GDPR
PRIVACY POLICY
Advice on rights and obligations in connection with the processing of personal data
and by granting consents
H2 WORLD HEALTH & BEAUTY COMPANY s.r.o.
Registered office at Muglinovská 154/73, Muglinov, 712 00 Ostrava, ID 019 07 565
Registered in the Commercial Register maintained by the Regional Court in Ostrava, Section C, File 71464
E-mail address: info@h2world.world, data box: 7rsntfc
www.h2vibe.com, Tel: 777 724 731
hereinafter referred to as the "Administrator"
Contact person for all matters relating to the processing of personal data:
Ing. Gabriela Maršalová, tel. 777 724 726, email: gabriela.marsalkova@h2world.world
The personal data controller, i.e. H2 WORLD HEALTH & BEAUTY COMPANY s.r.o., hereby informs data subjects (all persons whose personal data is processed) that the personal data provided to it or obtained in connection with its line of business are processed in accordance with the relevant legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on Personal Data Protection – GDPR, hereinafter referred to as GDPR), and also the Personal Data Processing Act No. 110/2019 Coll., as amended.
We are part of the H2 group, whose members are: here
To help you better understand the text below, we explain by way of introduction the basic principles regarding the processing of personal data and the main concepts:
BASIC TERMS:
'personal data' means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'special category of personal data' means personal data revealing ethnic origin, political opinions, religion, philosophical beliefs or trade union membership, as well as genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation;
"data subject" means a natural person to whom the personal data relate (it may be an employee, customer, member of the controller's body, representative of a supplier, customer, etc.);
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means; such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (this is not an exhaustive list);
'further processing' means the processing of personal data for a purpose other than that for which they were originally collected, e.g. further processing of freely available data (public data from the land register that were originally collected for the purpose of keeping land registers, etc.);
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; under certain conditions, the controller may also be in the position of a processor or may be, for example, an entity that provides accounting, IT services for the controller, etc.;
The main principles of personal data processing:
When processing your personal data, we follow the basic principles that permeate the entire area of personal data protection. These principles are:
Legality, correctness, transparency:
According to the regulations, personal data can only be processed in a correct, lawful and transparent manner, and only on the basis of legal titles defined in the GDPR regulation. The controller is obliged to ensure that data subjects are informed as much as possible and to proceed openly and in accordance with the GDPR when processing personal data.
For this reason, we have prepared this document, which, among other things, ensures the above.
Purpose limitation: The purpose of the processing of personal data determines the framework of the processing that can be carried out. It is the responsibility of the controller to define the purpose. It is forbidden to process personal data for purposes other than those for which they were collected. There are exceptions to this (e.g. if the data subject gives consent, if the new purpose of processing is compatible with the original, etc.). Processing for other purposes is so-called further processing.
The main purposes of processing your personal data are listed below, but in relation to customers and our contractual partners, it is mainly the processing of personal data for the purpose of performing a contract with you, whether it is ordering goods through the e-shop, participation in an event organized by us or performing another contract.
Data minimisation: The regulations require the processing and collection of only personal data that are relevant and adequate to the purpose of the processing, and only to the extent necessary to fulfil the defined purpose. If the purpose could be achieved without processing some personal data, it is necessary to stop processing such excess personal data.
For this reason, we process only the necessary data and aim to comply with the principle of data minimization.
Accuracy: The processed data must be accurate and correspond to reality and, if necessary (depending on the nature of the processing), the controller is obliged to update them. As soon as the controller or processor discovers that the data is inaccurate, it will take all reasonable steps to correct or delete the inaccurate data. Accuracy must be ensured during both processing and data collection, to the extent of the risk of potential harm to the data subject. The controller is not responsible for the inaccuracy of the data if the data subject provides false information.
In view of the above, we hereby ask you to notify us of this fact if any of your data, especially identification data, changes.
Limitation and form of storage: Personal data is only stored for as long as is necessary for the purposes for which the personal data are processed. After the end of this period, the controller is obliged to destroy (delete or anonymise) the personal data; this does not apply if one of the exceptions set out in the GDPR applies.
