GDPR

Privacy Policy

I. Personal Data Protection

1.1. By pressing the “I Understand” button under these terms, the user confirms that they understand the terms of personal data protection, that they agree with their wording, and that they fully accept them.

1.2. The provider is the data controller of the users’ personal data under Article 4, paragraph 7 of the Regulation of the European Parliament and Council (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “GDPR”). The provider undertakes to process personal data in accordance with legal regulations, especially the GDPR.

1.3. Personal data includes all information about an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, particularly by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more specific elements of physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

1.4. When placing an order, personal data required for successful order processing (name and address, contact details) is requested. The purpose of processing personal data is to fulfill the user’s order and to exercise the rights and obligations arising from the contractual relationship between the provider and the user. The purpose of processing personal data also includes sending commercial communications and performing other marketing activities. The legal basis for the processing of personal data is the fulfillment of the contract pursuant to Article 6, paragraph 1, point (b) of the GDPR, the fulfillment of the legal obligation of the controller under Article 6, paragraph 1, point (c) of the GDPR, and the legitimate interest of the provider under Article 6, paragraph 1, point (f) of the GDPR. The legitimate interest of the provider is the processing of personal data for direct marketing purposes.

1.5. To fulfill the licensing agreement, the provider uses subcontractors’ services, especially the mailing service provider (personal data is stored in third countries) and the web hosting provider. Subcontractors are verified for safe data processing. The provider and the web hosting subcontractor have entered into a data processing agreement, under which the subcontractor is responsible for adequately securing the physical, hardware, and software perimeter, thus bearing direct responsibility to the user for any breach or compromise of personal data.

1.6. The provider stores personal data of the user for the period necessary to exercise the rights and obligations arising from the contractual relationship between the provider and the user and to assert claims from these contractual relationships (for 15 years from the end of the contractual relationship). After this period, the data will be deleted.

1.7. The user has the right to request access to their personal data from the provider under Article 15 of the GDPR, rectification of personal data under Article 16 of the GDPR, or restriction of processing under Article 18 of the GDPR. The user has the right to deletion of personal data under Article 17, paragraph 1, points (a), (c) to (f) of the GDPR. The user also has the right to object to processing under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR.

1.8. The user has the right to file a complaint with the Office for Personal Data Protection if they believe that their right to data protection has been violated.

1.9. The user is not required to provide personal data. However, the provision of personal data is a necessary requirement for the conclusion and fulfillment of the contract; without it, the provider cannot conclude or fulfill the contract.

1.10. The provider does not engage in automated individual decision-making within the meaning of Article 22 of the GDPR.

1.11. By filling out the contact form, the user:

  • agrees to the use of their personal data for the purposes of electronic sending of commercial communications, advertising materials, direct sales, market research, and direct product offers by the provider and third parties, but no more than once a week, and at the same time,
  • declares that sending information according to point 1.11.1 is not considered unsolicited advertising within the meaning of Act No. 40/1995 Coll., as amended, as the user expressly agrees to receive information according to point 1.11.1 in connection with Section 7 of Act No. 480/2004 Coll.
  • The user can withdraw consent under this section at any time in writing to cafex@cafex.cz.

1.12. The provider uses cookies on its website to improve service quality, personalize offers, collect anonymous data, and for analytical purposes. By using the website, the user agrees to the use of this technology.

II. Rights and Obligations between the Controller and the Processor (Processing Agreement)

2.1. The provider is the processor of clients’ personal data in relation to users under Article 28 of the GDPR. The user is the controller of this data.

2.2. These terms regulate the mutual rights and obligations regarding the processing of personal data to which the provider has access under the licensing agreement entered into by accepting the general terms and conditions on www.cafex.cz (hereinafter referred to as the “licensing agreement”) concluded with the user on the day the user account was established.

2.3. The provider undertakes to process personal data for the user within the scope and for the purposes set out in Articles 2.4 to 2.7 of these terms. The means of processing will be automated. Within the processing, the provider will collect, store on information carriers, retain, block, and dispose of personal data. The provider is not authorized to process personal data contrary to or beyond the scope specified in these terms.

2.4. The provider agrees to process the user’s personal data within this scope:

  • basic personal data,
  • special categories of data under Article 9 of the GDPR,
  • that the user has obtained in c