Privacy Policy
_____________________________________
Saunama & SPA s.r.o., with its registered office at K Vodárně 1532, 735 53 Dolní Lutyně, Company ID No.: 14304091, a company registered in the Commercial Register maintained by the Regional Court in Ostrava under file No. C 88477, as the personal data controller (hereinafter referred to as the “Controller”), informs you, as its customers, users of the website www.fit-reb.cz, and as data subjects (hereinafter referred to as the “Data Subject”), about the collection of personal data described below and the privacy protection principles.
- INTRODUCTION
- These principles are prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), and in accordance with Act No. 110/2019 Coll., on the Processing of Personal Data.
- Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Other terms such as “special categories of personal data”, “data subject”, “processing of personal data”, “controller”, “processor”, “high-risk processing”, “automated individual decision-making incl. profiling”, and “appropriate technical and organisational measures” have the meaning and must be interpreted in accordance with and in the context of the GDPR.
- WHAT PERSONAL DATA THE CONTROLLER PROCESSES
- The Controller processes the following data about the Data Subject:
- address and identification data: name and surname, address, e-mail, telephone
- billing and payment data: optionally Company ID, VAT ID, registered office address
- data on purchased goods and services, data on the use of services, data on communication with the Controller
- As part of improving service quality, personalising offers, collecting anonymous data, and for analytical purposes, the Controller uses so-called cookies on its website. The rules for the use of cookies are set out in Article 6 below.
- Personal data may be stored for a longer period than specified in the table below if they are processed solely for the purposes of archiving in the public interest, for scientific or historical research purposes, or for statistical purposes.
- PURPOSE AND LEGAL BASIS OF PROCESSING – PROCESSING PERIOD
| Processed personal data | Purpose of processing | Legal basis for processing | Processing period |
| --- | --- | --- | --- |
| Address and identification data | handling enquiries and communication regarding the conclusion and performance of a contract, sending commercial communications after the conclusion of a contract | measures taken prior to the conclusion of a contract (pre-contractual negotiations), performance of a contract, legitimate interest | for the period strictly necessary for pre-contractual negotiations and subsequently for contract performance; for commercial communications for 1 year after its termination |
| Payment and billing data | handling enquiries and contract performance, bookkeeping | performance of a contract, fulfilment of legal obligations | for 10 years from the date of the last payment |
| Data on purchased goods and services, their use, data on communication | performance of a contract, customer care | performance of a contract, legitimate interest | for the duration of the contract and for 1 year after its termination |
| All personal data | creation and management of a user account and performance of a contract | performance of a contract, legitimate interest | for the duration of the contract and for 3 years from the last login to the account |
| Name and e-mail provided outside contractual performance solely for newsletter subscribers | regular sending of commercial communications containing offers, information and updates in accordance with Act No. 480/2004 Coll. | consent given | until consent is withdrawn or until unsubscribed |
| Address and identification data, data on purchased goods and services | sending customer satisfaction surveys | legitimate interest | for 60 days from the conclusion of the contract |
| Address and identification data | handling messages sent via the website or e-mail | measures taken prior to the conclusion of a contract (pre-contractual negotiations), performance of a contract | for the period strictly necessary to handle the communication |
| Address and identification data | publication of comments on the website | consent given | until withdrawal or for 5 years from submission of the comment |
- Newsletter subscription: If you have chosen to subscribe to the newsletter, you give the Controller consent to use your e-mail address for the purpose of sending commercial and marketing communications related to the offered products or services. Your e-mail address will be processed in accordance with personal data protection regulations and in compliance with these principles. You may withdraw your consent at any time by sending an e-mail to info@fit-reb.cz, by sending a notice to the Controller’s registered office address, or by clicking the unsubscribe link in every commercial communication sent.
- Heureka.cz customer satisfaction survey: We assess the Data Subject’s satisfaction with the purchase through e-mail questionnaires within the “Verified by Customers” programme, in which our e-shop participates. We send these questionnaires to the Data Subject every time they make a purchase, unless they refuse their sending in accordance with Section 7(3) of Act No. 480/2004 Coll., on Certain Information Society Services. We process personal data for the purpose of sending questionnaires within the “Verified by Customers” programme on the basis of our legitimate interest, which lies in determining satisfaction with purchases made from us. For sending questionnaires, evaluating the Data Subject’s feedback, and analysing our market position, we use a processor — the operator of the Heureka.cz portal, Heureka Shopping s.r.o., with its registered office at Karolinská 650/1, 186 00 Praha 8, Company ID No. 24725382; we may provide it with information on purchased goods and the Data Subject’s e-mail address for these purposes. Personal data are not transferred to any third party for its own purposes when sending e-mail questionnaires. The Data Subject may refuse the sending of e-mail questionnaires within the “Verified by Customers” programme at any time using the link provided in the e-mail containing the questionnaire.
