
Personal Data Protection Policy

We take personal data protection and your privacy seriously; therefore, we will always retain and process your data in line with the applicable legislation, including without limitation with the Act on Personal Data Protection, with the relevant provisions of the Civil Code and also with the General Data Protection Regulation of the European Parliament and the European Council (GDPR).

We protect your personal data to the maximum extent taking into account the state-of-the-art technology. We create and maintain databases containing personal and operational data (hereinafter jointly referred to as the “Data”) which we have obtained in connection with entering into a contract with you, providing products and/or services, and/or with other direct or indirect contact with you.

This policy will provide you with the information on the methods of the use and processing of your personal data. By means of this policy we also comply with the information obligation arising out of GDPR.

 

Who is the data controller

The Data Controller is KetoDiet CZ s.r.o., with its registered office at Kolovratská 58/1, 100 00 Prague 10, Company Id. No. 02648661, registered with the Companies Register kept by the Metropolitan Court in Prague, File No. C221830.

 

How to contact us

You can contact us by post at: KetoDiet CZ s.r.o., Generála Svobody 748, 533 51 Pardubice, by phone at: +420 608 044 100, by e-mail at: nachazel@ketodiet.cz, or by other channels as specified on our website www.ketodiet.cz. The Data Protection Officer is Petr Nacházel (see the contact details above).

 

Who is the data subject

Any natural person who starts any contractual relationship with us, or a representative of such natural person, or a person authorised to act on behalf of this natural person and/or the natural person’s contact person.

 

What are the sources of the Data we use

We either obtain the data directly from you, or we obtain the data through services or from third parties (yet only on the condition that there is a legal basis for the processing of such data) or from public registers (such as the companies register and the like). If there is a change in your personal data, you should inform us of the fact.

 

What data do we process

Personal data means any information concerning an identified or identifiable natural person. In other words, any data connected to a certain person that can (on its own or in combination with other data) result in identification of the specific person. Any information that cannot be linked to a specific person, and any anonymous or aggregated data, i.e. any data that cannot be connected to a specific person from the beginning of the processing or thereafter, will not be considered personal data.

We process the following categories of data, and the scope of the processing depends on the products and services that you make use of:

Identification data:

Degree, name, surname, company name, Company Id. No. and VAT number

Contact details:

telephone number, e-mail address, social media nickname, IP addresses, persons authorised to represent the company

Invoicing and payment details:

Billing address, information on the account number, payment methods, data on late payment history, prices for the provided products and services

Information on services/products provided:

List of orders, products and services provided, ancillary services (including membership in our loyalty programmes, etc.) customer category, type of partner, complaints, recordings of communications

Special information:

Login (including password where applicable), e.g. to the customer section or loyalty programme; portrait photographs (only some business partners); cookies (see the section Cookies hereof)

CCTV systems and recordings:

They are used only in parts of the premises where it is designated so in order to secure persons and protect assets (legitimate interest of the controller). Only a few persons who need to have the access to be able to perform their work are authorised to access the CCTV system and recordings thereof. The transfer channels and data media are secured. The recordings are stored only for the minimum necessary time.

We may also process other data if you provide them to us in connection with your activity or our business activities. Processing of such data is then governed by this policy or, where the case may be, any rules set out for this particular purpose.

 

How we use the data (purpose of the processing)

Providing your personal data is voluntary, yet for some activities (e.g. product/services supplies, loyalty programmes or competitions) your data are indispensable. We process the data that you provide us, primarily for the purposes of provision of our services and products or for any other legitimate interests we may have, for our internal needs or for our marketing and business purposes.

We process your data based on your consent or based on our legitimate interests. In the case of processing based on our legitimate interests, our interests must objectively override your right of privacy, and at the same time, the purpose of the processing cannot be achieved in any other way, and we shall take any and all necessary measures to minimise the interference with your privacy. In cases where your data are processed based on your consent, you may withdraw the consent at any time. In cases where your data are processed based on our legitimate interests as the data controller, you may raise an objection to such processing at any time. Unless provided otherwise below, we do not use the concept of joint controller, nor do we carry out automated decision-making or profiling.