We process personal data in such a way that the above is fulfilled.
Integrity and confidentiality: Personal data are processed in such a way that ensures their security against unauthorized or unlawful processing, as well as destruction, damage or loss, etc.
We store personal data in a form that does not allow access to this data by unauthorized persons, as the security of your personal data is our number one priority.
We hereby inform you that we process the following categories of personal data in particular:
Common:
- Address and identification data used to identify you as a data subject and to perform the contract (in particular name, surname, permanent address, ID number, VAT number, date of birth) and data enabling contact with you (telephone number, e-mail address)
- Descriptive data and bank details (bank details for the purpose of fulfilling financial transactions)
- portrait and recording of behaviour (e.g. within CCTV systems in establishments or when recording events organised by the controller)
- other data necessary to fulfil the purpose
We do not process special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or data concerning a natural person's sex life or sexual orientation) for our customers and contractual partners.
If a special category of data is processed, it is processed only to the extent necessary and always on the basis of a legitimate legal title, namely in the case of the controller's employees, e.g. in the event of an accident at work of the employee or on the basis of explicit consent.
We obtain personal data directly from you (they are obtained during negotiations on concluding a contract, in the form of personal, e-mail, telephone, chat, website – e-shops, business cards, web forms, etc.). Alternatively, we can use publicly accessible registers, lists and records (e.g. the Commercial Register, Trade Register, Land Registry, Public Telephone Directory, etc.) to obtain certain data.
LAWFUL GROUNDS FOR PROCESSING
Personal data may be processed by administrators only on the basis of existing legal titles.
We therefore process personal data on the basis of processing necessary for the performance of a contract, fulfilment of a legal obligation, or legitimate interest.
For customers and contractual partners, we process personal data because it is necessary for the performance of the contract (purchase of products and services) and we may also process some data on the basis of our legitimate interest as administrators.
In the case of employees, we process personal data mainly out of necessity to perform the contract and the employer's legal obligations.
In the case of representatives of corporations and statutory bodies of corporations or their employees (authorized representatives), we process personal data on the basis of fulfilling the legal obligation to identify a person acting on behalf of a contracting party.
We process some data on the basis of a legitimate interest, and if we process it for this reason (e.g. camera system in the establishment or video and audio recordings from events), we always carefully consider and balance whether the processing is really necessary and whether the legal requirements are met (before processing, we assess the legitimacy by so-called balance tests). In the operation of the camera system, the legitimate interest of the administrator is to ensure the protection of personal health and property.
The processing of personal data of job applicants takes place for the purpose of negotiating the conclusion of an employment contract or certain agreements on work performed outside the employment relationship within the framework of the selection procedure and, after its completion, for a period of one year for registration purposes and any repeated interest of the job seeker. The Controller processes the identification and contact data of job applicants to the extent in which the applicant has voluntarily provided them to the Controller.
PROCESSING WHEN GRANTING CONSENT TO THE PROCESSING OF PERSONAL DATA
If you give us your consent to the processing of your personal data, whether for the purpose of sending commercial communications, enabling the collection of cookies or for other purposes:
We hereby inform you that you can withdraw your consent at any time by contacting us using the contact details given in this document.
Cookies are small data files that are stored on the buyer's device (mobile, laptop, PC, etc.) when using the Controller's website. In some cases, cookies are necessary, otherwise the website would not function properly – these cookies cannot be restricted. If the buyer does not agree to the storage of necessary cookies, he is obliged to leave the website (e-shop). Further storage of cookies (advertising, analytical) is optional, and the buyer is entitled to save his own settings for storing cookies on his device. The buyer can make changes to the cookie settings at any time. You can set it up on our website.
If you give us your consent to send you commercial communications, the purpose of this consent is to use your personal data, in particular contact data (e-mail address, telephone), for sending business and marketing offers of all goods and services we provide. Giving consent is free; we do not condition anything on it. We would like to inform you that you can change your consent at any time if the commercial communications sent fully meet the conditions for sending commercial communications under Act No. 480/2004 Coll., as amended. Consent may be granted simultaneously in relation to other members of the H2 group.
