Principles of personal data protection at KASTT, spol. s r.o.

Principles of personal data protection at KASTT, spol. s r.o.

With these principles of personal data protection (hereinafter referred to as “Principles”), we provide information about how KASTT, spol. s r.o. obtains and processes personal data, primarily in connection with orders and deliveries of HVAC supplies and in the context of its other activities, claims, other customer-supplier relationships and the operation of the website. We would also like to inform you of your rights in relation to the processed personal data.

When processing personal data, we are governed by the applicable legislation, with effect from 25 May 2018 in particular by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, the General Data Protection Regulation (hereinafter referred to as GDPR) and Act No. 110/2019 Coll. on personal data processing.

Personal data processing always takes place in connection with our production and business activities (especially in connection with inquiries, orders and deliveries of our goods and services) and in accordance with the defined purpose of processing.

This document will be updated periodically as the need arises to update it. The updated version of the Principles is effective upon posting on the website https://www.kastt.cz/.

We recommend that you read this information carefully. If anything is unclear, we will be happy to explain any term or passage to you. Please direct any questions to the contact person set forth in Article 1 below.

1. Controller of your data, contact person

The controller of personal data is KASTT spol. s r.o., address: Jižní 870, Hradec Králové 3, 500 03.

The contact details of the person responsible for personal data protection are: finance@kastt.cz,
Phone: 495 404 060, contact person: Ing. Jan Horák

The Company is not obliged to appoint a Data Protection Officer nor has it voluntarily appointed one. The controller of collects your data, handles them and bears responsibility for their proper and lawful processing. You may exercise your rights vis-à-vis the controller as set out below.

2. Data we process, purpose and reason for processing

We only process such data in order to provide you with quality deliveries in the area of our business and to properly deliver the ordered goods or perform the work or service or respond to your request for goods or work or provision of services. It is a fact that the vast majority of our business partners are commercial companies and the data of legal entities are not personal data under the EU regulation.

As far as personal data are concerned, we process personal data in the following ways and for the purposes listed in the table below:

Kastt GDPR table personal data processing

3. Explanation of the table and processing

Legal titles – are the lawful justifications for processing and are defined in the GDPR, Articles 6 and 9.

Storage period – means the period for which we are entitled or obliged to process and store your data.

Other recipients – here we indicate to which other recipients we transfer data. If it says “None”, it means that we do not pass it on to anyone.

Source of data – here we indicate from whom we obtained the personal data. If it says “Data subject” then this means that we have obtained it directly from the person it relates to.

We do not intend to transfer your personal data outside the EU or to any international organisation.

In cases where the processing is based on the legal title “Conclusion or performance of a contract”, we need your personal data for the conclusion of the contract and its subsequent performance, without which the contract cannot be concluded.

In cases where the processing is based on the legal title “Legal obligation”, we need to process your personal data on the basis of legal requirements for the period of time specified by the law in question, and we may not restrict or erase this processing during this period.

We will only process your personal data for the purposes set out in the table.

We obtain personal data directly from the data subjects.

 

4. Data we process, purpose and reason for processing

1. Conclusion and performance of contracts for the purchase and sale of goods, provision of services and performance of works

a) Information in connection with the conclusion of the contract

The following types of personal data are among the basic identification data that we process about you in connection with the conclusion of a contractual relationship and that you provide to us:
name and surname, 
permanent address, 
ID number and VAT number in the case of a natural person – entrepreneur

These data are part of any concluded purchase contract, framework purchase contract, contract for work, framework contract for work. We would not be able to enter into a contractual relationship with you without your providing them.

Reason (legal basis) why we process the data:
– performance of a concluded purchase contract, contract for work (we use this reason in accordance with Article 6(1)(b) GDPR

We process personal data for a period of 10 years.

b) Information in connection with the performance of the contract

Other types of personal data we usually process about you in connection with the performance of a contract include the following:
delivery address, 
data bout the content of the purchase and payments made.

These data are a normal part of any contractual relationship and related performance of the contract and are needed for the performance of the contract, including communication with you during the actual process of delivery of the purchased goods or performed work.

