Personal Data Protection
Information memorandum concerning personal data processing
Dear Customers and Business Partners,
The document that you are reading contains basic information about how we process your personal data. We appreciate that you share your personal data with you and we stand ready to protect them as much as possible. We also try to be as transparent as possible with respect to you, in particular in terms of how we process your personal data.
In view of the European Union’s new legislation, we have prepared this Information Memorandum in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on free movement of such data and repealing Directive 95/46/EC (GDPR).
In this Memorandum, we would like to provide you with well-arranged information and this is why, we chose the form of questions and our answers. You will be provided information in the following order:
- Who is the personal data controller?
- Who is the data protection officer?
- Why do we need personal data?
- What are our legitimate interests?
- How were personal data obtained?
- Which categories of personal data are processed?
- What is the legal ground for processing personal data?
- Will we transfer personal data to someone else?
- Will we transfer personal data to third countries or international organizations?
- How long will we archive personal data?
- What are your rights concerning personal data processing and how can you exercise these rights?
- Are personal data evaluated by automated means?
This Information Memorandum provides the basic information that we as the personal data controller must provide.
Should you have any question regarding the processing of your personal data, please do not hesitate to contact us at firstname.lastname@example.org. You can also write to our mailing address: VERMONT Holding a.s. Prague 1 - Hradčany, Pohořelec 114/22, zip code: 118 00 IN: 29142857, TIN: CZ 29142857
1. Who is the personal data controller?
The controller is an entity that alone or jointly with others determines how personal data will be processed and for what purpose.
The personal data controller is VERMONT Holding a.s. Prague 1 - Hradčany, Pohořelec 114/22, zip code: 118 00 IN: 29142857 , TIN: CZ 29142857, registered in the Commercial Register kept by the Regional Court in Prague, file no. 18784, Section B. The officer represents the controller.
2. Who is the data protection officer?
The data protection officer is a person who is experienced in the protection of personal data and does everything to make sure that personal data are processed correctly, in particular in compliance with applicable legal regulations. It is also the most competent person to handle questions and requests concerning personal data.
The data protection officer is Mrs. Mgr. Šturmová Dana who can be reached at +420 603 443 755 email@example.com
3. Why do we need personal data?
The controller processes personal data for the following purposes:
- to conclude and perform a contract between the controller and you (Article 6 (1, b) of GDPR). Other legal obligations arise from such a contract, and the controller thus must process personal data for these purposes as well (Article 6 (1, c) of GDPR);
- marketing purposes so that the controller could adjust the offer of, and commercial communications about, its products and services to your needs as much as possible; for these purposes, the controller obtains your explicit consent (Article 6 (1, a) of GDPR);
- protect its legitimate interests (Article 6 (1, f) of GDPR).
The provision of personal data to the controller is a generally legal and contractual requirement. Your consent is required for providing your personal data for marketing purposes, which is not considered the fulfillment of the controller’s contractual and legal obligation. If you do not provide the controller with your consent to processing your personal data for marketing purposes, it does not mean that the controller will refuse to provide you with its products or services based on a contract, but you cannot be a member of the Vermont Club.
4. What are our legitimate interests?
The controller also processes personal data to protect its legitimate interests. The controller’s legitimate interests include in particular the proper fulfillment of all contractual obligations of the controller, the proper fulfillment of all legal obligations of the controller, direct marketing, the protection of the controller’s business and assets, the protection of the environment and sustainable development.
In order to protect your privacy as much as possible, you have the right to request that your personal data be processed strictly for legal reasons or that your personal be blocked. Article 11 of this Information Memorandum provides more information about your rights concerning personal data processing.
5. How were personal data obtained?
The controller obtained your personal data from you, in particular from the registration form that you filled out at www.vermont.eu, from your registration in the store and from social networks and the Internet where you posted your personal data.
6. Which categories of personal data are processed?
The controller processes the following categories of personal data as part of your Vermont Club membership to ensure your satisfaction from a properly fulfilled obligation, to ensure the fulfillment of legal obligations, to personalize the controller’s offer of products and services and for other specified purposes.