PURPOSE OF PROCESSING
The purpose of personal data processing is in particular the fulfillment of contractual obligations under the concluded contract or on the basis of your order, or in connection with negotiations on the conclusion of a contract - i.e. personal data are processed so that we can conclude the contract and then perform it (whether it is a purchase contract for the delivery of goods, purchase through the e-shop, delivery of services or another contract that we enter into together). Even if you participate in an event organized by us, we enter into a contract when you buy a ticket and participate in the event.
At the same time, the purpose of processing is acts related to the performance of the contract, such as securing financial transactions, handling complaints, improving customer relations, improving the quality of services provided, defending against any claims made, and, where consent has been granted, processing and sending commercial communications.
As we strive to provide you with the best possible services within the group, processing may also be carried out to improve our services (statistics, research, innovations, cooperation with other members of the group).
If the Buyer opens a user account with the Seller, the Buyer acknowledges that his/her personal data are further processed for the purpose of maintaining this account.
In the case of employees, the main purpose is also the performance of the employment contract concluded by the employer and the fulfillment of legal obligations by employees.
When using CCTV recording, the main purpose is to ensure the protection of the health of persons and property of the controller. Data subjects are informed about the camera system by pictograms wherever it is located.
When taking photographs and video recordings of events organized by us (e.g. trainings, conferences, etc.), the main purpose of the acquisition is to ensure the protection of the health of persons, the property of the administrator, the property of third parties, as well as the interest of the administrator in documenting the event and the subsequent promotion of its person, services and goods. Data subjects are always informed in advance that photographs and images are being taken and in such a case they have a choice whether to participate in such an event or not.
- The purpose of processing may also be the purposes contained in the data subject's consent to processing.
- Personal data are processed by the Controller to the extent in which the relevant data subject has provided them to the Controller, in connection with the conclusion of a contractual or other legal relationship with the Controller or to the extent in which the Controller has obtained them for the performance of its obligations.
The purpose of the processing may also be:
- Fulfilling your requests
- Managing and improving the business model and relationships with customers and contractors
- Market research, statistics
RECIPIENTS OF PERSONAL DATA
We may transfer your personal data to the RECIPIENTS of personal data, which may be, in accordance with the purpose for which we process the data, in particular: Subcontractors of services (e.g. post office), public authorities (e.g. courts, administrative bodies, etc.), insurance companies, banks and payment intermediaries or other processors of personal data - providers of information system maintenance, external accountants, external carriers, etc.
In the case of organizing an event, training, seminars, conferences, the recipients of your personal contact data may be entities that provide us with advance sales and ticket sales, as well as providers or intermediaries of bank transfers for the purpose of payment for services and goods.
Should the relationship between any of our partners and us be assessed as joint controllership, we will ensure that all the requirements of data protection regulations are met in respect of you at all times. You can always contact us as if we were acting as an independent controller.
Within the H2 group, other members of the group may also be recipients, due to the legitimate interest of the controller.
Group members: here
RETENTION PERIOD
We store personal data for the necessary period of time in accordance with legal obligations, in accordance with statutory deadlines for shredding and archiving, or for the legitimate interest of the administrator.
Personal data are always processed for the period necessary to ensure the rights and obligations arising from the contractual relationship as well as from the relevant legal regulations or to fulfil the purpose of the consents granted.
In the case of personal data retention after the contract has been performed, the data are stored on the basis of the controller's legitimate interest in protecting its property and interests, for the duration of the limitation periods stipulated by law for exercising rights (in particular on the basis of liability for a defective service or product, or a warranty provided).
PROCESSING METHODS
We process personal data ourselves or through a processor. The processing is carried out at our headquarters or premises, by individual employees or processors. In the event that personal data is transferred on the basis of a valid title to other persons – processors, we have concluded written contracts with them. The processing is carried out mainly by means of computer technology, or manually in the case of personal data in paper form, while complying with all security principles for the management and processing of personal data.