Processing based on legitimate interests of the data controller

  • Description: To provide products and services based on a contract, these services include also ancillary services (e.g. loyalty programme) and counselling/advisory services, including billing of such services, customer management and sending of any related messages/notifications/ confirmations/complaint handling/contract modifications and customer care while using our services, etc.
  • Categories of the processed data: identification data, contact details, invoicing and payment details, information on the services/products provided, special data, CCTVs and recordings
  • Legal title of the processing: contract
  • Legal basis of the processing: performance of the contractual obligations
  • The source of the data: customers, business partners, public registers, controller’s activity
  • Period of processing: during the term of the contract and during the period for which the parties are entitled to make any claims based on the contract, during the period of existence of the customer’s account
  • Right to withdraw your consent/raise an objection: No

Compliance with statutory duties

  • Description: Any duties arising out of any applicable legal regulations that require that the personal data be processed as part of the records (e.g. tax documents). The scope of the processing will always depend on the provisions of the applicable legislation, in other words, the list is not exhaustive
  • Category of personal data: as required by the legislation (tax legislation and accounting standards, obligations arising out of the business activities, etc.).
  • Legal title of processing: legislation or any other binding laws and regulations
  • Legal basis of the processing: compliance with statutory duty
  • Sources of the data: customers, business partners, public registers
  • Period of processing: as provided for in the relevant laws and regulations
  • Right to withdraw your consent/raise an objection: No

Processing based on your consent

You have the right to decide whether you will give us the consent to the processing or not. When entering into the contract for the first time (or when entering into any other contracts) or when registering (e.g. with our loyalty programme or into a competition), we will ask you whether you consent to the processing. Usually, you will give us consent by ticking the relevant box.

  • Description: This type of processing of personal data and other information (e.g. information on how you use our services or products, and the like) includes profiling or segmenting for the purposes of understanding your needs and preferences and their use in order to offer you the relevant products and services and improve them. In relation to this processing, you also give us your consent to be sent marketing communications
  • Categories of the personal data processed: identification data, contact details, invoicing and payment details, information on the services/products used, socio-demographic data, special data, cookies (in the case of use of our website)
  • Legal basis of the processing: consent by the data subject
  • Sources of the data: customers, business partners, public registers, business activities of the controller
  • Period of the processing: until the consent is withdrawn
  • Right to withdraw your consent/raise an objection: No

 

Period of the personal data processing

In the case of consenting to the processing, your personal data will be processed for a period for which the consent has been given or until it is withdrawn, however, no longer than for three years from the end of the relevant contractual relationship.

In the case of processing based on our legitimate interest as the data controller, the data will be processed for the necessary period or until you raise an objection, which may lead to the termination of the processing, as the case may be.

 

Rights of the data subjects

You can exercise your rights through the contacts specified above in this document in the “How to contact us” section. If you withdraw your consent to certain data processing, we will stop the processing in a reasonable time proportionately to our technical and administrative capacities.

Right of access to the data and to their copies

You have the right to ask for an overview of your data that we process and to ask for a copy of them. At the same time, you have the right to information on the source of the data where we have not obtained the data directly from you, and on whether we use automated decision-making and on any information related thereto. The right to access can only be exercised by a person who is identifiable and whose identity has been verified.

Right of rectification

If you think that the data we process on you are incorrect or incomplete, you have the right to ask to have your data updated and complemented.

Right of erasure (right to be forgotten)

You have the right to have your data erased if they are not necessary for the purpose for which they have been processed. Please be aware that as a result of the erasure of some of the data the functionality of some of the services may be restricted or disabled (e.g. membership in the loyalty programme).

Right of restriction of the personal data processing

You have the right to request that the processing be restricted if you claim your personal data are incorrect or the processing is unlawful, and you refuse to have such personal data erased or your data are necessary for establishment, exercise or defence of your legal claims, or if you object to the processing carried out on the basis of our legitimate interests as the data controller and it should be demonstrated that our legitimate interests as the data controller override your legitimate interests.

We may, at your request, process your data even after the legal basis ceases to exist, e.g. for the purposes of making a claim before court, where you will need the personal data that we process.