- Basic identification details – first and last name, address, zip code, date of birth, country and communication language;
- Contact details – phone number and e-mail address;
- Information about the use of the controller’s products and services – information about which products you ordered from the controller and are using now, including product setting, etc.;
- Information from mutual communication – information from e-mails, phone call recordings or other contact forms;
- Invoice and transaction details – in particular information shown on invoices, information about invoicing terms and received payments;
- geolocation information – information from the Internet browser or mobile applications that you use.
7. What is the legal ground for processing personal?
The lawfulness of processing is laid down in Article 6(1) of GDPR, based on which processing is lawful if necessary for the performance of a contract, for compliance with a legal obligation of the controller and for the protection of legitimate interests of the controller or if personal data are processed based on your consent.
The protection of servers against hacking and the protection of user accounts against unauthorized used by third parties is also your legitimate interest pursuant to Article 6 (1, f) of GDPR.
The lawfulness of processing is also laid down e.g. in Act No. 563/1991 of Coll., on accounting, based on which invoice details are processed and archived, Act No. 89/2012 of Coll., the Civil Code, based on which the controller protects its legitimate interests and Act No. 235/2004 of Coll., on value-added tax.
8. Will we transfer personal data to someone else?
We are required to provide personal data, in the scope stipulated by law, to public administration authorities, e.g. tax administrator, courts, criminal justice authorities and authorities overseeing the capital market.
We provide our services with the help of the following processors, the operation of which is in compliance with the European personal data protection standards, and the processing of personal data by third parties is regulated by their own services provision terms. You consent to transferring your personal data to the following processors for the aforesaid purposes:
- GANT Central Europe s.r.o., Pohořelec 114/22, 118 00 Prague 1, IN: 26212137, TIN: CZ26212137
- VERMONT Selection s.r.o., Pohořelec 114/22, 118 00 Prague 1, IN: 04083482, file no.: C 242266 kept by the Municipal Court in Prague
- VERMONT Slovakia s.r.o., Vlčie Hrdlo 53, 821 07 Bratislava, IN: 48317942, registered in the Commercial Register of the Municipal Court in Bratislava I, Section Sro, Insert no. 106686/B
- VERMONT Hungary Kft., Hungary, Budapest 1023, Margit utca 27, IN: 01-09-683453
- VERMONT Services Slovakia s. r. o., Vlčie Hrdlo 53, 821 07 Bratislava, IN: 48321583, registered in the Commercial Register of the Municipal Court in Bratislava I, Section Sro, Insert no. 106688/B
9. Will we transfer personal data to third countries or international organizations?
We will not transfer personal data to countries outside the European Union or the European Economic Area or to international organizations.
10. How long will we archive personal data?
Personal data will be processed and archived at the least as long as you are a member of the VERMONT Club. Some personal data necessary e.g. for tax and invoicing obligations will be archived longer, usually for five years starting the year following the beginning of archived data.
Personal data that are crucial for the legitimate interests pursued by the controller will be archived for no more than three years after the contract with the controller was terminated.
Personal data processed for marketing purposes will be archived for no more than 15 years after they were obtained.
Personal data will never be archived longer than the maximum time period required by law. Once the archiving time period expires, personal data will be safely and irrecoverably destroyed so that they could not misused.
11. What are your rights concerning personal data processing and how can you exercise these rights?
The controller does everything to make sure that your personal data are processed in a proper and especially secured manner. This article describes your guaranteed rights that can exercise with the controller.
How to exercise your rights?
You can exercise your rights by sending an e-mail to firstname.lastname@example.org or by calling +420 603 443 755. You can also exercise your rights by sending a written request to our mailing address: VERMONT Holding a.s. Prague 1 - Hradčany, Pohořelec 114/22, zip code: 118 00
The controller provides all information and comments concerning your rights free of charge. However, if your request is apparently unjustified or unreasonable, in particular if it is repeated, the controller has the right to charge a reasonable fee for the administrative cost of the provided information that you requested. In the case that you repeatedly request copies of your processed personal data, the controller reserves the right to charge a reasonable fee for administrative costs.
The controller will provide comments and information about adopted measures as soon as possible, however no later than one month after your request. The controller may extend this deadline for two months if necessary and in view of the complexity and number of requests. The controller will inform you about such extension and reasons for such extension.
