Personal Data Protection
1. General conditions
This GDPR describes how the Company collects, processes and shares the information of users (hereinafter referred to as "User") of the website: carlachocolate.com
The Company may use the other processors listed below for the processing of personal data.
2. What data will be processed
The company processes data collected during the use of the website and cookies. In order to better target advertising campaigns and improve the website, the Company uses information about the pages viewed by the user, the links clicked on and other activities on the website, such as filling in orders and contact forms. This data is collected automatically with the help of the Company's tools and data processors listed below. If you have cookies enabled on your device, this data is also collected with these files.
The company primarily processes the data you provide when creating and using a user account, creating an order or registering for a loyalty program, and when subscribing to the newsletter. Some personal data is necessary for registration (name and email address) and serves for basic user identification or customer account registration. The data that the Company processes when registering for the newsletter or creating a user account may be as follows:
- Name and surname or company name
- Phone number
- Delivery address
- Company identification data
- Payment details
- Server, email and web access details
- Any other data necessary for the performance of the contractual relationship
The Company does not knowingly collect information from children under 15, and children under 15 cannot use its services. If you become aware that a child has provided us with personal information violating this GDPR, you may notify us at email@example.com.
3. For what purposes will the personal data be used
The company always processes personal data solely for the purposes for which it was collected, based on a legitimate interest, legal obligation or consent. We process personal data for various purposes, in particular:
- performance and implementation of concluded contracts and orders,
- fulfillment of statutory bookkeeping and tax obligations, as required by other applicable laws and regulations or as required by any legal process or governmental agency.
- communicating with customers, including sending information about current services and products, updating terms and conditions, and for marketing and promotional purposes,
- responding to inquiries from website users,
- replying to a specific job offer,
- analyzing website traffic to improve the services and offerings,
- marketing outreach through electronic contact,
- transaction processing and fraud detection,
- Push notifications. If you have this feature enabled, the Company may send so-called push notifications directly in the website interface. These notifications are displayed based on your consent given after the respective information is displayed in the website interface.
4. Processors who have access to the data
Personal data is processed primarily by the Company and its employees, who are bound by confidentiality, as well as by the Company's suppliers insofar as it is processed in connection with the performance and execution of concluded contracts and orders (e.g., transport companies).
The Company may also use a so-called processor to process personal data. These entities may only process personal data for the purposes and in the manner specified by the Company and may not disseminate it without further consent. We only pass on to processors the data that they necessarily need to provide their services.
The Company may transfer personal data to other entities (processors) in justified cases.
Personal data may be transferred to the following processors:
- processors who process personal data according to the Company's instructions in the area of public relations, electronic data management or accounting,
- public authorities and other entities where required by applicable law;
- other entities in the event of an unexpected event in which the provision of data is necessary to protect life, health, property or other public interest or where it is necessary to protect our rights, property or safety.
5. The period for which the personal data will be retained
Personal data for the purposes referred to in point 3 are processed to the extent necessary for fulfilling these purposes and for the period needed to achieve them or for the period directly provided for by law. After that, the personal data shall be erased or anonymized.
After this period, personal data may be retained only for the National Statistical Service's purposes, for scientific and archiving purposes.
The basic time limits for processing personal data are available below.
- The Company processes the personal data of registered customers until their registration is canceled. Customer contact details are processed for the duration of the business relationship or until the customer updates the details.
- In the case of service customers, the Company is entitled to process their basic personal, identification, contact, service and communication data with the Company for 10 years from the date of termination of the last contract.
- In the case of purchase of goods from the Company, the Company is entitled to process the customer's basic personal, identification, contact, goods and communication data for a period of 5 years from the date of expiry of the warranty period for the goods.
- Invoices issued by the Company are archived for 10 years from the date of issue in accordance with Section 35 of Act No. 235/2004 Coll., on Value Added Tax. Contracts are also archived for 10 years from the date of termination of the contract due to the need to prove the legal reason for issuing the invoices.
- The data collected for marketing purposes are processed for the entire duration of the consent, i.e., also for as long as the user allows storage within the cookie settings on the website or in his browser. The processing may also continue after the withdrawal of consent, at the latest, until the respective type of cookie expires.
- Sales and marketing communications via electronic contact are sent until the consent is withdrawn or until the user unsubscribes.
