Information on processing customers' personal data

pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing the Directive 95/46 / EC.

This document sets out the principles and procedures for the processing of personal data and rights, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter referred to as "the Regulation"), and Act No. 480/2004 Coll., on certain services of information society, as amended.

I. Concepts

Personal information: All information about an identified or identifiable customer; identifiable customer is a natural person who can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification number, location data, network identifier or one or more specific physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;

Administrator: U ČÁPA PIVNICE, s.r.o. (hereinafter referred to as the "Administrator"), the entity that determines the purpose and means of the processing of personal data, performs the processing and is responsible for it. The Administrator may authorise a processor to process the personal data unless a special law provides otherwise;

Processor: Any entity which, based on a special law or under authorisation by the Administrator, processes personal data under the Act and the Regulation on the basis of a contract on the processing of personal data;

Data subject (hereinafter referred to as "Customer"): A natural person (including self-employed persons) to whom the personal data relate (e.g., a potential, current or lost customer);

II. The principle of processing personal data

The Administrator processes personal data in the sense of the following principles arising from the Regulation:

• legality, correctness and transparency of the processing;
• purpose limitation - collection only for certain, expressly expressed and legitimate purposes;
• minimization of data - adequacy, relevance and limitation of processing to the extent necessary in relation to the purpose;
• accuracy and timeliness - the Administrator takes all reasonable measures to ensure that personal data which are inaccurate, taking into account the purposes for which they are processed, are deleted or corrected without delay;
• limited storage - personal data are stored in a form that allows data subjects to be identified for no longer than is necessary for the purposes for which the data are processed, provided the appropriate technical and organizational measures required by existing legislation are in place to guarantee the rights and freedoms of the data subject;
• integrity and confidentiality - personal data are processed in a manner that ensures their proper security, including their protection by means of appropriate technical or organizational measures against unauthorized or unlawful processing and against accidental loss, destruction or damage.

III. Customer’s rights

The Customer is entitled to the following information:

• information on processing purposes
• information on processed personal data
• information on processors
• information on the planned time period for which the personal data will be stored, or if it is not possible to determine it, the criteria used to determine that time
• concretisation of the legitimate interest of the Administrator or a third party in case the processing is based on this reason
• information on the source from which the personal data originated

The Customer is entitled to:

1. access, correct, delete or limit the processing of processed personal data;
2. object to such processing;
3. lodge a complaint with the Supervisory Authority;
4. withdraw their consent to the processing of personal data at any time with effect to the future;
5. obtain confirmation from the Administrator if its personal data are processed or not;
6. have the Administrator correct inaccurate personal data relating to it without undue delay. Taking into account the purposes of processing, the data subject has the right to fill in incomplete personal data;
7. have the Administrator delete the data (including the right to be forgotten) of the data subject (s) and the Administrator is obliged to delete the personal data without undue delay, for the exhaustive reasons stated in the Regulation: a) the personal data are not necessary any more for the purposes for which they were collected or otherwise processed; b) the Customer withdraws consent to personal processing and there is no further legal title to processing; (c) the Customer objects to processing and there are no overriding reasons for further processing; (d) the personal data have been processed unlawfully; (e) the personal data must be erased in order to comply with a legal obligation laid down by the EU or national legislation applicable to the Administrator; (f) the personal data have been gathered in connection with the provision of information society services. Details and exceptions to this right are governed by the Regulation;
8. have the Administrator limit the processing in any of the following cases: (a) the data subject denies the accuracy of the personal data, for the time necessary for the Administrator to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject refuses the deletion of personal data and instead requests limitation of its use; (c) the Administrator no longer needs personal data for processing but the data subject requires them to identify, exercise or defend legal claims; (d) the data subject has objected to processing, until it is verified whether the legitimate reasons of the Administrator outweigh the legitimate reasons of the data subject;
9. the portability of personal data, i.e., to obtain the personal data concerning it which it has provided to the Administrator in a structured, commonly used and machine-readable format and to pass these data to another administrator without the Administrator to whom the personal data were provided preventing it, in case that: (a) the processing is based on consent or a contract, the processing is done automatically;
10. object to the processing of personal data at any time. The Administrator does not process personal data any more unless it can prove that there are serious legitimate reasons for the processing that outweigh the interests or rights and freedoms of the data subject or reasons for the determination, exercise or defense of legal claims;
11. not be the subject of any decision based exclusively on automated processing, including profiling, which has legal effects on it or applies to it similarly. Exceptions and details are set out in the Regulation.

IV. Possibilities of exercising the Customer's rights to the Administrator

List of communication channels through which a customer request can be received and responded to:

• e-mailem: info@congusto.cz
• by post to: Con Gusto s.r.o., Údolní 532/76, 602 00 Brno

V. Sources of personal data

The Administrator acquires personal data of its customers especially from the customers themselves as part of the purchase, request for services, sending of the newsletter or reservations on www.pivnice-ucapa.cz.

Additionally, the Administrator obtains personal data on the basis of consent to the processing of personal data.

