Cookies document.

Personal data means any information relating to an identified or identifiable natural person (i.e., the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, date of birth, residence, email, phone number, identification number, location data, network identifier, or one or more specific elements of physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing of personal data means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Customer means a natural person who has entered into a purchase contract with the Controller through the online store, i.e., a person who has a so-called customer relationship with the Controller.

Potential customer means a natural person who has not yet entered into a purchase contract with the Controller through the online store, i.e., a person who does not have a so-called customer relationship with the Controller.

The Controller is required to implement technical and organizational measures to prevent unauthorized or accidental access to personal data, alteration, destruction, loss, unauthorized transmission, or any other unauthorized processing or misuse. This obligation continues even after the personal data processing has ceased.

For any questions regarding personal data processing, the Controller can be contacted using any of the contact addresses listed in Article 2 above of these principles.

General information about personal data processing can also be found on the website of the Office for Personal Data Protection, available at www.uoou.cz.

These principles come into effect on 19th September 2024.