6. Withdrawal of consent
Customers may unsubscribe from any marketing and commercial communications at any time by:
- by clicking on the relevant link in the footer of each commercial communication;
- on the designated website;
- by sending a request to the contact provided
The user can disable the targeting of advertising (cookies) by changing it directly in his browser. If you disable the storage of selected Cookies, some parts of the website may not work properly.
7. Methods of processing and storage of personal data
Personal data will be processed and stored:
- machine (automated) through computer hardware and software,
- in written form.
8. Rights of the data subject
The data subject will have the following rights if he or she is an identifiable natural or legal person and proves his or her identity:
Right to access personal data
According to Article 15 of the GDPR, the data subject has the right of access to personal data, which includes the right to obtain from the Company:
- Confirmation as to whether it processes his/her personal data,
- information about the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the intended duration of the processing, and the existence of the right to request the controller to rectify or erase personal data relating to the data subject or to restrict or object to the processing, the right to complain with a supervisory authority, any available information about the source of the personal data if not obtained from the data subject, the fact that automated decision-making, including profiling, takes place, appropriate safeguards in the event of a transfer of data outside the EU,
- if the rights and freedoms of others will not be adversely affected, a copy of the personal data.
If a repeated request occurs, the Company will be entitled to charge a reasonable fee for a copy of the personal data.
Right to correct inaccurate data
According to Article 16 of the GDPR, you have the right to correct inaccurate personal data that the Company processes. You also have an obligation to notify changes to your personal data and to provide evidence that such changes have occurred. You are also obliged to cooperate with the Company if it is found that the personal data it processes about you is not accurate. We will make the correction without undue delay but always taking into account the technical possibilities.
Right to delete data
According to Article 17 of the GDPR, you have the right to delete personal data concerning you unless the Company demonstrates legitimate grounds for processing such personal data. The Company has set up mechanisms to ensure the automatic anonymization or deletion of personal data if they are no longer needed for the purpose they were processed.
Right of restriction of processing
According to Article 18 of the GDPR, the data subject has the right to restrict processing until the complaint is resolved if he or she contests the accuracy of the personal data, the grounds for processing or objects to the processing in writing to the Company's registered office.
Right to notification of rectification, deletion or restriction of processing
According to Article 19 of the GDPR, the data subject has the right to be notified by the Company in case of rectification, deletion or restriction of processing of personal data. If personal data are rectified or deleted, the Company will inform the individual recipients, except where this proves impossible or requires disproportionate effort.
Right to portability of personal data
According to Article 20 of the GDPR, you have the right to the portability of data relating to you that you have provided to us as a controller in a structured, commonly used and machine-readable format. You also have the right to ask us to transfer this data to another controller.
If the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.
Right to object to the processing of personal data
According to Article 21 GDPR, you have the right to object to the processing of your personal data by the Company. If the Company does not demonstrate that there is a compelling legitimate reason for the processing which overrides the interests or rights and freedoms of the data subject, the Company will terminate the processing without undue delay on the basis of the objection.
Right to withdraw consent to the processing of personal data
If you have given the Company your consent to the processing of personal data, you may withdraw it at any time. The revocation must be made by an explicit, intelligible and specific expression of will, either in writing to the Company's registered office or by emailing firstname.lastname@example.org.
Automated individual decision-making, including profiling
The data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which would have legal effects concerning him or her or similarly significantly affect him or her. The Company states that it does not carry out automated decision-making without the influence of human judgment having legal effects on data subjects.
Right to contact the Data Protection Authority
You have the right to lodge a complaint regarding our processing of your personal data with the Office for Personal Data Protection, Pplk. Sochor 27, 170 00 Prague 7.
The Company is committed to protecting personal data and other information about its customers and users of its services. To do this, it uses a range of security technologies and measures designed to protect information from unauthorized access, use or disclosure. The measures it uses are designed to provide a level of security appropriate to the risk of misuse of personal information. The Company's security of personal information is regularly tested, and protection is continually improved. However, please keep in mind that the Internet cannot be guaranteed to be 100% secure.
All personal data in electronic form is stored in databases and systems that can only be accessed by those who have an immediate need to handle the personal data for the purposes set out in this policy and only to the extent necessary.
The controller of your personal data is Carla spol. s.r.o., Krkonošská 2850, Dvůr Králové nad Labem, 544 01, Czech Republic (referred to as the "Company").