INFORMATION ON THE PROCESSING OF PERSONAL DATA
The company Boxxbike s.r.o., IČO 021 32 800, with its registered office at Kaprova 42/14, Staré Město, 110 00 Prague 1 (hereinafter referred to as the “Company“), as a company focusing on the development of unique, high-performance, light electric mopeds intended for riding in various types terrain, , processes the personal data of its customers, as data subjects, in accordance with applicable legal regulations, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of the directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR Regulation“).
In order to provide complete information regarding the processing of personal data of customers, the Company publishes the following Principles of processing and protection of personal data (hereinafter referred to as the “Policies“):
- I. ADMINISTRATOR OF PERSONAL DATA I.1 Boxxbike s.r.o.
Kaprova 42/14, Staré Město, 110 00 Praha 1
IČO: 021 32 800
Telefon: +420 724 069 905
- II. SCOPE OF PERSONAL DATA PROCESSED AND SOURCE OF THIS DATA
- 2.1 The company, as the administrator of personal data, processes personal data regarding its customers, the extent of which is primarily determined by legal regulations in the field of taxation, data necessary for the proper identification of the customer and data necessary for the performance of the concluded contract, in particular the following data: (i) Identification data: name, surname, date of birth or social security number, residential address, or address for delivery, ID number and VAT number in the case of entrepreneurs, or also the ID number;
- (ii) Contact information: telephone number, e-mail address;
- (iii) Data on our cooperation: in particular, data on the goods you ordered, delivery dates, due dates, payment data, order history, data on complaints and any breach of contractual obligations, data provided as part of our joint communication, if we you contact with any question;
2.2 If you order/purchase goods from us as a representative of a legal entity, we process the same data for the same purpose based on our legitimate interest in concluding and fulfilling a contract with the person you represent.
2.3 We need the data required to conclude the contract from you in order to be able to deliver the ordered goods to you. Without this data, the delivery of the goods would not be possible.
2.4 The source of personal data is primarily you as a customer, or a person authorized by you. We can also obtain personal data from publicly accessible sources, e.g. public registers, especially in the case of entrepreneurs.
- III. PURPOSE OF PROCESSING, LEGAL BASIS AND PERIOD OF PROCESSING
III.1 The company processes personal data provided by customers for the purpose of:
- (i) realization of the purchase and delivery of the goods that you have ordered through the order form on the web interface of the website or in a brick-and-mortar store, or in another way (e.g. by phone or e-mail). If there are any problems, your personal data lets us know who to contact;
- (ii) taking care of you, as our customers, in the event that you contact us with a question or problem, for the purpose of which we must process your data to answer/solve;
- (iii) sending advertising messages (so-called newsletters) with information about news in the Company’s assortment, events and discounts;
- (iv) protection of the Company’s property, by means of camera systems in our brick-and-mortar store and service; III.1 Personal data of customers are processed on the basis of:
Exercise of rights and legal claims and control of public authorities. We therefore also process your personal data for the reason that we need them to exercise our rights and legal claims (e.g. in the event that you have an unpaid claim against us or for the purpose of proving the delivery of the ordered goods). We can also process your personal data for the reason that we need it for the purposes of checks carried out by public authorities and for other similarly serious reasons.
- (i) fulfillment of the Company’s legal obligations set out in particular by the Accounting Act and other legal regulations in the field of taxation or civil law, when documents containing personal data, in particular invoices and other documents from which a legal reason for issuing an invoice is derived, are kept, for a period resulting from a specific legal regulation;
- (ii) the fulfillment of the Company’s contractual obligations, in order to realize the purchase of goods, their proper delivery and the fulfillment of obligations related to the sale of goods, for the time necessary to settle the given purchase and purchase-related matters (e.g. complaints). The processing of this personal data is necessary in particular for the actual purchase of the goods, the correct delivery of the ordered goods, handling of any complaints or questions related to the goods. Without the provision and processing of this personal data, it would not be possible to purchase the goods ordered by you;
- (iii) the Company’s legitimate interest, which includes the protection of the Company’s rights and legal claims. The following are processed on this basis:
- a) basic identification data of customers for the purpose of protecting the rights and legal claims of the Company, namely for the duration of the limitation period, which is 3 years, and also 1 year after its expiry with regard to claims made at the end of this limitation period. In the event of the initiation of judicial, administrative or other proceedings, we process your personal data to the extent necessary for the entire duration of such proceedings and the remaining part of the limitation period after its termination;
- b) customer data for direct marketing purposes involving the offer of our goods. The customer always has the option to unsubscribe free of charge, or refuse further sending of these marketing communications, in particular through the link provided in each marketing communication sent;
- c) data on customers entering the Company’s brick-and-mortar store captured using a camera system operated to protect the Company’s property, for a period of 3 days from their acquisition;
- d) data of persons representing a legal entity, as a customer who purchases our goods.
