Privacy policy
(hereinafter referred to as the "Policy")
Preamble
1. The company ASES GROUP, s.r.o., with its registered office at Antala Staška 1859/34, Krč, 140 00 Prague 4,
Company ID: 076 14 870, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 304082 (hereinafter referred to as the “Controller”) is aware of the importance of protecting personal data and the privacy of individuals.
2. When collecting, storing, and processing buyers’ personal data, the Controller complies with the legal regulations of the European Union and the Czech Republic.
3. The purpose of this Policy is to fulfill the information obligation towards data subjects as stipulated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), as amended (also referred to as the “GDPR”).
I. Definitions
1.1 For the purposes of this Policy, this refers to a person who, in the course of the Controller's business activities, provides the Controller with their personal data, an individual acting on their behalf, or otherwise discloses personal data to the Controller.
1.2 For the purposes of this Policy, personal data refers to personal information provided to the Controller in the course of the Controller’s business activities.
1.3 The controller of personal data is ASES GROUP, s.r.o., with its registered office at Antala Staška 1859/34, Krč, 140 00 Prague 4, Company ID: 076 14 870, which determines the purposes and means of personal data processing.
II. Purpose of the Policy
2.1. The purpose of this Policy is to fulfill the information obligation towards Data Subjects arising from the GDPR.
III. Information on the Processing of Personal Data
3.1. The Controller processes the following personal data about the Data Subject, provided directly by the Data Subject:
| 3.1.1. First and last name (or company name) | 3.5.1. Identification number |
| 3.2.1. Address (business/place of residence/delivery) | 3.6.1. Country |
| 3.3.1. Website address | 3.7.1. Email address |
| 3.4.1. Tax identification number | 3.8.1. Telephone and fax number |
3.2. Personal data will be retained for the duration of the contractual or other relationship between the Data Subject and the Controller and further until the mutual financial obligations between the Controller and the Data Subject are settled. Thereafter, the data will be handled in accordance with applicable legal regulations, especially Act No. 499/2004 Coll. (the Act on Archiving and File Service) and the GDPR.
3.3. The Controller processes the above-mentioned personal data for the following purposes:
- 3.3.1. To fulfill obligations and protect interests from concluded contracts,
- 3.3.2. To set up, control, operate, and manage assigned IDs and passwords,
- 3.3.3. To fulfill legal obligations, especially in the areas of accounting, taxation, archiving, etc.,
- 3.3.4. To improve the quality of services (legitimate interest of the Controller),
- 3.3.5. For marketing purposes (see section 3.4 of this Policy for details)
3.4. Personal data is also used for marketing purposes. The legal basis for this processing is the legitimate interest of the Controller, where direct marketing is considered a legitimate interest under the GDPR.
3.5. The Controller may, in some cases, use the services of external companies that process your personal data provided to the Controller. For this purpose, the Controller is authorized to enter into a processing contract with another entity.
3.6. All persons involved by the Controller in the processing of personal data meet the requirements under the GDPR. All employees of the Controller are obligated to maintain confidentiality about the personal data they process during the performance of their work for the Controller.
3.7. The Controller may involve international organizations and processors located in so-called third countries, i.e., outside the European Union and the European Economic Area, in the processing. However, the Controller may transfer personal data to third countries only if adequate protection is ensured under the GDPR. Information on the entities to whom data is transferred and on suitable safeguards and adequate protection measures can be found in the annex to this Policy.
3.8. Personal data is stored on servers and data storage systems owned or controlled by the Controller and located within the European Union. These servers and storage systems are maintained with all necessary expertise appropriate to the nature and character of an online business in accordance with European and Czech legislation. The Controller has ensured an adequate level of security for these servers and storage systems. Personal data may be transferred within these countries among various technical and computing devices (including servers and storage) under the Controller’s control or ownership.
3.9. The Controller is also authorized to anonymize personal data for statistical and analytical purposes. In such cases, it no longer constitutes personal data processing.