In order to protect ourselves, we have taken technical and organizational measures to ensure the protection of personal data, in particular measures to prevent unauthorized or accidental access to personal data, their change, destruction or loss, unauthorized transfers, unauthorized processing, as well as other misuse of personal data. All entities to whom personal data may be disclosed respect your right to privacy protection and are obliged to proceed in accordance with applicable legal regulations relating to the protection of personal data.
We hereby inform you that the administrator does not make automatic decision-making or profiling during the processing of personal data. We also do not transfer personal data to third countries.
Automated decision-making means decision-making by technological means or on the basis of the results of the activity of technological means without human intervention/voluntary decision-making.
Profiling means the use of personal data to evaluate certain personal aspects of a person, such as estimating their work performance, economic situation, health, personal preferences, interests, etc.
If you do not provide us with your personal contact and identification data in the case of contract negotiations, the contract cannot be concluded because we would not have a way to perform it. The provision of your contact and identification data is thus a legal requirement for the identification of the contracting party, but also a contractual requirement necessary for the performance of the contract.
In the case of personal data processing in the form of CCTV operation, you are not obliged to provide personal data (portrait and image recording). At the entrance to the monitored premises, all persons are informed that the object is under CCTV recording and if they do not agree with this, they do not have to enter the building.
As far as employees are concerned, the provision of personal data is a legal requirement, as the controller fulfils a number of legal obligations in relation to employees, and also concludes an employment contract with them. If the data is not provided, the employment contract cannot be concluded.
RIGHTS OF THE DATA SUBJECT:
We hereby inform you of your rights:
As data subjects (customers, employees and others), you have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed, and if so, you have the right to access such personal data.
You have the right to be informed of:
- the purpose of processing
- the category of personal data concerned
- the recipients or categories of recipients to whom the personal data have been or will be disclosed
- the planned period for which the personal data will be stored
- all available information about the source of the personal data, if it is not obtained from the data subject
- whether automated decision-making, including profiling, takes place.
You have the right to a copy of the personal data being processed.
You also have the right to be informed.
You can complete or correct incomplete or inaccurate personal data if the processed data is inaccurate or incomplete.
If the legal conditions are met, you have the right to erasure of your personal data, as follows:
a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) the data subject withdraws the consent on the basis of which the data were processed and there is no other legal ground for the processing;
c) the data subject raises a relevant objection to the processing;
d) the personal data have been unlawfully processed;
e) the personal data must be erased for compliance with a legal obligation laid down in Union or Member State law to which the controller is subject;
f) the personal data were collected in connection with the offer of information society services pursuant to Article 8 para. 1 GDPR.
You have the right to obtain from us the restriction of the processing of your personal data in certain cases provided for in Article 18 GDPR. The data subject shall have the right to obtain from the controller restriction of processing in any of the following cases:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
d) the data subject has objected to the processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
You have the right to object to processing that is based on our legitimate interests or those of a third party at any time.
If personal data is processed for the purposes of direct advertising, the data subject has the right to object at any time to the processing of personal data concerning him or her for such advertising, which includes profiling insofar as this direct marketing is concerned. If you object to processing for direct marketing purposes, personal data may no longer be processed for these purposes.
The right to data portability gives you the opportunity to receive the personal data that we have collected in a commonly used and machine-readable format. You can then transfer this data to another controller or, if technically possible, request that we transmit it.
You also have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly affects you (except for the exceptions provided for in the GDPR).
In the case of processing of personal data on the basis of your consent, you have the right to withdraw your consent to the processing of personal data at any time.
You also have the right to file a complaint with the Office for Personal Data Protection. However, we are fully at your disposal and believe that there will be no need for a complaint.
Exercising rights, requests for information:
If you require any information regarding the processing of your personal data, you can primarily contact:
email: gabriela.marsalkova@h2world.world
or in writing to the address Muglinovská 154/73, Muglinov, 712 00 Ostrava
Do not hesitate to contact us; we will process your request immediately.
H2 WORLD HEALTH & BEAUTY COMPANY s.r.o.
Version 1.2024