ZATEC HOP COMPANY Ltd.
YOUR PARTNER FOR HOP BUSINESS

ENGLISH VERSION
CZECH VERSION

PRIVACY NOTICE

1.         Definitions of Basic Terms

2.         Rules of Website Use, Copyrights

3.         Personal Data Processing

4.         Disclosure of Personal Data to Third Parties

5.         Personal Data Transfers to Third Countries

6.         Measures to Ensure Data Security

7.         Data Accuracy

8.         Data Minimization

9.         Storage Limitation

10.       Rights of Data Subjects Related to Processing

11.       Contact Details

 

Introductory Provisions

 

This privacy notice (the “Notice”) is issued by Žatec Hop Company a.s., ID No. 416 91 237, with its registered office at U Kolejí 8/317, Prague 6, Postal Code: 161 00, entered in the Commercial Register administered by the Prague Municipal Court under File No. B 916 (the “Company”).

This Notice is intended for all customers and suppliers of the Company (and their representatives), as well as all users of the Company’s website http://www.zhc.cz (the “Website”). The present Notice is issued so as to comply with the transparent processing principle under Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), and serves to inform the above-specified persons (data subjects) of the scope and manner of processing of their personal data and of their rights related to such processing.

1.                  Definitions of Basic Terms

For the purposes hereof, the terms below have the following meaning:

(a)                personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(b)               controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has primary responsibility for compliance with personal data protection regulations (GDPR, in particular);

(c)                OPDP” means the Office for Personal Data Protection, which is an independent supervisory authority within the meaning of the GDPR in the Czech Republic, in charge of supervision over the compliance with the respective personal data protection laws;

(d)               processingmeans any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(e)                processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller under a written agreement on personal data processing concluded in accordance with the GDPR;

(f)                special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;

(g)                cookies” means electronic data generated by a web server and stored in the equipment of the website user via their browser, and re-sent to such web server any time the user visits the website again.

2.                  Rules of Website Use, Copyrights

The Website is owned and operated by the Company. Pursuant to Act No. 121/2000 Coll., on Copyright, on Copyright-Related Rights and on Amendment of Certain Acts (the Copyright Act), as amended, all copyrights to all content placed by the Company on the Website belong to the Company.

The Website may contain links to websites not controlled by the Company. This is why this Notice does not extend to the links that redirect the user from the Website and that refer to the external information and services. The Company is not in any way liable for any statements and procedures of such websites’ operators.

The Company does not process the information on Website users in the form of cookies.

3.                  Personal Data Processing

In relation to its customers and suppliers (and their representatives), the Company is the personal data controller, which alone determines the below-stated purposes and means of processing of personal data, and which determines the measures related to such processing, particularly the security of the same. In its capacity as the controller, the Company must make sure that the personal data of its customers and suppliers maintained in the database of its business partners is processed in accordance with the requirements of the respective laws (GDPR, in particular).

In the processing of personal data, the Company does not make any decisions on the data subjects based on solely automated processing of personal data (including profiling), which have legal effects for the data subject or which have similarly major effect on them.

Sources of Personal Data:

Personal data of the Company’s customers and suppliers (and their representatives) is obtained directly from these data subjects when negotiating a contract and then when performing such concluded contract. If the customers and suppliers (and their representatives) do not provide certain personal data, it may cause the Company not to attain certain purposes of personal data processing, which are specified below in this Notice.

In addition, the Company may also obtain personal data of such data subject from public resources, such as public indexes, registers and other records, and also from public authorities or based on special laws.

Creation of Personal Data:

The Company may also create personal data related to its customers and suppliers (and their representatives), such as a customer account number, records of communication with the Company, and details of the contractual relationship between the customer/supplier and the Company. Such personal data helps the Company operate and manage its own business.

Personal Data Processed by Company:

 

The Company processes the following categories of personal data of customers and suppliers (and their representatives):

 

(a)                Basic information: name and surname, academic title, title of position with the customer/supplier, ID number and Taxpayer number (in the case of suppliers that are not natural persons);

(b)               Contact details: telephone number (both fixed line and mobile tel.), e‑mail address; and

(c)                Information essential for the performance of a contractual relationship with the customer/supplier (only in the case of suppliers that are natural persons): bank account number, references, and information on the previous orders of the supplier.

Special Categories of Personal Data Processed by Company:

The Company does not collect or process any special categories of personal data of the data subjects.

Purposes of Personal Data Processed:

The personal data of the Company’s customers and suppliers (and their representatives) is processed for the following purposes:

(a)                Performance under Contracts: Negotiations to enter into a contractual relationship, performance of rights and obligations under the existing contractual relationships, and improvement of services provided by the Company; and

(b)               Business and Financial Management: Management and operation of the Company, management of the Company’s business, sales, auditing, organization, marketing, purchases, internal communication, and external communication.