- Right of information about processing of your personal data
You have the right to obtain from the controller information as to whether or not your personal data are processed. If they are processed, you have the right to obtain from the controller information especially as to the identity and contact details of the controller, its representative or personal data protection officer, the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients of personal data, authorized controllers, your rights, the option to contact the Office for the Protection of Personal Data, the source of processed personal data and automated decision-making and profiling.
In the case that the controller intends to process your personal data for purposes other than those for which your personal data were obtained, it will notify you about such other purposes and provide you with any other relevant information prior to the processing. The information provided to you as part of this right of yours is already contained in this Memorandum, however, this does not prevent you from requesting it again.
- Right of access to personal data
You have the right to obtain from the controller information as to whether or not your personal data are processed and if so, you have the right to access information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the time of archiving your personal data, your rights (the right to ask the controller for rectification or erasure and restriction of processing, the right to object to processing), the right to lodge a complaint with the Office for the Protection of Personal Data, the right to information about the source of personal data, the right to information about potential automated decision-making and profiling and the right to information about the used procedure as well as the importance and expected consequences of such processing for you and the right to information and guarantees in the case that your personal data are transferred to third countries or international organizations. You have the right to obtain a copy of processed personal data. However, the right to obtain this copy may not adversely affect the rights and freedoms of others.
- Right to rectification
In case of change e.g. in your address, phone number or any other fact that is considered personal data, you have the right to ask the controller to rectify your processed personal data. Moreover, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure (right to be forgotten)
In some specified cases, you have the right to obtain from the controller the erasure of your personal data. Such cases include e.g. that the processed data are no longer necessary for the aforesaid purposes. The controller automatically erases personal data after the required archiving time expires, but you can request erasure from the controller at any time. Your request will be subject to individual evaluation (in spite of your right to erasure, the controller may have the obligation or legitimate interest to keep your personal data) and you will be informed in detail about the erasure of your personal data.
- Rights to restriction of processing
The controller processes your personal data only in the scope necessary. However, if you feel that the controller oversteps the aforesaid purposes, for which your personal data are processed, you can request that your personal data be processed strictly for legal reasons or that your personal be blocked. Your request will be subject to individual evaluation and you will be informed in detail about the handling of your request.
- Right to data portability
If you want the controller to provide your personal data to another controller or another company, the controller will transfer your personal data in the relevant format to the subject specified by you, unless there are some legal or other major obstacles.
- Right to object and automated individual decision-making
If you found out or just believe that the controller processes your personal data in violation of the protection of your private and personal life or in violation of legal regulations (provided that the controller processes your personal data based on the public or legitimate interest or for the purposes of direct marketing, including profiling, or for statistical purposes or scientific or historical purposes), you can ask the controller for explanation or for remedy of such defective situation.
You can also object to automated decision-making and profiling.
Right to file a complaint with the Office for the Protection of Personal Data
You can contact a supervisory authority, i.e. the Office for the Protection of Personal Data, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, https://www.uoou.cz/, with any idea or complaint regarding the processing of your personal data at any time.
- Right to withdraw consent
You can withdraw your consent to processing of personal data at any time by writing to the registered office of the controller or by calling our officer Mgr. Šturmová Dana at 603 443 755.
The filled-out contact details are used for the purposes of exercising rights and fulfilling obligations only.
By registering in the VERMONT Club, you consent to including your first and last name, phone number, e-mail, address, zip code, country, communication language and date of birth in the controller’s database. The controller has the right to use this information with your consent only. Neither you nor we consider our emails sent to you unsolicited commercial communications pursuant to Act No. 40/1995, on advertising, and Act No. 480/2004, on certain information society services.
12. Are personal data evaluated by automated means?
Personal data are evaluated by automated means and can be used for profiling or automated decision-making for the marketing activities of the controller. The controller uses the following methods:
As a result of these activities of the controller, your behavior on the website will be mapped and evaluated, which represents a certain infringement on your right to privacy. However, this evaluation also makes it possible to send you only those product and service offers that may interest you based on the evaluation results.