Protection of personal data

Information and Consent for Personal Data Processing

1. Introductory Provisions
   1. The company BONESSI s.r.o., based in Prague, U Nesypky 1261/10, 150 00 Prague 5 - Smíchov, ID No.: 194 03 135, registered with the Municipal Court in Prague under file number C 386026 (hereinafter referred to as the "Controller"), acts as a controller in the processing of personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data).
      
      
2. Purchase without Registration (without Creating a Client Account)
   1. To fulfill the purchase contract concluded between the customer and the Controller, particularly for the delivery of goods from the e-shop available at www.spa-ceylon.cz/en, the Controller requires some personal data from the customer. These data are displayed on the third page of the order form under "Delivery Details" (primarily including the customer's name, surname, and delivery address). For sales purposes, the Controller needs the customer's email address to send order confirmation and a phone number for the delivery service. Without this data, the Controller would not be able to deliver the goods ordered by the customer.
      
      
3. Sending Commercial Communications (Newsletters)
   1. If the customer has given consent to receive commercial communications (newsletters) and subsequently confirmed this consent via a follow-up email (the so-called
      double opt-in principle), BONESSI s.r.o., based in Prague, U Nesypky 1261/10, 150 00 Prague 5 - Smíchov, ID No.: 194 03 135, registered with the Municipal Court in Prague under file number C 386026, will send targeted offers of its goods via email, based on an analysis of the customer’s previous shopping behavior (profiling the offer). Consent can be revoked at any time free of charge by sending an email to: shop@spa-ceylon.cz.
      
      
4. Information and Consent for Processing Personal Data of Registered Customers (Customers Who Created a Client Account)
   1. Information on Personal Data Processing: By registering in the client zone of the e-shop at www.spa-ceylon.cz/en, the customer gains various benefits, such as faster and more convenient shopping (eliminating the need to fill in data compared to a non-registered purchase), receiving discount notifications, special discounts for registered customers, personalized offers, etc.
      
      
   2. Purpose and Legal Basis for Processing Personal Data: To provide benefits to registered customers, the Controller needs to analyze customer data (specified below). The Controller uses these analyses for marketing purposes, such as deciding which products to offer a specific customer and what discounts to provide. The offer is based on profiling, meaning it is determined based on the most probable purchasing behavior of the customer. The Controller conducts profiling using specialized software that processes the following data:
      Identification and contact details;
      Purchase history;
      
      These data are used in connection with the customer’s previous shopping behavior and preferences as observed when the customer logs into their user profile on www.spa-ceylon.cz/en.
      
      The Controller will also process the customer’s data to fulfill obligations related to the customer’s participation in consumer competitions organized by the Controller and for analytical, promotional, marketing, and statistical purposes. The Controller may use the customer’s contact details (address, email, phone number) to offer products and services and send commercial communications via mail, SMS, and email.
      
      The legal basis for processing the customer’s data in connection with their registration, as specified in this section, is the customer’s consent.
      
      
   3. Scope of Personal Data Processing: The Controller will process the personal data provided by the customer when creating a client account (during registration):
      Identification and contact details (name, surname, residence, email address, phone number);
      
      The Controller will process the following data:
      Data on the customer’s previous shopping behavior (purchase date, purchased goods, numerical designation, EAN code, description, number of purchased items, and purchase price).
      
      
   4. Data Processing Security and Protection: The Controller implements appropriate technical and organizational measures to ensure a level of security corresponding to the nature of personal data and to minimize the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
      
      
   5. Duration of Personal Data Processing and Withdrawal of Consent: The Controller will process the customer’s personal data for as long as the customer remains registered.
      
      The customer may withdraw their consent for personal data processing at any time. In such a case, the Controller will no longer analyze the data (as described above) and will not be able to provide benefits. The withdrawal of consent does not affect the legality of personal data processing before its withdrawal and does not prevent the customer from registering again.
      
      
   6. Processors and Recipients of Personal Data: The Controller may authorize other entities – processors – to process personal data. A list of processors is available via the Controller’s info line. Even in the case of using a processor, the Controller minimizes the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. Data will not be transferred outside the EU to third countries or international organizations.
      
      
   7. Place of Processing: The Controller and processors will process personal data at their registered offices and business premises recorded in the trade register.
      
      
   8. Processing Methods, Automated Processing, Decision-Making, and Profiling: The Controller will process personal data manually and automatically through its employees. If the Controller assigns a processor, the processor and its employees will also process data manually and automatically. Automated processing occurs without human intervention. Automated decision-making means decisions made by technological means without human interference. Profiling refers to using personal data to assess certain personal aspects, such as predicting individual preferences and interests. Customer data will be subject to automated decision-making and profiling as described above.
      
      
   9. Rights of the Registered Customer: Concerning the processing of personal data in connection with registration, the customer has the following rights:
      1. Right to withdraw consent;
      2. Right to access processed personal data;
      3. Right to rectification or deletion of personal data;
      4. Right to restrict personal data processing;
      5. Right to data portability;
      6. Right to object to data processing, especially for direct marketing purposes;
      7. the right to file a complaint with the supervisory authority, which is the Office for Personal Data Protection, whose website is: uoou.cz.
         
         
   10. Legal framework for personal data processing: The legal framework for personal data protection includes Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, GDPR). The legal framework for sending commercial communications is contained in Act No. 480/2004 Coll., on Certain Information Society Services.
       
       
   11. Data Controller and Data Protection Officer:
       The Data Controller is BONESSI s.r.o., based in Prague, U Nesypky 1261/10, 150 00 Prague 5 - Smíchov, ID No.: 194 03 135, registered with the Municipal Court in Prague under file number C 386026, email: shop@spa-ceylon.cz, phone (Controller): +420 799 188 888.
       
       
   12. The Data Protection Officer for customer registration at the Controller is appointed as: Mr./Ms. Jevgenija Sedláčková, email: shop@spa-ceylon.cz, phone: +420 799 188 888. The website where the customer registers is located at: www.spa-ceylon.cz/en.
       
       
   13. Consent of the registered customer to the processing of personal data:
       By filling in and creating a customer account on the website: www.spa-ceylon.cz/en, I have granted my consent to the Controller under the GDPR Regulation to process my personal data and to send me commercial communications under the Act on Certain Information Society Services.
       
       Before giving consent, I have read and understood its content and the above-mentioned information on personal data processing, particularly the purpose and scope of processing, and my right to withdraw consent to the processing of personal data and/or receiving commercial communications at any time. I declare that the personal data I have provided is accurate and that I will update it as necessary in case of any changes.