I. Basic provisions
1. The personal data controller pursuant to Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“the GDPR”) is
Miracle CBD s.r.o.
registration number: 09462597, registered office: Vajgar 566, Jindřichův Hradec 377 01 (“the controller”).
2. Controller’s contact details
Address: Vajgar 566, 377 01 Jindřichův Hradec
Telephone: +420 602 654 703
3. “Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
II. Sources and categories of the personal data processed
1. The controller processes personal data provided to or obtained by it in the handling of your order.
2. The controller processes your identifying and contact data and the data necessary for contractual performance.
III. Statutory reasons for and purposes of personal data processing
1. Statutory reasons for processing personal data are:
- the performance of a contract between you and the controller in accordance with Article 6(1)(b) of the GDPR;
- a legitimate interest of the controller in providing direct marketing (especially the dispatch of commercial communications and newsletters) in accordance with Article 6(1)(f) of the GDPR;
- your consent to processing for purposes of direct marketing (especially the dispatch of commercial communications and newsletters) in accordance with Article 6(1)(a) of the GDPR, in conjunction with Section 7(2) of Act No 480/2004 on certain information society services, in those cases where goods or services have not been ordered.
2. Purposes of personal data processing are:
- the handling of your order; the exercise of rights and discharge of obligations deriving from the contractual relationship between you and the controller; an order requires personal data necessary for the successful execution of the order (name and address, contact details); the provision of personal data is a necessary requirement for the conclusion and performance of a contract; if personal data are not provided, a contract cannot be concluded or performed by the controller;
- the dispatch of commercial communications and the performance of other marketing activities.
3. The controller does not engage in automated individual decision-making as defined by Article 22 of the GDPR. You have given your explicit consent to such processing.
IV. Data retention period
1. The controller retains personal data as follows:
- for the period necessary to exercise rights and comply with obligations deriving from the contractual relationship between you and the controller and to file any claims arising from such contractual relations (for a period of 15 years from the end of the contractual relationship);
- for the period until the withdrawal of consent to the processing of personal data for marketing purposes, but for no longer than seven years, if personal data are processed on the basis of consent.
2. When the personal data retention period expires, the personal data controller will erase the data.
V. Recipients of personal data (the controller’s subcontractors)
1. Recipients of personal data are entities:
- contractually contributing to the delivery of goods or services or to the making of payments;
- providing services comprising the operation of a e-shop (Shoptet) and other services related thereto;
- providing marketing services.
2. The controller does not intend to transfer personal data to third countries (countries outside the EU) or international organisations. Personal data recipients in third countries are mailing/cloud service providers.
VI. Your rights
1. Under the terms and conditions laid down in the GDPR, you have the right:
- of access to your personal data in accordance with Article 15 of the GDPR;
- to rectification of your personal data in accordance with Article 16 of the GDPR and to the restriction of processing in accordance with Article 18 of the GDPR;
- to erasure of your personal data in accordance with Article 17 of the GDPR;
- to object to processing in accordance with Article 21 of the GDPR;
- to data portability in accordance with Article 20 of the GDPR; and
- to withdraw consent to processing in writing or electronically via the controller’s address or email provided in Article III of these terms and conditions.
2. You also have the right to lodge a complaint with the Office for Personal Data Protection if you believe that your right to the protection of personal data has been infringed.
VII. Terms and conditions applicable to the security of personal data
1. The controller declares that the controller has taken any and all appropriate technical and organisational measures to secure personal data.
2. The controller has taken technical measures to secure data repositories and repositories for personal data recorded on paper, including but not limited to…
3. The controller declares that only controller-authorised persons have access to personal data.
VIII. Final provisions
1. By sending a purchase order via the online order form, you confirm that you are aware of the terms and conditions applicable to the protection of personal data and that you accept them in full.
2. By ticking your consent via the online form, you agree to these terms and conditions. By ticking the consent, you confirm that you are aware of the terms and conditions applicable to the protection of personal data and that you accept them in full.
3. The controller is entitled to amend these terms and conditions. Any new version of terms and conditions applicable to the protection of personal data will be published on the controller’s website. That new version will also be sent to the email address that you have provided to the controller.
These terms and conditions take effect on 1 September 2020