INFORMATION ON PERSONAL DATA PROCESSING Harpen & Son, s.r.o., Reg. no.: 08311846, with its registered office at Vojtěšská 211/6, 110 00 Praha 1, entered in the Business Register kept with Municipal Court in Prague, file no. C 316737, pursuant to article 13 and subsequent of Regulation of the European Parliament and of the Council (EU) no. 2016/679, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC

(General Data Protection Regulation, hereinafter referred to as GDPR), in the role of the Controller of personal data, provides you with information related to processing of your personal data and advice on rights you have in relation thereto.

Principles of personal data processing

When processing your personal data, we honour and respect high standards of personal data protection and we abide by especially the following principles:

• we always process personal data for the purpose set clearly and understandably, with specified means and in specified manner and for time period which is necessary as for the purpose of its processing;

• we process only accurate personal data;

• we process the personal data in a manner which ensures their safety and which prevents unauthorized or random access to your personal data, their alteration, destruction, loss or unauthorized transmissions, processing or other misuse;

• we will always inform you in an understandable manner about processing of your personal data and about your rights for exact and full information about circumstances of the processing as well as about your other related rights;

• we adhere to particular technical and organizational measures so that a security level appropriate to all possible risks is ensured;

• all persons, who get in touch with your personal data are obliged to keep all information gained in relation to its processing confidential.
  
  

Purpose of personal data processing

As a Controller, our company processes the personal data for the purposes set below, if necessary for:

• fulfilment of a contract or to implement measures taken before entering into a contract ((6)(1)(b) of GDPR);

• fulfilment of legal obligation which applies on the Controller ((6)(1)(c) of GDPR);

• legitimate interests of our company or a third party, especially but not limited to providing protection of property or other rights, recovery of debts and claims, safety at workplace ((6)(1)(c) of GDPR);

• fulfilment of obligations and exercise of special rights of the Controller or rights of a subject in the area of labour law and in the field of social security and social protection ((9)(2)(b) of GDPR);

• preventive or labour related medical practice for the purpose of assessment of work ability of an employee, medical diagnostics, providing health or social care or treatment or systems and services of health and social care management ((9)(2)(h) of GDPR);

• records retention for public, scientific or historic research interests or for statistical purposes ((9)(2)(j) of GDPR).

Categories of personal data processed for the above mentioned purposes In accordance with the above mentioned purposes, our company is entitled to process the following categories of personal data of our clients (buyers) and business partners:

• name and surname;

• e-mail address;

• telephone number;

• type and specification of purchased goods;

• data related to fulfilment of contractual relation (company registration number, VAT-Id number, registered office or place of business, address of invoice, banking connection); camera records of premises in our company (spaces with cameras are always visibly marked);

• data of communication between our company and data subject;

Source of personal data
All processed personal data come exclusively from the subjects of these data or from publicly available sources.
Storage period
We store your personal data for the period of contract fulfilment, during the guarantee period for the goods delivered and then for 4 years after the lapse of the last guarantee period for the goods delivered.

Invoices issued by us are stored for 10 years after the end of the taxation period when the fulfilment occurred in line with § 35 of Act no. 235/2004 Coll., on Value added tax. For the purpose of necessity to support invoices issued with legal reasons, also customers' contracts are stored for the period of 10 years after the termination of the contract.

Camera records of premises of our company and its surroundings are processed for 90 days after they were made.

Processing of web pages cookies operated by us

If you have in your web browser enabled cookies, we process web browser behaviour from cookies located on webs operated by our company for the purpose of better running of our web and for the purpose of internet advertisement.

Cookies data processing may be eliminated by setting of web browser.

Categories of recipients of personal data

When fulfilling our obligations, we use expert and specialized services of other entities. If these suppliers process personal data handed over by us, they are in the role of personal data processors and they process the handed over data only within instructions of our company. They must not use them in a different way. These are especially services of insurance companies, experts, attorneys, auditors, tax advisors or IT system administrators.

We always carefully select these entities and we pay attention to meeting strict duties in relation to your personal data security when we enter into contract with them on personal data processing, if statutory confidentiality of such entities prescribed by particular legal regulations is not sufficient. These are companies with their registered office in the territory of the Czech Republic or in other member states of the European Union, which have the same standards of personal data protection as the Czech Republic.

Right to access to your personal data

As a data subject, you have the right to ask us to inform you whether we process your personal data (article 15 of GDPR).

If so, you have the right to get access to these personal data. You can also request for some other information as for their processing like the purposes of the processing, information about categories of personal data in question or information about planned period of time for which they will be stored and if it is not possible to determine, then at least to inform about criteria used to determine it.

If you ask for a copy of processed personal data, all other copies, after the first one, may be charged with appropriate administrative costs.

Right to withdraw the consent with personal data processing

If your personal data processing is based on your free consent, you have the right to withdraw such consent at any time.