3.10. The Controller has adopted and implements technical and organizational security measures to protect personal data, fully compliant with ISO 27001.
IV. Rights of Data Subjects
4.1. As a Data Subject, you are entitled to exercise the rights set out in points 4.2 to 4.8 of this article, to the extent and under the conditions specified in Chapter III of the GDPR.
4.2. You have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed. If your personal data is being processed, you have the right to access such data. This access will include, for example, information on the purposes of the processing, the categories of personal data, and the source of the personal data. You also have the right to request a copy of the processed personal data.
4.3. You have the right to have the Controller rectify any inaccurate personal data concerning you without undue delay.
4.4. If any of the conditions set by the GDPR are met (e.g., the personal data is no longer necessary for the purposes for which it was collected, or you withdraw your consent), you have the right to have the Controller erase your personal data without undue delay. This right does not apply without limitation. For example, erasure will not occur if the data is processed based on a legal obligation.
4.5. You have the right to request the restriction of processing in cases specified by the GDPR. For instance, this includes situations where you contest the accuracy of the personal data, and processing is restricted while the accuracy is being verified.
4.6. In some cases specified by the GDPR (e.g., if processing is based on your consent), you have the right to receive your personal data from the Controller in a structured, commonly used, and machine-readable format and to transmit those data to another controller. You also have the right, if technically feasible, to have the data transferred directly from one controller to another.
4.7. You have the right, for reasons related to your specific situation, to object at any time to the processing of personal data concerning you, if such data is processed based on the performance of a task carried out in the public interest or in the exercise of official authority or legitimate interests of the Controller or a third party, including profiling based on these provisions. You have the right to object to processing for direct marketing purposes.
4.8. You have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. However, this right does not apply in all cases, e.g., if the decision is necessary for the performance of a contract between you and the Controller.
V. Right to Withdraw Consent at Any Time
5.1. In cases where the processing of your personal data is based on your consent, you may withdraw this consent at any time. The data processed based on your consent is specified in Article III.
5.2. When you provide any personal data and consent to its processing, you do so voluntarily. The withdrawal of consent, as well as granting it, is your free choice, and the Controller is not entitled to force you into such actions or penalize you in any way. However, the withdrawal of consent does not affect the lawfulness of processing before its withdrawal (i.e., it does not have retroactive effects).
5.3. You may withdraw your consent to the processing of personal data given to the Controller via the contact details provided on the Controller's website.
VI. Right to Withdraw Consent at Any Time
6.1. The Controller is entitled to send the Subject (i) email messages to the provided address; (ii) SMS/MMS messages to the provided phone numbers; (iii) written postal messages and marketing materials to the provided addresses, regarding any actions, events, or circumstances related to the activities of the Controller in relation to the data subject.
6.2. The Controller is entitled to use the contact details provided in Article 6.1 also for sending commercial communications, which are not directly related to its contractual relationships with the Controller but concern another product or service of the Controller or the Controller itself. However, this entitlement arises only in the case that (i) you have not rejected it; or (ii) you have given consent to receive commercial communications. You have the option to later object to the receipt of commercial communications free of charge. This option will be provided in each individual message.
6.3. If you explicitly consent to the Controller using your email address also for sending commercial communications that are not directly related to the goods or services of the Controller but concern another product or service of the Controller or the Controller itself, or another product or service offered by another company in the same group of companies to which the Controller belongs, or another company in this group, you will receive such commercial communications. However, you will have the right to withdraw your consent at any time by following the procedure provided in the already sent commercial communication.
VII. Provision of Personal Data by You
7.1. Processing where providing personal data is mandatory is specified in Article IV.
7.2. In cases where providing your personal data is a legal requirement, you are obliged to provide this data. The same applies if you are required to provide personal data based on a contract concluded between you and us. If the provision of personal data is mandatory and you do not provide it, consequences outlined in the relevant legislation or contract may apply.