- PRINCIPLES OF PERSONAL DATA PROCESSING
- The Controller processes personal data fairly, lawfully and transparently. These Principles inform the Data Subject about the scope, content and manner in which the Controller processes personal data.
- The personal data processed by the Controller are, in relation to the contractual relationship, adequate, relevant and limited to what is necessary for fulfilling the specified purpose.
- The Controller needs the Data Subject’s personal data to be accurate and up to date. If any of the provided data become outdated, the Data Subject is obliged to inform the Controller of the correct data.
- The Controller processes personal data in a manner that ensures their proper security, including protection through appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- RECIPIENTS OF PERSONAL DATA AND INTENT TO TRANSFER INFORMATION
- The Controller may also transfer the Data Subject’s personal data to a third party as a recipient. The Controller does so only in justified cases. Personal data may be transferred to the following recipients:
- processors who process the Data Subject’s personal data according to the Controller’s instructions and whose relationships with the Controller are governed in accordance with Article 28 of the GDPR; for example, providers of software used by the Controller to improve the security and operation of its services; these will have access only to the extent necessary and for the purpose of administration and technical support of the used software;
- public authorities and other entities if required by applicable legal regulations;
- other entities in the event of an unexpected situation in which the provision of data is necessary to protect life, health, property or another public interest, or if it is necessary to protect the rights, property or safety of the Controller.
- The Controller does not intend to transfer personal data to a third country or an international organisation.
- PRINCIPLES OF COOKIE USE
- Cookies
Cookies are small files stored on the Data Subject’s device that help the Controller collect information about the Data Subject’s activities. Cookies allow the Controller in particular to store settings and preferences, provide targeted content and marketing communication, and analyse the functioning of the website. Cookies may originate from the Controller (“first-party cookies”) or from third parties whose services the Controller uses (“third-party cookies”). Most browsers accept cookies automatically by default. Nevertheless, the Data Subject has the option to set their browser to display cookies before they are stored or to categorically refuse them.
Details on cookie settings and related changes in the most common browsers are available here:
- Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
- Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-deletemanage-cookies
- Microsoft Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
- Opera: http://www.opera.com/help/tutorials/security/privacy/
- Safari: https://support.apple.com/kb/PH19214?viewlocale=en_US
The Controller notes that changes to settings always apply only to the given browser. If the Data Subject uses multiple browsers, it is necessary to change the settings in each of them individually. Cookies can also be deleted from storage at any time. Further information is available in the functions of the browser or operating system.
IP address
An IP address is a unique number assigned to a computer or another device communicating via the Internet Protocol.
Analytical scripts
Analytical scripts are small pieces of computer code that can be used to track users and their behaviour on websites. This may involve basic tracking of whether a user has visited the site, or more advanced tracking such as adding a product to the cart, selecting a product, submitting a form, etc. Analytical scripts may provide the collected data to a third party — the provider of the script.
Use of social plugins
The Controller’s website may offer the option to use social network plugins. However, data are not transferred through a social plugin automatically, but only when the social plugin is activated — by clicking the respective button. The content and scope of data sent as a result of activating the social plugin are determined solely by the operator of the respective social network. This operator is also responsible for the protection of personal data received through the social plugin.
- Types of cookies
Technical or functional cookies
Some cookies ensure that certain parts of the website function properly and that the Data Subject’s user preferences remain known. By placing functional cookies, the Controller facilitates the visit to the website. In this way, the Data Subject does not need to repeatedly enter the same information when visiting the website. These cookies may be placed without the Data Subject’s consent.
Analytical cookies
The Controller uses analytical cookies to optimise the website for users. Through these analytical cookies, the Controller obtains information about the use of the website. The storage of these cookies is based on the Data Subject’s consent.
Marketing/Tracking cookies
Marketing/tracking cookies are cookies or any other form of local storage used to create user profiles to display advertising or to track a user on the website for similar marketing purposes. The storage of these cookies is based on the Data Subject’s consent.
- Placement of cookies
To increase user-friendliness and for analytics, the Joint Controllers use so-called cookies for the operation of the website — text files that are stored on the visitor’s computer when visiting the website. On the website, you have the option to choose individual settings and thereby allow or disable the storage of cookies. A website visitor may disable the storage of cookies in the browser settings.
- Management of consent settings and the option to delete cookies
Using an internet browser, it is possible to delete cookies automatically or manually. It is also possible to specify that certain cookies may not be placed. Another option is to change the browser settings so that a notification appears each time a cookie is stored. More information about these options can be found in the help section of the internet browser.
