Rules for the Protection and Processing of Personal Data

according to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

Identification of the Data Controller
The data controller of your personal data is STAVTECH Hrbáček s.r.o., ID: 02416841, based at Kladeruby 122, 756 43 Kladeruby, registered in the commercial register maintained by the Regional Court in Ostrava, section C, file no. 57854 (hereinafter referred to as the "Controller").

Introductory Information
These rules for the protection and processing of personal data (hereinafter referred to as the "Rules") describe which personal data of natural persons, especially customers (hereinafter referred to as the "Data Subject"), are processed in the activity of the Controller.

These Rules specify the types of personal data we collect and process when you use our services or enter into another contract with us, as well as how your personal data is used, shared, and protected. You will also find explanations of the options available to you regarding your personal data and how you can contact us. Thus, we hereby inform you below about the processing of your personal data and your rights in accordance with Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as "GDPR").

Personal data refers to any information about an identified or identifiable natural person; an identifiable natural person is one who can be directly or indirectly identified, in particular by reference to a specific identifier, such as a name, identification number, location data, online identifier, or to one or more specific elements of that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

The Controller has not appointed a data protection officer.

Processing Principles
In processing personal data, we respect and uphold the highest standards of data protection and particularly adhere to the following principles:

We always process personal data for a clearly and unambiguously defined purpose, by established means, in a defined manner, and only for as long as is necessary in relation to the purposes for which they are processed. We only process accurate personal data and ensure that their processing corresponds to the established purposes and is necessary to achieve those purposes.

We process personal data in a manner that ensures the highest possible security of such data and prevents any unauthorized or accidental access to personal data, changes, destruction, or loss, unauthorized transfers, or any other unauthorized processing, as well as other misuse.

We always inform you clearly about the processing of personal data and your rights to accurate and complete information regarding the circumstances of this processing, as well as your other related rights. We comply with appropriate technical and organizational measures to ensure a level of security appropriate to all possible risks; all persons who come into contact with your personal data are required to maintain confidentiality regarding information obtained in connection with the processing of such data.

Information on the Processing of Personal Data

Purposes of Processing and Legal Basis for Processing
We process personal data for the following purposes:

1. if you have subscribed to our newsletter:
   information about events in the region (purpose no. 1),
2. if you are a visitor to our website:
   analysis of your preferences, marketing (purpose no. 2),
3. if you are representatives or employees of our partners or suppliers:
   entering into and managing supplier-customer relationships (purpose no. 3),
   information about events in the region (purpose no. 4).

Legal Basis for Processing
The legal basis for the processing of personal data is Article 6(1) of the GDPR, as follows:

1. the data subject has given consent to the processing of their personal data (purpose no. 1, 2);
2. processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract (purpose no. 3);
3. processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party (purpose no. 4).

Categories of Processed Personal Data
The Controller processes personal data to the extent necessary to fulfill the above purposes. This usually includes (but is not limited to) the data you provide to us or that we must process by law or because we pursue our legitimate interest, such as:

• identification data (e.g., name and surname, username and password, ID number, VAT number, and billing details);
• contact data (e.g., email address, phone number, organization you work for, place of work, delivery address);
• data about your orders (e.g., data about goods and services you ordered, method of delivery and payment, including account number and data about complaints);
• data about the device on which you view our website (especially data obtained from cookies such as device identification, operating system and its version, screen resolution, browser used and its version, as well as IP address and derived location);
• other data necessary for fulfilling the contract or that you have provided to the Controller.

Method of Processing Personal Data
The method of processing personal data is governed by the following principles:

• The processing of personal data is carried out by the Administrator, except for processing based on a data processing agreement, which is delegated to the Processor.
• Processing is conducted at the premises, branches, and headquarters of the Administrator by authorized employees of the Administrator or the Processor.
• Processing occurs through computing technology, or manually for personal data in paper form, while adhering to all security principles for managing and processing personal data. For this purpose, the Administrator has adopted technical and organizational measures to ensure the protection of personal data, especially measures to prevent unauthorized or accidental access to personal data, changes, destruction or loss, unauthorized transfers, unauthorized processing, and other misuse of personal data.
• All entities to whom personal data may be disclosed respect the right of Data Subjects to privacy and are obliged to comply with applicable legal regulations concerning the protection of personal data.

The Administrator does not perform automated individual decision-making or profiling of personal data.
Personal data of Data Subjects will not be transferred to third countries (i.e., countries outside the EU and EEA).

Recipients of Personal Data
Personal data of the Data Subject may be further disclosed to the following recipients/categories of recipients:

• suppliers and partners of the Administrator (only if the Administrator has signed a data processing agreement with the supplier and only if necessary for fulfilling the above-mentioned purposes),
• financial institutions and insurance companies,
• state authorities in the fulfillment of the Administrator's legal obligations established by relevant legal regulations.