Right of data portability

If you have provided your data to us, their processing is based on your consent and it is carried out by means of automation, you have the right to request this data concerning you in a structured, commonly used and machine-readable format and the right to provide this data to another controller. If it is technically feasible, the data may be transmitted directly to the controller you designate. If exercising your right has an adverse effect on the rights and freedoms of third persons, such request may not be granted.

Right to object to personal data processing

You may raise the objection to the personal data processing at any time. In such a case your personal data will not be processed for the relevant purpose anymore. Please be aware that as a result of the erasure of some of the data, the functionality of some of the services may be restricted or disabled (e.g. membership in the loyalty programme).

Withdrawal of the consent

The consent to the processing given to us may be withdrawn at any time. Withdrawing your consent does not affect the lawfulness of the processing based on the consent before its withdrawal. Please be aware that as a result of the erasure of some of the data the functionality of some of the services may be restricted or disabled (e.g. membership in the loyalty programme).

Automated individualised decision-making, including profiling

You have the right not to be subject to any decision made exclusively based on automated processing, including profiling, that may produce legal effects concerning you or similarly significantly affect you. This will not apply if the decision is necessary for the entering into a contract with us or for the performance of such contract, or it is authorised under the relevant laws or based on your explicit consent.

Right to lodge a complaint with the supervisory authority/legal remedies

You have the right to lodge a complaint with our Data Protection Officer. Alternatively, you have the right to lodge a complaint with the Personal Data Protection Office at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic (to find out more, please go to www.uoou.cz).

 

To whom your data may be disclosed and what technical and organisational measures will be taken

The data you have provided to us may be disclosed only to the data controller (including its employees and persons in similar relationship) and to the data processors in the extent necessary for their activities. They will not be disclosed to any other persons. This applies subject to our possible duty to hand your data over to entities that may request such data in line with the applicable legal regulations.

Personal data processing is carried out only by those processors who have entered into a contract on personal data processing with us; this contract allows them to use the data only for the purposes set out in the contract. We carefully select all processors to ensure that the collected data be protected from the technological and organisational point of view and to ensure that the personal data processing be carried out in compliance with the applicable laws and regulations, and thus that the rights of the data subjects be protected.

When considering the best suitable level of security, the data processors always take into account the risks that the processing may entail, including without limitation any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Each data processor is obliged to take any appropriate technical and organisational measures to secure the appropriate protection of the data, taking into account the services provided by this processor, scope, context, purpose and degree of diverse risks endangering the rights and freedoms of the natural persons. When assessing the appropriate degree of security, the processors take into consideration inter alia, the risks, including without limitation any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Technical and organisational measures must include without limitation the following activities (the list is applicable according to individual specificities):

  • To detect any actual processing of the data – to prevent any physical handling of the data or data media
  • To control the access to the systems – including without limitation to control authentication, recording of accesses, secured transfer of the login data within the network, to set up blocking of a password after unsuccessful attempts to log in, to identify the persons authorised to use the data and minimise the use of the data, to administer and record individual access permissions and means used for the authentication, to set up the rules of users’ conduct and access rights
  • To create an authentication method – to implement access restrictions, to provide only the minimum necessary number of permissions, to check disclosure of the data and to limit the disclosure to just vital permitted purposes
  • To set up rules for transfer of data – to set up stricter conditions for transfers abroad and encrypted transfers of data into external systems, to secure storage of data, process of collection and disposal of data, to prohibit reproduction of the data for other than the permitted use, to set up rules for handling of documents containing personal data (including without limitation their use, storage, archiving of print copies and reproducing such documents), for making backup copies, to minimise the volume of the collected data (especially separate processing and organisational checks)
  • To take preventive measures and carry out audits – to introduce training and carry out internal audits.