- (iv) the customer’s consent, for the period specified in the consent. With the customer’s consent, the Company processes personal data to the extent and for the purpose resulting from the specific consent granted. The customer gives consent voluntarily and of his own free will. Failure to provide consent does not harm the customer in any way and may not be disadvantaged by the Company. If consent is revoked or it is no longer necessary to process personal data, these are deleted immediately.
- IV. Camera system at a brick-and-mortar store IV.1 The Company’s brick-and-mortar store and service at Hutě pod Třemšínem 49 is monitored by a camera system with recording, so in a given case your appearance, date and time of recording may be captured, based on the legitimate interest of the Company in order to protect its property. Camera recordings are only kept for 3 days, after which they are immediately deleted. Camera recordings are not passed on to any other person, except for public authorities, and serve only to protect the Company’s property and the health of people in these premises.
- V. TRANSFER OF PERSONAL DATA V.1 The Company does not share customers’ personal data with anyone without their consent, unless the law or the Company’s policies allow it. Based on a legal obligation or request, personal data may be transferred to third parties that have the legal authority to require the transfer of the personal data in question.
- V.2 To fulfill its legal obligations, the Company uses other entities – suppliers, who are obliged to process the personal data of customers primarily on the basis of contractual agreements with the Company and who provide sufficient guarantees of personal data protection primarily on the basis of contractual agreements with the Company. Personal data are transferred in the sense of the above:
- (i) external companies providing accounting and tax agenda;
- (ii) an external IT specialist providing comprehensive computer network management;
- (iii) companies providing postal and delivery services;
- (iv) companies providing legal advice;
- (v) the company with which the Company has an insurance contract, in the case of reporting insurance events;
- (vi) to the supplier of the goods or to the service center of the relevant manufacturer in connection with the complaint of the ordered goods; V.3 The company pays attention to the principles of the protection of personal data of customers and carefully ensures and verifies that those to whom it transfers personal data are obliged to comply with all personal data protection rules, in particular not to make them available to other persons, not to misuse them and/or with them otherwise they did not load illegally.
- V.4 The company itself does not transfer personal data to third countries, i.e. to countries outside the EU.
- VI. CUSTOMERS RIGHTS VI.1 In connection with the processing of personal data, customers have the following rights:
- (i) Right to Information
- (ii) Right of Access to Personal Data
- (iii) The right to repair or addition
- (iv) Right to erasure
The customer has the right to be informed about the processing of his personal data concerning him. This information includes the controller’s contact details, the purpose and legal basis of the processing, information about his legitimate interests, about the recipients of personal data, the period of retention of personal data, all the rights of data subjects, the reason for providing personal data, as well as information about the transfer of personal data to third countries outside the European Union union and possibly also, information on whether automated decision-making takes place, including profiling.
The customer also has the right to ask the Company to tell him whether it processes any personal data about him, and if so, what kind. Of course, he can request the communication of specific data or a complete overview of all personal data.
The company will provide the first copy of the requested information completely free of charge.
In the event that the Company processes inaccurate, incorrect or incomplete personal data about the customer, the customer has the right to ask the Company to correct or supplement them.
In order for the Company to be able to ensure the correction or addition, it must verify whether the personal data processed so far is accurate or complete.
The customer can exercise this right with the Company if:
- a) personal data are no longer needed for the purposes for which they were collected or otherwise processed;
- b) revokes his consent on the basis of which personal data were processed and there is no other legal reason for processing;
- c) objects to the processing and there are no overriding legitimate reasons for the processing;
- d) personal data were processed unlawfully;
- e) personal data must be deleted to fulfill a legal obligation. (v) Right to Restriction of Processing
As soon as the Company verifies the fulfillment of all conditions necessary to comply with the request for erasure of personal data, it will delete the customer’s personal data.
This right gives the Customer the possibility to ask the Company to limit the processing of his personal data, in the event that
- a) denies the accuracy of his personal data for the time required for the Company to verify the accuracy of the personal data;
- b) the processing is unlawful and the customer refuses the erasure of personal data and requests instead the restriction of their use;
- c) The company no longer needs the personal data for processing purposes, but the customer requires them for the determination, exercise or defense of legal claims;
- d) if the customer has raised an objection to the processing, until it has been verified whether the legitimate reasons of the Company prevail over the legitimate reasons of the customer. (vi) Right to Data Portability
If the Company restricts processing on the basis of the above, it may process the customer’s personal data, with the exception of their storage, only with his consent, or for the purpose of determining, exercising or defending legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest interest of the European Union or a member state. In such a case, the Company will notify the customer in advance that the processing restriction will be lifted.
Based on this right, the customer can obtain from the Company his personal data, which he has provided to the Company, in a structured, commonly used and machine-readable format, and at the same time transfer this data to another administrator.