VI. Scope of processing

The Administrator and its contractual processors, following the relevant legal title and the purpose of processing, process the following personal data or categories of personal data:

1. name, surname, business address, company ID, bank account number
2. electronic contact details: telephone number, mobile phone number, e-mail address
3. other electronic data: IP address, cookies, authentication certificates, social networking and communication platform identifiers (e.g., Skype),

VII. Processing of personal data

The Administrator processes the Customer's personal data for the following legal reasons (titles):

• authorized interest of the Administrator,
• performance of the contract,
• valid consent to the processing of personal data.

1. Administrator's legitimate interest

The personal data will be processed in order to identify the parties and to perform the contract and for the purpose of recording contracts and possible future application and defense of the rights and obligations of the contracting parties. Such processing is permitted by Article 6 (1) (b) and (f) of the Regulation.

The personal data will be processed for the duration of the contractual relationship and further to the necessary extent for a period of 10 years from termination of the contractual relationship, unless it is required by another regulation to retain the contractual documentation for a longer period.

The processing of personal data is carried out by the Administrator, but the personal data can also be processed by these processors:

• Con Gusto s.r.o., Údolní 532/76, 602 00 Brno, Company ID: 04702557,
• the e-mail client provider,
• the relevant banking institution,
• possibly other providers of processing software, services and applications, which are not currently used by the Administrator.

Pursuant to the Regulation, the customer is entitled to:

• ask the Administrator for information about what personal data it is processing,
• request access to these data and update or correct these data, or request limitation of the processing,
• request the deletion of such personal data,
• in case of processing carried out on the basis of a legitimate interest, the Administrator may object to such processing,
• the portability of data and the right to request a copy of the processed personal data,
• file a complaint with the Office for Personal Data Protection and exercise the right to effective judicial protection if it assumes that its rights under the Regulation have been breached as a result of the processing of its personal data in contrast to the Regulation.

2. Performance of the contract

The Administrator processes the personal data of the data subjects for the purposes of the concluded Purchase Contract with the Customer. Usually, these are: name, surname, e-mail address, phone number.

The processing time is defined by the duration of the Customer's contractual relationship with the Administrator.

3. Valid consent to the processing of personal data

In case the Administrator processes the Customer's personal data for other purposes that cannot be subordinated to the legitimate interest or performance of the contract, it can only do so on the basis of valid consent to the processing of personal data by the Customer, which is an expression of the free will of the Customer and creates a specific title for such personal data handling.

The Customer grants their consent to the processing of personal data – processing of the e-mail address - by completing the form on www.pivnice-ucapa.cz.

The e-mail address will be processed for the purpose of its inclusion in the business messaging database.

The personal data will be processed for 3 years from the date of granting consent if you do not prolong this period.

You can withdraw your consent at any time, for example, by sending a letter, an e-mail or by clicking on the link in the business message. Withdrawal of consent will result in the suspension of commercial communications.

The processing of personal data is carried out by the Administrator, but the personal data can also be processed by these processors:

• Con Gusto s.r.o., Údolní 532/76, 602 00 Brno, Company ID: 04702557,
• the e-mail client provider,
• possibly other providers of processing software, services and applications, which are not currently used by the Administrator.

Pursuant to the Regulation, the Customer is entitled to:

• ask the Administrator for information about what personal data it is processing,
• request access to these data and update or correct these data, or request limitation of the processing,
• request the deletion of such personal data,
• in case of processing carried out on the basis of a legitimate interest, the Administrator may object to such processing,
• the portability of data and the right to request a copy of the processed personal data,
• file a complaint with the Office for Personal Data Protection and exercise the right to effective judicial protection if it assumes that its rights under the Regulation have been breached as a result of the processing of its personal data in contrast to the Regulation.

VIII. Processing method

Personal data are processed automatically and manually and may be made available to the Administrator’s employees if this is necessary for the fulfillment of their job responsibilities, to the processors with whom the Administrator has a contract on personal data processing and, if applicable, to another person in accordance with the Act and the Regulation.

IX. Personal data processors

The processing of personal data may be done by the processors for the Administrator solely on the basis of a contract on the processing of personal data, i.e., with guarantees of the organizational and technical security of these data and with the definition of the purpose of the processing, and the processors must not use the data for other purposes.

X. Data Protection

The Administrator works with the Customer’s data in other processing systems and their protection is secured by unique user names and passwords. User names and passwords are stored on a personal computer of the Administrator access to which requires a username and password.

The processing of personal data may be done by the processors for the Administrator solely on the basis of a contract on the processing of personal data, with guarantees of the organizational and technical security of these data and with the definition of the purpose of the processing, and the processors must not use the data for other purposes.

XI. Termination of handling

The Administrator terminates the handling of Customer data after termination of the contractual relationship, after expiry of the period specified in the consent to the processing of personal data or after forfeiture of the legitimate reasons for the archiving of personal data.

XII. Security breaches

In the event of a breach of security of data handling or data leakage, the Administrator shall promptly inform the Customer and the Office for Personal Data Protection within 24 hours.