The recipients of the data, i.e. entities that process your data, include:

| Name | Id. No. | Purpose |
|---|---|---|
| Public authorities | - | Compliance with statutory duties |
| BOOTIQ s.r.o. | 29155495 | Legitimate interests of the controller (business activities) |
| 4profit, s.r.o. | 27506550 | Compliance with statutory duties, Legitimate interests of the controller (business activities, database of partners), Consent of the data subject (promotion and marketing) |
| Master Internet, s.r.o. | 26277557 | Compliance with statutory duties, Legitimate interests of the controller (business activities), Consent of the data subject (promotion and marketing) |
| Mailkit s.r.o. | 26449901 | Consent of the data subject (promotion and marketing) |
| Sprinx Systems, a.s. | 26770211 | Compliance with statutory duties, Legitimate interests of the controller (business activities), Consent of the data subject (promotion and marketing) |
| OLYMPIC s.r.o. | 27480381 | Compliance with statutory duties, Legitimate interests of the controller (business activities) |
| Fameless s.r.o. | 04072448 | Consent of the data subject (promotion and marketing) |
| Petr Nacházel | 68464860 | Compliance with statutory duties, Legitimate interests of the controller (business activities, database of partners), Consent of the data subject (promotion and marketing) |
| Kristýna Báčová | 05876354 | Legitimate interests of the controller (business activities, database of partners), Consent of the data subject (promotion and marketing) |
| Ivana Hošková | 73667862 | Compliance with statutory duties |
| Jana Dvořáková | 71127267 | Legitimate interests of the controller (business activities, database of partners), Consent of the data subject (promotion and marketing) |
| Oldřich Kejík | 75341948 | Consent of the data subject (promotion and marketing) |

 

Provision of data to third countries

The provision of our products and services does not involve transfer of the personal data for processing outside the EU.

 

Marketing communications

We label our marketing communications or marketing communications of third parties as “Marketing Communication”, or “MC” or designate them in any other suitable manner to make you aware that the communication constitutes a marketing communication in the sense of the valid legal regulations and that the communication has been sent by us.

We send our marketing communications based on your consent when registering or when placing your order, or where you provide us with your e-mail address for such purpose.

If you do not wish to receive the marketing communications, please contact us by email or at the telephone specified herein, in the part hereof titled “How to contact us”.

 

Security of the processing

We have taken all necessary measures to protect sensitive information (including personal data) against any unauthorised access. For this purpose, we apply appropriate internal measures and we comply with any regulation or legal requirements. We also abide by security policy that includes, without limitation, security management of all persons, platforms/systems and devices that are used for accessing such data. Our services make use of state-of-the-art security technologies.

When considering the best suitable level of security, we always take into account the risks that the processing may entail, including without limitation any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

We have implemented suitable technical and organisational measures to ensure the appropriate level of security corresponding to the given risk, including without limitation, ongoing confidentiality, integrity, availability and resilience of processing systems and services.

We have implemented a system of management and documentation of accesses and permits, which helps us prevent any unauthorised access to the information. The relevant piece of information can only be accessed by a person who needs the relevant information to perform his/her activities.

Our employees (and persons in a similar relationship) are familiarised with the information protection policy at the start of their employment (and also during the employer-employee relationship). The same obligation also applies to our contractors and suppliers. Our employees and persons acting on behalf of the suppliers are obliged not to disclose any information.

The premises where the personal data are located are secured by constructional features of the premises.

 

Cookies

A cookie is a small text file that is stored in your computer or mobile device during the visit of our website. We use cookies to know your preferences and to adjust our website to your needs. Thus, the cookies make your repeated visits of our website more user-friendly (therefore, your device will remember the website you have visited and the preferred settings of the individual webpages).

Cookies are processed mainly by server operators or other relevant website operators and by operators of marketing systems used on the given websites. The cookies are processed for a period of time that is necessary for their use, however not longer than 1 year from the date of generation of the relevant cookie.

None of our cookies collects or contains information that constitutes personal data or enables identification of persons.

The website browsers support cookies administration. You may delete, block or ban the use of any cookies in your browser settings. You can ban processing of the cookies used on our website easily and free-of-charge by means of your browser. If your browser allows the use of cookies, it is deemed that you agree with the use of the standard cookies used on our servers and website. To find out how to delete cookies, please consult the Help section in your internet browser.

 

Final provisions

We reserve the right to modify and amend this policy.

In Prague on 2 May 2018

 

This policy was amended on 22/02/2019
