Personal data controller and its identification

1. The controller is the person who holds the personal data of the data subject (customers) and determines the purpose and means of their processing. The company is a data controller as it collects personal data of its customers who are natural persons for the purposes of fulfilling obligations under contractual relationships, compliance with related legal obligations, and, in the case of express consent, for sending marketing communications and promoting the company's services.
2. The Company hereby informs its customers that no Data Protection Officer has been appointed by the Company and the Company also has no representative to fulfil its obligations under the Regulation.
3. The Company's contact details are set out at the head of this document.

Scope and categories of personal data processing.

1. The company processes only those personal data that are necessary for the proper negotiation of the contractual relationship with the customer, the performance of obligations under the concluded contracts, the fulfilment of legal obligations, the protection of the company's interests and, in the case of explicit consent to the processing of personal data by the customer, the data, which is necessary for informing the customer about the company's services and products, news, events, competitions, catalogues, advertisements, evaluation of competitions and sending prizes, holiday and birthday wishes and similar events (hereinafter referred to as "marketing purposes").

Categories of personal data of customers processed by the company:

1. identification data - name, surname, delivery and billing address of the customer
2. contact data - e-mail address and telephone number.

Purpose of personal data processing, lawfulness of processing.

1. Processing of personal data without the need for consent:
   1. for the purposes of negotiating the relevant contract and providing contractual performance:
      • this is a voluntary provision of personal data by a customer who is interested in the company's products and services,
   2. for the purpose of fulfilling the company's legal obligations:
      • the company also processes personal data if it is required to do so by law,
   3. processing based on the legitimate interests of the company:
      • in particular for the purpose of asserting legal claims, protecting and promoting the legitimate interests of the company.
   4. Processing of personal data with the customer's consent:
      1. the customer's consent is completely voluntary, but at the same time necessary for the company to inform him/her about its products and services, news, promotions, contests, catalogues, advertisements, contest evaluations and the sending of prizes, holiday and birthday wishes and similar events.
      2. The Company does not provide customer's personal data to third parties for marketing purposes.
      3. The Company hereby informs its customers that without their consent it is not possible to send the customer information about the Company's products and services, news, events, competitions, catalogues, advertisements, evaluation of competitions and sending of prizes, greetings for holidays, birthdays and similar events.
      4. The Customer may withdraw the consent granted at any time by writing to GDPR@harmonelo.com.

The period for which the personal data is processed.

1. Personal data of the company's customers are processed for the period of time during which the company provides its services to these persons or for the duration of the contractual relationship.
2. After the termination of the contractual relationship and after the settlement of all related obligations, the company retains these personal data for the necessary period required by the relevant legislation, e.g. the Accounting Act, the Archives and Records Act, the Value Added Tax Act, etc., as well as for the duration of the general and special limitation periods for individual claims.
3. In the case of consents granted for the processing of personal data for marketing purposes, the retention period is 3 years from the date of the consent, unless the consent is revoked earlier.
4. The company is guided by the principle of data minimisation when storing personal data. When the purpose of processing personal data ceases to exist or the period for which the company is obliged or entitled to retain personal data expires, the personal data shall be completely deleted from the company's records and system. Thus, personal data is never processed or stored for longer than is strictly necessary.

Who has access to personal data, to whom it is provided.

1. In order to ensure the above processing purposes, the personal data of customers may also be processed by other processors, in addition to the company and its employees, with whom the company has concluded contracts for the processing of personal data in accordance with the Regulation and the law.
2. In particular, the following are the processors of personal data:
   1. persons providing or participating in the provision of services to the company,
   2. The company's legal representative or auditor,
   3. an IT technician,
   4. The insurance company in the event of a reported insurance claim.
3. The company processes personal data in an automated manner, but does not use profiling.