Duration of Personal Data Processing
Personal data will be processed only for as long as necessary for the purpose of their processing. In view of the above:

• if established by law or other generally binding legal regulations or decisions of an administrative authority, personal data must be archived for at least the time specified for the described purpose;
• for the purpose of sending information from the region, personal data will be processed until the Data Subject expresses their disagreement with such processing,
• in the event of the initiation and duration of judicial, administrative, or other proceedings regarding the rights or obligations of the Administrator in relation to the relevant Data Subject, the processing of personal data will not cease before the end of such proceedings;
• in the case of fulfilling contractual obligations from commercial contracts, until the expiration of the 5th calendar year following the end of the warranty period according to the contract (if a quality guarantee was stipulated in the contract) and for a further period of 2 years in case of a possible commercial dispute;
• in other cases, for at least one year from their acquisition and a maximum of 5 years from their last use.

No later than by the end of the calendar quarter following the expiration of the processing period above, the relevant personal data for which the purpose of processing has expired will be destroyed (by shredding or in another way that ensures that unauthorized persons cannot access personal data) or anonymized. In the case of processing based on consent, the Data Subject may be contacted by the Administrator to renew their consent.

Your Rights

We comply with data protection laws valid in the European Economic Area, which, when applicable, include the following rights:

• access to your personal data (under the conditions of Art. 15 GDPR),
• correction or deletion of personal data (under the conditions of Art. 16 or Art. 17 GDPR),
• restriction of personal data processing (under the conditions of Art. 18 GDPR),
• object to the processing of personal data (under the conditions of Art. 21 GDPR),
• right to data portability (under the conditions of Art. 20 GDPR),
• right to withdraw consent to the processing of personal data (see below),
• right to lodge a complaint with a supervisory authority (see below).

Right to Lodge a Complaint
If you believe that your personal data is being processed in violation of the privacy and personal life protection of the Data Subject or in violation of legal regulations, you have the right to contact the Administrator with a request for explanation and/or remedy. The request should be made in writing by sending a letter or email, see contact below.

You also have the option to contact the supervisory authority, which is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, +420 234 665 555, www.uoou.cz.

Right to Withdraw Consent
You are not obligated to grant your consent to the Administrator for the processing of your personal data, and you have the right to withdraw this consent at any time. If you withdraw your consent, we will cease processing the relevant personal data for the purposes requiring that consent. If you wish to withdraw your consent to the processing of personal data, you can do so in the manner defined in the Contact Us section.

Cookies

A cookie is a small data file placed in your browser on the device (computer, smartphone, or tablet) you use to browse the website. Cookies serve various purposes, and some may contain your personal data. On our website, we use so-called technical cookies (PHPSessionID, lang, cookies), which are necessary for the operation of the website (e.g., due to responsive design). According to the opinions of the WP29 expert group in the EU, consent is not required for such cookies. Cookies can be blocked = disabled, but some parts of the site may not display correctly, and some parts may not function at all. You can find cookie settings for the most commonly used browsers here:

Google Chrome
Firefox
Internet Explorer and Edge
Safari
Opera

We also use so-called analytical and advertising cookies from companies:
Google (e.g., _ga, _gid, NID),
OptinMonster (e.g., _omappvp, _omappvs),
Facebook (fr).

We use these cookies to track traffic, advertising, and analyze visitor behavior on the website, and their presence is not essential for the proper functioning of our site. Consent is required for these cookies (see the section Purposes of Processing and Legal Basis for Processing, purpose no. 2), which can be granted by adjusting your browser settings to disable third-party cookies. To enable/disable this feature, please refer to the help for your specific browser.

Contact Us

If you have any questions about personal data protection, wish to withdraw consent for further processing of your personal data, or have a complaint, you can use the following options:

• by written officially verified communication delivered to the address of the Administrator’s registered office
• in person or by phone at: STAVTECH Hrbáček s.r.o., Kladeruby 122, 756 43 Kladeruby, tel.: 723 221 264, hrbacek@stavtech.net
• by data message sent to the data box, ID: stu7zpr, STAVTECH Hrbáček s.r.o.

Changes
We will update this privacy policy statement as necessary based on the feedback from our customers. When we publish changes to this statement, we will always adjust the last updated date listed at the end of this statement, including a description of the changes. If there are substantial changes in this statement or in the ways our organization will use your personal data, we will notify you of these changes by publishing a visible notice before implementing those changes or sending you a personal notification. We recommend that you regularly review this statement to stay informed about how we protect your personal data.