The Controller warns that the website may not function properly if all cookies are disabled. If the Data Subject deletes cookies in their browser, they will be placed again after consent is granted when the Data Subject visits the Controller’s website again.
- RIGHTS OF THE DATA SUBJECT
- The rights of the Data Subject are an important element of personal data protection. If the Data Subject exercises any of the rights listed below, the Controller shall provide information on the measures taken without undue delay and in any case within one month of receiving the Data Subject’s request. In exceptional cases, the Controller may extend this period by up to two months. The Controller shall inform the Data Subject of any such extension and the reasons for it.
- Personal data are processed automatically in electronic form.
- The Data Subject has the right to:
- be informed about the processing of personal data
Information about the processing of personal data is provided by the Controller in particular through these privacy principles.
- access their personal data
If the Data Subject requests it, they will receive information (confirmation) from the Controller as to whether or not their personal data are being processed. If they are being processed, the Data Subject has the right to obtain the following information: the purposes of processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed; the planned period for which the personal data will be stored; the existence of the right to request from the Controller the rectification or erasure of personal data; the right to object; the right to lodge a complaint with a supervisory authority; any available information on the source of the personal data if not obtained from the Data Subject; the fact that automated decision-making, including profiling, is taking place. Most of this information can be found in these privacy principles, but the Data Subject may also inquire about the above if they wish.
- rectification or completion
If the Data Subject knows or believes that the Controller is processing inaccurate personal data, they may notify the Controller, who is obliged to correct such data. If the Data Subject wishes to complete any incomplete personal data with regard to the purpose of processing, they may notify the Controller, who is obliged to complete the data.
- erasure
This right obliges the Controller to delete personal data in accordance with Article 17(1) GDPR if at least one of the following conditions is met:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws consent and there is no other legal ground for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been processed unlawfully;
- the personal data must be erased to comply with a legal obligation;
- the personal data were collected in connection with the offer of information society services pursuant to Article 8(1) GDPR;
and, at the same time, none of the exceptions listed in Article 17(3) GDPR applies.
- restriction of processing
Under this right, the Data Subject may request the Controller to restrict the processing of personal data. If the conditions under Article 18(1) GDPR are met, the Controller must do so.
- data portability
The Data Subject has the right to obtain, in particular to download, their personal data from the Controller in a structured, commonly used and machine-readable format, and also has the right to have the personal data transmitted directly to another controller.
- object to processing
In certain cases, the Data Subject may object to processing. This applies in particular where the Data Subject had no possibility to influence the fact that their data are being processed, and where the processing is not carried out for the performance of a legal obligation or to protect a vital interest, in which cases that lack of influence would be justifiable. The Data Subject may raise three types of objections to processing. These are objections to:
- processing based on the legal ground of legitimate interest and the performance of a task carried out in the public interest or in the exercise of official authority;
- processing for direct marketing purposes based on the legal ground of legitimate interest;
- processing for scientific or historical research purposes or for statistical purposes.
If an objection is raised, the Controller will no longer process the data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims. If an objection is raised against the processing of personal data for direct marketing purposes or profiling, the Controller must stop processing the personal data.
- not be subject to automated individual decision-making, including profiling
When processing the Data Subject’s personal data, automated individual decision-making, including profiling, never takes place.
- withdraw consent to the processing of personal data, if the processing is based on consent
The Data Subject may withdraw their consent to the processing of their personal data at any time, where such data are processed by the Controller on the basis of this consent.
- obtain information about a breach of the security of their personal data
If it is likely that a high risk to the rights and freedoms of the Data Subject may arise as a result of a security breach by the Controller, the Controller shall inform the Data Subject without undue delay.
- lodge a complaint with a supervisory authority
If the Data Subject believes that the Controller is violating its obligations in processing their personal data, the Data Subject has the right to lodge a complaint with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7; e-mail: posta@uoou.cz; website: https://www.uoou.cz; tel.: +420 234 665 111.
- CHANGES TO THE PRINCIPLES
- The Privacy Policy may change over time. All changes to the Privacy Policy will be published by the Controller on its website. If the changes are significant, the Controller may inform the Data Subject by e-mail.
- OUR CONTACT DETAILS
- If the Data Subject wishes to contact the Controller in connection with the processing of their personal data, they may use the following contacts:
- in writing at the registered office address: K Vodárně 1532, 735 53 Dolní Lutyně
- by e-mail at: info@fit-reb.cz
THIS PRIVACY POLICY ENTERS INTO FORCE AND EFFECT ON 1 OCTOBER 2023