Legal Basis for Processing of Personal Data:

In the processing of the above-specified personal data for the purposes set out in this Notice, the Company relies on any of the below-given legal grounds:

(a)                Express prior consent to the processing; such legal basis is only used in relation to processing that is entirely voluntary and is not used in processing that is in any way necessary or compulsory;

(b)               The processing is unavoidable in order to negotiate the conclusion of, and perform, a contract with a customer or supplier;

(c)                The processing is necessary for the Company to comply with its legal obligations under the respective laws; or

(d)               The processing is necessary for the sake of legitimate interests of the Company that are not overridden by the interests of data subjects or their fundamental rights or freedoms; such legitimate interests of the Company comprise:

(i)                 Internal communication; management, operation and support of the Company’s business;

(ii)               Protection and assertion of the Company’s legal claims; and

(iii)             Provision of high-quality services and pursuit of the Company’s business.

4.                  Disclosure of Personal Data to Third Parties

In certain cases, the Company uses other persons (processors or controllers) to process personal data. Personal data is always processed only to the necessary extent, which means that the individual processors or controllers only have access to such personal data that they need to know to pursue their business. Personal data is processed by other processors or controllers always under an agreement on the processing of personal data, which the Company must conclude in writing with each and every processor or controller. Each processor or controller must undertake in such agreement (i) to adopt all measures to protect the confidentiality and security of the personal data, and in the case of processor, also (ii) to process personal data only in compliance with the previous instructions of the Company.

The Company may disclose personal data of the data subjects to the following categories of personal data processors or controllers and other personal data recipients:

(a)                Legal, tax and regulatory authorities upon request or in order to notify them of an actual violation or suspected violation of the respective law;

(b)               Experts, accountants, tax advisors, auditors, lawyers and other external professional advisers to the Company, provided that they are professionally or contractually bound by confidentiality;

(c)                Any relevant person, administrative authority or law enforcement, judicial and penal authorities or a court, to the extent required to prove, assert or defend statutory rights; and

(d)               Any relevant person in order to prevent, investigate, reveal or prosecute crimes, including safeguarding against and prevention of threats to public security.

5.                  Personal Data Transfers to Third Countries

The Company does not transfer personal data to other subjects in the position of controllers or processors outside the territory of the EEA.

6.                  Measures to Ensure Data Security

The Company has adopted adequate technical and organizational measures to ensure data security against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, as well as other illegal or unauthorized forms of processing, all this in compliance with the respective legal regulations (the GDPR, in particular).

7.                  Data Accuracy

The Company takes all adequate steps in order to safeguard the:

(a)                Accuracy and, if need be, the updating of the personal data being processed; and

(b)               Prompt erasure or rectification of any inaccurate (considering the purpose of processing) personal data processed by the Company.

The Company may demand that its customers and suppliers (and their representatives) confirm the accuracy of their personal data.

8.                  Data Minimization

The Company takes all adequate steps to safeguard that the processed personal data of data subjects is limited to personal data reasonably demanded in connection with the purposes described in this Notice.

9.                  Storage Limitation

The Company takes all adequate steps to safeguard that personal data is only processed for a limited period of time necessary to fulfill the purposes specified in this Notice.

The period of storage of the personal data of the Company’s customers and suppliers (and their representatives) is governed by the following criteria:

(a)                The Company will store copies of personal data of the Company’s customers and suppliers (and their representatives) in such form allowing such information to be identified only for the period of time:

(i)                 for which the contractual relationship exists; or

(ii)               for which the personal data is necessary for the statutory purposes described in this Notice, for which the Company has a legitimate legal basis (for instance, where the Company is obligated to retain personal data); and further

(b)               To the necessary extent for the duration:

(i)                 of any period of limitation or elapsed time limit under applicable laws in the event that a customer/supplier or the Company should assert any legal claim in connection with personal data or for which personal data could be of relevance; and

(ii)               Another two (2) months following the expiration of such period of limitation or elapsed time limit (to give the Company, in case of the assertion of a claim towards the end of the time limit, a reasonable time to identify the personal data affected by such claim).

In the event of the assertion of any relevant legal claims, the Company will continue to be authorized to process the personal data for such additional necessary time (i.e. until the completion of the respective proceedings pending in relation to such asserted claims), but only on a need-to-know basis.

As soon as the above-specified data storage limits expire (each of them to the defined extent), the Company will (i) permanently erase or otherwise destroy the personal data; or (ii) anonymize the relevant personal data.

10.             Rights of Data Subjects Related to Processing

Under the GDPR, data subjects have the following particular rights in connection with their personal data being processed by the Company:

(a)                The right to withdraw their consent at any time, where the Company processes the given personal data only upon their consent; the withdrawal of consent, however, shall not affect the lawfulness of processing based on consent given to the Company before its withdrawal;

(b)               The right to obtain confirmation from the Company as to whether or not personal data concerning them is being processed, and where that is the case, access to the personal data or the right to obtain a copy of the same, together with information on the nature of such processing;

(c)                The right to obtain the rectification of any inaccurate personal data;

(d)               The right to demand, where justified, (i) the erasure of the personal data that is being processed, or (ii) restrictions on processing;

(e)                The right to object, where justified, to the processing of personal data; and

(f)                The right to lodge a complaint with the OPDP.

11.             Contact Details

To assert any rights under Article 10 of this Notice and to submit any comments, inquiries or doubts as to the data contained in this Notice or to submit any other issues concerning the personal data processing by the Company, data subjects are advised to address Ing. J. Šedivý, data protection coordinator, (telephone: +420 602 350 515, e‑mail address: sedivy@zhc.cz).