Information about recording phone calls

1. One of the ways in which the company processes the personal data of its customers is by recording telephone calls. The customer is informed at the beginning of the telephone call that it is a recorded call and whether they agree to the recording.
2. The controller of the personal data processed in this way is the company and the personal data is processed for the purpose of fulfilling its contractual obligations and also to control how our employees fulfil their obligations towards customers. The recordings may also serve as evidence in any judicial or administrative proceedings.
3. The processing time varies depending on the subject of the telephone communication. However, the company always retains recordings for the period of time required by law, for reasons of legitimate interest of the company, and for as long as the company and the customer are entitled to assert rights and claims arising from such communications against each other under the relevant legislation, i.e. taking into account statutory limitation periods. Depending on the company's assessment of the subject matter of the call and who the caller is, recordings may be retained for a period of 3 months, 3 years or 10 years.
4. Due to the fact that the subject of the recording is a telephone call, it is not possible to say in advance which personal data will be subject to this processing. It will therefore be personal data that the customer discloses to the company during the telephone call. In principle, it will be basic identification data and contact details, or other descriptive data.
5. The recordings and the personal data contained therein may be disclosed to authorised employees of the company, to persons to whom it is necessary to disclose personal data on the basis of and in accordance with the provisions of the relevant legislation, to entities to which the controller is entitled to disclose personal data for the purpose of protecting rights and obligations arising from the negotiation of a contractual relationship or from the contractual relationship itself, and to companies or other entities that perform activities for the company on the basis of service or cooperation contracts. In the latter case, these companies act as processors of personal data.

What are the rights of our customers.

1. The right to information concerning the processing of personal data
   1. The right to information means all the rights of the customer contained in Article 13 of the Regulation. In particular, it is the right to know the identity and contact details of the controller of the personal data, the purpose and legal basis of the processing of personal data, the recipients or categories of recipients of the personal data, the period of storage of the personal data, the rights of the data subject (customers) and the possibilities of exercising them.
2. Right of access to personal data
   1. The right of access to personal data means all the rights of the customer contained in Article 15 of the Regulation. In particular, it is the customer's right to obtain confirmation from the company as to whether and, where applicable, for what purpose personal data are processed.
   2. The customer has the right to request copies of the personal data processed from the company. In the event of repeated and manifestly unfounded requests, the company is entitled to charge the customer a reasonable fee to cover the administrative costs of obtaining a copy.
   3. Recordings of telephone calls may be requested for a fee of CZK 1,500/recorded call. The applicant must identify himself in the request in such a way that it is clear that he is entitled to request the relevant recording. In particular, this will include his/her identification data provided during the telephone call, the subject of the call and, if applicable, the date and time of the telephone call.
3. Right to rectification
   1. The right of rectification means all the rights of the customer contained in Article 16 of the Regulation, in particular the right to have inaccurate or incorrect personal data concerning the customer corrected by the company without undue delay.
   2. The basis for the exercise of this right is the communication of the facts leading to the rectification or completion to the company.
4. Right to erasure (right to be forgotten)
   1. The right to erasure means all the rights of the customer contained in Article 17 of the Regulation, in particular the right of the customer to have his personal data, including recordings of telephone calls, erased by the company without undue delay on request, provided that the conditions set out in the Regulation are met.
5. Right to restriction of processing
   1. the right to restriction of processing means all the rights of the customer contained in Article 18 of the Regulation, in particular the right to restrict the processing of his personal data to the most necessary lawful grounds.
   2. This right can be exercised in particular in cases where it is not clear whether and when the personal data will have to be deleted.
6. Right to object
   1. The right to object means all the rights of the customer contained in Article 21 of the Regulation. If the customer discovers or believes that the company is processing his/her personal data in violation of the protection of his/her private life, in violation of the Regulation or in violation of the law, he/she may request an explanation from the company or demand that the situation be remedied.
7. Right to data portability
   1. The right to data portability means all the rights of the customer contained in Article 20 of the Regulation, in particular the right to obtain and/or transfer personal data provided by the customer to another controller in a structured, commonly used and machine-readable format.
8. The right to lodge a complaint with the Data Protection Authority
   1. The customer also has the right to lodge a complaint with the Data Protection Authority, which acts as a supervisory authority in matters of data protection. The customer's right to other means of protection is not affected.

Where customers can exercise their rights.

1. Customers may exercise the individual rights set out in Article 7 of this information document by contacting the Company by e-mail: GDPR@harmonelo.com
2. The Company is obliged to resolve customer requests within a maximum of 1 month from the date of receipt of the request. In justified cases, in particular with regard to the scope of the request, the company is entitled to extend the deadline for comments to 2 months, the company always informs the customer in due time of the need for an extension.

The document is regularly updated, last updated on 28 June 2022