However, withdrawal of your consent does not affect the lawfulness of the processing based on the consent, which was conferred before its withdrawal or the lawfulness of the processing based upon other legal reason mentioned in the article 6 of GDPR other than your free consent.

Right to correction
One of the basic principles of personal data processing is its accuracy. If you think, that your personal data, which we process, are inaccurate, you can ask for their correction (article no. 16 of GDPR). We will check the affected personal data based on your application and we will correct the possible inaccuracy.

You can also ask for completion of incomplete personal data with regard to the purpose of the processing.

Right to erasure
If there is any of the reasons specified in GDPR and at the same time your personal data processing is not necessary with regard to any of circumstances, which exclude the application of this right pursuant to GDPR, you are entitled to ask us to erase (dispose of) your personal data and not to keep them any longer.

Especially the fact, that your personal data is no longer needed for the purposes for which they were collected or otherwise processed is among the reasons for which you can ask for their erasure. Further, it is possible to withdraw your consent with personal data processing if there is no other legal reason for its processing (see also your right to withdraw the consent with personal data processing) or if your personal data is processed illegally.

Application of the right of erasure is for example excluded by the fact, that its processing is necessary to fulfil a concluded contract, to fulfil legal obligation imposed on us by generally binding legal regulations or for the purposes of legitimate interests of ours or of a third party (e.g. property protection, determination, exercise or defence of legal claims).

Right for restriction of processing
You may also have the right to request restriction of processing your personal data and this occurs in any of the following cases:
for the period necessary for us to verify the accuracy of your personal data if you negate their accuracy, personal data processing is illegal and you request for restriction of use of them instead of their erasure, we will no longer need your personal data for the purposes of the processing, but you will request them for determination, exercise or defence of legal claims, if you object to personal data processing in accordance with article 21(1) GDPR for the period of time until it is verified, whether your legitimate reasons override the reasons of our company (see also the right to object).

If the processing of your personal data is restricted, your personal data may be, with exclusion of their storage, processed only upon your consent or for the purpose of determination, exercise or defence of legal claims, for the purposes of the protection of right of other physical or legal entity or for the purpose of an important public interest of the European Union or any of its member states.

Right to notification of correction, erasure or restriction of personal data processing
In the case of correction, erasure or restriction of processing of your personal data, you may request us to notify you about recipients of your personal data, who we have informed about such a fact, with exception of cases, when such notification is impossible or it requires a disproportionate effort.

Right to portability of personal data
In the case of personal data that are processed upon your free consent or upon an agreement, which are at the same time processed by automated means, you are entitled to transfer these data to another Controller. If technically feasible, you can also request us to transfer your personal data, which you provided us with, directly to another Controller in a structured, commonly used and machine-readable format.

Rights and freedoms of other persons must not be adversely affect by the right of data portability.

Right to object
For the purposes related to your particular situation, you are entitled to object against your personal data processing (see article 21 of GDPR), if they are processed for a public interest, within the exercise of public power or for the purposes of legitimate interests of ours or of a third party. If you raise such an objection, your data may be further processed only in the case of provable serious legitimate reasons for processing, which would override your legitimate interests or rights and freedoms or for reasons of determination or defence of legal claims.

Should we process your personal data for direct marketing purposes (including profiling, if applicable) you have the right to object to such processing at any time. However, we do not process personal data for these purposes.

Right not to be the subject of automated individual decision making, including profiling

As a personal data subject, you have the right not to be the subject of any decision based upon exclusively automated processing, including profiling, which brings legal consequences to you or which significantly affects you in a similar way.

This shall not be applied, if the decision is necessary to enter into or fulfil a contract between you and the Controller, if based upon your explicit agreement or when it is permitted by generally binding legal regulations. However, we do not make any decisions without influence of human assessment which would have legal consequences for the data subject.

Right to file a complaint to the supervisory authority
Without prejudice to any other means of administrative or judicial protection, you have the right to file in a complaint with any supervisory authority, especially in the state of your common place of residence, place of employment or place where the alleged infringement occurred, if you suppose that GDPR was infringed by processing of your personal data.

The Office for Personal Data Protection (OPDP) (Úřad pro ochranu osobních údajů – ÚOOÚ) is such supervisory authority in the Czech Republic. You can find contacts and further information about the office at www.uoou.cz.

You will be notified about progress of the complaint and you will be informed about its result by the supervisory authority you have filed the complaint with.

Notifying cases of personal data protection infringement
Your personal data protection is also secured by the obligation of each Controller to notify you without undue delay about infringement of your personal data protection, if there is a high probability risk to your rights and freedoms.

The above mentioned notification is, however not required pursuant to the article 34(3) of GDPR if:
the Controller has implemented due technical and organizational protective measures and such measures were used (especially such ones, which make your personal data unintelligible to anyone who is not authorized to access them, as may be encryption for instance), the Controller has taken follow-up measures, which shall ensure that the high risk to your rights and freedoms, pursuant to the paragraph above, will probably not occur or if disproportionate effort is needed.