Reason (legal basis) why we process the data:
– performance of a concluded contract (we use this reason in accordance with Article 6(1)(b) GDPR

We process personal data for a period of 10 years.

c) Data from mutual communication

We process data about our mutual communication other related to the purchase of goods or requests for goods, as well as data related to the performance of work or provision of services, such as handling your requests for certain goods, performance of work or provision of services, comments on the services provided, communication about the delivery of purchased goods or performance of work, handling of claims, delays, etc. In this communication we process the following personal data that you provide to us:
name and surname, invoicing address (or different delivery address)
e-mail and telephone
ID number and VAT number in the case of a natural person – entrepreneur,
your bank account number

Reason (legal basis) why we process the data:
– handling your requests when purchasing goods, performing work or services, handling claims, withdrawal from a contract – i.e. actions related to the performance of a concluded purchase contract or contract for work, in the case of the provision of services (we use this reason in accordance with Article 6(1)(b) GDPR

– handling your requests when you express an interest in the purchase of goods, performance of work or provision of services (inquiry), i.e. we carry out pre-contractual measures at your request (we use this reason in accordance with Article 6(1)(b) GDPR.

We process personal data for a period of 10 years.

2. Marketing communication on the basis of consent

If you have subscribed to the newsletter via the web form, we will only be able to send you the newsletter and process your e-mail address for this purpose with your prior consent.

We will start processing the personal data (e-mail) only after you fill in your e-mail address for sending the newsletter in the relevant web form, agree to the processing of these personal data and then activate and confirm the newsletter subscription according to the instructions contained in the received e-mail message. If the newsletter subscription is not confirmed in accordance with the instructions contained in the received e-mail message within 7 days, the entered e-mail will be deleted without undue delay.

Consent is voluntary and you can withdraw your consent at any time. Withdrawal of consent is only effective in the future and therefore does not affect the lawfulness of previous processing of personal data based on the consent given.

The legal basis for sending the newsletter in this case is therefore your consent in accordance with Article 6(1)(a) GDPR.

We process the personal data collected with your written consent for as long as the consent is valid (i.e. in the case of consent to receive the newsletter for 5 years or until the consent is withdrawn).

Furthermore, under the terms of Section 7(3) of the Act on Certain Information Society Services, we are entitled to use your electronic address and telephone number for the purpose of disseminating commercial communications regarding our products and services similar to those we have provided to you. Similarly, it is our legitimate interest to process personal data within the scope of name, surname and address for direct marketing purposes on the basis of prior contact with you.

In both cases, this can be done until you have expressed your disagreement or objection pursuant to Article 21(2) GDPR.

3. Conclusion and performance of supplier-customer relationships

For the proper functioning of our company, we need to enter into supplier-customer relationships that are related to our business activities (e.g. purchase contracts for the supply of materials, lease agreements, contracts with external IT service providers, tax advisors, legal advisors, auditors, etc.).

For these purposes, we process only a minimum amount of personal data (if provided to us, then identification data such as name and surname, residence, e-mail or telephone number, or ID number, VAT number of the natural person) that are directly related to the concluded contractual relationship and its performance.

In this context, we only store personal data for the duration of the contractual relationship (or for the fulfilment of legal obligations arising in particular from tax or accounting legislation).

The reason (legal basis) for this processing is:
– performance of the concluded contract (we use this reason in accordance with Article 6(1)(b) GDPR.

We process personal data for the duration of the contractual relationship which establishes the reason for processing personal data or potentially the period for exercising the right to claim defects in the services provided.

4. Accounting and taxation

We collect your identification and transactional data (in particular about cash payments of purchase prices for purchased goods and payments of prices for work and services rendered) in order to fulfil our accounting and tax obligations imposed by applicable legislation (in particular the Accounting Act and the Value Added Tax Act). These are the data that are provided on invoices, delivery notes, payment receipts.

Therefore, if we are required by law to keep these documents, we will keep your personal data that must be included in the documents together with them. This purpose applies to all contractual relationships referred to in these Principles.