At the same time, the customer is entitled to ask the Company to transfer his personal data in a structured, commonly used and machine-readable format directly to another administrator, if this is technically feasible.
The customer has the right to data transfer only if the data is processed:
- a) automated; and at the same time
- b) on the basis of the customer’s consent or on the basis of the fulfillment of contractual obligations. (vii) The right to withdraw consent to the processing of personal data
- (viii) Right to Object
It follows from the above that not all data available to the Company about the customer will therefore be able to be transferred to another administrator using the above procedure.
If the Company processes the customer’s personal data on the basis of consent, the customer is entitled to revoke the consent at any time. Withdrawal of consent to the processing of personal data does not need to be justified in any way. However, revocation of consent does not affect the legality of the processing of personal data that took place after the consent was granted before its revocation.
If there is no other legal reason for processing, the Company will delete the customer’s personal data immediately after withdrawing consent.
The customer is entitled to object to the processing of his personal data for the purposes of the Company’s legitimate interest.
If the Company does not prove serious legitimate reasons for processing that outweigh the interests or rights and freedoms of the customer, or for the
- (ix) Right to file a complaint with a supervisory authority
- VI.2 The customer has all the above-mentioned rights even after the end of the legal relationship with the Company.
- VI.3 The customer can exercise all the above-mentioned rights in the following way:
- VI.4 In order to ensure proper protection of personal data and customer rights and to prevent their misuse by other persons, the Company must verify the customer’s identity.
- VI.5 If it is not possible to identify the customer from the data provided in the application for the exercise of rights, the Company is entitled to ask the customer to complete the data on the basis of which the Company could sufficiently verify the identity of the customer. If it is not possible to identify the customer even after providing additional information, the Company cannot comply with the customer’s request.
- VI.6 The company handles all requests received without undue delay, no later than 1 month after their delivery. If it is not possible to process the customer’s request within this period (mainly due to the complexity of the request), the Company is entitled to extend the period for processing the request by up to two months. The Company will inform the customer of this fact together with the justification for the extension of the deadline, within 1 month of the delivery of the request.
- VI.7 In the event that the Company evaluates that the request does not meet the above-mentioned requirements for its positive processing, it is entitled to reject the request and informs the customer about the reasons for the rejection. In such a case, the customer is entitled to file a complaint with the supervisory authority (for this see above in Article 6, paragraph 6.1, letter (ix) of the Policy) and/or request legal protection from the general courts.
- VI.8 If the Company grants the request, it will take appropriate measures based on this decision and inform the customer about them.
determination, exercise or defense of legal claims, it is obliged to stop processing the customer’s personal data.
Furthermore, the customer is entitled to object to the processing of his personal data for direct marketing purposes at any time with the Company.
If the customer believes that there is and/or has been a violation of legal regulations governing the protection of personal data due to the processing of his personal data, he may file a complaint with the supervisory authority.
In the Czech Republic, the competent supervisory authority is the Office for the Protection of Personal Data, with headquarters in Pplk. Sochora 27, 170 00 Prague 7, website: https://www.uoou.cz/.
- (i) by email to the email address firstname.lastname@example.org
- (ii) in person at the brick-and-mortar store at Hutě pod Třemšínem 49
- (iii) in writing at the address of the Company’s headquarters, i.e. Kaprova 42/14, Staré Město, 110 00 Prague 1.
- VII. PROTECTION OF PERSONAL DATA
- VII.1 The Company’s priority is the protection of customers’ personal data against unauthorized or accidental access to personal data, its change, destruction or loss, unauthorized transmissions, against other unauthorized processing, as well as against other misuse of customers’ personal data.
- VII.2 Upon discovering that the security of personal data has been breached, or upon suspicion that this security has been breached, the Company will assess whether a security breach has actually occurred, evaluate the severity and, according to the severity (no risk, low risk, high risk) of the breach informs customers and the supervisory authority, which is the Office for Personal Data Protection
- VII.3 For this purpose, the company has adopted relevant technical and organizational measures, including internal training of employees on the handling of personal data. The company regularly tests, checks and verifies all personal data security measures for their up-to-dateness, adequacy and adequacy.
- VII.4 The company also conducts random inspections or audits of its suppliers, to whom it has made personal data available to customers in order to determine compliance with personal data protection.
- VII.5 At the same time, all employees of the Company, as well as all its suppliers and their employees, are bound by contract and/or by law to confidentiality about all information and personal data made available to them.
- VIII. USEFUL CONTACTS VIII.1 Boxxbike s.r.o.
- VIII.2 Office for the Protection of Personal Data
Kaprova 42/14, Staré Město, 110 00 Praha 1
IČO: 021 32 800
Phone: +420 724 069 905
Pplk. Sochora 27, 170 00 Praha 7
Phone: +420 234 665 111