Reason (legal basis) why we process the data:
– compliance with legal obligations (we use this reason in accordance with Article 6(1)(c) GDPR

We process personal data for a period of generally 10 years from the date of the taxable transaction, unless in some cases a longer period is required by legislation.

5. Exercise (or defence) of rights

Should a dispute arise between our company and you, we will process your personal data necessary to defend our legal claims in connection with the dispute until the dispute is resolved. As a rule, in this context we process basic customer data, data about the disputed contractual relationship, data about payments made, data from the claims procedure, data from mutual communication, data on legal actions taken and their results.

We also explicitly inform you of your right to object to the processing of your personal data on the grounds of the so-called legitimate interest of our company in accordance with Article 21 GDPR.

Reason (legal basis) why we process the data:
– processing is necessary for the legitimate interests of our company in defending our claims (we use this reason in accordance with Article 6(1)(f) GDPR).

We process personal data until the dispute is resolved and for one year thereafter.

6. Camera recordings

If you visit us at our premises at K Dolíkám 388, 503 11 Hradec Králové, please note that selected areas of our company are monitored and recorded by CCTV for security reasons. These areas are visibly marked with a camera pictogram and accompanied by the information required by the GDPR.

Access to these CCTV recordings is strictly restricted internally and regulated by an internal data protection directive related to the CCTV system. The camera recordings may be transferred outside the company only under specified conditions to the authorities of the Police of the Czech Republic in connection with the investigation of a suspected crime.

We also explicitly inform you of your right to object to the processing of your personal data on the grounds of the so-called legitimate interest of our company in accordance with Article 21 GDPR.

Reason (legal basis) why we process the data:
– to protect our legitimate rights and interests (we use this reason in accordance with Article 6(1)(f) GDPR.

We process personal data for 3-5 days depending on the nature of the recorded area.

7. Cookies

In accordance with the provisions of Section 89(3) of Act No. 127/2005 Coll. on Electronic Communications, as amended, we inform you that our website uses cookies for its activities, i.e. that we process your cookies, including persistent ones. Cookies are short text files that the website sends to your browser. They allow the website to record information about your visit, such as your chosen language and so on, so that your next visit to the website can be easier and more enjoyable. Cookies are important because without them, browsing the internet would be much more difficult.

Within your browser settings, you can manually delete, block or completely disable the use of individual cookies. For more information, please use your browser’s help. If you do not allow the use of cookies, some functions and pages may not work as they should.

We use cookies to personalise content and ads, provide social media features and analyse our traffic. We share information about how you use our website with our social media and analytics partners. By using the website, you consent to the linking of our services: Google, Facebook, Twitter.

To serve targeted advertising on advertising and social networks on other websites, we transmit information about your web behaviour to these advertising and social networks; however, we do not transmit your personally identifiable information to them.

5. Description of the rights of data subjects

As a data subject (the natural person about whom the data is processed), you have the following rights in relation to your personal data:

6. Method of exercising rights

If you wish to exercise any of these rights, you can submit a request in the following manner:

The request can be submitted to the company’s secretariat, where your identity will be verified by your ID card or passport and you will be informed of the processing date. The application cannot be accepted without identity verification.

On the date of processing, you will be given a written notice of the outcome of your request and related materials after re-verification of your identity.

We are entitled to charge a fee corresponding to the administrative costs for requests for more than one copy.

Actions related to exercising data subjects’ rights are performed free of charge.

However, if the requests are found to be manifestly unfounded or unreasonable, in particular because they are repetitive, then we may:

a) impose a reasonable fee taking into account the administrative costs
b) refuse to grant the request.

To submit a request electronically:

a) send it via e-mail to sekretariat@kastt.cz with a valid electronic signature; without this confirmation of identity it cannot be accepted.
b) or send it from your data mailbox to the data mailbox crmfamx.

In the request, state:

1) Identification data – name, surname, date of birth
2) What right you are seeking to exercise – see the section Description of data subjects’ rights
3) Clarification of the request – e.g. in case of correction of correct data
4) Telephone – for any clarifications and to arrange further action

If there is any doubt about your identity, we may ask you to provide additional information to confirm your identity.